[FAB-6651] check instantiation policy upon upgrade

ale-linux · ale-linux · commit a491bbe90e18 · 2017-12-23T09:04:27.000+01:00
When a chaincode is being upgrade, there might be 2 instantiation policies
worth checking: that of the current chaincode and that of the upgraded
chaincode. The existing code checks that the request complies with the
existing instantiation policy (i.e. the one on the ledger). The new code
also checks whether the request complies with the new instantiation policy
(i.e. the one on the rwset). This code change affects the behaviour of the
committer and is therefore enclosed in a capability block.

Change-Id: I6dbdba3ee13a48f165e07c4cee802042a76ab92d
Signed-off-by: Alessandro Sorniotti &lt;ale.linux@sopit.net&gt;
diff --git a/core/scc/vscc/validator_onevalidsignature.go b/core/scc/vscc/validator_onevalidsignature.go
@@ -459,7 +459,7 @@ func (vscc *ValidatorOneValidSignature) ValidateLSCCInvocation(
 			/*****************************************************/
 			pol := cdRWSet.InstantiationPolicy
 			if pol == nil {
-				return fmt.Errorf("No installation policy was specified")
+				return fmt.Errorf("No instantiation policy was specified")
 			}
 			// FIXME: could we actually pull the cds package from the
 			// file system to verify whether the policy that is specified
@@ -499,7 +499,7 @@ func (vscc *ValidatorOneValidSignature) ValidateLSCCInvocation(
 			/*****************************************************/
 			pol := cdLedger.InstantiationPolicy
 			if pol == nil {
-				return fmt.Errorf("No installation policy was specified")
+				return fmt.Errorf("No instantiation policy was specified")
 			}
 			// FIXME: could we actually pull the cds package from the
 			// file system to verify whether the policy that is specified
@@ -517,6 +517,24 @@ func (vscc *ValidatorOneValidSignature) ValidateLSCCInvocation(
 			if cdLedger.Version == cdsArgs.ChaincodeSpec.ChaincodeId.Version {
 				return fmt.Errorf("Existing version of the cc on the ledger (%s) should be different from the upgraded one", cdsArgs.ChaincodeSpec.ChaincodeId.Version)
 			}
+
+			/******************************************************************/
+			/* security check 4 - check the instantiation policy in the rwset */
+			/******************************************************************/
+			if ac.V1_1Validation() {
+				polNew := cdRWSet.InstantiationPolicy
+				if polNew == nil {
+					return errors.New("No instantiation policy was specified")
+				}
+
+				// no point in checking it again if they are the same policy
+				if !bytes.Equal(polNew, pol) {
+					err = vscc.checkInstantiationPolicy(chid, env, polNew, payl)
+					if err != nil {
+						return errors.WithMessage(err, "a failure occurred during the verfication of the upgraded instantiation policy")
+					}
+				}
+			}
 		}
 
 		// all is good!
diff --git a/core/scc/vscc/validator_onevalidsignature_test.go b/core/scc/vscc/validator_onevalidsignature_test.go
@@ -1373,6 +1373,118 @@ func TestValidateUpgradeWithPoliciesOK(t *testing.T) {
 	}
 }
 
+func TestValidateUpgradeWithNewFailAllIP(t *testing.T) {
+	// we're testing upgrade.
+	// In particular, we want to test the scenario where the upgrader
+	// complies with the instantiation policy of the current version
+	// BUT NOT the instantiation policy of the new version. For this
+	// reason we first deploy a cc with IP whic is equal to the AcceptAllPolicy
+	// and then try to upgrade with a cc with the RejectAllPolicy.
+	// We run this test twice, once with the V11 capability (and expect
+	// a failure) and once without (and we expect success).
+
+	validateUpgradeWithNewFailAllIP(t, true, true)
+	validateUpgradeWithNewFailAllIP(t, false, false)
+}
+
+func validateUpgradeWithNewFailAllIP(t *testing.T, v11capability, expecterr bool) {
+	// create the validator
+	v := new(ValidatorOneValidSignature)
+	stub := shim.NewMockStub("validatoronevalidsignature", v)
+
+	lccc := lscc.NewLifeCycleSysCC()
+	stublccc := shim.NewMockStub("lscc", lccc)
+
+	State := make(map[string]map[string][]byte)
+	State["lscc"] = stublccc.State
+	sysccprovider.RegisterSystemChaincodeProviderFactory(&scc.MocksccProviderFactory{
+		Qe: lm.NewMockQueryExecutor(State),
+		ApplicationConfigBool: true,
+		ApplicationConfigRv:   &mc.MockApplication{&mc.MockApplicationCapabilities{V1_1ValidationRv: v11capability}},
+	})
+	stub.MockPeerChaincode("lscc", stublccc)
+
+	// init both chaincodes
+	r1 := stub.MockInit("1", [][]byte{})
+	if r1.Status != shim.OK {
+		fmt.Println("Init failed", string(r1.Message))
+		t.FailNow()
+	}
+
+	r := stublccc.MockInit("1", [][]byte{})
+	if r.Status != shim.OK {
+		fmt.Println("Init failed", string(r.Message))
+		t.FailNow()
+	}
+
+	// deploy the chaincode with an accept all policy
+
+	ccname := "mycc"
+	ccver := "1"
+	path := "github.com/hyperledger/fabric/examples/chaincode/go/chaincode_example02"
+	ppath := lccctestpath + "/" + ccname + "." + ccver
+
+	os.Remove(ppath)
+
+	cds, err := constructDeploymentSpec(ccname, path, ccver, [][]byte{[]byte("init"), []byte("a"), []byte("100"), []byte("b"), []byte("200")}, false)
+	if err != nil {
+		fmt.Printf("%s\n", err)
+		t.FailNow()
+	}
+	_, err = processSignedCDS(cds, cauthdsl.AcceptAllPolicy)
+	assert.NoError(t, err)
+	defer os.Remove(ppath)
+	var b []byte
+	if b, err = proto.Marshal(cds); err != nil || b == nil {
+		t.FailNow()
+	}
+
+	sProp2, _ := utils.MockSignedEndorserProposal2OrPanic(chainId, &peer.ChaincodeSpec{}, id)
+	args := [][]byte{[]byte("deploy"), []byte(ccname), b}
+	if res := stublccc.MockInvokeWithSignedProposal("1", args, sProp2); res.Status != shim.OK {
+		fmt.Printf("%#v\n", res)
+		t.FailNow()
+	}
+
+	// if we're here, we have a cc deployed with an accept all IP
+
+	// now we upgrade, with v 2 of the same cc, with the crucial difference that it has a reject all IP
+
+	ccver = "2"
+
+	simresres, err := createCCDataRWset(ccname, ccname, ccver,
+		cauthdsl.MarshaledRejectAllPolicy, // here's where we specify the IP of the upgraded cc
+	)
+	assert.NoError(t, err)
+
+	tx, err := createLSCCTx(ccname, ccver, lscc.UPGRADE, simresres)
+	if err != nil {
+		t.Fatalf("createTx returned err %s", err)
+	}
+
+	envBytes, err := utils.GetBytesEnvelope(tx)
+	if err != nil {
+		t.Fatalf("GetBytesEnvelope returned err %s", err)
+	}
+
+	policy, err := getSignedByMSPMemberPolicy(mspid)
+	if err != nil {
+		t.Fatalf("failed getting policy, err %s", err)
+	}
+
+	// execute the upgrade tx
+	args = [][]byte{[]byte("dv"), envBytes, policy}
+	if expecterr {
+		if res := stub.MockInvoke("1", args); res.Status == shim.OK {
+			t.Fatalf("vscc invoke should have failed")
+		}
+	} else {
+		if res := stub.MockInvoke("1", args); res.Status != shim.OK {
+			t.Fatalf("vscc invoke failed with %s", res.Message)
+		}
+	}
+}
+
 func TestValidateUpgradeWithPoliciesFail(t *testing.T) {
 	v := new(ValidatorOneValidSignature)
 	stub := shim.NewMockStub("validatoronevalidsignature", v)
