Update MSP config for application org

FAB-17642 Signed-off-by: Tiffany Harris <tiffany.harris@ibm.com> Signed-off-by: Will Lahti <wtlahti@us.ibm.com>
hyperledger · Mar 25, 2020 · edd5908 · edd5908
1 parent cdc2f68
commit edd5908
Show file tree

Hide file tree

Showing 2 changed files with 580 additions and 1 deletion.
diff --git a/pkg/config/msp.go b/pkg/config/msp.go
@@ -554,6 +554,96 @@ func AddRootCAToMSP(config *cb.Config, rootCA *x509.Certificate, orgName string)
 	return nil
 }
 
+// UpdateMSP updates the MSP for the provided config application org group.
+func UpdateMSP(config *cb.Config, updatedMSP MSP, orgName string) error {
+	currentMSP, err := GetMSPConfigurationForApplicationOrg(config, orgName)
+	if err != nil {
+		return fmt.Errorf("retrieving msp: %v", err)
+	}
+
+	if currentMSP.Name != updatedMSP.Name {
+		return errors.New("MSP name cannot be changed")
+	}
+
+	err = validateMSPCACerts(updatedMSP)
+	if err != nil {
+		return err
+	}
+
+	err = setMSPConfigForOrg(config, updatedMSP, orgName)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func setMSPConfigForOrg(config *cb.Config, updatedMSP MSP, orgName string) error {
+	fabricMSPConfig, err := updatedMSP.toProto()
+	if err != nil {
+		return err
+	}
+
+	conf, err := proto.Marshal(fabricMSPConfig)
+	if err != nil {
+		return fmt.Errorf("marshaling msp config: %v", err)
+	}
+
+	mspConfig := &mb.MSPConfig{
+		Config: conf,
+	}
+
+	orgGroup, err := getApplicationOrg(config, orgName)
+	if err != nil {
+		return err
+	}
+
+	err = addValue(orgGroup, mspValue(mspConfig), AdminsPolicyKey)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func validateMSPCACerts(msp MSP) error {
+	err := validateCACerts(msp.RootCerts)
+	if err != nil {
+		return fmt.Errorf("invalid root cert: %v", err)
+	}
+
+	err = validateCACerts(msp.IntermediateCerts)
+	if err != nil {
+		return fmt.Errorf("invalid intermediate cert: %v", err)
+	}
+
+	err = validateCACerts(msp.TLSRootCerts)
+	if err != nil {
+		return fmt.Errorf("invalid tls root cert: %v", err)
+	}
+
+	err = validateCACerts(msp.TLSIntermediateCerts)
+	if err != nil {
+		return fmt.Errorf("invalid tls intermediate cert: %v", err)
+	}
+
+	return nil
+}
+
+func validateCACerts(caCerts []*x509.Certificate) error {
+	for _, caCert := range caCerts {
+		if (caCert.KeyUsage & x509.KeyUsageCertSign) == 0 {
+			return fmt.Errorf("KeyUsage must be x509.KeyUsageCertSign. serial number: %d", caCert.SerialNumber)
+		}
+
+		if !caCert.IsCA {
+			return fmt.Errorf("must be a CA certificate. serial number: %d", caCert.SerialNumber)
+		}
+	}
+
+	return nil
+}
+
 func getFabricMSPConfig(org *cb.ConfigGroup) (*mb.FabricMSPConfig, error) {
 	configValue, err := getOrgMSPValue(org)
 	if err != nil {
@@ -663,7 +753,7 @@ func RevokeCertificateFromMSP(config *cb.Config, orgName string, caCert *x509.Ce
 	return nil
 }
 
-// validateCerts check if a cert was issued by a given MSP based
+// validateCert checks if a cert was issued by a given MSP based
 // on the root and intermediate CA certs.
 func validateCert(cert *x509.Certificate, fabricMSPConfig *mb.FabricMSPConfig) error {
 	caCerts := []*x509.Certificate{}