CCF/tests/membership.py

351 строка
13 KiB
Python

# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the Apache 2.0 License.
import http
import infra.e2e_args
import infra.network
import infra.consortium
import random
from infra.runner import ConcurrentRunner
import memberclient
import suite.test_requirements as reqs
from loguru import logger as LOG
@reqs.description("Add and activate a new member to the consortium")
def test_add_member(network, args, recovery_member=True):
primary, _ = network.find_primary()
member_data = {
"example": "of",
"structured": ["and", {"nested": "arbitrary data"}],
}
new_member = network.consortium.generate_and_add_new_member(
primary,
curve=infra.network.EllipticCurve(args.participants_curve).next(),
member_data=member_data,
recovery_member=recovery_member,
)
r = new_member.ack(primary)
with primary.client() as nc:
nc.wait_for_commit(r)
return network
@reqs.description("Retire existing member")
def test_remove_member_no_reqs(
network, args, member_to_remove=None, recovery_member=True
):
primary, _ = network.find_primary()
if member_to_remove is None:
member_to_remove = network.consortium.get_any_active_member(recovery_member)
network.consortium.remove_member(primary, member_to_remove)
# Check that remove member cannot be authenticated by the service
try:
member_to_remove.ack(primary)
except infra.member.UnauthenticatedMember:
pass
else:
assert False, "Member should have been removed"
return network
# Called by test suite. membership test deliberately attempts to remove recovery member.
@reqs.sufficient_recovery_member_count()
def test_remove_member(network, args, member_to_remove=None, recovery_member=True):
return test_remove_member_no_reqs(network, args, member_to_remove, recovery_member)
@reqs.description("Issue new recovery shares (without re-key)")
def test_update_recovery_shares(network, args):
primary, _ = network.find_primary()
network.consortium.trigger_recovery_shares_refresh(primary)
return network
@reqs.description("Set recovery threshold")
def test_set_recovery_threshold(network, args, recovery_threshold=None):
if recovery_threshold is None:
# If the recovery threshold is not specified, a new threshold is
# randomly selected based on the number of active recovery members.
# The new recovery threshold is guaranteed to be different from the
# previous one.
list_recovery_threshold = list(
range(1, len(network.consortium.get_active_recovery_members()) + 1)
)
list_recovery_threshold.remove(network.consortium.recovery_threshold)
recovery_threshold = random.choice(list_recovery_threshold)
primary, _ = network.find_primary()
network.consortium.set_recovery_threshold(primary, recovery_threshold)
return network
def assert_recovery_shares_update(are_shared_updated, func, network, args, **kwargs):
primary, _ = network.find_primary()
saved_recovery_shares = {}
for m in network.consortium.get_active_recovery_members():
saved_recovery_shares[m] = m.get_and_decrypt_recovery_share(primary)
if func is test_remove_member:
recovery_member = kwargs.pop("recovery_member")
member_to_remove = network.consortium.get_any_active_member(
recovery_member=recovery_member
)
if recovery_member:
saved_recovery_shares.pop(member_to_remove)
func(network, args, member_to_remove)
elif func is test_set_recovery_threshold and "recovery_threshold" in kwargs:
func(network, args, recovery_threshold=kwargs["recovery_threshold"])
else:
func(network, args, **kwargs)
for m, share_before in saved_recovery_shares.items():
if are_shared_updated:
assert share_before != m.get_and_decrypt_recovery_share(primary)
else:
assert share_before == m.get_and_decrypt_recovery_share(primary)
def service_startups(args):
LOG.info("Starting service with insufficient number of recovery members")
args.initial_member_count = 2
args.initial_recovery_member_count = 0
args.initial_operator_count = 1
with infra.network.network(args.nodes, args.binary_dir, pdb=args.pdb) as network:
try:
network.start_and_join(args)
assert False, "Service cannot be opened with no recovery members"
except AssertionError:
primary, _ = network.find_primary()
network.consortium.check_for_service(
primary, infra.network.ServiceStatus.OPENING
)
LOG.success(
"Service could not be opened with insufficient number of recovery mmebers"
)
LOG.info(
"Starting service with a recovery operator member, a non-recovery operator member and a non-recovery non-operator member"
)
args.initial_member_count = 3
args.initial_recovery_member_count = 1
args.initial_operator_count = 2
with infra.network.network(args.nodes, args.binary_dir, pdb=args.pdb) as network:
network.start_and_join(args)
LOG.info(
"Starting service with a recovery operator member, a recovery non-operator member and a non-recovery non-operator member"
)
args.initial_member_count = 3
args.initial_recovery_member_count = 2
args.initial_operator_count = 1
with infra.network.network(args.nodes, args.binary_dir, pdb=args.pdb) as network:
network.start_and_join(args)
def recovery_shares_scenario(args):
# Members 0 and 1 are recovery members, member 2 isn't
args.initial_member_count = 3
args.initial_recovery_member_count = 2
non_recovery_member_id = "member2"
# Recovery threshold is initially set to number of recovery members (2)
with infra.network.network(
args.nodes, args.binary_dir, args.debug_nodes, args.perf_nodes, pdb=args.pdb
) as network:
network.start_and_join(args)
# Membership changes trigger re-sharing and re-keying and are
# only supported with CFT
if args.consensus != "CFT":
LOG.warning("Skipping test recovery threshold as consensus is not CFT")
return
LOG.info("Update recovery shares")
assert_recovery_shares_update(True, test_update_recovery_shares, network, args)
LOG.info("Non-recovery member does not have a recovery share")
primary, _ = network.find_primary()
with primary.client(non_recovery_member_id) as mc:
r = mc.get("/gov/recovery_share")
assert r.status_code == http.HTTPStatus.NOT_FOUND.value
assert (
f"Recovery share not found for member {network.consortium.get_member_by_local_id(non_recovery_member_id).service_id}"
in r.body.json()["error"]["message"]
)
# Removing a recovery number is not possible as the number of recovery
# members would be under recovery threshold (2)
LOG.info("Removing a recovery member should not be possible")
try:
test_remove_member_no_reqs(network, args, recovery_member=True)
assert False, "Removing a recovery member should not be possible"
except infra.proposal.ProposalNotAccepted as e:
# This is an apply() time failure, so the proposal remains Open
# since the last vote is effectively discarded
assert e.proposal.state == infra.proposal.ProposalState.OPEN
# However, removing a non-recovery member is allowed
LOG.info("Removing a non-recovery member is still possible")
member_to_remove = network.consortium.get_member_by_local_id(
non_recovery_member_id
)
test_remove_member(network, args, member_to_remove=member_to_remove)
LOG.info("Removing an already-removed member succeeds with no effect")
test_remove_member(network, args, member_to_remove=member_to_remove)
LOG.info("Adding one non-recovery member")
assert_recovery_shares_update(
False, test_add_member, network, args, recovery_member=False
)
LOG.info("Adding one recovery member")
assert_recovery_shares_update(
True, test_add_member, network, args, recovery_member=True
)
LOG.info("Removing one non-recovery member")
assert_recovery_shares_update(
False, test_remove_member, network, args, recovery_member=False
)
LOG.info("Removing one recovery member")
assert_recovery_shares_update(
True, test_remove_member, network, args, recovery_member=True
)
LOG.info("Reduce recovery threshold")
assert_recovery_shares_update(
True,
test_set_recovery_threshold,
network,
args,
recovery_threshold=network.consortium.recovery_threshold - 1,
)
# Removing a recovery member now succeeds
LOG.info("Removing one recovery member")
assert_recovery_shares_update(
True, test_remove_member, network, args, recovery_member=True
)
LOG.info("Set recovery threshold to 0 is impossible")
exception = infra.proposal.ProposalNotCreated
try:
test_set_recovery_threshold(network, args, recovery_threshold=0)
assert False, "Setting recovery threshold to 0 should not be possible"
except exception as e:
assert (
e.response.status_code == 400
and e.response.body.json()["error"]["code"]
== "ProposalFailedToValidate"
), e.response.body.text()
LOG.info(
"Set recovery threshold to more that number of active recovery members is impossible"
)
try:
test_set_recovery_threshold(
network,
args,
recovery_threshold=len(network.consortium.get_active_recovery_members())
+ 1,
)
assert (
False
), "Setting recovery threshold to more than number of active recovery members should not be possible"
except infra.proposal.ProposalNotAccepted as e:
# This is an apply() time failure, so the proposal remains Open
# since the last vote is effectively discarded
assert e.proposal.state == infra.proposal.ProposalState.OPEN
try:
test_set_recovery_threshold(network, args, recovery_threshold=256)
assert False, "Recovery threshold cannot be set to > 255"
except exception as e:
assert (
e.response.status_code == 400
and e.response.body.json()["error"]["code"]
== "ProposalFailedToValidate"
), e.response.body.text()
try:
network.consortium.set_recovery_threshold(primary, recovery_threshold=None)
assert False, "Recovery threshold value must be passed as proposal argument"
except exception as e:
assert (
e.response.status_code == 400
and e.response.body.json()["error"]["code"]
== "ProposalFailedToValidate"
), e.response.body.text()
LOG.info(
"Setting recovery threshold to current threshold does not update shares"
)
assert_recovery_shares_update(
False,
test_set_recovery_threshold,
network,
args,
recovery_threshold=network.consortium.recovery_threshold,
)
@reqs.description("Send an unsigned request where signature is required")
def test_missing_signature_header(network, args):
node = network.find_node_by_role()
member = network.consortium.get_any_active_member()
with node.client(member.local_id) as mc:
r = mc.post("/gov/proposals")
assert r.status_code == http.HTTPStatus.UNAUTHORIZED, r.status_code
www_auth = "www-authenticate"
assert www_auth in r.headers, r.headers
auth_header = r.headers[www_auth]
assert auth_header.startswith("Signature"), auth_header
elements = {
e[0].strip(): e[1]
for e in (element.split("=") for element in auth_header.split(","))
}
assert "headers" in elements, elements
required_headers = elements["headers"]
assert required_headers.startswith('"'), required_headers
assert required_headers.endswith('"'), required_headers
assert "(request-target)" in required_headers, required_headers
assert "digest" in required_headers, required_headers
return network
def run(args):
service_startups(args)
recovery_shares_scenario(args)
if __name__ == "__main__":
cr = ConcurrentRunner()
cr.add(
"membership",
run,
package="samples/apps/logging/liblogging",
nodes=infra.e2e_args.max_nodes(cr.args, f=0),
initial_user_count=0,
)
cr.add(
"member_client",
memberclient.run,
package="samples/apps/logging/liblogging",
nodes=infra.e2e_args.max_nodes(cr.args, f=1),
)
cr.run()