[FAB-7607] Add Envelope based valid. to RSCC/defaultACL

Extend RSCC and default ACL provider's policy support to extract signed data from a Envelope for doing CheckACL on it. Currently RSCC supports only SignedProposal. Change-Id: I917298fb827abce797206146664951f9e396c49b Signed-off-by: Will Lahti <wtlahti@us.ibm.com>
hyperledger · Jan 5, 2018 · 4f1235a · 4f1235a
1 parent 5db5b21
commit 4f1235a
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 26 deletions.
diff --git a/core/aclmgmt/defaultaclprovider.go b/core/aclmgmt/defaultaclprovider.go
@@ -119,6 +119,12 @@ func (d *defaultACLProvider) CheckACL(resName string, channelID string, idinfo i
 	switch idinfo.(type) {
 	case *pb.SignedProposal:
 		return d.policyChecker.CheckPolicy(channelID, policy, idinfo.(*pb.SignedProposal))
+	case *common.Envelope:
+		sd, err := idinfo.(*common.Envelope).AsSignedData()
+		if err != nil {
+			return err
+		}
+		return d.policyChecker.CheckPolicyBySignedData(channelID, policy, sd)
 	default:
 		aclLogger.Errorf("Unmapped id on checkACL %s", resName)
 		return fmt.Errorf("Unknown id on checkACL %s", resName)

diff --git a/core/scc/rscc/rsccpolicy.go b/core/scc/rscc/rsccpolicy.go
@@ -92,37 +92,45 @@ func newRsccPolicyProvider(channel string, pEvaluator policyEvaluator) rsccPolic
 func (rp *rsccPolicyProviderImpl) CheckACL(polName string, idinfo interface{}) error {
 	rsccLogger.Debugf("rscc  acl check(%s)", polName)
 
-	//we will implemented other identifiers. In the end we just need a SignedData`
-	signedProp, _ := idinfo.(*pb.SignedProposal)
-	if signedProp == nil {
+	//we will implement other identifiers. In the end we just need a SignedData
+	var sd []*common.SignedData
+	var err error
+	switch idinfo.(type) {
+	case *pb.SignedProposal:
+		signedProp, _ := idinfo.(*pb.SignedProposal)
+		// Prepare SignedData
+		proposal, err := utils.GetProposal(signedProp.ProposalBytes)
+		if err != nil {
+			return fmt.Errorf("Failing extracting proposal during check policy with policy [%s]: [%s]", polName, err)
+		}
+
+		header, err := utils.GetHeader(proposal.Header)
+		if err != nil {
+			return fmt.Errorf("Failing extracting header during check policy [%s]: [%s]", polName, err)
+		}
+
+		shdr, err := utils.GetSignatureHeader(header.SignatureHeader)
+		if err != nil {
+			return fmt.Errorf("Invalid Proposal's SignatureHeader during check policy [%s]: [%s]", polName, err)
+		}
+
+		sd = []*common.SignedData{{
+			Data:      signedProp.ProposalBytes,
+			Identity:  shdr.Creator,
+			Signature: signedProp.Signature,
+		}}
+	case *common.Envelope:
+		sd, err = idinfo.(*common.Envelope).AsSignedData()
+		if err != nil {
+			return err
+		}
+	default:
 		return InvalidIdInfo(polName)
 	}
 
-	// Prepare SignedData
-	proposal, err := utils.GetProposal(signedProp.ProposalBytes)
-	if err != nil {
-		return fmt.Errorf("Failing extracting proposal during check policy with policy [%s]: [%s]", polName, err)
-	}
-
-	header, err := utils.GetHeader(proposal.Header)
-	if err != nil {
-		return fmt.Errorf("Failing extracting header during check policy [%s]: [%s]", polName, err)
-	}
-
-	shdr, err := utils.GetSignatureHeader(header.SignatureHeader)
-	if err != nil {
-		return fmt.Errorf("Invalid Proposal's SignatureHeader during check policy [%s]: [%s]", polName, err)
-	}
-
-	sd := []*common.SignedData{{
-		Data:      signedProp.ProposalBytes,
-		Identity:  shdr.Creator,
-		Signature: signedProp.Signature,
-	}}
-
 	err = rp.pEvaluator.Evaluate(polName, sd)
 	if err != nil {
-		return fmt.Errorf("Failed evaluating policy on signed data during check policy [%s]: [%s]", polName, err)
+		return fmt.Errorf("failed evaluating policy on signed data during check policy [%s]: [%s]", polName, err)
 	}
 
 	return nil

diff --git a/core/scc/rscc/rsccpolicy_test.go b/core/scc/rscc/rsccpolicy_test.go
@@ -16,9 +16,13 @@ limitations under the License.
 package rscc
 
 import (
+	"fmt"
+	"os"
 	"testing"
 
 	"github.com/golang/protobuf/proto"
+	"github.com/hyperledger/fabric/common/localmsp"
+	"github.com/hyperledger/fabric/msp/mgmt/testtools"
 	"github.com/hyperledger/fabric/protos/common"
 	"github.com/hyperledger/fabric/protos/peer"
 	"github.com/hyperledger/fabric/protos/utils"
@@ -53,6 +57,11 @@ func TestRsccPolicyBase(t *testing.T) {
 	sProp, _ := utils.MockSignedEndorserProposalOrPanic("A", &peer.ChaincodeSpec{}, []byte("Alice"), []byte("msg1"))
 	err := pprov.CheckACL("pol", sProp)
 	assert.NoError(t, err)
+
+	env, err := utils.CreateSignedEnvelope(common.HeaderType_CONFIG, "myc", localmsp.NewSigner(), &common.ConfigEnvelope{}, 0, 0)
+	assert.NoError(t, err)
+	err = pprov.CheckACL("pol", env)
+	assert.NoError(t, err)
 }
 
 func TestRsccPolicyBad(t *testing.T) {
@@ -82,3 +91,14 @@ func TestRsccPolicyBad(t *testing.T) {
 	err = pprov.CheckACL("res", sProp)
 	assert.Error(t, err)
 }
+
+func init() {
+	var err error
+	// setup the MSP manager so that we can sign/verify
+	err = msptesttools.LoadMSPSetupForTesting()
+	if err != nil {
+		fmt.Printf("Could not load msp config, err %s", err)
+		os.Exit(-1)
+		return
+	}
+}