//<developer>
// <name>linapex 曹一峰</name>
// <email>linapex@163.com</email>
// <wx>superexc</wx>
// <qqgroup>128148617</qqgroup>
// <url>https://jsq.ink</url>
// <role>pku engineer</role>
// <date>2019-03-16 19:40:18</date>
//</624456048551399424>
/*
版权所有IBM公司。保留所有权利。
SPDX许可证标识符:Apache-2.0
**/
package acl
import (
"github.com/hyperledger/fabric/common/channelconfig"
"github.com/hyperledger/fabric/common/flogging"
"github.com/hyperledger/fabric/common/policies"
cb "github.com/hyperledger/fabric/protos/common"
"github.com/hyperledger/fabric/protos/msp"
"github.com/pkg/errors"
)
// logger is the package-level logger used by the discovery ACL support code.
var logger = flogging.MustGetLogger("discovery.acl")
// ChannelConfigGetter allows retrieving the resources of a channel's configuration.
type ChannelConfigGetter interface {
	// GetChannelConfig returns the configuration resources of the channel
	// identified by cid.
	GetChannelConfig(cid string) channelconfig.Resources
}
// ChannelConfigGetterFunc is a function that returns the configuration
// resources of a channel; it adapts a plain function to ChannelConfigGetter.
type ChannelConfigGetterFunc func(cid string) channelconfig.Resources
// GetChannelConfig returns the configuration resources of the channel
// identified by cid by invoking the underlying function.
func (f ChannelConfigGetterFunc) GetChannelConfig(cid string) channelconfig.Resources {
	resources := f(cid)
	return resources
}
// Verifier verifies a signature over a message.
type Verifier interface {
	// VerifyByChannel checks that the signature is a valid signature over the
	// message under the peer's verification key, in the context of the given
	// channel. A nil error means the verification succeeded.
	// If peerIdentity is nil, the verification fails.
	VerifyByChannel(channel string, sd *cb.SignedData) error
}
// Evaluator evaluates signatures.
// It is used to evaluate signatures against the local MSP.
type Evaluator interface {
	// Evaluate takes a set of SignedData and evaluates whether this set of
	// signatures satisfies the policy.
	Evaluate(signatureSet []*cb.SignedData) error
}
// DiscoverySupport implements the access-control related support
// required by the service discovery.
// It embeds a ChannelConfigGetter (channel configuration lookup),
// a Verifier (channel-scoped signature verification) and an
// Evaluator (local, channel-less signature evaluation).
type DiscoverySupport struct {
	ChannelConfigGetter
	Verifier
	Evaluator
}
// NewDiscoverySupport creates a new DiscoverySupport wired to the given
// Verifier, Evaluator and ChannelConfigGetter.
func NewDiscoverySupport(v Verifier, e Evaluator, chanConf ChannelConfigGetter) *DiscoverySupport {
	support := &DiscoverySupport{}
	support.Verifier = v
	support.Evaluator = e
	support.ChannelConfigGetter = chanConf
	return support
}
// EligibleForService returns whether the given peer is eligible to receive
// service from the discovery service on the given channel.
//
// An empty channel name denotes a channel-less request: the signed data is
// then evaluated by the embedded Evaluator (the local policy). For a named
// channel the signature is verified by the embedded Verifier in the context
// of that channel. A nil error means the requester is eligible.
func (s *DiscoverySupport) EligibleForService(channel string, data cb.SignedData) error {
	sd := &data
	if channel != "" {
		return s.VerifyByChannel(channel, sd)
	}
	return s.Evaluate([]*cb.SignedData{sd})
}
// ConfigSequence returns the configuration sequence of the given channel.
//
// An empty channel name has no configuration and yields 0. For a named
// channel the configuration is fetched through the embedded
// ChannelConfigGetter. A nil configuration or a nil ConfigtxValidator is
// treated as a broken invariant and panics (via logger.Panic) instead of
// returning an error, so callers are expected to have established that the
// channel exists before calling this.
// NOTE(review): confirm that every call site performs that check.
func (s *DiscoverySupport) ConfigSequence(channel string) uint64 {
	// A channel-less request has no configuration sequence.
	if channel == "" {
		return 0
	}
	resources := s.GetChannelConfig(channel)
	if resources == nil {
		logger.Panic("Failed obtaining channel config for channel", channel)
	}
	validator := resources.ConfigtxValidator()
	if validator == nil {
		logger.Panic("ConfigtxValidator for channel", channel, "is nil")
	}
	return validator.Sequence()
}
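// SatisfiesPrincipal returns nil if the identity serialized in rawIdentity
// satisfies the given MSP principal in the context of the given channel,
// and otherwise an error describing why it does not.
//
// The channel configuration is fetched through the embedded
// ChannelConfigGetter; a missing channel or a channel without an MSP
// manager is reported as an error rather than a panic, since rawIdentity
// and principal may originate from a caller's request. The identity is
// deserialized by the channel's MSP manager before it is checked against
// the principal; a deserialization failure is wrapped and returned.
func (s *DiscoverySupport) SatisfiesPrincipal(channel string, rawIdentity []byte, principal *msp.MSPPrincipal) error {
	// Defensive: a nil principal can never be satisfied, and rejecting it
	// here avoids handing a nil pointer to the MSP implementation.
	if principal == nil {
		return errors.New("principal is nil")
	}
	conf := s.GetChannelConfig(channel)
	if conf == nil {
		return errors.Errorf("channel %s doesn't exist", channel)
	}
	mspMgr := conf.MSPManager()
	if mspMgr == nil {
		return errors.Errorf("could not find MSP manager for channel %s", channel)
	}
	identity, err := mspMgr.DeserializeIdentity(rawIdentity)
	if err != nil {
		return errors.Wrap(err, "failed deserializing identity")
	}
	return identity.SatisfiesPrincipal(principal)
}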
//go:generate mokery-name channelpolicymanagergetter-case underline-output../mocks/
// ChannelPolicyManagerGetter is a support interface
// for accessing the policy manager of a given channel.
type ChannelPolicyManagerGetter interface {
	// Manager returns the policy manager associated with the given channel,
	// and true if it is the manager that was requested, or false if it is
	// the default manager.
	Manager(channelID string) (policies.Manager, bool)
}
// NewChannelVerifier returns a new ChannelVerifier that evaluates the named
// policy using the given policy manager getter.
func NewChannelVerifier(policy string, polMgr policies.ChannelPolicyManagerGetter) *ChannelVerifier {
	verifier := &ChannelVerifier{}
	verifier.Policy = policy
	verifier.ChannelPolicyManagerGetter = polMgr
	return verifier
}
// ChannelVerifier verifies a signature over a message in the context of a
// channel, by evaluating the signed data against the channel policy named
// by Policy, which is looked up through the embedded
// ChannelPolicyManagerGetter.
type ChannelVerifier struct {
	policies.ChannelPolicyManagerGetter
	// Policy is the name of the channel policy the signed data is evaluated against.
	Policy string
}
// VerifyByChannel checks that the signature is a valid signature over the
// message under the peer's verification key, in the context of the given
// channel: it looks up the channel's policy manager, fetches the policy
// named by cv.Policy and evaluates the signed data against it.
// A nil error means the verification succeeded.
// If peerIdentity is nil, the verification fails.
func (cv *ChannelVerifier) VerifyByChannel(channel string, sd *cb.SignedData) error {
	// NOTE(review): Manager's second result (false when the returned manager
	// is the default one rather than the requested channel's, per the
	// ChannelPolicyManagerGetter contract) is discarded; only a nil manager
	// is rejected. Confirm that the getter in use returns nil for unknown
	// channels, otherwise a request for an unknown channel would be
	// evaluated against the default manager's policies.
	manager, _ := cv.Manager(channel)
	if manager == nil {
		return errors.Errorf("policy manager for channel %s doesn't exist", channel)
	}
	// NOTE(review): GetPolicy's bool is also discarded, so whether a missing
	// policy is reported here (nil) or substituted by an implementation-
	// defined fallback policy depends on the Manager implementation.
	policy, _ := manager.GetPolicy(cv.Policy)
	if policy == nil {
		return errors.New("failed obtaining channel application writers policy")
	}
	signatureSet := []*cb.SignedData{sd}
	return policy.Evaluate(signatureSet)
}