Merge "[FAB-3698] def inst. policy needs to include channel"

khusnetdinov · May 8, 2017 · e182390 · e182390
2 parents 82277c8 + 84ea4a7
commit e182390
Show file tree

Hide file tree

Showing 10 changed files with 111 additions and 37 deletions.
diff --git a/common/cauthdsl/cauthdsl_builder.go b/common/cauthdsl/cauthdsl_builder.go
@@ -113,10 +113,8 @@ func SignedByMspAdmin(mspId string) *cb.SignaturePolicyEnvelope {
 	return p
 }
 
-// SignedByAnyMember returns a policy that requires one valid
-// signature from a member of any of the orgs whose ids are
-// listed in the supplied string array
-func SignedByAnyMember(ids []string) []byte {
+//wrapper for generating "any of a given role" type policies
+func signedByAnyOfGivenRole(role msp.MSPRole_MSPRoleType, ids []string) *cb.SignaturePolicyEnvelope {
 	// we create an array of principals, one principal
 	// per application MSP defined on this chain
 	sort.Strings(ids)
@@ -125,7 +123,7 @@ func SignedByAnyMember(ids []string) []byte {
 	for i, id := range ids {
 		principals[i] = &msp.MSPPrincipal{
 			PrincipalClassification: msp.MSPPrincipal_ROLE,
-			Principal:               utils.MarshalOrPanic(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: id})}
+			Principal:               utils.MarshalOrPanic(&msp.MSPRole{Role: role, MspIdentifier: id})}
 		sigspolicy[i] = SignedBy(int32(i))
 	}
 
@@ -136,7 +134,21 @@ func SignedByAnyMember(ids []string) []byte {
 		Identities: principals,
 	}
 
-	return utils.MarshalOrPanic(p)
+	return p
+}
+
+// SignedByAnyMember returns a policy that requires one valid
+// signature from a member of any of the orgs whose ids are
+// listed in the supplied string array
+func SignedByAnyMember(ids []string) *cb.SignaturePolicyEnvelope {
+	return signedByAnyOfGivenRole(msp.MSPRole_MEMBER, ids)
+}
+
+// SignedByAnyAdmin returns a policy that requires one valid
+// signature from a admin of any of the orgs whose ids are
+// listed in the supplied string array
+func SignedByAnyAdmin(ids []string) *cb.SignaturePolicyEnvelope {
+	return signedByAnyOfGivenRole(msp.MSPRole_ADMIN, ids)
 }
 
 // And is a convenience method which utilizes NOutOf to produce And equivalent behavior

diff --git a/core/chaincode/exectransaction_test.go b/core/chaincode/exectransaction_test.go
@@ -69,6 +69,12 @@ func initPeer(chainIDs ...string) (net.Listener, error) {
 
 	peer.MockInitialize()
 
+	mspGetter := func(cid string) []string {
+		return []string{"DEFAULT"}
+	}
+
+	peer.MockSetMSPIDGetter(mspGetter)
+
 	var opts []grpc.ServerOption
 	if viper.GetBool("peer.tls.enabled") {
 		creds, err := credentials.NewServerTLSFromFile(config.GetPath("peer.tls.cert.file"), config.GetPath("peer.tls.key.file"))

diff --git a/core/chaincode/systemchaincode_test.go b/core/chaincode/systemchaincode_test.go
@@ -51,6 +51,12 @@ func initSysCCTests() (*oldSysCCInfo, net.Listener, error) {
 
 	peer.MockInitialize()
 
+	mspGetter := func(cid string) []string {
+		return []string{"DEFAULT"}
+	}
+
+	peer.MockSetMSPIDGetter(mspGetter)
+
 	//use a different address than what we usually use for "peer"
 	//we override the peerAddress set in chaincode_support.go
 	// FIXME: Use peer.GetLocalAddress()

diff --git a/core/committer/txvalidator/validator.go b/core/committer/txvalidator/validator.go
@@ -361,6 +361,7 @@ func (v *vsccValidatorImpl) GetInfoForValidate(txid, chID, ccID string) (*sysccp
 	cc := &sysccprovider.ChaincodeInstance{ChainID: chID}
 	vscc := &sysccprovider.ChaincodeInstance{ChainID: chID}
 	var policy []byte
+	var err error
 	if ccID != "lscc" {
 		// when we are validating any chaincode other than
 		// LSCC, we need to ask LSCC to give us the name
@@ -383,7 +384,11 @@ func (v *vsccValidatorImpl) GetInfoForValidate(txid, chID, ccID string) (*sysccp
 		cc.ChaincodeName = "lscc"
 		cc.ChaincodeVersion = coreUtil.GetSysCCVersion()
 		vscc.ChaincodeName = "vscc"
-		policy = cauthdsl.SignedByAnyMember(v.support.GetMSPIDs(chID))
+		p := cauthdsl.SignedByAnyMember(v.support.GetMSPIDs(chID))
+		policy, err = utils.Marshal(p)
+		if err != nil {
+			return nil, nil, nil, err
+		}
 	}
 
 	// Get vscc version

diff --git a/core/committer/txvalidator/validator_test.go b/core/committer/txvalidator/validator_test.go
@@ -43,6 +43,11 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+func signedByAnyMember(ids []string) []byte {
+	p := cauthdsl.SignedByAnyMember(ids)
+	return utils.MarshalOrPanic(p)
+}
+
 func setupLedgerAndValidator(t *testing.T) (ledger.PeerLedger, Validator) {
 	viper.Set("peer.fileSystemPath", "/tmp/fabric/validatortest")
 	ledgermgmt.InitializeTestEnv()
@@ -193,7 +198,7 @@ func TestInvokeOK(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -210,7 +215,7 @@ func TestInvokeOKSCC(t *testing.T) {
 
 	ccID := "lscc"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -227,7 +232,7 @@ func TestInvokeNOKWritesToLSCC(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID, "lscc"), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -244,7 +249,7 @@ func TestInvokeNOKWritesToESCC(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID, "escc"), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -261,7 +266,7 @@ func TestInvokeNOKWritesToNotExt(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID, "notext"), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -278,7 +283,7 @@ func TestInvokeNOKInvokesNotExt(t *testing.T) {
 
 	ccID := "notext"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -295,7 +300,7 @@ func TestInvokeNOKInvokesEmptyCCName(t *testing.T) {
 
 	ccID := ""
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -312,7 +317,7 @@ func TestInvokeNOKExpiredCC(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfoWithVSCCAndVer(l, ccID, "vscc", "badversion", cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfoWithVSCCAndVer(l, ccID, "vscc", "badversion", signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -329,7 +334,7 @@ func TestInvokeNOKBogusActions(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, []byte("barf"), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -361,7 +366,7 @@ func TestInvokeNOKVSCCUnspecified(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfoWithVSCCAndVer(l, ccID, "", ccVersion, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfoWithVSCCAndVer(l, ccID, "", ccVersion, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}

diff --git a/core/endorser/endorser_test.go b/core/endorser/endorser_test.go
@@ -87,6 +87,12 @@ func initPeer(chainID string) (*testEnvironment, error) {
 	//initialize ledger
 	peer.MockInitialize()
 
+	mspGetter := func(cid string) []string {
+		return []string{"DEFAULT"}
+	}
+
+	peer.MockSetMSPIDGetter(mspGetter)
+
 	getPeerEndpoint := func() (*pb.PeerEndpoint, error) {
 		return &pb.PeerEndpoint{Id: &pb.PeerID{Name: "testpeer"}, Address: peerAddress}, nil
 	}

diff --git a/core/peer/peer.go b/core/peer/peer.go
@@ -93,6 +93,12 @@ func MockInitialize() {
 
 var chainInitializer func(string)
 
+var mockMSPIDGetter func(string) []string
+
+func MockSetMSPIDGetter(mspIDGetter func(string) []string) {
+	mockMSPIDGetter = mspIDGetter
+}
+
 // Initialize sets up any chains that the peer has from the persistence. This
 // function should be called at the start up when the ledger and gossip
 // ready
@@ -438,6 +444,12 @@ func buildTrustedRootsForChain(cm configtxapi.Manager) {
 func GetMSPIDs(cid string) []string {
 	chains.RLock()
 	defer chains.RUnlock()
+
+	//if mock is set, use it to return MSPIDs
+	//used for tests without a proper join
+	if mockMSPIDGetter != nil {
+		return mockMSPIDGetter(cid)
+	}
 	if c, ok := chains.list[cid]; ok {
 		if c == nil || c.cs == nil ||
 			c.cs.ApplicationConfig() == nil ||

diff --git a/core/scc/lscc/lscc.go b/core/scc/lscc/lscc.go
@@ -226,7 +226,7 @@ func (f InvalidCCOnFSError) Error() string {
 type InstantiationPolicyViolatedErr string
 
 func (f InstantiationPolicyViolatedErr) Error() string {
-	return "chaincode instantiation policy violated"
+	return fmt.Sprintf("chaincode instantiation policy violated(%s)", string(f))
 }
 
 //InstantiationPolicyMissing when no existing instantiation policy is found when upgrading CC
@@ -479,8 +479,9 @@ func (lscc *LifeCycleSysCC) executeInstall(stub shim.ChaincodeStubInterface, ccb
 }
 
 // getInstantiationPolicy retrieves the instantiation policy from a SignedCDSPackage
-func (lscc *LifeCycleSysCC) getInstantiationPolicy(stub shim.ChaincodeStubInterface, ccpack ccprovider.CCPackage) ([]byte, error) {
+func (lscc *LifeCycleSysCC) getInstantiationPolicy(channel string, ccpack ccprovider.CCPackage) ([]byte, error) {
 	var ip []byte
+	var err error
 	// if ccpack is a SignedCDSPackage, return its IP, otherwise use a default IP
 	sccpack, isSccpack := ccpack.(*ccprovider.SignedCDSPackage)
 	if isSccpack {
@@ -489,17 +490,16 @@ func (lscc *LifeCycleSysCC) getInstantiationPolicy(stub shim.ChaincodeStubInterf
 			return nil, fmt.Errorf("Instantiation policy cannot be null for a SignedCCDeploymentSpec")
 		}
 	} else {
-		// the default instantiation policy requires the peer's msp admin
-		// it assumes that the peer's MSP does not change over time
-		mspid, err := mspmgmt.GetLocalMSP().GetIdentifier()
-		if err != nil {
-			return nil, fmt.Errorf("Error creating default instantiation policy: could not retrieve local MSP identifier %s", err)
-		}
-		ipEnvelope := cauthdsl.SignedByMspAdmin(mspid)
-		ip, err = proto.Marshal(ipEnvelope)
+		// the default instantiation policy allows any of the channel MSP admins
+		// to be able to instantiate
+		mspids := peer.GetMSPIDs(channel)
+
+		p := cauthdsl.SignedByAnyAdmin(mspids)
+		ip, err = utils.Marshal(p)
 		if err != nil {
-			return nil, fmt.Errorf("Marshalling instantiation policy failed: [%s]", err)
+			return nil, fmt.Errorf("Error marshalling default instantiation policy")
 		}
+
 	}
 	return ip, nil
 }
@@ -542,7 +542,7 @@ func (lscc *LifeCycleSysCC) checkInstantiationPolicy(stub shim.ChaincodeStubInte
 	}}
 	err = instPol.Evaluate(sd)
 	if err != nil {
-		return InstantiationPolicyViolatedErr("")
+		return InstantiationPolicyViolatedErr(err.Error())
 	}
 	return nil
 }
@@ -588,7 +588,7 @@ func (lscc *LifeCycleSysCC) executeDeploy(stub shim.ChaincodeStubInterface, chai
 	cd.Policy = policy
 
 	// retrieve and evaluate instantiation policy
-	cd.InstantiationPolicy, err = lscc.getInstantiationPolicy(stub, ccpack)
+	cd.InstantiationPolicy, err = lscc.getInstantiationPolicy(chainname, ccpack)
 	if err != nil {
 		return nil, err
 	}
@@ -664,7 +664,7 @@ func (lscc *LifeCycleSysCC) executeUpgrade(stub shim.ChaincodeStubInterface, cha
 	cd.Policy = policy
 
 	// retrieve and evaluate new instantiation policy
-	cd.InstantiationPolicy, err = lscc.getInstantiationPolicy(stub, ccpack)
+	cd.InstantiationPolicy, err = lscc.getInstantiationPolicy(chainName, ccpack)
 	if err != nil {
 		return nil, err
 	}
@@ -757,7 +757,11 @@ func (lscc *LifeCycleSysCC) Invoke(stub shim.ChaincodeStubInterface) pb.Response
 		if len(args) > 3 && len(args[3]) > 0 {
 			policy = args[3]
 		} else {
-			policy = cauthdsl.SignedByAnyMember(peer.GetMSPIDs(chainname))
+			p := cauthdsl.SignedByAnyMember(peer.GetMSPIDs(chainname))
+			policy, err = utils.Marshal(p)
+			if err != nil {
+				return shim.Error(err.Error())
+			}
 		}
 
 		var escc []byte
@@ -806,7 +810,11 @@ func (lscc *LifeCycleSysCC) Invoke(stub shim.ChaincodeStubInterface) pb.Response
 		if len(args) > 3 && len(args[3]) > 0 {
 			policy = args[3]
 		} else {
-			policy = cauthdsl.SignedByAnyMember(peer.GetMSPIDs(chainname))
+			p := cauthdsl.SignedByAnyMember(peer.GetMSPIDs(chainname))
+			policy, err = utils.Marshal(p)
+			if err != nil {
+				return shim.Error(err.Error())
+			}
 		}
 
 		var escc []byte

diff --git a/core/scc/lscc/lscc_test.go b/core/scc/lscc/lscc_test.go
@@ -22,17 +22,18 @@ import (
 	"strings"
 	"testing"
 
+	"archive/tar"
+	"bytes"
+	"compress/gzip"
+
 	"github.com/golang/protobuf/proto"
 	"github.com/hyperledger/fabric/common/cauthdsl"
 	"github.com/hyperledger/fabric/common/util"
 	"github.com/hyperledger/fabric/core/chaincode/shim"
 	"github.com/hyperledger/fabric/core/common/ccpackage"
 	"github.com/hyperledger/fabric/core/common/ccprovider"
 	"github.com/hyperledger/fabric/core/common/sysccprovider"
-	//"github.com/hyperledger/fabric/core/container"
-	"archive/tar"
-	"bytes"
-	"compress/gzip"
+	"github.com/hyperledger/fabric/core/peer"
 
 	"github.com/stretchr/testify/assert"
 
@@ -1214,6 +1215,12 @@ func TestMain(m *testing.M) {
 	ccprovider.SetChaincodesPath(lscctestpath)
 	sysccprovider.RegisterSystemChaincodeProviderFactory(&scc.MocksccProviderFactory{})
 
+	mspGetter := func(cid string) []string {
+		return []string{"DEFAULT"}
+	}
+
+	peer.MockSetMSPIDGetter(mspGetter)
+
 	var err error
 
 	// setup the MSP manager so that we can sign/verify

diff --git a/core/scc/vscc/validator_onevalidsignature_test.go b/core/scc/vscc/validator_onevalidsignature_test.go
@@ -37,6 +37,7 @@ import (
 	"github.com/hyperledger/fabric/core/common/sysccprovider"
 	cutils "github.com/hyperledger/fabric/core/container/util"
 	"github.com/hyperledger/fabric/core/ledger/kvledger/txmgmt/rwsetutil"
+	per "github.com/hyperledger/fabric/core/peer"
 	"github.com/hyperledger/fabric/core/policy"
 	"github.com/hyperledger/fabric/core/scc/lscc"
 	"github.com/hyperledger/fabric/msp"
@@ -1393,6 +1394,12 @@ func TestMain(m *testing.M) {
 	sysccprovider.RegisterSystemChaincodeProviderFactory(&scc.MocksccProviderFactory{})
 	policy.RegisterPolicyCheckerFactory(&mockPolicyCheckerFactory{})
 
+	mspGetter := func(cid string) []string {
+		return []string{"DEFAULT"}
+	}
+
+	per.MockSetMSPIDGetter(mspGetter)
+
 	var err error
 
 	// setup the MSP manager so that we can sign/verify