FAB-13517 Add ACLs for _lifecycle chaincode

This CR wires the standard ACL checking stuff into the new _lifecycle
chaincode.

Change-Id: Ie16018fb8e6b7b9904f345cd60b231e7af5326f9
Signed-off-by: Jason Yellick <jyellick@us.ibm.com>

Author: Jason Yellick

core/aclmgmt/defaultaclprovider.go

@@ -58,6 +58,16 @@ func (d *defaultACLProviderImpl) initialize() {
 	d.pResourcePolicyMap = make(map[string]string)
 	d.cResourcePolicyMap = make(map[string]string)
 
+	//-------------- _lifecycle --------------
+	d.pResourcePolicyMap[resources.Lifecycle_InstallChaincode] = mgmt.Admins
+	d.pResourcePolicyMap[resources.Lifecycle_QueryInstalledChaincode] = mgmt.Admins
+	d.pResourcePolicyMap[resources.Lifecycle_QueryInstalledChaincodes] = mgmt.Admins
+	d.pResourcePolicyMap[resources.Lifecycle_ApproveChaincodeDefinitionForMyOrg] = mgmt.Admins
+
+	d.cResourcePolicyMap[resources.Lifecycle_CommitChaincodeDefinition] = CHANNELWRITERS
+	d.cResourcePolicyMap[resources.Lifecycle_QueryChaincodeDefinition] = CHANNELWRITERS
+	d.cResourcePolicyMap[resources.Lifecycle_QueryNamespaceDefinitions] = CHANNELWRITERS
+
 	//-------------- LSCC --------------
 	//p resources (implemented by the chaincode currently)
 	d.pResourcePolicyMap[resources.Lscc_Install] = mgmt.Admins

core/aclmgmt/resources/resources.go

@@ -11,6 +11,15 @@ package resources
 //based on local MSP). These are not currently covered by resource or default
 //ACLProviders
 const (
+	// _lifecycle resources
+	Lifecycle_InstallChaincode                   = "_lifecycle/InstallChaincode"
+	Lifecycle_QueryInstalledChaincode            = "_lifecycle/QueryInstalledChaincode"
+	Lifecycle_QueryInstalledChaincodes           = "_lifecycle/QueryInstalledChaincodes"
+	Lifecycle_ApproveChaincodeDefinitionForMyOrg = "_lifecycle/ApproveChaincodeDefinitionForMyOrg"
+	Lifecycle_CommitChaincodeDefinition          = "_lifecycle/CommitChaincodeDefinition"
+	Lifecycle_QueryChaincodeDefinition           = "_lifecycle/QueryChaincodeDefinition"
+	Lifecycle_QueryNamespaceDefinitions          = "_lifecycle/QueryNamespaceDefinitions"
+
 	//Lscc resources
 	Lscc_Install                   = "lscc/Install"
 	Lscc_Deploy                    = "lscc/Deploy"

core/chaincode/lifecycle/integration_test.go

@@ -35,6 +35,7 @@ var _ = Describe("Integration", func() {
 		fakeCapabilities        *mock.ApplicationCapabilities
 		fakeOrgConfig           *mock.ApplicationOrgConfig
 		fakeStub                *mock.ChaincodeStub
+		fakeACLProvider         *mock.ACLProvider
 
 		fakeOrgKVStore    map[string][]byte
 		fakePublicKVStore map[string][]byte
@@ -53,6 +54,7 @@ var _ = Describe("Integration", func() {
 		fakeCapabilities = &mock.ApplicationCapabilities{}
 		fakeCapabilities.LifecycleV20Returns(true)
 		fakeApplicationConfig.CapabilitiesReturns(fakeCapabilities)
+		fakeACLProvider = &mock.ACLProvider{}
 
 		fakeOrgConfig = &mock.ApplicationOrgConfig{}
 		fakeOrgConfig.MSPIDReturns("fake-mspid")
@@ -68,6 +70,7 @@ var _ = Describe("Integration", func() {
 			Functions:           l,
 			OrgMSPID:            "fake-mspid",
 			ChannelConfigSource: fakeChannelConfigSource,
+			ACLProvider:         fakeACLProvider,
 		}
 
 		fakePublicKVStore = map[string][]byte{}

core/chaincode/lifecycle/lifecycle_suite_test.go

@@ -14,6 +14,7 @@ import (
 	commonledger "github.com/hyperledger/fabric/common/ledger"
 	"github.com/hyperledger/fabric/common/policies"
 	"github.com/hyperledger/fabric/common/util"
+	"github.com/hyperledger/fabric/core/aclmgmt"
 	"github.com/hyperledger/fabric/core/chaincode/lifecycle"
 	"github.com/hyperledger/fabric/core/chaincode/shim"
 	"github.com/hyperledger/fabric/core/handlers/validation/api/state"
@@ -22,6 +23,11 @@ import (
 	. "github.com/onsi/gomega"
 )
 
+//go:generate counterfeiter -o mock/aclprovider.go --fake-name ACLProvider . aclProvider
+type aclProvider interface {
+	aclmgmt.ACLProvider
+}
+
 //go:generate counterfeiter -o mock/chaincode_stub.go --fake-name ChaincodeStub . chaincodeStub
 type chaincodeStub interface {
 	shim.ChaincodeStubInterface

core/chaincode/lifecycle/mock/aclprovider.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/hyperledger/fabric/common/chaincode"
 	"github.com/hyperledger/fabric/common/channelconfig"
+	"github.com/hyperledger/fabric/core/aclmgmt"
 	"github.com/hyperledger/fabric/core/chaincode/shim"
 	"github.com/hyperledger/fabric/core/dispatcher"
 	pb "github.com/hyperledger/fabric/protos/peer"
@@ -91,6 +92,8 @@ type ChannelConfigSource interface {
 type SCC struct {
 	OrgMSPID string
 
+	ACLProvider aclmgmt.ACLProvider
+
 	ChannelConfigSource ChannelConfigSource
 
 	// Functions provides the backing implementation of lifecycle.
@@ -170,7 +173,16 @@ func (scc *SCC) Invoke(stub shim.ChaincodeStubInterface) pb.Response {
 		}
 	}
 
-	// TODO add ACLs
+	// Handle ACL:
+	sp, err := stub.GetSignedProposal()
+	if err != nil {
+		return shim.Error(fmt.Sprintf("Failed getting signed proposal from stub: [%s]", err))
+	}
+
+	err = scc.ACLProvider.CheckACL(fmt.Sprintf("%s/%s", LifecycleNamespace, args[0]), stub.GetChannelID(), sp)
+	if err != nil {
+		return shim.Error(fmt.Sprintf("Failed to authorize invocation due to failed ACL check: %s", err))
+	}
 
 	outputBytes, err := scc.Dispatcher.Dispatch(
 		args[1],

core/chaincode/lifecycle/scc.go

@@ -31,6 +31,7 @@ var _ = Describe("SCC", func() {
 		fakeChannelConfig       *mock.ChannelConfig
 		fakeApplicationConfig   *mock.ApplicationConfig
 		fakeCapabilities        *mock.ApplicationCapabilities
+		fakeACLProvider         *mock.ACLProvider
 	)
 
 	BeforeEach(func() {
@@ -43,13 +44,15 @@ var _ = Describe("SCC", func() {
 		fakeCapabilities = &mock.ApplicationCapabilities{}
 		fakeCapabilities.LifecycleV20Returns(true)
 		fakeApplicationConfig.CapabilitiesReturns(fakeCapabilities)
+		fakeACLProvider = &mock.ACLProvider{}
 		scc = &lifecycle.SCC{
 			Dispatcher: &dispatcher.Dispatcher{
 				Protobuf: &dispatcher.ProtobufImpl{},
 			},
 			Functions:           fakeSCCFuncs,
 			OrgMSPID:            "fake-mspid",
 			ChannelConfigSource: fakeChannelConfigSource,
+			ACLProvider:         fakeACLProvider,
 		}
 	})
 
@@ -137,6 +140,27 @@ var _ = Describe("SCC", func() {
 			})
 		})
 
+		Context("when the ACL provider disapproves of the function", func() {
+			BeforeEach(func() {
+				fakeStub.GetArgsReturns([][]byte{[]byte("any-function"), nil})
+				fakeACLProvider.CheckACLReturns(fmt.Errorf("acl-error"))
+			})
+
+			It("returns an error", func() {
+				Expect(scc.Invoke(fakeStub)).To(Equal(shim.Error("Failed to authorize invocation due to failed ACL check: acl-error")))
+			})
+
+			Context("when the signed data for the tx cannot be retrieved", func() {
+				BeforeEach(func() {
+					fakeStub.GetSignedProposalReturns(nil, fmt.Errorf("shim-error"))
+				})
+
+				It("returns an error", func() {
+					Expect(scc.Invoke(fakeStub)).To(Equal(shim.Error("Failed getting signed proposal from stub: [shim-error]")))
+				})
+			})
+		})
+
 		Describe("InstallChaincode", func() {
 			var (
 				arg          *lb.InstallChaincodeArgs

core/chaincode/lifecycle/scc_test.go

@@ -314,6 +314,7 @@ func serve(args []string) error {
 		Functions:           lifecycleImpl,
 		OrgMSPID:            mspID,
 		ChannelConfigSource: peer.Default,
+		ACLProvider:         aclProvider,
 	}
 
 	dockerProvider := dockercontroller.NewProvider(

peer/node/start.go

@@ -145,6 +145,17 @@ Application: &ApplicationDefaults
         # User's can override these defaults with their own policy mapping by defining the
         # mapping under ACLs in their channel definition
 
+        #---New Lifecycle System Chaincode (_lifecycle) function to policy mapping for access control--#
+
+        # ACL policy for _lifecycle's "CommitChaincodeDefinition" function
+        _lifecycle/CommitChaincodeDefinition: /Channel/Application/Writers
+
+        # ACL policy for _lifecycle's "QueryChaincodeDefinition" function
+        _lifecycle/QueryChaincodeDefinition: /Channel/Application/Readers
+
+        # ACL policy for _lifecycle's "QueryNamespaceDefinitions" function
+        _lifecycle/QueryNamespaceDefinitions: /Channel/Application/Readers
+
         #---Lifecycle System Chaincode (lscc) function to policy mapping for access control---#
 
         # ACL policy for lscc's "getid" function