From 5ccc63f269c3a1f2fae18c6afed7130d57395b50 Mon Sep 17 00:00:00 2001 From: kopaygorodsky Date: Sat, 3 Oct 2020 17:11:59 +0300 Subject: [PATCH] generation of verifying options based only on simulated config, fixes Signed-off-by: kopaygorodsky --- integration/raft/config_test.go | 35 ----- orderer/consensus/etcdraft/chain.go | 2 +- orderer/consensus/etcdraft/consenter.go | 2 +- orderer/consensus/etcdraft/util.go | 141 ++++--------------- orderer/consensus/etcdraft/util_test.go | 12 +- orderer/consensus/etcdraft/validator_test.go | 112 ++++++++++----- 6 files changed, 111 insertions(+), 193 deletions(-) diff --git a/integration/raft/config_test.go b/integration/raft/config_test.go index 2f8d275c68c..564c15fc0a6 100644 --- a/integration/raft/config_test.go +++ b/integration/raft/config_test.go @@ -391,41 +391,6 @@ var _ = Describe("EndToEnd reconfiguration and onboarding", func() { By("Waiting for orderer3 to see the leader") findLeader([]*ginkgomon.Runner{ordererRunners[2]}) - By("Removing orderer3's TLS root CA certificate") - nwo.UpdateOrdererMSP(network, peer, orderer, "systemchannel", "OrdererOrg", func(config msp.FabricMSPConfig) msp.FabricMSPConfig { - config.TlsRootCerts = config.TlsRootCerts[:len(config.TlsRootCerts)-1] - return config - }) - - By("Killing orderer3") - o3Proc := ordererProcesses[2] - o3Proc.Signal(syscall.SIGKILL) - Eventually(o3Proc.Wait(), network.EventuallyTimeout).Should(Receive(MatchError("exit status 137"))) - - By("Restarting orderer3") - o3Runner := network.OrdererRunner(orderer3) - ordererRunners[2] = o3Runner - o3Proc = ifrit.Invoke(o3Runner) - Eventually(o3Proc.Ready(), network.EventuallyTimeout).Should(BeClosed()) - ordererProcesses[2] = o3Proc - - By("Ensuring TLS handshakes fail with the other orderers") - for i, oRunner := range ordererRunners { - if i < 2 { - Eventually(oRunner.Err(), network.EventuallyTimeout).Should(gbytes.Say("TLS handshake failed with error tls: failed to verify client certificate")) - continue - } - Eventually(oRunner.Err(), network.EventuallyTimeout).Should(gbytes.Say("TLS handshake failed with error remote error: tls: bad certificate")) - Eventually(oRunner.Err(), network.EventuallyTimeout).Should(gbytes.Say("Suspecting our own eviction from the channel")) - } - - //we removed caCert a few steps before and now consensus metadata is invalid bacause orderer3's cert is signed by unknown authority. - By("Adding orderer3's TLS root CA certificate back after removal") - nwo.UpdateOrdererMSP(network, peer, orderer, "systemchannel", "OrdererOrg", func(config msp.FabricMSPConfig) msp.FabricMSPConfig { - config.TlsRootCerts = append(config.TlsRootCerts, caCert) - return config - }) - By("Attemping to add a consenter with invalid certs") // create new certs that are not in the channel config ca, err := tlsgen.NewCA() diff --git a/orderer/consensus/etcdraft/chain.go b/orderer/consensus/etcdraft/chain.go index 6aa064a2cf6..43abf8ab78f 100644 --- a/orderer/consensus/etcdraft/chain.go +++ b/orderer/consensus/etcdraft/chain.go @@ -1309,7 +1309,7 @@ func (c *Chain) ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig cha return errors.Wrap(err, "failed to unmarshal new etcdraft metadata configuration") } - verifyOpts, err := createX509VerifyOptions(oldOrdererConfig, newOrdererConfig) + verifyOpts, err := createX509VerifyOptions(newOrdererConfig) if err != nil { return errors.Wrapf(err, "failed to create x509 verify options from old and new orderer config") } diff --git a/orderer/consensus/etcdraft/consenter.go b/orderer/consensus/etcdraft/consenter.go index b6c376f3211..2880174f7f9 100644 --- a/orderer/consensus/etcdraft/consenter.go +++ b/orderer/consensus/etcdraft/consenter.go @@ -266,7 +266,7 @@ func (c *Consenter) IsChannelMember(joinBlock *common.Block) (bool, error) { return false, err } - verifyOpts, err := createX509VerifyOptions(oc, nil) + verifyOpts, err := createX509VerifyOptions(oc) if err != nil { return false, errors.Wrapf(err, "failed to create x509 verify options from orderer config") } diff --git a/orderer/consensus/etcdraft/util.go b/orderer/consensus/etcdraft/util.go index bc410e1c243..9e51b90b309 100644 --- a/orderer/consensus/etcdraft/util.go +++ b/orderer/consensus/etcdraft/util.go @@ -7,11 +7,8 @@ SPDX-License-Identifier: Apache-2.0 package etcdraft import ( - "bytes" - "crypto/sha1" "crypto/x509" "encoding/pem" - "fmt" "time" "github.com/golang/protobuf/proto" @@ -203,7 +200,7 @@ func ConsensusMetadataFromConfigBlock(block *common.Block) (*etcdraft.ConfigMeta // VerifyConfigMetadata validates Raft config metadata. // If x509.VerifyOpts is nil, it will do only sanity check of certificates. // If ignoreCertExpiration is true, it will verify certificate and ignore expiration errors. -func VerifyConfigMetadata(metadata *etcdraft.ConfigMetadata, verifyOpts *x509.VerifyOptions, ignoreCertExpiration bool) error { +func VerifyConfigMetadata(metadata *etcdraft.ConfigMetadata, verifyOpts x509.VerifyOptions, ignoreCertExpiration bool) error { if metadata == nil { // defensive check. this should not happen as CheckConfigMetadata // should always be called with non-nil config metadata @@ -284,106 +281,30 @@ func parseCertificateListFromBytes(certs [][]byte) ([]*x509.Certificate, error) return certificateList, nil } -func getCertFingerprint(cert *x509.Certificate) (string, error) { - fingerprint := sha1.Sum(cert.Raw) - var buf bytes.Buffer - for i, f := range fingerprint { - if i > 0 { - if _, err := fmt.Fprintf(&buf, ":"); err != nil { - return "", errors.Wrapf(err, "building fingerprint of %s", cert.Raw) - } - } - - if _, err := fmt.Fprintf(&buf, "%02X", f); err != nil { - return "", errors.Wrapf(err, "building fingerprint of %s", cert.Raw) - } - } - - return buf.String(), nil -} - -func createX509VerifyOptions(oldOrdererConfig, newOrdererConfig channelconfig.Orderer) (*x509.VerifyOptions, error) { +func createX509VerifyOptions(ordererConfig channelconfig.Orderer) (x509.VerifyOptions, error) { tlsRoots := x509.NewCertPool() tlsIntermediates := x509.NewCertPool() - tlsRootsMap := make(map[string]*x509.Certificate) - tlsIntermediatesMap := make(map[string]*x509.Certificate) - - if oldOrdererConfig != nil { - for _, org := range oldOrdererConfig.Organizations() { - rootCerts, err := parseCertificateListFromBytes(org.MSP().GetTLSRootCerts()) - if err != nil { - return nil, errors.Wrap(err, "parsing tls root certs") - } - intermediateCerts, err := parseCertificateListFromBytes(org.MSP().GetTLSIntermediateCerts()) - if err != nil { - return nil, errors.Wrap(err, "parsing tls intermediate certs") - } - - for _, cert := range rootCerts { - fingerprint, err := getCertFingerprint(cert) - if err != nil { - return nil, errors.WithStack(err) - } - - if _, exists := tlsRootsMap[fingerprint]; !exists { - tlsRoots.AddCert(cert) - tlsRootsMap[fingerprint] = cert - } - } - - for _, cert := range intermediateCerts { - fingerprint, err := getCertFingerprint(cert) - if err != nil { - return nil, errors.WithStack(err) - } - - if _, exists := tlsIntermediatesMap[fingerprint]; !exists { - tlsIntermediates.AddCert(cert) - tlsIntermediatesMap[fingerprint] = cert - } - } + for _, org := range ordererConfig.Organizations() { + rootCerts, err := parseCertificateListFromBytes(org.MSP().GetTLSRootCerts()) + if err != nil { + return x509.VerifyOptions{}, errors.Wrap(err, "parsing tls root certs") + } + intermediateCerts, err := parseCertificateListFromBytes(org.MSP().GetTLSIntermediateCerts()) + if err != nil { + return x509.VerifyOptions{}, errors.Wrap(err, "parsing tls intermediate certs") } - } - - if newOrdererConfig != nil { - for _, org := range newOrdererConfig.Organizations() { - rootCerts, err := parseCertificateListFromBytes(org.MSP().GetTLSRootCerts()) - if err != nil { - return nil, errors.Wrap(err, "parsing tls root certs") - } - intermediateCerts, err := parseCertificateListFromBytes(org.MSP().GetTLSIntermediateCerts()) - if err != nil { - return nil, errors.Wrap(err, "parsing tls intermediate certs") - } - - for _, cert := range rootCerts { - fingerprint, err := getCertFingerprint(cert) - if err != nil { - return nil, errors.WithStack(err) - } - - if _, exists := tlsRootsMap[fingerprint]; !exists { - tlsRoots.AddCert(cert) - tlsRootsMap[fingerprint] = cert - } - } - for _, cert := range intermediateCerts { - fingerprint, err := getCertFingerprint(cert) - if err != nil { - return nil, errors.WithStack(err) - } + for _, cert := range rootCerts { + tlsRoots.AddCert(cert) + } - if _, exists := tlsIntermediatesMap[fingerprint]; !exists { - tlsIntermediates.AddCert(cert) - tlsIntermediatesMap[fingerprint] = cert - } - } + for _, cert := range intermediateCerts { + tlsIntermediates.AddCert(cert) } } - return &x509.VerifyOptions{ + return x509.VerifyOptions{ Roots: tlsRoots, Intermediates: tlsIntermediates, KeyUsages: []x509.ExtKeyUsage{ @@ -393,8 +314,8 @@ func createX509VerifyOptions(oldOrdererConfig, newOrdererConfig channelconfig.Or }, nil } -//validateConsenterTLSCerts decodes PEM cert, parses and validates it. If opts is nil, then only sanity check is done. -func validateConsenterTLSCerts(c *etcdraft.Consenter, opts *x509.VerifyOptions, ignoreExpiration bool) error { +//validateConsenterTLSCerts decodes PEM cert, parses and validates it. +func validateConsenterTLSCerts(c *etcdraft.Consenter, opts x509.VerifyOptions, ignoreExpiration bool) error { clientCert, err := parseCertificateFromBytes(c.ClientTlsCert) if err != nil { return errors.Wrapf(err, "parsing tls client cert of %s:%d", c.Host, c.Port) @@ -405,24 +326,20 @@ func validateConsenterTLSCerts(c *etcdraft.Consenter, opts *x509.VerifyOptions, return errors.Wrapf(err, "parsing tls server cert of %s:%d", c.Host, c.Port) } - if opts != nil { - verifyOpts := *opts - - var verify = func(certType string, cert *x509.Certificate, opts x509.VerifyOptions) error { - if _, err := clientCert.Verify(verifyOpts); err != nil { - if validationRes, ok := err.(x509.CertificateInvalidError); !ok || (!ignoreExpiration || validationRes.Reason != x509.Expired) { - return errors.Errorf("verifying tls %s cert with serial number %d: %v", certType, clientCert.SerialNumber, err) - } + var verify = func(certType string, cert *x509.Certificate, opts x509.VerifyOptions) error { + if _, err := clientCert.Verify(opts); err != nil { + if validationRes, ok := err.(x509.CertificateInvalidError); !ok || (!ignoreExpiration || validationRes.Reason != x509.Expired) { + return errors.Errorf("verifying tls %s cert with serial number %d: %v", certType, clientCert.SerialNumber, err) } - return nil } + return nil + } - if err := verify("client", clientCert, verifyOpts); err != nil { - return err - } - if err := verify("server", serverCert, verifyOpts); err != nil { - return err - } + if err := verify("client", clientCert, opts); err != nil { + return err + } + if err := verify("server", serverCert, opts); err != nil { + return err } return nil diff --git a/orderer/consensus/etcdraft/util_test.go b/orderer/consensus/etcdraft/util_test.go index b651aae1add..108dbb81c60 100644 --- a/orderer/consensus/etcdraft/util_test.go +++ b/orderer/consensus/etcdraft/util_test.go @@ -161,7 +161,7 @@ func TestVerifyConfigMetadata(t *testing.T) { rootCertPool := x509.NewCertPool() rootCertPool.AddCert(caRootCert) - goodVerifyingOpts := &x509.VerifyOptions{ + goodVerifyingOpts := x509.VerifyOptions{ Roots: rootCertPool, KeyUsages: []x509.ExtKeyUsage{ x509.ExtKeyUsageClientAuth, @@ -182,7 +182,7 @@ func TestVerifyConfigMetadata(t *testing.T) { for _, testCase := range []struct { description string metadata *etcdraftproto.ConfigMetadata - verifyOpts *x509.VerifyOptions + verifyOpts x509.VerifyOptions errRegex string }{ { @@ -336,7 +336,7 @@ func TestVerifyConfigMetadata(t *testing.T) { singleConsenter, }, }, - verifyOpts: &x509.VerifyOptions{}, + verifyOpts: x509.VerifyOptions{}, errRegex: "certificate signed by unknown authority", }, } { @@ -354,7 +354,7 @@ func TestVerifyConfigMetadata(t *testing.T) { tlsClientCert, err := ioutil.ReadFile(filepath.Join(ca1Dir, "client3.pem")) require.Nil(t, err) - expiredCertVerifyOpts := *goodVerifyingOpts + expiredCertVerifyOpts := goodVerifyingOpts expiredCertVerifyOpts.Roots.AddCert(tlsCaCert) consenterWithExpiredCerts := &etcdraftproto.Consenter{ Host: "host1", @@ -370,6 +370,6 @@ func TestVerifyConfigMetadata(t *testing.T) { }, } - require.Nil(t, VerifyConfigMetadata(medatadaWithExpiredConsenter, &expiredCertVerifyOpts, true)) - require.NotNil(t, VerifyConfigMetadata(medatadaWithExpiredConsenter, &expiredCertVerifyOpts, false)) + require.Nil(t, VerifyConfigMetadata(medatadaWithExpiredConsenter, expiredCertVerifyOpts, true)) + require.NotNil(t, VerifyConfigMetadata(medatadaWithExpiredConsenter, expiredCertVerifyOpts, false)) } diff --git a/orderer/consensus/etcdraft/validator_test.go b/orderer/consensus/etcdraft/validator_test.go index b10fb51ce3a..90ff53ab094 100644 --- a/orderer/consensus/etcdraft/validator_test.go +++ b/orderer/consensus/etcdraft/validator_test.go @@ -122,14 +122,14 @@ var _ = Describe("Metadata Validation", func() { Context("valid old consensus metadata", func() { var ( - newMetadata *etcdraftproto.ConfigMetadata + metadata etcdraftproto.ConfigMetadata oldOrdererConfig *mocks.OrdererConfig newOrdererConfig *mocks.OrdererConfig newChannel bool ) BeforeEach(func() { - oldMetadata := &etcdraftproto.ConfigMetadata{ + metadata = etcdraftproto.ConfigMetadata{ Options: &etcdraftproto.Options{ TickInterval: "500ms", ElectionTick: 10, @@ -158,22 +158,30 @@ var _ = Describe("Metadata Validation", func() { }, }, } - newMetadata = oldMetadata - oldBytes, _ := proto.Marshal(oldMetadata) + + oldBytes, err := proto.Marshal(&metadata) + Expect(err).NotTo(HaveOccurred()) oldOrdererConfig = mockOrderer(oldBytes) org1 := makeOrdererOrg(tlsCA.CertBytes()) oldOrdererConfig.OrganizationsReturns(map[string]channelconfig.OrdererOrg{ "org1": org1, }) + newOrdererConfig = mockOrderer(oldBytes) + newOrdererConfig.OrganizationsReturns(map[string]channelconfig.OrdererOrg{ + "org1": org1, + }) + newChannel = false }) It("fails when new consensus metadata has invalid options", func() { // NOTE: we are not checking all failures here since tests for CheckConfigMetadata does that + newMetadata := metadata newMetadata.Options.TickInterval = "" - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).NotTo(Succeed()) }) @@ -183,44 +191,52 @@ var _ = Describe("Metadata Validation", func() { }) It("fails when the new consenters are an empty set", func() { + newMetadata := metadata newMetadata.Consenters = []*etcdraftproto.Consenter{} - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).NotTo(Succeed()) }) It("succeeds when the new consenters are the same as the existing consenters", func() { - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newMetadata := metadata + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).To(Succeed()) }) It("succeeds when the new consenters are a subset of the existing consenters", func() { + newMetadata := metadata newMetadata.Consenters = newMetadata.Consenters[:2] - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).To(Succeed()) }) It("fails when the new consenters are not a subset of the existing consenters", func() { + newMetadata := metadata newMetadata.Consenters[2].ClientTlsCert = clientTLSCert(tlsCA) - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).NotTo(Succeed()) }) It("fails when the new consenter has certificate which not signed by any CA of an orderer org", func() { anotherCa, err := tlsgen.NewCA() Expect(err).NotTo(HaveOccurred()) + newMetadata := metadata newMetadata.Consenters[2].ClientTlsCert = clientTLSCert(anotherCa) - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).NotTo(Succeed()) }) It("succeeds when the new consenters are a subset of the system consenters and certificates signed by MSP participant on a channel", func() { - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).To(Succeed()) }) }) @@ -232,32 +248,39 @@ var _ = Describe("Metadata Validation", func() { }) It("fails when the new consenters are an empty set", func() { + newMetadata := metadata // NOTE: This also takes care of the case when we remove node from a singleton consenter set newMetadata.Consenters = []*etcdraftproto.Consenter{} - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).NotTo(Succeed()) }) It("succeeds when the new consenters are the same as the existing consenters", func() { - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newMetadata := metadata + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).To(Succeed()) }) It("succeeds on addition of a single consenter", func() { + newMetadata := metadata newMetadata.Consenters = append(newMetadata.Consenters, &etcdraftproto.Consenter{ Host: "host4", Port: 10004, ClientTlsCert: clientTLSCert(tlsCA), ServerTlsCert: serverTLSCert(tlsCA), }) - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).To(Succeed()) }) It("fails on addition of more than one consenter", func() { + newMetadata := metadata newMetadata.Consenters = append(newMetadata.Consenters, &etcdraftproto.Consenter{ Host: "host4", @@ -272,50 +295,61 @@ var _ = Describe("Metadata Validation", func() { ServerTlsCert: serverTLSCert(tlsCA), }, ) - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).NotTo(Succeed()) }) It("succeeds on removal of a single consenter", func() { + newMetadata := metadata newMetadata.Consenters = newMetadata.Consenters[:2] - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).To(Succeed()) }) It("fails on removal of more than one consenter", func() { + newMetadata := metadata newMetadata.Consenters = newMetadata.Consenters[:1] - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).NotTo(Succeed()) }) It("succeeds on rotating certs in case of both addition and removal of a node each to reuse the raft NodeId", func() { + newMetadata := metadata newMetadata.Consenters = append(newMetadata.Consenters[:2], &etcdraftproto.Consenter{ Host: "host4", Port: 10004, ClientTlsCert: clientTLSCert(tlsCA), ServerTlsCert: serverTLSCert(tlsCA), }) - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).To(Succeed()) }) It("succeeds on removal of inactive node in 2/3 cluster", func() { chain.ActiveNodes.Store([]uint64{1, 2}) + newMetadata := metadata newMetadata.Consenters = newMetadata.Consenters[:2] - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).To(Succeed()) }) It("fails on removal of active node in 2/3 cluster", func() { chain.ActiveNodes.Store([]uint64{1, 2}) + newMetadata := metadata newMetadata.Consenters = newMetadata.Consenters[1:] - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).To( MatchError("2 out of 3 nodes are alive, configuration will result in quorum loss")) }) @@ -349,9 +383,11 @@ var _ = Describe("Metadata Validation", func() { It("succeeds on removal of inactive node in 2/3 cluster", func() { chain.ActiveNodes.Store([]uint64{2, 3}) // 4 is inactive + newMetadata := metadata newMetadata.Consenters = newMetadata.Consenters[:2] - newBytes, _ := proto.Marshal(newMetadata) - newOrdererConfig = mockOrderer(newBytes) + newBytes, err := proto.Marshal(&newMetadata) + Expect(err).NotTo(HaveOccurred()) + newOrdererConfig.ConsensusMetadataReturns(newBytes) Expect(chain.ValidateConsensusMetadata(oldOrdererConfig, newOrdererConfig, newChannel)).To(Succeed()) }) })