FAB-16120 Adding IT for MSP inconsistence (#305)
Signed-off-by: Chongxin Luo <Chongxin.Luo@ibm.com>
DereckLuo authored and Jason Yellick committed Jan 6, 2020
1 parent c939f45 commit d35acaa
Showing 3 changed files with 104 additions and 13 deletions.
2 changes: 1 addition & 1 deletion integration/e2e/e2e_test.go
Expand Up @@ -359,7 +359,7 @@ var _ = Describe("EndToEnd", func() {
})
})

Describe("basic solo network with containers being interroped", func() {
Describe("basic solo network with containers being interrupted", func() {
BeforeEach(func() {
network = nwo.New(nwo.BasicSolo(), testDir, client, StartPort(), components)

73 changes: 61 additions & 12 deletions integration/msp/msp_test.go
Expand Up @@ -58,6 +58,12 @@ var _ = Describe("MSP identity test on a network with mutual TLS required", func
By("setting TLS ClientAuthRequired to be true for all peers and orderers")
network.ClientAuthRequired = true

By("disabling NodeOU for org2")
// Org2 Peer0 is used to test chaincode endorsement policy not satisfied due to peer's MSP
// does not define Node OU.
Org2 := network.Organization("Org2")
Org2.EnableNodeOUs = false

network.GenerateConfigTree()
network.Bootstrap()

Expand All @@ -66,7 +72,8 @@ var _ = Describe("MSP identity test on a network with mutual TLS required", func
process = ifrit.Invoke(networkRunner)
Eventually(process.Ready(), network.EventuallyTimeout).Should(BeClosed())

peer := network.Peers[0]
org1Peer0 := network.Peer("Org1", "peer0")
org2Peer0 := network.Peer("Org2", "peer0")
orderer := network.Orderer("orderer")

By("creating and joining channels")
Expand All @@ -91,16 +98,57 @@ var _ = Describe("MSP identity test on a network with mutual TLS required", func
nwo.DeployChaincode(network, "testchannel", orderer, chaincode)

By("querying and invoking chaincode with mutual TLS enabled")
RunQueryInvokeQuery(network, orderer, peer, 100)
RunQueryInvokeQuery(network, orderer, org1Peer0, 100)

By("replacing org2peer0's identity with a client identity")
org2Peer0 := network.Peer("Org2", "peer0")
org2Peer0MSPDir := network.PeerLocalMSPDir(org2Peer0)
org2User1MSPDir := network.PeerUserMSPDir(org2Peer0, "User1")
By("querying the chaincode with org2 peer")
sess, err := network.PeerUserSession(org2Peer0, "User1", commands.ChaincodeQuery{
ChannelID: "testchannel",
Name: "mycc",
Ctor: `{"Args":["query","a"]}`,
})
Expect(err).NotTo(HaveOccurred())
Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(0))
Expect(sess).To(gbytes.Say("90"))

// Testing scenario one: chaincode endorsement policy not satisfied due to peer's MSP does not define
// the peer node OU.
By("attempting to invoke chaincode on a peer that does not have a valid endorser identity (endorsing peer has member identity)")
sess, err = network.PeerUserSession(org2Peer0, "User1", commands.ChaincodeInvoke{
ChannelID: "testchannel",
Orderer: network.OrdererAddress(orderer, nwo.ListenPort),
Name: "mycc",
Ctor: `{"Args":["invoke","a","b","10"]}`,
PeerAddresses: []string{
network.PeerAddress(network.Peer("Org2", "peer1"), nwo.ListenPort),
},
WaitForEvent: true,
ClientAuth: network.ClientAuthRequired,
})
Expect(err).NotTo(HaveOccurred())
Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(1))
Expect(sess.Err).To(gbytes.Say(`(ENDORSEMENT_POLICY_FAILURE)`))

_, err := copyFile(filepath.Join(org2User1MSPDir, "signcerts", "User1@org2.example.com-cert.pem"), filepath.Join(org2Peer0MSPDir, "signcerts", "peer0.org2.example.com-cert.pem"))
By("reverifying the channel was not affected by the unauthorized endorsement")
sess, err = network.PeerUserSession(org2Peer0, "User1", commands.ChaincodeQuery{
ChannelID: "testchannel",
Name: "mycc",
Ctor: `{"Args":["query","a"]}`,
})
Expect(err).NotTo(HaveOccurred())
Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(0))
Expect(sess).To(gbytes.Say("90"))

// Testing scenario two: chaincode endorsement policy not satisfied due to peer's signer cert does not
// satisfy endorsement policy.
By("replacing org1peer0's identity with a client identity")
// Org1 peer0 is used to test chaincode endorsement policy not satisfied due to peer's signer
// cert does not satisfy endorsement policy.
org1Peer0MSPDir := network.PeerLocalMSPDir(org1Peer0)
org1User1MSPDir := network.PeerUserMSPDir(org1Peer0, "User1")

_, err = copyFile(filepath.Join(org1User1MSPDir, "signcerts", "User1@org1.example.com-cert.pem"), filepath.Join(org1Peer0MSPDir, "signcerts", "peer0.org1.example.com-cert.pem"))
Expect(err).NotTo(HaveOccurred())
_, err = copyFile(filepath.Join(org2User1MSPDir, "keystore", "priv_sk"), filepath.Join(org2Peer0MSPDir, "keystore", "priv_sk"))
_, err = copyFile(filepath.Join(org1User1MSPDir, "keystore", "priv_sk"), filepath.Join(org1Peer0MSPDir, "keystore", "priv_sk"))
Expect(err).NotTo(HaveOccurred())

By("restarting all fabric processes to reload MSP identities")
Expand All @@ -110,14 +158,14 @@ var _ = Describe("MSP identity test on a network with mutual TLS required", func
process = ifrit.Invoke(networkRunner)
Eventually(process.Ready(), network.EventuallyTimeout).Should(BeClosed())

By("attempting to invoke chaincode on a peer that does not have a valid endorser identity")
sess, err := network.PeerUserSession(peer, "User1", commands.ChaincodeInvoke{
By("attempting to invoke chaincode on a peer that does not have a valid endorser identity (endorsing peer has client identity)")
sess, err = network.PeerUserSession(org1Peer0, "User1", commands.ChaincodeInvoke{
ChannelID: "testchannel",
Orderer: network.OrdererAddress(orderer, nwo.ListenPort),
Name: "mycc",
Ctor: `{"Args":["invoke","a","b","10"]}`,
PeerAddresses: []string{
network.PeerAddress(network.Peer("Org2", "peer0"), nwo.ListenPort),
network.PeerAddress(network.Peer("Org1", "peer0"), nwo.ListenPort),
},
WaitForEvent: true,
ClientAuth: network.ClientAuthRequired,
Expand All @@ -127,14 +175,15 @@ var _ = Describe("MSP identity test on a network with mutual TLS required", func
Expect(sess.Err).To(gbytes.Say(`(ENDORSEMENT_POLICY_FAILURE)`))

By("reverifying the channel was not affected by the unauthorized endorsement")
sess, err = network.PeerUserSession(peer, "User1", commands.ChaincodeQuery{
sess, err = network.PeerUserSession(org1Peer0, "User1", commands.ChaincodeQuery{
ChannelID: "testchannel",
Name: "mycc",
Ctor: `{"Args":["query","a"]}`,
})
Expect(err).NotTo(HaveOccurred())
Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(0))
Expect(sess).To(gbytes.Say("90"))

})
})

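Review bot: The comment added in the first hunk says Org2 peer0 is the peer used for the missing-NodeOU case, but the scenario-one invoke sends its proposal to Org2 peer1 (`network.PeerAddress(network.Peer("Org2", "peer1"), nwo.ListenPort)`) while the CLI session and the surrounding queries run through org2Peer0, so the documented peer and the actual endorsement target disagree. Either point the invoke at the documented peer, `network.PeerAddress(org2Peer0, nwo.ListenPort),`, or change the comment to name peer1; in both cases the `By` text "endorsing peer has member identity" should say which peer it means. Note also that with NodeOUs disabled Org2's own Endorsement policy becomes `OR('Org2MSP.member')` (see the template change in this commit), so the ENDORSEMENT_POLICY_FAILURE asserted here presumably comes from the chaincode-level policy set at deploy time, which is outside this hunk; a one-line comment stating that dependency would stop a later change to the chaincode policy from silently turning this into a passing invoke. The enclosing It block begins and ends outside the hunk.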
42 changes: 42 additions & 0 deletions integration/nwo/configtx_template.go
Expand Up @@ -14,6 +14,7 @@ Organizations:{{ range .PeerOrgs }}
ID: {{ .MSPID }}
MSPDir: {{ $w.PeerOrgMSPDir . }}
Policies:
{{- if .EnableNodeOUs }}
Readers:
Type: Signature
Rule: OR('{{.MSPID}}.admin', '{{.MSPID}}.peer', '{{.MSPID}}.client')
Expand All @@ -26,6 +27,20 @@ Organizations:{{ range .PeerOrgs }}
Admins:
Type: Signature
Rule: OR('{{.MSPID}}.admin')
{{- else }}
Readers:
Type: Signature
Rule: OR('{{.MSPID}}.member')
Writers:
Type: Signature
Rule: OR('{{.MSPID}}.member')
Endorsement:
Type: Signature
Rule: OR('{{.MSPID}}.member')
Admins:
Type: Signature
Rule: OR('{{.MSPID}}.admin')
{{- end }}
AnchorPeers:{{ range $w.AnchorsInOrg .Name }}
- Host: 127.0.0.1
Port: {{ $w.PeerPort . "Listen" }}
Expand All @@ -38,6 +53,7 @@ Organizations:{{ range .PeerOrgs }}
MSPDir: {{ $w.IdemixOrgMSPDir . }}
MSPType: idemix
Policies:
{{- if .EnableNodeOUs }}
Readers:
Type: Signature
Rule: OR('{{.MSPID}}.admin', '{{.MSPID}}.peer', '{{.MSPID}}.client')
Expand All @@ -50,13 +66,38 @@ Organizations:{{ range .PeerOrgs }}
Admins:
Type: Signature
Rule: OR('{{.MSPID}}.admin')
{{- else }}
Readers:
Type: Signature
Rule: OR('{{.MSPID}}.member')
Writers:
Type: Signature
Rule: OR('{{.MSPID}}.member')
Endorsement:
Type: Signature
Rule: OR('{{.MSPID}}.member')
Admins:
Type: Signature
Rule: OR('{{.MSPID}}.admin')
{{- end }}
{{ end }}
{{- range .OrdererOrgs }}
- &{{ .MSPID }}
Name: {{ .Name }}
ID: {{ .MSPID }}
MSPDir: {{ $w.OrdererOrgMSPDir . }}
Policies:
{{- if .EnableNodeOUs }}
Readers:
Type: Signature
Rule: OR('{{.MSPID}}.admin', '{{.MSPID}}.orderer', '{{.MSPID}}.client')
Writers:
Type: Signature
Rule: OR('{{.MSPID}}.admin', '{{.MSPID}}.orderer', '{{.MSPID}}.client')
Admins:
Type: Signature
Rule: OR('{{.MSPID}}.admin')
{{- else }}
Readers:
Type: Signature
Rule: OR('{{.MSPID}}.member')
Expand All @@ -66,6 +107,7 @@ Organizations:{{ range .PeerOrgs }}
Admins:
Type: Signature
Rule: OR('{{.MSPID}}.admin')
{{- end }}
OrdererEndpoints:{{ range $w.OrderersInOrg .Name }}
- 127.0.0.1:{{ $w.OrdererPort . "Listen" }}
{{- end }}
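Review bot: The `{{- else }}` branch added for peer orgs is repeated verbatim for the idemix orgs and, minus Endorsement, for the orderer orgs, so the three copies will drift the next time a policy is adjusted; a `{{ define "memberPolicies" }}` block invoked with `{{ template "memberPolicies" . }}` would keep them in one place. Because the fallback grants Readers, Writers and Endorsement to `OR('{{.MSPID}}.member')`, every valid identity issued under the org's MSP, client and admin identities included, satisfies the org's endorsement policy once NodeOUs are off, which is exactly the weakened posture the new MSP integration test relies on. That consequence deserves a template comment at the top of the branch, e.g. `{{- /* NodeOUs disabled: no peer/client role split, so any org member satisfies these policies */ -}}`, so nobody copies this branch into a production configtx.yaml thinking it is equivalent to the NodeOU form. The Organizations range that contains these branches begins before the first hunk and ends after the last.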
