FAB-14094 Clarify implicitmeta error message

This CR replaces the old rather opaque and unclear: Failed to reach implicit threshold of 1 sub-policies: required 1 \ remaining with implicit policy evaluation failed - 0 sub-policies were satisfied, \ but this policy requires 1 of the 'Readers' sub-policies to be \ satisfied Although the message is a bit verbose, and likely could be made to be even clearer, this attempts to strike a reasonable balance between verbosity, and information leakage about policy structures to users which are unauthorized and might simply be attempting to probe the system for information on membership, etc. Change-Id: Icd53e4438117936ca7254d08040e9fad27e24163 Signed-off-by: Jason Yellick <jyellick@us.ibm.com>

FAB-14094 Clarify implicitmeta error message
This CR replaces the old rather opaque and unclear: Failed to reach implicit threshold of 1 sub-policies: required 1 \ remaining with implicit policy evaluation failed - 0 sub-policies were satisfied, \ but this policy requires 1 of the 'Readers' sub-policies to be \ satisfied Although the message is a bit verbose, and likely could be made to be even clearer, this attempts to strike a reasonable balance between verbosity, and information leakage about policy structures to users which are unauthorized and might simply be attempting to probe the system for information on membership, etc. Change-Id: Icd53e4438117936ca7254d08040e9fad27e24163 Signed-off-by: Jason Yellick <jyellick@us.ibm.com>
00df45f9 · Jason Yellick · Gari Singh · ede53fc6 · 00df45f9 · 00df45f9
Commit 00df45f9 authored Mar 05, 2019 by Jason Yellick Committed by Gari Singh Mar 17, 2019
--- a/common/policies/implicitmeta.go
+++ b/common/policies/implicitmeta.go
@@ -76,7 +76,7 @@ func (imp *implicitMetaPolicy) Evaluate(signatureSet []*cb.SignedData) error {
 				b.WriteString(fmt.Sprintf("Evaluation Failed: Only %d policies were satisfied, but needed %d of [ ", imp.threshold-remaining, imp.threshold))
 				for m := range imp.managers {
 					b.WriteString(m)
-					b.WriteString(".")
+					b.WriteString("/")
 					b.WriteString(imp.subPolicyName)
 					b.WriteString(" ")
 				}
@@ -97,5 +97,5 @@ func (imp *implicitMetaPolicy) Evaluate(signatureSet []*cb.SignedData) error {
 	if remaining == 0 {
 		return nil
 	}
-	return fmt.Errorf("Failed to reach implicit threshold of %d sub-policies, required %d remaining", imp.threshold, remaining)
+	return fmt.Errorf("implicit policy evaluation failed - %d sub-policies were satisfied, but this policy requires %d of the '%s' sub-policies to be satisfied", (imp.threshold - remaining), imp.threshold, imp.subPolicyName)
 }
--- a/common/policies/implicitmeta_test.go
+++ b/common/policies/implicitmeta_test.go
@@ -72,23 +72,33 @@ func TestImplicitMetaAny(t *testing.T) {
 	assert.NoError(t, runPolicyTest(cb.ImplicitMetaPolicy_ANY, 1, 1))
 	assert.NoError(t, runPolicyTest(cb.ImplicitMetaPolicy_ANY, 10, 1))
 	assert.NoError(t, runPolicyTest(cb.ImplicitMetaPolicy_ANY, 10, 8))
-	assert.Error(t, runPolicyTest(cb.ImplicitMetaPolicy_ANY, 10, 0))
 	assert.NoError(t, runPolicyTest(cb.ImplicitMetaPolicy_ANY, 0, 0))
+
+	err := runPolicyTest(cb.ImplicitMetaPolicy_ANY, 10, 0)
+	assert.EqualError(t, err, "implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'TestPolicyName' sub-policies to be satisfied")
 }

 func TestImplicitMetaAll(t *testing.T) {
 	assert.NoError(t, runPolicyTest(cb.ImplicitMetaPolicy_ALL, 1, 1))
-	assert.Error(t, runPolicyTest(cb.ImplicitMetaPolicy_ALL, 10, 1))
 	assert.NoError(t, runPolicyTest(cb.ImplicitMetaPolicy_ALL, 10, 10))
-	assert.Error(t, runPolicyTest(cb.ImplicitMetaPolicy_ALL, 10, 0))
 	assert.NoError(t, runPolicyTest(cb.ImplicitMetaPolicy_ALL, 0, 0))
+
+	err := runPolicyTest(cb.ImplicitMetaPolicy_ALL, 10, 1)
+	assert.EqualError(t, err, "implicit policy evaluation failed - 1 sub-policies were satisfied, but this policy requires 10 of the 'TestPolicyName' sub-policies to be satisfied")
+
+	err = runPolicyTest(cb.ImplicitMetaPolicy_ALL, 10, 0)
+	assert.EqualError(t, err, "implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 10 of the 'TestPolicyName' sub-policies to be satisfied")
 }

 func TestImplicitMetaMajority(t *testing.T) {
 	assert.NoError(t, runPolicyTest(cb.ImplicitMetaPolicy_MAJORITY, 1, 1))
-	assert.Error(t, runPolicyTest(cb.ImplicitMetaPolicy_MAJORITY, 10, 5))
 	assert.NoError(t, runPolicyTest(cb.ImplicitMetaPolicy_MAJORITY, 10, 6))
 	assert.NoError(t, runPolicyTest(cb.ImplicitMetaPolicy_MAJORITY, 3, 2))
-	assert.Error(t, runPolicyTest(cb.ImplicitMetaPolicy_MAJORITY, 10, 0))
 	assert.NoError(t, runPolicyTest(cb.ImplicitMetaPolicy_MAJORITY, 0, 0))
+
+	err := runPolicyTest(cb.ImplicitMetaPolicy_MAJORITY, 10, 5)
+	assert.EqualError(t, err, "implicit policy evaluation failed - 5 sub-policies were satisfied, but this policy requires 6 of the 'TestPolicyName' sub-policies to be satisfied")
+
+	err = runPolicyTest(cb.ImplicitMetaPolicy_MAJORITY, 10, 0)
+	assert.EqualError(t, err, "implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 6 of the 'TestPolicyName' sub-policies to be satisfied")
 }
--- a/orderer/common/server/main_test.go
+++ b/orderer/common/server/main_test.go
@@ -670,7 +670,7 @@ func TestCreateReplicator(t *testing.T) {
 	r := createReplicator(ledgerFactory, bootBlock, &localconfig.TopLevel{}, &comm.SecureOptions{}, signer)

 	err := r.verifierRetriever.RetrieveVerifier("mychannel").VerifyBlockSignature(nil, nil)
-	assert.EqualError(t, err, "Failed to reach implicit threshold of 1 sub-policies, required 1 remaining")
+	assert.EqualError(t, err, "implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied")

 	err = r.verifierRetriever.RetrieveVerifier("system").VerifyBlockSignature(nil, nil)
 	assert.NoError(t, err)