[FAB-3039] Checking Identity's OUs

This change-set does the following: 1. It allows the default MSP implementation to carry information about the OUs to be supported. 2. When an Identity is validated, it is checked that the identity's OUs are compatible with those set at the MSP, meaning that their intersection is not empty. If the MSP does not define any required OU then the check is not performed. Change-Id: If5a59c60f25ee5f40bea4d831ea2d051c24d9f05 Signed-off-by: Angelo De Caro <adc@zurich.ibm.com>
hyperledger · Apr 22, 2017 · bcd9c64 · bcd9c64
1 parent 441b308
commit bcd9c64
Show file tree

Hide file tree

Showing 2 changed files with 85 additions and 0 deletions.
diff --git a/msp/msp_test.go b/msp/msp_test.go
@@ -24,6 +24,7 @@ import (
 	"fmt"
 
 	"github.com/golang/protobuf/proto"
+	"github.com/hyperledger/fabric/bccsp"
 	"github.com/hyperledger/fabric/protos/msp"
 	"github.com/stretchr/testify/assert"
 )
@@ -259,6 +260,24 @@ func TestGetOU(t *testing.T) {
 	assert.Equal(t, "COP", id.GetOrganizationalUnits()[0].OrganizationalUnitIdentifier)
 }
 
+func TestCertificationIdentifierComputation(t *testing.T) {
+	id, err := localMsp.GetDefaultSigningIdentity()
+	assert.NoError(t, err)
+
+	chain, err := localMsp.(*bccspmsp).getCertificationChain(id.GetPublicVersion())
+	assert.NoError(t, err)
+
+	// Hash the chain
+	hf, err := localMsp.(*bccspmsp).bccsp.GetHash(&bccsp.SHA256Opts{})
+	assert.NoError(t, err)
+	for i := 0; i < len(chain); i++ {
+		hf.Write(chain[i].Raw)
+	}
+	sum := hf.Sum(nil)
+
+	assert.Equal(t, sum, id.GetOrganizationalUnits()[0].CertifiersIdentifier)
+}
+
 func TestOUPolicyPrincipal(t *testing.T) {
 	id, err := localMsp.GetDefaultSigningIdentity()
 	assert.NoError(t, err)
@@ -368,6 +387,39 @@ func TestIdentityPolicyPrincipal(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func TestMSPOus(t *testing.T) {
+	// Set the OUIdentifiers
+	backup := localMsp.(*bccspmsp).ouIdentifiers
+	defer func() { localMsp.(*bccspmsp).ouIdentifiers = backup }()
+
+	id, err := localMsp.GetDefaultSigningIdentity()
+	assert.NoError(t, err)
+
+	localMsp.(*bccspmsp).ouIdentifiers = []*msp.FabricOUIdentifier{
+		&msp.FabricOUIdentifier{
+			OrganizationalUnitIdentifier: "COP",
+			CertifiersIdentifier:         id.GetOrganizationalUnits()[0].CertifiersIdentifier,
+		},
+	}
+	assert.NoError(t, localMsp.Validate(id.GetPublicVersion()))
+
+	localMsp.(*bccspmsp).ouIdentifiers = []*msp.FabricOUIdentifier{
+		&msp.FabricOUIdentifier{
+			OrganizationalUnitIdentifier: "COP2",
+			CertifiersIdentifier:         id.GetOrganizationalUnits()[0].CertifiersIdentifier,
+		},
+	}
+	assert.Error(t, localMsp.Validate(id.GetPublicVersion()))
+
+	localMsp.(*bccspmsp).ouIdentifiers = []*msp.FabricOUIdentifier{
+		&msp.FabricOUIdentifier{
+			OrganizationalUnitIdentifier: "COP",
+			CertifiersIdentifier:         []byte{0, 1, 2, 3, 4},
+		},
+	}
+	assert.Error(t, localMsp.Validate(id.GetPublicVersion()))
+}
+
 const othercert = `-----BEGIN CERTIFICATE-----
 MIIDAzCCAqigAwIBAgIBAjAKBggqhkjOPQQDAjBsMQswCQYDVQQGEwJHQjEQMA4G
 A1UECAwHRW5nbGFuZDEOMAwGA1UECgwFQmFyMTkxDjAMBgNVBAsMBUJhcjE5MQ4w

diff --git a/msp/mspimpl.go b/msp/mspimpl.go
@@ -61,6 +61,9 @@ type bccspmsp struct {
 
 	// list of certificate revocation lists
 	CRL []*pkix.CertificateList
+
+	// list of OUs
+	ouIdentifiers []*m.FabricOUIdentifier
 }
 
 // NewBccspMsp returns an MSP instance backed up by a BCCSP
@@ -341,6 +344,15 @@ func (msp *bccspmsp) Setup(conf1 *m.MSPConfig) error {
 		msp.CRL[i] = crl
 	}
 
+	// setup the OUs
+	msp.ouIdentifiers = make([]*m.FabricOUIdentifier, len(conf.OrganizationalUnitIdentifiers))
+	for i, ou := range conf.OrganizationalUnitIdentifiers {
+		msp.ouIdentifiers[i] = &m.FabricOUIdentifier{
+			CertifiersIdentifier:         ou.CertifiersIdentifier,
+			OrganizationalUnitIdentifier: ou.OrganizationalUnitIdentifier,
+		}
+	}
+
 	return nil
 }
 
@@ -448,6 +460,27 @@ func (msp *bccspmsp) Validate(id Identity) error {
 			}
 		}
 
+		// Check that the identity's OUs are compatible with those recognized by this MSP,
+		// meaning that the intersection is not empty.
+		if len(msp.ouIdentifiers) > 0 {
+			found := false
+			for _, ou := range msp.ouIdentifiers {
+				for _, OU := range id.GetOrganizationalUnits() {
+					if bytes.Equal(ou.CertifiersIdentifier, OU.CertifiersIdentifier) &&
+						ou.OrganizationalUnitIdentifier == OU.OrganizationalUnitIdentifier {
+						found = true
+						break
+					}
+				}
+				if found {
+					break
+				}
+			}
+			if !found {
+				return fmt.Errorf("None of the identity's organizational units [%v] are in MSP %s", id.GetOrganizationalUnits(), msp.name)
+			}
+		}
+
 		return nil
 	default:
 		return fmt.Errorf("Identity type not recognized")