/
access.go
121 lines (104 loc) · 3.41 KB
/
access.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
/*
Copyright IBM Corp. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
package accesscontrol
import (
"errors"
"fmt"
"github.com/golang/protobuf/proto"
"github.com/hyperledger/fabric/common/flogging"
pb "github.com/hyperledger/fabric/protos/peer"
"google.golang.org/grpc"
)
var logger = flogging.MustGetLogger("accessControl")
// Authenticator wraps a chaincode service and authenticates
// chaincode shims (containers)
type Authenticator interface {
// DisableAccessCheck disables the access control
// enforcement of the Authenticator
DisableAccessCheck()
// Generate returns a pair of certificate and private key,
// and associates the hash of the certificate with the given
// chaincode name
Generate(ccName string) (*CertAndPrivKeyPair, error)
// ChaincodeSupportServer - The Authenticator is registered
// as a chaincode service
pb.ChaincodeSupportServer
}
// CertAndPrivKeyPair contains a certificate
// and its corresponding private key in base64 format
type CertAndPrivKeyPair struct {
// Cert - an x509 certificate encoded in base64
Cert string
// Key - a private key of the corresponding certificate
Key string
}
type authenticator struct {
bypass bool
mapper *certMapper
pb.ChaincodeSupportServer
}
// NewAuthenticator returns a new authenticator that would wrap the given chaincode service
func NewAuthenticator(srv pb.ChaincodeSupportServer, ca CA) Authenticator {
auth := &authenticator{
mapper: newCertMapper(ca.newClientCertKeyPair),
}
auth.ChaincodeSupportServer = newInterceptor(srv, auth.authenticate)
return auth
}
// DisableAccessCheck disables the access control
// enforcement of the Authenticator
func (ac *authenticator) DisableAccessCheck() {
ac.bypass = true
}
// Generate returns a pair of certificate and private key,
// and associates the hash of the certificate with the given
// chaincode name
func (ac *authenticator) Generate(ccName string) (*CertAndPrivKeyPair, error) {
cert, err := ac.mapper.genCert(ccName)
if err != nil {
return nil, err
}
return &CertAndPrivKeyPair{
Key: cert.privKeyString(),
Cert: cert.pubKeyString(),
}, nil
}
func (ac *authenticator) authenticate(msg *pb.ChaincodeMessage, stream grpc.ServerStream) error {
if ac.bypass {
return nil
}
if msg.Type != pb.ChaincodeMessage_REGISTER {
logger.Warning("Got message", msg, "but expected a ChaincodeMessage_REGISTER message")
return errors.New("First message needs to be a register")
}
chaincodeID := &pb.ChaincodeID{}
err := proto.Unmarshal(msg.Payload, chaincodeID)
if err != nil {
logger.Warning("Failed unmarshaling message:", err)
return err
}
ccName := chaincodeID.Name
// Obtain certificate from stream
hash := extractCertificateHashFromContext(stream.Context())
if len(hash) == 0 {
errMsg := fmt.Sprintf("TLS is active but chaincode %s didn't send certificate", ccName)
logger.Warning(errMsg)
return errors.New(errMsg)
}
// Look it up in the mapper
registeredName := ac.mapper.lookup(certHash(hash))
if registeredName == "" {
errMsg := fmt.Sprintf("Chaincode %s with given certificate hash %v not found in registry", ccName, hash)
logger.Warning(errMsg)
return errors.New(errMsg)
}
if registeredName != ccName {
errMsg := fmt.Sprintf("Chaincode %s with given certificate hash %v belongs to a different chaincode", ccName, hash)
logger.Warning(errMsg)
return fmt.Errorf(errMsg)
}
logger.Debug("Chaincode", ccName, "'s authentication is authorized")
return nil
}