Chaincode invocation ACL support functions

This change-set does the followin:
1. Introduce a CheckPolicy function that checks that the passed
signed proposal is valid with the respect to passed policy on the passed channel.
2. Introduce a  CheckPolicyNoChannel function that checks that
the passed signed proposal is valid with the respect to passed policy on the local MSP.

This functions will offer support for implementing
access control at chaincode invocation

Change-Id: I099ca3175aa8d4c5a82ddad87768a73a735eecdf
Signed-off-by: Angelo De Caro <adc@zurich.ibm.com>

core/policy/mocks.go

@@ -0,0 +1,146 @@
+/*
+Copyright IBM Corp. 2017 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+		 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"bytes"
+
+	"fmt"
+
+	"errors"
+
+	"github.com/hyperledger/fabric/common/policies"
+	"github.com/hyperledger/fabric/msp"
+	"github.com/hyperledger/fabric/protos/common"
+)
+
+type mockChannelPolicyManagerGetter struct {
+	managers map[string]policies.Manager
+}
+
+func (c *mockChannelPolicyManagerGetter) Manager(channelID string) (policies.Manager, bool) {
+	return c.managers[channelID], true
+}
+
+type mockChannelPolicyManager struct {
+	mockPolicy policies.Policy
+}
+
+func (m *mockChannelPolicyManager) GetPolicy(id string) (policies.Policy, bool) {
+	return m.mockPolicy, true
+}
+
+func (m *mockChannelPolicyManager) Manager(path []string) (policies.Manager, bool) {
+	panic("Not implemented")
+}
+
+func (m *mockChannelPolicyManager) BasePath() string {
+	panic("Not implemented")
+}
+
+func (m *mockChannelPolicyManager) PolicyNames() []string {
+	panic("Not implemented")
+}
+
+type mockPolicy struct {
+	deserializer msp.IdentityDeserializer
+}
+
+// Evaluate takes a set of SignedData and evaluates whether this set of signatures satisfies the policy
+func (m *mockPolicy) Evaluate(signatureSet []*common.SignedData) error {
+	fmt.Printf("Evaluate [%s], [% x], [% x]\n", string(signatureSet[0].Identity), string(signatureSet[0].Data), string(signatureSet[0].Signature))
+	identity, err := m.deserializer.DeserializeIdentity(signatureSet[0].Identity)
+	if err != nil {
+		return err
+	}
+
+	return identity.Verify(signatureSet[0].Data, signatureSet[0].Signature)
+}
+
+type mockIdentityDeserializer struct {
+	identity []byte
+	msg      []byte
+}
+
+func (d *mockIdentityDeserializer) DeserializeIdentity(serializedIdentity []byte) (msp.Identity, error) {
+	fmt.Printf("id : [%s], [%s]\n", string(serializedIdentity), string(d.identity))
+	if bytes.Equal(d.identity, serializedIdentity) {
+		fmt.Printf("GOT : [%s], [%s]\n", string(serializedIdentity), string(d.identity))
+		return &mockIdentity{identity: d.identity, msg: d.msg}, nil
+	}
+
+	return nil, errors.New("Invalid identity")
+}
+
+type mockIdentity struct {
+	identity []byte
+	msg      []byte
+}
+
+func (id *mockIdentity) SatisfiesPrincipal(p *common.MSPPrincipal) error {
+	if !bytes.Equal(id.identity, p.Principal) {
+		return fmt.Errorf("Different identities [% x]!=[% x]", id.identity, p.Principal)
+	}
+	return nil
+}
+
+func (id *mockIdentity) GetIdentifier() *msp.IdentityIdentifier {
+	return &msp.IdentityIdentifier{Mspid: "mock", Id: "mock"}
+}
+
+func (id *mockIdentity) GetMSPIdentifier() string {
+	return "mock"
+}
+
+func (id *mockIdentity) Validate() error {
+	return nil
+}
+
+func (id *mockIdentity) GetOrganizationalUnits() []string {
+	return []string{"dunno"}
+}
+
+func (id *mockIdentity) Verify(msg []byte, sig []byte) error {
+	fmt.Printf("VERIFY [% x], [% x], [% x]\n", string(id.msg), string(msg), string(sig))
+	if bytes.Equal(id.msg, msg) {
+		if bytes.Equal(msg, sig) {
+			return nil
+		}
+	}
+
+	return errors.New("Invalid Signature")
+}
+
+func (id *mockIdentity) VerifyOpts(msg []byte, sig []byte, opts msp.SignatureOpts) error {
+	return nil
+}
+
+func (id *mockIdentity) VerifyAttributes(proof []byte, spec *msp.AttributeProofSpec) error {
+	return nil
+}
+
+func (id *mockIdentity) Serialize() ([]byte, error) {
+	return []byte("cert"), nil
+}
+
+type mockMSPPrincipalGetter struct {
+	Principal []byte
+}
+
+func (m *mockMSPPrincipalGetter) Get(role string) (*common.MSPPrincipal, error) {
+	return &common.MSPPrincipal{Principal: m.Principal}, nil
+}

core/policy/policy.go

@@ -0,0 +1,186 @@
+/*
+Copyright IBM Corp. 2017 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+		 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"fmt"
+
+	"errors"
+
+	"github.com/hyperledger/fabric/common/policies"
+	"github.com/hyperledger/fabric/msp"
+	"github.com/hyperledger/fabric/msp/mgmt"
+	"github.com/hyperledger/fabric/protos/common"
+	pb "github.com/hyperledger/fabric/protos/peer"
+	"github.com/hyperledger/fabric/protos/utils"
+)
+
+// PolicyChecker offers methods to check a signed proposal against a specific policy
+// defined in a channel or not.
+type PolicyChecker interface {
+	// CheckPolicy checks that the passed signed proposal is valid with the respect to
+	// passed policy on the passed channel.
+	// If no channel is passed, CheckPolicyNoChannel is invoked directly.
+	CheckPolicy(channelID, policyName string, signedProp *pb.SignedProposal) error
+
+	// CheckPolicyBySignedData checks that the passed signed data is valid with the respect to
+	// passed policy on the passed channel.
+	// If no channel is passed, the method will fail.
+	CheckPolicyBySignedData(channelID, policyName string, sd []*common.SignedData) error
+
+	// CheckPolicyNoChannel checks that the passed signed proposal is valid with the respect to
+	// passed policy on the local MSP.
+	CheckPolicyNoChannel(policyName string, signedProp *pb.SignedProposal) error
+}
+
+type policyChecker struct {
+	channelPolicyManagerGetter policies.ChannelPolicyManagerGetter
+	localMSP                   msp.IdentityDeserializer
+	principalGetter            mgmt.MSPPrincipalGetter
+}
+
+// NewPolicyChecker creates a new instance of PolicyChecker
+func NewPolicyChecker(channelPolicyManagerGetter policies.ChannelPolicyManagerGetter, localMSP msp.IdentityDeserializer, principalGetter mgmt.MSPPrincipalGetter) PolicyChecker {
+	return &policyChecker{channelPolicyManagerGetter, localMSP, principalGetter}
+}
+
+// CheckPolicy checks that the passed signed proposal is valid with the respect to
+// passed policy on the passed channel.
+func (p *policyChecker) CheckPolicy(channelID, policyName string, signedProp *pb.SignedProposal) error {
+	if channelID == "" {
+		return p.CheckPolicyNoChannel(policyName, signedProp)
+	}
+
+	if policyName == "" {
+		return fmt.Errorf("Invalid policy name during check policy on channel [%s]. Name must be different from nil.", channelID)
+	}
+
+	if signedProp == nil {
+		return fmt.Errorf("Invalid signed proposal during check policy on channel [%s] with policy [%s]", channelID, policyName)
+	}
+
+	// Get Policy
+	policyManager, _ := p.channelPolicyManagerGetter.Manager(channelID)
+	if policyManager == nil {
+		return fmt.Errorf("Failed to get policy manager for channel [%s]", channelID)
+	}
+
+	// Prepare SignedData
+	proposal, err := utils.GetProposal(signedProp.ProposalBytes)
+	if err != nil {
+		return fmt.Errorf("Failing extracting proposal during check policy on channel [%s] with policy [%s}: [%s]", channelID, policyName, err)
+	}
+
+	header, err := utils.GetHeader(proposal.Header)
+	if err != nil {
+		return fmt.Errorf("Failing extracting header during check policy on channel [%s] with policy [%s}: [%s]", channelID, policyName, err)
+	}
+
+	shdr, err := utils.GetSignatureHeader(header.SignatureHeader)
+	if err != nil {
+		return fmt.Errorf("Invalid Proposal's SignatureHeader during check policy on channel [%s] with policy [%s}: [%s]", channelID, policyName, err)
+	}
+
+	sd := []*common.SignedData{&common.SignedData{
+		Data:      signedProp.ProposalBytes,
+		Identity:  shdr.Creator,
+		Signature: signedProp.Signature,
+	}}
+
+	return p.CheckPolicyBySignedData(channelID, policyName, sd)
+}
+
+// CheckPolicyNoChannel checks that the passed signed proposal is valid with the respect to
+// passed policy on the local MSP.
+func (p *policyChecker) CheckPolicyNoChannel(policyName string, signedProp *pb.SignedProposal) error {
+	if policyName == "" {
+		return errors.New("Invalid policy name during channelless check policy. Name must be different from nil.")
+	}
+
+	if signedProp == nil {
+		return fmt.Errorf("Invalid signed proposal during channelless check policy with policy [%s]", policyName)
+	}
+
+	proposal, err := utils.GetProposal(signedProp.ProposalBytes)
+	if err != nil {
+		return fmt.Errorf("Failing extracting proposal during channelless check policy with policy [%s}: [%s]", policyName, err)
+	}
+
+	header, err := utils.GetHeader(proposal.Header)
+	if err != nil {
+		return fmt.Errorf("Failing extracting header during channelless check policy with policy [%s}: [%s]", policyName, err)
+	}
+
+	shdr, err := utils.GetSignatureHeader(header.SignatureHeader)
+	if err != nil {
+		return fmt.Errorf("Invalid Proposal's SignatureHeader during channelless check policy with policy [%s}: [%s]", policyName, err)
+	}
+
+	// Deserialize proposal's creator with the local MSP
+	id, err := p.localMSP.DeserializeIdentity(shdr.Creator)
+	if err != nil {
+		return fmt.Errorf("Failed deserializing proposal creator during channelless check policy with policy [%s}: [%s]", policyName, err)
+	}
+
+	// Load MSPPrincipal for policy
+	principal, err := p.principalGetter.Get(policyName)
+	if err != nil {
+		return fmt.Errorf("Failed getting local MSP principal during channelless check policy with policy [%s}: [%s]", policyName, err)
+	}
+
+	// Verify that proposal's creator satisfies the principal
+	err = id.SatisfiesPrincipal(principal)
+	if err != nil {
+		return fmt.Errorf("Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [%s}: [%s]", policyName, err)
+	}
+
+	// Verify the signature
+	return id.Verify(signedProp.ProposalBytes, signedProp.Signature)
+}
+
+// CheckPolicyBySignedData checks that the passed signed data is valid with the respect to
+// passed policy on the passed channel.
+func (p *policyChecker) CheckPolicyBySignedData(channelID, policyName string, sd []*common.SignedData) error {
+	if channelID == "" {
+		return errors.New("Invalid channel ID name during check policy on signed data. Name must be different from nil.")
+	}
+
+	if policyName == "" {
+		return fmt.Errorf("Invalid policy name during check policy on signed data on channel [%s]. Name must be different from nil.", channelID)
+	}
+
+	if sd == nil {
+		return fmt.Errorf("Invalid signed data during check policy on channel [%s] with policy [%s]", channelID, policyName)
+	}
+
+	// Get Policy
+	policyManager, _ := p.channelPolicyManagerGetter.Manager(channelID)
+	if policyManager == nil {
+		return fmt.Errorf("Failed to get policy manager for channel [%s]", channelID)
+	}
+
+	// Recall that get policy always returns a policy object
+	policy, _ := policyManager.GetPolicy(policyName)
+
+	// Evaluate the policy
+	err := policy.Evaluate(sd)
+	if err != nil {
+		return fmt.Errorf("Failed evaluating policy on signed data during check policy on channel [%s] with policy [%s}: [%s]", channelID, policyName, err)
+	}
+
+	return nil
+}