Merge "Chaincode invocation ACL support functions"

hyperledger · Mar 3, 2017 · 94505fc · 94505fc
2 parents 90a5a26 + 44e4210
commit 94505fc
Show file tree

Hide file tree

Showing 4 changed files with 481 additions and 0 deletions.
diff --git a/core/policy/mocks.go b/core/policy/mocks.go
@@ -0,0 +1,146 @@
+/*
+Copyright IBM Corp. 2017 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+		 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"bytes"
+
+	"fmt"
+
+	"errors"
+
+	"github.com/hyperledger/fabric/common/policies"
+	"github.com/hyperledger/fabric/msp"
+	"github.com/hyperledger/fabric/protos/common"
+)
+
+type mockChannelPolicyManagerGetter struct {
+	managers map[string]policies.Manager
+}
+
+func (c *mockChannelPolicyManagerGetter) Manager(channelID string) (policies.Manager, bool) {
+	return c.managers[channelID], true
+}
+
+type mockChannelPolicyManager struct {
+	mockPolicy policies.Policy
+}
+
+func (m *mockChannelPolicyManager) GetPolicy(id string) (policies.Policy, bool) {
+	return m.mockPolicy, true
+}
+
+func (m *mockChannelPolicyManager) Manager(path []string) (policies.Manager, bool) {
+	panic("Not implemented")
+}
+
+func (m *mockChannelPolicyManager) BasePath() string {
+	panic("Not implemented")
+}
+
+func (m *mockChannelPolicyManager) PolicyNames() []string {
+	panic("Not implemented")
+}
+
+type mockPolicy struct {
+	deserializer msp.IdentityDeserializer
+}
+
+// Evaluate takes a set of SignedData and evaluates whether this set of signatures satisfies the policy
+func (m *mockPolicy) Evaluate(signatureSet []*common.SignedData) error {
+	fmt.Printf("Evaluate [%s], [% x], [% x]\n", string(signatureSet[0].Identity), string(signatureSet[0].Data), string(signatureSet[0].Signature))
+	identity, err := m.deserializer.DeserializeIdentity(signatureSet[0].Identity)
+	if err != nil {
+		return err
+	}
+
+	return identity.Verify(signatureSet[0].Data, signatureSet[0].Signature)
+}
+
+type mockIdentityDeserializer struct {
+	identity []byte
+	msg      []byte
+}
+
+func (d *mockIdentityDeserializer) DeserializeIdentity(serializedIdentity []byte) (msp.Identity, error) {
+	fmt.Printf("id : [%s], [%s]\n", string(serializedIdentity), string(d.identity))
+	if bytes.Equal(d.identity, serializedIdentity) {
+		fmt.Printf("GOT : [%s], [%s]\n", string(serializedIdentity), string(d.identity))
+		return &mockIdentity{identity: d.identity, msg: d.msg}, nil
+	}
+
+	return nil, errors.New("Invalid identity")
+}
+
+type mockIdentity struct {
+	identity []byte
+	msg      []byte
+}
+
+func (id *mockIdentity) SatisfiesPrincipal(p *common.MSPPrincipal) error {
+	if !bytes.Equal(id.identity, p.Principal) {
+		return fmt.Errorf("Different identities [% x]!=[% x]", id.identity, p.Principal)
+	}
+	return nil
+}
+
+func (id *mockIdentity) GetIdentifier() *msp.IdentityIdentifier {
+	return &msp.IdentityIdentifier{Mspid: "mock", Id: "mock"}
+}
+
+func (id *mockIdentity) GetMSPIdentifier() string {
+	return "mock"
+}
+
+func (id *mockIdentity) Validate() error {
+	return nil
+}
+
+func (id *mockIdentity) GetOrganizationalUnits() []string {
+	return []string{"dunno"}
+}
+
+func (id *mockIdentity) Verify(msg []byte, sig []byte) error {
+	fmt.Printf("VERIFY [% x], [% x], [% x]\n", string(id.msg), string(msg), string(sig))
+	if bytes.Equal(id.msg, msg) {
+		if bytes.Equal(msg, sig) {
+			return nil
+		}
+	}
+
+	return errors.New("Invalid Signature")
+}
+
+func (id *mockIdentity) VerifyOpts(msg []byte, sig []byte, opts msp.SignatureOpts) error {
+	return nil
+}
+
+func (id *mockIdentity) VerifyAttributes(proof []byte, spec *msp.AttributeProofSpec) error {
+	return nil
+}
+
+func (id *mockIdentity) Serialize() ([]byte, error) {
+	return []byte("cert"), nil
+}
+
+type mockMSPPrincipalGetter struct {
+	Principal []byte
+}
+
+func (m *mockMSPPrincipalGetter) Get(role string) (*common.MSPPrincipal, error) {
+	return &common.MSPPrincipal{Principal: m.Principal}, nil
+}
diff --git a/core/policy/policy.go b/core/policy/policy.go
@@ -0,0 +1,186 @@
+/*
+Copyright IBM Corp. 2017 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+		 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"fmt"
+
+	"errors"
+
+	"github.com/hyperledger/fabric/common/policies"
+	"github.com/hyperledger/fabric/msp"
+	"github.com/hyperledger/fabric/msp/mgmt"
+	"github.com/hyperledger/fabric/protos/common"
+	pb "github.com/hyperledger/fabric/protos/peer"
+	"github.com/hyperledger/fabric/protos/utils"
+)
+
+// PolicyChecker offers methods to check a signed proposal against a specific policy
+// defined in a channel or not.
+type PolicyChecker interface {
+	// CheckPolicy checks that the passed signed proposal is valid with the respect to
+	// passed policy on the passed channel.
+	// If no channel is passed, CheckPolicyNoChannel is invoked directly.
+	CheckPolicy(channelID, policyName string, signedProp *pb.SignedProposal) error
+
+	// CheckPolicyBySignedData checks that the passed signed data is valid with the respect to
+	// passed policy on the passed channel.
+	// If no channel is passed, the method will fail.
+	CheckPolicyBySignedData(channelID, policyName string, sd []*common.SignedData) error
+
+	// CheckPolicyNoChannel checks that the passed signed proposal is valid with the respect to
+	// passed policy on the local MSP.
+	CheckPolicyNoChannel(policyName string, signedProp *pb.SignedProposal) error
+}
+
+type policyChecker struct {
+	channelPolicyManagerGetter policies.ChannelPolicyManagerGetter
+	localMSP                   msp.IdentityDeserializer
+	principalGetter            mgmt.MSPPrincipalGetter
+}
+
+// NewPolicyChecker creates a new instance of PolicyChecker
+func NewPolicyChecker(channelPolicyManagerGetter policies.ChannelPolicyManagerGetter, localMSP msp.IdentityDeserializer, principalGetter mgmt.MSPPrincipalGetter) PolicyChecker {
+	return &policyChecker{channelPolicyManagerGetter, localMSP, principalGetter}
+}
+
+// CheckPolicy checks that the passed signed proposal is valid with the respect to
+// passed policy on the passed channel.
+func (p *policyChecker) CheckPolicy(channelID, policyName string, signedProp *pb.SignedProposal) error {
+	if channelID == "" {
+		return p.CheckPolicyNoChannel(policyName, signedProp)
+	}
+
+	if policyName == "" {
+		return fmt.Errorf("Invalid policy name during check policy on channel [%s]. Name must be different from nil.", channelID)
+	}
+
+	if signedProp == nil {
+		return fmt.Errorf("Invalid signed proposal during check policy on channel [%s] with policy [%s]", channelID, policyName)
+	}
+
+	// Get Policy
+	policyManager, _ := p.channelPolicyManagerGetter.Manager(channelID)
+	if policyManager == nil {
+		return fmt.Errorf("Failed to get policy manager for channel [%s]", channelID)
+	}
+
+	// Prepare SignedData
+	proposal, err := utils.GetProposal(signedProp.ProposalBytes)
+	if err != nil {
+		return fmt.Errorf("Failing extracting proposal during check policy on channel [%s] with policy [%s}: [%s]", channelID, policyName, err)
+	}
+
+	header, err := utils.GetHeader(proposal.Header)
+	if err != nil {
+		return fmt.Errorf("Failing extracting header during check policy on channel [%s] with policy [%s}: [%s]", channelID, policyName, err)
+	}
+
+	shdr, err := utils.GetSignatureHeader(header.SignatureHeader)
+	if err != nil {
+		return fmt.Errorf("Invalid Proposal's SignatureHeader during check policy on channel [%s] with policy [%s}: [%s]", channelID, policyName, err)
+	}
+
+	sd := []*common.SignedData{&common.SignedData{
+		Data:      signedProp.ProposalBytes,
+		Identity:  shdr.Creator,
+		Signature: signedProp.Signature,
+	}}
+
+	return p.CheckPolicyBySignedData(channelID, policyName, sd)
+}
+
+// CheckPolicyNoChannel checks that the passed signed proposal is valid with the respect to
+// passed policy on the local MSP.
+func (p *policyChecker) CheckPolicyNoChannel(policyName string, signedProp *pb.SignedProposal) error {
+	if policyName == "" {
+		return errors.New("Invalid policy name during channelless check policy. Name must be different from nil.")
+	}
+
+	if signedProp == nil {
+		return fmt.Errorf("Invalid signed proposal during channelless check policy with policy [%s]", policyName)
+	}
+
+	proposal, err := utils.GetProposal(signedProp.ProposalBytes)
+	if err != nil {
+		return fmt.Errorf("Failing extracting proposal during channelless check policy with policy [%s}: [%s]", policyName, err)
+	}
+
+	header, err := utils.GetHeader(proposal.Header)
+	if err != nil {
+		return fmt.Errorf("Failing extracting header during channelless check policy with policy [%s}: [%s]", policyName, err)
+	}
+
+	shdr, err := utils.GetSignatureHeader(header.SignatureHeader)
+	if err != nil {
+		return fmt.Errorf("Invalid Proposal's SignatureHeader during channelless check policy with policy [%s}: [%s]", policyName, err)
+	}
+
+	// Deserialize proposal's creator with the local MSP
+	id, err := p.localMSP.DeserializeIdentity(shdr.Creator)
+	if err != nil {
+		return fmt.Errorf("Failed deserializing proposal creator during channelless check policy with policy [%s}: [%s]", policyName, err)
+	}
+
+	// Load MSPPrincipal for policy
+	principal, err := p.principalGetter.Get(policyName)
+	if err != nil {
+		return fmt.Errorf("Failed getting local MSP principal during channelless check policy with policy [%s}: [%s]", policyName, err)
+	}
+
+	// Verify that proposal's creator satisfies the principal
+	err = id.SatisfiesPrincipal(principal)
+	if err != nil {
+		return fmt.Errorf("Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [%s}: [%s]", policyName, err)
+	}
+
+	// Verify the signature
+	return id.Verify(signedProp.ProposalBytes, signedProp.Signature)
+}
+
+// CheckPolicyBySignedData checks that the passed signed data is valid with the respect to
+// passed policy on the passed channel.
+func (p *policyChecker) CheckPolicyBySignedData(channelID, policyName string, sd []*common.SignedData) error {
+	if channelID == "" {
+		return errors.New("Invalid channel ID name during check policy on signed data. Name must be different from nil.")
+	}
+
+	if policyName == "" {
+		return fmt.Errorf("Invalid policy name during check policy on signed data on channel [%s]. Name must be different from nil.", channelID)
+	}
+
+	if sd == nil {
+		return fmt.Errorf("Invalid signed data during check policy on channel [%s] with policy [%s]", channelID, policyName)
+	}
+
+	// Get Policy
+	policyManager, _ := p.channelPolicyManagerGetter.Manager(channelID)
+	if policyManager == nil {
+		return fmt.Errorf("Failed to get policy manager for channel [%s]", channelID)
+	}
+
+	// Recall that get policy always returns a policy object
+	policy, _ := policyManager.GetPolicy(policyName)
+
+	// Evaluate the policy
+	err := policy.Evaluate(sd)
+	if err != nil {
+		return fmt.Errorf("Failed evaluating policy on signed data during check policy on channel [%s] with policy [%s}: [%s]", channelID, policyName, err)
+	}
+
+	return nil
+}