[FAB-6710] Remove GetUserInfo call

GetUserInfo function removed from the UserRegistry and
all calls to GetUserInfo now use GetUser instead. User
interface enhanced to allow for this change.

Change-Id: I44b0df95dcac867ed729b914827528f935c14ffe
Signed-off-by: Saad Karim <skarim@us.ibm.com>

api/client.go

@@ -17,10 +17,10 @@ limitations under the License.
 package api
 
 import (
+	"math/big"
 	"time"
 
 	"github.com/cloudflare/cfssl/csr"
-	"github.com/hyperledger/fabric-ca/lib/tcert"
 	"github.com/hyperledger/fabric-ca/util"
 )
 
@@ -161,7 +161,16 @@ type GetTCertBatchRequest struct {
 
 // GetTCertBatchResponse is the return value of identity.GetTCertBatch
 type GetTCertBatchResponse struct {
-	tcert.GetBatchResponse
+	ID     *big.Int  `json:"id"`
+	TS     time.Time `json:"ts"`
+	Key    []byte    `json:"key"`
+	TCerts []TCert   `json:"tcerts"`
+}
+
+// TCert encapsulates a signed transaction certificate and optionally a map of keys
+type TCert struct {
+	Cert []byte            `json:"cert"`
+	Keys map[string][]byte `json:"keys,omitempty"` //base64 encoded string as value
 }
 
 // GetCAInfoRequest is request to get generic CA information

api/net.go

@@ -18,7 +18,6 @@ package api
 
 import (
 	"github.com/cloudflare/cfssl/signer"
-	"github.com/hyperledger/fabric-ca/lib/tcert"
 )
 
 /*
@@ -73,7 +72,7 @@ type GetTCertBatchRequestNet struct {
 
 // GetTCertBatchResponseNet is the network response for a batch of transaction certificates
 type GetTCertBatchResponseNet struct {
-	tcert.GetBatchResponse
+	GetTCertBatchResponse
 }
 
 // KeySig is a public key, signature, and signature algorithm tuple

cmd/fabric-ca-client/main_test.go

@@ -779,7 +779,7 @@ func testRegisterEnvVar(t *testing.T) {
 
 	os.Setenv("FABRIC_CA_CLIENT_HOME", "../../testdata/")
 	os.Setenv("FABRIC_CA_CLIENT_ID_NAME", "testRegister2")
-	os.Setenv("FABRIC_CA_CLIENT_ID_AFFILIATION", "hyperledger")
+	os.Setenv("FABRIC_CA_CLIENT_ID_AFFILIATION", "hyperledger.org2")
 	os.Setenv("FABRIC_CA_CLIENT_ID_TYPE", "client")
 	defer func() {
 		os.Unsetenv("FABRIC_CA_CLIENT_HOME")
@@ -803,7 +803,7 @@ func testRegisterCommandLine(t *testing.T, srv *lib.Server) {
 	fooName := "foo"
 	fooVal := "a=b"
 	roleName := "hf.Registrar.Roles"
-	roleVal := "peer,user,client"
+	roleVal := "peer,user"
 	attributes := fmt.Sprintf("%s=%s,bar=c,\"%s=%s\"", fooName, fooVal, roleName, roleVal)
 
 	err := RunMain([]string{cmdName, "register", "-d", "--id.name", "testRegister3",
@@ -818,20 +818,21 @@ func testRegisterCommandLine(t *testing.T, srv *lib.Server) {
 
 	db := lib.NewDBAccessor()
 	db.SetDB(sqliteDB)
-	user, err := db.GetUserInfo("testRegister3")
+	user, err := db.GetUser("testRegister3", nil)
 	assert.NoError(t, err)
 
-	val := lib.GetAttrValue(user.Attributes, fooName)
+	allAttrs, _ := user.GetAttributes(nil)
+	val := lib.GetAttrValue(allAttrs, fooName)
 	if val != fooVal {
 		t.Errorf("Incorrect value returned for attribute '%s', expected '%s' got '%s'", fooName, fooVal, val)
 	}
-	val = lib.GetAttrValue(user.Attributes, roleName)
+	val = lib.GetAttrValue(allAttrs, roleName)
 	if val != roleVal {
 		t.Errorf("Incorrect value returned for attribute '%s', expected '%s' got '%s'", roleName, roleVal, val)
 	}
 
 	err = RunMain([]string{cmdName, "register", "-d", "--id.name", "testRegister4",
-		"--id.secret", "testRegister4", "--id.affiliation", "hyperledger.org2", "--id.type", "client"})
+		"--id.secret", "testRegister4", "--id.affiliation", "hyperledger.org2", "--id.type", "user"})
 	if err != nil {
 		t.Errorf("client register failed: %s", err)
 	}
@@ -842,9 +843,9 @@ func testRegisterCommandLine(t *testing.T, srv *lib.Server) {
 	err = RunMain([]string{cmdName, "register", "-d", "--id.name", userName,
 		"--id.secret", "testRegister5", "--id.affiliation", "hyperledger.org1"})
 	assert.NoError(t, err, "Failed to register identity "+userName)
-	user, err = db.GetUserInfo(userName)
+	user, err = db.GetUser(userName, nil)
 	assert.NoError(t, err)
-	assert.Equal(t, "user", user.Type, "Identity type for '%s' should have been 'user'", userName)
+	assert.Equal(t, "user", user.GetType(), "Identity type for '%s' should have been 'user'", userName)
 
 	os.Remove(defYaml) // Delete default config file
 
@@ -911,28 +912,35 @@ func testRevoke(t *testing.T) {
 		t.Errorf("The Serial and AKI are not associated with the enrollment ID: %s", err)
 	}
 
-	// Enroll admin with root affiliation and test revoking with root
-	err = RunMain([]string{cmdName, "enroll", "-u", enrollURL})
-	if err != nil {
-		t.Fatalf("client enroll -u failed: %s", err)
-	}
-
-	// Enroll testRegister4, so the next revoke command will revoke atleast one
-	// ecert
+	// Enroll testRegister4
 	testRegister4Home := filepath.Join(os.TempDir(), "testregister4Home")
 	defer os.RemoveAll(testRegister4Home)
 	err = RunMain([]string{cmdName, "enroll", "-u",
-		fmt.Sprintf("http://testRegister4:testRegister4@localhost:%d", serverPort), "-H", testRegister4Home})
+		fmt.Sprintf("http://testRegister4:testRegister4@localhost:%d", serverPort)})
 	if err != nil {
 		t.Fatalf("Failed to enroll testRegister4 user: %s", err)
 	}
 
+	// testRegister2's affiliation: hyperledger.org2, hyperledger.org2
+	err = RunMain([]string{cmdName, "revoke", "-u", serverURL, "--revoke.name",
+		"testRegister2", "--revoke.serial", "", "--revoke.aki", ""})
+	if err == nil {
+		t.Errorf("Revoker has different type than the identity being revoked, should have failed")
+	}
+
+	// Enroll admin with root affiliation and test revoking with root
+	err = RunMain([]string{cmdName, "enroll", "-u", enrollURL})
+	if err != nil {
+		t.Fatalf("client enroll -u failed: %s", err)
+	}
+
 	// testRegister4's affiliation: company2, revoker's affiliation: "" (root)
 	err = RunMain([]string{cmdName, "revoke", "-u", serverURL, "--revoke.name",
 		"testRegister4", "--revoke.serial", "", "--revoke.aki", "", "--gencrl"})
 	if err != nil {
 		t.Errorf("User with root affiliation failed to revoke, error: %s", err)
 	}
+
 	crlFile := filepath.Join(clientHome, "msp/crls/crl.pem")
 	_, err = os.Stat(crlFile)
 	assert.NoError(t, err, "CRL should be created when revoke is called with --gencrl parameter")
@@ -962,13 +970,6 @@ func testRevoke(t *testing.T) {
 	_, err = os.Stat(filepath.Join(clientHome, "msp/crls/crl.pem"))
 	assert.Error(t, err, "CRL should not be created when revoke is called without --gencrl parameter")
 
-	// testRegister2's affiliation: hyperledger, revoker's affiliation: ""
-	err = RunMain([]string{cmdName, "revoke", "-u", serverURL, "--revoke.name",
-		"testRegister2", "--revoke.serial", "", "--revoke.aki", ""})
-	if err != nil {
-		t.Errorf("Failed to revoke proper affiliation hierarchy, error: %s", err)
-	}
-
 	err = RunMain([]string{cmdName, "enroll", "-d", "-u", "http://admin3:adminpw3@localhost:7090"})
 	if err != nil {
 		t.Errorf("client enroll -u failed: %s", err)
@@ -1035,11 +1036,12 @@ func testAffiliation(t *testing.T) {
 
 	db := lib.NewDBAccessor()
 	db.SetDB(sqliteDB)
-	user, err := db.GetUserInfo("testRegister6")
+	user, err := db.GetUser("testRegister6", nil)
 	assert.NoError(t, err)
 
-	if user.Affiliation != "hyperledger" {
-		t.Errorf("Incorrectly set affiliation for user being registered when no affiliation was specified, expected 'hyperledger' got %s", user.Affiliation)
+	userAff := lib.GetUserAffiliation(user)
+	if userAff != "hyperledger" {
+		t.Errorf("Incorrectly set affiliation for user being registered when no affiliation was specified, expected 'hyperledger' got %s", userAff)
 	}
 
 	os.RemoveAll(filepath.Dir(defYaml))

docs/source/users-guide.rst

@@ -1185,13 +1185,16 @@ the certificates owned by the identity and will also prevent the identity from g
 any new certificates. Revoking a certificate will invalidate a single certificate.
 
 In order to revoke a certificate or an identity, the calling identity must have
-the ``hf.Revoker`` attribute. The revoking identity can only revoke a certificate
-or an identity that has an affiliation that is equal to or prefixed by the revoking
-identity's affiliation.
-
-For example, a revoker with affiliation **orgs.org1** can revoke an identity
-affiliated with **orgs.org1** or **orgs.org1.department1** but can't revoke an
-identity affiliated with **orgs.org2**.
+the ``hf.Revoker`` and ``hf.Registrar.Roles`` attribute. The revoking identity
+can only revoke a certificate or an identity that has an affiliation that is
+equal to or prefixed by the revoking identity's affiliation. Furthermore, the
+revoker can only revoke identities with types that are listed in the revoker's
+``hf.Registrar.Roles`` attribute.
+
+For example, a revoker with affiliation **orgs.org1** and 'hf.Registrar.Roles=peer,client'
+attribute can revoke either a **peer** or **client** type identity affiliated with
+**orgs.org1** or **orgs.org1.department1** but can't revoke an identity affiliated with
+**orgs.org2** or of any other type.
 
 The following command disables an identity and revokes all of the certificates
 associated with the identity. All future requests received by the Fabric CA server

lib/ca.go

@@ -885,19 +885,22 @@ func (ca *CA) getUserAttrValue(username, attrname string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	attrval := user.GetAttribute(attrname)
+	attrval, err := user.GetAttribute(attrname)
+	if err != nil {
+		return "", errors.Errorf("Failed to get attribute '%s': %s", attrname, err)
+	}
 	log.Debugf("getUserAttrValue identity=%s, name=%s, value=%s", username, attrname, attrval)
-	return attrval, nil
+	return attrval.Value, nil
 }
 
 // getUserAffiliation returns a user's affiliation
 func (ca *CA) getUserAffiliation(username string) (string, error) {
 	log.Debugf("getUserAffilliation identity=%s", username)
-	user, err := ca.registry.GetUserInfo(username)
+	user, err := ca.registry.GetUser(username, nil)
 	if err != nil {
 		return "", err
 	}
-	aff := user.Affiliation
+	aff := GetUserAffiliation(user)
 	log.Debugf("getUserAffiliation identity=%s, aff=%s", username, aff)
 	return aff, nil
 }

lib/client_test.go

@@ -1056,7 +1056,7 @@ func TestRevokedIdentity(t *testing.T) {
 	// 'admin' registers 'TestUser' user
 	registerReq := &api.RegistrationRequest{
 		Name:           "TestUser",
-		Type:           "Client",
+		Type:           "user",
 		Affiliation:    "hyperledger",
 		MaxEnrollments: 1,
 	}

lib/dasqlite_test.go

@@ -391,11 +391,6 @@ func TestDBErrorMessages(t *testing.T) {
 		assert.Contains(t, err.Error(), fmt.Sprintf(expectedErr, "User"))
 	}
 
-	_, err = ta.Accessor.GetUserInfo("testuser")
-	if assert.Error(t, err, "Should have errored, and not returned any results") {
-		assert.Contains(t, err.Error(), fmt.Sprintf(expectedErr, "User"))
-	}
-
 	newCertDBAcc := NewCertDBAccessor(db)
 	_, err = newCertDBAcc.GetCertificateWithID("serial", "aki")
 	if assert.Error(t, err, "Should have errored, and not returned any results") {