[FAB-1934] admin validation for chain-scoped syscc

This change set validates proposals for chain-scoped system chaincodes
against the admin policy of the chain.

Change-Id: I1dc2211fd3e2170b31a62a22b4b95287d7b1acf4
Signed-off-by: Alessandro Sorniotti <[email protected]>

Author: ale-linux

common/policies/policy.go

@@ -40,6 +40,9 @@ const (
 
 	// ChannelApplicationWriters is the label for the channel's application writers policy
 	ChannelApplicationWriters = "/" + ChannelPrefix + "/" + ApplicationPrefix + "/Writers"
+
+	// ChannelApplicationAdmins is the label for the channel's application admin policy
+	ChannelApplicationAdmins = "/" + ChannelPrefix + "/" + ApplicationPrefix + "/Admins"
 )
 
 var logger = logging.MustGetLogger("common/policies")
@@ -251,7 +254,10 @@ func (pm *ManagerImpl) CommitProposals() {
 	if pm.parent == nil && pm.basePath == ChannelPrefix {
 		if _, ok := pm.config.managers[ApplicationPrefix]; ok {
 			// Check for default application policies if the application component is defined
-			for _, policyName := range []string{ChannelApplicationReaders, ChannelApplicationWriters} {
+			for _, policyName := range []string{
+				ChannelApplicationReaders,
+				ChannelApplicationWriters,
+				ChannelApplicationAdmins} {
 				_, ok := pm.GetPolicy(policyName)
 				if !ok {
 					logger.Warningf("Current configuration has no policy '%s', this will likely cause problems in production systems", policyName)

core/endorser/endorser.go

@@ -55,15 +55,26 @@ func NewEndorserServer() pb.EndorserServer {
 	return e
 }
 
-func (*Endorser) checkACL(signedProp *pb.SignedProposal, chdr *common.ChannelHeader, shdr *common.SignatureHeader) error {
+// checkACL checks that the supplied proposal complies
+// with the policies of the chain; for a system chaincode
+// we use the admins policy, whereas for normal chaincodes
+// we use the writers policy
+func (*Endorser) checkACL(signedProp *pb.SignedProposal, chdr *common.ChannelHeader, shdr *common.SignatureHeader, hdrext *pb.ChaincodeHeaderExtension) error {
 	// get policy manager to check ACLs
 	pm := peer.GetPolicyManager(chdr.ChannelId)
 	if pm == nil {
 		return fmt.Errorf("No policy manager available for chain %s", chdr.ChannelId)
 	}
 
-	// access the writers policy
-	policy, _ := pm.GetPolicy(policies.ChannelApplicationWriters)
+	// access the policy to use to validate this proposal
+	var policy policies.Policy
+	if syscc.IsSysCC(hdrext.ChaincodeId.Name) {
+		// in the case of a system chaincode, we use the admin policy
+		policy, _ = pm.GetPolicy(policies.ChannelApplicationAdmins)
+	} else {
+		// in the case of a normal chaincode, we use the writers policy
+		policy, _ = pm.GetPolicy(policies.ChannelApplicationWriters)
+	}
 
 	// evaluate that this proposal complies with the writers
 	err := policy.Evaluate(
@@ -317,9 +328,8 @@ func (e *Endorser) ProcessProposal(ctx context.Context, signedProp *pb.SignedPro
 		return &pb.ProposalResponse{Response: &pb.Response{Status: 500, Message: err.Error()}}, err
 	}
 
-	//chainless proposals do not/cannot affect ledger and cannot be submitted as transactions
-	//ignore uniqueness checks
 	if chainID != "" {
+		// here we handle uniqueness check and ACLs for proposals targeting a chain
 		lgr := peer.GetLedger(chainID)
 		if lgr == nil {
 			return nil, errors.New(fmt.Sprintf("Failure while looking up the ledger %s", chainID))
@@ -329,10 +339,15 @@ func (e *Endorser) ProcessProposal(ctx context.Context, signedProp *pb.SignedPro
 		}
 
 		// check ACL - we verify that this proposal
-		// complies with the "writers" policy of the chain
-		if err = e.checkACL(signedProp, chdr, shdr); err != nil {
+		// complies with the policy of the chain
+		if err = e.checkACL(signedProp, chdr, shdr, hdrExt); err != nil {
 			return &pb.ProposalResponse{Response: &pb.Response{Status: 500, Message: err.Error()}}, err
 		}
+	} else {
+		// chainless proposals do not/cannot affect ledger and cannot be submitted as transactions
+		// ignore uniqueness checks; also, chainless proposals are not validated using the policies
+		// of the chain since by definition there is no chain; they are validated against the local
+		// MSP of the peer instead by the call to ValidateProposalMessage above
 	}
 
 	// obtaining once the tx simulator for this proposal. This will be nil

core/endorser/endorser_test.go

@@ -509,11 +509,11 @@ func TestDeployAndUpgrade(t *testing.T) {
 	chaincode.GetChain().Stop(ctxt, cccid2, &pb.ChaincodeDeploymentSpec{ChaincodeSpec: &pb.ChaincodeSpec{ChaincodeId: chaincodeID2}})
 }
 
-// TestACLFail deploys a chaincode and then tries to invoke it;
+// TestWritersACLFail deploys a chaincode and then tries to invoke it;
 // however we inject a special policy for writers to simulate
 // the scenario in which the creator of this proposal is not among
 // the writers for the chain
-func TestACLFail(t *testing.T) {
+func TestWritersACLFail(t *testing.T) {
 	chainID := util.GetTestChainID()
 	var ctxt = context.Background()
 
@@ -567,8 +567,51 @@ func TestACLFail(t *testing.T) {
 		return
 	}
 
-	fmt.Println("TestACLFail passed")
-	t.Logf("TestACLFail passed")
+	fmt.Println("TestWritersACLFail passed")
+	t.Logf("TestWritersACLFail passed")
+
+	chaincode.GetChain().Stop(ctxt, cccid, &pb.ChaincodeDeploymentSpec{ChaincodeSpec: &pb.ChaincodeSpec{ChaincodeId: chaincodeID}})
+}
+
+// TestAdminACLFail deploys tried to deploy a chaincode;
+// however we inject a special policy for admins to simulate
+// the scenario in which the creator of this proposal is not among
+// the admins for the chain
+func TestAdminACLFail(t *testing.T) {
+	chainID := util.GetTestChainID()
+
+	// here we inject a reject policy for admins
+	// to simulate the scenario in which the invoker
+	// is not authorized to issue this proposal
+	rejectpolicy := &mockpolicies.Policy{
+		Err: errors.New("The creator of this proposal does not fulfil the writers policy of this chain"),
+	}
+	pm := peer.GetPolicyManager(chainID)
+	pm.(*mockpolicies.Manager).PolicyMap = map[string]*mockpolicies.Policy{policies.ChannelApplicationAdmins: rejectpolicy}
+
+	var ctxt = context.Background()
+
+	url := "github.com/hyperledger/fabric/examples/chaincode/go/chaincode_example01"
+	chaincodeID := &pb.ChaincodeID{Path: url, Name: "ex01-fail1", Version: "0"}
+
+	defer deleteChaincodeOnDisk("ex01-fail1.0")
+
+	f := "init"
+	argsDeploy := util.ToChaincodeArgs(f, "a", "100", "b", "200")
+	spec := &pb.ChaincodeSpec{Type: 1, ChaincodeId: chaincodeID, Input: &pb.ChaincodeInput{Args: argsDeploy}}
+
+	cccid := ccprovider.NewCCContext(chainID, "ex01-fail1", "0", "", false, nil, nil)
+
+	_, _, err := deploy(endorserServer, chainID, spec, nil)
+	if err == nil {
+		t.Fail()
+		t.Logf("Deploying chaincode should have failed!")
+		chaincode.GetChain().Stop(ctxt, cccid, &pb.ChaincodeDeploymentSpec{ChaincodeSpec: &pb.ChaincodeSpec{ChaincodeId: chaincodeID}})
+		return
+	}
+
+	fmt.Println("TestAdminACLFail passed")
+	t.Logf("TestATestAdminACLFailCLFail passed")
 
 	chaincode.GetChain().Stop(ctxt, cccid, &pb.ChaincodeDeploymentSpec{ChaincodeSpec: &pb.ChaincodeSpec{ChaincodeId: chaincodeID}})
 }