github.com/zcqzcg/fabric-ca@v2.0.0-alpha.0.20200416163940-d878ee6db75a+incompatible/lib/server_test.go (about) 1 /* 2 Copyright IBM Corp. All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 package lib_test 8 9 import ( 10 "bytes" 11 "crypto/tls" 12 "crypto/x509" 13 "fmt" 14 "io" 15 "io/ioutil" 16 "math/rand" 17 "net" 18 "net/http" 19 "os" 20 "path" 21 "path/filepath" 22 "strconv" 23 "strings" 24 "sync" 25 "testing" 26 "time" 27 28 "github.com/cloudflare/cfssl/certdb" 29 "github.com/cloudflare/cfssl/csr" 30 "github.com/hyperledger/fabric-ca/api" 31 . "github.com/hyperledger/fabric-ca/lib" 32 "github.com/hyperledger/fabric-ca/lib/metadata" 33 "github.com/hyperledger/fabric-ca/lib/server/db" 34 "github.com/hyperledger/fabric-ca/lib/server/db/mysql" 35 "github.com/hyperledger/fabric-ca/lib/server/operations" 36 cadbuser "github.com/hyperledger/fabric-ca/lib/server/user" 37 libtls "github.com/hyperledger/fabric-ca/lib/tls" 38 "github.com/hyperledger/fabric-ca/util" 39 "github.com/hyperledger/fabric/bccsp/factory" 40 . "github.com/onsi/gomega" 41 "github.com/onsi/gomega/gbytes" 42 "github.com/spf13/viper" 43 "github.com/stretchr/testify/assert" 44 ) 45 46 const ( 47 rootPort = 7075 48 rootDir = "rootDir" 49 intermediatePort = 7076 50 intermediateDir = "intDir" 51 testdataDir = "../testdata" 52 pportEnvVar = "FABRIC_CA_SERVER_PROFILE_PORT" 53 testdata = "../testdata" 54 ) 55 56 func TestMain(m *testing.M) { 57 metadata.Version = "1.1.0" 58 os.Exit(m.Run()) 59 } 60 61 func TestSRVServerInit(t *testing.T) { 62 server := TestGetRootServer(t) 63 if server == nil { 64 return 65 } 66 67 err := server.Init(false) 68 if err != nil { 69 t.Errorf("First server init failed") 70 } 71 defer func() { 72 err = os.RemoveAll(rootDir) 73 if err != nil { 74 t.Errorf("RemoveAll failed: %s", err) 75 } 76 }() 77 err = server.Init(false) 78 if err != nil { 79 t.Errorf("Second server init failed") 80 } 81 err = server.Init(true) 82 if err != nil { 83 t.Errorf("Third Server init renew failed: %s", err) 84 } 85 // Verify that the duration of the newly created certificate is 15 years 86 d, err := util.GetCertificateDurationFromFile(path.Join(rootDir, "ca-cert.pem")) 87 assert.NoError(t, err) 88 assert.True(t, d.Hours() == 131400, fmt.Sprintf("Expecting 131400 but found %f", d.Hours())) 89 90 server.Config.CAcfg.CA.Certfile = "../testdata/ec.pem" 91 server.Config.CAcfg.CA.Keyfile = "../testdata/ec-key.pem" 92 err = server.Init(false) 93 if err != nil { 94 t.Errorf("Server init with known key/cert files failed: %s", err) 95 } 96 server.Config.CAcfg.CA.Certfile = "" 97 server.Config.CAcfg.CA.Keyfile = "" 98 err = server.Init(false) 99 if err != nil { 100 t.Errorf("Server init with known key/cert files failed: %s", err) 101 } 102 103 // Fail case - cannot get home directory 104 wd, err := os.Getwd() 105 if err != nil { 106 t.Fatalf("failed to get cwd: %s", err) 107 } 108 td, err := ioutil.TempDir("", "ServerInitStat") 109 if err != nil { 110 t.Fatalf("failed to get tmp dir: %s", err) 111 } 112 defer func() { 113 err = os.RemoveAll(td) 114 if err != nil { 115 t.Fatalf("RemoveAll failed: %s", err) 116 } 117 }() 118 server.HomeDir = "" 119 err = os.Chdir(td) 120 if err != nil { 121 t.Fatalf("failed to cd to %v: %s", td, err) 122 } 123 defer func() { 124 err = os.Chdir(wd) 125 if err != nil { 126 t.Fatalf("failed to cd to %v: %s", wd, err) 127 } 128 }() 129 fileInfo, err := os.Stat(".") 130 if err != nil { 131 t.Fatalf("os.Stat failed on current dir: %s", err) 132 } 133 oldmode := fileInfo.Mode() 134 curd, err := os.Getwd() 135 t.Logf("Current dir: %s", fileInfo.Name()) 136 t.Logf("Current curd: %v", curd) 137 err = os.Chmod(".", 0000) 138 if err != nil { 139 t.Fatalf("Chmod on %s failed: %s", fileInfo.Name(), err) 140 } 141 defer func() { 142 err = os.Chmod(td, oldmode) 143 if err != nil { 144 t.Fatalf("Chmod on %s failed: %s", td, err) 145 } 146 }() 147 148 err = server.Init(false) 149 t.Logf("Server.Init error: %v", err) 150 if err == nil { 151 t.Errorf("Server init should have failed (permission error)") 152 } 153 154 server.HomeDir = "" 155 } 156 157 func TestSRVRootServer(t *testing.T) { 158 var err error 159 var admin, user1 *Identity 160 var rr *api.RegistrationResponse 161 var recs []db.CertRecord 162 163 // Start the server 164 server := TestGetRootServer(t) 165 if server == nil { 166 return 167 } 168 err = server.Start() 169 if err != nil { 170 t.Fatalf("Server start failed: %s", err) 171 } 172 defer func() { 173 err = server.Stop() 174 if err != nil { 175 t.Errorf("Failed to stop server: %s", err) 176 } 177 err = os.RemoveAll(rootDir) 178 if err != nil { 179 t.Errorf("RemoveAll failed: %s", err) 180 } 181 err = os.RemoveAll("../testdata/msp") 182 if err != nil { 183 t.Errorf("RemoveAll failed: %s", err) 184 } 185 }() 186 err = server.Start() 187 t.Logf("Starting duplicate CA server: %s", err) 188 if err == nil { 189 t.Fatalf("Server start should have failed") 190 } 191 192 // Enroll request 193 client := getRootClient() 194 eresp, err := client.Enroll(&api.EnrollmentRequest{ 195 Name: "admin", 196 Secret: "adminpw", 197 }) 198 if err != nil { 199 t.Fatalf("Failed to enroll admin2/admin2pw: %s", err) 200 } 201 admin = eresp.Identity 202 // test registration permissions wrt roles and affiliation 203 testRegistration(admin, t) 204 // Register user1 205 rr, err = admin.Register(&api.RegistrationRequest{ 206 Name: "user1", 207 Type: "user", 208 Affiliation: "hyperledger.fabric.security", 209 Attributes: []api.Attribute{api.Attribute{Name: "attr1", Value: "val1"}}, 210 }) 211 if err != nil { 212 t.Fatalf("Failed to register user1: %s", err) 213 } 214 // Enroll user1 with an explicit OU. Make sure it is ignored. 215 eresp, err = client.Enroll(&api.EnrollmentRequest{ 216 Name: "user1", 217 Secret: rr.Secret, 218 CSR: &api.CSRInfo{Names: []csr.Name{csr.Name{OU: "foobar"}}}, 219 }) 220 if err != nil { 221 t.Fatalf("Failed to enroll user1: %s", err) 222 } 223 user1 = eresp.Identity 224 // Make sure the OUs are correct based on the identity type and affiliation 225 cert := user1.GetECert().GetX509Cert() 226 assert.NotNil(t, cert, "Failed to get user1's enrollment certificate") 227 228 ouPath := strings.Join(cert.Subject.OrganizationalUnit, ".") 229 assert.Equal(t, "user.hyperledger.fabric.security", ouPath, "Invalid OU path in certificate") 230 231 // The admin ID should have 1 cert in the DB now 232 dba := server.CA.CertDBAccessor() 233 recs, err = dba.GetCertificatesByID("admin") 234 if err != nil { 235 t.Errorf("Could not get admin's certs from DB: %s", err) 236 } 237 if len(recs) != 1 { 238 t.Errorf("Admin should have 1 cert in DB but found %d", len(recs)) 239 } 240 _, err = dba.GetUnexpiredCertificates() 241 if err != nil { 242 t.Errorf("Failed to get unexpired certificates: %s", err) 243 } 244 dba = &CertDBAccessor{} 245 _, err = dba.RevokeCertificatesByID("", 0) 246 if err == nil { 247 t.Error("dba.RevokeCertificatesByID on empty accessor should have failed") 248 } 249 var cr certdb.CertificateRecord 250 err = dba.InsertCertificate(cr) 251 if err == nil { 252 t.Error("dba.InsertCertificate on empty accessor should have failed") 253 } 254 // User1 should not be allowed to register 255 user2Registration := &api.RegistrationRequest{ 256 Name: "user2", 257 Type: "user", 258 Affiliation: "hyperledger.fabric-ca", 259 } 260 _, err = user1.Register(user2Registration) 261 if err == nil { 262 t.Error("User1 should have failed to register user2") 263 } 264 // Admin should be allowed to register user2 265 _, err = admin.Register(user2Registration) 266 if err != nil { 267 t.Errorf("Admin failed to register user2: %s", err) 268 } 269 // User1 renew 270 eresp, err = user1.Reenroll(&api.ReenrollmentRequest{}) 271 if err != nil { 272 t.Fatalf("Failed to reenroll user1: %s", err) 273 } 274 user1 = eresp.Identity 275 // User1 should not be allowed to revoke admin 276 _, err = user1.Revoke(&api.RevocationRequest{Name: "admin"}) 277 if err == nil { 278 t.Error("User1 should not be allowed to revoke admin") 279 } 280 // User1 should not be allowed to revoke user2 because of affiliation 281 _, err = user1.Revoke(&api.RevocationRequest{Name: "user2"}) 282 if err == nil { 283 t.Error("User1 should not be allowed to revoke user2 because of affiliation") 284 } 285 // Admin should not be allowed to revoke an invalid cert 286 _, err = admin.Revoke(&api.RevocationRequest{AKI: "foo", Serial: "bar"}) 287 if err == nil { 288 t.Error("Admin should have failed to revoke foo/bar") 289 } 290 // Revoke user1's identity 291 _, err = admin.Revoke(&api.RevocationRequest{Name: "user1"}) 292 if err != nil { 293 t.Fatalf("Failed to revoke user1's identity: %s", err) 294 } 295 296 // Test to make sure that if an identity registered with an 297 // attribute 'hf.Revoker=false' should not be able to make a 298 // successfull revocation request 299 secret, err := admin.Register(&api.RegistrationRequest{ 300 Name: "user3", 301 Type: "user", 302 Affiliation: "hyperledger.fabric-ca", 303 Attributes: makeAttrs(t, "hf.Revoker=false"), 304 }) 305 assert.NoError(t, err, "Failed to register user") 306 eresp, err = client.Enroll(&api.EnrollmentRequest{ 307 Name: "user3", 308 Secret: secret.Secret, 309 }) 310 assert.NoError(t, err, "Failed to enroll user2") 311 user3 := eresp.Identity 312 // User3 should not be allowed to revoke because of attribute 'hf.Revoker=false' 313 _, err = user3.Revoke(&api.RevocationRequest{Name: "admin"}) 314 assert.Error(t, err) 315 316 // deferred cleanup 317 } 318 319 // Test passwords with lowercase "e" to make sure it is stored 320 // correctly in the database with no conversion problems. 321 // See https://jira.hyperledger.org/projects/FAB/issues/FAB-5188 322 func TestSRVSpecialPassword(t *testing.T) { 323 324 user := "admin2" 325 pwd := "034e220796" 326 327 // Start the server 328 server := TestGetRootServer(t) 329 if server == nil { 330 return 331 } 332 err := server.RegisterBootstrapUser(user, pwd, "") 333 if err != nil { 334 t.Fatalf("Failed to register %s: %s", user, err) 335 } 336 err = server.Start() 337 if err != nil { 338 t.Fatalf("Server start failed: %s", err) 339 } 340 defer func() { 341 err = server.Stop() 342 if err != nil { 343 t.Errorf("Failed to stop server: %s", err) 344 } 345 err = os.RemoveAll("../testdata/msp/") 346 if err != nil { 347 t.Errorf("RemoveAll failed: %s", err) 348 } 349 err = os.RemoveAll(rootDir) 350 if err != nil { 351 t.Errorf("RemoveAll failed: %s", err) 352 } 353 }() 354 355 // Enroll request 356 client := getRootClient() 357 _, err = client.Enroll(&api.EnrollmentRequest{Name: user, Secret: pwd}) 358 if err != nil { 359 t.Fatalf("Failed to enroll %s: %s", user, err) 360 } 361 } 362 363 // TestProfiling tests if profiling endpoint can be accessed when profiling is 364 // enabled and not accessible when disabled (default) 365 func TestSRVProfiling(t *testing.T) { 366 t.Log("start TestProfiling") 367 368 defer func() { 369 err := os.RemoveAll(rootDir) 370 if err != nil { 371 t.Errorf("RemoveAll failed: %s", err) 372 } 373 }() 374 375 pport := rootPort + 1000 376 url := fmt.Sprintf("http://localhost:%d/debug/pprof/heap", pport) 377 378 // Start the server with profiling disabled 379 os.Setenv(pportEnvVar, strconv.Itoa(-1)) 380 server := TestGetServer(rootPort, rootDir, "", -1, t) 381 if server == nil { 382 return 383 } 384 err := server.Start() 385 if err != nil { 386 t.Fatalf("Server start failed: %s", err) 387 } 388 resp1, err2 := sendGetReq(url, t) 389 // send heap profiling request to the server and expect a bad response 390 // as profiling is disabled 391 if err2 == nil && resp1.StatusCode == 200 { 392 responseData, _ := ioutil.ReadAll(resp1.Body) 393 t.Errorf("Expected error response for profile request %s but got good response: %s", 394 url, responseData) 395 } 396 err = server.Stop() 397 if err != nil { 398 t.Errorf("Failed to stop server: %s", err) 399 } 400 401 // Start the server with profiling enabled but port set to server port 402 os.Setenv(pportEnvVar, strconv.Itoa(rootPort)) 403 server = TestGetServer(rootPort, rootDir, "", -1, t) 404 if server == nil { 405 return 406 } 407 err = server.Start() 408 if err == nil { 409 t.Fatalf("Server should not have started because of port conflict") 410 } 411 412 // Start the server with profiling enabled 413 os.Setenv(pportEnvVar, strconv.Itoa(pport)) 414 defer os.Unsetenv(pportEnvVar) 415 server = TestGetServer(rootPort, rootDir, "", -1, t) 416 if server == nil { 417 return 418 } 419 err = server.Start() 420 if err != nil { 421 t.Fatalf("Server start failed: %s", err) 422 } 423 defer func() { 424 err = server.Stop() 425 if err != nil { 426 t.Errorf("Failed to stop server: %s", err) 427 } 428 }() 429 430 // send heap profiling request to the server and expect a 200 response 431 // as profiling is enabled 432 resp, err1 := sendGetReq(url, t) 433 if err1 != nil || resp.StatusCode != 200 { 434 if err1 == nil { 435 responseData, _ := ioutil.ReadAll(resp.Body) 436 err1 = fmt.Errorf("Invalid response %s with code %d returned for the request %s", 437 string(responseData), resp.StatusCode, url) 438 } 439 t.Errorf("Failed to send request to %s: %s", url, err1) 440 } 441 } 442 443 // sendGetReq sends GET request to the specified URL 444 func sendGetReq(url string, t *testing.T) (resp *http.Response, err error) { 445 req, err := http.NewRequest("GET", url, bytes.NewReader([]byte{})) 446 if err != nil { 447 t.Fatalf("Failed to create request for url %s: %s", url, err) 448 } 449 var tr = new(http.Transport) 450 httpClient := &http.Client{Transport: tr} 451 return httpClient.Do(req) 452 } 453 454 func TestSRVIntermediateServerWithFalseAttr(t *testing.T) { 455 var err error 456 457 err = os.RemoveAll(rootDir) 458 if err != nil { 459 t.Errorf("RemoveAll failed: %s", err) 460 } 461 462 // Start the root server 463 rootServer := TestGetRootServer(t) 464 if rootServer == nil { 465 return 466 } 467 rootServer.CA.Config.Registry.Identities[0].Attrs["hf.IntermediateCA"] = "false" 468 err = rootServer.Start() 469 if !assert.NoError(t, err, "Server failed start") { 470 assert.FailNow(t, err.Error()) 471 } 472 // Clean up when done 473 defer func() { 474 err = rootServer.Stop() 475 if err != nil { 476 t.Errorf("Failed to stop server: %s", err) 477 } 478 err = os.RemoveAll(rootDir) 479 if err != nil { 480 t.Errorf("RemoveAll failed: %s", err) 481 } 482 err = os.RemoveAll(intermediateDir) 483 if err != nil { 484 t.Errorf("RemoveAll failed: %s", err) 485 } 486 }() 487 488 intermediateServer := TestGetIntermediateServer(0, t) 489 if intermediateServer == nil { 490 return 491 } 492 493 err = intermediateServer.Init(false) 494 util.ErrorContains(t, err, "Authorization failure", "Should have failed, the attribute 'hf.IntermediateCA' is not set to true. Cannot register as Intermediate CA") 495 496 // deferred cleanup 497 } 498 499 func TestSRVIntermediateServer(t *testing.T) { 500 var err error 501 502 // Start the root server 503 rootServer := TestGetRootServer(t) 504 if rootServer == nil { 505 return 506 } 507 err = rootServer.Start() 508 if err != nil { 509 t.Fatalf("Root server start failed: %s", err) 510 } 511 defer func() { 512 err = rootServer.Stop() 513 if err != nil { 514 t.Errorf("Root server stop failed: %s", err) 515 } 516 err := os.RemoveAll("../testdata/msp") 517 if err != nil { 518 t.Errorf("RemoveAll failed: %s", err) 519 } 520 err = os.RemoveAll(rootDir) 521 if err != nil { 522 t.Errorf("RemoveAll failed: %s", err) 523 } 524 }() 525 526 for idx := 0; idx < 3; idx++ { 527 testIntermediateServer(idx, t) 528 } 529 // deferred cleanup 530 } 531 532 func TestSRVIntermediateServerWithTLS(t *testing.T) { 533 var err error 534 535 rootServer := TestGetRootServer(t) 536 if rootServer == nil { 537 return 538 } 539 rootServer.Config.TLS.Enabled = true 540 rootServer.Config.TLS.CertFile = "../../testdata/tls_server-cert.pem" 541 rootServer.Config.TLS.KeyFile = "../../testdata/tls_server-key.pem" 542 rootServer.Config.TLS.ClientAuth.Type = "RequireAndVerifyClientCert" 543 rootServer.Config.TLS.ClientAuth.CertFiles = []string{"../../testdata/root.pem"} 544 545 //Invalid Authtype 546 rootServer.Config.TLS.ClientAuth.Type = "Token" 547 err = rootServer.Start() 548 t.Logf("rootServer.Start err %v", err) 549 if err == nil { 550 t.Fatal("Root server start should have failed: (invalid authtype)") 551 } 552 defer func() { 553 err = rootServer.Stop() 554 if err != nil { 555 t.Errorf("Root server stop failed: %s", err) 556 } 557 err = os.RemoveAll(rootDir) 558 if err != nil { 559 t.Errorf("RemoveAll failed: %s", err) 560 } 561 err = os.RemoveAll(intermediateDir) 562 if err != nil { 563 t.Errorf("RemoveAll failed: %s", err) 564 } 565 }() 566 567 //Valid authtype 568 rootServer.Config.TLS.ClientAuth.Type = "RequireAndVerifyClientCert" 569 err = rootServer.Start() 570 t.Logf("rootServer.Start err %v", err) 571 if err != nil { 572 t.Fatal("Root server start failed") 573 } 574 parentURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 575 intermediateServer := TestGetServer(intermediatePort, intermediateDir, parentURL, -1, t) 576 if intermediateServer == nil { 577 return 578 } 579 intermediateServer.CA.Config.Intermediate.TLS.Client.CertFile = "../../testdata/tls_client-cert.pem" 580 intermediateServer.CA.Config.Intermediate.TLS.Client.KeyFile = "../../testdata/tls_client-key.pem" 581 intermediateServer.CA.Config.CSR.CN = "intermediateServer" 582 583 // Error case 1: CN specified for intermediate server 584 err = intermediateServer.Start() 585 if err == nil { 586 t.Errorf("CN specified for intermediate server, the server should have failed to start") 587 err = intermediateServer.Stop() 588 if err != nil { 589 t.Errorf("Failed to stop server: %s", err) 590 } 591 } 592 593 intermediateServer.CA.Config.CSR.CN = "" 594 intermediateServer.CA.Config.CSR.Hosts = []string{"testhost"} 595 596 // Error case 2: tls.certfiles not specified for intermediate server while connecting to parent CA server over TLS 597 err = intermediateServer.Start() 598 if err == nil { 599 t.Errorf("Certfiles not specified for the Intermediate server, the server should have failed to start") 600 err = intermediateServer.Stop() 601 if err != nil { 602 t.Errorf("Failed to stop server: %s", err) 603 } 604 } 605 606 // Success case 607 intermediateServer.CA.Config.Intermediate.TLS.CertFiles = []string{"../../testdata/root.pem"} 608 err = intermediateServer.Start() 609 if err != nil { 610 t.Errorf("Intermediate server start failed: %s", err) 611 err = intermediateServer.Stop() 612 if err != nil { 613 t.Errorf("Failed to stop server: %s", err) 614 } 615 } 616 time.Sleep(time.Second) 617 618 err = intermediateServer.Stop() 619 if err != nil { 620 t.Errorf("Intermediate server stop failed: %s", err) 621 } 622 623 // Make sure that the hostname was not inserted into the CA certificate 624 err = util.CheckHostsInCert(filepath.Join(intermediateDir, "ca-cert.pem"), "testhost") 625 if err == nil { 626 t.Error("A CA certificate should not have any hostnames") 627 } 628 629 // deferred cleanup 630 } 631 632 func TestSRVRunningTLSServer(t *testing.T) { 633 testDir := "tlsTestDir" 634 os.RemoveAll(testDir) 635 defer os.RemoveAll(testDir) 636 637 srv := TestGetServer(rootPort, testDir, "", -1, t) 638 639 srv.Config.TLS.Enabled = true 640 srv.Config.TLS.CertFile = "../../testdata/tls_server-cert.pem" 641 srv.Config.TLS.KeyFile = "../../testdata/tls_server-key.pem" 642 643 err := srv.Start() 644 if err != nil { 645 t.Fatalf("Server start failed: %s", err) 646 } 647 defer func() { 648 err = srv.Stop() 649 if err != nil { 650 t.Errorf("Failed to stop server: %s", err) 651 } 652 err = os.RemoveAll("../testdata/ca-cert.pem") 653 if err != nil { 654 t.Errorf("RemoveAll failed: %s", err) 655 } 656 err = os.RemoveAll("../testdata/fabric-ca-server.db") 657 if err != nil { 658 t.Errorf("RemoveAll failed: %s", err) 659 } 660 err = os.RemoveAll("../testdata/msp") 661 if err != nil { 662 t.Errorf("RemoveAll failed: %s", err) 663 } 664 }() 665 666 clientConfig := &ClientConfig{ 667 URL: fmt.Sprintf("https://localhost:%d", rootPort), 668 TLS: libtls.ClientTLSConfig{ 669 CertFiles: []string{"../testdata/root.pem"}, 670 Client: libtls.KeyCertFiles{ 671 KeyFile: "../testdata/tls_client-key.pem", 672 CertFile: "../testdata/tls_client-cert.pem", 673 }, 674 }, 675 } 676 677 rawURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 678 679 _, err = clientConfig.Enroll(rawURL, testdataDir) 680 if err != nil { 681 t.Errorf("Failed to enroll over TLS: %s", err) 682 } 683 684 // make sure only TLSv1.2 and TLSv1.3 are supported 685 rootPool := x509.NewCertPool() 686 rootBytes, _ := ioutil.ReadFile("../testdata/root.pem") 687 rootPool.AppendCertsFromPEM(rootBytes) 688 for _, tlsVersion := range []uint16{tls.VersionTLS12, tls.VersionTLS13} { 689 _, err = tls.Dial("tcp", fmt.Sprintf("localhost:%d", rootPort), &tls.Config{ 690 RootCAs: rootPool, 691 MinVersion: tlsVersion, 692 MaxVersion: tlsVersion, 693 }) 694 assert.NoError(t, err, "Should have connected using a valid TLS version [TLSv1.2, TLSv1.3]") 695 } 696 for _, tlsVersion := range []uint16{tls.VersionSSL30, tls.VersionTLS10, tls.VersionTLS11} { 697 _, err = tls.Dial("tcp", fmt.Sprintf("localhost:%d", rootPort), &tls.Config{ 698 MinVersion: tlsVersion, 699 MaxVersion: tlsVersion, 700 }) 701 t.Logf("Attempting TLS version [%d]", tlsVersion) 702 assert.Error(t, err, "Should not have been able to connect with TLS version < 1.2") 703 if tlsVersion == tls.VersionSSL30 { 704 assert.Contains(t, err.Error(), "no supported versions satisfy MinVersion and MaxVersion") 705 } else { 706 assert.Contains(t, err.Error(), "protocol version not supported") 707 } 708 } 709 } 710 711 func TestSRVDefaultDatabase(t *testing.T) { 712 cleanTestSlateSRV(t) 713 defer func() { 714 err := os.RemoveAll("../testdata/ca-cert.pem") 715 if err != nil { 716 t.Errorf("RemoveAll failed: %s", err) 717 } 718 err = os.RemoveAll("../testdata/fabric-ca-server.db") 719 if err != nil { 720 t.Errorf("RemoveAll failed: %s", err) 721 } 722 err = os.RemoveAll("../testdata/msp") 723 if err != nil { 724 t.Errorf("RemoveAll failed: %s", err) 725 } 726 }() 727 728 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 729 730 err := srv.Start() 731 if err != nil { 732 t.Fatalf("Root server start failed: %s", err) 733 } 734 735 err = srv.Stop() 736 if err != nil { 737 t.Errorf("Failed to stop server: %s", err) 738 } 739 740 exist := util.FileExists("../testdata/fabric-ca-server.db") 741 if !exist { 742 t.Error("Failed to create default sqlite fabric-ca-server.db") 743 } 744 } 745 746 func TestSRVDefaultAddrPort(t *testing.T) { 747 cleanTestSlateSRV(t) 748 defer func() { 749 err := os.RemoveAll("../testdata/ca-cert.pem") 750 if err != nil { 751 t.Errorf("RemoveAll failed: %s", err) 752 } 753 err = os.RemoveAll("../testdata/fabric-ca-server.db") 754 if err != nil { 755 t.Errorf("RemoveAll failed: %s", err) 756 } 757 err = os.RemoveAll("../testdata/msp") 758 if err != nil { 759 t.Errorf("RemoveAll failed: %s", err) 760 } 761 }() 762 763 srv1 := getServer(rootPort, testdataDir, "", -1, t) 764 srv1.Config.Address = "" 765 srv1.Config.Port = 0 766 err := srv1.Start() 767 t.Logf("srv.Start err: %v", err) 768 if err != nil { 769 t.Fatalf("Failed to start server: %s", err) 770 } 771 defer func() { 772 err = srv1.Stop() 773 if err != nil { 774 t.Errorf("Failed to stop server: %s", err) 775 } 776 }() 777 778 // Start server with default port (already in use) 779 srv := getServer(rootPort, testdataDir, "", -1, t) 780 srv.Config.Address = "" 781 srv.Config.Port = 0 782 err = srv.Start() 783 t.Logf("srv.Start err: %v", err) 784 if err == nil { 785 t.Errorf("Root server start should have failed (port unavailable)") 786 err = srv.Stop() 787 if err != nil { 788 t.Errorf("Failed to stop server: %s", err) 789 } 790 } 791 792 // Again with TLS 793 srv = getServer(rootPort, testdataDir, "", -1, t) 794 srv.Config.TLS.Enabled = true 795 srv.Config.TLS.CertFile = "../testdata/tls_server-cert.pem" 796 srv.Config.TLS.KeyFile = "../testdata/tls_server-key.pem" 797 srv.Config.TLS.ClientAuth.Type = "RequireAndVerifyClientCert" 798 srv.Config.TLS.ClientAuth.CertFiles = []string{"../testdata/root.pem"} 799 srv.Config.Address = "" 800 srv.Config.Port = 0 801 802 err = srv.Start() 803 t.Logf("srv.Start err: %v", err) 804 if err == nil { 805 t.Errorf("Root server start should have failed (port unavailable)") 806 err = srv.Stop() 807 if err != nil { 808 t.Errorf("Failed to stop server: %s", err) 809 } 810 } 811 } 812 813 func TestSRVBadAuthHeader(t *testing.T) { 814 // Start the server 815 server := TestGetRootServer(t) 816 if server == nil { 817 return 818 } 819 err := server.Start() 820 if err != nil { 821 t.Fatalf("Server start failed: %s", err) 822 } 823 defer func() { 824 err = server.Stop() 825 if err != nil { 826 t.Errorf("Failed to stop server: %s", err) 827 } 828 err = os.RemoveAll(rootDir) 829 if err != nil { 830 t.Errorf("RemoveAll failed: %s", err) 831 } 832 }() 833 834 invalidTokenAuthorization(t) 835 invalidBasicAuthorization(t) 836 perEndpointNegativeTests("info", "none", t) 837 perEndpointNegativeTests("enroll", "basic", t) 838 perEndpointNegativeTests("reenroll", "token", t) 839 perEndpointNegativeTests("register", "token", t) 840 } 841 842 func invalidTokenAuthorization(t *testing.T) { 843 client := getRootClient() 844 845 emptyByte := make([]byte, 0) 846 url := fmt.Sprintf("http://localhost:%d/enroll", rootPort) 847 req, err := http.NewRequest("POST", url, bytes.NewReader(emptyByte)) 848 if err != nil { 849 t.Errorf("Failed creating new request: %s", err) 850 } 851 852 addTokenAuthHeader(req, t) 853 854 err = client.SendReq(req, nil) 855 if err == nil { 856 t.Error("Incorrect auth type set, request should have failed with authorization error") 857 } 858 } 859 860 func addTokenAuthHeader(req *http.Request, t *testing.T) { 861 CSP := factory.GetDefault() 862 cert, err := ioutil.ReadFile("../testdata/ec.pem") 863 if err != nil { 864 t.Fatalf("Failed reading ec.pem: %s", err) 865 } 866 key, err := util.ImportBCCSPKeyFromPEM("../testdata/ec-key.pem", CSP, true) 867 if err != nil { 868 t.Fatalf("Failed importing key %s", err) 869 } 870 emptyByte := make([]byte, 0) 871 token, err := util.CreateToken(CSP, cert, key, req.Method, req.URL.RequestURI(), emptyByte) 872 if err != nil { 873 t.Fatalf("Failed to add token authorization header: %s", err) 874 } 875 req.Header.Set("authorization", token) 876 } 877 878 func perEndpointNegativeTests(endpoint string, authType string, t *testing.T) { 879 client := getRootClient() 880 emptyByte := make([]byte, 0) 881 turl := fmt.Sprintf("http://localhost:7055/%s?ca=bogus", endpoint) 882 req, err := http.NewRequest("POST", turl, bytes.NewReader(emptyByte)) 883 if err != nil { 884 t.Fatalf("Failed in NewRequest with %s", turl) 885 } 886 err = client.SendReq(req, nil) 887 if err == nil { 888 if authType != "" { 889 t.Fatalf("No authorization header; should have failed for %s", turl) 890 } else { 891 t.Fatalf("Bad CA should have failed for %s", turl) 892 } 893 } 894 switch authType { 895 case "none": 896 case "basic": 897 req.SetBasicAuth("admin", "adminpw") 898 case "token": 899 addTokenAuthHeader(req, t) 900 default: 901 t.Fatalf("Invalid auth type: %s", authType) 902 } 903 err = client.SendReq(req, nil) 904 if err == nil { 905 t.Errorf("Invalid CA should have failed for %s", turl) 906 } 907 } 908 909 func invalidBasicAuthorization(t *testing.T) { 910 client := getRootClient() 911 912 emptyByte := make([]byte, 0) 913 url := fmt.Sprintf("http://localhost:%d/register", rootPort) 914 req, err := http.NewRequest("POST", url, bytes.NewReader(emptyByte)) 915 if err != nil { 916 t.Error(err) 917 } 918 919 req.SetBasicAuth("admin", "adminpw") 920 921 err = client.SendReq(req, nil) 922 if err == nil { 923 t.Error("Incorrect auth type set for register request; it should have failed but passed") 924 } 925 } 926 927 func TestSRVTLSAuthClient(t *testing.T) { 928 cleanTestSlateSRV(t) 929 defer cleanTestSlateSRV(t) 930 931 testNoClientCert(t) 932 testInvalidRootCertWithNoClientAuth(t) 933 testInvalidRootCertWithClientAuth(t) 934 testClientAuth(t) 935 } 936 937 func TestSRVMultiCAConfigs(t *testing.T) { 938 t.Log("TestMultiCA...") 939 940 defer func() { 941 cleanMultiCADir(t) 942 err := os.RemoveAll("../testdata/ca-cert.pem") 943 if err != nil { 944 t.Errorf("RemoveAll failed: %s", err) 945 } 946 err = os.RemoveAll("../testdata/fabric-ca-server.db") 947 if err != nil { 948 t.Errorf("RemoveAll failed: %s", err) 949 } 950 err = os.RemoveAll("../testdata/msp") 951 if err != nil { 952 t.Errorf("RemoveAll failed: %s", err) 953 } 954 }() 955 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 956 srv.Config.CAfiles = []string{"ca/ca1/fabric-ca-server-config.yaml", "ca/ca1/fabric-ca-server-config.yaml", "ca/ca2/fabric-ca-server-config.yaml"} 957 958 srv.CA.Config.CSR.Hosts = []string{"hostname"} 959 t.Logf("Server configuration: %+v", srv.Config) 960 961 // Starting server with two cas with same name 962 err := srv.Start() 963 t.Logf("Start two CAs with the same name: %v", err) 964 if err == nil { 965 t.Error("Trying to create two CAs with the same name, server start should have failed") 966 } 967 968 // Starting server with a missing ca config file 969 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml", "ca/rootca/ca4/fabric-ca-server-config.yaml"} 970 err = srv.Start() 971 t.Logf("Start CA with missing config: %v", err) 972 if err == nil { 973 t.Error("Should have failed to start server, missing ca config file") 974 err = srv.Stop() 975 if err != nil { 976 t.Errorf("Failed to stop server: %s", err) 977 } 978 } 979 980 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml", "ca/rootca/ca3/fabric-ca-server-config.yaml"} 981 err = srv.Start() 982 t.Logf("Starting 3 CAs with a duplicated CN name: %s", err) 983 if err == nil { 984 t.Error("Should have failed to start server, CN name is the same across rootca2 and rootca3") 985 err = srv.Stop() 986 if err != nil { 987 t.Errorf("Failed to stop server: %s", err) 988 } 989 } 990 991 // Starting server with (bad) existing certificate 992 err = ioutil.WriteFile("../testdata/ca/rootca/ca1/ca-key.pem", make([]byte, 1), 0644) 993 t.Logf("Create err: %v", err) 994 if !util.FileExists("../testdata/ca/rootca/ca1/ca-key.pem") { 995 t.Fatal("../testdata/ca1/ca-key.pem doesn't exist") 996 } 997 err = ioutil.WriteFile("../testdata/ca/rootca/ca1/ca-cert.pem", make([]byte, 1), 0644) 998 t.Logf("Create err: %v", err) 999 if !util.FileExists("../testdata/ca/rootca/ca1/ca-cert.pem") { 1000 t.Fatal("../testdata/ca1/ca-cert.pem doesn't exist") 1001 } 1002 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml"} 1003 err = srv.Start() 1004 t.Logf("srv.Start ERROR %v", err) 1005 if err == nil { 1006 t.Error("Should have failed to start server, invalid cert") 1007 err = srv.Stop() 1008 if err != nil { 1009 t.Errorf("Failed to stop server: %s", err) 1010 } 1011 } 1012 1013 // Starting server with unreadable certificate 1014 keyfile := filepath.Join(os.TempDir(), "ca-key.pem") 1015 err = CopyFile("../testdata/ca/rootca/ca1/ca-key.pem", keyfile) 1016 if err != nil { 1017 t.Errorf("Failed to copy file: %s", err) 1018 } 1019 if err = os.Chmod(keyfile, 0000); err != nil { 1020 t.Errorf("Failed to chmod key file: , %v", err) 1021 } 1022 certfile := filepath.Join(os.TempDir(), "ca-cert.pem") 1023 err = CopyFile("../testdata/ca/rootca/ca1/ca-cert.pem", certfile) 1024 if err != nil { 1025 t.Errorf("Failed to copy file: %s", err) 1026 } 1027 if err = os.Chmod(certfile, 0000); err != nil { 1028 t.Errorf("Failed to chmod cert file:, %v", err) 1029 } 1030 configfile := filepath.Join(os.TempDir(), "ca-server-config.yaml") 1031 err = CopyFile("../testdata/ca/rootca/ca1/fabric-ca-server-config.yaml", configfile) 1032 if err != nil { 1033 t.Errorf("Failed to copy file: %s", err) 1034 } 1035 srv.Config.CAfiles = []string{configfile} 1036 err = srv.Start() 1037 t.Logf("srv.Start ERROR %v", err) 1038 if err == nil { 1039 t.Error("Should have failed to start server, unreadable cert") 1040 err = srv.Stop() 1041 if err != nil { 1042 t.Errorf("Failed to stop server: %s", err) 1043 } 1044 } 1045 err = os.Remove(keyfile) 1046 if err != nil { 1047 t.Errorf("Remove failed: %s", err) 1048 } 1049 err = os.Remove(certfile) 1050 if err != nil { 1051 t.Errorf("Remove failed: %s", err) 1052 } 1053 err = os.Remove(configfile) 1054 if err != nil { 1055 t.Errorf("Remove failed: %s", err) 1056 } 1057 err = os.RemoveAll(filepath.Join(os.TempDir(), "msp")) 1058 if err != nil { 1059 t.Errorf("RemoveAll failed: %s", err) 1060 } 1061 1062 testBadCryptoData(t, srv, []string{"../testdata/expiredcert.pem", "../testdata/tls_client-key.pem", "expired cert"}) 1063 testBadCryptoData(t, srv, []string{"../testdata/noKeyUsage.cert.pem", "../testdata/noKeyUsage.key.pem", "invalid usage cert"}) 1064 testBadCryptoData(t, srv, []string{"../testdata/caFalse.cert.pem", "../testdata/caFalse.key.pem", "invalid Basic Constraints"}) 1065 testBadCryptoData(t, srv, []string{"../testdata/dsaCa-cert.pem", "../testdata/dsaCa-key.pem", "invalid key type"}) 1066 testBadCryptoData(t, srv, []string{"../testdata/dsaCa-cert.pem", "../testdata/dsaCa-key.pem", "invalid key type"}) 1067 testBadCryptoData(t, srv, []string{"../testdata/rsa512-cert.pem", "../testdata/rsa512-key.pem", "key too short"}) 1068 testBadCryptoData(t, srv, []string{"../testdata/ec256-1-cert.pem", "../testdata/ec256-2-key.pem", "non-matching ecdsa key"}) 1069 testBadCryptoData(t, srv, []string{"../testdata/rsa2048-1-cert.pem", "../testdata/rsa2048-2-key.pem", "non-matching rsa key"}) 1070 testBadCryptoData(t, srv, []string{"../testdata/ec256-1-cert.pem", "../testdata/rsa2048-1-cert.pem", "non-matching key type"}) 1071 1072 // Starting server with correct configuration 1073 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml"} 1074 t.Logf("Server configuration: %+v\n\n", srv.Config) 1075 1076 err = srv.Start() 1077 if err != nil { 1078 t.Fatal("Failed to start server:", err) 1079 } 1080 1081 if !util.FileExists("../testdata/ca/rootca/ca1/fabric-ca-server.db") { 1082 t.Error("Failed to correctly add ca1") 1083 } 1084 1085 if !util.FileExists("../testdata/ca/rootca/ca2/fabric-ca2-server.db") { 1086 t.Error("Failed to correctly add ca2") 1087 } 1088 1089 // Non-existent CA specified by client 1090 clientCA := getRootClient() 1091 _, err = clientCA.Enroll(&api.EnrollmentRequest{ 1092 Name: "admin", 1093 Secret: "adminpw", 1094 CAName: "rootca3", 1095 }) 1096 if err == nil { 1097 t.Error("Should have failed, client using ca name of 'ca3' but no CA exist by that name on server") 1098 } 1099 1100 //Send enroll request to specific CA 1101 clientCA1 := getRootClient() 1102 _, err = clientCA1.Enroll(&api.EnrollmentRequest{ 1103 Name: "adminca1", 1104 Secret: "adminca1pw", 1105 CAName: "rootca1", 1106 }) 1107 if err != nil { 1108 t.Error("Failed to enroll, error: ", err) 1109 } 1110 1111 clientCA2 := getRootClient() 1112 resp, err := clientCA2.Enroll(&api.EnrollmentRequest{ 1113 Name: "admin", 1114 Secret: "adminpw", 1115 CAName: "rootca2", 1116 }) 1117 if err != nil { 1118 t.Error("Failed to enroll, error: ", err) 1119 } 1120 1121 _, err = resp.Identity.Reenroll(&api.ReenrollmentRequest{ 1122 CAName: "rootca2", 1123 }) 1124 if err != nil { 1125 t.Error("Failed to reenroll, error: ", err) 1126 } 1127 1128 // User enrolled with rootca2, should not be able to reenroll with rootca1 1129 _, err = resp.Identity.Reenroll(&api.ReenrollmentRequest{ 1130 CAName: "rootca1", 1131 }) 1132 if err == nil { 1133 t.Error("Should have failed to reenroll a user with a different CA") 1134 } 1135 1136 // No ca name specified should sent to default CA 'ca' 1137 clientCA3 := getRootClient() 1138 _, err = clientCA3.Enroll(&api.EnrollmentRequest{ 1139 Name: "admin", 1140 Secret: "adminpw", 1141 }) 1142 if err != nil { 1143 t.Error("Failed to enroll, error: ", err) 1144 } 1145 1146 err = srv.Stop() 1147 if err != nil { 1148 t.Error("Failed to stop server:", err) 1149 } 1150 1151 // Starting server with correct configuration and pre-existing cert/key 1152 err = os.Remove("../testdata/ca/rootca/ca1/ca-cert.pem") 1153 if err != nil { 1154 t.Errorf("Remove failed: %s", err) 1155 } 1156 srv = getServer(rootPort, testdataDir, "", 0, t) 1157 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml"} 1158 t.Logf("Server configuration: %+v\n\n", srv.Config) 1159 1160 err = CopyFile("../testdata/ec256-1-cert.pem", "../testdata/ca/rootca/ca1/ca-cert.pem") 1161 if err != nil { 1162 t.Fatalf("Failed to copy ec256-1 cert to ../testdata/ca1/ca-cert.pem failed %v", err) 1163 } 1164 err = CopyFile("../testdata/ec256-1-key.pem", "../testdata/ca/rootca/ca1/ca-key.pem") 1165 if err != nil { 1166 t.Fatalf("Failed to copy key to ../testdata/ca/rootca/ca1/ca-key.pem failed %v", err) 1167 } 1168 1169 err = srv.Start() 1170 if err != nil { 1171 t.Fatal("Failed to start server:", err) 1172 } 1173 1174 err = srv.Stop() 1175 if err != nil { 1176 t.Error("Failed to stop server:", err) 1177 } 1178 1179 } 1180 1181 func TestSRVDefaultCAWithSetCAName(t *testing.T) { 1182 defer func() { 1183 err := os.RemoveAll("../testdata/ca-cert.pem") 1184 if err != nil { 1185 t.Errorf("RemoveAll failed: %s", err) 1186 } 1187 err = os.RemoveAll("../testdata/fabric-ca-server.db") 1188 if err != nil { 1189 t.Errorf("RemoveAll failed: %s", err) 1190 } 1191 err = os.RemoveAll("../testdata/msp") 1192 if err != nil { 1193 t.Errorf("RemoveAll failed: %s", err) 1194 } 1195 }() 1196 1197 srv := getServer(rootPort, testdataDir, "", -1, t) 1198 srv.CA.Config.CA.Name = "DefaultCA" 1199 1200 err := srv.Start() 1201 if err != nil { 1202 t.Fatal("Failed to start server:", err) 1203 } 1204 1205 // No ca name specified should sent to default CA 'ca' 1206 client := getRootClient() 1207 _, err = client.Enroll(&api.EnrollmentRequest{ 1208 Name: "admin", 1209 Secret: "adminpw", 1210 }) 1211 if err != nil { 1212 t.Error("Failed to enroll, error: ", err) 1213 } 1214 1215 err = srv.Stop() 1216 if err != nil { 1217 t.Error("Failed to stop server:", err) 1218 } 1219 } 1220 1221 func TestSRVMultiCAWithIntermediate(t *testing.T) { 1222 defer func() { 1223 cleanMultiCADir(t) 1224 err := os.RemoveAll("../testdata/ca-cert.pem") 1225 if err != nil { 1226 t.Errorf("RemoveAll failed: %s", err) 1227 } 1228 err = os.RemoveAll("../testdata/fabric-ca-server.db") 1229 if err != nil { 1230 t.Errorf("RemoveAll failed: %s", err) 1231 } 1232 err = os.RemoveAll("../testdata/msp") 1233 if err != nil { 1234 t.Errorf("RemoveAll failed: %s", err) 1235 } 1236 err = os.RemoveAll("../testdata/IssuerPublicKey") 1237 if err != nil { 1238 t.Errorf("RemoveAll failed: %s", err) 1239 } 1240 err = os.RemoveAll("../testdata/IssuerSecretKey") 1241 if err != nil { 1242 t.Errorf("RemoveAll failed: %s", err) 1243 } 1244 err = os.RemoveAll("../testdata/IssuerRevocationPublicKey") 1245 if err != nil { 1246 t.Errorf("RemoveAll failed: %s", err) 1247 } 1248 }() 1249 1250 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1251 srv.Config.CAfiles = []string{"ca/rootca/ca1/fabric-ca-server-config.yaml", "ca/rootca/ca2/fabric-ca-server-config.yaml"} 1252 srv.CA.Config.CSR.Hosts = []string{"hostname"} 1253 t.Logf("Server configuration: %+v\n", srv.Config) 1254 1255 // Starting server with two cas with same name 1256 err := srv.Start() 1257 if err != nil { 1258 t.Fatalf("Failed to start server: %s", err) 1259 } 1260 1261 intermediatesrv := TestGetServer(intermediatePort, testdataDir, "", -1, t) 1262 intermediatesrv.Config.CAcount = 2 1263 intermediatesrv.Config.CAcfg.Intermediate.ParentServer.URL = fmt.Sprintf("http://adminca1:adminca1pw@localhost:%d", rootPort) 1264 intermediatesrv.CA.Config.CSR.Hosts = []string{"hostname"} 1265 1266 err = intermediatesrv.Start() 1267 assert.Error(t, err, "Error is expected if cacount is greater than 0 for intermediate CA") 1268 1269 intermediatesrv.Config.CAfiles = []string{"ca/intermediateca/ca1/fabric-ca-server-config.yaml", "ca/intermediateca/ca2/fabric-ca-server-config.yaml"} 1270 err = intermediatesrv.Start() 1271 assert.Error(t, err, "Error is expected if both cacount and cafiles are specified") 1272 1273 intermediatesrv.Config.CAcount = 0 1274 intermediatesrv.Config.CAcfg.Intermediate.ParentServer.URL = "" 1275 1276 // Start it 1277 err = intermediatesrv.Start() 1278 if err != nil { 1279 t.Errorf("Failed to start intermediate server: %s", err) 1280 } 1281 // Stop it 1282 err = intermediatesrv.Stop() 1283 if err != nil { 1284 t.Error("Failed to stop intermediate server: ", err) 1285 } 1286 1287 if !util.FileExists("../testdata/ca/intermediateca/ca1/ca-chain.pem") { 1288 t.Error("Failed to enroll intermediate ca") 1289 } 1290 1291 err = srv.Stop() 1292 if err != nil { 1293 t.Error("Failed to stop server: ", err) 1294 } 1295 1296 // Make sure there is no host name in the intermediate CA cert 1297 err = util.CheckHostsInCert(filepath.Join("../testdata/ca/intermediateca/ca1", "ca-cert.pem"), "testhost1") 1298 if err == nil { 1299 t.Error("Intermediate CA should not contain a hostname, but does") 1300 } 1301 } 1302 1303 func TestSRVDefaultMultiCA(t *testing.T) { 1304 t.Log("TestDefaultMultiCA...") 1305 defer func() { 1306 err := os.RemoveAll("../testdata/msp") 1307 if err != nil { 1308 t.Errorf("RemoveAll failed: %s", err) 1309 } 1310 err = os.RemoveAll("multica") 1311 if err != nil { 1312 t.Errorf("RemoveAll failed: %s", err) 1313 } 1314 }() 1315 srv := TestGetServer(rootPort, "multica", "", -1, t) 1316 srv.Config.CAcount = 4 // Starting 4 default CA instances 1317 srv.Config.CAfiles = []string{"fabric-ca1-config.yaml"} 1318 1319 err := srv.Start() 1320 if err == nil { 1321 t.Error("Both cacount and cafiles set, should have failed to start server") 1322 err = srv.Stop() 1323 if err != nil { 1324 t.Errorf("Failed to stop server: %s", err) 1325 } 1326 } 1327 1328 srv.Config.CAfiles = []string{} 1329 1330 err = srv.Start() 1331 if err != nil { 1332 t.Error("Failed to start server: ", err) 1333 } 1334 1335 //Send enroll request to specific CA 1336 clientCA1 := getRootClient() 1337 _, err = clientCA1.Enroll(&api.EnrollmentRequest{ 1338 Name: "admin", 1339 Secret: "adminpw", 1340 CAName: "ca4", 1341 }) 1342 if err != nil { 1343 t.Error("Failed to enroll, error: ", err) 1344 } 1345 1346 if srv.DBAccessor() == nil { 1347 t.Error("No registry found") 1348 } 1349 1350 err = srv.Stop() 1351 if err != nil { 1352 t.Error("Failed to stop server: ", err) 1353 } 1354 } 1355 1356 // Test the combination of multiple CAs in both root and intermediate servers. 1357 func TestSRVMultiCAIntermediates(t *testing.T) { 1358 myTestDir := "multicaIntermediates" 1359 err := os.RemoveAll(myTestDir) 1360 if err != nil { 1361 t.Errorf("RemoveAll failed: %s", err) 1362 } 1363 defer func(t *testing.T) { 1364 err = os.RemoveAll(myTestDir) 1365 if err != nil { 1366 t.Errorf("RemoveAll failed: %s", err) 1367 } 1368 }(t) 1369 // Start the root server with 2 non-default CAs 1370 rootServer := TestGetServer(rootPort, path.Join(myTestDir, "root"), "", -1, t) 1371 rootServer.Config.CAcount = 2 1372 err = rootServer.Start() 1373 if err != nil { 1374 t.Fatalf("Failed to start root CA: %s", err) 1375 } 1376 home := path.Join(myTestDir, "intermediate") 1377 parentURL := fmt.Sprintf("http://admin:adminpw@localhost:%d", rootPort) 1378 intServer := TestGetServer(0, home, parentURL, -1, t) 1379 intServer.Config.CAfiles = []string{"ca1/ca1.yaml", "ca2/ca2.yaml"} 1380 ca1home := filepath.Join(home, "ca1") 1381 ca2home := filepath.Join(home, "ca2") 1382 1383 // Negative Case - same CA name from two intermediate CAs sent to the same root CA 1384 // Check that CA file paths are getting printed 1385 // Create ca1.yaml and ca2.yaml for the intermediate server CAs 1386 writeCAFile("ca1", "ca1", "ca1", ca1home, rootPort, t) 1387 writeCAFile("ca1", "ca2", "ca2", ca2home, rootPort, t) 1388 err = intServer.Init(false) 1389 if assert.Error(t, err) { 1390 assert.Contains(t, err.Error(), ca1home) 1391 assert.Contains(t, err.Error(), ca2home) 1392 } 1393 err = rootServer.Stop() 1394 if err != nil { 1395 t.Error("Failed to stop server: ", err) 1396 } 1397 1398 err = os.RemoveAll(myTestDir) 1399 if err != nil { 1400 t.Fatalf("RemoveAll failed: %s", err) 1401 } 1402 1403 // Negative Case - same subject distinguished name from two intermediate CAs sent to the same root CA 1404 // Create ca1.yaml and ca2.yaml for the intermediate server CAs 1405 rootServer = TestGetServer(rootPort, path.Join(myTestDir, "root"), "", -1, t) // reset server from last run above 1406 rootServer.Config.CAcount = 2 1407 err = rootServer.Start() 1408 if err != nil { 1409 t.Fatalf("Failed to start root CA: %s", err) 1410 } 1411 writeCAFile("ca1", "ca1", "ca1", ca1home, rootPort, t) 1412 writeCAFile("ca2", "ca1", "ca2", ca2home, rootPort, t) 1413 err = intServer.Init(false) 1414 if assert.Error(t, err) { 1415 assert.Contains(t, err.Error(), "Both issuer and subject distinguished name are already in use") 1416 } 1417 err = rootServer.Stop() 1418 if err != nil { 1419 t.Error("Failed to stop server: ", err) 1420 } 1421 err = os.RemoveAll(myTestDir) 1422 if err != nil { 1423 t.Errorf("RemoveAll failed: %s", err) 1424 } 1425 1426 // Positive Case - same subject distinguished names from two intermediate CAs sent to two different root CAs 1427 rootServer = TestGetServer(rootPort, path.Join(myTestDir, "root"), "", -1, t) // reset server from last run above 1428 rootServer.Config.CAcount = 2 1429 err = rootServer.Start() 1430 if err != nil { 1431 t.Fatalf("Failed to start root CA: %s", err) 1432 } 1433 writeCAFile("ca1", "ca1", "ca1", ca1home, rootPort, t) 1434 writeCAFile("ca2", "ca2", "ca2", ca2home, rootPort, t) 1435 // Init the intermediate server 1436 err = intServer.Init(false) 1437 if err != nil { 1438 t.Fatalf("Failed to initialize intermediate server: %s", err) 1439 } 1440 err = rootServer.Stop() 1441 if err != nil { 1442 t.Error("Failed to stop server: ", err) 1443 } 1444 } 1445 1446 func TestSRVMaxEnrollmentInfinite(t *testing.T) { 1447 t.Log("Test max enrollment infinite") 1448 err := os.RemoveAll(rootDir) 1449 if err != nil { 1450 t.Errorf("RemoveAll failed: %s", err) 1451 } 1452 // Starting server/ca with infinite enrollments 1453 srv := TestGetServer(rootPort, rootDir, "", -1, t) 1454 err = srv.Start() 1455 if err != nil { 1456 t.Fatalf("Server start failed: %s", err) 1457 } 1458 defer func() { 1459 err = srv.Stop() 1460 if err != nil { 1461 t.Errorf("Failed to stop server: %s", err) 1462 } 1463 err = os.RemoveAll("../testdata/msp") 1464 if err != nil { 1465 t.Errorf("RemoveAll failed: %s", err) 1466 } 1467 err = os.RemoveAll(rootDir) 1468 if err != nil { 1469 t.Errorf("RemoveAll failed: %s", err) 1470 } 1471 }() 1472 client := getRootClient() 1473 id, err := client.Enroll(&api.EnrollmentRequest{ 1474 Name: "admin", 1475 Secret: "adminpw", 1476 }) 1477 if err != nil { 1478 t.Error("Enrollment failed, error: ", err) 1479 } 1480 id.Identity.Store() 1481 // Names of users are of the form: 1482 // me_<client's max enrollment setting>_<server's max enrollment setting> 1483 // where "me" stands for "max enrollments" 1484 1485 // Registering user with missing max enrollment value 1486 _, err = id.Identity.Register(&api.RegistrationRequest{ 1487 Name: "me_missing_-1", 1488 Type: "client", 1489 Affiliation: "org2", 1490 }) 1491 if err != nil { 1492 t.Errorf("Failed to register me_missing_-1, error: %s", err) 1493 } 1494 1495 // Registering user with infinite max enrollments (-1) 1496 _, err = id.Identity.Register(&api.RegistrationRequest{ 1497 Name: "me_-1_-1", 1498 Type: "client", 1499 Affiliation: "org2", 1500 MaxEnrollments: -1, 1501 }) 1502 if err != nil { 1503 t.Errorf("Failed to register me_-1_-1, error: %s", err) 1504 } 1505 1506 // Registering user with zero max enrollments, will take value of CA's max enrollment 1507 _, err = id.Identity.Register(&api.RegistrationRequest{ 1508 Name: "me_0_-1", 1509 Type: "client", 1510 Affiliation: "org2", 1511 MaxEnrollments: 0, 1512 }) 1513 if err != nil { 1514 t.Errorf("Failed to register me_0_-1, error: %s", err) 1515 } 1516 1517 // Registering user with 1000 max enrollments 1518 _, err = id.Identity.Register(&api.RegistrationRequest{ 1519 Name: "me_1000_-1", 1520 Type: "client", 1521 Affiliation: "org2", 1522 MaxEnrollments: 1000, 1523 }) 1524 if err != nil { 1525 t.Errorf("Failed to register me_1000_-1, error: %s", err) 1526 } 1527 } 1528 1529 func TestSRVMaxEnrollmentDisabled(t *testing.T) { 1530 t.Log("Test max enrollment disabled") 1531 err := os.RemoveAll(rootDir) 1532 if err != nil { 1533 t.Errorf("RemoveAll failed: %s", err) 1534 } 1535 // Starting server/ca with infinite enrollments 1536 srv := TestGetServer(rootPort, rootDir, "", -1, t) 1537 err = srv.Start() 1538 if err != nil { 1539 t.Fatalf("Server start failed: %s", err) 1540 } 1541 // Clean up when done 1542 defer func() { 1543 err = srv.Stop() 1544 if err != nil { 1545 t.Errorf("Failed to stop server: %s", err) 1546 } 1547 err = os.RemoveAll("../testdata/msp") 1548 if err != nil { 1549 t.Errorf("RemoveAll failed: %s", err) 1550 } 1551 err = os.RemoveAll(rootDir) 1552 if err != nil { 1553 t.Errorf("RemoveAll failed: %s", err) 1554 } 1555 }() 1556 client := getRootClient() 1557 id, err := client.Enroll(&api.EnrollmentRequest{ 1558 Name: "admin", 1559 Secret: "adminpw", 1560 }) 1561 if err != nil { 1562 t.Errorf("Enrollment failed: %s", err) 1563 } 1564 // Disable enrollment 1565 srv.CA.Config.Registry.MaxEnrollments = 0 1566 // Make sure both registration and enrollment fail 1567 _, err = id.Identity.Register(&api.RegistrationRequest{ 1568 Name: "me_0_0", 1569 Type: "client", 1570 Affiliation: "org2", 1571 }) 1572 if err == nil { 1573 t.Error("Registration should have failed but didn't") 1574 } 1575 _, err = client.Enroll(&api.EnrollmentRequest{ 1576 Name: "admin", 1577 Secret: "adminpw", 1578 }) 1579 if err == nil { 1580 t.Error("Enrollment should have failed but didn't") 1581 } 1582 // deferred cleanup 1583 } 1584 1585 func TestSRVMaxEnrollmentLimited(t *testing.T) { 1586 err := os.RemoveAll(rootDir) 1587 if err != nil { 1588 t.Errorf("RemoveAll failed: %s", err) 1589 } 1590 t.Log("Test max enrollment limited") 1591 1592 // Starting server/ca with max enrollments of 1 1593 srv := TestGetServer(rootPort, rootDir, "", 1, t) 1594 err = srv.Start() 1595 if err != nil { 1596 t.Fatalf("Server start failed: %s", err) 1597 } 1598 // Clean up when done 1599 defer func() { 1600 err = srv.Stop() 1601 if err != nil { 1602 t.Errorf("Failed to stop server: %s", err) 1603 } 1604 err = os.RemoveAll("../testdata/msp") 1605 if err != nil { 1606 t.Errorf("RemoveAll failed: %s", err) 1607 } 1608 err = os.RemoveAll(rootDir) 1609 if err != nil { 1610 t.Errorf("RemoveAll failed: %s", err) 1611 } 1612 }() 1613 client := getRootClient() 1614 id, err := client.Enroll(&api.EnrollmentRequest{ 1615 Name: "admin", 1616 Secret: "adminpw", 1617 }) 1618 if err != nil { 1619 t.Fatalf("Enrollment failed, error: %s", err) 1620 } 1621 id.Identity.Store() 1622 _, err = client.Enroll(&api.EnrollmentRequest{ 1623 Name: "admin", 1624 Secret: "adminpw", 1625 }) 1626 if err == nil { 1627 t.Error("Enrollments should have been limited to 1 but allowed 2") 1628 } 1629 // Registering user with missing max enrollment value 1630 // Names of users are of the form: 1631 // me_<client's max enrollment setting>_<server's max enrollment setting> 1632 // where "me" stands for "max enrollments" 1633 _, err = id.Identity.Register(&api.RegistrationRequest{ 1634 Name: "me_-1_1", 1635 Type: "client", 1636 Affiliation: "org2", 1637 MaxEnrollments: -1, 1638 }) 1639 if err == nil { 1640 t.Error("Should have failed to register infinite but didn't") 1641 } 1642 _, err = id.Identity.Register(&api.RegistrationRequest{ 1643 Name: "me_0_1", 1644 Type: "client", 1645 Affiliation: "org2", 1646 MaxEnrollments: 0, 1647 }) 1648 if err != nil { 1649 t.Errorf("Failed to register me_0_1, error: %s", err) 1650 } 1651 user, err := srv.CA.DBAccessor().GetUser("me_0_1", nil) 1652 if err != nil { 1653 t.Errorf("Failed to find user 'me_0_1,' in database") 1654 } 1655 if user.GetMaxEnrollments() != 1 { 1656 t.Error("Failed to correctly set max enrollment value for a user registering with max enrollment of 0") 1657 } 1658 _, err = id.Identity.Register(&api.RegistrationRequest{ 1659 Name: "me_1_1", 1660 Type: "client", 1661 Affiliation: "org2", 1662 MaxEnrollments: 1, 1663 }) 1664 if err != nil { 1665 t.Errorf("Failed to register me_1_1, error: %s", err) 1666 } 1667 _, err = id.Identity.Register(&api.RegistrationRequest{ 1668 Name: "me_2_1", 1669 Type: "client", 1670 Affiliation: "org2", 1671 MaxEnrollments: 2, 1672 }) 1673 if err == nil { 1674 t.Error("Should have failed to register me_2_1 but didn't") 1675 } 1676 // deferred cleanup 1677 } 1678 1679 // Get certificate using the TLS profile on the server to retrieve a certificate to be used for TLS connection 1680 func TestTLSCertIssuance(t *testing.T) { 1681 testDir := "tlsTestDir" 1682 err := os.RemoveAll(testDir) 1683 if err != nil { 1684 t.Errorf("RemoveAll failed: %s", err) 1685 } 1686 defer func() { 1687 err = os.RemoveAll(testDir) 1688 if err != nil { 1689 t.Errorf("RemoveAll failed: %s", err) 1690 } 1691 }() 1692 srv := TestGetServer(rootPort, testDir, "", -1, t) 1693 err = srv.Start() 1694 if err != nil { 1695 t.Fatalf("Root server start failed: %s", err) 1696 } 1697 stopserver := true 1698 defer func() { 1699 if stopserver { 1700 err = srv.Stop() 1701 if err != nil { 1702 t.Errorf("Failed to stop server: %s", err) 1703 } 1704 } 1705 }() 1706 client := &Client{ 1707 Config: &ClientConfig{URL: fmt.Sprintf("http://localhost:%d", rootPort)}, 1708 HomeDir: testDir, 1709 } 1710 eresp, err := client.Enroll(&api.EnrollmentRequest{ 1711 Name: "admin", 1712 Secret: "adminpw", 1713 Profile: "tls", 1714 CSR: &api.CSRInfo{Hosts: []string{"localhost"}}, 1715 }) 1716 if err != nil { 1717 t.Fatalf("Failed to enroll: %s", err) 1718 } 1719 tlsCertBytes := eresp.Identity.GetECert().Cert() 1720 cert, err := util.GetX509CertificateFromPEM(tlsCertBytes) 1721 if err != nil { 1722 t.Fatalf("Failed to get certificate: %s", err) 1723 } 1724 // Check if the certificate has correct key usages 1725 if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 || cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 || cert.KeyUsage&x509.KeyUsageKeyAgreement == 0 { 1726 t.Fatal("Certificate does not have correct extended key usage. Should have Digital Signature, Key Encipherment, and Key Agreement") 1727 } 1728 // Check if the certificate has correct extended key usages 1729 clientAuth := false 1730 serverAuth := false 1731 for _, usage := range cert.ExtKeyUsage { 1732 if usage == x509.ExtKeyUsageClientAuth { 1733 clientAuth = true 1734 } 1735 if usage == x509.ExtKeyUsageServerAuth { 1736 serverAuth = true 1737 } 1738 } 1739 if !clientAuth || !serverAuth { 1740 t.Fatal("Certificate does not have correct extended key usage. Should have ExtKeyUsageServerAuth and ExtKeyUsageClientAuth") 1741 } 1742 1743 stopserver = false 1744 err = srv.Stop() 1745 if err != nil { 1746 t.Fatalf("Failed to stop server: %s", err) 1747 } 1748 1749 // Write the TLS certificate to disk 1750 os.MkdirAll(testDir, 0755) 1751 tlsCertFile := path.Join(testDir, "tls-cert.pem") 1752 err = util.WriteFile(tlsCertFile, tlsCertBytes, 0644) 1753 if err != nil { 1754 t.Fatalf("Failed to write TLS certificate file: %s", err) 1755 } 1756 // Get a new server with TLS enabled 1757 srv = TestGetServer2(false, rootPort, testDir, "", -1, t) 1758 srv.Config.TLS.Enabled = true 1759 srv.Config.TLS.CertFile = "tls-cert.pem" 1760 // Start the server 1761 err = srv.Start() 1762 if err != nil { 1763 t.Fatalf("TLS server start failed: %s", err) 1764 } 1765 stopserver = true 1766 // Connect to the server over TLS 1767 cfg := &ClientConfig{URL: fmt.Sprintf("https://localhost:%d", rootPort)} 1768 cfg.TLS.Enabled = true 1769 cfg.TLS.CertFiles = []string{"ca-cert.pem"} 1770 client = &Client{Config: cfg, HomeDir: testDir} 1771 eresp, err = client.Enroll(&api.EnrollmentRequest{ 1772 Name: "admin", 1773 Secret: "adminpw", 1774 }) 1775 if err != nil { 1776 t.Fatalf("Failed to enroll over TLS: %s", err) 1777 } 1778 } 1779 1780 // Configure server to start server with no client authentication required 1781 func testNoClientCert(t *testing.T) { 1782 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1783 srv = getTLSConfig(srv, "NoClientCert", []string{}) 1784 1785 err := srv.Start() 1786 if err != nil { 1787 t.Fatalf("Root server start failed: %s", err) 1788 } 1789 1790 clientConfig := &ClientConfig{ 1791 URL: fmt.Sprintf("https://localhost:%d", rootPort), 1792 TLS: libtls.ClientTLSConfig{ 1793 CertFiles: []string{"../testdata/root.pem"}, 1794 }, 1795 } 1796 1797 rawURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 1798 1799 _, err = clientConfig.Enroll(rawURL, testdataDir) 1800 if err != nil { 1801 t.Errorf("Failed to enroll over TLS with no client authentication required: %s", err) 1802 } 1803 1804 err = srv.Stop() 1805 if err != nil { 1806 t.Errorf("Failed to stop server: %s", err) 1807 } 1808 } 1809 1810 // Configure server to start with no client authentication required 1811 // Root2.pem does not exists, server should still start because no client auth is requred 1812 func testInvalidRootCertWithNoClientAuth(t *testing.T) { 1813 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1814 srv = getTLSConfig(srv, "NoClientCert", []string{"../testdata/root.pem", "../testdata/root2.pem"}) 1815 1816 err := srv.Start() 1817 if err != nil { 1818 t.Fatalf("Root server start failed: %s", err) 1819 } 1820 1821 err = srv.Stop() 1822 if err != nil { 1823 t.Errorf("Failed to stop server: %s", err) 1824 } 1825 } 1826 1827 // Configure server to start with client authentication required 1828 // Root2.pem does not exists, server should fail to start 1829 func testInvalidRootCertWithClientAuth(t *testing.T) { 1830 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1831 srv = getTLSConfig(srv, "RequireAndVerifyClientCert", []string{"../testdata/root.pem", "../testdata/root2.pem"}) 1832 1833 err := srv.Start() 1834 if err == nil { 1835 t.Error("Root2.pem does not exists, server should have failed to start") 1836 err = srv.Stop() 1837 if err != nil { 1838 t.Errorf("Failed to stop server: %s", err) 1839 } 1840 } 1841 } 1842 1843 // Configure server to start with client authentication required 1844 func testClientAuth(t *testing.T) { 1845 srv := TestGetServer(rootPort, testdataDir, "", -1, t) 1846 srv = getTLSConfig(srv, "RequireAndVerifyClientCert", []string{"../testdata/root.pem"}) 1847 1848 err := srv.Start() 1849 if err != nil { 1850 t.Fatalf("Root server start failed: %s", err) 1851 } 1852 1853 clientConfig := &ClientConfig{ 1854 URL: fmt.Sprintf("https://localhost:%d", rootPort), 1855 TLS: libtls.ClientTLSConfig{ 1856 CertFiles: []string{"../testdata/root.pem"}, 1857 }, 1858 } 1859 1860 rawURL := fmt.Sprintf("https://admin:adminpw@localhost:%d", rootPort) 1861 1862 // Enrolling without any client certificate and key information set 1863 _, err = clientConfig.Enroll(rawURL, testdataDir) 1864 if err == nil { 1865 t.Errorf("Client Auth Type: RequireAndVerifyClientCert, should have failed as no client cert was provided") 1866 } 1867 1868 // Client created with certificate and key for TLS 1869 clientConfig = &ClientConfig{ 1870 URL: fmt.Sprintf("https://localhost:%d", rootPort), 1871 TLS: libtls.ClientTLSConfig{ 1872 CertFiles: []string{"../testdata/root.pem"}, 1873 Client: libtls.KeyCertFiles{ 1874 KeyFile: "../testdata/tls_client-key.pem", 1875 CertFile: "../testdata/tls_client-cert.pem", 1876 }, 1877 }, 1878 } 1879 1880 _, err = clientConfig.Enroll(rawURL, testdataDir) 1881 if err != nil { 1882 t.Errorf("Client Auth Type: RequireAndVerifyClientCert, failed to enroll over TLS with client certificate provided") 1883 } 1884 1885 err = srv.Stop() 1886 if err != nil { 1887 t.Errorf("Failed to stop server: %s", err) 1888 } 1889 } 1890 1891 func testIntermediateServer(idx int, t *testing.T) { 1892 // Init the intermediate server 1893 intermediateServer := TestGetIntermediateServer(idx, t) 1894 if intermediateServer == nil { 1895 return 1896 } 1897 err := intermediateServer.Init(true) 1898 if err != nil { 1899 t.Fatalf("Intermediate server init failed: %s", err) 1900 } 1901 // Verify that the duration of the newly created intermediate certificate is 5 years 1902 d, err := util.GetCertificateDurationFromFile(path.Join(intermediateServer.HomeDir, "ca-cert.pem")) 1903 assert.NoError(t, err) 1904 assert.True(t, int(d.Hours()) == 43800, fmt.Sprintf("Expecting 43800 but found %f", d.Hours())) 1905 // Start it 1906 err = intermediateServer.Start() 1907 if err != nil { 1908 t.Fatalf("Intermediate server start failed: %s", err) 1909 } 1910 defer func() { 1911 err = intermediateServer.Stop() 1912 if err != nil { 1913 t.Errorf("Failed to stop server: %s", err) 1914 } 1915 1916 err = os.RemoveAll(intermediateDir) 1917 if err != nil { 1918 t.Errorf("RemoveAll failed: %s", err) 1919 } 1920 }() 1921 // Test enroll against intermediate (covering basic auth) 1922 c := getTestClient(intermediateServer.Config.Port) 1923 resp, err := c.Enroll(&api.EnrollmentRequest{Name: "admin", Secret: "adminpw"}) 1924 if err != nil { 1925 t.Fatalf("Failed to enroll with intermediate server: %s", err) 1926 } 1927 1928 // Test reenroll against intermediate (covering token auth) 1929 _, err = resp.Identity.Reenroll(&api.ReenrollmentRequest{}) 1930 if err != nil { 1931 t.Fatalf("Failed to reenroll with intermediate server: %s", err) 1932 } 1933 1934 // deferred cleanup 1935 } 1936 1937 func TestUnmarshalConfig(t *testing.T) { 1938 cfg := &ServerConfig{} 1939 cfgFile := "../testdata/testviperunmarshal.yaml" 1940 err := UnmarshalConfig(cfg, viper.GetViper(), cfgFile, true) 1941 if err != nil { 1942 t.Errorf("UnmarshalConfig failed: %s", err) 1943 } 1944 err = UnmarshalConfig(cfg, viper.GetViper(), "foo.yaml", true) 1945 if err == nil { 1946 t.Error("UnmarshalConfig invalid file passed but should have failed") 1947 } 1948 } 1949 1950 // TestSqliteLocking tests to ensure that "database is locked" 1951 // error does not occur when multiple requests are sent at the 1952 // same time. 1953 // This test assumes that sqlite is the database used in the tests 1954 func TestSRVSqliteLocking(t *testing.T) { 1955 // Start the server 1956 server := TestGetServer(rootPort, rootDir, "", -1, t) 1957 if server == nil { 1958 return 1959 } 1960 err := server.Start() 1961 if err != nil { 1962 t.Fatalf("Server start failed: %s", err) 1963 } 1964 // Clean up when done 1965 defer func() { 1966 err = server.Stop() 1967 if err != nil { 1968 t.Errorf("Failed to stop server: %s", err) 1969 } 1970 err = os.RemoveAll("../testdata/msp") 1971 if err != nil { 1972 t.Errorf("RemoveAll failed: %s", err) 1973 } 1974 err = os.RemoveAll(rootDir) 1975 if err != nil { 1976 t.Errorf("RemoveAll failed: %s", err) 1977 } 1978 }() 1979 1980 // Enroll bootstrap user 1981 client := getRootClient() 1982 eresp, err := client.Enroll(&api.EnrollmentRequest{ 1983 Name: "admin", 1984 Secret: "adminpw", 1985 }) 1986 if err != nil { 1987 t.Fatalf("Failed to enroll bootstrap user: %s", err) 1988 } 1989 admin := eresp.Identity 1990 errs := make(chan error) 1991 users := 30 1992 // Register users 1993 for i := 0; i < users; i++ { 1994 n := "user" + strconv.Itoa(i) 1995 go func(admin *Identity, name string) { 1996 _, err := admin.Register(&api.RegistrationRequest{ 1997 Name: name, 1998 Type: "user", 1999 Affiliation: "hyperledger.fabric.security", 2000 }) 2001 errs <- err 2002 }(admin, n) 2003 } 2004 for i := 0; ; { 2005 err = <-errs 2006 // Should not see "database is locked" error 2007 if err != nil && strings.Contains(err.Error(), "database is locked") { 2008 t.Fatalf("Failed to register: %s", err) 2009 } 2010 // If we have heard from all the go routines, break to exit the test 2011 if i++; i == users { 2012 break 2013 } 2014 } 2015 } 2016 2017 func TestSRVNewUserRegistryMySQL(t *testing.T) { 2018 datasource := "" 2019 2020 // Test with no cert files specified 2021 tlsConfig := &libtls.ClientTLSConfig{ 2022 Enabled: true, 2023 } 2024 csp := util.GetDefaultBCCSP() 2025 _, err := getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, nil)) 2026 assert.Error(t, err) 2027 assert.Contains(t, err.Error(), "No trusted root certificates for TLS were provided") 2028 2029 // Test with with a file that does not exist 2030 tlsConfig = &libtls.ClientTLSConfig{ 2031 Enabled: true, 2032 CertFiles: []string{"doesnotexit.pem"}, 2033 } 2034 _, err = getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, nil)) 2035 assert.Error(t, err) 2036 assert.Contains(t, err.Error(), "no such file or directory") 2037 2038 // Test with a file that is not of appropriate format 2039 tlsConfig = &libtls.ClientTLSConfig{ 2040 Enabled: true, 2041 CertFiles: []string{"../testdata/empty.json"}, 2042 } 2043 _, err = getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, nil)) 2044 assert.Error(t, err) 2045 assert.Contains(t, err.Error(), "Failed to process certificate from file") 2046 2047 // Test with a file that does not have read permissions 2048 2049 tmpFile := filepath.Join(os.TempDir(), "root.pem") 2050 err = CopyFile("../testdata/root.pem", tmpFile) 2051 if err != nil { 2052 t.Fatalf("Failed to copy file: %s", err) 2053 } 2054 err = os.Chmod(tmpFile, 0000) 2055 if err != nil { 2056 t.Fatalf("Failed to change file mode: %s", err) 2057 } 2058 2059 tlsConfig = &libtls.ClientTLSConfig{ 2060 Enabled: true, 2061 CertFiles: []string{tmpFile}, 2062 } 2063 _, err = getMysqlDb(mysql.NewDB(datasource, "", tlsConfig, csp, nil)) 2064 assert.Error(t, err) 2065 if err != nil { 2066 t.Logf("%s", err.Error()) 2067 } 2068 assert.Contains(t, err.Error(), "denied") 2069 2070 err = os.RemoveAll(tmpFile) 2071 if err != nil { 2072 t.Logf("%s", err.Error()) 2073 } 2074 } 2075 2076 func TestCSRInputLengthCheck(t *testing.T) { 2077 t.Log("Testing CSR input length check") 2078 err := os.RemoveAll("../testdata/msp/") 2079 if err != nil { 2080 t.Errorf("RemoveAll failed: %s", err) 2081 } 2082 err = os.RemoveAll(rootDir) 2083 if err != nil { 2084 t.Errorf("RemoveAll failed: %s", err) 2085 } 2086 defer func() { 2087 err = os.RemoveAll("../testdata/msp/") 2088 if err != nil { 2089 t.Errorf("RemoveAll failed: %s", err) 2090 } 2091 err = os.RemoveAll(rootDir) 2092 if err != nil { 2093 t.Errorf("RemoveAll failed: %s", err) 2094 } 2095 }() 2096 2097 server := TestGetServer(rootPort, rootDir, "", -1, t) 2098 if server == nil { 2099 return 2100 } 2101 longCN := randSeq(65) 2102 err = server.RegisterBootstrapUser(longCN, "pass", "") 2103 if err != nil { 2104 t.Errorf("Failed to register bootstrap user: %s", err) 2105 } 2106 err = server.Start() 2107 if err != nil { 2108 t.Fatalf("Server start failed: %s", err) 2109 } 2110 defer func() { 2111 err = server.Stop() 2112 if err != nil { 2113 t.Errorf("Failed to stop server: %s", err) 2114 } 2115 }() 2116 2117 // Passing case: all value are of appropriate length 2118 client := getRootClient() 2119 csr1 := api.CSRInfo{ 2120 CN: "test", 2121 Names: []csr.Name{ 2122 csr.Name{ 2123 C: "US", 2124 ST: "North Carolina", 2125 L: "Raleigh", 2126 O: "Hyperledger", 2127 OU: "Fabric", 2128 }, 2129 csr.Name{ 2130 C: "CA", 2131 }, 2132 }, 2133 SerialNumber: "123abc", 2134 } 2135 _, err = client.Enroll(&api.EnrollmentRequest{ 2136 Name: "admin", 2137 Secret: "adminpw", 2138 CSR: &csr1, 2139 }) 2140 if err != nil { 2141 t.Error("Failed to enroll user in passing case: ", err) 2142 } 2143 2144 // Failing case: CN is greater than 64 characters 2145 badCSR := &api.CSRInfo{ 2146 CN: longCN, 2147 } 2148 _, err = client.Enroll(&api.EnrollmentRequest{ 2149 Name: longCN, 2150 Secret: "pass", 2151 CSR: badCSR, 2152 }) 2153 if assert.Error(t, err, fmt.Sprint("Number of characters for CN is greater than the maximum limit, should have resulted in an error")) { 2154 assert.Contains(t, err.Error(), "CN") 2155 } 2156 2157 // CSRs that test failing cases for other fields in the CSR 2158 badCSRs := map[string]*api.CSRInfo{ 2159 "country": &api.CSRInfo{ 2160 Names: []csr.Name{ 2161 csr.Name{ 2162 C: randSeq(3), 2163 }, 2164 }, 2165 }, 2166 "locality": &api.CSRInfo{ 2167 Names: []csr.Name{ 2168 csr.Name{ 2169 L: randSeq(129), 2170 }, 2171 }, 2172 }, 2173 "state": &api.CSRInfo{ 2174 Names: []csr.Name{ 2175 csr.Name{ 2176 ST: randSeq(129), 2177 }, 2178 }, 2179 }, 2180 "organization": &api.CSRInfo{ 2181 Names: []csr.Name{ 2182 csr.Name{ 2183 O: randSeq(65), 2184 }, 2185 }, 2186 }, 2187 "organizational unit": &api.CSRInfo{ 2188 Names: []csr.Name{ 2189 csr.Name{ 2190 OU: randSeq(65), 2191 }, 2192 }, 2193 }, 2194 "serial number": &api.CSRInfo{ 2195 SerialNumber: randSeq(65), 2196 }, 2197 } 2198 2199 for name, badCSR := range badCSRs { 2200 _, err = client.Enroll(&api.EnrollmentRequest{ 2201 Name: "admin", 2202 Secret: "adminpw", 2203 CSR: badCSR, 2204 }) 2205 if assert.Error(t, err, fmt.Sprintf("Number of characters for '%s' is greater than the maximum limit, should have resulted in an error", name)) { 2206 assert.Contains(t, err.Error(), name) 2207 } 2208 } 2209 } 2210 2211 func TestAutoTLSCertificateGeneration(t *testing.T) { 2212 err := os.RemoveAll(rootDir) 2213 if err != nil { 2214 t.Errorf("RemoveAll failed: %s", err) 2215 } 2216 err = os.RemoveAll("../testdata/msp/") 2217 if err != nil { 2218 t.Errorf("RemoveAll failed: %s", err) 2219 } 2220 defer func() { 2221 err = os.RemoveAll(rootDir) 2222 if err != nil { 2223 t.Errorf("RemoveAll failed: %s", err) 2224 } 2225 err = os.RemoveAll("../testdata/msp/") 2226 if err != nil { 2227 t.Errorf("RemoveAll failed: %s", err) 2228 } 2229 }() 2230 2231 srv := TestGetRootServer(t) 2232 2233 srv.Config.TLS.Enabled = true 2234 srv.Config.TLS.CertFile = "tls-cert.pem" 2235 srv.Config.CAcfg.CSR.CN = "fabric-ca-server" 2236 srv.Config.CAcfg.CSR.Hosts = []string{"localhost"} 2237 2238 err = srv.Start() 2239 if !assert.NoError(t, err, "Failed to start server") { 2240 t.Fatalf("Failed to start server: %s", err) 2241 } 2242 2243 cert, err := util.GetX509CertificateFromPEMFile(srv.Config.TLS.CertFile) 2244 assert.NoError(t, err, "Failed to get certificate") 2245 2246 // Check if the certificate has correct extended key usages 2247 clientAuth := false 2248 serverAuth := false 2249 for _, usage := range cert.ExtKeyUsage { 2250 if usage == x509.ExtKeyUsageClientAuth { 2251 clientAuth = true 2252 } 2253 if usage == x509.ExtKeyUsageServerAuth { 2254 serverAuth = true 2255 } 2256 } 2257 2258 if !clientAuth || !serverAuth { 2259 t.Error("Certificate does not have correct extended key usage. Should have ExtKeyUsageServerAuth and ExtKeyUsageClientAuth") 2260 } 2261 2262 trustedTLSCert, err := filepath.Abs(srv.CA.Config.CA.Certfile) 2263 trustedTLSCerts := []string{trustedTLSCert} 2264 2265 // Test enrolling with with client using TLS 2266 client := getTLSTestClient(7075, trustedTLSCerts) 2267 enrollReq := &api.EnrollmentRequest{ 2268 Name: "admin", 2269 Secret: "adminpw", 2270 } 2271 _, err = client.Enroll(enrollReq) 2272 assert.NoError(t, err, "Error occured during enrollment on TLS enabled fabric-ca server") 2273 2274 err = srv.Stop() 2275 assert.NoError(t, err, "Failed to stop server") 2276 2277 // Test the case where TLS key is provided but TLS certificate does not exist 2278 srv.Config.TLS.CertFile = "fake-tls-cert.pem" 2279 srv.Config.TLS.KeyFile = "key.pem" 2280 2281 err = srv.Start() 2282 if assert.Error(t, err, "Should have failed to start server where TLS key is specified but certificate does not exist") { 2283 assert.Contains(t, err.Error(), fmt.Sprintf("File specified by 'tls.keyfile' does not exist: %s", srv.Config.TLS.KeyFile)) 2284 } 2285 } 2286 func TestRegistrationAffiliation(t *testing.T) { 2287 // Start the server 2288 server := TestGetServer(rootPort, rootDir, "", -1, t) 2289 if server == nil { 2290 return 2291 } 2292 server.RegisterBootstrapUser("admin2", "admin2pw", "hyperledger") 2293 err := server.Start() 2294 assert.NoError(t, err, "Server start failed") 2295 defer func() { 2296 err = server.Stop() 2297 if err != nil { 2298 t.Errorf("Failed to stop server: %s", err) 2299 } 2300 err = os.RemoveAll("../testdata/msp") 2301 if err != nil { 2302 t.Errorf("RemoveAll failed: %s", err) 2303 } 2304 err = os.RemoveAll(rootDir) 2305 if err != nil { 2306 t.Errorf("RemoveAll failed: %s", err) 2307 } 2308 }() 2309 2310 // Enroll bootstrap user 2311 client := getRootClient() 2312 eresp, err := client.Enroll(&api.EnrollmentRequest{ 2313 Name: "admin", 2314 Secret: "adminpw", 2315 }) 2316 assert.NoError(t, err, "Failed to enroll bootstrap user") 2317 admin := eresp.Identity 2318 2319 // Registering with no affiliation specified, should default to using the registrar's affiliation 2320 _, err = admin.Register(&api.RegistrationRequest{ 2321 Name: "testuser", 2322 Type: "user", 2323 Affiliation: "", 2324 }) 2325 assert.NoError(t, err, "Client register failed") 2326 2327 db := server.DBAccessor() 2328 user, err := db.GetUser("testuser", nil) 2329 assert.NoError(t, err) 2330 2331 userAff := cadbuser.GetAffiliation(user) 2332 if userAff != "" { 2333 t.Errorf("Incorrect affiliation set for user being registered when no affiliation was specified, expected '' got %s", userAff) 2334 } 2335 2336 _, err = admin.Register(&api.RegistrationRequest{ 2337 Name: "testuser2", 2338 Type: "user", 2339 Affiliation: ".", 2340 }) 2341 assert.NoError(t, err, "Client register failed") 2342 2343 user, err = db.GetUser("testuser2", nil) 2344 assert.NoError(t, err) 2345 2346 userAff = cadbuser.GetAffiliation(user) 2347 if userAff != "" { 2348 t.Errorf("Incorrect affiliation set for user being registered when no affiliation was specified, expected '' got %s", userAff) 2349 } 2350 2351 eresp, err = client.Enroll(&api.EnrollmentRequest{ 2352 Name: "admin2", 2353 Secret: "admin2pw", 2354 }) 2355 assert.NoError(t, err, "Failed to enroll bootstrap user") 2356 admin2 := eresp.Identity // admin2 has an affiliation of 'hyperledger' 2357 2358 // Registering with no affiliation specified, should default to using the registrar's affiliation 2359 _, err = admin2.Register(&api.RegistrationRequest{ 2360 Name: "testuser3", 2361 Type: "user", 2362 Affiliation: "", 2363 }) 2364 assert.NoError(t, err, "Client register failed") 2365 2366 db = server.DBAccessor() 2367 user, err = db.GetUser("testuser3", nil) 2368 assert.NoError(t, err) 2369 2370 userAff = cadbuser.GetAffiliation(user) 2371 if userAff != "hyperledger" { 2372 t.Errorf("Incorrect affiliation set for user being registered when no affiliation was specified, expected 'hyperledger' got %s", userAff) 2373 } 2374 2375 _, err = admin2.Register(&api.RegistrationRequest{ 2376 Name: "testuser4", 2377 Type: "user", 2378 Affiliation: ".", 2379 }) 2380 assert.Error(t, err, "Should have failed, can't register a user with root affiliation if the registrar does not have root affiliation") 2381 } 2382 2383 func TestCompEnvVar(t *testing.T) { 2384 os.Setenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3", "badVal") 2385 defer os.Unsetenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3") 2386 2387 os.RemoveAll(rootDir) 2388 defer os.RemoveAll(rootDir) 2389 2390 server := TestGetRootServer(t) 2391 err := server.Init(false) 2392 util.ErrorContains(t, err, "parsing \"badVal\": invalid syntax", "Should error if using an invalid boolean value") 2393 2394 os.Setenv("FABRIC_CA_SERVER_COMPATIBILITY_MODE_V1_3", "true") 2395 err = server.Init(false) 2396 assert.NoError(t, err) 2397 } 2398 2399 func cleanMultiCADir(t *testing.T) { 2400 var err error 2401 caFolder := "../testdata/ca" 2402 toplevelFolders := []string{"intermediateca", "rootca"} 2403 nestedFolders := []string{"ca1", "ca2", "ca3"} 2404 removeFiles := []string{"ca-cert.pem", "ca-key.pem", "fabric-ca-server.db", 2405 "fabric-ca2-server.db", "ca-chain.pem", "IssuerPublicKey", "IssuerSecretKey", "IssuerRevocationPublicKey"} 2406 2407 for _, topFolder := range toplevelFolders { 2408 for _, nestedFolder := range nestedFolders { 2409 path := filepath.Join(caFolder, topFolder, nestedFolder) 2410 for _, file := range removeFiles { 2411 err = os.RemoveAll(filepath.Join(path, file)) 2412 if err != nil { 2413 t.Errorf("RemoveAll failed: %s", err) 2414 } 2415 } 2416 err = os.RemoveAll(filepath.Join(path, "msp")) 2417 if err != nil { 2418 t.Errorf("RemoveAll failed: %s", err) 2419 } 2420 } 2421 } 2422 err = os.RemoveAll("../testdata/ca/intermediateca/ca1/msp") 2423 if err != nil { 2424 t.Errorf("RemoveAll failed: %s", err) 2425 } 2426 err = os.RemoveAll("multica") 2427 if err != nil { 2428 t.Errorf("RemoveAll failed: %s", err) 2429 } 2430 err = os.RemoveAll("msp") 2431 if err != nil { 2432 t.Errorf("RemoveAll failed: %s", err) 2433 } 2434 } 2435 2436 func getRootServerURL() string { 2437 return fmt.Sprintf("http://admin:adminpw@localhost:%d", rootPort) 2438 } 2439 2440 func getRootServer(t *testing.T) *Server { 2441 return getServer(rootPort, rootDir, "", -1, t) 2442 } 2443 2444 func getIntermediateServer(idx int, t *testing.T) *Server { 2445 return getServer( 2446 intermediatePort, 2447 path.Join(intermediateDir, strconv.Itoa(idx)), 2448 getRootServerURL(), 2449 -1, 2450 t) 2451 } 2452 2453 func getServer(port int, home, parentURL string, maxEnroll int, t *testing.T) *Server { 2454 if home != testdataDir { 2455 err := os.RemoveAll(home) 2456 if err != nil { 2457 t.Errorf("RemoveAll failed: %s", err) 2458 } 2459 } 2460 affiliations := map[string]interface{}{ 2461 "hyperledger": map[string]interface{}{ 2462 "fabric": []string{"ledger", "orderer", "security"}, 2463 "fabric-ca": nil, 2464 "sdk": nil, 2465 }, 2466 "org2": nil, 2467 } 2468 2469 srv := &Server{ 2470 Config: &ServerConfig{ 2471 Port: port, 2472 Debug: true, 2473 }, 2474 CA: CA{ 2475 Config: &CAConfig{ 2476 Intermediate: IntermediateCA{ 2477 ParentServer: ParentServer{ 2478 URL: parentURL, 2479 }, 2480 }, 2481 Affiliations: affiliations, 2482 Registry: CAConfigRegistry{ 2483 MaxEnrollments: maxEnroll, 2484 }, 2485 }, 2486 }, 2487 HomeDir: home, 2488 } 2489 // The bootstrap user's affiliation is the empty string, which 2490 // means the user is at the affiliation root 2491 err := srv.RegisterBootstrapUser("admin", "adminpw", "") 2492 if err != nil { 2493 t.Errorf("Failed to register bootstrap user: %s", err) 2494 return nil 2495 } 2496 // Error case of empty bootstrap data 2497 err = srv.RegisterBootstrapUser("admin", "", "") 2498 t.Logf("Empty bootstrap id: %s", err) 2499 if err == nil { 2500 t.Errorf("register bootstrap user should have failed") 2501 return nil 2502 } 2503 return srv 2504 } 2505 2506 func getRootClient() *Client { 2507 return getTestClient(rootPort) 2508 } 2509 2510 func getIntermediateClient() *Client { 2511 return getTestClient(intermediatePort) 2512 } 2513 2514 func getTestClient(port int) *Client { 2515 return &Client{ 2516 Config: &ClientConfig{URL: fmt.Sprintf("http://localhost:%d", port)}, 2517 HomeDir: testdataDir, 2518 } 2519 } 2520 2521 func getTLSTestClient(port int, trustedTLSCerts []string) *Client { 2522 return &Client{ 2523 Config: &ClientConfig{ 2524 URL: fmt.Sprintf("https://localhost:%d", port), 2525 TLS: libtls.ClientTLSConfig{ 2526 Enabled: true, 2527 CertFiles: trustedTLSCerts, 2528 }, 2529 }, 2530 HomeDir: testdataDir, 2531 } 2532 } 2533 2534 func getTLSConfig(srv *Server, clientAuthType string, clientRootCerts []string) *Server { 2535 srv.Config.TLS.Enabled = true 2536 srv.Config.TLS.CertFile = "../testdata/tls_server-cert.pem" 2537 srv.Config.TLS.KeyFile = "../testdata/tls_server-key.pem" 2538 srv.Config.TLS.ClientAuth.Type = clientAuthType 2539 srv.Config.TLS.ClientAuth.CertFiles = clientRootCerts 2540 2541 return srv 2542 } 2543 2544 func testRegistration(admin *Identity, t *testing.T) { 2545 name := "testRegistrationUser1" 2546 topAffiliation := "hyperledger" 2547 midAffiliation := "hyperledger.fabric" 2548 botAffiliation := "hyperledger.fabric.security" 2549 _, err := admin.RegisterAndEnroll(&api.RegistrationRequest{ 2550 Name: name, 2551 Type: "user", 2552 Affiliation: midAffiliation, 2553 Attributes: makeAttrs(t, "hf.Registrar.Roles=user", "hf.Registrar.DelegateRoles=user,peer"), 2554 }) 2555 if err == nil { 2556 t.Error("Should have failed to register delegate roles which exceed roles") 2557 } 2558 id1, err := admin.RegisterAndEnroll(&api.RegistrationRequest{ 2559 Name: name, 2560 Type: "user", 2561 Affiliation: midAffiliation, 2562 Attributes: makeAttrs(t, "hf.Registrar.Roles=user,peer", "hf.Registrar.DelegateRoles=user", "hf.Registrar.Attributes=*"), 2563 }) 2564 if err != nil { 2565 t.Fatalf("%s", err) 2566 } 2567 _, err = id1.RegisterAndEnroll(&api.RegistrationRequest{ 2568 Name: name, 2569 Type: "user", 2570 Affiliation: botAffiliation, 2571 Attributes: makeAttrs(t, "hf.Registrar.Roles=peer"), 2572 }) 2573 if err == nil { 2574 t.Error("ID1 should not be allowed to delegate peer registration to another identity") 2575 } 2576 _, err = id1.RegisterAndEnroll(&api.RegistrationRequest{ 2577 Name: name, 2578 Type: "user", 2579 Affiliation: topAffiliation, 2580 }) 2581 if err == nil { 2582 t.Error("ID1 should not be allowed to registrar outside of its affiliation hierarchy") 2583 } 2584 name = "testRegistrationUser2" 2585 id2, err := id1.RegisterAndEnroll(&api.RegistrationRequest{ 2586 Name: name, 2587 Type: "user", 2588 Affiliation: botAffiliation, 2589 }) 2590 if err != nil { 2591 t.Fatalf("ID1 failed to register %s: %s", name, err) 2592 } 2593 name = "testRegistrationUser3" 2594 _, err = id2.RegisterAndEnroll(&api.RegistrationRequest{ 2595 Name: name, 2596 Type: "user", 2597 Affiliation: botAffiliation, 2598 }) 2599 if err == nil { 2600 t.Error("ID2 should not be allowed to register") 2601 } 2602 } 2603 2604 func makeAttrs(t *testing.T, args ...string) []api.Attribute { 2605 attrs := make([]api.Attribute, len(args)) 2606 for idx, attr := range args { 2607 eles := strings.Split(attr, "=") 2608 if len(eles) != 2 { 2609 t.Fatalf("Not two elements in %s", attr) 2610 } 2611 attrs[idx].Name = eles[0] 2612 attrs[idx].Value = eles[1] 2613 } 2614 return attrs 2615 } 2616 2617 func writeCAFile(name, parentcaname, filename, home string, port int, t *testing.T) { 2618 contents := fmt.Sprintf(` 2619 ca: 2620 name: %s 2621 intermediate: 2622 parentserver: 2623 url: http://admin:adminpw@localhost:%d 2624 caname: %s 2625 `, name, port, parentcaname) 2626 os.MkdirAll(home, 0755) 2627 fpath := path.Join(home, fmt.Sprintf("%s.yaml", filename)) 2628 err := ioutil.WriteFile(fpath, []byte(contents), 0644) 2629 if err != nil { 2630 t.Fatalf("Failed to create ca1.yaml: %s", err) 2631 } 2632 } 2633 2634 var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") 2635 2636 func randSeq(n int) string { 2637 b := make([]rune, n) 2638 for i := range b { 2639 b[i] = letters[rand.Intn(len(letters))] 2640 } 2641 return string(b) 2642 } 2643 2644 func testBadCryptoData(t *testing.T, s *Server, testData []string) { 2645 config := []string{"ca/rootca/ca1/fabric-ca-server-config.yaml"} 2646 sCert := "../testdata/ca/rootca/ca1/ca-cert.pem" 2647 sKey := "../testdata/ca/rootca/ca1/ca-key.pem" 2648 // Starting server with expired certificate 2649 err := CopyFile(testData[0], sCert) 2650 if err != nil { 2651 t.Errorf("Failed to copy expired cert to %s failed: %v", testData[0], err) 2652 } 2653 err = CopyFile(testData[1], sKey) 2654 if err != nil { 2655 t.Errorf("Failed to copy key to %s failed: %v", testData[1], err) 2656 } 2657 s.Config.CAfiles = config 2658 err = s.Start() 2659 t.Logf("srvStart ERROR %v", err) 2660 if err == nil { 2661 t.Errorf("Should have failed to start server, %s", testData[2]) 2662 err = s.Stop() 2663 if err != nil { 2664 t.Errorf("Failed to stop server: %s", err) 2665 } 2666 } 2667 err = os.Remove(sCert) 2668 if err != nil { 2669 t.Errorf("Remove failed: %s", err) 2670 } 2671 err = os.Remove(sKey) 2672 if err != nil { 2673 t.Errorf("Remove failed: %s", err) 2674 } 2675 } 2676 2677 func cleanTestSlateSRV(t *testing.T) { 2678 err := os.RemoveAll("../testdata/ca-cert.pem") 2679 if err != nil { 2680 t.Errorf("RemoveAll failed: %s", err) 2681 } 2682 err = os.RemoveAll("../testdata/ca-key.pem") 2683 if err != nil { 2684 t.Errorf("RemoveAll failed: %s", err) 2685 } 2686 err = os.RemoveAll("../testdata/fabric-ca-server.db") 2687 if err != nil { 2688 t.Errorf("RemoveAll failed: %s", err) 2689 } 2690 err = os.RemoveAll(rootDir) 2691 if err != nil { 2692 t.Errorf("RemoveAll failed: %s", err) 2693 } 2694 err = os.RemoveAll(intermediateDir) 2695 if err != nil { 2696 t.Errorf("RemoveAll failed: %s", err) 2697 } 2698 err = os.RemoveAll("multica") 2699 if err != nil { 2700 t.Errorf("RemoveAll failed: %s", err) 2701 } 2702 err = os.RemoveAll(serversDir) 2703 if err != nil { 2704 t.Errorf("RemoveAll failed: %s", err) 2705 } 2706 err = os.RemoveAll("../testdata/msp") 2707 if err != nil { 2708 t.Errorf("RemoveAll failed: %s", err) 2709 } 2710 err = os.RemoveAll("msp") 2711 if err != nil { 2712 t.Errorf("RemoveAll failed: %s", err) 2713 } 2714 err = os.RemoveAll("../util/msp") 2715 if err != nil { 2716 t.Errorf("RemoveAll failed: %s", err) 2717 } 2718 cleanMultiCADir(t) 2719 } 2720 2721 func TestStatsdMetricsE2E(t *testing.T) { 2722 gt := NewGomegaWithT(t) 2723 var err error 2724 2725 server := TestGetRootServer(t) 2726 2727 // Statsd 2728 datagramReader := NewDatagramReader(t) 2729 go datagramReader.Start() 2730 defer datagramReader.Close() 2731 2732 server.Config.Metrics = operations.MetricsOptions{ 2733 Provider: "statsd", 2734 Statsd: &operations.Statsd{ 2735 Network: "udp", 2736 Address: datagramReader.Address(), 2737 Prefix: "server", 2738 WriteInterval: time.Duration(time.Millisecond), 2739 }, 2740 } 2741 2742 server.CA.Config.CA.Name = "ca" 2743 err = server.Start() 2744 gt.Expect(err).NotTo(HaveOccurred()) 2745 defer server.Stop() 2746 defer os.RemoveAll(rootDir) 2747 2748 client := TestGetClient(rootPort, "metrics") 2749 _, err = client.Enroll(&api.EnrollmentRequest{ 2750 Name: "admin", 2751 Secret: "badpass", 2752 CAName: "ca", 2753 }) 2754 gt.Expect(err).To(HaveOccurred()) 2755 defer os.RemoveAll("metrics") 2756 2757 _, err = client.Enroll(&api.EnrollmentRequest{ 2758 Name: "admin", 2759 Secret: "adminpw", 2760 CAName: "ca", 2761 }) 2762 gt.Expect(err).NotTo(HaveOccurred()) 2763 2764 eventuallyTimeout := 10 * time.Second 2765 gt.Eventually(datagramReader, eventuallyTimeout).Should(gbytes.Say("serverx.api_request.count.ca.enroll.201:1.000000|c")) 2766 gt.Eventually(datagramReader, eventuallyTimeout).Should(gbytes.Say("server.api_request.duration.ca.enroll.201")) 2767 contents := datagramReader.String() 2768 gt.Expect(contents).To(ContainSubstring("server.api_request.duration.ca.enroll.401")) 2769 gt.Expect(contents).To(ContainSubstring("server.api_request.count.ca.enroll.401:1.000000|c")) 2770 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetRAInfo.Select:1.000000|c")) 2771 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateAffiliationsTable.Exec:2.000000|c")) 2772 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateCertificatesTable.Exec:2.000000|c")) 2773 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreatePropertiesTable.Exec:2.000000|c")) 2774 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetProperty.Get:12.000000|c")) 2775 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.InsertAffiliation.Exec:11.000000|c")) 2776 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateTable.Commit:1.000000|c")) 2777 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetUserLessThanLevel.Queryx:1.000000|c")) 2778 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.MigrateAffiliationsTable.Exec:4.000000|c")) 2779 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.Migration.Commit:1.000000|c")) 2780 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateUsersTable.Exec:3.000000|c")) 2781 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.MigrateCertificatesTable.Exec:4.000000|c")) 2782 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.GetUser.Get:1.000000|c")) 2783 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.AddRAInfo.NamedExec:1.000000|c")) 2784 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateCredentialsTable.Exec:1.000000|c")) 2785 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateRevocationAuthorityTable.Exec:1.000000|c")) 2786 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.CreateNoncesTable.Exec:1.000000|c")) 2787 gt.Expect(contents).To(ContainSubstring("server.db_api_request.count.ca.MigrateUsersTable.Exec:7.000000|c")) 2788 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreatePropertiesTable.Exec")) 2789 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetUserLessThanLevel.Queryx")) 2790 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.MigrateCertificatesTable.Exec")) 2791 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetUser.Get")) 2792 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.Migration.Commit")) 2793 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.InsertUser.NamedExec")) 2794 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateAffiliationsTable.Exec")) 2795 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateCredentialsTable.Exec")) 2796 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateRevocationAuthorityTable.Exec")) 2797 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateNoncesTable.Exec")) 2798 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetProperty.Get")) 2799 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.AddRAInfo.NamedExec")) 2800 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateCertificatesTable.Exec")) 2801 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateTable.Commit")) 2802 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.MigrateUsersTable.Exec")) 2803 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.InsertAffiliation.Exec")) 2804 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.GetRAInfo.Select")) 2805 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.CreateUsersTable.Exec")) 2806 gt.Expect(contents).To(ContainSubstring("server.db_api_request.duration.ca.MigrateAffiliationsTable.Exec")) 2807 } 2808 2809 func TestPrometheusMetricsE2E(t *testing.T) { 2810 gt := NewGomegaWithT(t) 2811 var err error 2812 2813 server := TestGetRootServer(t) 2814 // Prometheus 2815 server.Config.Metrics.Provider = "prometheus" 2816 server.Config.Operations.ListenAddress = "localhost:0" 2817 2818 server.Config.Operations.TLS = operations.TLS{ 2819 Enabled: true, 2820 CertFile: filepath.Join(testdata, "tls_server-cert.pem"), 2821 KeyFile: filepath.Join(testdata, "tls_server-key.pem"), 2822 ClientCertRequired: true, 2823 ClientCACertFiles: []string{"../testdata/root.pem"}, 2824 } 2825 2826 server.CA.Config.CA.Name = "ca" 2827 err = server.Start() 2828 gt.Expect(err).NotTo(HaveOccurred()) 2829 defer server.Stop() 2830 defer os.RemoveAll(rootDir) 2831 2832 client := TestGetClient(rootPort, "metrics") 2833 _, err = client.Enroll(&api.EnrollmentRequest{ 2834 Name: "admin", 2835 Secret: "badpass", 2836 CAName: "ca", 2837 }) 2838 gt.Expect(err).To(HaveOccurred()) 2839 defer os.RemoveAll("metrics") 2840 2841 _, err = client.Enroll(&api.EnrollmentRequest{ 2842 Name: "admin", 2843 Secret: "adminpw", 2844 CAName: "ca", 2845 }) 2846 gt.Expect(err).NotTo(HaveOccurred()) 2847 2848 // Prometheus client 2849 clientCert, err := tls.LoadX509KeyPair( 2850 filepath.Join(testdata, "tls_client-cert.pem"), 2851 filepath.Join(testdata, "tls_client-key.pem"), 2852 ) 2853 gt.Expect(err).NotTo(HaveOccurred()) 2854 clientCertPool := x509.NewCertPool() 2855 caCert, err := ioutil.ReadFile(filepath.Join(testdata, "root.pem")) 2856 gt.Expect(err).NotTo(HaveOccurred()) 2857 clientCertPool.AppendCertsFromPEM(caCert) 2858 2859 c := &http.Client{ 2860 Transport: &http.Transport{ 2861 TLSClientConfig: &tls.Config{ 2862 Certificates: []tls.Certificate{clientCert}, 2863 RootCAs: clientCertPool, 2864 }, 2865 }, 2866 } 2867 2868 addr := strings.Split(server.Operations.Addr(), ":") 2869 metricsURL := fmt.Sprintf("https://localhost:%s/metrics", addr[1]) 2870 resp, err := c.Get(metricsURL) 2871 gt.Expect(err).NotTo(HaveOccurred()) 2872 gt.Expect(resp.StatusCode).To(Equal(http.StatusOK)) 2873 defer resp.Body.Close() 2874 2875 bodyBytes, err := ioutil.ReadAll(resp.Body) 2876 gt.Expect(err).NotTo(HaveOccurred()) 2877 body := string(bodyBytes) 2878 2879 err = server.Stop() 2880 gt.Expect(err).NotTo(HaveOccurred()) 2881 2882 gt.Expect(body).To(ContainSubstring(`# HELP api_request_count Number of requests made to an API`)) 2883 gt.Expect(body).To(ContainSubstring(`# TYPE api_request_count counter`)) 2884 gt.Expect(body).To(ContainSubstring(`api_request_count{api_name="enroll",ca_name="ca",status_code="201"} 1.0`)) 2885 gt.Expect(body).To(ContainSubstring(`api_request_count{api_name="enroll",ca_name="ca",status_code="401"} 1.0`)) 2886 gt.Expect(body).To(ContainSubstring(`# HELP api_request_duration Time taken in seconds for the request to an API to be completed`)) 2887 gt.Expect(body).To(ContainSubstring(`# TYPE api_request_duration histogram`)) 2888 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.005"}`)) 2889 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.01"}`)) 2890 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.025"}`)) 2891 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.05"}`)) 2892 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.1"}`)) 2893 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.25"}`)) 2894 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="0.5"}`)) 2895 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="1.0"}`)) 2896 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="2.5"}`)) 2897 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="5.0"}`)) 2898 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="10.0"}`)) 2899 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="201",le="+Inf"}`)) 2900 gt.Expect(body).To(ContainSubstring(`api_request_duration_sum{api_name="enroll",ca_name="ca",status_code="201"}`)) 2901 gt.Expect(body).To(ContainSubstring(`api_request_duration_count{api_name="enroll",ca_name="ca",status_code="201"} 1.0`)) 2902 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.005"}`)) 2903 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.01"}`)) 2904 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.025"}`)) 2905 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.05"}`)) 2906 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.1"}`)) 2907 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.25"}`)) 2908 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="0.5"}`)) 2909 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="1.0"}`)) 2910 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="2.5"}`)) 2911 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="5.0"}`)) 2912 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="10.0"}`)) 2913 gt.Expect(body).To(ContainSubstring(`api_request_duration_bucket{api_name="enroll",ca_name="ca",status_code="401",le="+Inf"}`)) 2914 gt.Expect(body).To(ContainSubstring(`api_request_duration_sum{api_name="enroll",ca_name="ca",status_code="401"}`)) 2915 gt.Expect(body).To(ContainSubstring(`api_request_duration_count{api_name="enroll",ca_name="ca",status_code="401"} 1.0`)) 2916 gt.Expect(body).To(ContainSubstring(`# HELP db_api_request_count Number of requests made to a database API`)) 2917 gt.Expect(body).To(ContainSubstring(`# TYPE db_api_request_count counter`)) 2918 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Commit",func_name="CreateTable"} 1.0`)) 2919 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Commit",func_name="Migration"} 1.0`)) 2920 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateAffiliationsTable"} 2.0`)) 2921 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateCertificatesTable"} 2.0`)) 2922 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateCredentialsTable"} 1.0`)) 2923 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateNoncesTable"} 1.0`)) 2924 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreatePropertiesTable"} 2.0`)) 2925 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateRevocationAuthorityTable"} 1.0`)) 2926 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="CreateUsersTable"} 3.0`)) 2927 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="IncrementIncorrectPasswordAttempts"} 1.0`)) 2928 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="InsertAffiliation"} 11.0`)) 2929 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="LoginComplete"} 1.0`)) 2930 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="MigrateAffiliationsTable"} 4.0`)) 2931 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="MigrateCertificatesTable"} 4.0`)) 2932 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="MigrateUsersTable"} 7.0`)) 2933 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Exec",func_name="ResetIncorrectLoginAttempts"} 1.0`)) 2934 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Get",func_name="GetProperty"} 12.0`)) 2935 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Get",func_name="GetUser"} 5.0`)) 2936 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Get",func_name="ResetIncorrectLoginAttempts"} 1.0`)) 2937 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="NamedExec",func_name="AddRAInfo"} 1.0`)) 2938 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="NamedExec",func_name="InsertCertificate"} 1.0`)) 2939 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="NamedExec",func_name="InsertUser"} 1.0`)) 2940 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Queryx",func_name="GetUserLessThanLevel"} 1.0`)) 2941 gt.Expect(body).To(ContainSubstring(`db_api_request_count{ca_name="ca",dbapi_name="Select",func_name="GetRAInfo"} 1.0`)) 2942 gt.Expect(body).To(ContainSubstring(`# HELP db_api_request_duration Time taken in seconds for the request to a database API to be completed`)) 2943 gt.Expect(body).To(ContainSubstring(`# TYPE db_api_request_duration histogram`)) 2944 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Commit",func_name="CreateTable",le="0.5"}`)) 2945 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Commit",func_name="Migration",le="0.5"}`)) 2946 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateAffiliationsTable",le="0.5"}`)) 2947 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateCertificatesTable",le="0.5"}`)) 2948 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateCredentialsTable",le="0.5"}`)) 2949 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateNoncesTable",le="0.5"}`)) 2950 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreatePropertiesTable",le="0.5"}`)) 2951 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateRevocationAuthorityTable",le="0.5"}`)) 2952 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="CreateUsersTable",le="0.5"}`)) 2953 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="IncrementIncorrectPasswordAttempts",le="0.5"}`)) 2954 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="InsertAffiliation",le="0.5"}`)) 2955 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="LoginComplete",le="0.5"}`)) 2956 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="MigrateAffiliationsTable",le="0.5"}`)) 2957 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="MigrateCertificatesTable",le="0.5"}`)) 2958 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Exec",func_name="MigrateUsersTable",le="0.5"}`)) 2959 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Get",func_name="GetProperty",le="0.5"}`)) 2960 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Get",func_name="GetUser",le="0.5"}`)) 2961 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Get",func_name="ResetIncorrectLoginAttempts",le="0.5"}`)) 2962 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="NamedExec",func_name="AddRAInfo",le="0.5"}`)) 2963 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="NamedExec",func_name="InsertCertificate",le="0.5"}`)) 2964 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="NamedExec",func_name="InsertUser",le="0.5"}`)) 2965 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Queryx",func_name="GetUserLessThanLevel",le="0.5"}`)) 2966 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Select",func_name="GetRAInfo",le="0.25"}`)) 2967 gt.Expect(body).To(ContainSubstring(`db_api_request_duration_bucket{ca_name="ca",dbapi_name="Select",func_name="GetRAInfo",le="0.5"}`)) 2968 } 2969 2970 type DatagramReader struct { 2971 buffer *gbytes.Buffer 2972 errCh chan error 2973 sock *net.UDPConn 2974 doneCh chan struct{} 2975 closeOnce sync.Once 2976 err error 2977 } 2978 2979 func NewDatagramReader(t *testing.T) *DatagramReader { 2980 gt := NewGomegaWithT(t) 2981 2982 udpAddr, err := net.ResolveUDPAddr("udp", "127.0.0.1:0") 2983 gt.Expect(err).NotTo(HaveOccurred()) 2984 sock, err := net.ListenUDP("udp", udpAddr) 2985 gt.Expect(err).NotTo(HaveOccurred()) 2986 err = sock.SetReadBuffer(1024 * 1024) 2987 gt.Expect(err).NotTo(HaveOccurred()) 2988 2989 return &DatagramReader{ 2990 buffer: gbytes.NewBuffer(), 2991 sock: sock, 2992 errCh: make(chan error, 1), 2993 doneCh: make(chan struct{}), 2994 } 2995 } 2996 2997 func (dr *DatagramReader) Buffer() *gbytes.Buffer { 2998 return dr.buffer 2999 } 3000 3001 func (dr *DatagramReader) Address() string { 3002 return dr.sock.LocalAddr().String() 3003 } 3004 3005 func (dr *DatagramReader) String() string { 3006 return string(dr.buffer.Contents()) 3007 } 3008 3009 func (dr *DatagramReader) Start() { 3010 buf := make([]byte, 1024*1024) 3011 for { 3012 select { 3013 case <-dr.doneCh: 3014 dr.errCh <- nil 3015 return 3016 3017 default: 3018 n, _, err := dr.sock.ReadFrom(buf) 3019 if err != nil { 3020 dr.errCh <- err 3021 return 3022 } 3023 _, err = dr.buffer.Write(buf[0:n]) 3024 if err != nil { 3025 dr.errCh <- err 3026 return 3027 } 3028 } 3029 } 3030 } 3031 3032 func (dr *DatagramReader) Close() error { 3033 dr.closeOnce.Do(func() { 3034 close(dr.doneCh) 3035 err := dr.sock.Close() 3036 dr.err = <-dr.errCh 3037 if dr.err == nil && err != nil && err != io.EOF { 3038 dr.err = err 3039 } 3040 }) 3041 return dr.err 3042 } 3043 3044 func getMysqlDb(m *mysql.Mysql) (*db.DB, error) { 3045 err := m.Connect() 3046 if err != nil { 3047 return nil, err 3048 } 3049 testdb, err := m.Create() 3050 if err != nil { 3051 return nil, err 3052 } 3053 return testdb, nil 3054 }