[FAB-9479] Filter out MSP IDs before computing layouts

This change set makes the endorsement analysis logic to filter
out principal sets that have MSP IDs which don't have peers
with the chaincode installed at all.

This is needed for implementing support for cc2cc calls,
because when computing cc2cc endorsement policies we compare
principal sets, and merge principal sets such that one set
contains the other.

However- even though a policy might have an MSP ID in it,
doesn't mean the peers of that MSP ID have the chaincode installed on them.

Therefore, we need to prune these principal sets beforehand in order
for them no to appear as input to the combined endorsement policy evaluation
which would be implemented in future change sets.

The change set also prepares the ground for cc2cc and collection
support by changing the signature of PeersForEndorsement to have
a chaincode interest which aggregate several chaincodes and collections.

Change-Id: If382b4254797684ffef20e182ae744f5c5f3dfa7
Signed-off-by: yacovm <yacovm@il.ibm.com>

Author: yacovm

common/policies/policy.go

@@ -56,6 +56,32 @@ var logger = flogging.MustGetLogger("policies")
 // PrincipalSet is a collection of MSPPrincipals
 type PrincipalSet []*msp.MSPPrincipal
 
+// PrincipalSets aggregates PrincipalSets
+type PrincipalSets []PrincipalSet
+
+// ContainingOnly returns PrincipalSets that contain only principals of the given predicate
+func (psSets PrincipalSets) ContainingOnly(f func(*msp.MSPPrincipal) bool) PrincipalSets {
+	var res PrincipalSets
+	for _, set := range psSets {
+		if !set.ContainingOnly(f) {
+			continue
+		}
+		res = append(res, set)
+	}
+	return res
+}
+
+// ContainingOnly returns whether the given PrincipalSet contains only Principals
+// that satisfy the given predicate
+func (ps PrincipalSet) ContainingOnly(f func(*msp.MSPPrincipal) bool) bool {
+	for _, principal := range ps {
+		if !f(principal) {
+			return false
+		}
+	}
+	return true
+}
+
 // UniqueSet returns a histogram that is induced by the PrincipalSet
 func (ps PrincipalSet) UniqueSet() map[*msp.MSPPrincipal]int {
 	// Create a histogram that holds the MSPPrincipals and counts them

common/policies/policy_test.go

@@ -14,6 +14,8 @@ import (
 	"fmt"
 	"reflect"
 
+	"strconv"
+
 	"github.com/golang/protobuf/proto"
 	"github.com/hyperledger/fabric/protos/msp"
 	logging "github.com/op/go-logging"
@@ -212,3 +214,28 @@ func TestPrincipalUniqueSet(t *testing.T) {
 	// This is essential for 'UniqueSet' to work properly
 	assert.Equal(t, 2, v.NumField())
 }
+
+func TestPrincipalSetContainingOnly(t *testing.T) {
+	var principalSets PrincipalSets
+	var principalSet PrincipalSet
+	for j := 0; j < 3; j++ {
+		for i := 0; i < 10; i++ {
+			principalSet = append(principalSet, &msp.MSPPrincipal{
+				PrincipalClassification: msp.MSPPrincipal_IDENTITY,
+				Principal:               []byte(fmt.Sprintf("%d", j*10+i)),
+			})
+		}
+		principalSets = append(principalSets, principalSet)
+		principalSet = nil
+	}
+
+	between20And30 := func(principal *msp.MSPPrincipal) bool {
+		n, _ := strconv.ParseInt(string(principal.Principal), 10, 32)
+		return n >= 20 && n <= 29
+	}
+
+	principalSets = principalSets.ContainingOnly(between20And30)
+
+	assert.Len(t, principalSets, 1)
+	assert.True(t, principalSets[0].ContainingOnly(between20And30))
+}

discovery/api.go

@@ -48,7 +48,7 @@ type GossipSupport interface {
 // for chaincodes
 type EndorsementSupport interface {
 	// PeersForEndorsement returns an EndorsementDescriptor for a given set of peers, channel, and chaincode
-	PeersForEndorsement(chaincode string, channel common.ChainID) (*discovery2.EndorsementDescriptor, error)
+	PeersForEndorsement(channel common.ChainID, interest *discovery2.ChaincodeInterest) (*discovery2.EndorsementDescriptor, error)
 }
 
 // ConfigSupport provides access to channel configuration

discovery/client/client_test.go

@@ -577,6 +577,12 @@ func (mdf *ccMetadataFetcher) Metadata(channel string, cc string) *chaincode.Met
 type principalEvaluator struct {
 }
 
+func (pe *principalEvaluator) MSPOfPrincipal(principal *msp.MSPPrincipal) string {
+	sID := &msp.SerializedIdentity{}
+	proto.Unmarshal(principal.Principal, sID)
+	return sID.Mspid
+}
+
 func (pe *principalEvaluator) SatisfiesPrincipal(channel string, identity []byte, principal *msp.MSPPrincipal) error {
 	sID := &msp.SerializedIdentity{}
 	proto.Unmarshal(identity, sID)
@@ -597,7 +603,7 @@ func (pf *policyFetcher) PolicyByChaincode(channel string, cc string) policies.I
 }
 
 type endorsementAnalyzer interface {
-	PeersForEndorsement(chaincode string, chainID gossipcommon.ChainID) (*discovery.EndorsementDescriptor, error)
+	PeersForEndorsement(chainID gossipcommon.ChainID, interest *discovery.ChaincodeInterest) (*discovery.EndorsementDescriptor, error)
 }
 
 type inquireablePolicy struct {
@@ -722,8 +728,8 @@ func (ms *mockSupport) Peers() discovery3.Members {
 	return ms.Called().Get(0).(discovery3.Members)
 }
 
-func (ms *mockSupport) PeersForEndorsement(chaincode string, channel gossipcommon.ChainID) (*discovery.EndorsementDescriptor, error) {
-	return ms.endorsementAnalyzer.PeersForEndorsement(chaincode, channel)
+func (ms *mockSupport) PeersForEndorsement(channel gossipcommon.ChainID, interest *discovery.ChaincodeInterest) (*discovery.EndorsementDescriptor, error) {
+	return ms.endorsementAnalyzer.PeersForEndorsement(channel, interest)
 }
 
 func (*mockSupport) EligibleForService(channel string, data common.SignedData) error {

discovery/endorsement/endorsement.go

@@ -29,6 +29,9 @@ type principalEvaluator interface {
 	// SatisfiesPrincipal returns whether a given peer identity satisfies a certain principal
 	// on a given channel
 	SatisfiesPrincipal(channel string, identity []byte, principal *msp.MSPPrincipal) error
+
+	// MSPOfPrincipal returns the MSP ID of the given principal
+	MSPOfPrincipal(principal *msp.MSPPrincipal) string
 }
 
 type chaincodeMetadataFetcher interface {
@@ -75,27 +78,41 @@ func NewEndorsementAnalyzer(gs gossipSupport, pf policyFetcher, pe principalEval
 type peerPrincipalEvaluator func(member discovery2.NetworkMember, principal *msp.MSPPrincipal) bool
 
 // PeersForEndorsement returns an EndorsementDescriptor for a given set of peers, channel, and chaincode
-func (ea *endorsementAnalyzer) PeersForEndorsement(chaincode string, chainID common.ChainID) (*discovery.EndorsementDescriptor, error) {
+func (ea *endorsementAnalyzer) PeersForEndorsement(chainID common.ChainID, interest *discovery.ChaincodeInterest) (*discovery.EndorsementDescriptor, error) {
+	chaincode := interest.ChaincodeNames[0]
 	ccMD := ea.Metadata(string(chainID), chaincode)
 	if ccMD == nil {
 		return nil, errors.Errorf("No metadata was found for chaincode %s in channel %s", chaincode, string(chainID))
 	}
-	aliveMembership := ea.Peers()
+	// Filter out peers that don't have the chaincode installed on them
 	chanMembership := ea.PeersOfChannel(chainID).Filter(peersWithChaincode(ccMD))
-	aliveMembership = aliveMembership.Intersect(chanMembership)
-	membersById := aliveMembership.ByID()
 	channelMembersById := chanMembership.ByID()
-	identitiesOfMembers := computeIdentitiesOfMembers(ea.IdentityInfo(), membersById)
+	// Choose only the alive messages of those that have joined the channel
+	aliveMembership := ea.Peers().Intersect(chanMembership)
+	membersById := aliveMembership.ByID()
+	// Compute a mapping between the PKI-IDs of members to their identities
+	identities := ea.IdentityInfo()
+	identitiesOfMembers := computeIdentitiesOfMembers(identities, membersById)
 
+	// Retrieve the policy for the chaincode
 	pol := ea.PolicyByChaincode(string(chainID), chaincode)
 	if pol == nil {
 		logger.Debug("Policy for chaincode '", chaincode, "'doesn't exist")
 		return nil, errors.New("policy not found")
 	}
 
-	// SatisfiedBy computes combinations of principals that each combination, if satisfied-
-	// satisfies the endorsement policy on its own.
-	principalsSets := pol.SatisfiedBy()
+	// Compute the combinations of principals (principal sets) that satisfy the endorsement policy
+	principalsSets := policies.PrincipalSets(pol.SatisfiedBy())
+
+	// Obtain the MSP IDs of the members of the channel that are alive
+	mspIDsOfChannelPeers := mspIDsOfMembers(membersById, identities.ByID())
+	// Filter out principal sets that contain MSP IDs for peers that don't have the chaincode(s) installed
+	principalsSets = principalsSets.ContainingOnly(func(principal *msp.MSPPrincipal) bool {
+		mspID := ea.MSPOfPrincipal(principal)
+		_, exists := mspIDsOfChannelPeers[mspID]
+		return mspID != "" && exists
+	})
+
 	// mapPrincipalsToGroups returns a mapping from principals to their corresponding groups.
 	// groups are just human readable representations that mask the principals behind them
 	principalGroups := mapPrincipalsToGroups(principalsSets)
@@ -105,16 +122,7 @@ func (ea *endorsementAnalyzer) PeersForEndorsement(chaincode string, chainID com
 	satGraph := principalsToPeersGraph(principalAndPeerData{
 		members: aliveMembership,
 		pGrps:   principalGroups,
-	}, func(member discovery2.NetworkMember, principal *msp.MSPPrincipal) bool {
-		err := ea.SatisfiesPrincipal(string(chainID), identitiesOfMembers.identityByPKIID(member.PKIid), principal)
-		if err == nil {
-			// TODO: log the principals in a human readable form
-			logger.Debug(member, "satisfies principal", principal)
-			return true
-		}
-		logger.Debug(member, "doesn't satisfy principal", principal, ":", err)
-		return false
-	})
+	}, ea.satisfiesPrincipal(string(chainID), identitiesOfMembers))
 
 	layouts := computeLayouts(principalsSets, principalGroups, satGraph)
 	if len(layouts) == 0 {
@@ -135,6 +143,19 @@ func (ea *endorsementAnalyzer) PeersForEndorsement(chaincode string, chainID com
 	}, nil
 }
 
+func (ea *endorsementAnalyzer) satisfiesPrincipal(channel string, identitiesOfMembers memberIdentities) peerPrincipalEvaluator {
+	return func(member discovery2.NetworkMember, principal *msp.MSPPrincipal) bool {
+		err := ea.SatisfiesPrincipal(channel, identitiesOfMembers.identityByPKIID(member.PKIid), principal)
+		if err == nil {
+			// TODO: log the principals in a human readable form
+			logger.Debug(member, "satisfies principal", principal)
+			return true
+		}
+		logger.Debug(member, "doesn't satisfy principal", principal, ":", err)
+		return false
+	}
+}
+
 type peerMembershipCriteria struct {
 	satGraph        *principalPeerGraph
 	idOfMembers     memberIdentities
@@ -351,3 +372,13 @@ func peersWithChaincode(ccMD *chaincode.Metadata) func(member discovery2.Network
 		return false
 	}
 }
+
+func mspIDsOfMembers(membersById map[string]discovery2.NetworkMember, identitiesByID map[string]api.PeerIdentityInfo) map[string]struct{} {
+	res := make(map[string]struct{})
+	for pkiID := range membersById {
+		if identity, exists := identitiesByID[string(pkiID)]; exists {
+			res[string(identity.Organization)] = struct{}{}
+		}
+	}
+	return res
+}

discovery/endorsement/endorsement_test.go

@@ -55,7 +55,23 @@ func TestPeersForEndorsement(t *testing.T) {
 		newPeer(12),
 	}
 
-	identities := alivePeers.toIdentitySet()
+	pkiID2MSPID := map[string]string{
+		"p0":  "Org1MSP",
+		"p1":  "Org1MSP",
+		"p2":  "Org1MSP",
+		"p3":  "Org1MSP",
+		"p4":  "Org1MSP",
+		"p5":  "Org2MSP",
+		"p6":  "Org2MSP",
+		"p7":  "Org2MSP",
+		"p8":  "Org2MSP",
+		"p9":  "Org2MSP",
+		"p10": "Org2MSP",
+		"p11": "Org2MSP",
+		"p12": "Org2MSP",
+	}
+
+	identities := identitySet(pkiID2MSPID)
 
 	chanPeers := peerSet{
 		newPeer(0).withChaincode(cc, "1.0"),
@@ -71,7 +87,7 @@ func TestPeersForEndorsement(t *testing.T) {
 	// Scenario I: Policy isn't found
 	pf.On("PolicyByChaincode", ccWithMissingPolicy).Return(nil).Once()
 	analyzer := NewEndorsementAnalyzer(g, pf, &principalEvaluatorMock{}, mf)
-	desc, err := analyzer.PeersForEndorsement(ccWithMissingPolicy, channel)
+	desc, err := analyzer.PeersForEndorsement(channel, &discovery2.ChaincodeInterest{ChaincodeNames: []string{ccWithMissingPolicy}})
 	assert.Nil(t, desc)
 	assert.Equal(t, "policy not found", err.Error())
 
@@ -88,9 +104,9 @@ func TestPeersForEndorsement(t *testing.T) {
 		Principal: []byte("p11"),
 	}).buildPolicy()
 
-	analyzer = NewEndorsementAnalyzer(g, pf, policy.ToPrincipalEvaluator(), mf)
+	analyzer = NewEndorsementAnalyzer(g, pf, policy.ToPrincipalEvaluator(pkiID2MSPID), mf)
 	pf.On("PolicyByChaincode", cc).Return(policy).Once()
-	desc, err = analyzer.PeersForEndorsement(cc, channel)
+	desc, err = analyzer.PeersForEndorsement(channel, &discovery2.ChaincodeInterest{ChaincodeNames: []string{cc}})
 	assert.Nil(t, desc)
 	assert.Equal(t, err.Error(), "cannot satisfy any principal combination")
 
@@ -108,9 +124,9 @@ func TestPeersForEndorsement(t *testing.T) {
 		Principal: []byte("p12"),
 	}).buildPolicy()
 
-	analyzer = NewEndorsementAnalyzer(g, pf, policy.ToPrincipalEvaluator(), mf)
+	analyzer = NewEndorsementAnalyzer(g, pf, policy.ToPrincipalEvaluator(pkiID2MSPID), mf)
 	pf.On("PolicyByChaincode", cc).Return(policy).Once()
-	desc, err = analyzer.PeersForEndorsement(cc, channel)
+	desc, err = analyzer.PeersForEndorsement(channel, &discovery2.ChaincodeInterest{ChaincodeNames: []string{cc}})
 	assert.NoError(t, err)
 	assert.NotNil(t, desc)
 	assert.Len(t, desc.Layouts, 1)
@@ -132,9 +148,9 @@ func TestPeersForEndorsement(t *testing.T) {
 		Principal: []byte("p12"),
 	}).buildPolicy()
 
-	analyzer = NewEndorsementAnalyzer(g, pf, policy.ToPrincipalEvaluator(), mf)
+	analyzer = NewEndorsementAnalyzer(g, pf, policy.ToPrincipalEvaluator(pkiID2MSPID), mf)
 	pf.On("PolicyByChaincode", cc).Return(policy).Once()
-	desc, err = analyzer.PeersForEndorsement(cc, channel)
+	desc, err = analyzer.PeersForEndorsement(channel, &discovery2.ChaincodeInterest{ChaincodeNames: []string{cc}})
 	assert.NoError(t, err)
 	assert.NotNil(t, desc)
 	assert.Len(t, desc.Layouts, 2)
@@ -153,7 +169,7 @@ func TestPeersForEndorsement(t *testing.T) {
 	}).Once()
 	g.On("PeersOfChannel").Return(chanPeers.toMembers()).Once()
 	pf.On("PolicyByChaincode", cc).Return(policy).Once()
-	desc, err = analyzer.PeersForEndorsement(cc, channel)
+	desc, err = analyzer.PeersForEndorsement(channel, &discovery2.ChaincodeInterest{ChaincodeNames: []string{cc}})
 	assert.Nil(t, desc)
 	assert.Equal(t, err.Error(), "cannot satisfy any principal combination")
 
@@ -166,7 +182,7 @@ func TestPeersForEndorsement(t *testing.T) {
 	mf.On("Metadata").Return(&chaincode.Metadata{
 		Name: cc, Version: "1.0",
 	}).Once()
-	desc, err = analyzer.PeersForEndorsement(cc, channel)
+	desc, err = analyzer.PeersForEndorsement(channel, &discovery2.ChaincodeInterest{ChaincodeNames: []string{cc}})
 	assert.Nil(t, desc)
 	assert.Equal(t, err.Error(), "cannot satisfy any principal combination")
 
@@ -175,7 +191,7 @@ func TestPeersForEndorsement(t *testing.T) {
 	g.On("PeersOfChannel").Return(chanPeers.toMembers()).Once()
 	pf.On("PolicyByChaincode", cc).Return(policy).Once()
 	mf.On("Metadata").Return(nil).Once()
-	desc, err = analyzer.PeersForEndorsement(cc, channel)
+	desc, err = analyzer.PeersForEndorsement(channel, &discovery2.ChaincodeInterest{ChaincodeNames: []string{cc}})
 	assert.Nil(t, desc)
 	assert.Equal(t, err.Error(), "No metadata was found for chaincode chaincode in channel test")
 }
@@ -190,12 +206,13 @@ func (p peerSet) toMembers() discovery.Members {
 	return members
 }
 
-func (p peerSet) toIdentitySet() api.PeerIdentitySet {
+func identitySet(pkiID2MSPID map[string]string) api.PeerIdentitySet {
 	var res api.PeerIdentitySet
-	for _, peer := range p {
+	for pkiID, mspID := range pkiID2MSPID {
 		res = append(res, api.PeerIdentityInfo{
-			Identity: peer.identity,
-			PKIId:    peer.pkiID,
+			Identity:     api.PeerIdentityType(pkiID),
+			PKIId:        common.PKIidType(pkiID),
+			Organization: api.OrgIdentityType(mspID),
 		})
 	}
 	return res
@@ -291,12 +308,17 @@ func (ip inquireablePolicy) SatisfiedBy() []policies.PrincipalSet {
 	return ip
 }
 
-func (ip inquireablePolicy) ToPrincipalEvaluator() *principalEvaluatorMock {
-	return &principalEvaluatorMock{ip: ip}
+func (ip inquireablePolicy) ToPrincipalEvaluator(pkiID2MSPID map[string]string) *principalEvaluatorMock {
+	return &principalEvaluatorMock{ip: ip, pkiID2MSPID: pkiID2MSPID}
 }
 
 type principalEvaluatorMock struct {
-	ip []policies.PrincipalSet
+	pkiID2MSPID map[string]string
+	ip          []policies.PrincipalSet
+}
+
+func (pe *principalEvaluatorMock) MSPOfPrincipal(principal *msp.MSPPrincipal) string {
+	return pe.pkiID2MSPID[string(principal.Principal)]
 }
 
 func (pe *principalEvaluatorMock) SatisfiesPrincipal(channel string, identity []byte, principal *msp.MSPPrincipal) error {

discovery/service.go

@@ -124,8 +124,7 @@ func (s *service) chaincodeQuery(q *discovery.Query) *discovery.QueryResult {
 		if len(interest.ChaincodeNames) == 0 {
 			return wrapError(errors.Errorf("must include at least one chaincode"))
 		}
-		// Until we have cc2cc support, we just take the first chaincode
-		desc, err := s.PeersForEndorsement(interest.ChaincodeNames[0], common2.ChainID(q.Channel))
+		desc, err := s.PeersForEndorsement(common2.ChainID(q.Channel), interest)
 		if err != nil {
 			logger.Errorf("Failed constructing descriptor for chaincode %s,: %v", interest, err)
 			return wrapError(errors.Errorf("failed constructing descriptor for %v", interest))

discovery/service_test.go

@@ -445,7 +445,8 @@ func (ms *mockSupport) Peers() discovery2.Members {
 	return ms.Called().Get(0).(discovery2.Members)
 }
 
-func (ms *mockSupport) PeersForEndorsement(cc string, channel common2.ChainID) (*discovery.EndorsementDescriptor, error) {
+func (ms *mockSupport) PeersForEndorsement(channel common2.ChainID, interest *discovery.ChaincodeInterest) (*discovery.EndorsementDescriptor, error) {
+	cc := interest.ChaincodeNames[0]
 	args := ms.Called(cc)
 	if args.Get(0) == nil {
 		return nil, args.Error(1)