[FAB-3698] def inst. policy needs to include channel

Instantiation policy needs to be defined as part of the
install package. Short of that, the default policy needs to
include all the admin MSPs in the the channel instead of just
the Local MSP of the peer on which the instantiation occurs.

This - among other things -  allows any endorser in the channel
to be part of instantiation.

Change-Id: I16d02e168bcc9a28b0156d734e310268769ea1c7
Signed-off-by: Srinivasan Muralidharan <muralisr@us.ibm.com>

Author: Srinivasan Muralidharan

common/cauthdsl/cauthdsl_builder.go

@@ -113,10 +113,8 @@ func SignedByMspAdmin(mspId string) *cb.SignaturePolicyEnvelope {
 	return p
 }
 
-// SignedByAnyMember returns a policy that requires one valid
-// signature from a member of any of the orgs whose ids are
-// listed in the supplied string array
-func SignedByAnyMember(ids []string) []byte {
+//wrapper for generating "any of a given role" type policies
+func signedByAnyOfGivenRole(role msp.MSPRole_MSPRoleType, ids []string) *cb.SignaturePolicyEnvelope {
 	// we create an array of principals, one principal
 	// per application MSP defined on this chain
 	sort.Strings(ids)
@@ -125,7 +123,7 @@ func SignedByAnyMember(ids []string) []byte {
 	for i, id := range ids {
 		principals[i] = &msp.MSPPrincipal{
 			PrincipalClassification: msp.MSPPrincipal_ROLE,
-			Principal:               utils.MarshalOrPanic(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: id})}
+			Principal:               utils.MarshalOrPanic(&msp.MSPRole{Role: role, MspIdentifier: id})}
 		sigspolicy[i] = SignedBy(int32(i))
 	}
 
@@ -136,7 +134,21 @@ func SignedByAnyMember(ids []string) []byte {
 		Identities: principals,
 	}
 
-	return utils.MarshalOrPanic(p)
+	return p
+}
+
+// SignedByAnyMember returns a policy that requires one valid
+// signature from a member of any of the orgs whose ids are
+// listed in the supplied string array
+func SignedByAnyMember(ids []string) *cb.SignaturePolicyEnvelope {
+	return signedByAnyOfGivenRole(msp.MSPRole_MEMBER, ids)
+}
+
+// SignedByAnyAdmin returns a policy that requires one valid
+// signature from a admin of any of the orgs whose ids are
+// listed in the supplied string array
+func SignedByAnyAdmin(ids []string) *cb.SignaturePolicyEnvelope {
+	return signedByAnyOfGivenRole(msp.MSPRole_ADMIN, ids)
 }
 
 // And is a convenience method which utilizes NOutOf to produce And equivalent behavior

core/chaincode/exectransaction_test.go

@@ -69,6 +69,12 @@ func initPeer(chainIDs ...string) (net.Listener, error) {
 
 	peer.MockInitialize()
 
+	mspGetter := func(cid string) []string {
+		return []string{"DEFAULT"}
+	}
+
+	peer.MockSetMSPIDGetter(mspGetter)
+
 	var opts []grpc.ServerOption
 	if viper.GetBool("peer.tls.enabled") {
 		creds, err := credentials.NewServerTLSFromFile(config.GetPath("peer.tls.cert.file"), config.GetPath("peer.tls.key.file"))

core/chaincode/systemchaincode_test.go

@@ -51,6 +51,12 @@ func initSysCCTests() (*oldSysCCInfo, net.Listener, error) {
 
 	peer.MockInitialize()
 
+	mspGetter := func(cid string) []string {
+		return []string{"DEFAULT"}
+	}
+
+	peer.MockSetMSPIDGetter(mspGetter)
+
 	//use a different address than what we usually use for "peer"
 	//we override the peerAddress set in chaincode_support.go
 	// FIXME: Use peer.GetLocalAddress()

core/committer/txvalidator/validator.go

@@ -361,6 +361,7 @@ func (v *vsccValidatorImpl) GetInfoForValidate(txid, chID, ccID string) (*sysccp
 	cc := &sysccprovider.ChaincodeInstance{ChainID: chID}
 	vscc := &sysccprovider.ChaincodeInstance{ChainID: chID}
 	var policy []byte
+	var err error
 	if ccID != "lscc" {
 		// when we are validating any chaincode other than
 		// LSCC, we need to ask LSCC to give us the name
@@ -383,7 +384,11 @@ func (v *vsccValidatorImpl) GetInfoForValidate(txid, chID, ccID string) (*sysccp
 		cc.ChaincodeName = "lscc"
 		cc.ChaincodeVersion = coreUtil.GetSysCCVersion()
 		vscc.ChaincodeName = "vscc"
-		policy = cauthdsl.SignedByAnyMember(v.support.GetMSPIDs(chID))
+		p := cauthdsl.SignedByAnyMember(v.support.GetMSPIDs(chID))
+		policy, err = utils.Marshal(p)
+		if err != nil {
+			return nil, nil, nil, err
+		}
 	}
 
 	// Get vscc version

core/committer/txvalidator/validator_test.go

@@ -43,6 +43,11 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+func signedByAnyMember(ids []string) []byte {
+	p := cauthdsl.SignedByAnyMember(ids)
+	return utils.MarshalOrPanic(p)
+}
+
 func setupLedgerAndValidator(t *testing.T) (ledger.PeerLedger, Validator) {
 	viper.Set("peer.fileSystemPath", "/tmp/fabric/validatortest")
 	ledgermgmt.InitializeTestEnv()
@@ -193,7 +198,7 @@ func TestInvokeOK(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -210,7 +215,7 @@ func TestInvokeOKSCC(t *testing.T) {
 
 	ccID := "lscc"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -227,7 +232,7 @@ func TestInvokeNOKWritesToLSCC(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID, "lscc"), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -244,7 +249,7 @@ func TestInvokeNOKWritesToESCC(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID, "escc"), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -261,7 +266,7 @@ func TestInvokeNOKWritesToNotExt(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID, "notext"), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -278,7 +283,7 @@ func TestInvokeNOKInvokesNotExt(t *testing.T) {
 
 	ccID := "notext"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -295,7 +300,7 @@ func TestInvokeNOKInvokesEmptyCCName(t *testing.T) {
 
 	ccID := ""
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -312,7 +317,7 @@ func TestInvokeNOKExpiredCC(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfoWithVSCCAndVer(l, ccID, "vscc", "badversion", cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfoWithVSCCAndVer(l, ccID, "vscc", "badversion", signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -329,7 +334,7 @@ func TestInvokeNOKBogusActions(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfo(l, ccID, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfo(l, ccID, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, []byte("barf"), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}
@@ -361,7 +366,7 @@ func TestInvokeNOKVSCCUnspecified(t *testing.T) {
 
 	ccID := "mycc"
 
-	putCCInfoWithVSCCAndVer(l, ccID, "", ccVersion, cauthdsl.SignedByAnyMember([]string{"DEFAULT"}), t)
+	putCCInfoWithVSCCAndVer(l, ccID, "", ccVersion, signedByAnyMember([]string{"DEFAULT"}), t)
 
 	tx := getEnv(ccID, createRWset(t, ccID), t)
 	b := &common.Block{Data: &common.BlockData{Data: [][]byte{utils.MarshalOrPanic(tx)}}}

core/endorser/endorser_test.go

@@ -87,6 +87,12 @@ func initPeer(chainID string) (*testEnvironment, error) {
 	//initialize ledger
 	peer.MockInitialize()
 
+	mspGetter := func(cid string) []string {
+		return []string{"DEFAULT"}
+	}
+
+	peer.MockSetMSPIDGetter(mspGetter)
+
 	getPeerEndpoint := func() (*pb.PeerEndpoint, error) {
 		return &pb.PeerEndpoint{Id: &pb.PeerID{Name: "testpeer"}, Address: peerAddress}, nil
 	}

core/peer/peer.go

@@ -93,6 +93,12 @@ func MockInitialize() {
 
 var chainInitializer func(string)
 
+var mockMSPIDGetter func(string) []string
+
+func MockSetMSPIDGetter(mspIDGetter func(string) []string) {
+	mockMSPIDGetter = mspIDGetter
+}
+
 // Initialize sets up any chains that the peer has from the persistence. This
 // function should be called at the start up when the ledger and gossip
 // ready
@@ -419,6 +425,12 @@ func buildTrustedRootsForChain(cm configtxapi.Manager) {
 func GetMSPIDs(cid string) []string {
 	chains.RLock()
 	defer chains.RUnlock()
+
+	//if mock is set, use it to return MSPIDs
+	//used for tests without a proper join
+	if mockMSPIDGetter != nil {
+		return mockMSPIDGetter(cid)
+	}
 	if c, ok := chains.list[cid]; ok {
 		if c == nil || c.cs == nil ||
 			c.cs.ApplicationConfig() == nil ||

core/scc/lscc/lscc.go

@@ -226,7 +226,7 @@ func (f InvalidCCOnFSError) Error() string {
 type InstantiationPolicyViolatedErr string
 
 func (f InstantiationPolicyViolatedErr) Error() string {
-	return "chaincode instantiation policy violated"
+	return fmt.Sprintf("chaincode instantiation policy violated(%s)", string(f))
 }
 
 //InstantiationPolicyMissing when no existing instantiation policy is found when upgrading CC
@@ -479,8 +479,9 @@ func (lscc *LifeCycleSysCC) executeInstall(stub shim.ChaincodeStubInterface, ccb
 }
 
 // getInstantiationPolicy retrieves the instantiation policy from a SignedCDSPackage
-func (lscc *LifeCycleSysCC) getInstantiationPolicy(stub shim.ChaincodeStubInterface, ccpack ccprovider.CCPackage) ([]byte, error) {
+func (lscc *LifeCycleSysCC) getInstantiationPolicy(channel string, ccpack ccprovider.CCPackage) ([]byte, error) {
 	var ip []byte
+	var err error
 	// if ccpack is a SignedCDSPackage, return its IP, otherwise use a default IP
 	sccpack, isSccpack := ccpack.(*ccprovider.SignedCDSPackage)
 	if isSccpack {
@@ -489,17 +490,16 @@ func (lscc *LifeCycleSysCC) getInstantiationPolicy(stub shim.ChaincodeStubInterf
 			return nil, fmt.Errorf("Instantiation policy cannot be null for a SignedCCDeploymentSpec")
 		}
 	} else {
-		// the default instantiation policy requires the peer's msp admin
-		// it assumes that the peer's MSP does not change over time
-		mspid, err := mspmgmt.GetLocalMSP().GetIdentifier()
-		if err != nil {
-			return nil, fmt.Errorf("Error creating default instantiation policy: could not retrieve local MSP identifier %s", err)
-		}
-		ipEnvelope := cauthdsl.SignedByMspAdmin(mspid)
-		ip, err = proto.Marshal(ipEnvelope)
+		// the default instantiation policy allows any of the channel MSP admins
+		// to be able to instantiate
+		mspids := peer.GetMSPIDs(channel)
+
+		p := cauthdsl.SignedByAnyAdmin(mspids)
+		ip, err = utils.Marshal(p)
 		if err != nil {
-			return nil, fmt.Errorf("Marshalling instantiation policy failed: [%s]", err)
+			return nil, fmt.Errorf("Error marshalling default instantiation policy")
 		}
+
 	}
 	return ip, nil
 }
@@ -542,7 +542,7 @@ func (lscc *LifeCycleSysCC) checkInstantiationPolicy(stub shim.ChaincodeStubInte
 	}}
 	err = instPol.Evaluate(sd)
 	if err != nil {
-		return InstantiationPolicyViolatedErr("")
+		return InstantiationPolicyViolatedErr(err.Error())
 	}
 	return nil
 }
@@ -588,7 +588,7 @@ func (lscc *LifeCycleSysCC) executeDeploy(stub shim.ChaincodeStubInterface, chai
 	cd.Policy = policy
 
 	// retrieve and evaluate instantiation policy
-	cd.InstantiationPolicy, err = lscc.getInstantiationPolicy(stub, ccpack)
+	cd.InstantiationPolicy, err = lscc.getInstantiationPolicy(chainname, ccpack)
 	if err != nil {
 		return nil, err
 	}
@@ -664,7 +664,7 @@ func (lscc *LifeCycleSysCC) executeUpgrade(stub shim.ChaincodeStubInterface, cha
 	cd.Policy = policy
 
 	// retrieve and evaluate new instantiation policy
-	cd.InstantiationPolicy, err = lscc.getInstantiationPolicy(stub, ccpack)
+	cd.InstantiationPolicy, err = lscc.getInstantiationPolicy(chainName, ccpack)
 	if err != nil {
 		return nil, err
 	}
@@ -757,7 +757,11 @@ func (lscc *LifeCycleSysCC) Invoke(stub shim.ChaincodeStubInterface) pb.Response
 		if len(args) > 3 && len(args[3]) > 0 {
 			policy = args[3]
 		} else {
-			policy = cauthdsl.SignedByAnyMember(peer.GetMSPIDs(chainname))
+			p := cauthdsl.SignedByAnyMember(peer.GetMSPIDs(chainname))
+			policy, err = utils.Marshal(p)
+			if err != nil {
+				return shim.Error(err.Error())
+			}
 		}
 
 		var escc []byte
@@ -806,7 +810,11 @@ func (lscc *LifeCycleSysCC) Invoke(stub shim.ChaincodeStubInterface) pb.Response
 		if len(args) > 3 && len(args[3]) > 0 {
 			policy = args[3]
 		} else {
-			policy = cauthdsl.SignedByAnyMember(peer.GetMSPIDs(chainname))
+			p := cauthdsl.SignedByAnyMember(peer.GetMSPIDs(chainname))
+			policy, err = utils.Marshal(p)
+			if err != nil {
+				return shim.Error(err.Error())
+			}
 		}
 
 		var escc []byte

core/scc/lscc/lscc_test.go

@@ -22,17 +22,18 @@ import (
 	"strings"
 	"testing"
 
+	"archive/tar"
+	"bytes"
+	"compress/gzip"
+
 	"github.com/golang/protobuf/proto"
 	"github.com/hyperledger/fabric/common/cauthdsl"
 	"github.com/hyperledger/fabric/common/util"
 	"github.com/hyperledger/fabric/core/chaincode/shim"
 	"github.com/hyperledger/fabric/core/common/ccpackage"
 	"github.com/hyperledger/fabric/core/common/ccprovider"
 	"github.com/hyperledger/fabric/core/common/sysccprovider"
-	//"github.com/hyperledger/fabric/core/container"
-	"archive/tar"
-	"bytes"
-	"compress/gzip"
+	"github.com/hyperledger/fabric/core/peer"
 
 	"github.com/stretchr/testify/assert"
 
@@ -1214,6 +1215,12 @@ func TestMain(m *testing.M) {
 	ccprovider.SetChaincodesPath(lscctestpath)
 	sysccprovider.RegisterSystemChaincodeProviderFactory(&scc.MocksccProviderFactory{})
 
+	mspGetter := func(cid string) []string {
+		return []string{"DEFAULT"}
+	}
+
+	peer.MockSetMSPIDGetter(mspGetter)
+
 	var err error
 
 	// setup the MSP manager so that we can sign/verify

core/scc/vscc/validator_onevalidsignature_test.go

@@ -37,6 +37,7 @@ import (
 	"github.com/hyperledger/fabric/core/common/sysccprovider"
 	cutils "github.com/hyperledger/fabric/core/container/util"
 	"github.com/hyperledger/fabric/core/ledger/kvledger/txmgmt/rwsetutil"
+	per "github.com/hyperledger/fabric/core/peer"
 	"github.com/hyperledger/fabric/core/policy"
 	"github.com/hyperledger/fabric/core/scc/lscc"
 	"github.com/hyperledger/fabric/msp"
@@ -1393,6 +1394,12 @@ func TestMain(m *testing.M) {
 	sysccprovider.RegisterSystemChaincodeProviderFactory(&scc.MocksccProviderFactory{})
 	policy.RegisterPolicyCheckerFactory(&mockPolicyCheckerFactory{})
 
+	mspGetter := func(cid string) []string {
+		return []string{"DEFAULT"}
+	}
+
+	per.MockSetMSPIDGetter(mspGetter)
+
 	var err error
 
 	// setup the MSP manager so that we can sign/verify