[FAB-2410] Encode block validation policy

https://jira.hyperledger.org/browse/FAB-2410 This CR encodes a default block validation policy which requires that some orderer writer have signed blocks for them to be valid. Change-Id: I7ecbdfd4dda8d1d25c80d13c5a1ad0d150db6f3b Signed-off-by: Jason Yellick <jyellick@us.ibm.com>
hyperledger · Feb 23, 2017 · 7b8831f · 7b8831f
1 parent 4eec836
commit 7b8831f
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 8 deletions.
diff --git a/common/configtx/tool/provisional/provisional.go b/common/configtx/tool/provisional/provisional.go
@@ -63,6 +63,9 @@ const (
 
 	// AcceptAllPolicyKey is the key of the AcceptAllPolicy.
 	AcceptAllPolicyKey = "AcceptAllPolicy"
+
+	// BlockValidationPolicyKey
+	BlockValidationPolicyKey = "BlockValidation"
 )
 
 // DefaultChainCreationPolicyNames is the default value of ChainCreatorsKey.
@@ -107,7 +110,8 @@ func New(conf *genesisconfig.Profile) Generator {
 			configtxorderer.TemplateIngressPolicyNames([]string{AcceptAllPolicyKey}),
 			configtxorderer.TemplateEgressPolicyNames([]string{AcceptAllPolicyKey}),
 
-			// Initialize the default Reader/Writer/Admins orderer policies
+			// Initialize the default Reader/Writer/Admins orderer policies, as well as block validation policy
+			policies.TemplateImplicitMetaPolicyWithSubPolicy([]string{configtxorderer.GroupKey}, BlockValidationPolicyKey, configvaluesmsp.WritersPolicyKey, cb.ImplicitMetaPolicy_ANY),
 			policies.TemplateImplicitMetaAnyPolicy([]string{configtxorderer.GroupKey}, configvaluesmsp.ReadersPolicyKey),
 			policies.TemplateImplicitMetaAnyPolicy([]string{configtxorderer.GroupKey}, configvaluesmsp.WritersPolicyKey),
 			policies.TemplateImplicitMetaMajorityPolicy([]string{configtxorderer.GroupKey}, configvaluesmsp.AdminsPolicyKey),

diff --git a/common/policies/implicitmeta_util.go b/common/policies/implicitmeta_util.go
@@ -21,9 +21,8 @@ import (
 	"github.com/hyperledger/fabric/protos/utils"
 )
 
-// TemplateImplicitMetaPolicy creates a policy at the specified path with the given policyName
-// It utilizes the policyName for the subPolicyName as well, as this is the standard usage pattern
-func TemplateImplicitMetaPolicy(path []string, policyName string, rule cb.ImplicitMetaPolicy_Rule) *cb.ConfigGroup {
+// TemplateImplicitMetaPolicy creates a policy at the specified path with the given policyName and subPolicyName
+func TemplateImplicitMetaPolicyWithSubPolicy(path []string, policyName string, subPolicyName string, rule cb.ImplicitMetaPolicy_Rule) *cb.ConfigGroup {
 	root := cb.NewConfigGroup()
 	group := root
 	for _, element := range path {
@@ -36,13 +35,19 @@ func TemplateImplicitMetaPolicy(path []string, policyName string, rule cb.Implic
 			Type: int32(cb.Policy_IMPLICIT_META),
 			Policy: utils.MarshalOrPanic(&cb.ImplicitMetaPolicy{
 				Rule:      rule,
-				SubPolicy: policyName,
+				SubPolicy: subPolicyName,
 			}),
 		},
 	}
 	return root
 }
 
+// TemplateImplicitMetaPolicy creates a policy at the specified path with the given policyName
+// It utilizes the policyName for the subPolicyName as well, as this is the standard usage pattern
+func TemplateImplicitMetaPolicy(path []string, policyName string, rule cb.ImplicitMetaPolicy_Rule) *cb.ConfigGroup {
+	return TemplateImplicitMetaPolicyWithSubPolicy(path, policyName, policyName, rule)
+}
+
 // TempateImplicitMetaAnyPolicy returns TemplateImplicitMetaPolicy with cb.ImplicitMetaPolicy_ANY as the rule
 func TemplateImplicitMetaAnyPolicy(path []string, policyName string) *cb.ConfigGroup {
 	return TemplateImplicitMetaPolicy(path, policyName, cb.ImplicitMetaPolicy_ANY)

diff --git a/common/policies/policy.go b/common/policies/policy.go
@@ -35,14 +35,20 @@ const (
 	// ApplicationPrefix is used in the path of standard application policy paths
 	ApplicationPrefix = "Application"
 
+	// OrdererPrefix is used in the path of standard orderer policy paths
+	OrdererPrefix = "Orderer"
+
 	// ChannelApplicationReaders is the label for the channel's application readers policy
-	ChannelApplicationReaders = "/" + ChannelPrefix + "/" + ApplicationPrefix + "/Readers"
+	ChannelApplicationReaders = PathSeparator + ChannelPrefix + PathSeparator + ApplicationPrefix + PathSeparator + "Readers"
 
 	// ChannelApplicationWriters is the label for the channel's application writers policy
-	ChannelApplicationWriters = "/" + ChannelPrefix + "/" + ApplicationPrefix + "/Writers"
+	ChannelApplicationWriters = PathSeparator + ChannelPrefix + PathSeparator + ApplicationPrefix + PathSeparator + "Writers"
 
 	// ChannelApplicationAdmins is the label for the channel's application admin policy
-	ChannelApplicationAdmins = "/" + ChannelPrefix + "/" + ApplicationPrefix + "/Admins"
+	ChannelApplicationAdmins = PathSeparator + ChannelPrefix + PathSeparator + ApplicationPrefix + PathSeparator + "Admins"
+
+	// BlockValidation is the label for the policy which should validate the block signatures for the channel
+	BlockValidation = PathSeparator + ChannelPrefix + PathSeparator + OrdererPrefix + PathSeparator + "BlockValidation"
 )
 
 var logger = logging.MustGetLogger("common/policies")
@@ -266,6 +272,16 @@ func (pm *ManagerImpl) CommitProposals() {
 				}
 			}
 		}
+		if _, ok := pm.config.managers[OrdererPrefix]; ok {
+			for _, policyName := range []string{BlockValidation} {
+				_, ok := pm.GetPolicy(policyName)
+				if !ok {
+					logger.Warningf("Current configuration has no policy '%s', this will likely cause problems in production systems", policyName)
+				} else {
+					logger.Debugf("As expected, current configuration has policy '%s'", policyName)
+				}
+			}
+		}
 	}
 }