FAB-10046 Respect LSCC GETCHAINCODES ACL

Jason Yellick · Jason Yellick · commit 99f788da88ed · 2018-05-15T11:34:59.000-04:00
The GETCHAINCODES call is currently erroneously using the local default
ACL rather than the channel scoped ACL.  This CR adds it to the
configtx.yaml and fixes the LSCC code to respect it.

Change-Id: Ic09d41df5f0124d7d6b36b4ad77faa711dfea43c
Signed-off-by: Jason Yellick &lt;jyellick@us.ibm.com&gt;
diff --git a/core/scc/lscc/lscc.go b/core/scc/lscc/lscc.go
@@ -780,8 +780,7 @@ func (lscc *lifeCycleSysCC) Invoke(stub shim.ChaincodeStubInterface) pb.Response
 			return shim.Error(InvalidArgsLenErr(len(args)).Error())
 		}
 
-		// 2. check local MSP Admins policy
-		if err = lscc.policyChecker.CheckPolicyNoChannel(mgmt.Admins, sp); err != nil {
+		if err = lscc.aclProvider.CheckACL(resources.Lscc_GetInstantiatedChaincodes, stub.GetChannelID(), sp); err != nil {
 			return shim.Error(fmt.Sprintf("Authorization for GETCHAINCODES on channel %s has been denied with error %s", args[0], err))
 		}
 
diff --git a/core/scc/lscc/lscc_test.go b/core/scc/lscc/lscc_test.go
@@ -331,6 +331,7 @@ func testDeploy(t *testing.T, ccname string, version string, path string, forceB
 		res := stub.MockInit("1", nil)
 		assert.Equal(t, res.Status, int32(shim.OK), res.Message)
 	}
+	stub.ChannelID = chainid
 
 	identityDeserializer := &policymocks.MockIdentityDeserializer{[]byte("Alice"), []byte("msg1")}
 	policyManagerGetter := &policymocks.MockChannelPolicyManagerGetter{
@@ -343,7 +344,7 @@ func testDeploy(t *testing.T, ccname string, version string, path string, forceB
 		identityDeserializer,
 		&policymocks.MockMSPPrincipalGetter{Principal: []byte("Alice")},
 	)
-	sProp, _ := utils.MockSignedEndorserProposalOrPanic("", &pb.ChaincodeSpec{}, []byte("Alice"), []byte("msg1"))
+	sProp, _ := utils.MockSignedEndorserProposalOrPanic(chainid, &pb.ChaincodeSpec{}, []byte("Alice"), []byte("msg1"))
 	identityDeserializer.Msg = sProp.ProposalBytes
 	sProp.Signature = sProp.ProposalBytes
 
@@ -374,6 +375,8 @@ func testDeploy(t *testing.T, ccname string, version string, path string, forceB
 	if expectedErrorMsg == "" {
 		assert.Equal(t, res.Status, int32(shim.OK), res.Message)
 
+		mockAclProvider.Reset()
+		mockAclProvider.On("CheckACL", resources.Lscc_GetInstantiatedChaincodes, chainid, sProp).Return(nil)
 		args = [][]byte{[]byte(GETCHAINCODES)}
 		res = stub.MockInvokeWithSignedProposal("1", args, sProp)
 		assert.Equal(t, res.Status, int32(shim.OK), res.Message)
@@ -649,29 +652,25 @@ func TestGETCHAINCODES(t *testing.T) {
 	scc := New(NewMockProvider(), mockAclProvider)
 	scc.support = &lscc.MockSupport{}
 	stub := shim.NewMockStub("lscc", scc)
+	stub.ChannelID = "test"
 	res := stub.MockInit("1", nil)
 	assert.Equal(t, res.Status, int32(shim.OK), res.Message)
 
 	res = stub.MockInvokeWithSignedProposal("1", [][]byte{[]byte(GETCHAINCODES), []byte("barf")}, nil)
 	assert.NotEqual(t, res.Status, int32(shim.OK), res.Message)
 
-	identityDeserializer := &policymocks.MockIdentityDeserializer{[]byte("Alice"), []byte("msg1")}
-	policyManagerGetter := &policymocks.MockChannelPolicyManagerGetter{
-		Managers: map[string]policies.Manager{
-			"test": &policymocks.MockChannelPolicyManager{MockPolicy: &policymocks.MockPolicy{Deserializer: identityDeserializer}},
-		},
-	}
-	scc.policyChecker = policy.NewPolicyChecker(
-		policyManagerGetter,
-		identityDeserializer,
-		&policymocks.MockMSPPrincipalGetter{Principal: []byte("Alice")},
-	)
-	sProp, _ := utils.MockSignedEndorserProposalOrPanic("", &pb.ChaincodeSpec{}, []byte("Bob"), []byte("msg1"))
-	identityDeserializer.Msg = sProp.ProposalBytes
+	sProp, _ := utils.MockSignedEndorserProposalOrPanic("test", &pb.ChaincodeSpec{}, []byte("Bob"), []byte("msg1"))
 	sProp.Signature = sProp.ProposalBytes
 
-	res = stub.MockInvokeWithSignedProposal("1", [][]byte{[]byte(GETCHAINCODES)}, nil)
+	mockAclProvider.Reset()
+	mockAclProvider.On("CheckACL", resources.Lscc_GetInstantiatedChaincodes, "test", sProp).Return(errors.New("ACL Error"))
+	res = stub.MockInvokeWithSignedProposal("1", [][]byte{[]byte(GETCHAINCODES)}, sProp)
 	assert.NotEqual(t, res.Status, int32(shim.OK), res.Message)
+
+	mockAclProvider.Reset()
+	mockAclProvider.On("CheckACL", resources.Lscc_GetInstantiatedChaincodes, "test", sProp).Return(nil)
+	res = stub.MockInvokeWithSignedProposal("1", [][]byte{[]byte(GETCHAINCODES)}, sProp)
+	assert.Equal(t, res.Status, int32(shim.OK), res.Message)
 }
 
 func TestGETINSTALLEDCHAINCODES(t *testing.T) {
diff --git a/sampleconfig/configtx.yaml b/sampleconfig/configtx.yaml
@@ -328,68 +328,71 @@ Orderer: &OrdererDefaults
 ################################################################################
 Application: &ApplicationDefaults
     ACLs: &ACLsDefault
-        #This section provides defaults for policies for various resources
-        #in the system. These "resources" could be functions on system chaincodes
-        #(e.g., "GetBlockByNumber" on the "qscc" system chaincode) or other resources
-        #(e.g.,who can receive Block events). This section does NOT specify the resource's
-        #definition or API, but just the ACL policy for it.
+        # This section provides defaults for policies for various resources
+        # in the system. These "resources" could be functions on system chaincodes
+        # (e.g., "GetBlockByNumber" on the "qscc" system chaincode) or other resources
+        # (e.g.,who can receive Block events). This section does NOT specify the resource's
+        # definition or API, but just the ACL policy for it.
         #
-        #User's can override these defaults with their own policy mapping by defining the
-        #mapping under ACLs in their channel definition
+        # User's can override these defaults with their own policy mapping by defining the
+        # mapping under ACLs in their channel definition
 
         #---Lifecycle System Chaincode (lscc) function to policy mapping for access control---#
 
-        #ACL policy for lscc's "getid" function
+        # ACL policy for lscc's "getid" function
         lscc/ChaincodeExists: /Channel/Application/Readers
 
-        #ACL policy for lscc's "getdepspec" function
+        # ACL policy for lscc's "getdepspec" function
         lscc/GetDeploymentSpec: /Channel/Application/Readers
 
-        #ACL policy for lscc's "getccdata" function
+        # ACL policy for lscc's "getccdata" function
         lscc/GetChaincodeData: /Channel/Application/Readers
 
+        # ACL Policy for lscc's "getchaincodes" function
+        lscc/GetInstantiatedChaincodes: /Channel/Application/Readers
+
         #---Query System Chaincode (qscc) function to policy mapping for access control---#
 
-        #ACL policy for qscc's "GetChainInfo" function
+        # ACL policy for qscc's "GetChainInfo" function
         qscc/GetChainInfo: /Channel/Application/Readers
 
-        #ACL policy for qscc's "GetBlockByNumber" function
+        # ACL policy for qscc's "GetBlockByNumber" function
         qscc/GetBlockByNumber: /Channel/Application/Readers
 
-        #ACL policy for qscc's  "GetBlockByHash" function
+        # ACL policy for qscc's  "GetBlockByHash" function
         qscc/GetBlockByHash: /Channel/Application/Readers
 
-        #ACL policy for qscc's "GetTransactionByID" function
+        # ACL policy for qscc's "GetTransactionByID" function
         qscc/GetTransactionByID: /Channel/Application/Readers
 
-        #ACL policy for qscc's "GetBlockByTxID" function
+        # ACL policy for qscc's "GetBlockByTxID" function
         qscc/GetBlockByTxID: /Channel/Application/Readers
 
         #---Configuration System Chaincode (cscc) function to policy mapping for access control---#
 
-        #ACL policy for cscc's "GetConfigBlock" function
+        # ACL policy for cscc's "GetConfigBlock" function
         cscc/GetConfigBlock: /Channel/Application/Readers
 
-        #ACL policy for cscc's "GetConfigTree" function
+        # ACL policy for cscc's "GetConfigTree" function
         cscc/GetConfigTree: /Channel/Application/Readers
 
-        #ACL policy for cscc's "SimulateConfigTreeUpdate" function
+        # ACL policy for cscc's "SimulateConfigTreeUpdate" function
         cscc/SimulateConfigTreeUpdate: /Channel/Application/Writers
 
         #---Miscellanesous peer function to policy mapping for access control---#
 
-        #ACL policy for invoking chaincodes on peer
+        # ACL policy for invoking chaincodes on peer
         peer/Propose: /Channel/Application/Writers
 
-        #ACL policy for chaincode to chaincode invocation
+        # ACL policy for chaincode to chaincode invocation
         peer/ChaincodeToChaincode: /Channel/Application/Readers
 
         #---Events resource to policy mapping for access control###---#
 
-        #ACL policy for sending block events
+        # ACL policy for sending block events
         event/Block: /Channel/Application/Readers
 
-        #ACL policy for sending filtered block events
+        # ACL policy for sending filtered block events
         event/FilteredBlock: /Channel/Application/Readers
 
     # Organizations lists the orgs participating on the application side of the

Original file line number	Diff line number	Diff line change
`@@ -780,8 +780,7 @@ func (lscc *lifeCycleSysCC) Invoke(stub shim.ChaincodeStubInterface) pb.Response`
`780`	`780`	`return shim.Error(InvalidArgsLenErr(len(args)).Error())`
`781`	`781`	`}`
`782`	`782`
`783`		`- // 2. check local MSP Admins policy`
`784`		`- if err = lscc.policyChecker.CheckPolicyNoChannel(mgmt.Admins, sp); err != nil {`
	`783`	`+ if err = lscc.aclProvider.CheckACL(resources.Lscc_GetInstantiatedChaincodes, stub.GetChannelID(), sp); err != nil {`
`785`	`784`	`return shim.Error(fmt.Sprintf("Authorization for GETCHAINCODES on channel %s has been denied with error %s", args[0], err))`
`786`	`785`	`}`
`787`	`786`