[FAB-9873] Function tests for filtered block ACL

wlahti · wlahti · commit b4d4fd7d174d · 2018-05-25T18:27:52.000-04:00
This CR adds function tests for the filtered block event
ACL policy.

Change-Id: I5401ab364a43f2a61955b8590a0fad8eaab7fc58
Signed-off-by: Will Lahti &lt;wtlahti@us.ibm.com&gt;
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/integration/e2e/acl_test.go b/integration/e2e/acl_test.go
@@ -0,0 +1,231 @@
+/*
+Copyright IBM Corp All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package e2e
+
+import (
+	"fmt"
+	"io/ioutil"
+	"path/filepath"
+	"syscall"
+	"time"
+
+	docker "github.com/fsouza/go-dockerclient"
+	"github.com/gogo/protobuf/proto"
+	"github.com/hyperledger/fabric/common/tools/configtxlator/update"
+	"github.com/hyperledger/fabric/core/aclmgmt/resources"
+	"github.com/hyperledger/fabric/integration/world"
+	"github.com/hyperledger/fabric/protos/common"
+	pb "github.com/hyperledger/fabric/protos/peer"
+	"github.com/hyperledger/fabric/protos/utils"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/gbytes"
+)
+
+var _ = Describe("EndToEndACL", func() {
+	var (
+		client *docker.Client
+		w      world.World
+	)
+
+	BeforeEach(func() {
+		var err error
+
+		client, err = docker.NewClientFromEnv()
+		Expect(err).NotTo(HaveOccurred())
+
+		// generating files to bootstrap the network
+		w = world.GenerateBasicConfig("solo", 2, 2, testDir, components)
+
+		// sets up the world for all tests
+		setupWorld(&w)
+	})
+
+	AfterEach(func() {
+		// Stop the running chaincode containers
+		filters := map[string][]string{}
+		filters["name"] = []string{fmt.Sprintf("%s-%s", w.Deployment.Chaincode.Name, w.Deployment.Chaincode.Version)}
+		allContainers, _ := client.ListContainers(docker.ListContainersOptions{
+			Filters: filters,
+		})
+		if len(allContainers) > 0 {
+			for _, container := range allContainers {
+				client.RemoveContainer(docker.RemoveContainerOptions{
+					ID:    container.ID,
+					Force: true,
+				})
+			}
+		}
+
+		// Remove chaincode image
+		filters = map[string][]string{}
+		filters["label"] = []string{fmt.Sprintf("org.hyperledger.fabric.chaincode.id.name=%s", w.Deployment.Chaincode.Name)}
+		images, _ := client.ListImages(docker.ListImagesOptions{
+			Filters: filters,
+		})
+		if len(images) > 0 {
+			for _, image := range images {
+				client.RemoveImage(image.ID)
+			}
+		}
+
+		// Stop the orderers and peers
+		for _, localProc := range w.LocalProcess {
+			localProc.Signal(syscall.SIGTERM)
+			Eventually(localProc.Wait(), 5*time.Second).Should(Receive())
+			localProc.Signal(syscall.SIGKILL)
+			Eventually(localProc.Wait(), 5*time.Second).Should(Receive())
+		}
+
+		// Remove any started networks
+		if w.Network != nil {
+			client.RemoveNetwork(w.Network.Name)
+		}
+	})
+
+	It("tests ACL policies", func() {
+		Context("when the ACL policy for DeliverFiltered is satisified", func() {
+			By("setting the filtered block event ACL policy to Org1/Admins")
+			policyName := resources.Event_FilteredBlock
+			policy := "/Channel/Application/Org1/Admins"
+			SetACLPolicy(&w, policyName, policy)
+
+			By("waiting for the transaction to commit to the ledger using an Org1 Admin identity")
+			adminPeer := components.Peer()
+			adminPeer.ConfigDir = filepath.Join(testDir, "org1.example.com_0")
+			adminPeer.MSPConfigPath = filepath.Join(testDir, "crypto", "peerOrganizations", "org1.example.com", "users", "Admin@org1.example.com", "msp")
+
+			adminRunner := adminPeer.InvokeChaincode(w.Deployment.Chaincode.Name, w.Deployment.Channel, `{"Args":["invoke","a","b","10"]}`, w.Deployment.Orderer, "--waitForEvent")
+			execute(adminRunner)
+			Eventually(adminRunner.Err()).Should(gbytes.Say("Chaincode invoke successful. result: status:200"))
+		})
+
+		Context("when the ACL policy for DeliverFiltered is not satisifed", func() {
+			By("setting the filtered block event ACL policy to Org2/Admins")
+			policyName := resources.Event_FilteredBlock
+			policy := "/Channel/Application/Org2/Admins"
+			SetACLPolicy(&w, policyName, policy)
+
+			By("waiting for the transaction to commit to the ledger using an Org1 Admin identity")
+			adminPeer := components.Peer()
+			adminPeer.ConfigDir = filepath.Join(testDir, "org1.example.com_0")
+			adminPeer.MSPConfigPath = filepath.Join(testDir, "crypto", "peerOrganizations", "org1.example.com", "users", "Admin@org1.example.com", "msp")
+
+			adminRunner := adminPeer.InvokeChaincode(w.Deployment.Chaincode.Name, w.Deployment.Channel, `{"Args":["invoke","a","b","10"]}`, w.Deployment.Orderer, "--waitForEvent")
+			execute(adminRunner)
+			Eventually(adminRunner.Err()).Should(gbytes.Say(`\Qdeliver completed with status (FORBIDDEN)\E`))
+		})
+	})
+})
+
+// SetACLPolicy sets the ACL policy for the world on a running network. It resets all
+// previously defined ACL policies. It performs the generation of the config update,
+// signs the configuration with Org2's signer, and then submits the config update
+// using Org1
+func SetACLPolicy(w *world.World, policyName, policy string) {
+	outputFile := filepath.Join(testDir, "updated_config.pb")
+	GenerateACLConfigUpdate(w, policyName, policy, outputFile)
+
+	signConfigDir := filepath.Join(testDir, "org2.example.com_0")
+	signMSPConfigPath := filepath.Join(w.Rootpath, "crypto", "peerOrganizations", "org2.example.com", "users", "Admin@org2.example.com", "msp")
+	SignConfigUpdate(w, outputFile, signConfigDir, signMSPConfigPath)
+
+	sendConfigDir := filepath.Join(testDir, "org1.example.com_0")
+	sendMSPConfigPath := filepath.Join(w.Rootpath, "crypto", "peerOrganizations", "org1.example.com", "users", "Admin@org1.example.com", "msp")
+	SendConfigUpdate(w, outputFile, sendConfigDir, sendMSPConfigPath)
+}
+
+func GenerateACLConfigUpdate(w *world.World, policyName, policy, outputFile string) {
+	// fetch the config block
+	fetchRun := components.Peer()
+	fetchRun.ConfigDir = filepath.Join(testDir, "org1.example.com_0")
+	fetchRun.MSPConfigPath = filepath.Join(w.Rootpath, "crypto", "peerOrganizations", "org1.example.com", "users", "Admin@org1.example.com", "msp")
+	output := filepath.Join(testDir, "config_block.pb")
+	fRunner := fetchRun.FetchChannel(w.Deployment.Channel, output, "config", w.Deployment.Orderer)
+	execute(fRunner)
+	Expect(fRunner.Err()).To(gbytes.Say("Received block: "))
+	// TODO - enable this once the orderer's logs are available here
+	// Expect(ordererRunner.Err()).To(gbytes.Say(`\Q[channel: mychan] Done delivering \E`))
+
+	// read the config block file
+	fileBytes, err := ioutil.ReadFile(output)
+	Expect(err).To(BeNil())
+	Expect(fileBytes).NotTo(BeNil())
+
+	// unmarshal the config block bytes
+	configBlock := &common.Block{}
+	err = proto.Unmarshal(fileBytes, configBlock)
+	Expect(err).To(BeNil())
+
+	// unmarshal the envelope bytes
+	env := &common.Envelope{}
+	err = proto.Unmarshal(configBlock.Data.Data[0], env)
+	Expect(err).To(BeNil())
+
+	// unmarshal the payload bytes
+	payload := &common.Payload{}
+	err = proto.Unmarshal(env.Payload, payload)
+	Expect(err).To(BeNil())
+
+	// unmarshal the config envelope bytes
+	configEnv := &common.ConfigEnvelope{}
+	err = proto.Unmarshal(payload.Data, configEnv)
+	Expect(err).To(BeNil())
+
+	// clone the config
+	config := configEnv.Config
+	updatedConfig := proto.Clone(config).(*common.Config)
+
+	acls := &pb.ACLs{
+		Acls: make(map[string]*pb.APIResource),
+	}
+
+	// set the policy
+	apiResource := &pb.APIResource{}
+	apiResource.PolicyRef = policy
+	acls.Acls[policyName] = apiResource
+	cv := &common.ConfigValue{
+		Value:     utils.MarshalOrPanic(acls),
+		ModPolicy: "Admins",
+	}
+	updatedConfig.ChannelGroup.Groups["Application"].Values["ACLs"] = cv
+
+	// compute the config update and package it into an envelope
+	configUpdate, err := update.Compute(config, updatedConfig)
+	Expect(err).To(BeNil())
+	configUpdate.ChannelId = w.Deployment.Channel
+	configUpdateEnvelope := &common.ConfigUpdateEnvelope{
+		ConfigUpdate: utils.MarshalOrPanic(configUpdate),
+	}
+	signedEnv, err := utils.CreateSignedEnvelope(common.HeaderType_CONFIG_UPDATE, w.Deployment.Channel, nil, configUpdateEnvelope, 0, 0)
+	Expect(err).To(BeNil())
+	Expect(signedEnv).NotTo(BeNil())
+
+	// write the config update envelope to the file system
+	signedEnvelopeBytes := utils.MarshalOrPanic(signedEnv)
+	err = ioutil.WriteFile(outputFile, signedEnvelopeBytes, 0660)
+	Expect(err).To(BeNil())
+}
+
+func SignConfigUpdate(w *world.World, outputFile, configDir, mspConfigPath string) {
+	signRun := components.Peer()
+	signRun.ConfigDir = configDir
+	signRun.MSPConfigPath = mspConfigPath
+	sRunner := signRun.SignConfigTx(outputFile)
+	// signconfigtx doesn't output anything so check that error is nil
+	err := execute(sRunner)
+	Expect(err).To(BeNil())
+}
+
+func SendConfigUpdate(w *world.World, outputFile, configDir, mspConfigPath string) {
+	updateRun := components.Peer()
+	updateRun.ConfigDir = configDir
+	updateRun.MSPConfigPath = mspConfigPath
+	uRunner := updateRun.UpdateChannel(outputFile, w.Deployment.Channel, w.Deployment.Orderer)
+	execute(uRunner)
+	Expect(uRunner.Err()).To(gbytes.Say("Successfully submitted channel update"))
+}
diff --git a/integration/runner/peer.go b/integration/runner/peer.go
@@ -128,6 +128,19 @@ func (p *Peer) JoinChannel(transactionFile string) *ginkgomon.Runner {
 	return r
 }
 
+func (p *Peer) SignConfigTx(transactionFile string) *ginkgomon.Runner {
+	cmd := exec.Command(p.Path, "channel", "signconfigtx", "-f", transactionFile)
+	p.setupEnvironment(cmd)
+
+	r := ginkgomon.New(ginkgomon.Config{
+		Name:          "channel signconfigtx",
+		AnsiColorCode: "4;38m",
+		Command:       cmd,
+	})
+
+	return r
+}
+
 func (p *Peer) UpdateChannel(transactionFile string, channel string, orderer string) *ginkgomon.Runner {
 	cmd := exec.Command(p.Path, "channel", "update", "-c", channel, "-o", orderer, "-f", transactionFile)
 	p.setupEnvironment(cmd)
@@ -180,8 +193,12 @@ func (p *Peer) QueryChaincode(name string, channel string, args string) *ginkgom
 	return r
 }
 
-func (p *Peer) InvokeChaincode(name string, channel string, args string, orderer string) *ginkgomon.Runner {
+func (p *Peer) InvokeChaincode(name string, channel string, args string, orderer string, extraArgs ...string) *ginkgomon.Runner {
 	cmd := exec.Command(p.Path, "chaincode", "invoke", "-n", name, "-C", channel, "-c", args, "-o", orderer)
+	for _, arg := range extraArgs {
+		cmd.Args = append(cmd.Args, arg)
+	}
+
 	p.setupEnvironment(cmd)
 
 	r := ginkgomon.New(ginkgomon.Config{
diff --git a/peer/chaincode/common.go b/peer/chaincode/common.go
@@ -688,6 +688,10 @@ func (dg *deliverGroup) ClientWait(dc *deliverClient) {
 					return
 				}
 			}
+		case *pb.DeliverResponse_Status:
+			err = errors.Errorf("deliver completed with status (%s) before txid received", r.Status)
+			dg.setError(err)
+			return
 		default:
 			err = errors.Errorf("received unexpected response type (%T) from %s", r, dc.Address)
 			dg.setError(err)

Original file line number	Diff line number	Diff line change
`@@ -688,6 +688,10 @@ func (dg deliverGroup) ClientWait(dc deliverClient) {`
`688`	`688`	`return`
`689`	`689`	`}`
`690`	`690`	`}`
	`691`	`+ case *pb.DeliverResponse_Status:`
	`692`	`+ err = errors.Errorf("deliver completed with status (%s) before txid received", r.Status)`
	`693`	`+ dg.setError(err)`
	`694`	`+ return`
`691`	`695`	`default:`
`692`	`696`	`err = errors.Errorf("received unexpected response type (%T) from %s", r, dc.Address)`
`693`	`697`	`dg.setError(err)`