[FAB-7615] hide anon+combined principals pre v1_3

Manu Drijvers · Manu Drijvers · commit a9e91b487649 · 2018-05-28T16:56:18.000+02:00
This CR makes sure that anonymity and combined principals are
only supported when the MSP version is &gt; MSPv1_1.

Change-Id: I27e67107b65e858e636f6d462a804b810056a6cc
Signed-off-by: Manu Drijvers &lt;mdr@zurich.ibm.com&gt;
diff --git a/msp/factory.go b/msp/factory.go
@@ -60,9 +60,9 @@ func New(opts NewOpts) (MSP, error) {
 	case *IdemixNewOpts:
 		switch opts.GetVersion() {
 		case MSPv1_3:
-			fallthrough
+			return newIdemixMsp(MSPv1_3)
 		case MSPv1_1:
-			return newIdemixMsp()
+			return newIdemixMsp(MSPv1_1)
 		default:
 			return nil, errors.Errorf("Invalid *IdemixNewOpts. Version not recognized [%v]", opts.GetVersion())
 		}
diff --git a/msp/idemixmsp.go b/msp/idemixmsp.go
@@ -61,6 +61,7 @@ const rhIndex = 3
 var discloseFlags = []byte{1, 1, 0, 0}
 
 type idemixmsp struct {
+	version      MSPVersion
 	ipk          *idemix.IssuerPublicKey
 	rng          *amcl.RAND
 	signer       *idemixSigningIdentity
@@ -70,10 +71,11 @@ type idemixmsp struct {
 }
 
 // newIdemixMsp creates a new instance of idemixmsp
-func newIdemixMsp() (MSP, error) {
+func newIdemixMsp(version MSPVersion) (MSP, error) {
 	mspLogger.Debugf("Creating Idemix-based MSP instance")
 
 	msp := idemixmsp{}
+	msp.version = version
 	return &msp, nil
 }
 
@@ -215,7 +217,7 @@ func (msp *idemixmsp) Setup(conf1 *m.MSPConfig) error {
 
 // GetVersion returns the version of this MSP
 func (msp *idemixmsp) GetVersion() MSPVersion {
-	return MSPv1_1
+	return msp.version
 }
 
 func (msp *idemixmsp) GetType() ProviderType {
@@ -392,6 +394,10 @@ func (msp *idemixmsp) satisfiesPrincipalValidated(id Identity, principal *m.MSPP
 
 		return nil
 	case m.MSPPrincipal_COMBINED:
+		if msp.version <= MSPv1_1 {
+			return errors.Errorf("Combined MSP Principals are unsupported in MSPv1_1")
+		}
+
 		// Principal is a combination of multiple principals.
 		principals := &m.CombinedPrincipal{}
 		err := proto.Unmarshal(principal.Principal, principals)
@@ -413,6 +419,10 @@ func (msp *idemixmsp) satisfiesPrincipalValidated(id Identity, principal *m.MSPP
 		// The identity satisfies all the principals
 		return nil
 	case m.MSPPrincipal_ANONYMITY:
+		if msp.version <= MSPv1_1 {
+			return errors.Errorf("Anonymity MSP Principals are unsupported in MSPv1_1")
+		}
+
 		anon := &m.MSPIdentityAnonymity{}
 		err := proto.Unmarshal(principal.Principal, anon)
 		if err != nil {
diff --git a/msp/idemixmsp_test.go b/msp/idemixmsp_test.go
@@ -17,7 +17,11 @@ import (
 )
 
 func setup(configPath string, ID string) (MSP, error) {
-	msp, err := newIdemixMsp()
+	return setupWithVersion(configPath, ID, MSPv1_3)
+}
+
+func setupWithVersion(configPath string, ID string, version MSPVersion) (MSP, error) {
+	msp, err := newIdemixMsp(version)
 	if err != nil {
 		return nil, err
 	}
@@ -65,7 +69,7 @@ func TestSetupBad(t *testing.T) {
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "Getting MSP config failed")
 
-	msp1, err := newIdemixMsp()
+	msp1, err := newIdemixMsp(MSPv1_3)
 	assert.NoError(t, err)
 
 	// Setup with nil config
@@ -306,6 +310,25 @@ func TestAnonymityPrincipalBad(t *testing.T) {
 	assert.Contains(t, err.Error(), "principal is nominal, but idemix MSP is anonymous")
 }
 
+func TestAnonymityPrincipalV11(t *testing.T) {
+	msp1, err := setupWithVersion("testdata/idemix/MSP1OU1", "MSP1OU1", MSPv1_1)
+	assert.NoError(t, err)
+
+	id1, err := getDefaultSigner(msp1)
+	assert.NoError(t, err)
+
+	principalBytes, err := proto.Marshal(&msp.MSPIdentityAnonymity{AnonymityType: msp.MSPIdentityAnonymity_NOMINAL})
+	assert.NoError(t, err)
+
+	principal := &msp.MSPPrincipal{
+		PrincipalClassification: msp.MSPPrincipal_ANONYMITY,
+		Principal:               principalBytes}
+
+	err = id1.SatisfiesPrincipal(principal)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "Anonymity MSP Principals are unsupported in MSPv1_1")
+}
+
 func TestIdemixIsWellFormed(t *testing.T) {
 	idemixMSP, err := setup("testdata/idemix/MSP1OU1", "TestName")
 	assert.NoError(t, err)
@@ -618,3 +641,43 @@ func TestPrincipalCombinedBad(t *testing.T) {
 	assert.Error(t, err, "non-admin member of OU1 in MSP1 should not satisfy principal admin and OU1 in MSP1")
 	assert.Contains(t, err.Error(), "user is not an admin")
 }
+
+func TestPrincipalCombinedV11(t *testing.T) {
+	msp1, err := setupWithVersion("testdata/idemix/MSP1OU1", "MSP1OU1", MSPv1_1)
+	assert.NoError(t, err)
+
+	id1, err := getDefaultSigner(msp1)
+	assert.NoError(t, err)
+
+	ou := &msp.OrganizationUnit{
+		OrganizationalUnitIdentifier: id1.GetOrganizationalUnits()[0].OrganizationalUnitIdentifier,
+		MspIdentifier:                id1.GetMSPIdentifier(),
+		CertifiersIdentifier:         nil,
+	}
+	principalBytes, err := proto.Marshal(ou)
+	assert.NoError(t, err)
+
+	principalOU := &msp.MSPPrincipal{
+		PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT,
+		Principal:               principalBytes}
+
+	principalBytes, err = proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: id1.GetMSPIdentifier()})
+	assert.NoError(t, err)
+
+	principalRole := &msp.MSPPrincipal{
+		PrincipalClassification: msp.MSPPrincipal_ROLE,
+		Principal:               principalBytes}
+
+	principals := []*msp.MSPPrincipal{principalOU, principalRole}
+
+	combinedPrincipal := &msp.CombinedPrincipal{Principals: principals}
+	combinedPrincipalBytes, err := proto.Marshal(combinedPrincipal)
+
+	assert.NoError(t, err)
+
+	principalsCombined := &msp.MSPPrincipal{PrincipalClassification: msp.MSPPrincipal_COMBINED, Principal: combinedPrincipalBytes}
+
+	err = id1.SatisfiesPrincipal(principalsCombined)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "Combined MSP Principals are unsupported in MSPv1_1")
+}
