Handle empty policies when traversing the policy tree in discovery po…

…licy analysis (#3335) Discovery policy analysis engine assumed that the inner policy passed to it is of the correct type and cannot be empty. Added a nil check and a test. Change-Id: Ia6eaf0211d8d9f4b7f2881547934dc32c725a458 Signed-off-by: Yacov Manevich <yacovm@il.ibm.com> (cherry picked from commit bcfe00b) Co-authored-by: Yacov Manevich <yacovm@il.ibm.com>
hyperledger · Apr 18, 2022 · 1fb499a · 1fb499a
1 parent 0396bf9
commit 1fb499a
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/common/policies/inquire/inquire.go b/common/policies/inquire/inquire.go
@@ -62,6 +62,10 @@ func principalsOfTree(tree *graph.Tree, principals policies.PrincipalSet) polici
 			continue
 		}
 		pol := v.Data.(*common.SignaturePolicy)
+		if pol == nil {
+			logger.Warnf("Malformed policy, it is either not composed of signature policy envelopes or is missing some")
+			return nil
+		}
 		switch principalIndex := pol.Type.(type) {
 		case *common.SignaturePolicy_SignedBy:
 			if len(principals) <= int(principalIndex.SignedBy) {

diff --git a/common/policies/inquire/inquire_test.go b/common/policies/inquire/inquire_test.go
@@ -11,10 +11,13 @@ import (
 	"testing"
 
 	"github.com/golang/protobuf/proto"
+	"github.com/hyperledger/fabric-protos-go/common"
 	"github.com/hyperledger/fabric-protos-go/msp"
 	"github.com/hyperledger/fabric/common/policydsl"
 	"github.com/hyperledger/fabric/protoutil"
 	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
 )
 
 type testCase struct {
@@ -107,6 +110,30 @@ func TestSatisfiedBy(t *testing.T) {
 	}
 }
 
+func TestSatisfiedByEmptyPolicy(t *testing.T) {
+	backupLogger := logger
+	defer func() {
+		logger = backupLogger
+	}()
+
+	logged := make(map[string]struct{})
+
+	logger = logger.WithOptions(zap.Hooks(func(entry zapcore.Entry) error {
+		logged[entry.Message] = struct{}{}
+		return nil
+	}))
+
+	ip := NewInquireableSignaturePolicy(&common.SignaturePolicyEnvelope{
+		Identities: []*msp.MSPPrincipal{{}},
+	})
+
+	require.Nil(t, ip.SatisfiedBy())
+
+	require.Equal(t, map[string]struct{}{
+		"Malformed policy, it is either not composed of signature policy envelopes or is missing some": {},
+	}, logged)
+}
+
 func TestSatisfiedByTooManyCombinations(t *testing.T) {
 	// We have 26 choose 15 members which is 7,726,160
 	// and we ensure we don't return so many combinations,