github.com/yimialmonte/fabric@v2.1.1+incompatible/discovery/authcache_test.go (about)

     1  /*
     2  Copyright IBM Corp. All Rights Reserved.
     3  
     4  SPDX-License-Identifier: Apache-2.0
     5  */
     6  
     7  package discovery
     8  
     9  import (
    10  	"encoding/asn1"
    11  	"errors"
    12  	"sync"
    13  	"testing"
    14  
    15  	"github.com/hyperledger/fabric/protoutil"
    16  	"github.com/stretchr/testify/assert"
    17  	"github.com/stretchr/testify/mock"
    18  )
    19  
    20  func TestSignedDataToKey(t *testing.T) {
    21  	key1, err1 := signedDataToKey(protoutil.SignedData{
    22  		Data:      []byte{1, 2, 3, 4},
    23  		Identity:  []byte{5, 6, 7},
    24  		Signature: []byte{8, 9},
    25  	})
    26  	key2, err2 := signedDataToKey(protoutil.SignedData{
    27  		Data:      []byte{1, 2, 3},
    28  		Identity:  []byte{4, 5, 6},
    29  		Signature: []byte{7, 8, 9},
    30  	})
    31  	assert.NoError(t, err1)
    32  	assert.NoError(t, err2)
    33  	assert.NotEqual(t, key1, key2)
    34  }
    35  
    36  type mockAcSupport struct {
    37  	mock.Mock
    38  }
    39  
    40  func (as *mockAcSupport) EligibleForService(channel string, data protoutil.SignedData) error {
    41  	return as.Called(channel, data).Error(0)
    42  }
    43  
    44  func (as *mockAcSupport) ConfigSequence(channel string) uint64 {
    45  	return as.Called(channel).Get(0).(uint64)
    46  }
    47  
    48  func TestCacheDisabled(t *testing.T) {
    49  	sd := protoutil.SignedData{
    50  		Data:      []byte{1, 2, 3},
    51  		Identity:  []byte("authorizedIdentity"),
    52  		Signature: []byte{1, 2, 3},
    53  	}
    54  
    55  	as := &mockAcSupport{}
    56  	as.On("ConfigSequence", "foo").Return(uint64(0))
    57  	as.On("EligibleForService", "foo", sd).Return(nil)
    58  	cache := newAuthCache(as, authCacheConfig{maxCacheSize: 100, purgeRetentionRatio: 0.5})
    59  
    60  	// Call the cache twice with the same argument and ensure the call isn't cached
    61  	cache.EligibleForService("foo", sd)
    62  	cache.EligibleForService("foo", sd)
    63  	as.AssertNumberOfCalls(t, "EligibleForService", 2)
    64  }
    65  
    66  func TestCacheUsage(t *testing.T) {
    67  	as := &mockAcSupport{}
    68  	as.On("ConfigSequence", "foo").Return(uint64(0))
    69  	as.On("ConfigSequence", "bar").Return(uint64(0))
    70  	cache := newAuthCache(as, defaultConfig())
    71  
    72  	sd1 := protoutil.SignedData{
    73  		Data:      []byte{1, 2, 3},
    74  		Identity:  []byte("authorizedIdentity"),
    75  		Signature: []byte{1, 2, 3},
    76  	}
    77  
    78  	sd2 := protoutil.SignedData{
    79  		Data:      []byte{1, 2, 3},
    80  		Identity:  []byte("authorizedIdentity"),
    81  		Signature: []byte{1, 2, 3},
    82  	}
    83  
    84  	sd3 := protoutil.SignedData{
    85  		Data:      []byte{1, 2, 3, 3},
    86  		Identity:  []byte("unAuthorizedIdentity"),
    87  		Signature: []byte{1, 2, 3},
    88  	}
    89  
    90  	testCases := []struct {
    91  		channel     string
    92  		expectedErr error
    93  		sd          protoutil.SignedData
    94  	}{
    95  		{
    96  			sd:      sd1,
    97  			channel: "foo",
    98  		},
    99  		{
   100  			sd:      sd2,
   101  			channel: "bar",
   102  		},
   103  		{
   104  			channel:     "bar",
   105  			sd:          sd3,
   106  			expectedErr: errors.New("user revoked"),
   107  		},
   108  	}
   109  
   110  	for _, tst := range testCases {
   111  		// Scenario I: Invocation is not cached
   112  		invoked := false
   113  		as.On("EligibleForService", tst.channel, tst.sd).Return(tst.expectedErr).Once().Run(func(_ mock.Arguments) {
   114  			invoked = true
   115  		})
   116  		t.Run("Not cached test", func(t *testing.T) {
   117  			err := cache.EligibleForService(tst.channel, tst.sd)
   118  			if tst.expectedErr == nil {
   119  				assert.NoError(t, err)
   120  			} else {
   121  				assert.Equal(t, tst.expectedErr.Error(), err.Error())
   122  			}
   123  			assert.True(t, invoked)
   124  			// Reset invoked to false for next test
   125  			invoked = false
   126  		})
   127  
   128  		// Scenario II: Invocation is cached.
   129  		// We don't define the mock invocation because it should be the same as last time.
   130  		// If the cache isn't used, the test would fail because the mock wasn't defined
   131  		t.Run("Cached test", func(t *testing.T) {
   132  			err := cache.EligibleForService(tst.channel, tst.sd)
   133  			if tst.expectedErr == nil {
   134  				assert.NoError(t, err)
   135  			} else {
   136  				assert.Equal(t, tst.expectedErr.Error(), err.Error())
   137  			}
   138  			assert.False(t, invoked)
   139  		})
   140  	}
   141  }
   142  
   143  func TestCacheMarshalFailure(t *testing.T) {
   144  	as := &mockAcSupport{}
   145  	cache := newAuthCache(as, defaultConfig())
   146  	asBytes = func(_ interface{}) ([]byte, error) {
   147  		return nil, errors.New("failed marshaling ASN1")
   148  	}
   149  	defer func() {
   150  		asBytes = asn1.Marshal
   151  	}()
   152  	err := cache.EligibleForService("mychannel", protoutil.SignedData{})
   153  	assert.Contains(t, err.Error(), "failed marshaling ASN1")
   154  }
   155  
   156  func TestCacheConfigChange(t *testing.T) {
   157  	as := &mockAcSupport{}
   158  	sd := protoutil.SignedData{
   159  		Data:      []byte{1, 2, 3},
   160  		Identity:  []byte("identity"),
   161  		Signature: []byte{1, 2, 3},
   162  	}
   163  
   164  	cache := newAuthCache(as, defaultConfig())
   165  
   166  	// Scenario I: At first, the identity is authorized
   167  	as.On("EligibleForService", "mychannel", sd).Return(nil).Once()
   168  	as.On("ConfigSequence", "mychannel").Return(uint64(0)).Times(2)
   169  	err := cache.EligibleForService("mychannel", sd)
   170  	assert.NoError(t, err)
   171  
   172  	// Scenario II: The identity is still authorized, and config hasn't changed yet.
   173  	// Result should be cached
   174  	as.On("ConfigSequence", "mychannel").Return(uint64(0)).Once()
   175  	err = cache.EligibleForService("mychannel", sd)
   176  	assert.NoError(t, err)
   177  
   178  	// Scenario III: A config change occurred, cache should be disregarded
   179  	as.On("ConfigSequence", "mychannel").Return(uint64(1)).Times(2)
   180  	as.On("EligibleForService", "mychannel", sd).Return(errors.New("unauthorized")).Once()
   181  	err = cache.EligibleForService("mychannel", sd)
   182  	assert.Contains(t, err.Error(), "unauthorized")
   183  }
   184  
   185  func TestCachePurgeCache(t *testing.T) {
   186  	as := &mockAcSupport{}
   187  	cache := newAuthCache(as, authCacheConfig{maxCacheSize: 4, purgeRetentionRatio: 0.75, enabled: true})
   188  	as.On("ConfigSequence", "mychannel").Return(uint64(0))
   189  
   190  	// Warm up the cache - attempt to place 4 identities to fill it up
   191  	for _, id := range []string{"identity1", "identity2", "identity3", "identity4"} {
   192  		sd := protoutil.SignedData{
   193  			Data:      []byte{1, 2, 3},
   194  			Identity:  []byte(id),
   195  			Signature: []byte{1, 2, 3},
   196  		}
   197  		// At first, all identities are eligible of the service
   198  		as.On("EligibleForService", "mychannel", sd).Return(nil).Once()
   199  		err := cache.EligibleForService("mychannel", sd)
   200  		assert.NoError(t, err)
   201  	}
   202  
   203  	// Now, ensure that at least 1 of the identities was evicted from the cache, but not all
   204  	var evicted int
   205  	for _, id := range []string{"identity5", "identity1", "identity2"} {
   206  		sd := protoutil.SignedData{
   207  			Data:      []byte{1, 2, 3},
   208  			Identity:  []byte(id),
   209  			Signature: []byte{1, 2, 3},
   210  		}
   211  		as.On("EligibleForService", "mychannel", sd).Return(errors.New("unauthorized")).Once()
   212  		err := cache.EligibleForService("mychannel", sd)
   213  		if err != nil {
   214  			evicted++
   215  		}
   216  	}
   217  	assert.True(t, evicted > 0 && evicted < 4, "evicted: %d, but expected between 1 and 3 evictions", evicted)
   218  }
   219  
   220  func TestCacheConcurrentConfigUpdate(t *testing.T) {
   221  	// Scenario: 2 requests for the same identity are made concurrently.
   222  	// Both are not cached, and thus their computation results might both enter the cache.
   223  	// The first request enters when the config sequence is 0, and a config update
   224  	// that revokes the identity takes place in the same time the access control check of the first request is evaluated.
   225  	// The first request's computation is stalled because of scheduling, and completes after the second,
   226  	// which happens after the config update takes place.
   227  	// The second request's computation result should not be overridden by the computation result
   228  	// of the first request although the first request's computation completes after the second request.
   229  
   230  	as := &mockAcSupport{}
   231  	sd := protoutil.SignedData{
   232  		Data:      []byte{1, 2, 3},
   233  		Identity:  []byte{1, 2, 3},
   234  		Signature: []byte{1, 2, 3},
   235  	}
   236  	var firstRequestInvoked sync.WaitGroup
   237  	firstRequestInvoked.Add(1)
   238  	var firstRequestFinished sync.WaitGroup
   239  	firstRequestFinished.Add(1)
   240  	var secondRequestFinished sync.WaitGroup
   241  	secondRequestFinished.Add(1)
   242  	cache := newAuthCache(as, defaultConfig())
   243  	// At first, the identity is eligible.
   244  	as.On("EligibleForService", "mychannel", mock.Anything).Return(nil).Once().Run(func(_ mock.Arguments) {
   245  		firstRequestInvoked.Done()
   246  		secondRequestFinished.Wait()
   247  	})
   248  	// But after the config change, it is not
   249  	as.On("EligibleForService", "mychannel", mock.Anything).Return(errors.New("unauthorized")).Once()
   250  	// The config sequence the first request sees
   251  	as.On("ConfigSequence", "mychannel").Return(uint64(0)).Once()
   252  	as.On("ConfigSequence", "mychannel").Return(uint64(1)).Once()
   253  	// The config sequence the second request sees
   254  	as.On("ConfigSequence", "mychannel").Return(uint64(1)).Times(2)
   255  
   256  	// First request returns OK
   257  	go func() {
   258  		defer firstRequestFinished.Done()
   259  		firstResult := cache.EligibleForService("mychannel", sd)
   260  		assert.NoError(t, firstResult)
   261  	}()
   262  	firstRequestInvoked.Wait()
   263  	// Second request returns that the identity isn't authorized
   264  	secondResult := cache.EligibleForService("mychannel", sd)
   265  	// Mark second request as finished to signal first request to finish its computation
   266  	secondRequestFinished.Done()
   267  	// Wait for first request to return
   268  	firstRequestFinished.Wait()
   269  	assert.Contains(t, secondResult.Error(), "unauthorized")
   270  
   271  	// Now make another request and ensure that the second request's result (an-authorized) was cached,
   272  	// even though it finished before the first request.
   273  	as.On("ConfigSequence", "mychannel").Return(uint64(1)).Once()
   274  	cachedResult := cache.EligibleForService("mychannel", sd)
   275  	assert.Contains(t, cachedResult.Error(), "unauthorized")
   276  }
   277  
   278  func defaultConfig() authCacheConfig {
   279  	return authCacheConfig{maxCacheSize: defaultMaxCacheSize, purgeRetentionRatio: defaultRetentionRatio, enabled: true}
   280  }