github.com/osdi23p228/fabric@v0.0.0-20221218062954-77808885f5db/integration/e2e/acl_test.go (about)

     1  /*
     2  Copyright IBM Corp All Rights Reserved.
     3  
     4  SPDX-License-Identifier: Apache-2.0
     5  */
     6  
     7  package e2e
     8  
     9  import (
    10  	"encoding/json"
    11  	"fmt"
    12  	"io/ioutil"
    13  	"os"
    14  	"path/filepath"
    15  	"syscall"
    16  
    17  	docker "github.com/fsouza/go-dockerclient"
    18  	"github.com/golang/protobuf/proto"
    19  	"github.com/hyperledger/fabric-protos-go/common"
    20  	pb "github.com/hyperledger/fabric-protos-go/peer"
    21  	"github.com/osdi23p228/fabric/core/aclmgmt/resources"
    22  	"github.com/osdi23p228/fabric/integration/nwo"
    23  	"github.com/osdi23p228/fabric/integration/nwo/commands"
    24  	"github.com/osdi23p228/fabric/protoutil"
    25  	. "github.com/onsi/ginkgo"
    26  	. "github.com/onsi/gomega"
    27  	"github.com/onsi/gomega/gbytes"
    28  	"github.com/onsi/gomega/gexec"
    29  	"github.com/tedsuo/ifrit"
    30  )
    31  
    32  var _ = Describe("EndToEndACL", func() {
    33  	var (
    34  		testDir   string
    35  		client    *docker.Client
    36  		network   *nwo.Network
    37  		chaincode nwo.Chaincode
    38  		process   ifrit.Process
    39  
    40  		orderer   *nwo.Orderer
    41  		org1Peer0 *nwo.Peer
    42  		org2Peer0 *nwo.Peer
    43  	)
    44  
    45  	BeforeEach(func() {
    46  		var err error
    47  		testDir, err = ioutil.TempDir("", "acl-e2e")
    48  		Expect(err).NotTo(HaveOccurred())
    49  
    50  		client, err = docker.NewClientFromEnv()
    51  		Expect(err).NotTo(HaveOccurred())
    52  
    53  		// Speed up test by reducing the number of peers we
    54  		// bring up and install chaincode to.
    55  		soloConfig := nwo.BasicSolo()
    56  		soloConfig.RemovePeer("Org1", "peer1")
    57  		soloConfig.RemovePeer("Org2", "peer1")
    58  		Expect(soloConfig.Peers).To(HaveLen(2))
    59  
    60  		network = nwo.New(soloConfig, testDir, client, StartPort(), components)
    61  		network.GenerateConfigTree()
    62  		network.Bootstrap()
    63  
    64  		networkRunner := network.NetworkGroupRunner()
    65  		process = ifrit.Invoke(networkRunner)
    66  		Eventually(process.Ready(), network.EventuallyTimeout).Should(BeClosed())
    67  
    68  		orderer = network.Orderer("orderer")
    69  		org1Peer0 = network.Peer("Org1", "peer0")
    70  		org2Peer0 = network.Peer("Org2", "peer0")
    71  
    72  		chaincode = nwo.Chaincode{
    73  			Name:    "mycc",
    74  			Version: "0.0",
    75  			Path:    "github.com/osdi23p228/fabric/integration/chaincode/simple/cmd",
    76  			Ctor:    `{"Args":["init","a","100","b","200"]}`,
    77  			Policy:  `OR ('Org1MSP.member','Org2MSP.member')`,
    78  		}
    79  		network.CreateAndJoinChannel(orderer, "testchannel")
    80  		nwo.DeployChaincodeLegacy(network, "testchannel", orderer, chaincode)
    81  	})
    82  
    83  	AfterEach(func() {
    84  		process.Signal(syscall.SIGTERM)
    85  		Eventually(process.Wait(), network.EventuallyTimeout).Should(Receive())
    86  		network.Cleanup()
    87  		os.RemoveAll(testDir)
    88  	})
    89  
    90  	It("enforces access control list policies", func() {
    91  		invokeChaincode := commands.ChaincodeInvoke{
    92  			ChannelID:    "testchannel",
    93  			Orderer:      network.OrdererAddress(orderer, nwo.ListenPort),
    94  			Name:         chaincode.Name,
    95  			Ctor:         `{"Args":["invoke","a","b","10"]}`,
    96  			WaitForEvent: true,
    97  		}
    98  
    99  		outputBlock := filepath.Join(testDir, "newest_block.pb")
   100  		fetchNewest := commands.ChannelFetch{
   101  			ChannelID:  "testchannel",
   102  			Block:      "newest",
   103  			OutputFile: outputBlock,
   104  		}
   105  
   106  		//
   107  		// when the ACL policy for DeliverFiltered is satisified
   108  		//
   109  		By("setting the filtered block event ACL policy to Org1/Admins")
   110  		policyName := resources.Event_FilteredBlock
   111  		policy := "/Channel/Application/Org1/Admins"
   112  		SetACLPolicy(network, "testchannel", policyName, policy, "orderer")
   113  
   114  		By("invoking chaincode as a permitted Org1 Admin identity")
   115  		sess, err := network.PeerAdminSession(org1Peer0, invokeChaincode)
   116  		Expect(err).NotTo(HaveOccurred())
   117  		Eventually(sess.Err, network.EventuallyTimeout).Should(gbytes.Say("Chaincode invoke successful. result: status:200"))
   118  
   119  		//
   120  		// when the ACL policy for DeliverFiltered is not satisfied
   121  		//
   122  		By("setting the filtered block event ACL policy to org2/Admins")
   123  		policyName = resources.Event_FilteredBlock
   124  		policy = "/Channel/Application/org2/Admins"
   125  		SetACLPolicy(network, "testchannel", policyName, policy, "orderer")
   126  
   127  		By("invoking chaincode as a forbidden Org1 Admin identity")
   128  		sess, err = network.PeerAdminSession(org1Peer0, invokeChaincode)
   129  		Expect(err).NotTo(HaveOccurred())
   130  		Eventually(sess.Err, network.EventuallyTimeout).Should(gbytes.Say(`\Qdeliver completed with status (FORBIDDEN)\E`))
   131  
   132  		//
   133  		// when the ACL policy for Deliver is satisfied
   134  		//
   135  		By("setting the block event ACL policy to Org1/Admins")
   136  		policyName = resources.Event_Block
   137  		policy = "/Channel/Application/Org1/Admins"
   138  		SetACLPolicy(network, "testchannel", policyName, policy, "orderer")
   139  
   140  		By("fetching the latest block from the peer as a permitted Org1 Admin identity")
   141  		sess, err = network.PeerAdminSession(org1Peer0, fetchNewest)
   142  		Expect(err).NotTo(HaveOccurred())
   143  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(0))
   144  		Expect(sess.Err).To(gbytes.Say("Received block: "))
   145  
   146  		//
   147  		// when the ACL policy for Deliver is not satisfied
   148  		//
   149  		By("fetching the latest block from the peer as a forbidden org2 Admin identity")
   150  		sess, err = network.PeerAdminSession(org2Peer0, fetchNewest)
   151  		Expect(err).NotTo(HaveOccurred())
   152  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit())
   153  		Expect(sess.Err).To(gbytes.Say("can't read the block: &{FORBIDDEN}"))
   154  
   155  		//
   156  		// when the ACL policy for lscc/GetInstantiatedChaincodes is satisfied
   157  		//
   158  		By("setting the lscc/GetInstantiatedChaincodes ACL policy to Org1/Admins")
   159  		policyName = resources.Lscc_GetInstantiatedChaincodes
   160  		policy = "/Channel/Application/Org1/Admins"
   161  		SetACLPolicy(network, "testchannel", policyName, policy, "orderer")
   162  
   163  		By("listing the instantiated chaincodes as a permitted Org1 Admin identity")
   164  		sess, err = network.PeerAdminSession(org1Peer0, commands.ChaincodeListInstantiatedLegacy{
   165  			ChannelID: "testchannel",
   166  		})
   167  		Expect(err).NotTo(HaveOccurred())
   168  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(0))
   169  		Expect(sess).To(gbytes.Say("Name: mycc, Version: 0.0, Path: .*, Escc: escc, Vscc: vscc"))
   170  
   171  		//
   172  		// when the ACL policy for lscc/GetInstantiatedChaincodes is not satisfied
   173  		//
   174  		By("listing the instantiated chaincodes as a forbidden org2 Admin identity")
   175  		sess, err = network.PeerAdminSession(org2Peer0, commands.ChaincodeListInstantiatedLegacy{
   176  			ChannelID: "testchannel",
   177  		})
   178  		Expect(err).NotTo(HaveOccurred())
   179  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit())
   180  		Expect(sess).NotTo(gbytes.Say("Name: mycc, Version: 0.0, Path: .*, Escc: escc, Vscc: vscc"))
   181  		Expect(sess.Err).To(gbytes.Say(`access denied for \[getchaincodes\]\[testchannel\](.*)signature set did not satisfy policy`))
   182  
   183  		//
   184  		// when a system chaincode ACL policy is set and a query is performed
   185  		//
   186  
   187  		// getting a transaction id from a block in the ledger
   188  		sess, err = network.PeerAdminSession(org1Peer0, fetchNewest)
   189  		Expect(err).NotTo(HaveOccurred())
   190  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(0))
   191  		Expect(sess.Err).To(gbytes.Say("Received block: "))
   192  		txID := GetTxIDFromBlockFile(outputBlock)
   193  
   194  		ItEnforcesPolicy := func(scc, operation string, args ...string) {
   195  			policyName := fmt.Sprintf("%s/%s", scc, operation)
   196  			policy := "/Channel/Application/Org1/Admins"
   197  			By("setting " + policyName + " to Org1 Admins")
   198  			SetACLPolicy(network, "testchannel", policyName, policy, "orderer")
   199  
   200  			args = append([]string{operation}, args...)
   201  			chaincodeQuery := commands.ChaincodeQuery{
   202  				ChannelID: "testchannel",
   203  				Name:      scc,
   204  				Ctor:      ToCLIChaincodeArgs(args...),
   205  			}
   206  
   207  			By("evaluating " + policyName + " for a permitted subject")
   208  			sess, err := network.PeerAdminSession(org1Peer0, chaincodeQuery)
   209  			Expect(err).NotTo(HaveOccurred())
   210  			Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(0))
   211  
   212  			By("evaluating " + policyName + " for a forbidden subject")
   213  			sess, err = network.PeerAdminSession(org2Peer0, chaincodeQuery)
   214  			Expect(err).NotTo(HaveOccurred())
   215  			Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit())
   216  			Expect(sess.Err).To(gbytes.Say(fmt.Sprintf(`access denied for \[%s\]\[%s\](.*)signature set did not satisfy policy`, operation, "testchannel")))
   217  		}
   218  
   219  		//
   220  		// qscc
   221  		//
   222  		ItEnforcesPolicy("qscc", "GetChainInfo", "testchannel")
   223  		ItEnforcesPolicy("qscc", "GetBlockByNumber", "testchannel", "0")
   224  		ItEnforcesPolicy("qscc", "GetBlockByTxID", "testchannel", txID)
   225  		ItEnforcesPolicy("qscc", "GetTransactionByID", "testchannel", txID)
   226  
   227  		//
   228  		// lscc
   229  		//
   230  		ItEnforcesPolicy("lscc", "GetChaincodeData", "testchannel", "mycc")
   231  		ItEnforcesPolicy("lscc", "ChaincodeExists", "testchannel", "mycc")
   232  
   233  		//
   234  		// cscc
   235  		//
   236  		ItEnforcesPolicy("cscc", "GetConfigBlock", "testchannel")
   237  
   238  		//
   239  		// _lifecycle ACL policies
   240  		//
   241  
   242  		chaincode = nwo.Chaincode{
   243  			Name:                "mycc",
   244  			Version:             "0.0",
   245  			Path:                components.Build("github.com/osdi23p228/fabric/integration/chaincode/simple/cmd"),
   246  			Lang:                "binary",
   247  			PackageFile:         filepath.Join(testDir, "simplecc.tar.gz"),
   248  			Ctor:                `{"Args":["init","a","100","b","200"]}`,
   249  			ChannelConfigPolicy: "/Channel/Application/Endorsement",
   250  			Sequence:            "1",
   251  			InitRequired:        true,
   252  			Label:               "my_prebuilt_chaincode",
   253  		}
   254  
   255  		nwo.PackageChaincodeBinary(chaincode)
   256  
   257  		//
   258  		// when the ACL policy for _lifecycle/InstallChaincode is not satisfied
   259  		//
   260  		By("installing the chaincode to an org1 peer as an org2 admin")
   261  		sess, err = network.PeerAdminSession(org2Peer0, commands.ChaincodeInstall{
   262  			PackageFile:   chaincode.PackageFile,
   263  			PeerAddresses: []string{network.PeerAddress(org1Peer0, nwo.ListenPort)},
   264  		})
   265  		Expect(err).NotTo(HaveOccurred())
   266  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit())
   267  		Expect(sess.Err).To(gbytes.Say(`access denied: channel \[\] creator org \[Org2MSP\]`))
   268  
   269  		By("installing the chaincode to an org1 peer as a non-admin org1 identity")
   270  		sess, err = network.PeerUserSession(org1Peer0, "User1", commands.ChaincodeInstall{
   271  			PackageFile: chaincode.PackageFile,
   272  		})
   273  		Expect(err).NotTo(HaveOccurred())
   274  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit())
   275  		Expect(sess.Err).To(gbytes.Say(`Error: chaincode install failed with status: 500 - Failed to authorize invocation due to failed ACL check: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy \Q[Admins]\E: \Q[The identity is not an admin under this MSP [Org1MSP]: The identity does not contain OU [ADMIN], MSP: [Org1MSP]]\E`))
   276  
   277  		//
   278  		// when the ACL policy for _lifecycle/InstallChaincode is satisfied
   279  		//
   280  		nwo.InstallChaincode(network, chaincode, org1Peer0, org2Peer0)
   281  
   282  		//
   283  		// when the V2_0 application capabilities flag has not yet been enabled
   284  		//
   285  		By("approving a chaincode definition on a channel without V2_0 capabilities enabled")
   286  		sess, err = network.PeerAdminSession(org1Peer0, commands.ChaincodeApproveForMyOrg{
   287  			ChannelID:           "testchannel",
   288  			Orderer:             network.OrdererAddress(orderer, nwo.ListenPort),
   289  			Name:                chaincode.Name,
   290  			Version:             chaincode.Version,
   291  			Sequence:            chaincode.Sequence,
   292  			EndorsementPlugin:   chaincode.EndorsementPlugin,
   293  			ValidationPlugin:    chaincode.ValidationPlugin,
   294  			SignaturePolicy:     chaincode.SignaturePolicy,
   295  			ChannelConfigPolicy: chaincode.ChannelConfigPolicy,
   296  			InitRequired:        chaincode.InitRequired,
   297  			CollectionsConfig:   chaincode.CollectionsConfig,
   298  		})
   299  		Expect(err).NotTo(HaveOccurred())
   300  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit())
   301  		Expect(sess.Err).To(gbytes.Say("Error: proposal failed with status: 500 - cannot use new lifecycle for channel 'testchannel' as it does not have the required capabilities enabled"))
   302  
   303  		By("committing a chaincode definition on a channel without V2_0 capabilities enabled")
   304  		sess, err = network.PeerAdminSession(org1Peer0, commands.ChaincodeCommit{
   305  			ChannelID:           "testchannel",
   306  			Orderer:             network.OrdererAddress(orderer, nwo.ListenPort),
   307  			Name:                chaincode.Name,
   308  			Version:             chaincode.Version,
   309  			Sequence:            chaincode.Sequence,
   310  			EndorsementPlugin:   chaincode.EndorsementPlugin,
   311  			ValidationPlugin:    chaincode.ValidationPlugin,
   312  			SignaturePolicy:     chaincode.SignaturePolicy,
   313  			ChannelConfigPolicy: chaincode.ChannelConfigPolicy,
   314  			InitRequired:        chaincode.InitRequired,
   315  			CollectionsConfig:   chaincode.CollectionsConfig,
   316  		})
   317  		Expect(err).NotTo(HaveOccurred())
   318  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit())
   319  		Expect(sess.Err).To(gbytes.Say("Error: proposal failed with status: 500 - cannot use new lifecycle for channel 'testchannel' as it does not have the required capabilities enabled"))
   320  
   321  		// enable V2_0 application capabilities on the channel
   322  		By("enabling V2_0 application capabilities on the channel")
   323  		nwo.EnableCapabilities(network, "testchannel", "Application", "V2_0", orderer, org1Peer0, org2Peer0)
   324  
   325  		//
   326  		// when the ACL policy for _lifecycle/ApproveChaincodeDefinitionForOrg is not satisfied
   327  		//
   328  		By("approving a chaincode definition for org1 as an org2 admin")
   329  		sess, err = network.PeerAdminSession(org2Peer0, commands.ChaincodeApproveForMyOrg{
   330  			ChannelID:           "testchannel",
   331  			Orderer:             network.OrdererAddress(orderer, nwo.ListenPort),
   332  			Name:                chaincode.Name,
   333  			Version:             chaincode.Version,
   334  			Sequence:            chaincode.Sequence,
   335  			EndorsementPlugin:   chaincode.EndorsementPlugin,
   336  			ValidationPlugin:    chaincode.ValidationPlugin,
   337  			SignaturePolicy:     chaincode.SignaturePolicy,
   338  			ChannelConfigPolicy: chaincode.ChannelConfigPolicy,
   339  			InitRequired:        chaincode.InitRequired,
   340  			CollectionsConfig:   chaincode.CollectionsConfig,
   341  			PeerAddresses:       []string{network.PeerAddress(org1Peer0, nwo.ListenPort)},
   342  		})
   343  		Expect(err).NotTo(HaveOccurred())
   344  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit())
   345  		Expect(sess.Err).To(gbytes.Say(`Error: proposal failed with status: 500 - Failed to authorize invocation due to failed ACL check: Failed deserializing proposal creator during channelless check policy with policy \[Admins\]: \[expected MSP ID Org1MSP, received Org2MSP\]`))
   346  
   347  		//
   348  		// when the ACL policy for _lifecycle/ApproveChaincodeDefinitionForOrg is satisfied
   349  		//
   350  		By("approving a chaincode definition for org1 and org2")
   351  		nwo.ApproveChaincodeForMyOrg(network, "testchannel", orderer, chaincode, org1Peer0, org2Peer0)
   352  
   353  		//
   354  		// when the ACL policy for _lifecycle/QueryApprovedChaincodeDefinition is not satisfied
   355  		//
   356  		By("querying the approved chaincode definition for org1 as an org2 admin")
   357  		sess, err = network.PeerAdminSession(org2Peer0, commands.ChaincodeQueryApproved{
   358  			ChannelID:     "testchannel",
   359  			Name:          chaincode.Name,
   360  			Sequence:      chaincode.Sequence,
   361  			PeerAddresses: []string{network.PeerAddress(org1Peer0, nwo.ListenPort)},
   362  		})
   363  		Expect(err).NotTo(HaveOccurred())
   364  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit())
   365  		Expect(sess.Err).To(gbytes.Say(`\QError: query failed with status: 500 - Failed to authorize invocation due to failed ACL check: Failed deserializing proposal creator during channelless check policy with policy [Admins]: [expected MSP ID Org1MSP, received Org2MSP]\E`))
   366  
   367  		//
   368  		// when the ACL policy for _lifecycle/QueryApprovedChaincodeDefinition is satisfied
   369  		//
   370  		By("querying the approved chaincode definition for org1 as an org1 admin")
   371  		nwo.EnsureChaincodeApproved(network, org1Peer0, "testchannel", chaincode.Name, chaincode.Sequence)
   372  
   373  		//
   374  		// when the ACL policy for CheckCommitReadiness is not satisified
   375  		//
   376  		By("setting the simulate commit chaincode definition ACL policy to Org1/Admins")
   377  		policyName = resources.Lifecycle_CheckCommitReadiness
   378  		policy = "/Channel/Application/Org1/Admins"
   379  		SetACLPolicy(network, "testchannel", policyName, policy, "orderer")
   380  
   381  		By("simulating the commit of a chaincode dwefinition as a forbidden Org2 Admin identity")
   382  		sess, err = network.PeerAdminSession(org2Peer0, commands.ChaincodeCheckCommitReadiness{
   383  			ChannelID:           "testchannel",
   384  			Name:                chaincode.Name,
   385  			Version:             chaincode.Version,
   386  			Sequence:            chaincode.Sequence,
   387  			EndorsementPlugin:   chaincode.EndorsementPlugin,
   388  			ValidationPlugin:    chaincode.ValidationPlugin,
   389  			SignaturePolicy:     chaincode.SignaturePolicy,
   390  			ChannelConfigPolicy: chaincode.ChannelConfigPolicy,
   391  			InitRequired:        chaincode.InitRequired,
   392  			CollectionsConfig:   chaincode.CollectionsConfig,
   393  		})
   394  		Expect(err).NotTo(HaveOccurred())
   395  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit())
   396  		Expect(sess.Err).To(gbytes.Say(`\QError: query failed with status: 500 - Failed to authorize invocation due to failed ACL check: failed evaluating policy on signed data during check policy [/Channel/Application/Org1/Admins]: [signature set did not satisfy policy]\E`))
   397  
   398  		//
   399  		// when the ACL policy for CheckCommitReadiness is satisified
   400  		//
   401  		nwo.CheckCommitReadinessUntilReady(network, "testchannel", chaincode, network.PeerOrgs(), org1Peer0)
   402  
   403  		//
   404  		// when the ACL policy for CommitChaincodeDefinition is not satisified
   405  		//
   406  		By("setting the commit chaincode definition ACL policy to Org1/Admins")
   407  		policyName = resources.Lifecycle_CommitChaincodeDefinition
   408  		policy = "/Channel/Application/Org1/Admins"
   409  		SetACLPolicy(network, "testchannel", policyName, policy, "orderer")
   410  
   411  		By("committing the chaincode definition as a forbidden Org2 Admin identity")
   412  		peerAddresses := []string{
   413  			network.PeerAddress(org1Peer0, nwo.ListenPort),
   414  			network.PeerAddress(org2Peer0, nwo.ListenPort),
   415  		}
   416  		sess, err = network.PeerAdminSession(org2Peer0, commands.ChaincodeCommit{
   417  			ChannelID:           "testchannel",
   418  			Orderer:             network.OrdererAddress(orderer, nwo.ListenPort),
   419  			Name:                chaincode.Name,
   420  			Version:             chaincode.Version,
   421  			Sequence:            chaincode.Sequence,
   422  			EndorsementPlugin:   chaincode.EndorsementPlugin,
   423  			ValidationPlugin:    chaincode.ValidationPlugin,
   424  			SignaturePolicy:     chaincode.SignaturePolicy,
   425  			ChannelConfigPolicy: chaincode.ChannelConfigPolicy,
   426  			InitRequired:        chaincode.InitRequired,
   427  			CollectionsConfig:   chaincode.CollectionsConfig,
   428  			PeerAddresses:       peerAddresses,
   429  		})
   430  		Expect(err).NotTo(HaveOccurred())
   431  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit())
   432  		Expect(sess.Err).To(gbytes.Say(`\QError: proposal failed with status: 500 - Failed to authorize invocation due to failed ACL check: failed evaluating policy on signed data during check policy [/Channel/Application/Org1/Admins]: [signature set did not satisfy policy]\E`))
   433  
   434  		//
   435  		// when the ACL policy for CommitChaincodeDefinition is satisified
   436  		//
   437  		nwo.CommitChaincode(network, "testchannel", orderer, chaincode, org1Peer0, org1Peer0, org2Peer0)
   438  
   439  		//
   440  		// when the ACL policy for QueryChaincodeDefinition is satisified
   441  		//
   442  		By("setting the query chaincode definition ACL policy to Org1/Admins")
   443  		policyName = resources.Lifecycle_QueryChaincodeDefinition
   444  		policy = "/Channel/Application/Org1/Admins"
   445  		SetACLPolicy(network, "testchannel", policyName, policy, "orderer")
   446  
   447  		By("querying the chaincode definition as a permitted Org1 Admin identity")
   448  		nwo.EnsureChaincodeCommitted(network, "testchannel", "mycc", "0.0", "1", []*nwo.Organization{network.Organization("Org1"), network.Organization("Org2")}, org1Peer0)
   449  
   450  		By("querying the chaincode definition as a forbidden Org2 Admin identity")
   451  		sess, err = network.PeerAdminSession(org2Peer0, commands.ChaincodeListCommitted{
   452  			ChannelID: "testchannel",
   453  			Name:      "mycc",
   454  		})
   455  		Expect(err).NotTo(HaveOccurred())
   456  		Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit())
   457  		Expect(sess.Err).To(gbytes.Say(`\QError: query failed with status: 500 - Failed to authorize invocation due to failed ACL check: failed evaluating policy on signed data during check policy [/Channel/Application/Org1/Admins]: [signature set did not satisfy policy]\E`))
   458  	})
   459  })
   460  
   461  // SetACLPolicy sets the ACL policy for a running network. It resets all
   462  // previously defined ACL policies, generates the config update, signs the
   463  // configuration with Org2's signer, and then submits the config update using
   464  // Org1.
   465  func SetACLPolicy(network *nwo.Network, channel, policyName, policy string, ordererName string) {
   466  	orderer := network.Orderer(ordererName)
   467  	submitter := network.Peer("Org1", "peer0")
   468  	signer := network.Peer("Org2", "peer0")
   469  
   470  	config := nwo.GetConfig(network, submitter, orderer, channel)
   471  	updatedConfig := proto.Clone(config).(*common.Config)
   472  
   473  	// set the policy
   474  	updatedConfig.ChannelGroup.Groups["Application"].Values["ACLs"] = &common.ConfigValue{
   475  		ModPolicy: "Admins",
   476  		Value: protoutil.MarshalOrPanic(&pb.ACLs{
   477  			Acls: map[string]*pb.APIResource{
   478  				policyName: {PolicyRef: policy},
   479  			},
   480  		}),
   481  	}
   482  
   483  	nwo.UpdateConfig(network, orderer, channel, config, updatedConfig, true, submitter, signer)
   484  }
   485  
   486  // GetTxIDFromBlock gets a transaction id from a block that has been
   487  // marshaled and stored on the filesystem
   488  func GetTxIDFromBlockFile(blockFile string) string {
   489  	block := nwo.UnmarshalBlockFromFile(blockFile)
   490  
   491  	txID, err := protoutil.GetOrComputeTxIDFromEnvelope(block.Data.Data[0])
   492  	Expect(err).NotTo(HaveOccurred())
   493  
   494  	return txID
   495  }
   496  
   497  // ToCLIChaincodeArgs converts string args to args for use with chaincode calls
   498  // from the CLI.
   499  func ToCLIChaincodeArgs(args ...string) string {
   500  	type cliArgs struct {
   501  		Args []string
   502  	}
   503  	cArgs := &cliArgs{Args: args}
   504  	cArgsJSON, err := json.Marshal(cArgs)
   505  	Expect(err).NotTo(HaveOccurred())
   506  	return string(cArgsJSON)
   507  }