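/*
Copyright IBM Corp. All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
*/

package aclmgmt

import (
	"fmt"

	"github.com/hyperledger/fabric-protos-go/common"
	pb "github.com/hyperledger/fabric-protos-go/peer"
	"github.com/osdi23p228/fabric/common/policies"
	"github.com/osdi23p228/fabric/core/aclmgmt/resources"
	"github.com/osdi23p228/fabric/core/policy"
	"github.com/osdi23p228/fabric/msp/mgmt"
	"github.com/osdi23p228/fabric/protoutil"
)

// Channel-level policy names used by the default ACL table. The exported
// ALL_CAPS names are kept as-is for backward compatibility with callers.
const (
	CHANNELREADERS = policies.ChannelApplicationReaders
	CHANNELWRITERS = policies.ChannelApplicationWriters
)

// defaultACLProvider is an ACLProvider that can additionally report whether a
// resource is governed by a peer-wide ("p type") policy instead of a channel
// policy.
type defaultACLProvider interface {
	ACLProvider
	// IsPtypePolicy reports whether resName is mapped to a peer-wide policy.
	IsPtypePolicy(resName string) bool
}

// defaultACLProviderImpl is used if a resource-based ACL provider is not
// provided or if it does not contain a policy for the named resource.
type defaultACLProviderImpl struct {
	policyChecker policy.PolicyChecker

	// pResourcePolicyMap maps a resource to a peer-wide policy name. A
	// non-empty entry here takes precedence over cResourcePolicyMap in
	// CheckACL and is evaluated without a channel context.
	pResourcePolicyMap map[string]string

	// cResourcePolicyMap maps a resource to a channel policy name. An entry
	// whose value is "" is deliberately unmapped: CheckACL rejects it.
	cResourcePolicyMap map[string]string
}

// newDefaultACLProvider builds the provider with the built-in
// resource-to-policy table. policyChecker performs the actual policy
// evaluation for CheckACL.
func newDefaultACLProvider(policyChecker policy.PolicyChecker) defaultACLProvider {
	return &defaultACLProviderImpl{
		policyChecker: policyChecker,

		// Peer-wide ("p type") resources: checked without a channel context.
		pResourcePolicyMap: map[string]string{
			// _lifecycle
			resources.Lifecycle_InstallChaincode:                   mgmt.Admins,
			resources.Lifecycle_QueryInstalledChaincode:            mgmt.Admins,
			resources.Lifecycle_GetInstalledChaincodePackage:       mgmt.Admins,
			resources.Lifecycle_QueryInstalledChaincodes:           mgmt.Admins,
			resources.Lifecycle_ApproveChaincodeDefinitionForMyOrg: mgmt.Admins,
			resources.Lifecycle_QueryApprovedChaincodeDefinition:   mgmt.Admins,

			// LSCC (implemented by the chaincode currently)
			resources.Lscc_Install:                mgmt.Admins,
			resources.Lscc_GetInstalledChaincodes: mgmt.Admins,

			// QSCC has no peer-wide resources.

			// CSCC (implemented by the chaincode currently)
			resources.Cscc_JoinChain:   mgmt.Admins,
			resources.Cscc_GetChannels: mgmt.Members,
		},

		// Channel ("c type") resources: checked against the named channel.
		cResourcePolicyMap: map[string]string{
			// _lifecycle
			resources.Lifecycle_CommitChaincodeDefinition: CHANNELWRITERS,
			resources.Lifecycle_QueryChaincodeDefinition:  CHANNELWRITERS,
			resources.Lifecycle_QueryChaincodeDefinitions: CHANNELWRITERS,
			resources.Lifecycle_CheckCommitReadiness:      CHANNELWRITERS,

			// LSCC
			// Deploy/Upgrade carry no policy on purpose: the ACL check is
			// covered by PROPOSAL, and CheckACL fails closed for them.
			resources.Lscc_Deploy:                    "", // ACL check covered by PROPOSAL
			resources.Lscc_Upgrade:                   "", // ACL check covered by PROPOSAL
			resources.Lscc_ChaincodeExists:           CHANNELREADERS,
			resources.Lscc_GetDeploymentSpec:         CHANNELREADERS,
			resources.Lscc_GetChaincodeData:          CHANNELREADERS,
			resources.Lscc_GetInstantiatedChaincodes: CHANNELREADERS,
			resources.Lscc_GetCollectionsConfig:      CHANNELREADERS,

			// QSCC
			resources.Qscc_GetChainInfo:       CHANNELREADERS,
			resources.Qscc_GetBlockByNumber:   CHANNELREADERS,
			resources.Qscc_GetBlockByHash:     CHANNELREADERS,
			resources.Qscc_GetTransactionByID: CHANNELREADERS,
			resources.Qscc_GetBlockByTxID:     CHANNELREADERS,

			// CSCC
			resources.Cscc_GetConfigBlock: CHANNELREADERS,

			// Peer resources (non-scc)
			resources.Peer_Propose:              CHANNELWRITERS,
			resources.Peer_ChaincodeToChaincode: CHANNELWRITERS,

			// Event resources (non-scc)
			resources.Event_Block:         CHANNELREADERS,
			resources.Event_FilteredBlock: CHANNELREADERS,
		},
	}
}

// IsPtypePolicy reports whether resName has an entry in the peer-wide policy
// table, i.e. whether CheckACL would evaluate it without a channel context.
func (d *defaultACLProviderImpl) IsPtypePolicy(resName string) bool {
	_, ok := d.pResourcePolicyMap[resName]
	return ok
}

// CheckACL provides default (v 1.0) behavior by mapping resources to their ACL
// for a channel.
//
// Resolution order: a non-empty peer-wide policy wins and is evaluated with an
// empty channelID; otherwise the channel policy for resName is used. A
// resource with no non-empty policy in either table is rejected, never
// allowed, and so is an idinfo of an unsupported type.
//
// idinfo must be a *pb.SignedProposal, a *common.Envelope, or a
// []*protoutil.SignedData. Returns the error from the underlying policy
// check, from envelope conversion, or from the lookups described above.
func (d *defaultACLProviderImpl) CheckACL(resName string, channelID string, idinfo interface{}) error {
	// policyName rather than policy: the latter would shadow the policy package.
	policyName := d.pResourcePolicyMap[resName]
	if policyName != "" {
		// p type resources are evaluated channel-less.
		channelID = ""
	} else {
		policyName = d.cResourcePolicyMap[resName]
		if policyName == "" {
			aclLogger.Errorf("Unmapped policy for %s", resName)
			return fmt.Errorf("Unmapped policy for %s", resName)
		}
	}

	switch typedData := idinfo.(type) {
	case *pb.SignedProposal:
		return d.policyChecker.CheckPolicy(channelID, policyName, typedData)
	case *common.Envelope:
		sd, err := protoutil.EnvelopeAsSignedData(typedData)
		if err != nil {
			return err
		}
		return d.policyChecker.CheckPolicyBySignedData(channelID, policyName, sd)
	case []*protoutil.SignedData:
		return d.policyChecker.CheckPolicyBySignedData(channelID, policyName, typedData)
	default:
		aclLogger.Errorf("Unmapped id on checkACL %s", resName)
		return fmt.Errorf("Unknown id on checkACL %s", resName)
	}
}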