FIX [FAB-11993] idemix role from boolean to int

Replacing boolean type of idemix role with integer
to support more role types.
Provides "idemix roles" to map multiple MSP Roles
to only one bitsmak integer value.

Change-Id: I942dab4168f8da83551c646e0d4245f31e73120a
Signed-off-by: Rafa Torres <rtm@zurich.ibm.com>
Signed-off-by: Keith Smith <bksmith@us.ibm.com>
Signed-off-by: Maria Dubovitskaya <mdu@zurich.ibm.com>

Author: Rafa Torres

src/main/java/org/hyperledger/fabric/sdk/identity/IdemixEnrollment.java

@@ -23,17 +23,17 @@ public class IdemixEnrollment implements Enrollment {
     protected final IdemixCredential cred;
     protected final CredentialRevocationInformation cri;
     protected final String ou;
-    protected final boolean role;
+    protected final int roleMask;
 
-    public IdemixEnrollment(IdemixIssuerPublicKey ipk, PublicKey revocationPk, String mspId, BIG sk, IdemixCredential cred, CredentialRevocationInformation cri, String ou, boolean role) {
+    public IdemixEnrollment(IdemixIssuerPublicKey ipk, PublicKey revocationPk, String mspId, BIG sk, IdemixCredential cred, CredentialRevocationInformation cri, String ou, int roleMask) {
         this.ipk = ipk;
         this.revocationPk = revocationPk;
         this.mspId = mspId;
         this.sk = sk;
         this.cred = cred;
         this.cri = cri;
         this.ou = ou;
-        this.role = role;
+        this.roleMask = roleMask;
     }
 
     public PrivateKey getKey() {
@@ -72,7 +72,7 @@ public String getOu() {
         return this.ou;
     }
 
-    public boolean getRole() {
-        return this.role;
+    public int getRoleMask() {
+        return this.roleMask;
     }
-}
+}

src/main/java/org/hyperledger/fabric/sdk/identity/IdemixIdentity.java

@@ -54,12 +54,12 @@ public class IdemixIdentity implements Identity {
     // Organization Unit attribute
     private final String ou;
 
-    // Role attribute
-    private final boolean role;
+    // Role mask its a bitmask that represent all the roles attached to this identity
+    private final int roleMask;
 
     // Proof of possession of Idemix credential
     // with respect to the pseudonym (nym)
-    // and the corresponding attributes (ou, role)
+    // and the corresponding attributes (ou, roleMask)
     private final IdemixSignature associationProof;
 
     /**
@@ -89,7 +89,7 @@ public IdemixIdentity(Identities.SerializedIdentity proto) throws CryptoExceptio
             MspPrincipal.MSPRole role = MspPrincipal.MSPRole.parseFrom(idemixProto.getRole());
 
             this.ou = ou.getOrganizationalUnitIdentifier();
-            this.role = role.getRole().getNumber() == 1;
+            this.roleMask = IdemixRoles.getRoleMask(role);
             this.ipkHash = ou.getCertifiersIdentifier().toByteArray();
 
             logger.trace("Deserializing Proof");
@@ -106,10 +106,10 @@ public IdemixIdentity(Identities.SerializedIdentity proto) throws CryptoExceptio
      * @param mspId is MSP ID sting
      * @param nym   is Identity Mixer Pseudonym
      * @param ou    is OU attribute
-     * @param role  is Role attribute
+     * @param roleMask  is a bitmask that represent all the roles attached to this identity
      * @param proof is Proof
      */
-    public IdemixIdentity(String mspId, IdemixIssuerPublicKey ipk, ECP nym, String ou, boolean role, IdemixSignature proof)
+    public IdemixIdentity(String mspId, IdemixIssuerPublicKey ipk, ECP nym, String ou, int roleMask, IdemixSignature proof)
             throws InvalidArgumentException {
 
         if (mspId == null) {
@@ -145,7 +145,7 @@ public IdemixIdentity(String mspId, IdemixIssuerPublicKey ipk, ECP nym, String o
         this.ipkHash = ipk.getHash();
         this.pseudonym = nym;
         this.ou = ou;
-        this.role = role;
+        this.roleMask = roleMask;
         this.associationProof = proof;
     }
 
@@ -160,8 +160,10 @@ public Identities.SerializedIdentity createSerializedIdentity() {
                 .setOrganizationalUnitIdentifier(this.ou)
                 .build();
 
+        //Warning, this does not support multi-roleMask.
+        //Serialize the bitmask is the correct way to support multi-roleMask in the future
         MspPrincipal.MSPRole role = MspPrincipal.MSPRole.newBuilder()
-                .setRole(this.role ? MspPrincipal.MSPRole.MSPRoleType.ADMIN : MspPrincipal.MSPRole.MSPRoleType.MEMBER)
+                .setRole(IdemixRoles.getMSPRoleFromIdemixRole(this.roleMask))
                 .setMspIdentifier(this.mspId)
                 .build();
 
@@ -183,8 +185,8 @@ public String getOuValue() {
         return this.ou;
     }
 
-    public boolean getRoleValue() {
-        return this.role;
+    public int getRoleMask() {
+        return this.roleMask;
     }
 
     @Override
@@ -194,7 +196,7 @@ public String toString() {
                 " Issuer Public Key Hash: " + Arrays.toString(this.ipkHash) +
                 " Pseudonym: " + this.pseudonym.toRawString() +
                 " OU: " + this.ou +
-                " Role: " + this.role +
+                " Role mask: " + this.roleMask +
                 " Association Proof: " + this.associationProof.toProto().toString() +
                 " ]";
     }

src/main/java/org/hyperledger/fabric/sdk/identity/IdemixRoles.java

@@ -0,0 +1,133 @@
+package org.hyperledger.fabric.sdk.identity;
+
+import org.hyperledger.fabric.protos.common.MspPrincipal;
+
+/**
+ * IdemixRoles is ENUM type that represent a Idemix Role and provide some functionality to operate with Bitmasks
+ * and to operate between MSPRoles and IdemixRoles.
+ */
+public enum IdemixRoles {
+    MEMBER(1),
+    ADMIN(2),
+    CLIENT(4),
+    PEER(8);
+    // Next roles values: 8, 16, 32 ..
+
+    private int value;
+
+    IdemixRoles(int value) {
+        this.value = value;
+    }
+
+    int getValue() {
+        return this.value;
+    }
+
+    /**
+     * Receives an array of IdemixRoles and returns the bitmask combination of all
+     * @param roles that we want to combine
+     * @return bitmask
+     */
+     static int getRoleMask(IdemixRoles[] roles) {
+        int mask = 0;
+        for (IdemixRoles role: roles) {
+            mask = mask | role.value;
+        }
+        return mask;
+    }
+
+    /**
+     * Receives an array of MspPrincipal.MSPRole and returns the bitmask combination of all
+     * @param roles that we want to combine
+     * @return bitmask
+     */
+     static int getRoleMask(MspPrincipal.MSPRole [] roles) {
+        int mask = 0;
+        for (MspPrincipal.MSPRole role: roles) {
+            mask =  mask | getIdemixRoleFromMSPRole(role);
+        }
+        return mask;
+    }
+
+    /**
+     * Receives a MspPrincipal.MSPRole and returns the bitmask
+     * @param role that we want to combine
+     * @return bitmask
+     */
+     static int getRoleMask(MspPrincipal.MSPRole role) {
+        return getRoleMask(new MspPrincipal.MSPRole[]{role});
+    }
+
+    /**
+     * Receives a bitmask and a roleMask to test. If the roleMask is contained in the bit mask returns true.
+     * @param bitmask where to test the roleMask
+     * @param searchRole roleMask to test
+     * @return true if roleMask contained
+     */
+     static boolean checkRole(int bitmask, IdemixRoles searchRole) {
+        return (bitmask & searchRole.value) == searchRole.value;
+    }
+
+    /**
+     * Receives a MSPRole and returns the correspondent IdemixRole value
+     * @param role to transform to int
+     * @return IdemixRole value
+     */
+     static int getIdemixRoleFromMSPRole(MspPrincipal.MSPRole role) {
+        return getIdemixRoleFromMSPRole(role.getRole());
+    }
+
+    /**
+     * Receives a MSPRole Type and returns the correspondent IdemixRole value
+     * @param type to transform to int
+     * @return IdemixRole value
+     */
+     static int getIdemixRoleFromMSPRole(MspPrincipal.MSPRole.MSPRoleType type) {
+        return getIdemixRoleFromMSPRole(type.getNumber());
+    }
+
+    /**
+     * Receives a MSPRole int value and returns the correspondent IdemixRole value
+     * @param type to transform to int
+     * @return IdemixRole value
+     */
+     static int getIdemixRoleFromMSPRole(int type) {
+        switch (type) {
+            case MspPrincipal.MSPRole.MSPRoleType.ADMIN_VALUE:
+                return ADMIN.getValue();
+            case MspPrincipal.MSPRole.MSPRoleType.MEMBER_VALUE:
+                return MEMBER.getValue();
+            case MspPrincipal.MSPRole.MSPRoleType.PEER_VALUE:
+                return PEER.getValue();
+            case MspPrincipal.MSPRole.MSPRoleType.CLIENT_VALUE:
+                return CLIENT.getValue();
+            default:
+                throw new IllegalArgumentException("The provided role is not valid: " + type);
+        }
+    }
+
+    /**
+     * Receives an integer that represents a roleMask and return the correspondent MSPRole value
+     * @param role to transform to MSProle
+     * @return MSPRole
+     */
+     static MspPrincipal.MSPRole.MSPRoleType getMSPRoleFromIdemixRole(int role) {
+        if (role == ADMIN.getValue()) {
+            return MspPrincipal.MSPRole.MSPRoleType.ADMIN;
+        }
+
+        if (role == MEMBER.getValue()) {
+            return MspPrincipal.MSPRole.MSPRoleType.MEMBER;
+        }
+
+        if (role == CLIENT.getValue()) {
+            return MspPrincipal.MSPRole.MSPRoleType.CLIENT;
+        }
+
+        if (role == PEER.getValue()) {
+            return MspPrincipal.MSPRole.MSPRoleType.PEER;
+        }
+
+        throw new IllegalArgumentException("The provided role value is not valid: " + role);
+    }
+}

src/main/java/org/hyperledger/fabric/sdk/identity/IdemixSigningIdentity.java

@@ -82,7 +82,7 @@ public class IdemixSigningIdentity implements SigningIdentity {
 
     public IdemixSigningIdentity(IdemixEnrollment enrollment) throws CryptoException, InvalidArgumentException {
         this(enrollment.ipk, enrollment.revocationPk, enrollment.mspId, enrollment.sk, enrollment.cred,
-                enrollment.cri, enrollment.ou, enrollment.role);
+                enrollment.cri, enrollment.ou, enrollment.roleMask);
     }
 
     /**
@@ -99,7 +99,7 @@ public IdemixSigningIdentity(IdemixEnrollment enrollment) throws CryptoException
      * @throws CryptoException
      * @throws InvalidArgumentException
      */
-    public IdemixSigningIdentity(IdemixIssuerPublicKey ipk, PublicKey revocationPk, String mspId, BIG sk, IdemixCredential cred, Idemix.CredentialRevocationInformation cri, String ou, boolean role)
+    public IdemixSigningIdentity(IdemixIssuerPublicKey ipk, PublicKey revocationPk, String mspId, BIG sk, IdemixCredential cred, Idemix.CredentialRevocationInformation cri, String ou, int role)
             throws CryptoException, InvalidArgumentException {
 
         // input checks
@@ -174,14 +174,7 @@ public IdemixSigningIdentity(IdemixIssuerPublicKey ipk, PublicKey revocationPk,
             throw new CryptoException("Error: There are " + cred.getAttrs().length + " attributes and the expected are 4");
         }
         byte[] ouBytes = cred.getAttrs()[0];
-        byte[] ouProtoBytes = MspPrincipal.OrganizationUnit.newBuilder()
-                .setMspIdentifier(mspId)
-                .setOrganizationalUnitIdentifier(new String(ouBytes))
-                .build().toByteArray();
         byte[] roleBytes = cred.getAttrs()[1];
-        byte[] roleProtoBytes = MspPrincipal.MSPRole.newBuilder()
-                .setRoleValue(ByteBuffer.wrap(roleBytes).getInt())
-                .build().toByteArray();
         byte[] eIdBytes = cred.getAttrs()[2];
         byte[] rHBytes = cred.getAttrs()[3];
 
@@ -197,7 +190,7 @@ public IdemixSigningIdentity(IdemixIssuerPublicKey ipk, PublicKey revocationPk,
         }
 
         // check that the role matches the credential's attribute value
-        if (!Arrays.equals(IdemixUtils.bigToBytes(new BIG(role ? 1 : 0)), roleBytes)) {
+        if (!Arrays.equals(IdemixUtils.bigToBytes(new BIG(role)), roleBytes)) {
             throw new IllegalArgumentException("the role does not match the credential");
         }
 

src/main/java/org/hyperledger/fabric/sdk/user/IdemixUser.java

@@ -77,7 +77,7 @@ public String getOu() {
         return this.enrollment.getOu();
     }
 
-    public boolean getRole() {
-        return this.enrollment.getRole();
+    public int getRoleMask() {
+        return this.enrollment.getRoleMask();
     }
 }

src/main/java/org/hyperledger/fabric/sdk/user/IdemixUserStore.java

@@ -49,7 +49,7 @@ public User getUser(String id) throws IOException, NoSuchAlgorithmException, Inv
         IdemixCredential cred = new IdemixCredential(Idemix.Credential.parseFrom(signerConfig.getCred()));
         Idemix.CredentialRevocationInformation cri = Idemix.CredentialRevocationInformation.parseFrom(signerConfig.getCredentialRevocationInformation());
 
-        IdemixEnrollment enrollment = new IdemixEnrollment(this.ipk, revocationPk, this.mspId, sk, cred, cri, signerConfig.getOrganizationalUnitIdentifier(), signerConfig.getIsAdmin());
+        IdemixEnrollment enrollment = new IdemixEnrollment(this.ipk, revocationPk, this.mspId, sk, cred, cri, signerConfig.getOrganizationalUnitIdentifier(), signerConfig.getRole());
         return new IdemixUser(id, this.mspId, enrollment);
     }
 

src/main/java/org/hyperledger/fabric_ca/sdk/HFCAClient.java

@@ -100,6 +100,7 @@
 import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.util.io.pem.PemReader;
+import org.hyperledger.fabric.protos.common.MspPrincipal;
 import org.hyperledger.fabric.protos.idemix.Idemix;
 import org.hyperledger.fabric.sdk.Enrollment;
 import org.hyperledger.fabric.sdk.NetworkConfig;
@@ -110,6 +111,7 @@
 import org.hyperledger.fabric.sdk.idemix.IdemixIssuerPublicKey;
 import org.hyperledger.fabric.sdk.idemix.IdemixUtils;
 import org.hyperledger.fabric.sdk.identity.IdemixEnrollment;
+import org.hyperledger.fabric.sdk.identity.IdemixRoles;
 import org.hyperledger.fabric.sdk.identity.X509Enrollment;
 import org.hyperledger.fabric.sdk.security.CryptoPrimitives;
 import org.hyperledger.fabric.sdk.security.CryptoSuite;
@@ -1171,7 +1173,7 @@ public Enrollment idemixEnroll(Enrollment enrollment, String mspID) throws Enrol
             if (Utils.isNullOrEmpty(ou)) {
                 throw new InvalidArgumentException("fabric-ca-server did not return a 'ou' attribute in the response from " + HFCA_IDEMIXCRED);
             }
-            boolean role = attrs.getBoolean("Role");
+            int role = attrs.getInt("Role"); // Encoded IdemixRole from Fabric-Ca
 
             // Return the idemix enrollment
             return new IdemixEnrollment(ipk, rpk, mspID, sk, cred, cri, ou, role);

src/main/proto/msp/msp_config.proto

@@ -135,8 +135,8 @@ message IdemixMSPSignerConfig {
     // organizational_unit_identifier defines the organizational unit the default signer is in
     string organizational_unit_identifier = 3;
 
-    // is_admin defines whether the default signer is admin or not
-    bool is_admin = 4;
+    // role defines whether the default signer is admin, peer, member or client
+    int32 role = 4;
 
     // enrollment_id contains the enrollment id of this signer
     string enrollment_id = 5;