[ FAB-3416 ] Enhance fvt image LDAP attributes

In anticipation of [FAB-3416] Map LDAP attrs to fabric CA attrs the ldap server's DIT is updated with user attributes that can be mapped to standard fabric-ca attibutes. Some convenience cmd-line utils will be added to the fabric_ca_utils file, including the ability to list Ldap users and groups, all members of a specific group, add users, delete users, and modify user attributes. Change-Id: I67e21d85a65628a09b7d0890e86a2086c9a48f61 Signed-off-by: Allen Bailey <eabailey@us.ibm.com> (cherry picked from commit 51a86100bcea4430b0f3bb7bbd1e4d2a7ab9c362)
hyperledger · Jan 29, 2018 · b1ed44e · b1ed44e
1 parent 71974f5
commit b1ed44e
Show file tree

Hide file tree

Showing 11 changed files with 1,088 additions and 60 deletions.
diff --git a/images/fabric-ca-fvt/payload/add-users.ldif b/images/fabric-ca-fvt/payload/add-users.ldif
diff --git a/images/fabric-ca-fvt/payload/base.ldif b/images/fabric-ca-fvt/payload/base.ldif
@@ -8,6 +8,70 @@ objectClass: top
 objectClass: domain
 dc: hyperledeger
 
+dn: ou=groups,dc=example,dc=com
+objectclass: OrganizationalUnit
+ou: groups
+
+dn: ou=bank_a,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: bank_a
+
+dn: ou=department1,ou=bank_a,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: bank_a_department1
+
+dn: ou=bank_b,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: bank_b
+
+dn: ou=department1,ou=bank_b,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: bank_b_department1
+
+dn: ou=bank_c,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: bank_c
+
+dn: ou=department1,ou=bank_c,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: bank_c_department1
+
+dn: ou=org1,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: org1
+
+dn: ou=department1,ou=org1,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: org1_department1
+
+dn: ou=department2,ou=org1,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: org1_department2
+
+dn: ou=org2,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: org2
+
+dn: ou=department1,ou=org2,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: org2_department1
+
+dn: ou=department2,ou=org2,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: org2_department2
+
 dn: ou=fabric,dc=hyperledeger,dc=example,dc=com
 objectClass: top
 objectClass: OrganizationalUnit
@@ -17,3 +81,33 @@ dn: ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
 objectClass: top
 objectClass: OrganizationalUnit
 ou: users
+
+dn: ou=dev,ou=fabric,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: dev
+
+dn: ou=users,ou=dev,ou=fabric,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: devusers
+
+dn: ou=peers,ou=dev,ou=fabric,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: devpeers
+
+dn: ou=tst,ou=fabric,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: tst
+
+dn: ou=users,ou=tst,ou=fabric,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: tstusers
+
+dn: ou=peers,ou=tst,ou=fabric,dc=hyperledeger,dc=example,dc=com
+objectClass: top
+objectClass: OrganizationalUnit
+ou: tstpeers
diff --git a/images/fabric-ca-fvt/payload/groups.ldif b/images/fabric-ca-fvt/payload/groups.ldif
@@ -0,0 +1,129 @@
+dn: cn=pkiAdmin,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: cn=pkiAdmin
+description: All users with revocation authorization
+member: uid=rootadmin,dc=example,dc=com
+member: uid=admin,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=admin2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=devadmin,ou=dev,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=tstadmin,ou=tst,ou=fabric,dc=hyperledeger,dc=example,dc=com
+
+dn: cn=Revoker,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Revoker
+description: All users with revocation authorization
+member: uid=rootadmin,dc=example,dc=com
+member: uid=revoker,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=revoker2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+
+dn: cn=Gencrl,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Gencrl
+description: All users with gencrl authorization
+member: uid=rootadmin,dc=example,dc=com
+member: uid=revoker,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=revoker2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+
+dn: cn=Ca,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Ca
+description: All users with intermediate CA authorization
+member: uid=rootadmin,dc=example,dc=com
+member: uid=intermediateCa1,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa3,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa4,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa5,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa6,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa7,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa8,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa9,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa10,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa11,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa12,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa13,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa14,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa15,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=intermediateCa16,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+
+dn: cn=Client,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Client
+description: All hyperledeger fabric clients
+member: uid=rootadmin,dc=example,dc=com
+member: uid=admin,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=admin2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=devadmin,ou=dev,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=tstadmin,ou=tst,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=revoker,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=nonrevoker,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=nonrevoker2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=notadmin,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=expiryUser,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=testUser,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=testUser2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=testUser3,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+
+dn: cn=Peer,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Peer
+description: All hyperledeger fabric peers
+member: uid=rootadmin,dc=example,dc=com
+member: uid=admin,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=admin2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=revoker,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=revoker2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+
+dn: cn=User,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: User
+description: All hyperledeger fabric users
+member: uid=rootadmin,dc=example,dc=com
+member: uid=admin,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=admin2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=revoker,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=revoker2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=nonrevoker,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=nonrevoker2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=notadmin,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=expiryUser,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=testUser,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=testUser2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=testUser3,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=testUser4,ou=users,ou=tst,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=testUser5,ou=users,ou=tst,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=testUser6,ou=users,ou=tst,ou=fabric,dc=hyperledeger,dc=example,dc=com
+
+dn: cn=App,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: App
+description: All hyperledeger fabric apps
+member: uid=rootadmin,dc=example,dc=com
+member: uid=admin,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=admin2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=revoker,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=revoker2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=nonrevoker,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=nonrevoker2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=testUser,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=testUser2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=testUser3,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+
+dn: cn=Auditor,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Auditor
+description: All hyperledeger fabric auditors
+member: uid=rootadmin,dc=example,dc=com
+member: uid=admin,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=admin2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=revoker,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=revoker2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=expiryUser,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+
+dn: cn=Validator,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Validator
+description: All hyperledeger fabric validators
+member: uid=rootadmin,dc=example,dc=com
+member: uid=admin,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
+member: uid=admin2,ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com
diff --git a/images/fabric-ca-fvt/payload/member.ldif b/images/fabric-ca-fvt/payload/member.ldif
@@ -0,0 +1,13 @@
+dn: cn=module,cn=config
+cn: module
+objectclass: olcModuleList
+objectclass: top
+olcmoduleload: memberof.la
+olcmodulepath: /usr/lib/ldap
+
+dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
diff --git a/images/fabric-ca-fvt/payload/refint.ldif b/images/fabric-ca-fvt/payload/refint.ldif
@@ -0,0 +1,14 @@
+dn: cn=module,cn=config
+cn: module
+objectclass: olcModuleList
+objectclass: top
+olcmoduleload: refint.la
+olcmodulepath: /usr/lib/ldap
+
+dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof member manager owner
diff --git a/images/fabric-ca-fvt/payload/slapd_setup.sh b/images/fabric-ca-fvt/payload/slapd_setup.sh
@@ -35,8 +35,11 @@ i=0;while ! nc -znvt $HOSTADDR $LDAPPORT; do
     fi
 done
 
+ldapadd -Y EXTERNAL -H ldapi:///  -f /etc/ldap/member.ldif || let RC+=1
+ldapadd -Y EXTERNAL -H ldapi:///  -f /etc/ldap/refint.ldif || let RC+=1
 ldapadd -h localhost -p $LDAPPORT -D cn=$LDAPUSER,dc=example,dc=com -w $LDAPPASWD -f /etc/ldap/base.ldif || let RC+=1
 ldapadd -h localhost -p $LDAPPORT -D cn=$LDAPUSER,dc=example,dc=com -w $LDAPPASWD -f /etc/ldap/add-users.ldif || let RC+=1
+ldapadd -h localhost -p $LDAPPORT -D cn=$LDAPUSER,dc=example,dc=com -w $LDAPPASWD -f /etc/ldap/groups.ldif || let RC+=1
 ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/certinfo.ldif || let RC+=1
 ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/forceTimeout.ldif
 /etc/init.d/slapd stop

diff --git a/lib/ldap/client.go b/lib/ldap/client.go
@@ -409,7 +409,7 @@ func (u *user) GetAffiliationPath() []string {
 	parts := strings.Split(dn, ",")
 	for i := len(parts) - 1; i >= 0; i-- {
 		p := parts[i]
-		if strings.HasPrefix(p, "OU=") {
+		if strings.HasPrefix(strings.ToUpper(p), "OU=") {
 			path = append(path, strings.Trim(p[3:], " "))
 		}
 	}

diff --git a/scripts/fvt/fabric-ca_setup.sh b/scripts/fvt/fabric-ca_setup.sh
@@ -102,7 +102,8 @@ listFabricCa(){
                runPSQL "SELECT * FROM AFFILIATIONS;" "--dbname=${DBNAME}${dbSuffix}" | sed 's/^/   /'
             fi
          ;;
-         sqlite3) sqlite3 "$DATADIR/ca/ca$i/$DBNAME" 'SELECT * FROM USERS ;;' | sed 's/^/   /'
+         sqlite3) test -z $i && DBDIR=$DATADIR || DBDIR="$DATADIR/ca/ca$i"
+                  sqlite3 "$DBDIR/$DBNAME" 'SELECT * FROM USERS ;;' | sed 's/^/   /'
                   if $($FABRIC_CA_DEBUG); then
                      sqlite3 "$DATASRC" 'SELECT * FROM CERTIFICATES;' | sed 's/^/   /'
                      sqlite3 "$DATASRC" 'SELECT * FROM AFFILIATIONS;' | sed 's/^/   /'