[FAB-7604] Peer deliver unusable when pol. not defined

After FAB-7521, the peer deliver service is unusable because the BLOCKEVENT policy is not set by default. This CR uses the aclmgmt package, which will check for the policy and, if not set, use the default value (in this case, channel readers). It also restores the behave tests to their previous state to ensure peer deliver remains usable by default. Change-Id: I46e71853881271539e28a110ce8b81d3bd248d19 Signed-off-by: Will Lahti <wtlahti@us.ibm.com>
hyperledger · Jan 5, 2018 · 5fa00ff · 5fa00ff
1 parent 4f1235a
commit 5fa00ff
Show file tree

Hide file tree

Showing 8 changed files with 73 additions and 108 deletions.
diff --git a/bddtests/features/bootstrap.feature b/bddtests/features/bootstrap.feature
@@ -254,14 +254,14 @@ Feature: Bootstrap
            | ChainId                               | Start |  End    |
            | com.acme.blockchain.jdoe.channel1     |   0   |  0      |
 
-    Then user "dev0Org0" should get a delivery "genesisBlockForMyNewChannel" from "peer0" of "0" blocks with "0" messages within "1" seconds
+    Then user "dev0Org0" should get a delivery "genesisBlockForMyNewChannel" from "peer0" of "1" blocks with "1" messages within "1" seconds
 
     When user "dev0Org0" using cert alias "consortium1-cert" connects to deliver function on orderer "peer2" using port "7051"
          And user "dev0Org0" sends deliver a seek request on orderer "peer2" with properties:
            | ChainId                               | Start |  End    |
            | com.acme.blockchain.jdoe.channel1     |   0   |  0      |
 
-    Then user "dev0Org0" should get a delivery "genesisBlockForMyNewChannelFromOtherOrgsPeer" from "peer2" of "0" blocks with "0" messages within "1" seconds
+    Then user "dev0Org0" should get a delivery "genesisBlockForMyNewChannelFromOtherOrgsPeer" from "peer2" of "1" blocks with "1" messages within "1" seconds
 
     # Entry point for invoking on an existing channel
     When user "peer0Admin" creates a chaincode spec "ccSpec" with name "example02" of type "GOLANG" for chaincode "github.com/hyperledger/fabric/examples/chaincode/go/chaincode_example02" with args

diff --git a/common/config/api.go b/common/config/api.go
@@ -6,7 +6,6 @@ SPDX-License-Identifier: Apache-2.0
 package config
 
 import (
-	"github.com/hyperledger/fabric/common/resourcesconfig"
 	cb "github.com/hyperledger/fabric/protos/common"
 )
 
@@ -26,7 +25,4 @@ type Manager interface {
 
 	// GetResourceConfig defines methods that are related to resource configuration
 	GetResourceConfig(channel string) Config
-
-	// GetPolicyMapper returns API to the policy mapper
-	GetPolicyMapper(channel string) resourcesconfig.PolicyMapper
 }
diff --git a/common/deliver/deliver.go b/common/deliver/deliver.go
@@ -68,18 +68,19 @@ type Support interface {
 	Errored() <-chan struct{}
 }
 
-// PolicyNameProvider provides a policy name given the channel id
-type PolicyNameProvider func(chainID string) (string, error)
+// PolicyChecker checks the envelope against the policy logic supplied by the
+// function
+type PolicyChecker func(envelope *cb.Envelope, channelID string) error
 
 type deliverServer struct {
 	sm               SupportManager
-	policyProvider   PolicyNameProvider
+	policyChecker    PolicyChecker
 	timeWindow       time.Duration
 	bindingInspector comm.BindingInspector
 }
 
 // NewHandlerImpl creates an implementation of the Handler interface
-func NewHandlerImpl(sm SupportManager, policyProvider PolicyNameProvider, timeWindow time.Duration, mutualTLS bool) Handler {
+func NewHandlerImpl(sm SupportManager, policyChecker PolicyChecker, timeWindow time.Duration, mutualTLS bool) Handler {
 	// function to extract the TLS cert hash from a channel header
 	extract := func(msg proto.Message) []byte {
 		chdr, isChannelHeader := msg.(*cb.ChannelHeader)
@@ -92,7 +93,7 @@ func NewHandlerImpl(sm SupportManager, policyProvider PolicyNameProvider, timeWi
 
 	return &deliverServer{
 		sm:               sm,
-		policyProvider:   policyProvider,
+		policyChecker:    policyChecker,
 		timeWindow:       timeWindow,
 		bindingInspector: bindingInspector,
 	}
@@ -166,13 +167,7 @@ func (ds *deliverServer) deliverBlocks(srv ab.AtomicBroadcast_DeliverServer, env
 
 	lastConfigSequence := chain.Sequence()
 
-	policyName, err := ds.policyProvider(chdr.ChannelId)
-	if err != nil {
-		logger.Warningf("[channel: %s] failed to obtain policy name due to %s", chdr.ChannelId, err)
-		return sendStatusReply(srv, cb.Status_BAD_REQUEST)
-	}
-	sf := NewSigFilter(policyName, chain)
-	if err := sf.Apply(envelope); err != nil {
+	if err := ds.policyChecker(envelope, chdr.ChannelId); err != nil {
 		logger.Warningf("[channel: %s] Received unauthorized deliver request from %s: %s", chdr.ChannelId, addr, err)
 		return sendStatusReply(srv, cb.Status_FORBIDDEN)
 	}
@@ -225,7 +220,7 @@ func (ds *deliverServer) deliverBlocks(srv ab.AtomicBroadcast_DeliverServer, env
 		currentConfigSequence := chain.Sequence()
 		if currentConfigSequence > lastConfigSequence {
 			lastConfigSequence = currentConfigSequence
-			if err := sf.Apply(envelope); err != nil {
+			if err := ds.policyChecker(envelope, chdr.ChannelId); err != nil {
 				logger.Warningf("[channel: %s] Client authorization revoked for deliver request from %s: %s", chdr.ChannelId, addr, err)
 				return sendStatusReply(srv, cb.Status_FORBIDDEN)
 			}