[FAB-8094] Removing NodeOU.orderer

Currently the MSP allows to identifier the orderer nodes by their organisational units. This functionality does not match the way fabric currently works. Indeed, orderer nodes are named explicitly, given that their identities needs to be known to the entire network. This change-set fixes the above issue. Change-Id: I4479deda4b9d97034befe9a84531496182b3ca60 Signed-off-by: Angelo De Caro <[email protected]>
hyperledger · Feb 7, 2018 · 466e6ac · 466e6ac
1 parent 903d809
commit 466e6ac
Show file tree

Hide file tree

Showing 22 changed files with 88 additions and 297 deletions.
diff --git a/common/cauthdsl/cauthdsl_builder.go b/common/cauthdsl/cauthdsl_builder.go
@@ -95,12 +95,6 @@ func SignedByMspPeer(mspId string) *cb.SignaturePolicyEnvelope {
 	return signedByFabricEntity(mspId, msp.MSPRole_PEER)
 }
 
-// SignedByMspOrderer creates a SignaturePolicyEnvelope
-// requiring 1 signature from any orderer of the specified MSP
-func SignedByMspOrderer(mspId string) *cb.SignaturePolicyEnvelope {
-	return signedByFabricEntity(mspId, msp.MSPRole_ORDERER)
-}
-
 // SignedByFabricEntity creates a SignaturePolicyEnvelope
 // requiring 1 signature from any fabric entity, having the passed role, of the specified MSP
 func signedByFabricEntity(mspId string, role msp.MSPRole_MSPRoleType) *cb.SignaturePolicyEnvelope {
@@ -175,13 +169,6 @@ func SignedByAnyClient(ids []string) *cb.SignaturePolicyEnvelope {
 	return signedByAnyOfGivenRole(msp.MSPRole_CLIENT, ids)
 }
 
-// SignedByAnyOrderer returns a policy that requires one valid
-// signature from an orderer of any of the orgs whose ids are
-// listed in the supplied string array
-func SignedByAnyOrderer(ids []string) *cb.SignaturePolicyEnvelope {
-	return signedByAnyOfGivenRole(msp.MSPRole_ORDERER, ids)
-}
-
 // SignedByAnyPeer returns a policy that requires one valid
 // signature from an orderer of any of the orgs whose ids are
 // listed in the supplied string array

diff --git a/common/cauthdsl/cauthdsl_test.go b/common/cauthdsl/cauthdsl_test.go
@@ -269,25 +269,3 @@ func TestSignedByMspPeer(t *testing.T) {
 	assert.Equal(t, role.MspIdentifier, "A")
 	assert.Equal(t, role.Role, mb.MSPRole_PEER)
 }
-
-func TestSignedByMspOrderer(t *testing.T) {
-	e := SignedByMspOrderer("A")
-	assert.Equal(t, 1, len(e.Identities))
-
-	role := &mb.MSPRole{}
-	err := proto.Unmarshal(e.Identities[0].Principal, role)
-	assert.NoError(t, err)
-
-	assert.Equal(t, role.MspIdentifier, "A")
-	assert.Equal(t, role.Role, mb.MSPRole_ORDERER)
-
-	e = SignedByAnyOrderer([]string{"A"})
-	assert.Equal(t, 1, len(e.Identities))
-
-	role = &mb.MSPRole{}
-	err = proto.Unmarshal(e.Identities[0].Principal, role)
-	assert.NoError(t, err)
-
-	assert.Equal(t, role.MspIdentifier, "A")
-	assert.Equal(t, role.Role, mb.MSPRole_ORDERER)
-}
diff --git a/common/cauthdsl/policyparser.go b/common/cauthdsl/policyparser.go
@@ -158,8 +158,6 @@ func secondPass(args ...interface{}) (interface{}, error) {
 				r = msp.MSPRole_CLIENT
 			case "peer":
 				r = msp.MSPRole_PEER
-			case "orderer":
-				r = msp.MSPRole_ORDERER
 			default:
 				return nil, fmt.Errorf("Error parsing role %s", t)
 			}

diff --git a/common/cauthdsl/policyparser_test.go b/common/cauthdsl/policyparser_test.go
@@ -117,26 +117,6 @@ func TestAndClientPeerOrderer(t *testing.T) {
 
 	assert.True(t, reflect.DeepEqual(p1, p2))
 
-	p1, err = FromString("AND('A.peer', 'B.orderer')")
-	assert.NoError(t, err)
-
-	principals = make([]*msp.MSPPrincipal, 0)
-
-	principals = append(principals, &msp.MSPPrincipal{
-		PrincipalClassification: msp.MSPPrincipal_ROLE,
-		Principal:               utils.MarshalOrPanic(&msp.MSPRole{Role: msp.MSPRole_PEER, MspIdentifier: "A"})})
-
-	principals = append(principals, &msp.MSPPrincipal{
-		PrincipalClassification: msp.MSPPrincipal_ROLE,
-		Principal:               utils.MarshalOrPanic(&msp.MSPRole{Role: msp.MSPRole_ORDERER, MspIdentifier: "B"})})
-
-	p2 = &common.SignaturePolicyEnvelope{
-		Version:    0,
-		Rule:       And(SignedBy(0), SignedBy(1)),
-		Identities: principals,
-	}
-
-	assert.True(t, reflect.DeepEqual(p1, p2))
 }
 
 func TestOr(t *testing.T) {

diff --git a/msp/configbuilder.go b/msp/configbuilder.go
@@ -41,8 +41,6 @@ type NodeOUs struct {
 	ClientOUIdentifier *OrganizationalUnitIdentifiersConfiguration `yaml:"ClientOUIdentifier,omitempty"`
 	// PeerOUIdentifier specifies how to recognize peers by OU
 	PeerOUIdentifier *OrganizationalUnitIdentifiersConfiguration `yaml:"PeerOUIdentifier,omitempty"`
-	// OrdererOUIdentifier specifies how to recognize orderers by OU
-	OrdererOUIdentifier *OrganizationalUnitIdentifiersConfiguration `yaml:"OrdererOUIdentifier,omitempty"`
 }
 
 // Configuration represents the accessory configuration an MSP can be equipped with.
@@ -300,15 +298,11 @@ func getMspConfig(dir string, ID string, sigid *msp.SigningIdentityInfo) (*msp.M
 			if configuration.NodeOUs.PeerOUIdentifier == nil || len(configuration.NodeOUs.PeerOUIdentifier.OrganizationalUnitIdentifier) == 0 {
 				return nil, errors.New("Failed loading NodeOUs. PeerOU must be different from nil.")
 			}
-			if configuration.NodeOUs.OrdererOUIdentifier == nil || len(configuration.NodeOUs.OrdererOUIdentifier.OrganizationalUnitIdentifier) == 0 {
-				return nil, errors.New("Failed loading NodeOUs. OrdererOU must be different from nil.")
-			}
 
 			nodeOUs = &msp.FabricNodeOUs{
-				Enable:              configuration.NodeOUs.Enable,
-				ClientOUIdentifier:  &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.ClientOUIdentifier.OrganizationalUnitIdentifier},
-				PeerOUIdentifier:    &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.PeerOUIdentifier.OrganizationalUnitIdentifier},
-				OrdererOUIdentifier: &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.OrdererOUIdentifier.OrganizationalUnitIdentifier},
+				Enable:             configuration.NodeOUs.Enable,
+				ClientOUIdentifier: &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.ClientOUIdentifier.OrganizationalUnitIdentifier},
+				PeerOUIdentifier:   &msp.FabricOUIdentifier{OrganizationalUnitIdentifier: configuration.NodeOUs.PeerOUIdentifier.OrganizationalUnitIdentifier},
 			}
 
 			// Read certificates, if defined
@@ -330,15 +324,6 @@ func getMspConfig(dir string, ID string, sigid *msp.SigningIdentityInfo) (*msp.M
 			} else {
 				nodeOUs.PeerOUIdentifier.Certificate = raw
 			}
-
-			// OrdererOU
-			f = filepath.Join(dir, configuration.NodeOUs.OrdererOUIdentifier.Certificate)
-			raw, err = readFile(f)
-			if err != nil {
-				mspLogger.Debugf("Failed loading OrdererOU certificate at [%s]: [%s]", f, err)
-			} else {
-				nodeOUs.OrdererOUIdentifier.Certificate = raw
-			}
 		}
 	} else {
 		mspLogger.Debugf("MSP configuration file not found at [%s]: [%s]", configFile, err)

diff --git a/msp/mspimpl.go b/msp/mspimpl.go
@@ -87,7 +87,7 @@ type bccspmsp struct {
 	ouEnforcement bool
 	// These are the OUIdentifiers of the clients, peers and orderers.
 	// They are used to tell apart these entities
-	clientOU, peerOU, ordererOU *OUIdentifier
+	clientOU, peerOU *OUIdentifier
 }
 
 // newBccspMsp returns an MSP instance backed up by a BCCSP
@@ -306,8 +306,6 @@ func (msp *bccspmsp) hasOURoleInternal(id *identity, mspRole m.MSPRole_MSPRoleTy
 		nodeOUValue = msp.clientOU.OrganizationalUnitIdentifier
 	case m.MSPRole_PEER:
 		nodeOUValue = msp.peerOU.OrganizationalUnitIdentifier
-	case m.MSPRole_ORDERER:
-		nodeOUValue = msp.ordererOU.OrganizationalUnitIdentifier
 	default:
 		return fmt.Errorf("Invalid MSPRoleType. It must be CLIENT, PEER or ORDERER")
 	}
@@ -409,8 +407,6 @@ func (msp *bccspmsp) SatisfiesPrincipal(id Identity, principal *m.MSPPrincipal)
 		case m.MSPRole_CLIENT:
 			fallthrough
 		case m.MSPRole_PEER:
-			fallthrough
-		case m.MSPRole_ORDERER:
 			mspLogger.Debugf("Checking if identity satisfies role [%s] for %s", m.MSPRole_MSPRoleType_name[int32(mspRole.Role)], msp.name)
 			if err := msp.Validate(id); err != nil {
 				return errors.Wrapf(err, "The identity is not valid under this MSP [%s]", msp.name)

diff --git a/msp/mspimplsetup.go b/msp/mspimplsetup.go
@@ -252,15 +252,6 @@ func (msp *bccspmsp) setupNodeOUs(config *m.FabricMSPConfig) error {
 			msp.peerOU.CertifiersIdentifier = certifiersIdentifier
 		}
 
-		// OrdererOU
-		msp.ordererOU = &OUIdentifier{OrganizationalUnitIdentifier: config.FabricNodeOUs.OrdererOUIdentifier.OrganizationalUnitIdentifier}
-		if len(config.FabricNodeOUs.OrdererOUIdentifier.Certificate) != 0 {
-			certifiersIdentifier, err := msp.getCertifiersIdentifier(config.FabricNodeOUs.OrdererOUIdentifier.Certificate)
-			if err != nil {
-				return err
-			}
-			msp.ordererOU.CertifiersIdentifier = certifiersIdentifier
-		}
 	} else {
 		msp.ouEnforcement = false
 	}

diff --git a/msp/mspimplvalidate.go b/msp/mspimplvalidate.go
@@ -184,8 +184,6 @@ func (msp *bccspmsp) validateIdentityOUsV11(id *identity) error {
 			nodeOU = msp.clientOU
 		case msp.peerOU.OrganizationalUnitIdentifier:
 			nodeOU = msp.peerOU
-		case msp.ordererOU.OrganizationalUnitIdentifier:
-			nodeOU = msp.ordererOU
 		default:
 			continue
 		}

diff --git a/msp/nodeous_test.go b/msp/nodeous_test.go
@@ -180,20 +180,6 @@ func TestSatisfiesPrincipalPeer(t *testing.T) {
 		assert.NoError(t, err)
 	}))
 
-	assert.True(t, t.Run("Check that id is not a orderer", func(t *testing.T) {
-		// Check that id is not a orderer
-		mspID, err := thisMSP.GetIdentifier()
-		assert.NoError(t, err)
-		principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ORDERER, MspIdentifier: mspID})
-		assert.NoError(t, err)
-		principal := &msp.MSPPrincipal{
-			PrincipalClassification: msp.MSPPrincipal_ROLE,
-			Principal:               principalBytes}
-		err = id.SatisfiesPrincipal(principal)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "The identity is not a [ORDERER] under this MSP [DEFAULT]")
-	}))
-
 	assert.True(t, t.Run("Check that id is not a client", func(t *testing.T) {
 		// Check that id is not a client
 		mspID, err := thisMSP.GetIdentifier()
@@ -235,20 +221,6 @@ func TestSatisfiesPrincipalClient(t *testing.T) {
 		assert.NoError(t, err)
 	}))
 
-	assert.True(t, t.Run("Check that id is not a orderer", func(t *testing.T) {
-		// Check that id is not a orderer
-		mspID, err := thisMSP.GetIdentifier()
-		assert.NoError(t, err)
-		principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ORDERER, MspIdentifier: mspID})
-		assert.NoError(t, err)
-		principal := &msp.MSPPrincipal{
-			PrincipalClassification: msp.MSPPrincipal_ROLE,
-			Principal:               principalBytes}
-		err = id.SatisfiesPrincipal(principal)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "The identity is not a [ORDERER] under this MSP [DEFAULT]")
-	}))
-
 	assert.True(t, t.Run("Check that id is not a peer", func(t *testing.T) {
 		// Check that id is not a peer
 		mspID, err := thisMSP.GetIdentifier()
@@ -263,58 +235,3 @@ func TestSatisfiesPrincipalClient(t *testing.T) {
 		assert.Contains(t, err.Error(), "The identity is not a [PEER] under this MSP [DEFAULT]")
 	}))
 }
-
-func TestSatisfiesPrincipalOrderer(t *testing.T) {
-	// testdata/nodeous5:
-	// the configuration enables NodeOUs and admin and signing identity are valid
-	thisMSP := getLocalMSPWithVersion(t, "testdata/nodeous5", MSPv1_1)
-	assert.True(t, thisMSP.(*bccspmsp).ouEnforcement)
-
-	// The default signing identity is an orderer
-	id, err := thisMSP.GetDefaultSigningIdentity()
-	assert.NoError(t, err)
-
-	err = id.Validate()
-	assert.NoError(t, err)
-
-	assert.True(t, t.Run("Check that id is a peer", func(t *testing.T) {
-		// Check that id is a peer
-		mspID, err := thisMSP.GetIdentifier()
-		assert.NoError(t, err)
-		principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_ORDERER, MspIdentifier: mspID})
-		assert.NoError(t, err)
-		principal := &msp.MSPPrincipal{
-			PrincipalClassification: msp.MSPPrincipal_ROLE,
-			Principal:               principalBytes}
-		err = id.SatisfiesPrincipal(principal)
-		assert.NoError(t, err)
-	}))
-
-	assert.True(t, t.Run("Check that id is not a orderer", func(t *testing.T) {
-		// Check that id is not a orderer
-		mspID, err := thisMSP.GetIdentifier()
-		assert.NoError(t, err)
-		principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_PEER, MspIdentifier: mspID})
-		assert.NoError(t, err)
-		principal := &msp.MSPPrincipal{
-			PrincipalClassification: msp.MSPPrincipal_ROLE,
-			Principal:               principalBytes}
-		err = id.SatisfiesPrincipal(principal)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "The identity is not a [PEER] under this MSP [DEFAULT]")
-	}))
-
-	assert.True(t, t.Run("Check that id is not a client", func(t *testing.T) {
-		// Check that id is not a client
-		mspID, err := thisMSP.GetIdentifier()
-		assert.NoError(t, err)
-		principalBytes, err := proto.Marshal(&msp.MSPRole{Role: msp.MSPRole_CLIENT, MspIdentifier: mspID})
-		assert.NoError(t, err)
-		principal := &msp.MSPPrincipal{
-			PrincipalClassification: msp.MSPPrincipal_ROLE,
-			Principal:               principalBytes}
-		err = id.SatisfiesPrincipal(principal)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "The identity is not a [CLIENT] under this MSP [DEFAULT]")
-	}))
-}
diff --git a/msp/testdata/nodeous1/config.yaml b/msp/testdata/nodeous1/config.yaml
@@ -13,5 +13,3 @@ NodeOUs:
     OrganizationalUnitIdentifier: "OU_client"
   PeerOUIdentifier:
     OrganizationalUnitIdentifier: "OU_peer"
-  OrdererOUIdentifier:
-    OrganizationalUnitIdentifier: "OU_orderer"
diff --git a/msp/testdata/nodeous2/config.yaml b/msp/testdata/nodeous2/config.yaml
@@ -8,5 +8,3 @@ NodeOUs:
     OrganizationalUnitIdentifier: "OU_client"
   PeerOUIdentifier:
     OrganizationalUnitIdentifier: "OU_peer"
-  OrdererOUIdentifier:
-    OrganizationalUnitIdentifier: "OU_orderer"
diff --git a/msp/testdata/nodeous3/config.yaml b/msp/testdata/nodeous3/config.yaml
@@ -8,5 +8,3 @@ NodeOUs:
     OrganizationalUnitIdentifier: "OU_client"
   PeerOUIdentifier:
     OrganizationalUnitIdentifier: "OU_peer"
-  OrdererOUIdentifier:
-    OrganizationalUnitIdentifier: "OU_orderer"
diff --git a/msp/testdata/nodeous4/config.yaml b/msp/testdata/nodeous4/config.yaml
@@ -10,6 +10,3 @@ NodeOUs:
   PeerOUIdentifier:
     Certificate: "cacerts/cacert.pem"
     OrganizationalUnitIdentifier: "OU_peer"
-  OrdererOUIdentifier:
-    Certificate: "cacerts/cacert.pem"
-    OrganizationalUnitIdentifier: "OU_orderer"
diff --git a/msp/testdata/nodeous5/config.yaml b/msp/testdata/nodeous5/config.yaml
@@ -8,5 +8,3 @@ NodeOUs:
     OrganizationalUnitIdentifier: "OU_client"
   PeerOUIdentifier:
     OrganizationalUnitIdentifier: "OU_peer"
-  OrdererOUIdentifier:
-    OrganizationalUnitIdentifier: "OU_orderer"
diff --git a/msp/testdata/nodeous6/config.yaml b/msp/testdata/nodeous6/config.yaml
@@ -7,14 +7,10 @@ OrganizationalUnitIdentifiers:
     OrganizationalUnitIdentifier: "OU_client"
   - Certificate: "cacerts/cacert.pem"
     OrganizationalUnitIdentifier: "OU_peer"
-  - Certificate: "cacerts/cacert.pem"
-    OrganizationalUnitIdentifier: "OU_orderer"
 
 NodeOUs:
   Enable: true
   ClientOUIdentifier:
     OrganizationalUnitIdentifier: "OU_client"
   PeerOUIdentifier:
     OrganizationalUnitIdentifier: "OU_peer"
-  OrdererOUIdentifier:
-    OrganizationalUnitIdentifier: "OU_orderer"
diff --git a/msp/testdata/nodeous7/config.yaml b/msp/testdata/nodeous7/config.yaml
@@ -12,5 +12,3 @@ NodeOUs:
     OrganizationalUnitIdentifier: "OU_client"
   PeerOUIdentifier:
     OrganizationalUnitIdentifier: "OU_peer"
-  OrdererOUIdentifier:
-    OrganizationalUnitIdentifier: "OU_orderer"
diff --git a/msp/testdata/nodeous8/config.yaml b/msp/testdata/nodeous8/config.yaml
@@ -10,6 +10,3 @@ NodeOUs:
   PeerOUIdentifier:
     Certificate: "cacerts/cacert.pem"
     OrganizationalUnitIdentifier: "OU_peer"
-  OrdererOUIdentifier:
-    Certificate: "cacerts/cacert.pem"
-    OrganizationalUnitIdentifier: "OU_orderer"