[FAB-9723] Infrastructure for pluggable endorsement

This change set adds support in the handlers for pluggable
endorsement plugins.

Change-Id: Id738e131b3444b2f56f5ac0af1d9f113fbd0cfe5
Signed-off-by: yacovm <yacovm@il.ibm.com>

Author: yacovm

core/handlers/endorsement/builtin/escc.go

@@ -0,0 +1,57 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package builtin
+
+import (
+	"github.com/hyperledger/fabric/core/handlers/endorsement/api"
+	endorsement2 "github.com/hyperledger/fabric/core/handlers/endorsement/api/identities"
+	"github.com/hyperledger/fabric/protos/peer"
+	"github.com/pkg/errors"
+)
+
+type DefaultESCCFactory struct {
+}
+
+func (*DefaultESCCFactory) New() endorsement.Plugin {
+	return &DefaultESCC{}
+}
+
+type DefaultESCC struct {
+	endorsement2.SigningIdentityFetcher
+}
+
+func (e *DefaultESCC) Endorse(prpBytes []byte, sp *peer.SignedProposal) (*peer.Endorsement, []byte, error) {
+	signer, err := e.SigningIdentityForRequest(sp)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "failed fetching signing identity")
+	}
+	// serialize the signing identity
+	identityBytes, err := signer.Serialize()
+	if err != nil {
+		return nil, nil, errors.Wrapf(err, "could not serialize the signing identity")
+	}
+
+	// sign the concatenation of the proposal response and the serialized endorser identity with this endorser's key
+	signature, err := signer.Sign(append(prpBytes, identityBytes...))
+	if err != nil {
+		return nil, nil, errors.Wrapf(err, "could not sign the proposal response payload")
+	}
+	endorsement := &peer.Endorsement{Signature: signature, Endorser: identityBytes}
+	return endorsement, prpBytes, nil
+}
+
+func (e *DefaultESCC) Init(dependencies ...endorsement.Dependency) error {
+	for _, dep := range dependencies {
+		sIDFetcher, isSigningIdentityFetcher := dep.(endorsement2.SigningIdentityFetcher)
+		if !isSigningIdentityFetcher {
+			continue
+		}
+		e.SigningIdentityFetcher = sIDFetcher
+		return nil
+	}
+	return errors.New("could not find SigningIdentityFetcher in dependencies")
+}

core/handlers/endorsement/plugin/escc_plugin.go

@@ -0,0 +1,78 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package main
+
+import (
+	"errors"
+	"fmt"
+
+	endorsement2 "github.com/hyperledger/fabric/core/handlers/endorsement/api"
+	endorsement3 "github.com/hyperledger/fabric/core/handlers/endorsement/api/identities"
+	"github.com/hyperledger/fabric/protos/peer"
+)
+
+// To build the plugin,
+// run:
+//    go build -buildmode=plugin -o escc.so escc_plugin.go
+
+// DefaultESCCFactory returns an endorsement plugin factory which returns plugins
+// that behave as the default endorsement system chaincode
+type DefaultESCCFactory struct {
+}
+
+// New returns an endorsement plugin that behaves as the default endorsement system chaincode
+func (*DefaultESCCFactory) New() endorsement2.Plugin {
+	return &DefaultESCC{}
+}
+
+// DefaultESCC is an endorsement plugin that behaves as the default endorsement system chaincode
+type DefaultESCC struct {
+	endorsement3.SigningIdentityFetcher
+}
+
+// Endorse signs the given payload(ProposalResponsePayload bytes), and optionally mutates it.
+// Returns:
+// The Endorsement: A signature over the payload, and an identity that is used to verify the signature
+// The payload that was given as input (could be modified within this function)
+// Or error on failure
+func (e *DefaultESCC) Endorse(prpBytes []byte, sp *peer.SignedProposal) (*peer.Endorsement, []byte, error) {
+	signer, err := e.SigningIdentityForRequest(sp)
+	if err != nil {
+		return nil, nil, errors.New(fmt.Sprintf("failed fetching signing identity: %v", err))
+	}
+	// serialize the signing identity
+	identityBytes, err := signer.Serialize()
+	if err != nil {
+		return nil, nil, errors.New(fmt.Sprintf("could not serialize the signing identity: %v", err))
+	}
+
+	// sign the concatenation of the proposal response and the serialized endorser identity with this endorser's key
+	signature, err := signer.Sign(append(prpBytes, identityBytes...))
+	if err != nil {
+		return nil, nil, errors.New(fmt.Sprintf("could not sign the proposal response payload: %v", err))
+	}
+	endorsement := &peer.Endorsement{Signature: signature, Endorser: identityBytes}
+	return endorsement, prpBytes, nil
+}
+
+// Init injects dependencies into the instance of the Plugin
+func (e *DefaultESCC) Init(dependencies ...endorsement2.Dependency) error {
+	for _, dep := range dependencies {
+		sIDFetcher, isSigningIdentityFetcher := dep.(endorsement3.SigningIdentityFetcher)
+		if !isSigningIdentityFetcher {
+			continue
+		}
+		e.SigningIdentityFetcher = sIDFetcher
+		return nil
+	}
+	return errors.New("could not find SigningIdentityFetcher in dependencies")
+}
+
+// NewPluginFactory is the function ran by the plugin infrastructure to create an endorsement plugin factory.
+func NewPluginFactory() endorsement2.PluginFactory {
+	return &DefaultESCCFactory{}
+}

core/handlers/endorsement/testdata/noop_endorser.go

@@ -0,0 +1,35 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package main
+
+import (
+	"github.com/hyperledger/fabric/core/handlers/endorsement/api"
+	"github.com/hyperledger/fabric/protos/peer"
+)
+
+type NoOpEndorser struct {
+}
+
+func (*NoOpEndorser) Endorse(payload []byte, sp *peer.SignedProposal) (*peer.Endorsement, []byte, error) {
+	return nil, payload, nil
+}
+
+func (*NoOpEndorser) Init(dependencies ...endorsement.Dependency) error {
+	return nil
+}
+
+type NoOpEndorserFactory struct {
+}
+
+func (*NoOpEndorserFactory) New() endorsement.Plugin {
+	return &NoOpEndorser{}
+}
+
+// NewPluginFactory is the function ran by the plugin infrastructure to create an endorsement plugin factory.
+func NewPluginFactory() endorsement.PluginFactory {
+	return &NoOpEndorserFactory{}
+}

core/handlers/library/library.go

@@ -11,6 +11,8 @@ import (
 	"github.com/hyperledger/fabric/core/handlers/auth/filter"
 	"github.com/hyperledger/fabric/core/handlers/decoration"
 	"github.com/hyperledger/fabric/core/handlers/decoration/decorator"
+	endorsement "github.com/hyperledger/fabric/core/handlers/endorsement/api"
+	"github.com/hyperledger/fabric/core/handlers/endorsement/builtin"
 )
 
 // HandlerLibrary is used to assert
@@ -39,3 +41,7 @@ func (r *HandlerLibrary) ExpirationCheck() auth.Filter {
 func (r *HandlerLibrary) DefaultDecorator() decoration.Decorator {
 	return decorator.NewDecorator()
 }
+
+func (r *HandlerLibrary) ESCC() endorsement.PluginFactory {
+	return &builtin.DefaultESCCFactory{}
+}

core/handlers/library/registry.go

@@ -13,10 +13,14 @@ import (
 	"reflect"
 	"sync"
 
+	"github.com/hyperledger/fabric/common/flogging"
 	"github.com/hyperledger/fabric/core/handlers/auth"
 	"github.com/hyperledger/fabric/core/handlers/decoration"
+	endorsement2 "github.com/hyperledger/fabric/core/handlers/endorsement/api"
 )
 
+var logger = flogging.MustGetLogger("core/handlers")
+
 // Registry defines an object that looks up
 // handlers by name
 type Registry interface {
@@ -35,14 +39,17 @@ const (
 	// Decoration handler - append or mutate the chaincode input
 	// passed to the chaincode
 	Decoration
+	Endorsement
 
-	authPluginFactory      = "NewFilter"
-	decoratorPluginFactory = "NewDecorator"
+	authPluginFactory        = "NewFilter"
+	decoratorPluginFactory   = "NewDecorator"
+	endorsementPluginFactory = "NewPluginFactory"
 )
 
 type registry struct {
 	filters    []auth.Filter
 	decorators []decoration.Decorator
+	endorsers  map[string]endorsement2.PluginFactory
 }
 
 var once sync.Once
@@ -53,8 +60,11 @@ var reg registry
 type Config struct {
 	AuthFilters []*HandlerConfig `mapstructure:"authFilters" yaml:"authFilters"`
 	Decorators  []*HandlerConfig `mapstructure:"decorators" yaml:"decorators"`
+	Endorsers   PluginMapping    `mapstructure:"endorsers" yaml:"endorsers"`
 }
 
+type PluginMapping map[string]*HandlerConfig
+
 // HandlerConfig defines configuration for a plugin or compiled handler
 type HandlerConfig struct {
 	Name    string `mapstructure:"name" yaml:"name"`
@@ -65,7 +75,7 @@ type HandlerConfig struct {
 // of the registry
 func InitRegistry(c Config) Registry {
 	once.Do(func() {
-		reg = registry{}
+		reg = registry{endorsers: make(map[string]endorsement2.PluginFactory)}
 		reg.loadHandlers(c)
 	})
 	return &reg
@@ -79,24 +89,28 @@ func (r *registry) loadHandlers(c Config) {
 	for _, config := range c.Decorators {
 		r.evaluateModeAndLoad(config, Decoration)
 	}
+
+	for chaincodeID, config := range c.Endorsers {
+		r.evaluateModeAndLoad(config, Endorsement, chaincodeID)
+	}
 }
 
 // evaluateModeAndLoad if a library path is provided, load the shared object
-func (r *registry) evaluateModeAndLoad(c *HandlerConfig, handlerType HandlerType) {
+func (r *registry) evaluateModeAndLoad(c *HandlerConfig, handlerType HandlerType, extraArgs ...string) {
 	if c.Library != "" {
-		r.loadPlugin(c.Library, handlerType)
+		r.loadPlugin(c.Library, handlerType, extraArgs...)
 	} else {
-		r.loadCompiled(c.Name, handlerType)
+		r.loadCompiled(c.Name, handlerType, extraArgs...)
 	}
 }
 
 // loadCompiled loads a statically compiled handler
-func (r *registry) loadCompiled(handlerFactory string, handlerType HandlerType) {
+func (r *registry) loadCompiled(handlerFactory string, handlerType HandlerType, extraArgs ...string) {
 	registryMD := reflect.ValueOf(&HandlerLibrary{})
 
 	o := registryMD.MethodByName(handlerFactory)
 	if !o.IsValid() {
-		panic(fmt.Errorf("Method %s isn't a method of HandlerLibrary", handlerFactory))
+		logger.Panicf(fmt.Sprintf("Method %s isn't a method of HandlerLibrary", handlerFactory))
 	}
 
 	inst := o.Call(nil)[0].Interface()
@@ -105,24 +119,30 @@ func (r *registry) loadCompiled(handlerFactory string, handlerType HandlerType)
 		r.filters = append(r.filters, inst.(auth.Filter))
 	} else if handlerType == Decoration {
 		r.decorators = append(r.decorators, inst.(decoration.Decorator))
+	} else if handlerType == Endorsement {
+		if len(extraArgs) != 1 {
+			logger.Panicf("expected 1 argument in extraArgs")
+		}
+		r.endorsers[extraArgs[0]] = inst.(endorsement2.PluginFactory)
 	}
 }
 
 // loadPlugin loads a pluggagle handler
-func (r *registry) loadPlugin(pluginPath string, handlerType HandlerType) {
+func (r *registry) loadPlugin(pluginPath string, handlerType HandlerType, extraArgs ...string) {
 	if _, err := os.Stat(pluginPath); err != nil {
-		panic(fmt.Errorf("Could not find plugin at path %s: %s", pluginPath, err))
+		logger.Panicf(fmt.Sprintf("Could not find plugin at path %s: %s", pluginPath, err))
 	}
-
 	p, err := plugin.Open(pluginPath)
 	if err != nil {
-		panic(fmt.Errorf("Error opening plugin at path %s: %s", pluginPath, err))
+		logger.Panicf(fmt.Sprintf("Error opening plugin at path %s: %s", pluginPath, err))
 	}
 
 	if handlerType == Auth {
 		r.initAuthPlugin(p)
 	} else if handlerType == Decoration {
 		r.initDecoratorPlugin(p)
+	} else if handlerType == Endorsement {
+		r.initEndorsementPlugin(p, extraArgs...)
 	}
 }
 
@@ -159,17 +179,37 @@ func (r *registry) initDecoratorPlugin(p *plugin.Plugin) {
 	}
 }
 
+func (r *registry) initEndorsementPlugin(p *plugin.Plugin, extraArgs ...string) {
+	if len(extraArgs) != 1 {
+		logger.Panicf("expected 1 argument in extraArgs")
+	}
+	factorySymbol, err := p.Lookup(endorsementPluginFactory)
+	if err != nil {
+		panicWithLookupError(endorsementPluginFactory, err)
+	}
+
+	constructor, ok := factorySymbol.(func() endorsement2.PluginFactory)
+	if !ok {
+		panicWithDefinitionError(endorsementPluginFactory)
+	}
+	factory := constructor()
+	if factory == nil {
+		logger.Panicf("factory instance returned nil")
+	}
+	r.endorsers[extraArgs[0]] = factory
+}
+
 // panicWithLookupError panics when a handler constructor lookup fails
 func panicWithLookupError(factory string, err error) {
-	panic(fmt.Errorf("Filter must contain constructor with name %s. Error from lookup: %s",
+	logger.Panicf(fmt.Sprintf("Plugin must contain constructor with name %s. Error from lookup: %s",
 		factory, err))
 }
 
 // panicWithDefinitionError panics when a handler constructor does not match
 // the expected function definition
 func panicWithDefinitionError(factory string) {
-	panic(fmt.Errorf("Constructor method %s does not match expected definition",
-		authPluginFactory))
+	logger.Panicf(fmt.Sprintf("Constructor method %s does not match expected definition",
+		factory))
 }
 
 // Lookup returns a list of handlers with the given
@@ -179,6 +219,8 @@ func (r *registry) Lookup(handlerType HandlerType) interface{} {
 		return r.filters
 	} else if handlerType == Decoration {
 		return r.decorators
+	} else if handlerType == Endorsement {
+		return r.endorsers
 	}
 
 	return nil