From fd218eb650c9c97ba6f4a9ca9c4c21f8ad857fb6 Mon Sep 17 00:00:00 2001
From: denyeart
Date: Tue, 15 Jun 2021 16:06:40 -0400
Subject: [PATCH] Clarify "identity expired" error messages (#2685)
Peer and Orderer have several "identity expired" error messages. Clarify error messages to indicate which identity has expired.
Signed-off-by: David Enyeart
---
 common/deliver/acl.go | 2 +-
 common/deliver/acl_test.go | 2 +-
 core/handlers/auth/filter/expiration.go | 2 +-
 core/handlers/auth/filter/expiration_test.go | 2 +-
 gossip/identity/identity.go | 2 +-
 gossip/identity/identity_test.go | 2 +-
 integration/raft/cft_test.go | 4 ++--
 orderer/common/msgprocessor/expiration.go | 2 +-
 orderer/common/msgprocessor/expiration_test.go | 2 +-
 9 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/common/deliver/acl.go b/common/deliver/acl.go
index 6f704a60b91..5a2469efb87 100644
--- a/common/deliver/acl.go
+++ b/common/deliver/acl.go
@@ -57,7 +57,7 @@ type SessionAccessControl struct {
 // changes.
 func (ac *SessionAccessControl) Evaluate() error {
 if !ac.sessionEndTime.IsZero() && time.Now().After(ac.sessionEndTime) {
- return errors.Errorf("client identity expired %v before", time.Since(ac.sessionEndTime))
+ return errors.Errorf("deliver client identity expired %v before", time.Since(ac.sessionEndTime))
 }
 policyCheckNeeded := !ac.usedAtLeastOnce
diff --git a/common/deliver/acl_test.go b/common/deliver/acl_test.go
index d7204d4b578..33f529155a1 100644
--- a/common/deliver/acl_test.go
+++ b/common/deliver/acl_test.go
@@ -116,7 +116,7 @@ var _ = Describe("SessionAccessControl", func() {
 err = sac.Evaluate()
 Expect(err).NotTo(HaveOccurred())
- Eventually(sac.Evaluate).Should(MatchError(ContainSubstring("client identity expired")))
+ Eventually(sac.Evaluate).Should(MatchError(ContainSubstring("deliver client identity expired")))
 })
 })
diff --git a/core/handlers/auth/filter/expiration.go b/core/handlers/auth/filter/expiration.go
index d201803140f..71f1ef524ba 100644
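Review bot: The reworded message in Evaluate (common/deliver/acl.go) still ends in "expired %v before", which reads as an unfinished sentence once the duration is substituted, for example "expired 5s before". Since the line is being touched anyway, `return errors.Errorf("deliver client identity expired %v ago", time.Since(ac.sessionEndTime))` keeps the substring the updated tests match on and is unambiguous when it shows up in logs. Evaluate's body continues past the end of the hunk.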
--- a/core/handlers/auth/filter/expiration.go
+++ b/core/handlers/auth/filter/expiration.go
@@ -48,7 +48,7 @@ func validateProposal(signedProp *peer.SignedProposal) error {
 }
 expirationTime := crypto.ExpiresAt(sh.Creator)
 if !expirationTime.IsZero() && time.Now().After(expirationTime) {
- return errors.New("identity expired")
+ return errors.New("proposal client identity expired")
 }
 return nil
 }
diff --git a/core/handlers/auth/filter/expiration_test.go b/core/handlers/auth/filter/expiration_test.go
index 477b17f547a..ddefff67bca 100644
--- a/core/handlers/auth/filter/expiration_test.go
+++ b/core/handlers/auth/filter/expiration_test.go
@@ -95,7 +95,7 @@ func TestExpirationCheckFilter(t *testing.T) {
 // Scenario I: Expired x509 identity
 sp := createValidSignedProposal(t, createX509Identity(t, "expiredCert.pem"))
 _, err := auth.ProcessProposal(context.Background(), sp)
- require.Equal(t, err.Error(), "identity expired")
+ require.Equal(t, err.Error(), "proposal client identity expired")
 require.False(t, nextEndorser.invoked)
 // Scenario II: Not expired x509 identity
diff --git a/gossip/identity/identity.go b/gossip/identity/identity.go
index 02cac9a6ebf..103206ea771 100644
--- a/gossip/identity/identity.go
+++ b/gossip/identity/identity.go
@@ -133,7 +133,7 @@ func (is *identityMapperImpl) Put(pkiID common.PKIidType, identity api.PeerIdent
 var expirationTimer *time.Timer
 if !expirationDate.IsZero() {
 if time.Now().After(expirationDate) {
- return errors.New("identity expired")
+ return errors.New("gossipping peer identity expired")
 }
 // Identity would be wiped out a millisecond after its expiration date
 timeToLive := time.Until(expirationDate.Add(time.Millisecond))
diff --git a/gossip/identity/identity_test.go b/gossip/identity/identity_test.go
index 39b3a47c6a8..28da61c0ac5 100644
--- a/gossip/identity/identity_test.go
+++ b/gossip/identity/identity_test.go
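Review bot: The new text in validateProposal (core/handlers/auth/filter/expiration.go) names the caller's role but still not when the certificate expired, although `expirationTime` is in scope a few lines above; the deliver message in common/deliver/acl.go already carries the elapsed time. Appending it, e.g. `return errors.Errorf("proposal client identity expired at %v", expirationTime)`, would let an operator triaging rejected requests tell a certificate that lapsed moments ago (or a clock-skew problem) from one that has been expired for months. This assumes the file's `errors` import provides Errorf as the one in acl.go does, and the exact-match assertion in expiration_test.go would then need to become a substring check. The same applies to `expirationDate` in gossip/identity/identity.go and `expirationTime` in orderer/common/msgprocessor/expiration.go; only the tail of validateProposal is visible in this hunk.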
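Review bot: In core/handlers/auth/filter/expiration_test.go, `require.Equal(t, err.Error(), "proposal client identity expired")` dereferences err without first asserting it is non-nil, so if ProcessProposal ever stops rejecting the expired certificate the test panics instead of failing with a readable message. The arguments are also in actual/expected order, which makes the failure output misleading. `require.EqualError(t, err, "proposal client identity expired")` covers both. The assertion in orderer/common/msgprocessor/expiration_test.go has the same argument order (there it is guarded by require.Error), and gossip/identity/identity_test.go also calls err.Error() unguarded. TestExpirationCheckFilter continues outside the hunk.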
@@ -268,7 +268,7 @@ func TestExpiration(t *testing.T) {
 err := idStore.Put(x509PkiID, x509Identity)
 require.NoError(t, err)
 err = idStore.Put(expiredX509PkiID, expiredX509Identity)
- require.Equal(t, "identity expired", err.Error())
+ require.Equal(t, "gossipping peer identity expired", err.Error())
 err = idStore.Put(nonX509PkiID, nonX509Identity)
 require.NoError(t, err)
 err = idStore.Put(notSupportedPkiID, notSupportedIdentity)
diff --git a/integration/raft/cft_test.go b/integration/raft/cft_test.go
index 59337e88ffa..cfc35567d63 100644
--- a/integration/raft/cft_test.go
+++ b/integration/raft/cft_test.go
@@ -724,7 +724,7 @@ var _ = Describe("EndToEnd Crash Fault Tolerance", func() {
 p, err := ordererclient.Broadcast(network, orderer, channelCreateTxn)
 Expect(err).NotTo(HaveOccurred())
 Expect(p.Status).To(Equal(common.Status_BAD_REQUEST))
- Expect(p.Info).To(ContainSubstring("identity expired"))
+ Expect(p.Info).To(ContainSubstring("broadcast client identity expired"))
 By("Attempting to fetch a block from orderer and failing")
 denv := CreateDeliverEnvelope(network, orderer, 0, network.SystemChannel.Name)
@@ -733,7 +733,7 @@ var _ = Describe("EndToEnd Crash Fault Tolerance", func() {
 block, err := ordererclient.Deliver(network, orderer, denv)
 Expect(err).To(HaveOccurred())
 Expect(block).To(BeNil())
- Eventually(runner.Err(), time.Minute, time.Second).Should(gbytes.Say("client identity expired"))
+ Eventually(runner.Err(), time.Minute, time.Second).Should(gbytes.Say("deliver client identity expired"))
 By("Killing orderer")
 ordererProc.Signal(syscall.SIGTERM)
diff --git a/orderer/common/msgprocessor/expiration.go b/orderer/common/msgprocessor/expiration.go
index fc6b68224b9..89a131108af 100644
--- a/orderer/common/msgprocessor/expiration.go
+++ b/orderer/common/msgprocessor/expiration.go
@@ -50,5 +50,5 @@ func (exp *expirationRejectRule) Apply(message *common.Envelope) error {
 if expirationTime.IsZero() || time.Now().Before(expirationTime) {
 return nil
 }
- return errors.New("identity expired")
+ return errors.New("broadcast client identity expired")
 }
diff --git a/orderer/common/msgprocessor/expiration_test.go b/orderer/common/msgprocessor/expiration_test.go
index 1b5086ef021..c4adad44943 100644
--- a/orderer/common/msgprocessor/expiration_test.go
+++ b/orderer/common/msgprocessor/expiration_test.go
@@ -109,7 +109,7 @@ func TestExpirationRejectRule(t *testing.T) {
 mockCapabilities.ExpirationCheckReturns(true)
 err := NewExpirationRejectRule(mockResources).Apply(env)
 require.Error(t, err)
- require.Equal(t, err.Error(), "identity expired")
+ require.Equal(t, err.Error(), "broadcast client identity expired")
 mockCapabilities.ExpirationCheckReturns(false)
 err = NewExpirationRejectRule(mockResources).Apply(env)