[FAB-3300] default chaincode instantiation policy

If a chaincode does not come with an instantiation policy, have the LSCC
set a default instantiation policy. The default instantiation policy
allows only the peer's MSP admin to instantiate chaincode.

Change-Id: I766041f40d16e5ab5daf6adc1e96c1ade36ee144
Signed-off-by: Matthias Neugschwandtner <[email protected]>

Author: Matthias Neugschwandtner

core/chaincode/exectransaction_test.go

@@ -107,6 +107,10 @@ func initPeer(chainIDs ...string) (net.Listener, error) {
 			return nil, err
 		}
 		scc.DeploySysCCs(id)
+		// any chain other than the default testchainid does not have a MSP set up -> create one
+		if id != util.GetTestChainID() {
+			mspmgmt.XXXSetMSPManager(id, mspmgmt.GetManagerForChain(util.GetTestChainID()))
+		}
 	}
 
 	go grpcServer.Serve(lis)
@@ -326,14 +330,13 @@ func deploy2(ctx context.Context, cccid *ccprovider.CCContext, chaincodeDeployme
 	ccprovider.PutChaincodeIntoFS(chaincodeDeploymentSpec)
 
 	sysCCVers := util.GetSysCCVersion()
-	sprop, prop := putils.MockSignedEndorserProposalOrPanic(cccid.ChainID, cis.ChaincodeSpec, []byte("Admin"), []byte("msg1"))
+	sprop, prop := putils.MockSignedEndorserProposal2OrPanic(cccid.ChainID, cis.ChaincodeSpec, signer)
 	lsccid := ccprovider.NewCCContext(cccid.ChainID, cis.ChaincodeSpec.ChaincodeId.Name, sysCCVers, uuid, true, sprop, prop)
 
 	//write to lscc
 	if _, _, err = ExecuteWithErrorFilter(ctx, lsccid, cis); err != nil {
 		return nil, fmt.Errorf("Error deploying chaincode (1): %s", err)
 	}
-
 	if b, _, err = ExecuteWithErrorFilter(ctx, cccid, chaincodeDeploymentSpec); err != nil {
 		return nil, fmt.Errorf("Error deploying chaincode(2): %s", err)
 	}
@@ -1748,8 +1751,8 @@ func TestMain(m *testing.M) {
 	msptesttools.LoadMSPSetupForTesting()
 	signer, err = mspmgmt.GetLocalMSP().GetDefaultSigningIdentity()
 	if err != nil {
-		os.Exit(-1)
 		fmt.Print("Could not initialize msp/signer")
+		os.Exit(-1)
 		return
 	}
 
@@ -1758,7 +1761,6 @@ func TestMain(m *testing.M) {
 }
 
 func deployChaincode(ctx context.Context, name string, version string, chaincodeType pb.ChaincodeSpec_Type, path string, args [][]byte, creator []byte, channel string, nextBlockNumber uint64) ([]byte, *ccprovider.CCContext, error) {
-
 	chaincodeSpec := &pb.ChaincodeSpec{
 		ChaincodeId: &pb.ChaincodeID{
 			Name:    name,
@@ -1771,7 +1773,7 @@ func deployChaincode(ctx context.Context, name string, version string, chaincode
 		},
 	}
 
-	signedProposal, proposal := putils.MockSignedEndorserProposalOrPanic(channel, chaincodeSpec, creator, nil)
+	signedProposal, proposal := putils.MockSignedEndorserProposal2OrPanic(channel, chaincodeSpec, signer)
 
 	chaincodeCtx := ccprovider.NewCCContext(channel, name, version, "", false, signedProposal, proposal)
 

core/chaincode/upgrade_test.go

@@ -24,6 +24,7 @@ import (
 	"github.com/hyperledger/fabric/common/util"
 	"github.com/hyperledger/fabric/core/common/ccprovider"
 	pb "github.com/hyperledger/fabric/protos/peer"
+	putils "github.com/hyperledger/fabric/protos/utils"
 
 	"github.com/golang/protobuf/proto"
 	"golang.org/x/net/context"
@@ -84,7 +85,8 @@ func upgrade2(ctx context.Context, cccid *ccprovider.CCContext,
 	ccprovider.PutChaincodeIntoFS(chaincodeDeploymentSpec)
 
 	sysCCVers := util.GetSysCCVersion()
-	lsccid := ccprovider.NewCCContext(cccid.ChainID, cis.ChaincodeSpec.ChaincodeId.Name, sysCCVers, uuid, true, nil, nil)
+	sprop, prop := putils.MockSignedEndorserProposal2OrPanic(cccid.ChainID, cis.ChaincodeSpec, signer)
+	lsccid := ccprovider.NewCCContext(cccid.ChainID, cis.ChaincodeSpec.ChaincodeId.Name, sysCCVers, uuid, true, sprop, prop)
 
 	var cdbytes []byte
 	//write to lscc

core/scc/lscc/lscc.go

@@ -229,6 +229,13 @@ func (f InstantiationPolicyViolatedErr) Error() string {
 	return "chaincode instantiation policy violated"
 }
 
+//InstantiationPolicyMissing when no existing instantiation policy is found when upgrading CC
+type InstantiationPolicyMissing string
+
+func (f InstantiationPolicyMissing) Error() string {
+	return "instantiation policy missing"
+}
+
 //-------------- helper functions ------------------
 //create the chaincode on the given chain
 func (lscc *LifeCycleSysCC) createChaincode(stub shim.ChaincodeStubInterface, cd *ccprovider.ChaincodeData) error {
@@ -473,16 +480,28 @@ func (lscc *LifeCycleSysCC) executeInstall(stub shim.ChaincodeStubInterface, ccb
 
 // getInstantiationPolicy retrieves the instantiation policy from a SignedCDSPackage
 func (lscc *LifeCycleSysCC) getInstantiationPolicy(stub shim.ChaincodeStubInterface, ccpack ccprovider.CCPackage) ([]byte, error) {
-	//if ccpack is a SignedCDSPackage, evaluate submitter against instantiation policy
+	var ip []byte
+	// if ccpack is a SignedCDSPackage, return its IP, otherwise use a default IP
 	sccpack, isSccpack := ccpack.(*ccprovider.SignedCDSPackage)
 	if isSccpack {
-		ip := sccpack.GetInstantiationPolicy()
+		ip = sccpack.GetInstantiationPolicy()
 		if ip == nil {
 			return nil, fmt.Errorf("Instantiation policy cannot be null for a SignedCCDeploymentSpec")
 		}
-		return ip, nil
+	} else {
+		// the default instantiation policy requires the peer's msp admin
+		// it assumes that the peer's MSP does not change over time
+		mspid, err := mspmgmt.GetLocalMSP().GetIdentifier()
+		if err != nil {
+			return nil, fmt.Errorf("Error creating default instantiation policy: could not retrieve local MSP identifier %s", err)
+		}
+		ipEnvelope := cauthdsl.SignedByMspAdmin(mspid)
+		ip, err = proto.Marshal(ipEnvelope)
+		if err != nil {
+			return nil, fmt.Errorf("Marshalling instantiation policy failed: [%s]", err)
+		}
 	}
-	return nil, nil
+	return ip, nil
 }
 
 // checkInstantiationPolicy evaluates an instantiation policy against a signed proposal
@@ -573,11 +592,9 @@ func (lscc *LifeCycleSysCC) executeDeploy(stub shim.ChaincodeStubInterface, chai
 	if err != nil {
 		return nil, err
 	}
-	if cd.InstantiationPolicy != nil {
-		err = lscc.checkInstantiationPolicy(stub, chainname, cd.InstantiationPolicy)
-		if err != nil {
-			return nil, err
-		}
+	err = lscc.checkInstantiationPolicy(stub, chainname, cd.InstantiationPolicy)
+	if err != nil {
+		return nil, err
 	}
 
 	err = lscc.createChaincode(stub, cd)
@@ -625,11 +642,12 @@ func (lscc *LifeCycleSysCC) executeUpgrade(stub shim.ChaincodeStubInterface, cha
 	}
 
 	//do not upgrade if instantiation policy is violated
-	if cd.InstantiationPolicy != nil {
-		err = lscc.checkInstantiationPolicy(stub, chainName, cd.InstantiationPolicy)
-		if err != nil {
-			return nil, err
-		}
+	if cd.InstantiationPolicy == nil {
+		return nil, InstantiationPolicyMissing("")
+	}
+	err = lscc.checkInstantiationPolicy(stub, chainName, cd.InstantiationPolicy)
+	if err != nil {
+		return nil, err
 	}
 
 	ccpack, err := ccprovider.GetChaincodeFromFS(chaincodeName, cds.ChaincodeSpec.ChaincodeId.Version)
@@ -650,11 +668,9 @@ func (lscc *LifeCycleSysCC) executeUpgrade(stub shim.ChaincodeStubInterface, cha
 	if err != nil {
 		return nil, err
 	}
-	if cd.InstantiationPolicy != nil {
-		err = lscc.checkInstantiationPolicy(stub, chainName, cd.InstantiationPolicy)
-		if err != nil {
-			return nil, err
-		}
+	err = lscc.checkInstantiationPolicy(stub, chainName, cd.InstantiationPolicy)
+	if err != nil {
+		return nil, err
 	}
 
 	err = lscc.upgradeChaincode(stub, cd)