forked from hyperledger/fabric
-
Notifications
You must be signed in to change notification settings - Fork 0
/
accesscontrol.go
119 lines (105 loc) · 3.31 KB
/
accesscontrol.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
/*
Copyright IBM Corp. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
package server
import (
"github.com/hyperledger/fabric/protos/common"
"github.com/hyperledger/fabric/protos/token"
"github.com/pkg/errors"
)
//go:generate counterfeiter -o mock/acl_provider.go -fake-name ACLProvider . ACLProvider
type ACLProvider interface {
// CheckACL checks access control for the resource for the given channel.
// idinfo is an object such as []*common.SignedData from which
// an id can be extracted for testing against a policy
CheckACL(resName string, channelID string, idinfo interface{}) error
}
type ACLResources struct {
IssueTokens string
TransferTokens string
ListTokens string
}
// PolicyBasedAccessControl implements token command access control functions.
type PolicyBasedAccessControl struct {
ACLProvider ACLProvider
ACLResources *ACLResources
}
func (ac *PolicyBasedAccessControl) Check(sc *token.SignedCommand, c *token.Command) error {
signedData := []*common.SignedData{{
Identity: c.Header.Creator,
Data: sc.Command,
Signature: sc.Signature,
}}
switch t := c.GetPayload().(type) {
case *token.Command_ImportRequest:
return ac.ACLProvider.CheckACL(
ac.ACLResources.IssueTokens,
c.Header.ChannelId,
signedData,
)
case *token.Command_ListRequest:
return ac.ACLProvider.CheckACL(
ac.ACLResources.ListTokens,
c.Header.ChannelId,
signedData,
)
case *token.Command_TransferRequest:
return ac.ACLProvider.CheckACL(
ac.ACLResources.TransferTokens,
c.Header.ChannelId,
signedData,
)
case *token.Command_RedeemRequest:
// Redeem has same policy as transfer
return ac.ACLProvider.CheckACL(
ac.ACLResources.TransferTokens,
c.Header.ChannelId,
signedData,
)
case *token.Command_ApproveRequest:
// Approve has the same policy as transfer
return ac.ACLProvider.CheckACL(
ac.ACLResources.TransferTokens,
c.Header.ChannelId,
signedData,
)
case *token.Command_TransferFromRequest:
// TransferFrom has the same policy as transfer
return ac.ACLProvider.CheckACL(
ac.ACLResources.TransferTokens,
c.Header.ChannelId,
signedData,
)
case *token.Command_ExpectationRequest:
if c.GetExpectationRequest().GetExpectation() == nil {
return errors.New("ExpectationRequest has nil Expectation")
}
plainExpectation := c.GetExpectationRequest().GetExpectation().GetPlainExpectation()
if plainExpectation == nil {
return errors.New("ExpectationRequest has nil PlainExpectation")
}
return ac.checkExpectation(plainExpectation, signedData, c)
default:
return errors.Errorf("command type not recognized: %T", t)
}
}
// checkExpectation checks either issue policy or transfer policy depending on the payload type in expectation
func (ac *PolicyBasedAccessControl) checkExpectation(plainExpectation *token.PlainExpectation, signedData []*common.SignedData, c *token.Command) error {
switch t := plainExpectation.GetPayload().(type) {
case *token.PlainExpectation_ImportExpectation:
return ac.ACLProvider.CheckACL(
ac.ACLResources.IssueTokens,
c.Header.ChannelId,
signedData,
)
case *token.PlainExpectation_TransferExpectation:
return ac.ACLProvider.CheckACL(
ac.ACLResources.TransferTokens,
c.Header.ChannelId,
signedData,
)
default:
return errors.Errorf("expectation payload type not recognized: %T", t)
}
}