Added support for TLS; deleted trailing spaces

enhanced error message reporting added auth checking to reenroll test removed system-level authorization requirement for haproxy Change-Id: I5225097a0a9257b6f618fe248e43fde6fe415a96 Signed-off-by: rennman <eabailey@us.ibm.com>
hyperledger · Jan 30, 2017 · 9fde6f4 · 9fde6f4
1 parent d8d192e
commit 9fde6f4
Show file tree

Hide file tree

Showing 15 changed files with 282 additions and 124 deletions.
diff --git a/scripts/fvt/auth_test.sh b/scripts/fvt/auth_test.sh
@@ -3,15 +3,35 @@ FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
 SCRIPTDIR="$FABRIC_CA/scripts/fvt"
 . $SCRIPTDIR/fabric-ca_utils
 RC=0
-HOST="localhost:10888"
 SERVERCONFIG="/tmp/config.json.$RANDOM"
 
+if test -n "$TLS_ON"; then
+   TLS_DISABLE='false'
+else
+   case "$FABRIC_TLS" in
+      true) TLS_DISABLE='false' ;;
+     false) TLS_DISABLE='true'  ;;
+         *) TLS_DISABLE='true'  ;;
+   esac
+fi
+
 # default value
 cat > "$SERVERCONFIG" <<EOF
 {
- "tls_disable":true,
+ "tls_disable":$TLS_DISABLE,
  "driver":"sqlite3",
- "data_source":"fabric-ca.db",
+ "data_source":"fabric_ca.db",
+ "ca_cert":"/home/ibmadmin/gopath/src/github.com/hyperledger/fabric-ca/testdata/fabric-ca-cert.pem",
+ "ca_key":"/home/ibmadmin/gopath/src/github.com/hyperledger/fabric-ca/testdata/fabric-ca-key.pem",
+ "tls":{
+   "tls_cert":"/home/ibmadmin/gopath/src/github.com/hyperledger/fabric-ca/testdata/tls_server-cert.pem",
+   "tls_key":"/home/ibmadmin/gopath/src/github.com/hyperledger/fabric-ca/testdata/tls_server-key.pem",
+   "mutual_tls_ca":"/home/ibmadmin/gopath/src/github.com/hyperledger/fabric-ca/testdata/root.pem",
+   "db_client":{
+     "ca_certfiles":["/home/ibmadmin/gopath/src/github.com/hyperledger/fabric-ca/testdata/root.pem"],
+     "client":{"keyfile":"/home/ibmadmin/gopath/src/github.com/hyperledger/fabric-ca/testdata/tls_server-key.pem","certfile":"/home/ibmadmin/gopath/src/github.com/hyperledger/fabric-ca/testdata/tls_server-cert.pem"}
+   }
+ },
  "users": {
     "admin": {
       "pass": "adminpw",
@@ -52,40 +72,41 @@ for driver in sqlite3 ; do
    test $? -ne 0 && ErrorExit "Failed to setup server"
    # Success case - send passwd
    $SCRIPTDIR/enroll.sh -u admin -p adminpw
-   RC=$((RC+$?))
+   test $? -ne 0 && ErrorMsg "Failed to enroll admin"
    # Fail case - send null passwd
    $SCRIPTDIR/enroll.sh -u admin -p ""
-   test $? -eq 0 && RC=$((RC+1))
+   test $? -eq 0 && ErrorMsg "Improperly enrolled admin with null passwd"
    # Fail case - send bogus passwd
    $SCRIPTDIR/enroll.sh -u admin -p xxxxxx
-   test $? -eq 0 && RC=$((RC+1))
+   test $? -eq 0 && ErrorMsg "Improperly enrolled admin with bad passwd"
 
    # - auth disabled
-   $SCRIPTDIR/fabric-ca_setup.sh -R
-   $SCRIPTDIR/fabric-ca_setup.sh -A -I -S -X -d $driver
+   $SCRIPTDIR/fabric-ca_setup.sh  -R
+   $SCRIPTDIR/fabric-ca_setup.sh  -A -I -S -X -d $driver
+   test $? -ne 0 && ErrorExit "Failed to setup server"
    # Success case - send correct passwd
    $SCRIPTDIR/enroll.sh -u admin -p adminpw
-   RC=$((RC+$?))
+   test $? -ne 0 && ErrorMsg "Authentication disabled: failed to enroll admin with vaild passwd"
    # Success case - send null passwd
    $SCRIPTDIR/enroll.sh -u admin -p ""
-   RC=$((RC+$?))
+   test $? -ne 0 && ErrorMsg "Authentication disabled: failed to enroll admin with null passwd"
    # Success case - send bogus passwd
    $SCRIPTDIR/enroll.sh -u admin -p xxxxxx
-   RC=$((RC+$?))
+   test $? -ne 0 && ErrorMsg "Authentication disabled: failed to enroll admin with bad passwd"
 
    # - default (auth enabled)
-   $SCRIPTDIR/fabric-ca_setup.sh -R
-   $SCRIPTDIR/fabric-ca_setup.sh -I -S -X -d $driver -g "$SERVERCONFIG"
+   $SCRIPTDIR/fabric-ca_setup.sh  -R
+   $SCRIPTDIR/fabric-ca_setup.sh  -I -S -X -d $driver -g "$SERVERCONFIG"
    test $? -ne 0 && ErrorExit "Failed to setup server"
    # Success case - send passwd
    $SCRIPTDIR/enroll.sh -u admin -p adminpw
-   RC=$((RC+$?))
+   test $? -ne 0 && ErrorMsg "Failed to enroll admin"
    # Fail case - send null passwd
    $SCRIPTDIR/enroll.sh -u admin -p ""
-   test $? -eq 0 && RC=$((RC+1))
+   test $? -eq 0 && ErrorMsg "Improperly enrolled admin with null passwd"
    # Fail case - send bogus passwd
    $SCRIPTDIR/enroll.sh -u admin -p xxxxxx
-   test $? -eq 0 && RC=$((RC+1))
+   test $? -eq 0 && ErrorMsg "Improperly enrolled admin with bad passwd"
 
 done
 rm $SERVERCONFIG

diff --git a/scripts/fvt/enroll.sh b/scripts/fvt/enroll.sh
@@ -6,6 +6,7 @@ SCRIPTDIR="$FABRIC_CA/scripts/fvt"
 . $SCRIPTDIR/fabric-ca_utils
 HOST="http://localhost:8888"
 RC=0
+$($FABRIC_TLS) && HOST="https://localhost:8888"
 
 while getopts "du:p:t:l:x:" option; do
   case "$option" in
@@ -34,7 +35,6 @@ $($AUTH) || unset USERPSWD
 
 test "$KEYTYPE" = "ecdsa" && sslcmd="ec"
 
-
 genClientConfig "$FABRIC_CA_HOME/client-config.json"
 $FABRIC_CAEXEC client enroll "$USERNAME" "$USERPSWD" "$HOST" <(echo "{
     \"hosts\": [

diff --git a/scripts/fvt/enrollments_test.sh b/scripts/fvt/enrollments_test.sh
@@ -4,7 +4,6 @@ SCRIPTDIR="$FABRIC_CA/scripts/fvt"
 TESTDATA="$FABRIC_CA/testdata"
 . $SCRIPTDIR/fabric-ca_utils
 RC=0
-HOST="localhost:10888"
 SERVERCONFIG="/tmp/serverConfig.json"
 export FABRIC_CA_HOME="$HOME/fabric-ca"
 CLIENTCONFIG="$FABRIC_CA_HOME/fabric-ca/fabric-ca_client.json"
@@ -15,13 +14,19 @@ MAX_ENROLL="$1"
 : ${MAX_ENROLL:="32"}
 UNLIMITED=100
 
+case "$FABRIC_TLS" in
+   true) TLS_DISABLE='false' ;;
+  false) TLS_DISABLE='true'  ;;
+      *) TLS_DISABLE='true'  ;;
+esac
+
 # default value
 cat > "$SERVERCONFIG" <<EOF
 {
- "tls_disable":true,
+ "tls_disable":$TLS_DISABLE,
  "authentication": true,
  "driver":"sqlite3",
- "data_source":"fabric-ca.db",
+ "data_source":"fabric_ca.db",
  "users": {
     "admin": {
       "pass": "adminpw",
@@ -32,6 +37,17 @@ cat > "$SERVERCONFIG" <<EOF
                 {"name":"hf.Revoker", "value": "true"}]
     }
  },
+ "ca_cert":"ec.pem",
+ "ca_key":"ec-key.pem",
+ "tls":{
+   "tls_cert":"tls_server-cert.pem",
+   "tls_key":"tls_server-key.pem",
+   "mutual_tls_ca":"root.pem",
+   "db_client":{
+     "ca_certfiles":["root.pem"],
+     "client":{"keyfile":"tls_server-key.pem","certfile":"tls_server-cert.pem"}
+   }
+ },
  "groups": {
    "banks_and_institutions": {
      "banks": ["bank_a"]
@@ -61,16 +77,16 @@ trap "rm $SERVERCONFIG; CleanUp" INT
    i=0
    while test $((i++)) -lt "$MAX_ENROLL"; do
       $SCRIPTDIR/enroll.sh
-      RC=$((RC+$?))
+      test $? -eq 0 || ErrorMsg "Failed enrollment prematurely"
       currId=$($PKI -f display -c $CLIENTCERT | awk '/Subject Key Identifier:/ {getline;print $1}')
-      test "$currId" == "$prevId" && RC=$((RC+1))
+      test "$currId" == "$prevId" && ErrorMsg "Prior and current certificates do not differ"
       prevId="$currId"
    done
    # max reached -- should fail
    $SCRIPTDIR/enroll.sh
-   test "$?" -eq 0 && RC=$((RC+1))
+   test "$?" -eq 0 && ErrorMsg "Surpassed enrollment maximum"
    currId=$($PKI -f display -c $CLIENTCERT | awk '/Subject Key Identifier:/ {getline;print $1}')
-   test "$currId" != "$prevId" && RC=$((RC+1))
+   test "$currId" != "$prevId" && ErrorMsg "Prior and current certificates are different"
    prevId="$currId"
 
 
@@ -82,16 +98,16 @@ trap "rm $SERVERCONFIG; CleanUp" INT
    i=0
    while test $((i++)) -lt "$MAX_ENROLL"; do
       $SCRIPTDIR/enroll.sh
-      RC=$((RC+$?))
+      test $? -eq 0 || ErrorMsg "Failed enrollment prematurely"
       currId=$($PKI -f display -c $CLIENTCERT | awk '/Subject Key Identifier:/ {getline;print $1}')
-      test "$currId" == "$prevId" && RC=$((RC+1))
+      test "$currId" == "$prevId" && ErrorMsg "Prior and current certificates do not differ"
       prevId="$currId"
    done
    # max reached -- should fail
    $SCRIPTDIR/enroll.sh
-   test "$?" -eq 0 && RC=$((RC+1))
+   test "$?" -eq 0 && ErrorMsg "Surpassed enrollment maximum"
    currId=$($PKI -f display -c $CLIENTCERT | awk '/Subject Key Identifier:/ {getline;print $1}')
-   test "$currId" != "$prevId" && RC=$((RC+1))
+   test "$currId" != "$prevId" && ErrorMsg "Prior and current certificates are different"
    prevId="$currId"
 
 # explicitly set value to '0'
@@ -102,9 +118,9 @@ trap "rm $SERVERCONFIG; CleanUp" INT
    i=0
    while test $((i++)) -lt "$UNLIMITED"; do
       $SCRIPTDIR/enroll.sh
-      RC=$((RC+$?))
+      test $? -eq 0 || ErrorMsg "Failed enrollment prematurely"
       currId=$($PKI -f display -c $CLIENTCERT | awk '/Subject Key Identifier:/ {getline;print $1}')
-      test "$currId" == "$prevId" && RC=$((RC+1))
+      test "$currId" == "$prevId" && ErrorMsg "Prior and current certificates do not differ"
       prevId="$currId"
    done
 
@@ -115,9 +131,9 @@ trap "rm $SERVERCONFIG; CleanUp" INT
    i=0
    while test $((i++)) -lt "$UNLIMITED"; do
       $SCRIPTDIR/enroll.sh
-      RC=$((RC+$?))
+      test $? -eq 0 || ErrorMsg "Failed enrollment prematurely"
       currId=$($PKI -f display -c $CLIENTCERT | awk '/Subject Key Identifier:/ {getline;print $1}')
-      test "$currId" == "$prevId" && RC=$((RC+1))
+      test "$currId" == "$prevId" && ErrorMsg "Prior and current certificates do not differ"
       prevId="$currId"
    done
 rm $SERVERCONFIG

diff --git a/scripts/fvt/fabric-ca_setup.sh b/scripts/fvt/fabric-ca_setup.sh
@@ -306,6 +306,7 @@ function listFabricCa(){
          echo "Users:"
          runPSQL 'SELECT * FROM "users";' '--dbname=fabric_ca' | sed 's/^/   /'
       ;;
+      sqlite3) sqlite3 "$dbfile" 'SELECT * FROM "users" ;;' | sed 's/^/   /'
    esac
 }
 
@@ -342,11 +343,39 @@ function initFabricCa() {
 function startHaproxy() {
    local inst=$1
    local i=0
-   /etc/init.d/haproxy stop
+   local proxypids=$(lsof -n -i tcp | awk '$1=="haproxy" && !($2 in a) {a[$2]=$2;print a[$2]}')
+   test -n "$proxypids" && kill $proxypids
    #sudo sed -i 's/ *# *$UDPServerRun \+514/$UDPServerRun 514/' /etc/rsyslog.conf
    #sudo sed -i 's/ *# *$ModLoad \+imudp/$ModLoad imudp/' /etc/rsyslog.conf
+   case $TLS_DISABLE in
+     false)
+   haproxy -f  <(echo "global
+      log /dev/log	local0 debug
+      log /dev/log	local1 debug
+      daemon
+defaults
+      log     global
+      option  dontlognull
+      maxconn 1024
+      timeout connect 5000
+      timeout client 50000
+      timeout server 50000
+
+frontend haproxy
+      bind *:8888
+      mode tcp
+      option tcplog
+      default_backend fabric-cas
+
+backend fabric-cas
+      mode tcp
+      balance roundrobin";
+   while test $((i++)) -lt $inst; do
+      echo "      server server$i  127.0.0.$i:9888"
+   done)
+   ;;
+   true)
    haproxy -f  <(echo "global
-      #log localhost local0 debug
       log /dev/log	local0 debug
       log /dev/log	local1 debug
       daemon
@@ -370,16 +399,18 @@ listen stats
 frontend haproxy
       bind *:8888
       mode http
+      option tcplog
       default_backend fabric-cas
 
-
 backend fabric-cas
       mode http
       http-request set-header X-Forwarded-Port %[dst_port]
       balance roundrobin";
    while test $((i++)) -lt $inst; do
       echo "      server server$i  127.0.0.$i:9888"
    done)
+   ;;
+   esac
 
 }
 
@@ -441,20 +472,31 @@ while getopts "\?hPRCBISKXLDTAd:t:l:n:i:c:k:x:g:m:p:" option; do
      X)   PROXY="true" ;;
      K)   KILL="true" ;;
      L)   LIST="true" ;;
-     T)   TLS_DISABLE="false" ;;
+     T)   TLS_ON="true" ;;
    \?|h)  usage
           exit 1
           ;;
   esac
 done
 
+# regarding tls:
+#    honor the command-line setting to turn on TLS
+#      else honor the envvar
+#        else (default) turn off tls
+if test -n "$TLS_ON"; then
+   TLS_DISABLE='false'
+else
+   case "$FABRIC_TLS" in
+      true) TLS_DISABLE='false' ;;
+     false) TLS_DISABLE='true'  ;;
+         *) TLS_DISABLE='true'  ;;
+   esac
+fi
 
 test -z "$DATADIR" && DATADIR="$HOME/fabric-ca"
 test -z "$SRC_KEY" && SRC_KEY="$DATADIR/server-key.pem"
 test -z "$SRC_CERT" && SRC_CERT="$DATADIR/server-cert.pem"
-
 : ${HTTP_PORT="3755"}
-: ${TLS_DISABLE="true"}
 : ${MAXENROLL="1"}
 : ${AUTH="true"}
 : ${DRIVER="sqlite3"}
@@ -477,7 +519,7 @@ test $KEYTYPE = "rsa" && SSLKEYCMD=$KEYTYPE || SSLKEYCMD="ec"
 
 case $DRIVER in
    postgres) DATASRC="dbname=fabric_ca host=127.0.0.1 port=$POSTGRES_PORT user=postgres password=postgres sslmode=disable" ;;
-   sqlite3)   DATASRC="fabric_ca.db" ;;
+   sqlite3)   DATASRC="fabric_ca.db"; dbfile="$TESTDATA/fabric_ca.db" ;;
    mysql)    DATASRC="root:mysql@tcp(localhost:$MYSQL_PORT)/fabric_ca?parseTime=true" ;;
 esac