From 22f660a6495ab9fab973bdb82a7edb40cd980df0 Mon Sep 17 00:00:00 2001
From: denyeart
Date: Tue, 15 Jun 2021 16:06:40 -0400
Subject: [PATCH] Clarify "identity expired" error messages (#2685)
Peer and Orderer have several "identity expired" error messages. Clarify error messages to indicate which identity has expired.
Signed-off-by: David Enyeart
(cherry picked from commit fd218eb650c9c97ba6f4a9ca9c4c21f8ad857fb6)
# Conflicts:
# core/handlers/auth/filter/expiration_test.go
# gossip/identity/identity_test.go
# orderer/common/msgprocessor/expiration_test.go
---
 common/deliver/acl.go | 2 +-
 common/deliver/acl_test.go | 2 +-
 core/handlers/auth/filter/expiration.go | 2 +-
 core/handlers/auth/filter/expiration_test.go | 5 +++++
 gossip/identity/identity.go | 2 +-
 gossip/identity/identity_test.go | 4 ++++
 integration/raft/cft_test.go | 4 ++--
 orderer/common/msgprocessor/expiration.go | 2 +-
 orderer/common/msgprocessor/expiration_test.go | 5 +++++
 9 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/common/deliver/acl.go b/common/deliver/acl.go
index 6f704a60b91..5a2469efb87 100644
--- a/common/deliver/acl.go
+++ b/common/deliver/acl.go
@@ -57,7 +57,7 @@ type SessionAccessControl struct {
 // changes.
 func (ac *SessionAccessControl) Evaluate() error {
 if !ac.sessionEndTime.IsZero() && time.Now().After(ac.sessionEndTime) {
- return errors.Errorf("client identity expired %v before", time.Since(ac.sessionEndTime))
+ return errors.Errorf("deliver client identity expired %v before", time.Since(ac.sessionEndTime))
 }
 policyCheckNeeded := !ac.usedAtLeastOnce
diff --git a/common/deliver/acl_test.go b/common/deliver/acl_test.go
index d7204d4b578..33f529155a1 100644
--- a/common/deliver/acl_test.go
+++ b/common/deliver/acl_test.go
@@ -116,7 +116,7 @@ var _ = Describe("SessionAccessControl", func() {
 err = sac.Evaluate()
 Expect(err).NotTo(HaveOccurred())
- Eventually(sac.Evaluate).Should(MatchError(ContainSubstring("client identity expired")))
+ Eventually(sac.Evaluate).Should(MatchError(ContainSubstring("deliver client identity expired")))
 })
 })
diff --git a/core/handlers/auth/filter/expiration.go b/core/handlers/auth/filter/expiration.go
index d201803140f..71f1ef524ba 100644
--- a/core/handlers/auth/filter/expiration.go
+++ b/core/handlers/auth/filter/expiration.go
@@ -48,7 +48,7 @@ func validateProposal(signedProp *peer.SignedProposal) error {
 }
 expirationTime := crypto.ExpiresAt(sh.Creator)
 if !expirationTime.IsZero() && time.Now().After(expirationTime) {
- return errors.New("identity expired")
+ return errors.New("proposal client identity expired")
 }
 return nil
 }
diff --git a/core/handlers/auth/filter/expiration_test.go b/core/handlers/auth/filter/expiration_test.go
index 09c375aeaef..2ff30428a44 100644
--- a/core/handlers/auth/filter/expiration_test.go
+++ b/core/handlers/auth/filter/expiration_test.go
@@ -95,8 +95,13 @@ func TestExpirationCheckFilter(t *testing.T) {
 // Scenario I: Expired x509 identity
 sp := createValidSignedProposal(t, createX509Identity(t, "expiredCert.pem"))
 _, err := auth.ProcessProposal(context.Background(), sp)
+<<<<<<< HEAD
 assert.Equal(t, err.Error(), "identity expired")
 assert.False(t, nextEndorser.invoked)
+=======
+ require.Equal(t, err.Error(), "proposal client identity expired")
+ require.False(t, nextEndorser.invoked)
+>>>>>>> fd218eb65 (Clarify "identity expired" error messages (#2685))
 // Scenario II: Not expired x509 identity
 sp = createValidSignedProposal(t, createX509Identity(t, "notExpiredCert.pem"))
diff --git a/gossip/identity/identity.go b/gossip/identity/identity.go
index 671044dcbde..217fa16b4e5 100644
--- a/gossip/identity/identity.go
+++ b/gossip/identity/identity.go
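Review bot: The hunk for core/handlers/auth/filter/expiration_test.go adds unresolved merge conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> fd218eb65 ...`) as file content, so the test file no longer parses and the package's tests cannot build. The same markers are added in the hunks for gossip/identity/identity_test.go and orderer/common/msgprocessor/expiration_test.go, which are the three files listed under "# Conflicts:" in the commit message. Each should be resolved by deleting the three marker lines and keeping one side only; the import blocks are outside the hunks, so whether `require` is available on this branch cannot be seen here, and the safe resolution is presumably the existing `assert` calls with the new text, e.g. `assert.Equal(t, err.Error(), "proposal client identity expired")` followed by `assert.False(t, nextEndorser.invoked)`. Until that is done, the reworded expiry-rejection errors in the filter, gossip and orderer packages have no working unit test behind them.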
@@ -135,7 +135,7 @@ func (is *identityMapperImpl) Put(pkiID common.PKIidType, identity api.PeerIdent
 var expirationTimer *time.Timer
 if !expirationDate.IsZero() {
 if time.Now().After(expirationDate) {
- return errors.New("identity expired")
+ return errors.New("gossipping peer identity expired")
 }
 // Identity would be wiped out a millisecond after its expiration date
 timeToLive := time.Until(expirationDate.Add(time.Millisecond))
diff --git a/gossip/identity/identity_test.go b/gossip/identity/identity_test.go
index 69aa9df3cb9..9151a6151e2 100644
--- a/gossip/identity/identity_test.go
+++ b/gossip/identity/identity_test.go
@@ -268,7 +268,11 @@ func TestExpiration(t *testing.T) {
 err := idStore.Put(x509PkiID, x509Identity)
 assert.NoError(t, err)
 err = idStore.Put(expiredX509PkiID, expiredX509Identity)
+<<<<<<< HEAD
 assert.Equal(t, "identity expired", err.Error())
+=======
+ require.Equal(t, "gossipping peer identity expired", err.Error())
+>>>>>>> fd218eb65 (Clarify "identity expired" error messages (#2685))
 err = idStore.Put(nonX509PkiID, nonX509Identity)
 assert.NoError(t, err)
 err = idStore.Put(notSupportedPkiID, notSupportedIdentity)
diff --git a/integration/raft/cft_test.go b/integration/raft/cft_test.go
index a0f3b270d62..ea0c33a9367 100644
--- a/integration/raft/cft_test.go
+++ b/integration/raft/cft_test.go
@@ -728,7 +728,7 @@ var _ = Describe("EndToEnd Crash Fault Tolerance", func() {
 p, err := nwo.Broadcast(network, orderer, channelCreateTxn)
 Expect(err).NotTo(HaveOccurred())
 Expect(p.Status).To(Equal(common.Status_BAD_REQUEST))
- Expect(p.Info).To(ContainSubstring("identity expired"))
+ Expect(p.Info).To(ContainSubstring("broadcast client identity expired"))
 By("Attempting to fetch a block from orderer and failing")
 denv := CreateDeliverEnvelope(network, orderer, 0, network.SystemChannel.Name)
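Review bot: In `Put` in gossip/identity/identity.go the new message is spelled `gossipping`, where `gossiping` is the more common spelling. The test in identity_test.go compares this string literally, and log searches are likely to do the same, so the spelling is worth settling before the message ships: `return errors.New("gossiping peer identity expired")`. The expectation in the identity_test.go hunk needs the same spelling. `Put` begins and ends outside the hunk.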
@@ -737,7 +737,7 @@ var _ = Describe("EndToEnd Crash Fault Tolerance", func() {
 block, err := nwo.Deliver(network, orderer, denv)
 Expect(err).To(HaveOccurred())
 Expect(block).To(BeNil())
- Eventually(runner.Err(), time.Minute, time.Second).Should(gbytes.Say("client identity expired"))
+ Eventually(runner.Err(), time.Minute, time.Second).Should(gbytes.Say("deliver client identity expired"))
 By("Killing orderer")
 ordererProc.Signal(syscall.SIGTERM)
diff --git a/orderer/common/msgprocessor/expiration.go b/orderer/common/msgprocessor/expiration.go
index 796828d7c24..09d6e603ab4 100644
--- a/orderer/common/msgprocessor/expiration.go
+++ b/orderer/common/msgprocessor/expiration.go
@@ -51,5 +51,5 @@ func (exp *expirationRejectRule) Apply(message *common.Envelope) error {
 if expirationTime.IsZero() || time.Now().Before(expirationTime) {
 return nil
 }
- return errors.New("identity expired")
+ return errors.New("broadcast client identity expired")
 }
diff --git a/orderer/common/msgprocessor/expiration_test.go b/orderer/common/msgprocessor/expiration_test.go
index 7dba88b8dad..59998a74aef 100644
--- a/orderer/common/msgprocessor/expiration_test.go
+++ b/orderer/common/msgprocessor/expiration_test.go
@@ -108,8 +108,13 @@ func TestExpirationRejectRule(t *testing.T) {
 env := createEnvelope(t, createX509Identity(t, "expiredCert.pem"))
 mockCapabilities.ExpirationCheckReturns(true)
 err := NewExpirationRejectRule(mockResources).Apply(env)
+<<<<<<< HEAD
 assert.Error(t, err)
 assert.Equal(t, err.Error(), "identity expired")
+=======
+ require.Error(t, err)
+ require.Equal(t, err.Error(), "broadcast client identity expired")
+>>>>>>> fd218eb65 (Clarify "identity expired" error messages (#2685))
 mockCapabilities.ExpirationCheckReturns(false)
 err = NewExpirationRejectRule(mockResources).Apply(env)
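Review bot: In TestExpirationRejectRule the added `require.Equal(t, err.Error(), "broadcast client identity expired")` passes the actual value in the position testify treats as the expected one, so a failing run would label the two strings the wrong way round. The added line in core/handlers/auth/filter/expiration_test.go has the same order, while the one in identity_test.go has it right. `require.EqualError(t, err, "broadcast client identity expired")` states the intent directly and also fails on a nil error, which makes the preceding `require.Error(t, err)` unnecessary. The test function continues outside the hunk.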