[FAB-9255] configtxgen encode policy specs

This CR modifies the encoder for `configtxgen` to generate policies as
provided by configtx.yaml instead of the default policies.  It also
marks the default policy generation as deprecated and emits a warning
when used.

Change-Id: I7dc5524e3f34767acb06523068047d0ace7a22a4
Signed-off-by: Jason Yellick <jyellick@us.ibm.com>

Author: Jason Yellick

common/tools/configtxgen/encoder/encoder.go

@@ -51,6 +51,12 @@ const (
 
 	// OrdererAdminsPolicy is the absolute path to the orderer admins policy
 	OrdererAdminsPolicy = "/Channel/Orderer/Admins"
+
+	// SignaturePolicyType is the 'Type' string for signature policies
+	SignaturePolicyType = "Signature"
+
+	// ImplicitMetaPolicyType is the 'Type' string for implicit meta policies
+	ImplicitMetaPolicyType = "ImplicitMeta"
 )
 
 func addValue(cg *cb.ConfigGroup, value channelconfig.ConfigValue, modPolicy string) {
@@ -67,6 +73,40 @@ func addPolicy(cg *cb.ConfigGroup, policy policies.ConfigPolicy, modPolicy strin
 	}
 }
 
+func addPolicies(cg *cb.ConfigGroup, policyMap map[string]*genesisconfig.Policy, modPolicy string) error {
+	for policyName, policy := range policyMap {
+		switch policy.Type {
+		case ImplicitMetaPolicyType:
+			imp, err := policies.ImplicitMetaFromString(policy.Rule)
+			if err != nil {
+				return errors.Wrapf(err, "invalid implicit meta policy rule '%s'", policy.Rule)
+			}
+			cg.Policies[policyName] = &cb.ConfigPolicy{
+				ModPolicy: modPolicy,
+				Policy: &cb.Policy{
+					Type:  int32(cb.Policy_IMPLICIT_META),
+					Value: utils.MarshalOrPanic(imp),
+				},
+			}
+		case SignaturePolicyType:
+			sp, err := cauthdsl.FromString(policy.Rule)
+			if err != nil {
+				return errors.Wrapf(err, "invalid signature policy rule '%s'", policy.Rule)
+			}
+			cg.Policies[policyName] = &cb.ConfigPolicy{
+				ModPolicy: modPolicy,
+				Policy: &cb.Policy{
+					Type:  int32(cb.Policy_SIGNATURE),
+					Value: utils.MarshalOrPanic(sp),
+				},
+			}
+		default:
+			return errors.Errorf("unknown policy type: %s", policy.Type)
+		}
+	}
+	return nil
+}
+
 // addImplicitMetaPolicyDefaults adds the Readers/Writers/Admins policies, with Any/Any/Majority rules respectively.
 func addImplicitMetaPolicyDefaults(cg *cb.ConfigGroup) {
 	addPolicy(cg, policies.ImplicitMetaMajorityPolicy(channelconfig.AdminsPolicyKey), channelconfig.AdminsPolicyKey)
@@ -79,6 +119,7 @@ func addImplicitMetaPolicyDefaults(cg *cb.ConfigGroup) {
 // the admin role principal.
 func addSignaturePolicyDefaults(cg *cb.ConfigGroup, mspID string, devMode bool) {
 	if devMode {
+		logger.Warningf("Specifying AdminPrincipal is deprecated and will be removed in a future release, override the admin principal with explicit policies.")
 		addPolicy(cg, policies.SignaturePolicy(channelconfig.AdminsPolicyKey, cauthdsl.SignedByMspMember(mspID)), channelconfig.AdminsPolicyKey)
 	} else {
 		addPolicy(cg, policies.SignaturePolicy(channelconfig.AdminsPolicyKey, cauthdsl.SignedByMspAdmin(mspID)), channelconfig.AdminsPolicyKey)
@@ -98,7 +139,15 @@ func NewChannelGroup(conf *genesisconfig.Profile) (*cb.ConfigGroup, error) {
 	}
 
 	channelGroup := cb.NewConfigGroup()
-	addImplicitMetaPolicyDefaults(channelGroup)
+	if len(conf.Policies) == 0 {
+		logger.Warningf("Default policy emission is deprecated, please include policy specificiations for the channel group in configtx.yaml")
+		addImplicitMetaPolicyDefaults(channelGroup)
+	} else {
+		if err := addPolicies(channelGroup, conf.Policies, channelconfig.AdminsPolicyKey); err != nil {
+			return nil, errors.Wrapf(err, "error adding policies to channel group")
+		}
+	}
+
 	addValue(channelGroup, channelconfig.HashingAlgorithmValue(), channelconfig.AdminsPolicyKey)
 	addValue(channelGroup, channelconfig.BlockDataHashingStructureValue(), channelconfig.AdminsPolicyKey)
 	addValue(channelGroup, channelconfig.OrdererAddressesValue(conf.Orderer.Addresses), ordererAdminsPolicyName)
@@ -140,7 +189,14 @@ func NewChannelGroup(conf *genesisconfig.Profile) (*cb.ConfigGroup, error) {
 // It sets the mod_policy of all elements to "Admins".  This group is always present in any channel configuration.
 func NewOrdererGroup(conf *genesisconfig.Orderer) (*cb.ConfigGroup, error) {
 	ordererGroup := cb.NewConfigGroup()
-	addImplicitMetaPolicyDefaults(ordererGroup)
+	if len(conf.Policies) == 0 {
+		logger.Warningf("Default policy emission is deprecated, please include policy specificiations for the orderer group in configtx.yaml")
+		addImplicitMetaPolicyDefaults(ordererGroup)
+	} else {
+		if err := addPolicies(ordererGroup, conf.Policies, channelconfig.AdminsPolicyKey); err != nil {
+			return nil, errors.Wrapf(err, "error adding policies to orderer group")
+		}
+	}
 	ordererGroup.Policies[BlockValidationPolicyKey] = &cb.ConfigPolicy{
 		Policy:    policies.ImplicitMetaAnyPolicy(channelconfig.WritersPolicyKey).Value(),
 		ModPolicy: channelconfig.AdminsPolicyKey,
@@ -187,7 +243,15 @@ func NewOrdererOrgGroup(conf *genesisconfig.Organization) (*cb.ConfigGroup, erro
 	}
 
 	ordererOrgGroup := cb.NewConfigGroup()
-	addSignaturePolicyDefaults(ordererOrgGroup, conf.ID, conf.AdminPrincipal != genesisconfig.AdminRoleAdminPrincipal)
+	if len(conf.Policies) == 0 {
+		logger.Warningf("Default policy emission is deprecated, please include policy specificiations for the orderer org group %s in configtx.yaml", conf.Name)
+		addSignaturePolicyDefaults(ordererOrgGroup, conf.ID, conf.AdminPrincipal != genesisconfig.AdminRoleAdminPrincipal)
+	} else {
+		if err := addPolicies(ordererOrgGroup, conf.Policies, channelconfig.AdminsPolicyKey); err != nil {
+			return nil, errors.Wrapf(err, "error adding policies to orderer org group '%s'", conf.Name)
+		}
+	}
+
 	addValue(ordererOrgGroup, channelconfig.MSPValue(mspConfig), channelconfig.AdminsPolicyKey)
 
 	ordererOrgGroup.ModPolicy = channelconfig.AdminsPolicyKey
@@ -198,7 +262,14 @@ func NewOrdererOrgGroup(conf *genesisconfig.Organization) (*cb.ConfigGroup, erro
 // in application logic like chaincodes, and how these members may interact with the orderer.  It sets the mod_policy of all elements to "Admins".
 func NewApplicationGroup(conf *genesisconfig.Application) (*cb.ConfigGroup, error) {
 	applicationGroup := cb.NewConfigGroup()
-	addImplicitMetaPolicyDefaults(applicationGroup)
+	if len(conf.Policies) == 0 {
+		logger.Warningf("Default policy emission is deprecated, please include policy specificiations for the application group in configtx.yaml")
+		addImplicitMetaPolicyDefaults(applicationGroup)
+	} else {
+		if err := addPolicies(applicationGroup, conf.Policies, channelconfig.AdminsPolicyKey); err != nil {
+			return nil, errors.Wrapf(err, "error adding policies to application group")
+		}
+	}
 
 	if len(conf.Capabilities) > 0 {
 		addValue(applicationGroup, channelconfig.CapabilitiesValue(conf.Capabilities), channelconfig.AdminsPolicyKey)
@@ -225,7 +296,14 @@ func NewApplicationOrgGroup(conf *genesisconfig.Organization) (*cb.ConfigGroup,
 	}
 
 	applicationOrgGroup := cb.NewConfigGroup()
-	addSignaturePolicyDefaults(applicationOrgGroup, conf.ID, conf.AdminPrincipal != genesisconfig.AdminRoleAdminPrincipal)
+	if len(conf.Policies) == 0 {
+		logger.Warningf("Default policy emission is deprecated, please include policy specificiations for the application org group %s in configtx.yaml", conf.Name)
+		addSignaturePolicyDefaults(applicationOrgGroup, conf.ID, conf.AdminPrincipal != genesisconfig.AdminRoleAdminPrincipal)
+	} else {
+		if err := addPolicies(applicationOrgGroup, conf.Policies, channelconfig.AdminsPolicyKey); err != nil {
+			return nil, errors.Wrapf(err, "error adding policies to application org group %s", conf.Name)
+		}
+	}
 	addValue(applicationOrgGroup, channelconfig.MSPValue(mspConfig), channelconfig.AdminsPolicyKey)
 
 	var anchorProtos []*pb.AnchorPeer

common/tools/configtxgen/encoder/encoder_test.go

@@ -196,6 +196,17 @@ func TestNewApplicationGroup(t *testing.T) {
 		assert.NotNil(t, group)
 	})
 
+	t.Run("Application missing policies", func(t *testing.T) {
+		config := genesisconfig.Load(genesisconfig.SampleSingleMSPChannelProfile)
+		config.Application.Policies = nil
+		for _, org := range config.Application.Organizations {
+			org.Policies = nil
+		}
+		group, err := NewApplicationGroup(config.Application)
+		assert.NoError(t, err)
+		assert.NotNil(t, group)
+	})
+
 	t.Run("Application unknown MSP", func(t *testing.T) {
 		config := genesisconfig.Load(genesisconfig.SampleSingleMSPChannelProfile)
 		config.Application.Organizations[0] = &genesisconfig.Organization{Name: "FakeOrg", ID: "FakeOrg"}
@@ -222,6 +233,14 @@ func TestNewChannelGroup(t *testing.T) {
 		assert.NotNil(t, group)
 	})
 
+	t.Run("Channel missing policies", func(t *testing.T) {
+		config := genesisconfig.Load(genesisconfig.SampleDevModeSoloProfile)
+		config.Policies = nil
+		group, err := NewChannelGroup(config)
+		assert.NoError(t, err)
+		assert.NotNil(t, group)
+	})
+
 	t.Run("Add application unknown MSP", func(t *testing.T) {
 		config := genesisconfig.Load(genesisconfig.SampleDevModeSoloProfile)
 		config.Application = &genesisconfig.Application{Organizations: []*genesisconfig.Organization{{Name: "FakeOrg"}}}
@@ -256,6 +275,17 @@ func TestNewOrdererGroup(t *testing.T) {
 		assert.Nil(t, group)
 	})
 
+	t.Run("Orderer missing policies", func(t *testing.T) {
+		config := genesisconfig.Load(genesisconfig.SampleDevModeSoloProfile)
+		config.Orderer.Policies = nil
+		for _, org := range config.Orderer.Organizations {
+			org.Policies = nil
+		}
+		group, err := NewOrdererGroup(config.Orderer)
+		assert.NoError(t, err)
+		assert.NotNil(t, group)
+	})
+
 	t.Run("Unknown MSP org", func(t *testing.T) {
 		config := genesisconfig.Load(genesisconfig.SampleDevModeSoloProfile)
 		config.Orderer.Organizations[0] = &genesisconfig.Organization{Name: "FakeOrg", ID: "FakeOrg"}

sampleconfig/configtx.yaml

@@ -80,6 +80,7 @@ Profiles:
             Organizations:
                 - <<: *SampleOrg
                   Policies:
+                      <<: *SampleOrgPolicies
                       Admins:
                           Type: Signature
                           Rule: "OR('SampleOrg.member')"
@@ -88,6 +89,7 @@ Profiles:
             Organizations:
                 - <<: *SampleOrg
                   Policies:
+                      <<: *SampleOrgPolicies
                       Admins:
                           Type: Signature
                           Rule: "OR('SampleOrg.member')"
@@ -96,6 +98,7 @@ Profiles:
                 Organizations:
                     - <<: *SampleOrg
                       Policies:
+                          <<: *SampleOrgPolicies
                           Admins:
                               Type: Signature
                               Rule: "OR('SampleOrg.member')"
@@ -110,6 +113,7 @@ Profiles:
             Organizations:
                 - <<: *SampleOrg
                   Policies:
+                      <<: *SampleOrgPolicies
                       Admins:
                           Type: Signature
                           Rule: "OR('SampleOrg.member')"
@@ -118,6 +122,7 @@ Profiles:
             Organizations:
                 - <<: *SampleOrg
                   Policies:
+                      <<: *SampleOrgPolicies
                       Admins:
                           Type: Signature
                           Rule: "OR('SampleOrg.member')"
@@ -126,6 +131,7 @@ Profiles:
                 Organizations:
                     - <<: *SampleOrg
                       Policies:
+                          <<: *SampleOrgPolicies
                           Admins:
                               Type: Signature
                               Rule: "OR('SampleOrg.member')"
@@ -170,7 +176,7 @@ Organizations:
         # Policies defines the set of policies at this level of the config tree
         # For organization policies, their canonical path is usually
         #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
-        Policies:
+        Policies: &SampleOrgPolicies
             Readers:
                 Type: Signature
                 Rule: "OR('SampleOrg.member')"