[FAB-16376] MSP_1.4.3: support for admincerts

This change-sets introduces a new test that check that when Node OU classificationi is enabled, certificates in the admincerts folder are considered administrator even if they carry the Client OU. Notice that certificates in the admincerts folder, when node ou classification is enabled, are required to contain either the client or admin OU. Signed-off-by: Angelo De Caro <adc@zurich.ibm.com> Change-Id: I7a418bfae4ac1490c9e640bb864a6f7b94089db9 (cherry picked from commit 05479d9)
hyperledger · Oct 3, 2019 · 447637f · 447637f
1 parent 911be12
commit 447637f
Show file tree

Hide file tree

Showing 13 changed files with 179 additions and 0 deletions.
diff --git a/msp/nodeous_test.go b/msp/nodeous_test.go
@@ -293,6 +293,37 @@ func TestLoad142MSPWithInvalidAdminConfiguration(t *testing.T) {
 	assert.Equal(t, "administrators must be declared when no admin ou classification is set", err.Error())
 }
 
+func TestAdminInAdmincertsWith143MSP(t *testing.T) {
+	// testdata/nodeouadminclient enables NodeOU classification and contains in the admincerts folder
+	// a certificate classified as client. This test checks that that identity is considered an admin anyway.
+	// testdata/nodeouadminclient2 enables NodeOU classification and contains in the admincerts folder
+	// a certificate classified as client. This test checks that that identity is considered an admin anyway.
+	// Notice that the configuration used is one that is usually expected for MSP version < 1.4.3 which
+	// only define peer and client OU.
+	testFolders := []string{"testdata/nodeouadminclient", "testdata/nodeouadminclient2"}
+
+	for _, testFolder := range testFolders {
+		localMSP := getLocalMSPWithVersion(t, testFolder, MSPv1_4_3)
+
+		cert, err := readFile(filepath.Join(testFolder, "admincerts", "admin.pem"))
+		assert.NoError(t, err)
+
+		id, _, err := localMSP.(*bccspmsp).getIdentityFromConf(cert)
+		assert.NoError(t, err)
+		for _, ou := range id.GetOrganizationalUnits() {
+			assert.NotEqual(t, "admin", ou.OrganizationalUnitIdentifier)
+		}
+
+		principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ADMIN, MspIdentifier: "SampleOrg"})
+		assert.NoError(t, err)
+		principal := &msp.MSPPrincipal{
+			PrincipalClassification: msp.MSPPrincipal_ROLE,
+			Principal:               principalBytes}
+		err = id.SatisfiesPrincipal(principal)
+		assert.NoError(t, err)
+	}
+}
+
 func TestSatisfiesPrincipalOrderer(t *testing.T) {
 	// testdata/nodeouorderer:
 	// the configuration enables NodeOUs (with orderOU)

diff --git a/msp/testdata/nodeouadminclient/admincerts/admin.pem b/msp/testdata/nodeouadminclient/admincerts/admin.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGzCCAcKgAwIBAgIRAN5DkOBs583C+swyjC7nHS0wCgYIKoZIzj0EAwIwaTEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
+cmFuY2lzY28xFDASBgNVBAoTC2V4YW1wbGUuY29tMRcwFQYDVQQDEw5jYS5leGFt
+cGxlLmNvbTAeFw0xOTA3MDQxNjI3MDBaFw0yOTA3MDExNjI3MDBaMGcxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMQ8wDQYDVQQLEwZjbGllbnQxGjAYBgNVBAMMEUFkbWluQGV4YW1wbGUuY29t
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3H+SsKIPqOTCn2YBHDYTkgsvYtr0
+6Kz3mEp4jfNmRt0Mz/Sjyg+E3AUjBah/Qj6WBqVYhmJeFsMoNvk8OhdHg6NNMEsw
+DgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwKwYDVR0jBCQwIoAg3+GALQue
+CGamN/C2yq8S+ET/YsjAltoJS2hjlwUXxZ8wCgYIKoZIzj0EAwIDRwAwRAIgXvE1
+Dsw0Vd2Tz+mxCfyf62lzQ8IN2BE4qsEQNgcsL94CIH26gcvFF7u0j+FVkjA4Awuq
+10yaq8RzytoLpOz4SDkw
+-----END CERTIFICATE-----
diff --git a/msp/testdata/nodeouadminclient/cacerts/ca.example.com-cert.pem b/msp/testdata/nodeouadminclient/cacerts/ca.example.com-cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICPzCCAeSgAwIBAgIRAONi5v8ImyejqCrCatbAW1QwCgYIKoZIzj0EAwIwaTEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
+cmFuY2lzY28xFDASBgNVBAoTC2V4YW1wbGUuY29tMRcwFQYDVQQDEw5jYS5leGFt
+cGxlLmNvbTAeFw0xOTA3MDQxNjI3MDBaFw0yOTA3MDExNjI3MDBaMGkxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5j
+b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQAfjOlLCdB/6SsdPlbDHUsdK+b
+gRuEN38QOFZ0Ws3aFAsER8ImqV3UIlsbKi5JnDs+OQnzrr3hrKA8downRRy/o20w
+azAOBgNVHQ8BAf8EBAMCAaYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
+MA8GA1UdEwEB/wQFMAMBAf8wKQYDVR0OBCIEIN/hgC0LnghmpjfwtsqvEvhE/2LI
+wJbaCUtoY5cFF8WfMAoGCCqGSM49BAMCA0kAMEYCIQDhhgAHx0l7V5uAG2hATgCs
+bvsbHiJpHUtiK7f1Qfxf2AIhANeukSgRU+AeGSzyVmAOKhIUS+grsPyspksUwVvB
+ehXv
+-----END CERTIFICATE-----
diff --git a/msp/testdata/nodeouadminclient/config.yaml b/msp/testdata/nodeouadminclient/config.yaml
@@ -0,0 +1,14 @@
+NodeOUs:
+  Enable: true
+  ClientOUIdentifier:
+    Certificate: cacerts/ca.example.com-cert.pem
+    OrganizationalUnitIdentifier: client
+  PeerOUIdentifier:
+    Certificate: cacerts/ca.example.com-cert.pem
+    OrganizationalUnitIdentifier: peer
+  AdminOUIdentifier:
+    Certificate: cacerts/ca.example.com-cert.pem
+    OrganizationalUnitIdentifier: admin
+  OrdererOUIdentifier:
+    Certificate: cacerts/ca.example.com-cert.pem
+    OrganizationalUnitIdentifier: orderer
diff --git a/msp/testdata/nodeouadminclient/keystore/priv_sk b/msp/testdata/nodeouadminclient/keystore/priv_sk
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg3XkpMssR+HPUfA+C
+SvrEalkm9qz1RvDZzWpeJZJgzHuhRANCAATttnug4BR0dA3fL8XFWdcAz2KBYXNu
+o1ZoZtYoXuTBQmIAp9gzE3n4WZlx1Q20auf3LyheORimUmRokuMkzDBd
+-----END PRIVATE KEY-----
diff --git a/msp/testdata/nodeouadminclient/signcerts/orderer.example.com-cert.pem b/msp/testdata/nodeouadminclient/signcerts/orderer.example.com-cert.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICHjCCAcSgAwIBAgIQSEQ9WMdyikoUBDZC1SCNYjAKBggqhkjOPQQDAjBpMQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
+YW5jaXNjbzEUMBIGA1UEChMLZXhhbXBsZS5jb20xFzAVBgNVBAMTDmNhLmV4YW1w
+bGUuY29tMB4XDTE5MDcwNDE2MjcwMFoXDTI5MDcwMTE2MjcwMFowajELMAkGA1UE
+BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lz
+Y28xEDAOBgNVBAsTB29yZGVyZXIxHDAaBgNVBAMTE29yZGVyZXIuZXhhbXBsZS5j
+b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATttnug4BR0dA3fL8XFWdcAz2KB
+YXNuo1ZoZtYoXuTBQmIAp9gzE3n4WZlx1Q20auf3LyheORimUmRokuMkzDBdo00w
+SzAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADArBgNVHSMEJDAigCDf4YAt
+C54IZqY38LbKrxL4RP9iyMCW2glLaGOXBRfFnzAKBggqhkjOPQQDAgNIADBFAiEA
+6moSx8Ny5hOtKgR5ixwMclqefiFDW5p1OQ1mOakYe3MCIGuqooZlekXL/xCVpuNZ
+V4ODyvgvMEgQBg7lpg7RapWZ
+-----END CERTIFICATE-----
diff --git a/msp/testdata/nodeouadminclient/tlscacerts/tlsca.example.com-cert.pem b/msp/testdata/nodeouadminclient/tlscacerts/tlsca.example.com-cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICRTCCAeqgAwIBAgIRAJCUl0CdwlkfiNTXt/gxVlgwCgYIKoZIzj0EAwIwbDEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
+cmFuY2lzY28xFDASBgNVBAoTC2V4YW1wbGUuY29tMRowGAYDVQQDExF0bHNjYS5l
+eGFtcGxlLmNvbTAeFw0xOTA3MDQxNjI3MDBaFw0yOTA3MDExNjI3MDBaMGwxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJh
+bmNpc2NvMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEaMBgGA1UEAxMRdGxzY2EuZXhh
+bXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASiqvojiDlos4TH6hOh
+2Sg16UMVs4xG/s6M0MxICfAJSkwD3PRwKOinv8wD7OT7FxevPa6THKZONsXJwhWR
+Lbero20wazAOBgNVHQ8BAf8EBAMCAaYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wKQYDVR0OBCIEIEcM31EymEUj64aNdHFZ
+0OCICQC3vXXeGLXrrc28liw6MAoGCCqGSM49BAMCA0kAMEYCIQCgfmcPMxf8ojnD
+UbfnxXFHHHqAQ03X+bISVaKVtpcqjwIhAOwrN+SL40ORnkRgKBzyL8SzyiDXwqf0
+RqgngKsp/XOT
+-----END CERTIFICATE-----
diff --git a/msp/testdata/nodeouadminclient2/admincerts/admin.pem b/msp/testdata/nodeouadminclient2/admincerts/admin.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGzCCAcKgAwIBAgIRAN5DkOBs583C+swyjC7nHS0wCgYIKoZIzj0EAwIwaTEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
+cmFuY2lzY28xFDASBgNVBAoTC2V4YW1wbGUuY29tMRcwFQYDVQQDEw5jYS5leGFt
+cGxlLmNvbTAeFw0xOTA3MDQxNjI3MDBaFw0yOTA3MDExNjI3MDBaMGcxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMQ8wDQYDVQQLEwZjbGllbnQxGjAYBgNVBAMMEUFkbWluQGV4YW1wbGUuY29t
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3H+SsKIPqOTCn2YBHDYTkgsvYtr0
+6Kz3mEp4jfNmRt0Mz/Sjyg+E3AUjBah/Qj6WBqVYhmJeFsMoNvk8OhdHg6NNMEsw
+DgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwKwYDVR0jBCQwIoAg3+GALQue
+CGamN/C2yq8S+ET/YsjAltoJS2hjlwUXxZ8wCgYIKoZIzj0EAwIDRwAwRAIgXvE1
+Dsw0Vd2Tz+mxCfyf62lzQ8IN2BE4qsEQNgcsL94CIH26gcvFF7u0j+FVkjA4Awuq
+10yaq8RzytoLpOz4SDkw
+-----END CERTIFICATE-----
diff --git a/msp/testdata/nodeouadminclient2/cacerts/ca.example.com-cert.pem b/msp/testdata/nodeouadminclient2/cacerts/ca.example.com-cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICPzCCAeSgAwIBAgIRAONi5v8ImyejqCrCatbAW1QwCgYIKoZIzj0EAwIwaTEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
+cmFuY2lzY28xFDASBgNVBAoTC2V4YW1wbGUuY29tMRcwFQYDVQQDEw5jYS5leGFt
+cGxlLmNvbTAeFw0xOTA3MDQxNjI3MDBaFw0yOTA3MDExNjI3MDBaMGkxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5j
+b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQAfjOlLCdB/6SsdPlbDHUsdK+b
+gRuEN38QOFZ0Ws3aFAsER8ImqV3UIlsbKi5JnDs+OQnzrr3hrKA8downRRy/o20w
+azAOBgNVHQ8BAf8EBAMCAaYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
+MA8GA1UdEwEB/wQFMAMBAf8wKQYDVR0OBCIEIN/hgC0LnghmpjfwtsqvEvhE/2LI
+wJbaCUtoY5cFF8WfMAoGCCqGSM49BAMCA0kAMEYCIQDhhgAHx0l7V5uAG2hATgCs
+bvsbHiJpHUtiK7f1Qfxf2AIhANeukSgRU+AeGSzyVmAOKhIUS+grsPyspksUwVvB
+ehXv
+-----END CERTIFICATE-----
diff --git a/msp/testdata/nodeouadminclient2/config.yaml b/msp/testdata/nodeouadminclient2/config.yaml
@@ -0,0 +1,8 @@
+NodeOUs:
+  Enable: true
+  ClientOUIdentifier:
+    Certificate: cacerts/ca.example.com-cert.pem
+    OrganizationalUnitIdentifier: client
+  PeerOUIdentifier:
+    Certificate: cacerts/ca.example.com-cert.pem
+    OrganizationalUnitIdentifier: peer
diff --git a/msp/testdata/nodeouadminclient2/keystore/priv_sk b/msp/testdata/nodeouadminclient2/keystore/priv_sk
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg3XkpMssR+HPUfA+C
+SvrEalkm9qz1RvDZzWpeJZJgzHuhRANCAATttnug4BR0dA3fL8XFWdcAz2KBYXNu
+o1ZoZtYoXuTBQmIAp9gzE3n4WZlx1Q20auf3LyheORimUmRokuMkzDBd
+-----END PRIVATE KEY-----
diff --git a/msp/testdata/nodeouadminclient2/signcerts/orderer.example.com-cert.pem b/msp/testdata/nodeouadminclient2/signcerts/orderer.example.com-cert.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICHjCCAcSgAwIBAgIQSEQ9WMdyikoUBDZC1SCNYjAKBggqhkjOPQQDAjBpMQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
+YW5jaXNjbzEUMBIGA1UEChMLZXhhbXBsZS5jb20xFzAVBgNVBAMTDmNhLmV4YW1w
+bGUuY29tMB4XDTE5MDcwNDE2MjcwMFoXDTI5MDcwMTE2MjcwMFowajELMAkGA1UE
+BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lz
+Y28xEDAOBgNVBAsTB29yZGVyZXIxHDAaBgNVBAMTE29yZGVyZXIuZXhhbXBsZS5j
+b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATttnug4BR0dA3fL8XFWdcAz2KB
+YXNuo1ZoZtYoXuTBQmIAp9gzE3n4WZlx1Q20auf3LyheORimUmRokuMkzDBdo00w
+SzAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADArBgNVHSMEJDAigCDf4YAt
+C54IZqY38LbKrxL4RP9iyMCW2glLaGOXBRfFnzAKBggqhkjOPQQDAgNIADBFAiEA
+6moSx8Ny5hOtKgR5ixwMclqefiFDW5p1OQ1mOakYe3MCIGuqooZlekXL/xCVpuNZ
+V4ODyvgvMEgQBg7lpg7RapWZ
+-----END CERTIFICATE-----
diff --git a/msp/testdata/nodeouadminclient2/tlscacerts/tlsca.example.com-cert.pem b/msp/testdata/nodeouadminclient2/tlscacerts/tlsca.example.com-cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICRTCCAeqgAwIBAgIRAJCUl0CdwlkfiNTXt/gxVlgwCgYIKoZIzj0EAwIwbDEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
+cmFuY2lzY28xFDASBgNVBAoTC2V4YW1wbGUuY29tMRowGAYDVQQDExF0bHNjYS5l
+eGFtcGxlLmNvbTAeFw0xOTA3MDQxNjI3MDBaFw0yOTA3MDExNjI3MDBaMGwxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJh
+bmNpc2NvMRQwEgYDVQQKEwtleGFtcGxlLmNvbTEaMBgGA1UEAxMRdGxzY2EuZXhh
+bXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASiqvojiDlos4TH6hOh
+2Sg16UMVs4xG/s6M0MxICfAJSkwD3PRwKOinv8wD7OT7FxevPa6THKZONsXJwhWR
+Lbero20wazAOBgNVHQ8BAf8EBAMCAaYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
+AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wKQYDVR0OBCIEIEcM31EymEUj64aNdHFZ
+0OCICQC3vXXeGLXrrc28liw6MAoGCCqGSM49BAMCA0kAMEYCIQCgfmcPMxf8ojnD
+UbfnxXFHHHqAQ03X+bISVaKVtpcqjwIhAOwrN+SL40ORnkRgKBzyL8SzyiDXwqf0
+RqgngKsp/XOT
+-----END CERTIFICATE-----