Added log messages in access control and proof verification

sandeepnRES · sandeepnRES · commit 4a012bf0d2c0 · 2022-03-24T18:39:43.000+05:30
Signed-off-by: sandeep.nishad1 &lt;sandeep.nishad1@ibm.com&gt;
diff --git a/core/network/fabric-interop-cc/contracts/interop/access_control_cc.go b/core/network/fabric-interop-cc/contracts/interop/access_control_cc.go
@@ -137,15 +137,27 @@ func verifyAccessToCC(s *SmartContract, ctx contractapi.TransactionContextInterf
 			// TODO: Check if these will be the same format (Or convert to matching formats at some point)
 			// TODO: Need to use principalType and perform different validation for type "certificate" and "ca".
 			// Code below assumes that requestor's membership has already been authenticated earlier if the type is "ca"
-			if (rule.PrincipalType == "certificate" && query.Certificate == rule.Principal) ||
-				(rule.PrincipalType == "ca" && query.RequestingOrg == rule.Principal) {
+			if (rule.PrincipalType == "certificate" && query.Certificate == rule.Principal) {
 				// Break loop as cert is valid.
+				log.Infof("Access Control Policy PERMITS the request '%s' from '%s:%s'", viewAddressString, query.RequestingNetwork, query.Certificate)
+				return nil
+			}
+			if (rule.PrincipalType == "ca" && query.RequestingOrg == rule.Principal) {
+				// Break loop as cert is valid.
+				log.Infof("Access Control Policy PERMITS the request '%s' from '%s:%s'", viewAddressString, query.RequestingNetwork, query.RequestingOrg)
 				return nil
 			}
 		}
 
 	}
-	errorMessage := fmt.Sprintf("Access Control Policy DOES NOT PERMIT the following request: %s", viewAddressString)
+	var errorMessage string
+	if (query.Certificate != "") {
+        errorMessage = fmt.Sprintf("Access Control Policy DOES NOT PERMIT the request '%s' from '%s:%s'", viewAddressString, query.RequestingNetwork, query.Certificate)
+	} else if (query.RequestingOrg != "") {
+        errorMessage = fmt.Sprintf("Access Control Policy DOES NOT PERMIT the request '%s' from '%s:%s'", viewAddressString, query.RequestingNetwork, query.RequestingOrg)
+	} else {
+		errorMessage = fmt.Sprintf("Access Control Policy DOES NOT PERMIT the request '%s' from a foreign entity", viewAddressString)
+	}
 	log.Error(errorMessage)
 	return errors.New(errorMessage)
 
diff --git a/core/network/fabric-interop-cc/contracts/interop/write_external_state.go b/core/network/fabric-interop-cc/contracts/interop/write_external_state.go
@@ -70,6 +70,7 @@ func (s *SmartContract) ParseAndValidateView(ctx contractapi.TransactionContextI
 	// 1. Verify proof
 	err = s.VerifyView(ctx, b64ViewProto, address)
 	if err != nil {
+		log.Errorf("Proof obtained from foreign network for query '%s' is INVALID", address)
 		return nil, fmt.Errorf("VerifyView error: %s", err)
 	}
 
@@ -149,7 +150,7 @@ func (s *SmartContract) VerifyView(ctx contractapi.TransactionContextInterface,
 	case common.Meta_CORDA:
 		switch view.Meta.ProofType {
 		case "Notarization":
-			return verifyCordaNotarization(s, ctx, view.Data, verificationPolicy, addressStruct.LedgerSegment)
+			return verifyCordaNotarization(s, ctx, view.Data, verificationPolicy, addressStruct.LedgerSegment, address)
 		default:
 			return fmt.Errorf("Proof type not supported: %s", view.Meta.ProofType)
 		}
@@ -180,7 +181,7 @@ func (s *SmartContract) VerifyView(ctx contractapi.TransactionContextInterface,
 // 3. Verify each of the signatures in the Notarization array according to the data bytes and certificate.
 // 4. Check the certificates are valid according to the Membership.
 // 5. Check the notarizations fulfill the verification policy of the request.
-func verifyCordaNotarization(s *SmartContract, ctx contractapi.TransactionContextInterface, data []byte, verificationPolicy *common.Policy, securityDomain string) error {
+func verifyCordaNotarization(s *SmartContract, ctx contractapi.TransactionContextInterface, data []byte, verificationPolicy *common.Policy, securityDomain, address string) error {
 	var cordaViewData corda.ViewData
 	err := protoV2.Unmarshal(data, &cordaViewData)
 	if err != nil {
@@ -222,6 +223,7 @@ func verifyCordaNotarization(s *SmartContract, ctx contractapi.TransactionContex
 			return fmt.Errorf("Notarizations missing signer: %s", signer)
 		}
 	}
+	log.Infof("Proof associated with response '%s' from Corda network for query '%s' is VALID", string(cordaViewData.Payload), address)
 	return nil
 }
 
@@ -294,5 +296,6 @@ func verifyFabricNotarization(s *SmartContract, ctx contractapi.TransactionConte
 			return fmt.Errorf("Notarizations missing signer: %s", signer)
 		}
 	}
+	log.Infof("Proof associated with response '%s' from Fabric network for query '%s' is VALID", string(fabricViewData.Response.Payload), address)
 	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,7 @@ func (s *SmartContract) ParseAndValidateView(ctx contractapi.TransactionContextI`
`70`	`70`	`// 1. Verify proof`
`71`	`71`	`err = s.VerifyView(ctx, b64ViewProto, address)`
`72`	`72`	`if err != nil {`
	`73`	`+ log.Errorf("Proof obtained from foreign network for query '%s' is INVALID", address)`
`73`	`74`	`return nil, fmt.Errorf("VerifyView error: %s", err)`
`74`	`75`	`}`
`75`	`76`
`@@ -149,7 +150,7 @@ func (s *SmartContract) VerifyView(ctx contractapi.TransactionContextInterface,`
`149`	`150`	`case common.Meta_CORDA:`
`150`	`151`	`switch view.Meta.ProofType {`
`151`	`152`	`case "Notarization":`
`152`		`- return verifyCordaNotarization(s, ctx, view.Data, verificationPolicy, addressStruct.LedgerSegment)`
	`153`	`+ return verifyCordaNotarization(s, ctx, view.Data, verificationPolicy, addressStruct.LedgerSegment, address)`
`153`	`154`	`default:`
`154`	`155`	`return fmt.Errorf("Proof type not supported: %s", view.Meta.ProofType)`
`155`	`156`	`}`
`@@ -180,7 +181,7 @@ func (s *SmartContract) VerifyView(ctx contractapi.TransactionContextInterface,`
`180`	`181`	`// 3. Verify each of the signatures in the Notarization array according to the data bytes and certificate.`
`181`	`182`	`// 4. Check the certificates are valid according to the Membership.`
`182`	`183`	`// 5. Check the notarizations fulfill the verification policy of the request.`
`183`		`-func verifyCordaNotarization(s SmartContract, ctx contractapi.TransactionContextInterface, data []byte, verificationPolicy common.Policy, securityDomain string) error {`
	`184`	`+func verifyCordaNotarization(s SmartContract, ctx contractapi.TransactionContextInterface, data []byte, verificationPolicy common.Policy, securityDomain, address string) error {`
`184`	`185`	`var cordaViewData corda.ViewData`
`185`	`186`	`err := protoV2.Unmarshal(data, &cordaViewData)`
`186`	`187`	`if err != nil {`
`@@ -222,6 +223,7 @@ func verifyCordaNotarization(s *SmartContract, ctx contractapi.TransactionContex`
`222`	`223`	`return fmt.Errorf("Notarizations missing signer: %s", signer)`
`223`	`224`	`}`
`224`	`225`	`}`
	`226`	`+ log.Infof("Proof associated with response '%s' from Corda network for query '%s' is VALID", string(cordaViewData.Payload), address)`
`225`	`227`	`return nil`
`226`	`228`	`}`
`227`	`229`
`@@ -294,5 +296,6 @@ func verifyFabricNotarization(s *SmartContract, ctx contractapi.TransactionConte`
`294`	`296`	`return fmt.Errorf("Notarizations missing signer: %s", signer)`
`295`	`297`	`}`
`296`	`298`	`}`
	`299`	`+ log.Infof("Proof associated with response '%s' from Fabric network for query '%s' is VALID", string(fabricViewData.Response.Payload), address)`
`297`	`300`	`return nil`
`298`	`301`	`}`