[FAB-9014] Add new config element for peer ACLs

Implements protos for ACL Resources and use it to
parse and generate config for the Application:ACLs defined in
configtx.yaml

Change-Id: I6796171dab05f33eca257fd0e61c300ff98699e3
Signed-off-by: Srinivasan Muralidharan <srinivasan.muralidharan99@gmail.com>

Author: muralisrini

common/channelconfig/api.go

@@ -39,6 +39,9 @@ type Application interface {
 	// Organizations returns a map of org ID to ApplicationOrg
 	Organizations() map[string]ApplicationOrg
 
+	// ACLs returns map of string to APIResource
+	ACLs() map[string]*pb.APIResource
+
 	// Capabilities defines the capabilities for the application portion of a channel
 	Capabilities() ApplicationCapabilities
 }

common/channelconfig/application.go

@@ -9,17 +9,22 @@ package channelconfig
 import (
 	"github.com/hyperledger/fabric/common/capabilities"
 	cb "github.com/hyperledger/fabric/protos/common"
+	pb "github.com/hyperledger/fabric/protos/peer"
 
 	"github.com/pkg/errors"
 )
 
 const (
 	// ApplicationGroupKey is the group name for the Application config
 	ApplicationGroupKey = "Application"
+
+	// ACLsKey is the name of the ACLs config
+	ACLsKey = "ACLs"
 )
 
 // ApplicationProtos is used as the source of the ApplicationConfig
 type ApplicationProtos struct {
+	ACLs         *pb.ACLs
 	Capabilities *cb.Capabilities
 }
 
@@ -60,3 +65,8 @@ func (ac *ApplicationConfig) Organizations() map[string]ApplicationOrg {
 func (ac *ApplicationConfig) Capabilities() ApplicationCapabilities {
 	return capabilities.NewApplicationProvider(ac.protos.Capabilities.Capabilities)
 }
+
+// ACLs returns a map of resource name to APIResource
+func (ac *ApplicationConfig) ACLs() map[string]*pb.APIResource {
+	return ac.protos.ACLs.Acls
+}

common/channelconfig/util.go

@@ -205,3 +205,20 @@ func ChannelCreationPolicyValue(policy *cb.Policy) *StandardConfigValue {
 		value: policy,
 	}
 }
+
+// ACLsValues returns the config definition for an applications resources based ACL definitions.
+// It is a value for the /Channel/Application/.
+func ACLValues(acls map[string]string) *StandardConfigValue {
+	a := &pb.ACLs{
+		Acls: make(map[string]*pb.APIResource),
+	}
+
+	for apiResource, policyRef := range acls {
+		a.Acls[apiResource] = &pb.APIResource{PolicyRef: policyRef}
+	}
+
+	return &StandardConfigValue{
+		key:   ACLsKey,
+		value: a,
+	}
+}

common/channelconfig/util_test.go

@@ -42,4 +42,5 @@ func TestUtilsBasic(t *testing.T) {
 	basicTest(t, CapabilitiesValue(map[string]bool{"foo": true, "bar": false}))
 	basicTest(t, AnchorPeersValue([]*pb.AnchorPeer{{}, {}}))
 	basicTest(t, ChannelCreationPolicyValue(&cb.Policy{}))
+	basicTest(t, ACLValues(map[string]string{"foo": "fooval", "bar": "barval"}))
 }

common/mocks/config/application.go

@@ -6,10 +6,14 @@ SPDX-License-Identifier: Apache-2.0
 
 package config
 
-import "github.com/hyperledger/fabric/common/channelconfig"
+import (
+	"github.com/hyperledger/fabric/common/channelconfig"
+	pb "github.com/hyperledger/fabric/protos/peer"
+)
 
 type MockApplication struct {
 	CapabilitiesRv channelconfig.ApplicationCapabilities
+	Acls           map[string]*pb.APIResource
 }
 
 func (m *MockApplication) Organizations() map[string]channelconfig.ApplicationOrg {
@@ -20,6 +24,10 @@ func (m *MockApplication) Capabilities() channelconfig.ApplicationCapabilities {
 	return m.CapabilitiesRv
 }
 
+func (m *MockApplication) ACLs() map[string]*pb.APIResource {
+	return m.Acls
+}
+
 type MockApplicationCapabilities struct {
 	SupportedRv                  error
 	ForbidDuplicateTXIdInBlockRv bool

common/tools/configtxgen/encoder/encoder.go

@@ -271,6 +271,10 @@ func NewApplicationGroup(conf *genesisconfig.Application) (*cb.ConfigGroup, erro
 		}
 	}
 
+	if len(conf.ACLs) > 0 {
+		addValue(applicationGroup, channelconfig.ACLValues(conf.ACLs), channelconfig.AdminsPolicyKey)
+	}
+
 	if len(conf.Capabilities) > 0 {
 		addValue(applicationGroup, channelconfig.CapabilitiesValue(conf.Capabilities), channelconfig.AdminsPolicyKey)
 	}

common/tools/configtxgen/encoder/encoder_test.go

@@ -77,13 +77,17 @@ func TestGoodChannelCreateConfigUpdate(t *testing.T) {
 
 	createConfig := genesisconfig.Load(genesisconfig.SampleSingleMSPChannelProfile)
 
+	//ACLs does not marshal deterministically. Set it to nil is ok as its not
+	//updated anyway
+	createConfig.Application.ACLs = nil
+
 	configUpdate, err := NewChannelCreateConfigUpdate("channel.id", nil, createConfig)
 	assert.NoError(t, err)
 	assert.NotNil(t, configUpdate)
 
 	defaultConfigUpdate, err := NewChannelCreateConfigUpdate("channel.id", systemChannel, createConfig)
 	assert.NoError(t, err)
-	assert.NotNil(t, configUpdate)
+	assert.NotNil(t, defaultConfigUpdate)
 
 	assert.True(t, proto.Equal(configUpdate, defaultConfigUpdate), "the config used has had no updates, so should equal default")
 }

core/chaincode/chaincode_support_test.go

@@ -146,7 +146,7 @@ var theChaincodeSupport *ChaincodeSupport
 //initialize peer and start up. If security==enabled, login as vp
 func initMockPeer(chainIDs ...string) error {
 	msi := &cmp.MockSupportImpl{
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetApplicationConfigBoolRv: true,
 	}
 	sysccprovider.RegisterSystemChaincodeProviderFactory(

core/endorser/endorser_test.go

@@ -60,7 +60,7 @@ func TestEndorserNilProp(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
 		ExecuteResp:                &pb.Response{Status: 200, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},
@@ -76,7 +76,7 @@ func TestEndorserUninvokableSysCC(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv:       true,
-		GetApplicationConfigRv:           &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:           &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:            errors.New(""),
 		IsSysCCAndNotInvokableExternalRv: true,
 	})
@@ -92,7 +92,7 @@ func TestEndorserCCInvocationFailed(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
 		ExecuteResp:                &pb.Response{Status: 1000, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},
@@ -110,7 +110,7 @@ func TestEndorserNoCCDef(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionError:   errors.New(""),
 		ExecuteResp:                &pb.Response{Status: 200, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},
@@ -128,7 +128,7 @@ func TestEndorserBadInstPolicy(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv:    true,
-		GetApplicationConfigRv:        &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:        &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:         errors.New(""),
 		CheckInstantiationPolicyError: errors.New(""),
 		ChaincodeDefinitionRv:         &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
@@ -147,7 +147,7 @@ func TestEndorserSysCC(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		IsSysCCRv:                  true,
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
@@ -166,7 +166,7 @@ func TestEndorserCCInvocationError(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ExecuteError:               errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
@@ -184,7 +184,7 @@ func TestEndorserLSCCBadType(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
 		ExecuteResp:                &pb.Response{Status: 200, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},
@@ -210,7 +210,7 @@ func TestEndorserDupTXId(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
 		ExecuteResp:                &pb.Response{Status: 200, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},
 		GetTxSimulatorRv:           &ccprovider.MockTxSim{&ledger.TxSimulationResults{PubSimulationResults: &rwset.TxReadWriteSet{}}},
@@ -227,7 +227,7 @@ func TestEndorserBadACL(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		CheckACLErr:                errors.New(""),
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
@@ -246,7 +246,7 @@ func TestEndorserGoodPathEmptyChannel(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
 		ExecuteResp:                &pb.Response{Status: 200, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},
@@ -264,7 +264,7 @@ func TestEndorserLSCCInitFails(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
 		ExecuteResp:                &pb.Response{Status: 200, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},
@@ -294,7 +294,7 @@ func TestEndorserLSCCDeploySysCC(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
 		ExecuteResp:                &pb.Response{Status: 200, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},
@@ -325,7 +325,7 @@ func TestEndorserLSCCJava1(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		IsJavaRV:                   true,
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
@@ -356,7 +356,7 @@ func TestEndorserLSCCJava2(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		IsJavaErr:                  errors.New(""),
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
@@ -383,7 +383,7 @@ func TestEndorserGoodPathWEvents(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
 		ExecuteResp:                &pb.Response{Status: 200, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},
@@ -402,7 +402,7 @@ func TestEndorserBadChannel(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
 		ExecuteResp:                &pb.Response{Status: 200, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},
@@ -420,7 +420,7 @@ func TestEndorserGoodPath(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
 		ExecuteResp:                &pb.Response{Status: 200, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},
@@ -438,7 +438,7 @@ func TestEndorserLSCC(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
 		ExecuteResp:                &pb.Response{Status: 200, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},
@@ -464,7 +464,7 @@ func TestSimulateProposal(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
 		ExecuteResp:                &pb.Response{Status: 200, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},
@@ -484,7 +484,7 @@ func TestEndorserJavaChecks(t *testing.T) {
 		return nil
 	}, &em.MockSupport{
 		GetApplicationConfigBoolRv: true,
-		GetApplicationConfigRv:     &mc.MockApplication{&mc.MockApplicationCapabilities{}},
+		GetApplicationConfigRv:     &mc.MockApplication{CapabilitiesRv: &mc.MockApplicationCapabilities{}},
 		GetTransactionByIDErr:      errors.New(""),
 		ChaincodeDefinitionRv:      &resourceconfig.MockChaincodeDefinition{EndorsementStr: "ESCC"},
 		ExecuteResp:                &pb.Response{Status: 200, Payload: utils.MarshalOrPanic(&pb.ProposalResponse{Response: &pb.Response{}})},