/*
Copyright IBM Corp. All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
*/

package aclmgmt

import (
	"fmt"

	"github.com/hyperledger/fabric-protos-go/common"
	pb "github.com/hyperledger/fabric-protos-go/peer"
	"github.com/hyperledger/fabric/common/policies"
	"github.com/hyperledger/fabric/core/aclmgmt/resources"
	"github.com/hyperledger/fabric/core/policy"
	"github.com/hyperledger/fabric/msp/mgmt"
	"github.com/hyperledger/fabric/protoutil"
)

// Policy names used by the channel-scoped entries of the default ACL table.
const (
	CHANNELREADERS = policies.ChannelApplicationReaders
	CHANNELWRITERS = policies.ChannelApplicationWriters
)

// defaultACLProvider is an ACLProvider that additionally reports whether a
// resource is governed by a peer-wide ("p type") policy instead of a channel
// policy.
type defaultACLProvider interface {
	ACLProvider
	IsPtypePolicy(resName string) bool
}

// defaultACLProviderImpl is the fallback ACL provider. It is used when no
// resource-based ACL provider is configured, or when that provider has no
// policy for the named resource.
type defaultACLProviderImpl struct {
	policyChecker policy.PolicyChecker

	// pResourcePolicyMap maps resource names to peer-wide policies (values such
	// as mgmt.Admins). CheckACL evaluates these with an empty channel ID.
	pResourcePolicyMap map[string]string

	// cResourcePolicyMap maps resource names to channel policies (CHANNELREADERS
	// or CHANNELWRITERS). An empty value is a deliberate "no policy" marker:
	// CheckACL rejects such a resource with an unmapped-policy error.
	cResourcePolicyMap map[string]string
}

// newDefaultACLProvider builds the default provider around policyChecker and
// populates its built-in resource -> policy tables. Peer-wide entries are
// checked without a channel; channel entries are checked against the named
// channel's application policies. Any resource absent from both tables is
// denied by CheckACL.
func newDefaultACLProvider(policyChecker policy.PolicyChecker) defaultACLProvider {
	peerWide := map[string]string{
		// _lifecycle
		resources.Lifecycle_InstallChaincode:                  mgmt.Admins,
		resources.Lifecycle_QueryInstalledChaincode:           mgmt.Admins,
		resources.Lifecycle_GetInstalledChaincodePackage:      mgmt.Admins,
		resources.Lifecycle_QueryInstalledChaincodes:          mgmt.Admins,
		resources.Lifecycle_ApproveChaincodeDefinitionForMyOrg: mgmt.Admins,

		// LSCC (implemented by the chaincode currently)
		resources.Lscc_Install:                mgmt.Admins,
		resources.Lscc_GetInstalledChaincodes: mgmt.Admins,

		// QSCC has no peer-wide resources.

		// CSCC (implemented by the chaincode currently)
		resources.Cscc_JoinChain:   mgmt.Admins,
		resources.Cscc_GetChannels: mgmt.Members,
	}

	channelScoped := map[string]string{
		// _lifecycle
		resources.Lifecycle_CommitChaincodeDefinition: CHANNELWRITERS,
		resources.Lifecycle_QueryChaincodeDefinition:  CHANNELWRITERS,
		resources.Lifecycle_QueryChaincodeDefinitions: CHANNELWRITERS,
		resources.Lifecycle_CheckCommitReadiness:      CHANNELWRITERS,

		// LSCC
		resources.Lscc_Deploy:  "", // ACL check covered by PROPOSAL (see Peer_Propose)
		resources.Lscc_Upgrade: "", // ACL check covered by PROPOSAL (see Peer_Propose)
		resources.Lscc_ChaincodeExists:           CHANNELREADERS,
		resources.Lscc_GetDeploymentSpec:         CHANNELREADERS,
		resources.Lscc_GetChaincodeData:          CHANNELREADERS,
		resources.Lscc_GetInstantiatedChaincodes: CHANNELREADERS,
		resources.Lscc_GetCollectionsConfig:      CHANNELREADERS,

		// QSCC
		resources.Qscc_GetChainInfo:       CHANNELREADERS,
		resources.Qscc_GetBlockByNumber:   CHANNELREADERS,
		resources.Qscc_GetBlockByHash:     CHANNELREADERS,
		resources.Qscc_GetTransactionByID: CHANNELREADERS,
		resources.Qscc_GetBlockByTxID:     CHANNELREADERS,

		// CSCC
		resources.Cscc_GetConfigBlock: CHANNELREADERS,

		// Non-SCC peer resources
		resources.Peer_Propose:              CHANNELWRITERS,
		resources.Peer_ChaincodeToChaincode: CHANNELWRITERS,

		// Event resources
		resources.Event_Block:         CHANNELREADERS,
		resources.Event_FilteredBlock: CHANNELREADERS,
	}

	return &defaultACLProviderImpl{
		policyChecker:      policyChecker,
		pResourcePolicyMap: peerWide,
		cResourcePolicyMap: channelScoped,
	}
}

// IsPtypePolicy reports whether resName has an entry in the peer-wide table.
func (d *defaultACLProviderImpl) IsPtypePolicy(resName string) bool {
	_, found := d.pResourcePolicyMap[resName]
	return found
}

// lookupPolicy returns the policy name to evaluate for resName together with
// the channel ID it must be evaluated under. A non-empty peer-wide entry wins
// and forces an empty channel ID; otherwise the channel table is consulted and
// channelID is passed through. An empty policy name means "unmapped".
func (d *defaultACLProviderImpl) lookupPolicy(resName, channelID string) (policyName, scopeChannel string) {
	if peerPolicy := d.pResourcePolicyMap[resName]; peerPolicy != "" {
		return peerPolicy, ""
	}
	return d.cResourcePolicyMap[resName], channelID
}

// CheckACL provides the default (v 1.0) behavior: resName is resolved to a
// policy (peer-wide first, then channel-scoped) and that policy is evaluated
// against idinfo.
//
// A peer-wide hit discards the caller's channelID, so the check runs against
// the peer's channel-less policy rather than the channel's. A resource that is
// mapped in neither table, or mapped to "", is rejected with an error, so
// unknown resources fail closed.
//
// idinfo must be a *pb.SignedProposal, a *common.Envelope (converted to signed
// data first) or a []*protoutil.SignedData; any other type is rejected with an
// error.
func (d *defaultACLProviderImpl) CheckACL(resName string, channelID string, idinfo interface{}) error {
	policyName, scopeChannel := d.lookupPolicy(resName, channelID)
	if policyName == "" {
		aclLogger.Errorf("Unmapped policy for %s", resName)
		return fmt.Errorf("Unmapped policy for %s", resName)
	}

	switch id := idinfo.(type) {
	case *pb.SignedProposal:
		return d.policyChecker.CheckPolicy(scopeChannel, policyName, id)
	case *common.Envelope:
		signedData, err := protoutil.EnvelopeAsSignedData(id)
		if err != nil {
			return err
		}
		return d.policyChecker.CheckPolicyBySignedData(scopeChannel, policyName, signedData)
	case []*protoutil.SignedData:
		return d.policyChecker.CheckPolicyBySignedData(scopeChannel, policyName, id)
	}

	// Unrecognised identity carrier: deny rather than guess.
	aclLogger.Errorf("Unmapped id on checkACL %s", resName)
	return fmt.Errorf("Unknown id on checkACL %s", resName)
}