[FAB-5721] ACLProvider at QSCC

This change-set does following:
- It modifed the QSCC to use ACLProvider
for access control.

Tests have been updated to validate the changes.

removed sync.Once so we can use RegisterACLProvider for UT

. Uses mocks framework for all tests (removes MockACLProvider2).
. Put back sync.Once and remove SetACLProvider now we use the
  mock for everything
. refactor query_test.go to use the mock

Change-Id: I5f5346c131d6cf715f23a0717fed82c76f58dd43
Signed-off-by: Angelo De Caro <adc@zurich.ibm.com>
Signed-off-by: Srinivasan Muralidharan <srinivasan.muralidharan99@gmail.com>

core/aclmgmt/aclmgmt_test.go

@@ -1,4 +1,5 @@
 /*
+
 Copyright IBM Corp. All Rights Reserved.
 
 SPDX-License-Identifier: Apache-2.0
@@ -7,34 +8,31 @@ SPDX-License-Identifier: Apache-2.0
 package aclmgmt
 
 import (
-	"fmt"
 	"sync"
 	"testing"
 
-	"github.com/hyperledger/fabric/core/ledger"
-	"github.com/hyperledger/fabric/protos/common"
+	"github.com/hyperledger/fabric/core/aclmgmt/mocks"
 	pb "github.com/hyperledger/fabric/protos/peer"
 	"github.com/stretchr/testify/assert"
-)
-
-type mockACLProvider struct {
-	retErr error
-}
 
-func (m *mockACLProvider) CheckACL(resName string, channelID string, idinfo interface{}) error {
-	return m.retErr
-}
-
-func (e *mockACLProvider) GenerateSimulationResults(txEnvelop *common.Envelope, simulator ledger.TxSimulator) error {
-	return nil
-}
+	"github.com/pkg/errors"
+)
 
 //treat each test as an independent isolated one
 func reinit() {
 	aclProvider = nil
 	once = sync.Once{}
 }
 
+func registerACLProvider() *mocks.MockACLProvider {
+	aclProv := &mocks.MockACLProvider{}
+	aclProv.Reset()
+
+	RegisterACLProvider(aclProv)
+
+	return aclProv
+}
+
 func TestACLProcessor(t *testing.T) {
 	reinit()
 	assert.NotNil(t, GetConfigTxProcessor().GenerateSimulationResults(nil, nil), "Expected non-nil error")
@@ -82,14 +80,18 @@ func TestOverride(t *testing.T) {
 
 func TestWithProvider(t *testing.T) {
 	reinit()
-	RegisterACLProvider(&mockACLProvider{})
-	err := GetACLProvider().CheckACL(PROPOSE, "somechain", &pb.SignedProposal{})
+	aclprov := registerACLProvider()
+	prop := &pb.SignedProposal{}
+	aclprov.On("CheckACL", PROPOSE, "somechain", prop).Return(nil)
+	err := GetACLProvider().CheckACL(PROPOSE, "somechain", prop)
 	assert.NoError(t, err)
 }
 
 func TestBadACL(t *testing.T) {
 	reinit()
-	RegisterACLProvider(&mockACLProvider{retErr: fmt.Errorf("badacl")})
-	err := GetACLProvider().CheckACL(PROPOSE, "somechain", &pb.SignedProposal{})
+	aclprov := registerACLProvider()
+	prop := &pb.SignedProposal{}
+	aclprov.On("CheckACL", PROPOSE, "somechain", prop).Return(errors.New("badacl"))
+	err := GetACLProvider().CheckACL(PROPOSE, "somechain", prop)
 	assert.Error(t, err, "Expected error")
 }

core/aclmgmt/mocks/mocks.go

@@ -0,0 +1,45 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package mocks
+
+import (
+	"testing"
+
+	"github.com/hyperledger/fabric/core/ledger"
+	"github.com/hyperledger/fabric/protos/common"
+	"github.com/stretchr/testify/mock"
+)
+
+type MockACLProvider struct {
+	//create a mock object that can be reset after
+	//registering a MockACLProvider with aclmgmt
+	mock *mock.Mock
+}
+
+//clear the mock so we can start afresh
+func (m *MockACLProvider) Reset() {
+	m.mock = &mock.Mock{}
+}
+
+func (m *MockACLProvider) CheckACL(resName string, channelID string, idinfo interface{}) error {
+	args := m.mock.Called(resName, channelID, idinfo)
+	return args.Error(0)
+}
+
+func (m *MockACLProvider) GenerateSimulationResults(txEnvelop *common.Envelope, simulator ledger.TxSimulator) error {
+	return nil
+}
+
+//On overrider the mock method for convenience
+func (m *MockACLProvider) On(methodName string, arguments ...interface{}) *mock.Call {
+	return m.mock.On(methodName, arguments...)
+}
+
+//AssertExpectations overrider the mock method for convenience
+func (m *MockACLProvider) AssertExpectations(t *testing.T) {
+	m.mock.AssertExpectations(t)
+}

core/scc/qscc/query.go

@@ -22,12 +22,10 @@ import (
 
 	"github.com/hyperledger/fabric/common/flogging"
 
-	"github.com/hyperledger/fabric/common/policies"
+	"github.com/hyperledger/fabric/core/aclmgmt"
 	"github.com/hyperledger/fabric/core/chaincode/shim"
 	"github.com/hyperledger/fabric/core/ledger"
 	"github.com/hyperledger/fabric/core/peer"
-	"github.com/hyperledger/fabric/core/policy"
-	"github.com/hyperledger/fabric/msp/mgmt"
 	pb "github.com/hyperledger/fabric/protos/peer"
 	"github.com/hyperledger/fabric/protos/utils"
 )
@@ -38,7 +36,6 @@ import (
 // - GetBlockByHash returns a block
 // - GetTransactionByID returns a transaction
 type LedgerQuerier struct {
-	policyChecker policy.PolicyChecker
 }
 
 var qscclogger = flogging.MustGetLogger("qscc")
@@ -58,13 +55,6 @@ const (
 func (e *LedgerQuerier) Init(stub shim.ChaincodeStubInterface) pb.Response {
 	qscclogger.Info("Init QSCC")
 
-	// Init policy checker for access control
-	e.policyChecker = policy.NewPolicyChecker(
-		peer.NewChannelPolicyManagerGetter(),
-		mgmt.GetLocalMSP(),
-		mgmt.NewLocalMSPPrincipalGetter(),
-	)
-
 	return shim.Success(nil)
 }
 
@@ -103,8 +93,9 @@ func (e *LedgerQuerier) Invoke(stub shim.ChaincodeStubInterface) pb.Response {
 	}
 
 	// 2. check the channel reader policy
-	if err = e.policyChecker.CheckPolicy(cid, policies.ChannelApplicationReaders, sp); err != nil {
-		return shim.Error(fmt.Sprintf("Authorization request failed %s: %s", cid, err))
+	res := getACLResource(fname)
+	if err = aclmgmt.GetACLProvider().CheckACL(res, cid, sp); err != nil {
+		return shim.Error(fmt.Sprintf("Authorization request for [%s][%cid] failed: [%s]", fname, cid, err))
 	}
 
 	switch fname {
@@ -216,3 +207,7 @@ func getBlockByTxID(vledger ledger.PeerLedger, rawTxID []byte) pb.Response {
 
 	return shim.Success(bytes)
 }
+
+func getACLResource(fname string) string {
+	return "QSCC." + fname
+}