
Commit 3852561

author
Jason Yellick
committed
[FAB-5753] Deduplicate identities in cauthdsl
Backport from v1.1 for v1.0.2. The cauthdsl policy evaluation by spec deduplicates the identities prior to evaluating the policy. However, the deduplication portion of the spec was never implemented. Some hacky deduplication was added in the VSCC path for some reason, but this is the right place to fix it. Although this CR does mean that it is possible the results of policy evaluation between versions will be different, the actual exposure to non-determinism is quite low, as the only typical place where multiple signatures are allowed is in endorsement which is already covered by the VSCC hack. There is some minor exposure because the config processing allows multiple signatures, however, none of the default policies repeat the same principal, so unless the config has been customized with odd policies, this should also be a non-issue. Change-Id: Id2026475767549b4eaa4bcd1c5cc39f70bcf5b6b Signed-off-by: Jason Yellick <jyellick@us.ibm.com>
1 parent ae4e37d commit 3852561

3 files changed

+63
-38
lines changed


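--- a/common/cauthdsl/cauthdsl.go
+++ b/common/cauthdsl/cauthdsl.go
@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2016 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 
 package cauthdsl
@@ -30,7 +20,23 @@ import (
 
 var cauthdslLogger = flogging.MustGetLogger("cauthdsl")
 
-// compile recursively builds a go evaluatable function corresponding to the policy specified
+// deduplicate removes any duplicated identities while otherwise preserving identity order
+func deduplicate(sds []*cb.SignedData) []*cb.SignedData {
+ids := make(map[string]struct{})
+result := make([]*cb.SignedData, 0, len(sds))
+for i, sd := range sds {
+if _, ok := ids[string(sd.Identity)]; ok {
+cauthdslLogger.Warningf("De-duplicating identity %x at index %d in signature set", sd.Identity, i)
+} else {
+result = append(result, sd)
+ids[string(sd.Identity)] = struct{}{}
+}
+}
+return result
+}
+
+// compile recursively builds a go evaluatable function corresponding to the policy specified, remember to call deduplicate on identities before
+// passing them to this function for evaluation
 func compile(policy *cb.SignaturePolicy, identities []*mb.MSPPrincipal, deserializer msp.IdentityDeserializer) (func([]*cb.SignedData, []bool) bool, error) {
 if policy == nil {
 return nil, fmt.Errorf("Empty policy element")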
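Review bot: `deduplicate` keys its map on `string(sd.Identity)`, so two entries are merged only when their serialized bytes are identical. Whether one signer can appear under more than one valid serialization depends on the MSP deserializer, which is not visible here; if it can, each encoding would still count separately toward an N-of-M policy, which is the gap this commit is meant to close. Consider deduplicating on the identifier of the deserialized identity (`compile` already receives an `msp.IdentityDeserializer`), or at least state the equality rule in the doc comment, e.g. `// deduplicate compares the serialized identity bytes; identities that differ only in encoding are NOT merged`. The loop also dereferences `sd` without a nil check, and the warning prints the whole identity with `%x` once per duplicate, so a short digest would keep log volume bounded when a signature set carries many repeats.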

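--- a/common/cauthdsl/cauthdsl_test.go
+++ b/common/cauthdsl/cauthdsl_test.go
@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2016 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 
 package cauthdsl
@@ -179,3 +169,42 @@ func TestNilSignaturePolicyEnvelope(t *testing.T) {
 _, err := compile(nil, nil, &mockDeserializer{})
 assert.Error(t, err, "Fail to compile")
 }
+
+func TestDeduplicate(t *testing.T) {
+ids := []*cb.SignedData{
+&cb.SignedData{
+Identity: []byte("id1"),
+},
+&cb.SignedData{
+Identity: []byte("id2"),
+},
+&cb.SignedData{
+Identity: []byte("id3"),
+},
+}
+
+t.Run("Empty", func(t *testing.T) {
+result := deduplicate([]*cb.SignedData{})
+assert.Equal(t, []*cb.SignedData{}, result, "Should have no identities")
+})
+
+t.Run("NoDuplication", func(t *testing.T) {
+result := deduplicate(ids)
+assert.Equal(t, ids, result, "No identities should have been removed")
+})
+
+t.Run("AllDuplication", func(t *testing.T) {
+result := deduplicate([]*cb.SignedData{ids[0], ids[0], ids[0]})
+assert.Equal(t, []*cb.SignedData{ids[0]}, result, "All but the first identity should have been removed")
+})
+
+t.Run("DuplicationPreservesOrder", func(t *testing.T) {
+result := deduplicate([]*cb.SignedData{ids[1], ids[0], ids[0]})
+assert.Equal(t, []*cb.SignedData{ids[1], ids[0]}, result, "The third identity should have been dropped")
+})
+
+t.Run("ComplexDuplication", func(t *testing.T) {
+result := deduplicate([]*cb.SignedData{ids[1], ids[0], ids[0], ids[1], ids[2], ids[0], ids[2], ids[1]})
+assert.Equal(t, []*cb.SignedData{ids[1], ids[0], ids[2]}, result, "Expected only three non-duplicate identities")
+})
+}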
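Review bot: `TestDeduplicate` exercises only the helper, so none of these cases would fail if `Evaluate` stopped calling `deduplicate`. The property that matters is at policy level: a test that builds a policy requiring two signatures, submits the same signed identity twice, and asserts that `Evaluate` returns an error would pin the fix itself (such a test may exist outside this hunk, but none is added here). The cases also use only non-nil entries with distinct byte strings; a subtest with a nil element and one with an empty `Identity` would document what happens on malformed input. As a style point, the inner `&cb.SignedData{` literals can drop the repeated type, as `gofmt -s` would do.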

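--- a/common/cauthdsl/policy.go
+++ b/common/cauthdsl/policy.go
@@ -1,17 +1,7 @@
 /*
-Copyright IBM Corp. 2016 All Rights Reserved.
+Copyright IBM Corp. All Rights Reserved.
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+SPDX-License-Identifier: Apache-2.0
 */
 
 package cauthdsl
@@ -70,7 +60,7 @@ func (p *policy) Evaluate(signatureSet []*cb.SignedData) error {
 return fmt.Errorf("No such policy")
 }
 
-ok := p.evaluator(signatureSet, make([]bool, len(signatureSet)))
+ok := p.evaluator(deduplicate(signatureSet), make([]bool, len(signatureSet)))
 if !ok {
 return errors.New("Failed to authenticate policy")
 }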
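Review bot: The `used` slice is still sized from the original input, `make([]bool, len(signatureSet))`, while the evaluator now receives the shorter deduplicated slice, so the two arguments no longer describe the same set. This is probably harmless if the compiled evaluator indexes `used` by position in the slice it is given (its body is not visible here), but deriving both from one value removes the doubt: `sigs := deduplicate(signatureSet)` followed by `ok := p.evaluator(sigs, make([]bool, len(sigs)))`. The fix also relies on every caller of a compiled evaluator remembering to deduplicate first, as the new comment on `compile` says; doing it inside the function that `compile` returns would enforce that in one place. `Evaluate` starts and ends outside this hunk.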
