Merge "[FAB-11992] idemix role from boolean to int"

hyperledger · Sep 17, 2018 · 95daa61 · 95daa61
2 parents 6efd5e2 + d47dbf6
commit 95daa61
Show file tree

Hide file tree

Showing 9 changed files with 65 additions and 31 deletions.
diff --git a/lib/client.go b/lib/client.go
@@ -458,13 +458,13 @@ func (c *Client) newIdemixEnrollmentResponse(identity *Identity, result *common.
 
 	// Create SignerConfig object with credential bytes from the response
 	// and secret key
-	isAdmin, _ := result.Attrs["IsAdmin"].(bool)
+	role, _ := result.Attrs["Role"].(int)
 	ou, _ := result.Attrs["OU"].(string)
 	enrollmentID, _ := result.Attrs["EnrollmentID"].(string)
 	signerConfig := &idemixcred.SignerConfig{
-		Cred:    credBytes,
-		Sk:      idemix.BigToBytes(sk),
-		IsAdmin: isAdmin,
+		Cred: credBytes,
+		Sk:   idemix.BigToBytes(sk),
+		Role: role,
 		OrganizationalUnitIdentifier:    ou,
 		EnrollmentID:                    enrollmentID,
 		CredentialRevocationInformation: criBytes,

diff --git a/lib/client/credential/idemix/credential_test.go b/lib/client/credential/idemix/credential_test.go
@@ -17,6 +17,7 @@ import (
 
 	lib "github.com/hyperledger/fabric-ca/lib"
 	. "github.com/hyperledger/fabric-ca/lib/client/credential/idemix"
+	"github.com/hyperledger/fabric-ca/lib/server/idemix"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -119,8 +120,8 @@ func TestIdemixCredential(t *testing.T) {
 	assert.True(t, len(sk) > 0, "Secret key bytes length should be more than zero")
 
 	signercfg.GetOrganizationalUnitIdentifier()
-	isAdmin := signercfg.GetIsAdmin()
-	assert.False(t, isAdmin)
+	role := signercfg.GetRole()
+	assert.False(t, idemix.CheckRole(role, idemix.ADMIN))
 
 	err = idemixCred.SetVal(val)
 	assert.NoError(t, err, "Setting the value that we got from the credential should not return an error")

diff --git a/lib/client/credential/idemix/signerconfig.go b/lib/client/credential/idemix/signerconfig.go
@@ -14,8 +14,8 @@ type SignerConfig struct {
 	Sk []byte `protobuf:"bytes,2,opt,name=Sk,proto3" json:"Sk,omitempty"`
 	// OrganizationalUnitIdentifier defines the organizational unit the default signer is in
 	OrganizationalUnitIdentifier string `protobuf:"bytes,3,opt,name=organizational_unit_identifier,json=organizationalUnitIdentifier" json:"organizational_unit_identifier,omitempty"`
-	// IsAdmin defines whether the default signer is admin or not
-	IsAdmin bool `protobuf:"varint,4,opt,name=is_admin,json=isAdmin" json:"is_admin,omitempty"`
+	// Role defines whether the default signer is admin, member, peer, or client
+	Role int `protobuf:"varint,4,opt,name=role,json=role" json:"role,omitempty"`
 	// EnrollmentID contains the enrollment id of this signer
 	EnrollmentID string `protobuf:"bytes,5,opt,name=enrollment_id,json=enrollmentId" json:"enrollment_id,omitempty"`
 	// CRI contains a serialized Credential Revocation Information
@@ -38,10 +38,10 @@ func (s *SignerConfig) GetOrganizationalUnitIdentifier() string {
 	return s.OrganizationalUnitIdentifier
 }
 
-// GetIsAdmin returns true if the user associated with this signer config is an admin, else
-// returns false
-func (s *SignerConfig) GetIsAdmin() bool {
-	return s.IsAdmin
+// GetRole returns true if the user associated with this signer config is an admin, else
+// returns role
+func (s *SignerConfig) GetRole() int {
+	return s.Role
 }
 
 // GetEnrollmentID returns enrollment ID of the user associated with this signer config

diff --git a/lib/server/idemix/enroll.go b/lib/server/idemix/enroll.go
@@ -204,20 +204,16 @@ func (h *EnrollRequestHandler) GetAttributeValues(caller spi.User, ipk *idemix.I
 			rc = append(rc, rh)
 			attrMap[attrName] = util.B64Encode(idemix.BigToBytes(rh))
 		} else if attrName == AttrRole {
-			isAdmin := false
-			attrObj, err := caller.GetAttribute("isAdmin")
+			role := MEMBER.getValue()
+			attrObj, err := caller.GetAttribute("role")
 			if err == nil {
-				isAdmin, err = strconv.ParseBool(attrObj.GetValue())
+				role, err = strconv.Atoi(attrObj.GetValue())
 				if err != nil {
-					log.Debugf("isAdmin attribute of user %s must be a boolean value", caller.GetName())
+					log.Debugf("role attribute of user %s must be a integer value", caller.GetName())
 				}
 			}
-			role := 0
-			if isAdmin {
-				role = 1
-			}
 			rc = append(rc, fp256bn.NewBIGint(role))
-			attrMap[attrName] = isAdmin
+			attrMap[attrName] = role
 		} else {
 			attrObj, err := caller.GetAttribute(attrName)
 			if err != nil {

diff --git a/lib/server/idemix/enroll_test.go b/lib/server/idemix/enroll_test.go
@@ -283,7 +283,7 @@ func TestHandleIdemixEnrollNewCredError(t *testing.T) {
 	caller := new(mocks.User)
 	caller.On("GetName").Return("foo")
 	caller.On("GetAffiliationPath").Return([]string{"a", "b", "c"})
-	caller.On("GetAttribute", "isAdmin").Return(&api.Attribute{Name: "isAdmin", Value: "true"}, nil)
+	caller.On("GetAttribute", "role").Return(&api.Attribute{Name: "role", Value: "2"}, nil)
 	caller.On("LoginComplete").Return(nil)
 
 	credReq, _, err := newIdemixCredentialRequest(t, nonce)
@@ -347,7 +347,7 @@ func TestHandleIdemixEnrollInsertCredError(t *testing.T) {
 	caller := new(mocks.User)
 	caller.On("GetName").Return("foo")
 	caller.On("GetAffiliationPath").Return([]string{"a", "b", "c"})
-	caller.On("GetAttribute", "isAdmin").Return(&api.Attribute{Name: "isAdmin", Value: "true"}, nil)
+	caller.On("GetAttribute", "role").Return(&api.Attribute{Name: "role", Value: "2"}, nil)
 	caller.On("LoginComplete").Return(nil)
 
 	credReq, _, err := newIdemixCredentialRequest(t, nonce)
@@ -427,7 +427,7 @@ func TestHandleIdemixEnrollForCredentialSuccess(t *testing.T) {
 	caller := new(mocks.User)
 	caller.On("GetName").Return("foo")
 	caller.On("GetAffiliationPath").Return([]string{"a", "b", "c"})
-	caller.On("GetAttribute", "isAdmin").Return(&api.Attribute{Name: "isAdmin", Value: "true"}, nil)
+	caller.On("GetAttribute", "role").Return(&api.Attribute{Name: "role", Value: "2"}, nil)
 	caller.On("LoginComplete").Return(nil)
 
 	credReq, _, err := newIdemixCredentialRequest(t, nonce)
@@ -482,7 +482,7 @@ func TestGetAttributeValues(t *testing.T) {
 	caller := new(mocks.User)
 	caller.On("GetName").Return("foo")
 	caller.On("GetAffiliationPath").Return([]string{"a", "b", "c"})
-	caller.On("GetAttribute", "isAdmin").Return(&api.Attribute{Name: "isAdmin", Value: "true"}, nil)
+	caller.On("GetAttribute", "role").Return(&api.Attribute{Name: "role", Value: "2"}, nil)
 	caller.On("GetAttribute", "type").Return(&api.Attribute{Name: "type", Value: "client"}, nil)
 	caller.On("LoginComplete").Return(nil)
 

diff --git a/lib/server/idemix/idemix_roles.go b/lib/server/idemix/idemix_roles.go
@@ -0,0 +1,37 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package idemix
+
+// Role : Represents a IdemixRole
+type Role int32
+
+// The expected roles are 4; We can combine them using a bitmask
+const (
+	MEMBER Role = 1
+	ADMIN  Role = 2
+	CLIENT Role = 4
+	PEER   Role = 8
+	// Next role values: 16, 32, 64 ...
+)
+
+func (role Role) getValue() int {
+	return int(role)
+}
+
+// CheckRole Prove that the desired role is contained or not in the bitmask
+func CheckRole(bitmask int, role Role) bool {
+	return (bitmask & role.getValue()) == role.getValue()
+}
+
+// GetRoleMask Receive a list of roles to combine in a single bitmask
+func GetRoleMask(roles []Role) int {
+	mask := 0
+	for _, role := range roles {
+		mask = mask | role.getValue()
+	}
+	return mask
+}
diff --git a/lib/server/idemix/issuer.go b/lib/server/idemix/issuer.go
@@ -187,7 +187,7 @@ func (i *issuer) VerifyToken(authHdr string, body []byte) (string, error) {
 		return "", errors.New("Issuer is not initialized")
 	}
 	// Disclosure array indicates which attributes are disclosed. 1 means disclosed. Currently four attributes are
-	// supported: OU, isAdmin, enrollmentID and revocationHandle. Third element of disclosure array is set to 1
+	// supported: OU, role, enrollmentID and revocationHandle. Third element of disclosure array is set to 1
 	// to indicate that the server expects enrollmentID to be disclosed in the signature sent in the authorization token.
 	// EnrollmentID is disclosed to check if the signature was infact created using credential of a user whose
 	// enrollment ID is the one specified in the token. So, enrollment ID in the token is used to check if the user

diff --git a/lib/serveridentities.go b/lib/serveridentities.go
@@ -300,7 +300,7 @@ func processDeleteRequest(ctx *serverRequestContextImpl, caname string) (*api.Id
 
 	_, err = registry.DeleteUser(removeID)
 	if err != nil {
-		return nil, caerrors.NewHTTPErr(500, caerrors.ErrRemoveIdentity, "Failed to remove identity: ", err)
+		return nil, caerrors.NewHTTPErr(500, caerrors.ErrRemoveIdentity, "Failed to remove identity: %s", err)
 	}
 
 	resp, err := getIDResp(userToRemove, "", caname)

diff --git a/swagger/swagger-fabric-ca.json b/swagger/swagger-fabric-ca.json
@@ -482,9 +482,9 @@
                           "type": "string",
                           "description": "The Organizational Unit of the identity that requested the credential"
                         },
-                        "IsAdmin": {
-                          "type": "boolean",
-                          "description": "true if the identity that requested the credential is an admin"
+                        "Role": {
+                          "type": "integer",
+                          "description": "Represent the role value of an identity"
                         },
                         "EnrollmentID": {
                           "type": "string",
@@ -493,7 +493,7 @@
                       },
                       "required": [
                         "OU",
-                        "IsAdmin",
+                        "Role",
                         "EnrollmentID"
                       ]
                     },