[FAB-5309] Set mod_policy for new channel policies

Jason Yellick · Jason Yellick · commit 3a2dd8e97c38 · 2017-07-17T01:52:23.000-04:00
The current configtxgen creates a channel creation tx with policies of
Reader/Writer/Admin, where these each do not have a mod_policy set.
This makes it difficult to change these policies, because the policy
does not exist.

It is possible through a roundabout way to change these policies (by
removing and re-adding the policy with a different mod_policy), but this
is certainly not a painless procedure and requires assistance of the
orderer org.

This CR updates to configtx processing to validate mod_policy values
such that they are valid names.  This means that the policy is not
empty, and if the policy is path specified (ie using '/'), that each
component of the path can be described as a valid config element (does
not violate the config element naming rules).

This CR additionally sets the mod_policy on the policies generated by
configtxgen to "Admins".

For users of the old v1.0.0 configtxgen, channel creation will fail with
an error for v1.0.1 orderers.  However, v1.0.1 configtxgen users will
have their transaction appropriately consumed by v1.0.0 orderers.

So in summary, upgrading configtxgen without fabric is okay.  Upgrading
fabric without configtxgen will cause breakage for new channel creation.

An additional bug in the configtxgen output was discovered which was not
setting a mod_policy on the anchor peers element.  There was also an
error in the bddtests which mimic the missing policies for the
application level policies.

Change-Id: Ic2bc120cfb6170f3e4e6cbeac5be145363a64861
Signed-off-by: Jason Yellick &lt;jyellick@us.ibm.com&gt;
diff --git a/bddtests/steps/bootstrap_util.py b/bddtests/steps/bootstrap_util.py
@@ -1102,7 +1102,7 @@ def create_channel_config_update(system_channel_version, channel_id, consortium_
         Policy(type=typeImplicitMeta, value=IMP(
             rule=ruleMajority, sub_policy=BootstrapHelper.KEY_POLICY_ADMINS).SerializeToString()))
     write_set.groups[ApplicationGroup].mod_policy = "Admins"
-    for k, v in write_set.groups[ApplicationGroup].groups.iteritems():
+    for k, v in write_set.groups[ApplicationGroup].policies.iteritems():
         v.mod_policy=BootstrapHelper.KEY_POLICY_ADMINS
     config_update = common_dot_configtx_pb2.ConfigUpdate(channel_id=channel_id,
                                                          read_set=read_set,
diff --git a/common/configtx/template.go b/common/configtx/template.go
@@ -229,8 +229,11 @@ func (cct *channelCreationTemplate) Envelope(channelID string) (*cb.ConfigUpdate
 
 	wSet.Groups[config.ApplicationGroupKey].ModPolicy = configmsp.AdminsPolicyKey
 	wSet.Groups[config.ApplicationGroupKey].Policies[configmsp.AdminsPolicyKey] = policies.ImplicitMetaPolicyWithSubPolicy(configmsp.AdminsPolicyKey, cb.ImplicitMetaPolicy_MAJORITY)
+	wSet.Groups[config.ApplicationGroupKey].Policies[configmsp.AdminsPolicyKey].ModPolicy = configmsp.AdminsPolicyKey
 	wSet.Groups[config.ApplicationGroupKey].Policies[configmsp.WritersPolicyKey] = policies.ImplicitMetaPolicyWithSubPolicy(configmsp.WritersPolicyKey, cb.ImplicitMetaPolicy_ANY)
+	wSet.Groups[config.ApplicationGroupKey].Policies[configmsp.WritersPolicyKey].ModPolicy = configmsp.AdminsPolicyKey
 	wSet.Groups[config.ApplicationGroupKey].Policies[configmsp.ReadersPolicyKey] = policies.ImplicitMetaPolicyWithSubPolicy(configmsp.ReadersPolicyKey, cb.ImplicitMetaPolicy_ANY)
+	wSet.Groups[config.ApplicationGroupKey].Policies[configmsp.ReadersPolicyKey].ModPolicy = configmsp.AdminsPolicyKey
 	wSet.Groups[config.ApplicationGroupKey].Version = 1
 
 	return &cb.ConfigUpdateEnvelope{
diff --git a/common/configtx/template_test.go b/common/configtx/template_test.go
@@ -21,6 +21,7 @@ import (
 	"testing"
 
 	"github.com/hyperledger/fabric/common/config"
+	configmsp "github.com/hyperledger/fabric/common/config/msp"
 	mmsp "github.com/hyperledger/fabric/common/mocks/msp"
 	cb "github.com/hyperledger/fabric/protos/common"
 	"github.com/hyperledger/fabric/protos/utils"
@@ -144,8 +145,11 @@ func TestNewChainTemplate(t *testing.T) {
 	assert.Len(t, configUpdate.WriteSet.Groups[config.ApplicationGroupKey].Groups, len(orgs))
 
 	for _, org := range orgs {
-		_, ok := configUpdate.WriteSet.Groups[config.ApplicationGroupKey].Groups[org]
+		group, ok := configUpdate.WriteSet.Groups[config.ApplicationGroupKey].Groups[org]
 		assert.True(t, ok, "Expected to find %s but did not", org)
+		for _, policy := range group.Policies {
+			assert.Equal(t, configmsp.AdminsPolicyKey, policy.ModPolicy)
+		}
 	}
 }
 
diff --git a/common/configtx/tool/configtxgen/main.go b/common/configtx/tool/configtxgen/main.go
@@ -123,6 +123,7 @@ func doOutputAnchorPeersUpdate(conf *genesisconfig.Profile, channelID string, ou
 	}
 
 	configGroup := config.TemplateAnchorPeers(org.Name, anchorPeers)
+	configGroup.Groups[config.ApplicationGroupKey].Groups[org.Name].Values[config.AnchorPeersKey].ModPolicy = mspconfig.AdminsPolicyKey
 	configUpdate := &cb.ConfigUpdate{
 		ChannelId: channelID,
 		WriteSet:  configGroup,
@@ -132,6 +133,7 @@ func doOutputAnchorPeersUpdate(conf *genesisconfig.Profile, channelID string, ou
 	// Add all the existing config to the readset
 	configUpdate.ReadSet.Groups[config.ApplicationGroupKey] = cb.NewConfigGroup()
 	configUpdate.ReadSet.Groups[config.ApplicationGroupKey].Version = 1
+	configUpdate.ReadSet.Groups[config.ApplicationGroupKey].ModPolicy = mspconfig.AdminsPolicyKey
 	configUpdate.ReadSet.Groups[config.ApplicationGroupKey].Groups[org.Name] = cb.NewConfigGroup()
 	configUpdate.ReadSet.Groups[config.ApplicationGroupKey].Groups[org.Name].Values[config.MSPKey] = &cb.ConfigValue{}
 	configUpdate.ReadSet.Groups[config.ApplicationGroupKey].Groups[org.Name].Policies[mspconfig.ReadersPolicyKey] = &cb.ConfigPolicy{}
@@ -140,7 +142,9 @@ func doOutputAnchorPeersUpdate(conf *genesisconfig.Profile, channelID string, ou
 
 	// Add all the existing at the same versions to the writeset
 	configUpdate.WriteSet.Groups[config.ApplicationGroupKey].Version = 1
+	configUpdate.WriteSet.Groups[config.ApplicationGroupKey].ModPolicy = mspconfig.AdminsPolicyKey
 	configUpdate.WriteSet.Groups[config.ApplicationGroupKey].Groups[org.Name].Version = 1
+	configUpdate.WriteSet.Groups[config.ApplicationGroupKey].Groups[org.Name].ModPolicy = mspconfig.AdminsPolicyKey
 	configUpdate.WriteSet.Groups[config.ApplicationGroupKey].Groups[org.Name].Values[config.MSPKey] = &cb.ConfigValue{}
 	configUpdate.WriteSet.Groups[config.ApplicationGroupKey].Groups[org.Name].Policies[mspconfig.ReadersPolicyKey] = &cb.ConfigPolicy{}
 	configUpdate.WriteSet.Groups[config.ApplicationGroupKey].Groups[org.Name].Policies[mspconfig.WritersPolicyKey] = &cb.ConfigPolicy{}
diff --git a/common/configtx/update.go b/common/configtx/update.go
@@ -18,6 +18,7 @@ package configtx
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/hyperledger/fabric/common/policies"
 	cb "github.com/hyperledger/fabric/protos/common"
@@ -54,12 +55,36 @@ func ComputeDeltaSet(readSet, writeSet map[string]comparable) map[string]compara
 	return result
 }
 
+func validateModPolicy(modPolicy string) error {
+	if modPolicy == "" {
+		return fmt.Errorf("mod_policy not set")
+	}
+
+	trimmed := modPolicy
+	if modPolicy[0] == '/' {
+		trimmed = modPolicy[1:]
+	}
+
+	for i, pathElement := range strings.Split(trimmed, PathSeparator) {
+		err := validateConfigID(pathElement)
+		if err != nil {
+			return fmt.Errorf("path element at %d is invalid: %s", i, err)
+		}
+	}
+	return nil
+
+}
+
 func (cm *configManager) verifyDeltaSet(deltaSet map[string]comparable, signedData []*cb.SignedData) error {
 	if len(deltaSet) == 0 {
 		return fmt.Errorf("Delta set was empty.  Update would have no effect.")
 	}
 
 	for key, value := range deltaSet {
+		if err := validateModPolicy(value.modPolicy()); err != nil {
+			return fmt.Errorf("invalid mod_policy for element %s: %s", key, err)
+		}
+
 		existing, ok := cm.current.configMap[key]
 		if !ok {
 			if value.version() != 0 {
diff --git a/common/configtx/update_test.go b/common/configtx/update_test.go
@@ -89,31 +89,39 @@ func TestVerifyDeltaSet(t *testing.T) {
 	t.Run("Green path", func(t *testing.T) {
 		deltaSet := make(map[string]comparable)
 
-		deltaSet["foo"] = comparable{ConfigValue: &cb.ConfigValue{Version: 1}}
+		deltaSet["foo"] = comparable{ConfigValue: &cb.ConfigValue{Version: 1, ModPolicy: "foo"}}
 
 		assert.NoError(t, cm.verifyDeltaSet(deltaSet, nil), "Good update")
 	})
 
+	t.Run("Bad mod policy", func(t *testing.T) {
+		deltaSet := make(map[string]comparable)
+
+		deltaSet["foo"] = comparable{ConfigValue: &cb.ConfigValue{Version: 1}}
+
+		assert.Regexp(t, "invalid mod_policy for element", cm.verifyDeltaSet(deltaSet, nil))
+	})
+
 	t.Run("Big Skip", func(t *testing.T) {
 		deltaSet := make(map[string]comparable)
 
-		deltaSet["foo"] = comparable{ConfigValue: &cb.ConfigValue{Version: 2}}
+		deltaSet["foo"] = comparable{ConfigValue: &cb.ConfigValue{Version: 2, ModPolicy: "foo"}}
 
 		assert.Error(t, cm.verifyDeltaSet(deltaSet, nil), "Version skip from 0 to 2")
 	})
 
 	t.Run("New item high version", func(t *testing.T) {
 		deltaSet := make(map[string]comparable)
 
-		deltaSet["bar"] = comparable{ConfigValue: &cb.ConfigValue{Version: 1}}
+		deltaSet["bar"] = comparable{ConfigValue: &cb.ConfigValue{Version: 1, ModPolicy: "foo"}}
 
 		assert.Error(t, cm.verifyDeltaSet(deltaSet, nil), "New key not at version 0")
 	})
 
 	t.Run("Policy evalaution to false", func(t *testing.T) {
 		deltaSet := make(map[string]comparable)
 
-		deltaSet["foo"] = comparable{ConfigValue: &cb.ConfigValue{Version: 1}}
+		deltaSet["foo"] = comparable{ConfigValue: &cb.ConfigValue{Version: 1, ModPolicy: "foo"}}
 		cm.Resources.(*mockconfigtx.Resources).PolicyManagerVal.Policy = &mockpolicies.Policy{Err: fmt.Errorf("Err")}
 
 		assert.Error(t, cm.verifyDeltaSet(deltaSet, nil), "Policy evaluation should have failed")
@@ -182,3 +190,21 @@ func TestPolicyForItem(t *testing.T) {
 	assert.True(t, ok)
 	assert.Equal(t, policy, fooPolicy, "Should have found relative foo policy for foo group")
 }
+
+func TestValidateModPolicy(t *testing.T) {
+	t.Run("Valid", func(t *testing.T) {
+		assert.Nil(t, validateModPolicy("/foo/bar"))
+	})
+	t.Run("Empty", func(t *testing.T) {
+		assert.Regexp(t, "mod_policy not set", validateModPolicy(""))
+	})
+	t.Run("InvalidFirstChar", func(t *testing.T) {
+		assert.Regexp(t, "path element at 0 is invalid", validateModPolicy("^foo"))
+	})
+	t.Run("InvalidRootPath", func(t *testing.T) {
+		assert.Regexp(t, "path element at 0 is invalid", validateModPolicy("/"))
+	})
+	t.Run("InvalidSubPath", func(t *testing.T) {
+		assert.Regexp(t, "path element at 1 is invalid", validateModPolicy("foo//bar"))
+	})
+}
