コード例 #1
def get_submitter(store):
    """Return a User for the module-level identity, carrying a fresh CA enrollment.

    Args:
        store: passed straight to the User constructor (its contract is not
            visible here).
    Returns:
        The User with its ``enrollment`` attribute set to the CA's reply.
    """
    ca_client = ca_service()
    submitter = User(USER_ID, USER_PASSWD, store)
    # Enroll with the same credentials the User was built from and keep the result on it.
    submitter.enrollment = ca_client.enroll(USER_ID, USER_PASSWD)
    return submitter
コード例 #2
    def test_enroll(self):
        """An enrollment obtained from the CA can be stored in and found again from an in-memory wallet."""
        ca_client = ca_service(f"http://{self._ca_server_address}")
        admin_enrollment = ca_client.enroll(self._enrollment_id,
                                            self._enrollment_secret)

        store = inmemorywalletstore.InMemoryWalletStore()
        store.put(self._enrollment_id, admin_enrollment)
        self.assertTrue(store.exists(self._enrollment_id))
コード例 #3
ファイル: wallet_test.py プロジェクト: AYCH-Inc/aych.hyper
    def test_enroll(self):
        """An enrollment obtained from the CA can be persisted as an Identity in the file-system wallet."""
        ca_client = ca_service(f"http://{self._ca_server_address}")
        admin_enrollment = ca_client.enroll(self._enrollment_id,
                                            self._enrollment_secret)

        # The SDK class really is spelled "FileSystenWallet".
        fs_wallet = wallet.FileSystenWallet()
        identity = wallet.Identity(self._enrollment_id, admin_enrollment)
        identity.CreateIdentity(fs_wallet)
        self.assertTrue(fs_wallet.exists(self._enrollment_id))
コード例 #4
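 def __enter__(self):
     """Write the CA's PEM to a temp file and open the CA and identity service clients.

     ``self.certificate_authority.pem`` holds the PEM base64-encoded; it is
     decoded into a ``tempfile.mkstemp`` file (readable/writable only by the
     creating user) whose path is kept in ``self.pem_path`` — presumably removed
     by ``__exit__``, which is not visible here. Returns self.
     """
     fd, pem_path = tempfile.mkstemp()
     # fdopen owns the descriptor: the buffered write covers the whole PEM
     # (a bare os.write may be short) and the file is closed even when the
     # base64 decode or the write raises.
     with os.fdopen(fd, 'wb') as pem_file:
         pem_file.write(base64.b64decode(self.certificate_authority.pem))
     self.pem_path = pem_path
     # The PEM path is handed to the CA client as its trust anchor for TLS.
     self.ca_service = ca_service(
         self.certificate_authority.api_url,
         self.pem_path,
         ca_name=self.certificate_authority.ca_name)
     self.identity_service = self.ca_service.newIdentityService()
     return self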
コード例 #5
    def test_enroll(self):
        """Round-trip an enrollment through the CouchDB wallet store: put, exists, remove, gone."""
        ca_client = ca_service(f"http://{self._ca_server_address}")
        admin_enrollment = ca_client.enroll(self._enrollment_id,
                                            self._enrollment_secret)

        # Local CouchDB on its default port; DB_NAME comes from module scope.
        couch_url = 'http://localhost:5984'
        store = CouchDBWalletStore(DB_NAME, couch_url)

        store.put(self._enrollment_id, admin_enrollment)
        self.assertTrue(store.exists(self._enrollment_id))

        store.remove(self._enrollment_id)
        self.assertFalse(store.exists(self._enrollment_id))
コード例 #6
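def enroll_user(
    hf_client: hfc.fabric.Client,
    org_name: str,
    user_name: str,
    user_password: str,
) -> hfc.fabric.user.User:
    """
    Enrolls a user to the Org's Fabric CA Server and returns a User backed by
    the org's file-system wallet.

    The credentials are always presented to the CA, even when an identity for
    ``user_name`` is already cached in the wallet: the wallet lookup only knows
    the username, so returning the cached identity without a CA check would
    hand it to anyone who knows the name. The cached identity is still what the
    returned User is built from, so repeat callers keep the same certificate.
    Args:
        hf_client: Network HF Client object
        org_name: Organization's name
        user_name: Username to enroll
        user_password: User's password
    Returns:
        Enrolled User object
    Raises:
        Whatever ``ca_service(...).enroll`` raises when the CA rejects the
        credentials (ValueError in fabric-sdk-py — confirm against the
        installed SDK before catching a specific type).
    """
    # Create/Open a wallet on a temp path including the org name
    # Org name must be included, otherwise usernames must be unique
    # over all orgs
    wallet_path = os.path.join(os.getcwd(), 'tmp', 'hfc-kvs', org_name)
    cred_wallet = wallet.FileSystenWallet(path=wallet_path)  # [sic]

    # Extract CA info
    network_info = hf_client.get_net_info()
    org_info = network_info['organizations'][org_name]
    ca_name = org_info['certificateAuthorities'][0]
    ca_info = network_info['certificateAuthorities'][ca_name]

    # Validate the credentials with the CA on every call; a rejected
    # enrollment propagates before any wallet entry is read or written.
    casvc = ca_service(target=ca_info['url'])
    user_enrollment = casvc.enroll(user_name,
                                   user_password,
                                   attr_reqs=[{
                                       'name': 'id',
                                       'optional': True
                                   }])

    # First enrollment: store credentials in the file kvs wallet (./tmp/hfc-kvs).
    # An existing identity is left untouched so the user's certificate stays stable.
    if not cred_wallet.exists(user_name):
        user_identity = wallet.Identity(user_name, user_enrollment)
        user_identity.CreateIdentity(cred_wallet)

    return cred_wallet.create_user(user_name, org_name, org_info['mspid'])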
コード例 #7
def revokeFabricUserAndGenerateCRL():
    """Revoke the org's 'user' identity at the Fabric CA and return the generated CRL.

    Reads the module-level ``org`` mapping for the CA endpoint, its TLS cert
    file and the admin credentials; the CA port is selected by the ENV
    environment variable (default ``external``). The list of revoked
    certificates the CA returns alongside the CRL is discarded.
    """
    username = org['users']['user']['name']
    ca_conf = org['ca']
    port = ca_conf['port'][os.environ.get('ENV', 'external')]
    cacli = ca_service(target=f"https://{ca_conf['host']}:{port}",
                       ca_certs_path=ca_conf['certfile']['external'],
                       ca_name=ca_conf['name'])

    admin_user = org['users']['admin']
    enrolled_admin = cacli.enroll(admin_user['name'], admin_user['pass'])

    # revoke() returns (revoked certificates, CRL); only the CRL is needed here.
    _revoked_certs, crl = enrolled_admin.revoke(username, gencrl=True)
    return crl
コード例 #8
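    def __init__(self, ca_addr="localhost:7054",
                ADMIN_ID="admin", ADMIN_SECRET="adminpw"):
        """Bind to a Fabric CA server, enroll the admin and prepare the identity/wallet helpers.

        Args:
            ca_addr: CA server address used when neither the module-level
                ``cli`` nor the ``CA_ADDR`` environment variable supplies one.
            ADMIN_ID: admin enrollment ID.
            ADMIN_SECRET: admin enrollment secret. The defaults are the
                well-known Fabric CA sample values; deployments should pass
                their own rather than rely on them.
        """
        if cli.CAs():
            # Reuse the CA server(s) already registered on the client object.
            self._ca_server = cli._CAs
        else:
            # Otherwise build a CA client from the container address, preferring
            # a non-empty CA_ADDR environment variable over the argument.
            env_ca_addr = os.getenv("CA_ADDR")
            self._ca_server = ca_service(env_ca_addr if env_ca_addr else ca_addr)

        # Enroll the admin to obtain the identity used for registering/managing users.
        # The supplied credentials are used unconditionally: a falsy _ca_server
        # cannot satisfy .enroll anyway, so no separate literal-credential
        # fallback exists.
        self._admin_enroll_x509 = self._ca_server.enroll(ADMIN_ID, ADMIN_SECRET)

        # User-check service: talks to the CA with the admin's token; returns the raw JSON response.
        self._identity_service = self._ca_server.newIdentityService()

        # Key-value store (./tmp/hfc-kvs) holding user information.
        self._key_value_userinfo = wallet.FileSystemWallet()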
コード例 #9
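 def __enter__(self):
     """Write the CA PEM to a temp file, choose the crypto backend and open the CA service clients.

     Uses the PKCS#11 backend when ``self.hsm`` is set, otherwise the software
     ``ecies`` backend, and addresses the TLS CA name instead of the enrollment
     CA name when ``self.tls`` is set. Returns self.
     """
     fd, pem_path = tempfile.mkstemp()
     # fdopen closes the descriptor even if decoding/writing raises and does
     # not rely on a single os.write() covering the whole buffer.
     with os.fdopen(fd, 'wb') as pem_file:
         pem_file.write(base64.b64decode(self.certificate_authority.pem))
     self.pem_path = pem_path

     if self.hsm:
         self.crypto = PKCS11Crypto(self.hsm['pkcs11library'], self.hsm['label'], self.hsm['pin'])
     else:
         self.crypto = ecies()

     ca_name = self.certificate_authority.ca_name
     if self.tls:
         ca_name = self.certificate_authority.tlsca_name
     # NOTE(review): the second positional argument is False, not self.pem_path.
     # If that parameter is the CA cert bundle (the sibling __enter__ in this
     # file passes pem_path there), False disables TLS server verification
     # towards the CA and the PEM written above goes unused — confirm intent.
     self.ca_service = ca_service(self.certificate_authority.api_url, False, ca_name=ca_name, crypto=self.crypto)
     self.identity_service = self.ca_service.newIdentityService()
     self.certificate_service = self.ca_service.newCertificateService()
     return self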
コード例 #10
ファイル: setup_utils.py プロジェクト: almoisson/hlf-k8s
def enrollCABootstrapAdmin(org):
    """Wait for the org's CA to come up, then enroll its bootstrap admin and return the enrollment.

    Args:
        org: org config mapping; only ``org['ca']`` is read (name, host,
            internal port, logfile, internal certfile and the
            bootstrap_admin credentials).
    """
    ca_conf = org['ca']
    waitPort(f"{ca_conf['name']} to start", 90, ca_conf['logfile'],
             ca_conf['host'], ca_conf['port']['internal'])
    print(f"Enrolling with {ca_conf['name']} as bootstrap identity ...",
          flush=True)

    # Uses the 'internal' host/port and cert entries of the CA config.
    cacli = ca_service(
        target=f"https://{ca_conf['host']}:{ca_conf['port']['internal']}",
        ca_certs_path=ca_conf['certfile']['internal'],
        ca_name=ca_conf['name'])
    bootstrap_admin = ca_conf['users']['bootstrap_admin']
    return cacli.enroll(bootstrap_admin['name'], bootstrap_admin['pass'])
コード例 #11
ファイル: setup_utils.py プロジェクト: almoisson/hlf-k8s
def genTLSCert(node, org, cert_file, key_file, ca_file):
    """Issue a TLS certificate for *node* through the org's Fabric CA and write cert, key and CA cert.

    A fresh RSA-2048 key is generated locally, a CSR carrying the org's
    subject attributes with the node host as CN and DNS SAN is signed with
    it, and the CSR is submitted under the 'tls' profile using the node's
    enrollment credentials. The private key is written as unencrypted
    PKCS#8 PEM; file permissions are whatever ``writeFile`` applies.
    """
    backend = default_backend()
    node_key = rsa.generate_private_key(public_exponent=65537,
                                        key_size=2048,
                                        backend=backend)

    subject = org['csr']['names'][0]
    host = node['host']
    subject_name = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, subject['C']),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, subject['ST']),
        x509.NameAttribute(NameOID.LOCALITY_NAME, subject['L']),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, subject['O']),
        x509.NameAttribute(NameOID.COMMON_NAME, host),
    ])
    # The SAN lists the host names this certificate is meant to serve.
    san = x509.SubjectAlternativeName([x509.DNSName(host)])
    csr_builder = x509.CertificateSigningRequestBuilder()
    csr_builder = csr_builder.subject_name(subject_name)
    csr_builder = csr_builder.add_extension(san, critical=False)
    csr = csr_builder.sign(node_key, hashes.SHA256(), backend)

    ca_conf = org['ca']
    cacli = ca_service(
        target=f"https://{ca_conf['host']}:{ca_conf['port']['internal']}",
        ca_certs_path=ca_conf['certfile']['internal'],
        ca_name=ca_conf['name'])
    enrollment = cacli.enroll(node['name'],
                              node['pass'],
                              csr=csr,
                              profile='tls')

    # Signed certificate (read from a private attribute of the SDK enrollment object).
    writeFile(cert_file, enrollment._cert)

    # Private key, PKCS#8 PEM without a passphrase.
    writeFile(key_file, node_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption()))

    # Issuing CA certificate.
    writeFile(ca_file, enrollment._caCert)
コード例 #12
ファイル: setup_utils.py プロジェクト: almoisson/hlf-k8s
def enrollWithFiles(user,
                    org,
                    msp_dir,
                    csr=None,
                    profile='',
                    attr_reqs=None,
                    admincerts=False):
    """Enroll *user* with the org's CA and save the resulting MSP under *msp_dir*.

    Args:
        user: mapping with 'name' and 'pass' (enrollment ID and secret).
        org: org config; ``org['ca']`` supplies host, internal port,
            internal cert file and CA name.
        msp_dir: directory handed to ``saveMSP``.
        csr: optional CSR passed through to ``enroll``.
        profile: CA signing profile name passed through to ``enroll``.
        attr_reqs: optional attribute requests passed through to ``enroll``.
        admincerts: forwarded to ``saveMSP``.
    Returns:
        The SDK enrollment object.
    """
    ca_conf = org['ca']
    cacli = ca_service(
        target=f"https://{ca_conf['host']}:{ca_conf['port']['internal']}",
        ca_certs_path=ca_conf['certfile']['internal'],
        ca_name=ca_conf['name'])
    enrollment = cacli.enroll(user['name'], user['pass'],
                              csr=csr, profile=profile, attr_reqs=attr_reqs)

    saveMSP(msp_dir, enrollment, admincerts=admincerts)
    return enrollment
コード例 #13
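async def register_user(org_name: str,
                        request: constants.RegisterUserRequest) -> 'str | None':
    """
    Registers a user to the Org's Fabric CA Server
    Args:
        org_name: Organization's name
        request: RegisterUserRequest object containing
            registration information (user name/password, admin
            credentials, role, affiliation, attrs)
    Returns:
        Pre-generated user secret, or None when an identity for
        ``request.user_name`` already exists in the org's wallet (the
        CA is not contacted in that case).
    """
    # Create/Open a wallet on a temp path including the org name
    # Org name must be included, otherwise usernames must be unique
    # over all orgs
    wallet_path = os.path.join(os.getcwd(), 'tmp', 'hfc-kvs', org_name)
    cred_wallet = wallet.FileSystenWallet(path=wallet_path)  # [sic]

    # Setup a HF network client
    hf_client = Client(net_profile=constants.config_path)
    hf_client.new_channel(constants.channel_name)

    # Extract CA info
    network_info = hf_client.get_net_info()
    org_info = network_info['organizations'][org_name]
    ca_name = org_info['certificateAuthorities'][0]
    ca_info = network_info['certificateAuthorities'][ca_name]

    # An identity already in the wallet means the user was enrolled before;
    # nothing is registered and the caller gets None, not a secret.
    if cred_wallet.exists(request.user_name):
        return None

    # The admin credentials arrive in the request body; a rejected admin
    # enrollment is expected to raise here, which is the only authorization
    # check on this path (confirm the SDK's failure behaviour).
    casvc = ca_service(target=ca_info['url'])
    admin_enrollment = casvc.enroll(request.admin_user_name,
                                    request.admin_password)

    secret = admin_enrollment.register(enrollmentID=request.user_name,
                                       enrollmentSecret=request.user_password,
                                       role=request.role,
                                       affiliation=request.affiliation,
                                       attrs=[dict(x) for x in request.attrs])

    return secret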
コード例 #14
from substrabac.settings.common import PROJECT_ROOT

# Resolve the network profile relative to this script's location, not the CWD.
dir_path = os.path.dirname(os.path.realpath(__file__))

cli = Client(net_profile=os.path.join(dir_path, '../network.json'))
admin_owkin = cli.get_user('owkin', 'admin')

cli.new_channel('mychannel')

loop = asyncio.get_event_loop()

from hfc.fabric_ca.caservice import ca_service

# CA client for the owkin org; the org's CA certificate on disk is the TLS trust anchor.
cacli = ca_service(target="https://rca-owkin:7054",
                   ca_certs_path='/substra/data/orgs/owkin/ca-cert.pem',
                   ca_name='rca-owkin')

print('Will try to enroll admin')
# NOTE(review): the admin enrollment secret is a literal in source, and a failed
# enrollment is only printed — execution continues past the except clauses with
# no `admin` bound; only the `else` branch depends on success.
try:
    admin = cacli.enroll('admin-owkin', 'admin-owkinpw')
except ValueError as e:
    print(e)
except Exception as e:
    print(e)
else:
    print('Admin enrolled')

    # Point the Fabric peer config and MSP lookup at the owkin peer1 config and user MSP.
    os.environ['FABRIC_CFG_PATH'] = '/substra/conf/owkin/peer1'
    os.environ['CORE_PEER_MSPCONFIGPATH'] = '/substra/data/orgs/owkin/user/msp'
コード例 #15
def get_submitter():
    """Return a User enrolled with the default CA using the module-level credentials.

    The user is built with the DEFAULT MSP over the ``ecies`` crypto suite and
    enrolls itself through ``User.enroll``.
    """
    submitter = User(USER_ID, USER_PASSWD,
                     ca=ca_service(),
                     msp_impl=msp('DEFAULT', ecies()))
    submitter.enroll()
    return submitter