100% coverage

onelapahead · onelapahead · commit 338b5f3c6b9e · 2025-03-02T09:23:27.000-05:00
Signed-off-by: hfuss &lt;hayden.fuss@kaleido.io&gt;
diff --git a/internal/dataexchange/ffdx/ffdx.go b/internal/dataexchange/ffdx/ffdx.go
@@ -466,9 +466,15 @@ func (h *FFDX) TransferBlob(ctx context.Context, nsOpID string, peer, sender fft
 }
 
 func (h *FFDX) CheckNodeIdentityStatus(ctx context.Context, dxPeer fftypes.JSONObject, node *core.Identity) error {
-	if err := h.checkInitialized(h.ctx); err != nil {
+	if err := h.checkInitialized(ctx); err != nil {
 		return err
 	}
+	var mismatchState = metrics.NodeIdentityDXCertMismatchStatusUnknown
+	defer func() {
+		if h.metrics != nil && h.metrics.IsMetricsEnabled() {
+			h.metrics.NodeIdentityDXCertMismatch(node.Namespace, mismatchState)
+		}
+	}()
 
 	if dxPeer.GetString("cert") == "" {
 		log.L(ctx).Warnf("DX peer does not have a 'cert', DX plugin may be unsupported")
@@ -479,20 +485,15 @@ func (h *FFDX) CheckNodeIdentityStatus(ctx context.Context, dxPeer fftypes.JSONO
 		return i18n.NewError(ctx, coremsgs.MsgDXInfoMissingID) // TODO
 	}
 
-	var mismatchState = metrics.NodeIdentityDXCertMismatchStatusUnknown
-	defer func() {
-		if h.metrics != nil && h.metrics.IsMetricsEnabled() {
-			h.metrics.NodeIdentityDXCertMismatch(node.Namespace, mismatchState)
-		}
-	}()
-
 	mismatchState = metrics.NodeIdentityDXCertMismatchStatusHealthy
 	if dxPeer.GetString("cert") != node.Profile.GetString("cert") {
 		mismatchState = metrics.NodeIdentityDXCertMismatchStatusMismatched
 	}
 
 	if h.metrics != nil && h.metrics.IsMetricsEnabled() {
-		expiry, err := extractSoonestExpiryFromCertBundle(dxPeer.GetString("cert"))
+		h.metrics.NodeIdentityDXCertMismatch(node.Namespace, mismatchState)
+
+		expiry, err := extractSoonestExpiryFromCertBundle(strings.ReplaceAll(dxPeer.GetString("cert"), `\n`, "\n"))
 		if err == nil {
 			if expiry.Before(time.Now()) {
 				log.L(ctx).Warnf("Certificate for node '%s' has expired", node.Name)
diff --git a/internal/dataexchange/ffdx/ffdx_test.go b/internal/dataexchange/ffdx/ffdx_test.go
@@ -22,10 +22,13 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/hyperledger/firefly/internal/metrics"
 	"io/ioutil"
 	"net/http"
 	"net/url"
+	"strings"
 	"testing"
+	"time"
 
 	"github.com/hyperledger/firefly/mocks/metricsmocks"
 
@@ -49,6 +52,8 @@ import (
 var utConfig = config.RootSection("ffdx_unit_tests")
 
 const (
+	// NOTE: the CA cert expires on Monday, February 28, 2035 7:30:57 PM,
+	//       and the leaf cert expires on Monday, February 28, 2028 7:30:57 PM
 	testCertBundle = `
 -----BEGIN CERTIFICATE-----
 MIIDqTCCApGgAwIBAgIUbZT+Ds4f2oDmGpgVi+SaQq9gxvcwDQYJKoZIhvcNAQEL
@@ -94,6 +99,30 @@ rNTfiFZbc7eHmFRTkKXWW4j6b6ElygrBvV999BhCRNf6NS0/syjqsbALHkFGeIcl
 R0gnXX/IZFnLhLh6UpLOBB0KIGENh75EEU7755jMKDKFj16D0uA1Lzrh5YxicTMy
 ydFYQLpLycsWl2oV3JB4pO5TIzjY9awkRE0MeMMc
 -----END CERTIFICATE-----
+`
+	testExpiredCert = `
+-----BEGIN CERTIFICATE-----
+MIIDqjCCApKgAwIBAgIUWnobAQ4vq8gWBAXZBf7XZG3oSicwDQYJKoZIhvcNAQEL
+BQAwZDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
+DVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCkV4YW1wbGUgQ0ExEzARBgNVBAMMCmV4
+YW1wbGUtY2EwHhcNMjUwMzAyMTQxNDA1WhcNMjUwMzAyMTQxNDA1WjB2MQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j
+aXNjbzEcMBoGA1UECgwTSHlwZXJsZWRnZXIgRmlyZWZseTEcMBoGA1UEAwwTaHlw
+ZXJsZWRnZXItZmlyZWZseTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AKlbQ+7cWWS0+QPp03PrdxsnAAtG2tWOk2CEG7HS3AlBU82YImhCidKOw+jQPS68
+2f2d0tYBhugqB2Ki6HsfYMGTjHDLbUQ5y+cLk6PFbvhjm39Ayd+WGmhWht5qFtRN
+gllTa/SbG8+iGaSPIVFCyvg1IzxsFnBGn+05Gu+KjpL4i0l1RqDmy5ItxKGP77in
+RPEUkejiUozg/X3v2TWAGagIVF5+EQ2Cswot9W1faAvyu/QmSGLLfSH22GdEDHXa
+U4DV5ArJ2U2eNkOuasSWGKBopa/Wh1SZjKrNsy5Gw84ihAI4k7ARoP+vu1dIPdaX
+ElipmGMtUWu0Azn2l9QJZpMCAwEAAaNCMEAwHQYDVR0OBBYEFL798jEmX2+hw70t
+SmfJA78PZnnHMB8GA1UdIwQYMBaAFJfNoXmIn5S6W7Lcj5G/huW5q1YQMA0GCSqG
+SIb3DQEBCwUAA4IBAQA1dY8UCf1YSLG3Vu/u20ucw5q9tnYYoTi4fHm/g+imTvEQ
+KgTQBd5s9EHmj0BSjVFy9eSSTx5XiH6JqzGhCJRSbOIQ8RwrXpUlTuLr7gp0cO9c
+Ykxz6wt0k1F+9Iq+K8Eb6jzXoZe/ebMz611zUqY7+9lIl1AIIgx96MoZcDS/LA0e
+p/TUQ6q+Mg3W9pSXqLm8jmWNBfDViQF1v9Z3ASFYHUF/yak8jMdBEUpAqDadd/ay
+BHm9m8IvFevQjpUw6kyyg77ehEBBn7H/ISTL3HTCpUbkR3qUnFjOyBJ0G02XoozB
+I/hI0mpd6y+/JwyvG0smbD2lioiO/JQaUEZGU8pU
+-----END CERTIFICATE-----
 `
 )
 
@@ -1047,16 +1076,109 @@ BAYTAkFVMRMwEQYDVQQIDApxdWVlbnNsYW5kMREwDwYDVQQHDAhCcm9va2ZpZWxk
 
 	_, err := extractSoonestExpiryFromCertBundle(nonCertPEMBundle)
 	assert.ErrorContains(t, err, "failed to parse non-certificate within bundle")
+}
 
+func TestCheckNodeIdentityStatusReturnsErrorWhenNotInitialized(t *testing.T) {
+	h := &FFDX{initialized: false}
+	err := h.CheckNodeIdentityStatus(context.Background(), fftypes.JSONObject{}, &core.Identity{})
+	assert.Regexp(t, "FF10342", err)
 }
 
-//
-//matchingProfile := fftypes.JSONAnyPtr(fmt.Sprintf(`{"cert": "%s" }`, strings.ReplaceAll(testCertBundle, "\n", `\n`))).JSONObject()
-//
-//nm.identity.(*identitymanagermocks.Manager).On("GetLocalNode", ctx).Return(&core.Identity{
-//IdentityProfile: core.IdentityProfile{
-//Profile: matchingProfile,
-//},
-//}, nil)
-//
-//expiry := time.Unix(1835379057, 0).UTC()
+func TestCheckNodeIdentityStatusReturnsNilWhenCertIsEmpty(t *testing.T) {
+	mmm := metricsmocks.NewManager(t)
+
+	h := &FFDX{initialized: true, metrics: mmm}
+	dxPeer := fftypes.JSONObject{"cert": ""}
+	node := &core.Identity{
+		IdentityBase: core.IdentityBase{
+			Namespace: "ns1",
+		},
+	}
+
+	mmm.On("IsMetricsEnabled").Return(true)
+	mmm.On("NodeIdentityDXCertMismatch", "ns1", metrics.NodeIdentityDXCertMismatchStatusUnknown).Return(true)
+
+	err := h.CheckNodeIdentityStatus(context.Background(), dxPeer, node)
+	assert.NoError(t, err)
+}
+
+func TestCheckNodeIdentityStatusReturnsErrorWhenNodeProfileIsNil(t *testing.T) {
+	mmm := metricsmocks.NewManager(t)
+
+	h := &FFDX{initialized: true, metrics: mmm}
+	dxPeer := fftypes.JSONObject{"cert": "cert"}
+	node := &core.Identity{
+		IdentityBase: core.IdentityBase{
+			Namespace: "ns1",
+		},
+	}
+	mmm.On("IsMetricsEnabled").Return(false)
+
+	err := h.CheckNodeIdentityStatus(context.Background(), dxPeer, node)
+	assert.Error(t, err)
+	//assert.Equal(t, coremsgs.MsgDXInfoMissingID, err.(*i18n.Error).ID)
+}
+
+func TestCheckNodeIdentityStatusSetsMismatchStateWhenCertsDiffer(t *testing.T) {
+
+	mmm := &metricsmocks.Manager{}
+	h := &FFDX{initialized: true, metrics: mmm}
+	dxPeer := fftypes.JSONObject{"cert": "a-cert"}
+	node := &core.Identity{
+		IdentityBase: core.IdentityBase{
+			Namespace: "ns1",
+		},
+		IdentityProfile: core.IdentityProfile{
+			Profile: fftypes.JSONObject{"cert": "b-cert"},
+		},
+	}
+
+	mmm.On("IsMetricsEnabled").Return(true)
+	mmm.On("NodeIdentityDXCertMismatch", "ns1", metrics.NodeIdentityDXCertMismatchStatusMismatched).Return(true)
+	err := h.CheckNodeIdentityStatus(context.Background(), dxPeer, node)
+	assert.NoError(t, err)
+}
+
+func TestCheckNodeIdentityStatusSetsHealthyStateWhenCertsMatch(t *testing.T) {
+	mmm := metricsmocks.NewManager(t)
+	h := &FFDX{initialized: true, metrics: mmm}
+	dxPeer := fftypes.JSONObject{"cert": strings.ReplaceAll(testCertBundle, "\n", `\n`)}
+	node := &core.Identity{
+		IdentityBase: core.IdentityBase{
+			Namespace: "ns1",
+		},
+		IdentityProfile: core.IdentityProfile{
+			Profile: fftypes.JSONObject{"cert": strings.ReplaceAll(testCertBundle, "\n", `\n`)},
+		},
+	}
+
+	mmm.On("IsMetricsEnabled").Return(true)
+	mmm.On("NodeIdentityDXCertMismatch", "ns1", metrics.NodeIdentityDXCertMismatchStatusHealthy).Return(true)
+	expiry := time.Unix(1835379057, 0).UTC()
+	mmm.On("NodeIdentityDXCertExpiry", "ns1", expiry).Return(true)
+
+	err := h.CheckNodeIdentityStatus(context.Background(), dxPeer, node)
+	assert.NoError(t, err)
+}
+
+func TestCheckNodeIdentityStatusSetsHealthyStateWhenCertsExpire(t *testing.T) {
+	mmm := metricsmocks.NewManager(t)
+	h := &FFDX{initialized: true, metrics: mmm}
+	dxPeer := fftypes.JSONObject{"cert": strings.ReplaceAll(testExpiredCert, "\n", `\n`)}
+	node := &core.Identity{
+		IdentityBase: core.IdentityBase{
+			Namespace: "ns1",
+		},
+		IdentityProfile: core.IdentityProfile{
+			Profile: fftypes.JSONObject{"cert": strings.ReplaceAll(testExpiredCert, "\n", `\n`)},
+		},
+	}
+
+	mmm.On("IsMetricsEnabled").Return(true)
+	mmm.On("NodeIdentityDXCertMismatch", "ns1", metrics.NodeIdentityDXCertMismatchStatusHealthy).Return(true)
+	expiry := time.Unix(1740924845, 0).UTC()
+	mmm.On("NodeIdentityDXCertExpiry", "ns1", expiry).Return(true)
+
+	err := h.CheckNodeIdentityStatus(context.Background(), dxPeer, node)
+	assert.NoError(t, err)
+}
diff --git a/internal/networkmap/update_identity.go b/internal/networkmap/update_identity.go
@@ -31,6 +31,8 @@ func (nm *networkMap) UpdateIdentity(ctx context.Context, uuidStr string, dto *c
 		return nil, err
 	}
 	return nm.updateIdentityID(ctx, id, dto, waitConfirm)
+
+	// TODO check node status if its the same as our local node ??
 }
 
 func (nm *networkMap) updateIdentityID(ctx context.Context, id *fftypes.UUID, dto *core.IdentityUpdateDTO, waitConfirm bool) (identity *core.Identity, err error) {

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,8 @@ func (nm networkMap) UpdateIdentity(ctx context.Context, uuidStr string, dto c`
`31`	`31`	`return nil, err`
`32`	`32`	`}`
`33`	`33`	`return nm.updateIdentityID(ctx, id, dto, waitConfirm)`
	`34`	`+`
	`35`	`+ // TODO check node status if its the same as our local node ??`
`34`	`36`	`}`
`35`	`37`
`36`	`38`	`func (nm networkMap) updateIdentityID(ctx context.Context, id fftypes.UUID, dto core.IdentityUpdateDTO, waitConfirm bool) (identity core.Identity, err error) {`