[FAB-8123] Error out if --cacount is set for int CA

Currently, starting an intemediate CA server with --cacount
fails with this error:

"CN 'fabric-ca-server-ca1' cannot be specified for an intermediate CA"

This is because, server creates number of CAs specified by cacount,
with each CA's CN set to 'fabric-ca-server-ca<num>'. But server also
prohibits specifying CN for intermediate CAs. These two functions
conflict with each other. Moreover, --cacount is only recommended for
development/testing purpose. Instead, --cafiles is recommended for production
environment, which requires the user to provide config file for each
CA hosted on the server. For this reason, we will return an error if --cacount
is specified when Fabric CA server is started as an intermediate CA server and
also document that --cacount option is not applicable to an intermediate CA server

Change-Id: Iea948d00ff82c16dd6af1f89da7e3b4f4fa7e69e
Signed-off-by: Anil Ambati <[email protected]>

cmd/fabric-ca-server/config.go

@@ -394,7 +394,9 @@ bccsp:
 # Automatically generate <number-of-CAs> non-default CAs.  The names of these
 # additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
 # This is particularly useful in a development environment to quickly set up
-# multiple CAs.
+# multiple CAs. Note that, this config option is not applicable to intermediate CA server
+# i.e., Fabric CA server that is started with intermediate.parentserver.url config
+# option (-u command line option)
 #
 # 2) --cafiles <CA-config-files>
 # For each CA config file in the list, generate a separate signing CA.  Each CA

docs/source/serverconfig.rst

@@ -367,7 +367,9 @@ Fabric-CA Server's Configuration File
     # Automatically generate <number-of-CAs> non-default CAs.  The names of these
     # additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
     # This is particularly useful in a development environment to quickly set up
-    # multiple CAs.
+    # multiple CAs. Note that, this config option is not applicable to intermediate CA server
+    # i.e., Fabric CA server that is started with intermediate.parentserver.url config
+    # option (-u command line option)
     #
     # 2) --cafiles <CA-config-files>
     # For each CA config file in the list, generate a separate signing CA.  Each CA

lib/server.go

@@ -254,6 +254,9 @@ func (s *Server) initMultiCAConfig() (err error) {
 	if cfg.CAcount != 0 && len(cfg.CAfiles) > 0 {
 		return errors.New("The --cacount and --cafiles options are mutually exclusive")
 	}
+	if cfg.CAcfg.Intermediate.ParentServer.URL != "" && cfg.CAcount > 0 {
+		return errors.New("The --cacount option is not permissible for an intermediate server; use the --cafiles option instead")
+	}
 	cfg.CAfiles, err = util.NormalizeFileList(cfg.CAfiles, s.HomeDir)
 	if err != nil {
 		return err

lib/server_test.go

@@ -1258,9 +1258,20 @@ func TestSRVMultiCAWithIntermediate(t *testing.T) {
 	}
 
 	intermediatesrv := TestGetServer(intermediatePort, testdataDir, "", -1, t)
-	intermediatesrv.Config.CAfiles = []string{"ca/intermediateca/ca1/fabric-ca-server-config.yaml", "ca/intermediateca/ca2/fabric-ca-server-config.yaml"}
+	intermediatesrv.Config.CAcount = 2
+	intermediatesrv.Config.CAcfg.Intermediate.ParentServer.URL = fmt.Sprintf("http://adminca1:adminca1pw@localhost:%d", rootPort)
 	intermediatesrv.CA.Config.CSR.Hosts = []string{"hostname"}
 
+	err = intermediatesrv.Start()
+	assert.Error(t, err, "Error is expected if cacount is greater than 0 for intermediate CA")
+
+	intermediatesrv.Config.CAfiles = []string{"ca/intermediateca/ca1/fabric-ca-server-config.yaml", "ca/intermediateca/ca2/fabric-ca-server-config.yaml"}
+	err = intermediatesrv.Start()
+	assert.Error(t, err, "Error is expected if both cacount and cafiles are specified")
+
+	intermediatesrv.Config.CAcount = 0
+	intermediatesrv.Config.CAcfg.Intermediate.ParentServer.URL = ""
+
 	// Start it
 	err = intermediatesrv.Start()
 	if err != nil {

scripts/fvt/cluster_test.sh

@@ -1,4 +1,9 @@
 #!/bin/bash
+#
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
 
 : ${TESTCASE="ca_cluster"}
 FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
@@ -199,9 +204,12 @@ for DRIVER in mysql postgres; do
    echo -e "   >>>>>>>>>>  Initializing Root CAs"
    $SCRIPTDIR/fabric-ca_setup.sh -x $ROOTDIR -I -n 1 -u $NUMCAS \
                                  -n $NUMSERVER -D -d $DRIVER > $ROOTDIR/log.txt 2>&1
+
    echo -e "   >>>>>>>>>>  Initializing Intermediate CAs"
-   DBNAME=$INTDBNAME $SCRIPTDIR/fabric-ca_setup.sh -D -d $DRIVER -u $NUMCAS -I -r $INTERMEDIATE_CA_DEFAULT_PORT -x $INTDIR \
-        -U "${PROTO}$INTUSER:$INTPSWD@$ROOT_CA_ADDR:$CA_DEFAULT_PORT" > $INTDIR/log.txt 2>&1
+
+   # Copy root CA config file to int CA home and change the database name
+   cp "$ROOTDIR/$DEFAULT_RUN_CONFIG_FILE_NAME" "$INTDIR/$DEFAULT_RUN_CONFIG_FILE_NAME"
+   sed -i "/datasource:/ s/datasource:\(.*\)fabric_ca\(.*\)/datasource:\1intfabric_ca\2/" "$INTDIR/$DEFAULT_RUN_CONFIG_FILE_NAME"
 
    ##################################################################
    ## Customize enrollment for each CA
@@ -213,6 +221,11 @@ for DRIVER in mysql postgres; do
    intermediateDBconfig=""
    # append the customized DB config to each CA's config file
    while test $((ca++)) -lt $NUMCAS; do
+      # Copy CA config files of root CA server to int CA home and change the database name
+      mkdir -p "$INTDIR/ca/ca$ca" || true
+      cp "$ROOTDIR/ca/ca$ca/fabric-ca-config.yaml" "$INTDIR/ca/ca$ca/fabric-ca-config.yaml"
+      sed -i "/datasource:/ s/datasource:\(.*\)fabric_ca_ca$ca\(.*\)/datasource:\1intfabric_ca_ca$ca\2/" "$INTDIR/ca/ca$ca/fabric-ca-config.yaml"
+
       # build the list of cafiles to be passed to server start
       rootCafiles="$rootCafiles,$ROOTDIR/ca/ca$ca/${DEFAULT_CA_CONFIG}"
       intermediateCafiles="$intermediateCafiles,$INTDIR/ca/ca$ca/${DEFAULT_CA_CONFIG}"
@@ -253,10 +266,11 @@ EOF
                                  -- "--cafiles" "$rootCafiles" >> $ROOTDIR/log.txt 2>&1 ||
                                  ErrorExit "Failed to start root servers"
    echo -e "   >>>>>>>>>>  Starting $NUMSERVER Intermediate CA instances with $NUMCAS servers each"
+
    $SCRIPTDIR/fabric-ca_setup.sh -n $NUMSERVER -S -r $INTERMEDIATE_CA_DEFAULT_PORT -x $INTDIR \
                                  -U "https://$INTUSER:$INTPSWD@$ROOT_CA_ADDR:$PROXY_PORT" \
                                  --  "--cafiles" "$intermediateCafiles" >> $INTDIR/log.txt 2>&1 ||
-                                 ErrorExit "Failed to intermediate servers"
+                                 ErrorExit "Failed to start intermediate servers"
 
    #########################################################
    # The bulk of the work comes here  --
@@ -415,4 +429,4 @@ echo -e "   >>>>>>>>>>  Deleting all databases"
 $SCRIPTDIR/fabric-ca_setup.sh -x $ROOTDIR -R -u $NUMCAS
 DBNAME=$INTDBNAME $SCRIPTDIR/fabric-ca_setup.sh -x $ROOTDIR -R -u $NUMCAS
 CleanUp $RC
-exit $RC
+exit $RC

scripts/fvt/fabric-ca_setup.sh

@@ -418,7 +418,7 @@ DST_KEY="fabric-ca-key.pem"
 DST_CERT="fabric-ca-cert.pem"
 test -n "$SRC_CERT" && cp "$SRC_CERT" $DATADIR/$DST_CERT
 test -n "$SRC_KEY" && cp "$SRC_KEY" $DATADIR/$DST_KEY
-RUNCONFIG="$DATADIR/runFabricCaFvt.yaml"
+RUNCONFIG="$DATADIR/$DEFAULT_RUN_CONFIG_FILE_NAME"
 
 case $DRIVER in
    postgres) DATASRC="dbname=$DBNAME host=127.0.0.1 port=$POSTGRES_PORT user=postgres password=postgres sslmode=$sslmode" ;;

scripts/fvt/fabric-ca_utils

@@ -40,6 +40,7 @@ export LDAPHOST="-h localhost"
 export LDAPAUTH="-D "cn=$LDAPUSER,dc=example,dc=com" -w $LDAPPASWD"
 export LDAPBASE="-b "dc=example,dc=com""
 export LDAPUSERBASE="-b ou=users,ou=fabric,dc=hyperledeger,dc=example,dc=com"
+export DEFAULT_RUN_CONFIG_FILE_NAME="runFabricCaFvt.yaml"
 
 DATE='date +%Y-%m-%d'
 TIME='date +%I:%M:%S%p'