github.com/ewagmig/fabric@v2.1.1+incompatible/core/policy/policy_test.go (about)

     1  /*
     2  Copyright IBM Corp. 2017 All Rights Reserved.
     3  
     4  SPDX-License-Identifier: Apache-2.0
     5  */
     6  
     7  package policy
     8  
     9  import (
    10  	"testing"
    11  
    12  	"github.com/hyperledger/fabric-protos-go/peer"
    13  	"github.com/hyperledger/fabric/common/policies"
    14  	"github.com/hyperledger/fabric/core/policy/mocks"
    15  	"github.com/hyperledger/fabric/msp/mgmt"
    16  	"github.com/hyperledger/fabric/protoutil"
    17  	"github.com/stretchr/testify/assert"
    18  	"github.com/stretchr/testify/mock"
    19  )
    20  
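// TestCheckPolicyInvalidArgs verifies that CheckPolicy fails closed for a
// channel that has no registered policy manager. Only channel "A" is
// configured, so a check against channel "B" must return an error instead of
// being treated as authorized.
func TestCheckPolicyInvalidArgs(t *testing.T) {
	managers := map[string]policies.Manager{
		"A": &mocks.MockChannelPolicyManager{
			MockPolicy: &mocks.MockPolicy{
				Deserializer: &mocks.MockIdentityDeserializer{
					Identity: []byte("Alice"),
					Msg:      []byte("msg1"),
				},
			},
		},
	}
	pc := &policyChecker{
		channelPolicyManagerGetter: &mocks.MockChannelPolicyManagerGetter{Managers: managers},
	}

	err := pc.CheckPolicy("B", "admin", &peer.SignedProposal{})
	// assert.Error does not stop the test, so only inspect the message when an
	// error was actually returned. If a regression ever made this check pass,
	// the test reports a normal failure instead of panicking on a nil error.
	if assert.Error(t, err) {
		assert.Contains(t, err.Error(), "Failed to get policy manager for channel [B]")
	}
}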
    40  
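// TestCheckPolicyBySignedDataInvalidArgs verifies that CheckPolicyBySignedData
// rejects every malformed or unauthorized request: an empty channel ID, an
// empty policy name, nil signed data, an unknown channel, and signed data that
// does not satisfy the policy. Each case must yield an error carrying the
// expected message; none may be silently accepted.
func TestCheckPolicyBySignedDataInvalidArgs(t *testing.T) {
	pc := &policyChecker{
		channelPolicyManagerGetter: &mocks.MockChannelPolicyManagerGetter{
			Managers: map[string]policies.Manager{
				"A": &mocks.MockChannelPolicyManager{
					MockPolicy: &mocks.MockPolicy{
						Deserializer: &mocks.MockIdentityDeserializer{
							Identity: []byte("Alice"),
							Msg:      []byte("msg1"),
						},
					},
				},
			},
		},
	}

	// The cases run in the same order as the checks they replace.
	cases := []struct {
		channel string
		policy  string
		signed  []*protoutil.SignedData
		wantMsg string
	}{
		{
			channel: "",
			policy:  "admin",
			signed:  []*protoutil.SignedData{{}},
			wantMsg: "Invalid channel ID name during check policy on signed data. Name must be different from nil.",
		},
		{
			channel: "A",
			policy:  "",
			signed:  []*protoutil.SignedData{{}},
			wantMsg: "Invalid policy name during check policy on signed data on channel [A]. Name must be different from nil.",
		},
		{
			channel: "A",
			policy:  "admin",
			signed:  nil,
			wantMsg: "Invalid signed data during check policy on channel [A] with policy [admin]",
		},
		{
			// Channel "B" has no policy manager registered.
			channel: "B",
			policy:  "admin",
			signed:  []*protoutil.SignedData{{}},
			wantMsg: "Failed to get policy manager for channel [B]",
		},
		{
			// An empty SignedData entry on a known channel must still fail
			// policy evaluation.
			channel: "A",
			policy:  "admin",
			signed:  []*protoutil.SignedData{{}},
			wantMsg: "Failed evaluating policy on signed data during check policy on channel [A] with policy [admin]",
		},
	}

	for _, tc := range cases {
		err := pc.CheckPolicyBySignedData(tc.channel, tc.policy, tc.signed)
		// Only read the message when an error was returned; a nil error is
		// reported by assert.Error and must not turn into a nil-dereference
		// panic that hides the remaining cases.
		if assert.Error(t, err) {
			assert.Contains(t, err.Error(), tc.wantMsg)
		}
	}
}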
    75  
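// TestPolicyCheckerInvalidArgs verifies that a checker built with
// NewPolicyChecker rejects requests with an empty policy name or a nil signed
// proposal, both for a named channel and for the channelless path (empty
// channel ID). Every combination must return an error with the expected text.
func TestPolicyCheckerInvalidArgs(t *testing.T) {
	// newManager builds a channel policy manager whose mock policy is backed by
	// the given identity/message pair.
	newManager := func(identity, msg string) policies.Manager {
		return &mocks.MockChannelPolicyManager{
			MockPolicy: &mocks.MockPolicy{Deserializer: &mocks.MockIdentityDeserializer{
				Identity: []byte(identity),
				Msg:      []byte(msg),
			}},
		}
	}
	policyManagerGetter := &mocks.MockChannelPolicyManagerGetter{
		Managers: map[string]policies.Manager{
			"A": newManager("Alice", "msg1"),
			"B": newManager("Bob", "msg2"),
			"C": newManager("Alice", "msg3"),
		},
	}
	identityDeserializer := &mocks.MockIdentityDeserializer{
		Identity: []byte("Alice"),
		Msg:      []byte("msg1"),
	}
	pc := NewPolicyChecker(
		policyManagerGetter,
		identityDeserializer,
		&mocks.MockMSPPrincipalGetter{Principal: []byte("Alice")},
	)

	// All cases pass a nil signed proposal; they run in the listed order.
	cases := []struct {
		channel string
		policy  string
		wantMsg string
	}{
		// (non-empty channel, empty policy) fails
		{"A", "", "Invalid policy name during check policy on channel [A]. Name must be different from nil."},
		// (empty channel, empty policy) fails
		{"", "", "Invalid policy name during channelless check policy. Name must be different from nil."},
		// (non-empty channel, non-empty policy, nil proposal) fails
		{"A", "A", "Invalid signed proposal during check policy on channel [A] with policy [A]"},
		// (empty channel, non-empty policy, nil proposal) fails
		{"", "A", "Invalid signed proposal during channelless check policy with policy [A]"},
	}

	for _, tc := range cases {
		err := pc.CheckPolicy(tc.channel, tc.policy, nil)
		// Guard the message check so that an unexpectedly nil error produces a
		// clean assertion failure rather than a panic on err.Error().
		if assert.Error(t, err) {
			assert.Contains(t, err.Error(), tc.wantMsg)
		}
	}
}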
   129  
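// TestPolicyChecker exercises the accept and reject paths of the policy
// checker with mock identities:
//
//   - a proposal created by Alice is accepted on channel A;
//   - the same proposal is rejected on channel B (identity not recognised) and
//     on channel C (identity recognised, signature not valid), so an
//     authorization on one channel does not carry over to another;
//   - on the channelless path, Alice is accepted as a member of the local MSP
//     and Bob is rejected.
func TestPolicyChecker(t *testing.T) {
	// Channel A's deserializer is held in a variable because its expected
	// message is replaced below, once the proposal bytes are known.
	chanADeserializer := &mocks.MockIdentityDeserializer{
		Identity: []byte("Alice"),
		Msg:      []byte("msg1"),
	}
	policyManagerGetter := &mocks.MockChannelPolicyManagerGetter{
		Managers: map[string]policies.Manager{
			"A": &mocks.MockChannelPolicyManager{
				MockPolicy: &mocks.MockPolicy{Deserializer: chanADeserializer},
			},
			"B": &mocks.MockChannelPolicyManager{
				MockPolicy: &mocks.MockPolicy{
					Deserializer: &mocks.MockIdentityDeserializer{
						Identity: []byte("Bob"),
						Msg:      []byte("msg2"),
					},
				},
			},
			"C": &mocks.MockChannelPolicyManager{
				MockPolicy: &mocks.MockPolicy{
					Deserializer: &mocks.MockIdentityDeserializer{
						Identity: []byte("Alice"),
						Msg:      []byte("msg3"),
					},
				},
			},
		},
	}
	identityDeserializer := &mocks.MockIdentityDeserializer{
		Identity: []byte("Alice"),
		Msg:      []byte("msg1"),
	}
	pc := NewPolicyChecker(
		policyManagerGetter,
		identityDeserializer,
		&mocks.MockMSPPrincipalGetter{Principal: []byte("Alice")},
	)

	// expectErr asserts that err is non-nil and mentions want. The message is
	// only read when an error exists, so a rejection that regresses into an
	// acceptance shows up as a failed assertion instead of a nil-dereference
	// panic.
	expectErr := func(err error, want string) {
		t.Helper()
		if assert.Error(t, err) {
			assert.Contains(t, err.Error(), want)
		}
	}

	// Validate Alice signatures against channel A's readers.
	// NOTE(review): the mock deserializer presumably accepts a signature when
	// the signed bytes match its Msg field; confirm against the mocks package.
	aliceProp, _ := protoutil.MockSignedEndorserProposalOrPanic("A", &peer.ChaincodeSpec{}, []byte("Alice"), []byte("msg1"))
	chanADeserializer.Msg = aliceProp.ProposalBytes
	aliceProp.Signature = aliceProp.ProposalBytes
	assert.NoError(t, pc.CheckPolicy("A", "readers", aliceProp))

	// Proposal from Alice for channel A should fail against channel B, where Alice is not involved.
	expectErr(
		pc.CheckPolicy("B", "readers", aliceProp),
		"Failed evaluating policy on signed data during check policy on channel [B] with policy [readers]: [Invalid Identity]",
	)

	// Proposal from Alice for channel A should fail against channel C, where
	// Alice is involved but the signature is not valid.
	expectErr(
		pc.CheckPolicy("C", "readers", aliceProp),
		"Failed evaluating policy on signed data during check policy on channel [C] with policy [readers]: [Invalid Signature]",
	)

	// Alice is a member of the local MSP, policy check must succeed.
	identityDeserializer.Msg = aliceProp.ProposalBytes
	assert.NoError(t, pc.CheckPolicyNoChannel(mgmt.Members, aliceProp))

	// Bob is not a member of the local MSP, policy check must fail.
	bobProp, _ := protoutil.MockSignedEndorserProposalOrPanic("A", &peer.ChaincodeSpec{}, []byte("Bob"), []byte("msg2"))
	expectErr(
		pc.CheckPolicyNoChannel(mgmt.Members, bobProp),
		"Failed deserializing proposal creator during channelless check policy with policy [Members]: [Invalid Identity]",
	)
}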
   194  
// MockPolicyCheckerFactory is a testify mock exposing a NewPolicyChecker
// method, so tests can decide which PolicyChecker is handed out.
type MockPolicyCheckerFactory struct {
	mock.Mock
}

// NewPolicyChecker records the call on the mock and returns the first
// configured return value as a PolicyChecker. The type assertion is unchecked,
// so it panics if that value is not a PolicyChecker.
func (m *MockPolicyCheckerFactory) NewPolicyChecker() PolicyChecker {
	configured := m.Called().Get(0)
	return configured.(PolicyChecker)
}