[FAB-2007] Gossip: External and internal endpoints IV

In the previous commit we extended the comm layer to support deep scanning
of remote peers in order to know whether anchor peers are indeed
in the organization it is claimed (in the genesis block) they are.

This commit connects between the gossip join-channel logic and this
capability into the discovery layer, and makes the gossip logic
pass a predicate into the Connect() method of the discovery layer that
determines at runtime (as soon as the remote peer is available) - whether
the anchor peer is indeed in our organization or not.

Also changed the test in a way to check that such a spoofing doesn't work
anymore:
I added a 3rd anchor peer which is from orgB but is claimed to be in orgA.

When I ran the test, it passed and the gossip code complained as follows:
----------------------------------------------------------
WARN 007 Anchor peer localhost:11616 isn't in our org, but is claimed to be

Signed-off-by: Yacov Manevich <[email protected]>
Change-Id: I2d92628cc5428cc4194a0f3909eb13562b7588a4

Author: yacovm

gossip/discovery/discovery.go

@@ -117,6 +117,6 @@ type Discovery interface {
 
 	// Connect makes this instance to connect to a remote instance
 	// The sendInternalEndpoint param determines whether or not
-	// to include the internal endpoint in the membership request.
-	Connect(member NetworkMember, sendInternalEndpoint bool)
+	// to include the internal endpoint in the membership request,
+	Connect(member NetworkMember, sendInternalEndpoint func() bool)
 }

gossip/discovery/discovery_impl.go

@@ -132,18 +132,17 @@ func (d *gossipDiscoveryImpl) Lookup(PKIID common.PKIidType) *NetworkMember {
 	return nm
 }
 
-func (d *gossipDiscoveryImpl) Connect(member NetworkMember, sendInternalEndpoint bool) {
+func (d *gossipDiscoveryImpl) Connect(member NetworkMember, sendInternalEndpoint func() bool) {
 	d.logger.Debug("Entering", member)
 	defer d.logger.Debug("Exiting")
 
-	req := d.createMembershipRequest(sendInternalEndpoint).NoopSign()
-
 	go func() {
 		for i := 0; i < maxConnectionAttempts && !d.toDie(); i++ {
 			peer := &NetworkMember{
 				InternalEndpoint: member.InternalEndpoint,
 				Endpoint:         member.Endpoint,
 			}
+
 			if !d.comm.Ping(peer) {
 				if d.toDie() {
 					return
@@ -152,6 +151,7 @@ func (d *gossipDiscoveryImpl) Connect(member NetworkMember, sendInternalEndpoint
 				time.Sleep(getReconnectInterval())
 				continue
 			}
+			req := d.createMembershipRequest(sendInternalEndpoint()).NoopSign()
 			d.comm.SendToPeer(peer, req)
 			return
 		}

gossip/discovery/discovery_test.go

@@ -355,7 +355,7 @@ func TestConnect(t *testing.T) {
 		j := (i + 1) % 10
 		endpoint := fmt.Sprintf("localhost:%d", 7611+j)
 		netMember2Connect2 := NetworkMember{Endpoint: endpoint, PKIid: []byte(endpoint)}
-		inst.Connect(netMember2Connect2, false)
+		inst.Connect(netMember2Connect2, func() bool { return false })
 	}
 
 	time.Sleep(time.Second * 3)

gossip/gossip/gossip_impl.go

@@ -196,8 +196,22 @@ func (g *gossipServiceImpl) JoinChan(joinMsg api.JoinChannelMessage, chainID com
 			g.logger.Infof("Anchor peer %s:%d isn't in our org(%v) and we have no external endpoint, skipping", ap.Host, ap.Port, string(ap.OrgID))
 			continue
 		}
+		anchorPeerOrg := ap.OrgID
+		isInOurOrg := func() bool {
+			identity, err := g.comm.Handshake(&comm.RemotePeer{Endpoint: endpoint})
+			if err != nil {
+				g.logger.Warning("Deep probe of", endpoint, "failed:", err)
+				return false
+			}
+			isAnchorPeerInMyOrg := bytes.Equal(g.selfOrg, g.secAdvisor.OrgByPeerIdentity(identity))
+			if bytes.Equal(anchorPeerOrg, g.selfOrg) && !isAnchorPeerInMyOrg {
+				g.logger.Warning("Anchor peer", endpoint, "isn't in our org, but is claimed to be")
+			}
+			return isAnchorPeerInMyOrg
+		}
+
 		g.disc.Connect(discovery.NetworkMember{
-			InternalEndpoint: endpoint, Endpoint: endpoint}, inOurOrg)
+			InternalEndpoint: endpoint, Endpoint: endpoint}, isInOurOrg)
 	}
 }
 

gossip/gossip/orgs_test.go

@@ -195,6 +195,7 @@ func TestMultipleOrgEndpointLeakage(t *testing.T) {
 		anchorPeers: []api.AnchorPeer{
 			{Host: "localhost", Port: 11611, OrgID: api.OrgIdentityType(orgA)},
 			{Host: "localhost", Port: 11615, OrgID: api.OrgIdentityType(orgB)},
+			{Host: "localhost", Port: 11616, OrgID: api.OrgIdentityType(orgA)},
 		},
 	}