[FAB-9478] Principal set filtering based on role

yacovm · yacovm · commit 6a976ba38b39 · 2018-05-10T14:58:23.000+03:00
This change set implements filtering of principal sets based on
their role and MSP ID.

This is needed for collection support for service discovery:
When a chaincode has several possible endorsement combinations
that each combination is a principal set, but the user wants
to perform a collection read/write - then the response should
contain only principal sets which are "authorized" by the
collection config.

For this - we need a way to filter out principal sets that
there exists a principal among them which isn't "authorized"
by the collection config.

This change set implements this filtering while taking into account
the different MSP roles, for instance- if the endorsement policy
has Peer roles in it, or OU roles, but the collection config has members,
then it would still work because a peer is also a member (but not vice versa)

Change-Id: I5b4c1a031b81e78ecdf535ae363a4c45a8a44967
Signed-off-by: yacovm &lt;yacovm@il.ibm.com&gt;
diff --git a/common/policies/inquire/compare.go b/common/policies/inquire/compare.go
@@ -0,0 +1,157 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package inquire
+
+import (
+	"bytes"
+
+	"github.com/golang/protobuf/proto"
+	"github.com/hyperledger/fabric/common/policies"
+	"github.com/hyperledger/fabric/protos/msp"
+)
+
+// ComparablePrincipal defines an MSPPrincipal that can be compared to other principals
+type ComparablePrincipal struct {
+	principal *msp.MSPPrincipal
+	ou        *msp.OrganizationUnit
+	role      *msp.MSPRole
+	mspID     string
+}
+
+// NewComparablePrincipal creates a ComparablePrincipal out of the given MSPPrincipal.
+// Returns nil if a failure occurs.
+func NewComparablePrincipal(principal *msp.MSPPrincipal) *ComparablePrincipal {
+	if principal == nil {
+		logger.Warning("Principal is nil")
+		return nil
+	}
+	cp := &ComparablePrincipal{
+		principal: principal,
+	}
+	switch principal.PrincipalClassification {
+	case msp.MSPPrincipal_ROLE:
+		return cp.ToRole()
+	case msp.MSPPrincipal_ORGANIZATION_UNIT:
+		return cp.ToOURole()
+	}
+	mapping := msp.MSPPrincipal_Classification_name[int32(principal.PrincipalClassification)]
+	logger.Warning("Received an unsupported principal type:", principal.PrincipalClassification, "mapped to", mapping)
+	return nil
+}
+
+// IsFound returns whether the ComparablePrincipal is found among the given set of ComparablePrincipals
+// For the ComparablePrincipal x to be found, there needs to be some ComparablePrincipal y in the set
+// such that x.IsA(y) will be true.
+func (cp *ComparablePrincipal) IsFound(set ...*ComparablePrincipal) bool {
+	for _, cp2 := range set {
+		if cp.IsA(cp2) {
+			return true
+		}
+	}
+	return false
+}
+
+// IsA determines whether all identities that satisfy this ComparablePrincipal
+// also satisfy the other ComparablePrincipal.
+// Example: if this ComparablePrincipal is a Peer role,
+// and the other ComparablePrincipal is a Member role, then
+// all identities that satisfy this ComparablePrincipal (are peers)
+// also satisfy the other principal (are members).
+func (cp *ComparablePrincipal) IsA(other *ComparablePrincipal) bool {
+	this := cp
+
+	if other == nil {
+		return false
+	}
+	if this.principal == nil || other.principal == nil {
+		logger.Warning("Used an un-initialized ComparablePrincipal")
+		return false
+	}
+	// Compare the MSP ID
+	if this.mspID != other.mspID {
+		return false
+	}
+
+	// If the other Principal is a member, then any role or OU role
+	// fits, because every role or OU role is also a member of the MSP
+	if other.role != nil && other.role.Role == msp.MSPRole_MEMBER {
+		return true
+	}
+
+	// Check if we're both OU roles
+	if this.ou != nil && other.ou != nil {
+		sameOU := this.ou.OrganizationalUnitIdentifier == other.ou.OrganizationalUnitIdentifier
+		sameIssuer := bytes.Equal(this.ou.CertifiersIdentifier, other.ou.CertifiersIdentifier)
+		return sameOU && sameIssuer
+	}
+
+	// Check if we're both the same MSP Role
+	if this.role != nil && other.role != nil {
+		return this.role.Role == other.role.Role
+	}
+
+	// Else, we can't say anything, because we have no knowledge
+	// about the OUs that make up the MSP roles - so return false
+	return false
+}
+
+// ToOURole converts this ComparablePrincipal to OU principal, and returns nil on failure
+func (cp *ComparablePrincipal) ToOURole() *ComparablePrincipal {
+	ouRole := &msp.OrganizationUnit{}
+	err := proto.Unmarshal(cp.principal.Principal, ouRole)
+	if err != nil {
+		logger.Warning("Failed unmarshaling principal:", err)
+		return nil
+	}
+	cp.mspID = ouRole.MspIdentifier
+	cp.ou = ouRole
+	return cp
+}
+
+// ToRole converts this ComparablePrincipal to MSP Role, and returns nil if the conversion failed
+func (cp *ComparablePrincipal) ToRole() *ComparablePrincipal {
+	mspRole := &msp.MSPRole{}
+	err := proto.Unmarshal(cp.principal.Principal, mspRole)
+	if err != nil {
+		logger.Warning("Failed unmarshaling principal:", err)
+		return nil
+	}
+	cp.mspID = mspRole.MspIdentifier
+	cp.role = mspRole
+	return cp
+}
+
+// ComparablePrincipalSet aggregates ComparablePrincipals
+type ComparablePrincipalSet []*ComparablePrincipal
+
+// NewComparablePrincipalSet constructs a ComparablePrincipalSet out of the given PrincipalSet
+func NewComparablePrincipalSet(set policies.PrincipalSet) ComparablePrincipalSet {
+	var res ComparablePrincipalSet
+	for _, principal := range set {
+		cp := NewComparablePrincipal(principal)
+		if cp == nil {
+			return nil
+		}
+		res = append(res, cp)
+	}
+	return res
+}
+
+// IsCoveredBy returns whether the ComparablePrincipalSet is covered by the given ComparablePrincipalSet.
+// A ComparablePrincipalSet X is covered by another ComparablePrincipalSet Y if:
+// for each ComparablePrincipal x in X there is a ComparablePrincipal y in Y,
+// such that x.IsA(y) is true.
+// This method is useful for determining if the all elements of a ComparablePrincipalSet
+// are accepted by another ComparablePrincipalSet.
+func (cps ComparablePrincipalSet) IsCoveredBy(set ComparablePrincipalSet) bool {
+	for _, cp := range cps {
+		if !cp.IsFound(set...) {
+			return false
+		}
+	}
+	return true
+}
diff --git a/common/policies/inquire/compare_test.go b/common/policies/inquire/compare_test.go
@@ -0,0 +1,201 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package inquire
+
+import (
+	"testing"
+
+	"github.com/hyperledger/fabric/common/policies"
+	"github.com/hyperledger/fabric/protos/msp"
+	"github.com/hyperledger/fabric/protos/utils"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewComparablePrincipal(t *testing.T) {
+	mspID := "Org1MSP"
+
+	t.Run("Nil input", func(t *testing.T) {
+		assert.Nil(t, NewComparablePrincipal(nil))
+	})
+
+	t.Run("Invalid principal type", func(t *testing.T) {
+		assert.Nil(t, NewComparablePrincipal(identity(mspID)))
+	})
+
+	t.Run("Invalid principal input", func(t *testing.T) {
+		member := member(mspID)
+		member.Principal = append(member.Principal, 0)
+		assert.Nil(t, NewComparablePrincipal(member))
+
+		ou := ou(mspID)
+		ou.Principal = append(ou.Principal, 0)
+		assert.Nil(t, NewComparablePrincipal(ou))
+	})
+
+	t.Run("Role", func(t *testing.T) {
+		expectedMember := &msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: mspID}
+		expectedPrincipal := &ComparablePrincipal{
+			role: expectedMember, mspID: mspID,
+			principal: &msp.MSPPrincipal{
+				PrincipalClassification: msp.MSPPrincipal_ROLE,
+				Principal:               utils.MarshalOrPanic(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: mspID}),
+			},
+		}
+		assert.Equal(t, expectedPrincipal, NewComparablePrincipal(member(mspID)))
+	})
+
+	t.Run("OU", func(t *testing.T) {
+		expectedOURole := &msp.OrganizationUnit{OrganizationalUnitIdentifier: "ou", MspIdentifier: mspID}
+		expectedPrincipal := &ComparablePrincipal{
+			ou:    expectedOURole,
+			mspID: mspID,
+			principal: &msp.MSPPrincipal{
+				PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT,
+				Principal:               utils.MarshalOrPanic(&msp.OrganizationUnit{OrganizationalUnitIdentifier: "ou", MspIdentifier: mspID}),
+			},
+		}
+		assert.Equal(t, expectedPrincipal, NewComparablePrincipal(ou(mspID)))
+	})
+}
+
+func TestIsA(t *testing.T) {
+	member1 := NewComparablePrincipal(member("Org1MSP"))
+	member2 := NewComparablePrincipal(member("Org2MSP"))
+	peer1 := NewComparablePrincipal(peer("Org1MSP"))
+	peer2 := NewComparablePrincipal(peer("Org2MSP"))
+	ou1 := NewComparablePrincipal(ou("Org1MSP"))
+	ou1ButDifferentIssuer := NewComparablePrincipal(ou("Org1MSP"))
+	ou1ButDifferentIssuer.ou.CertifiersIdentifier = []byte{1, 2, 3}
+	ou2 := NewComparablePrincipal(ou("Org2MSP"))
+
+	t.Run("Nil input", func(t *testing.T) {
+		assert.False(t, member1.IsA(nil))
+	})
+
+	t.Run("Incorrect state", func(t *testing.T) {
+		assert.False(t, (&ComparablePrincipal{}).IsA(member1))
+	})
+
+	t.Run("Same MSP ID", func(t *testing.T) {
+		assert.True(t, member1.IsA(NewComparablePrincipal(member("Org1MSP"))))
+	})
+
+	t.Run("A peer is also a member", func(t *testing.T) {
+		assert.True(t, peer1.IsA(member1))
+	})
+
+	t.Run("A member isn't a peer", func(t *testing.T) {
+		assert.False(t, member1.IsA(peer1))
+	})
+
+	t.Run("Different MSP IDs", func(t *testing.T) {
+		assert.False(t, member1.IsA(member2))
+		assert.False(t, peer2.IsA(peer1))
+	})
+
+	t.Run("An OU member is also a member", func(t *testing.T) {
+		assert.True(t, peer1.IsA(member1))
+	})
+
+	t.Run("A member isn't an OU member", func(t *testing.T) {
+		assert.False(t, member1.IsA(peer1))
+	})
+
+	t.Run("Same OU", func(t *testing.T) {
+		assert.True(t, ou1.IsA(NewComparablePrincipal(ou("Org1MSP"))))
+	})
+
+	t.Run("Different OU", func(t *testing.T) {
+		assert.False(t, ou1.IsA(ou2))
+	})
+
+	t.Run("Same OU, different issuer", func(t *testing.T) {
+		assert.False(t, ou1.IsA(ou1ButDifferentIssuer))
+	})
+
+	t.Run("OUs and Peers aren't the same", func(t *testing.T) {
+		assert.False(t, ou1.IsA(peer1))
+	})
+}
+
+func TestIsFound(t *testing.T) {
+	member1 := NewComparablePrincipal(member("Org1MSP"))
+	member2 := NewComparablePrincipal(member("Org2MSP"))
+	peer1 := NewComparablePrincipal(peer("Org1MSP"))
+
+	assert.True(t, member1.IsFound(member1, member2))
+	assert.False(t, member1.IsFound())
+	assert.False(t, member1.IsFound(member2, peer1))
+	assert.True(t, peer1.IsFound(member1, member2))
+}
+
+func TestNewComparablePrincipalSet(t *testing.T) {
+	t.Run("Invalid principal", func(t *testing.T) {
+		principals := []*msp.MSPPrincipal{member("Org1MSP"), identity("Org1MSP")}
+		assert.Nil(t, NewComparablePrincipalSet(policies.PrincipalSet(principals)))
+	})
+
+	t.Run("Valid Principals", func(t *testing.T) {
+		member1 := NewComparablePrincipal(member("Org1MSP"))
+		peer2 := NewComparablePrincipal(peer("Org2MSP"))
+		principals := []*msp.MSPPrincipal{member("Org1MSP"), peer("Org2MSP")}
+		cps := NewComparablePrincipalSet(policies.PrincipalSet(principals))
+		expected := ComparablePrincipalSet([]*ComparablePrincipal{member1, peer2})
+		assert.Equal(t, expected, cps)
+	})
+}
+
+func TestIsCoveredBy(t *testing.T) {
+	t.Run("Covered", func(t *testing.T) {
+		ou1 := NewComparablePrincipal(ou("Org1MSP"))
+		peer1 := NewComparablePrincipal(peer("Org1MSP"))
+		member1 := NewComparablePrincipal(member("Org1MSP"))
+		member2 := NewComparablePrincipal(member("Org2MSP"))
+
+		covered := ComparablePrincipalSet([]*ComparablePrincipal{ou1, peer1})
+		cover := ComparablePrincipalSet([]*ComparablePrincipal{member1, member2})
+
+		assert.True(t, covered.IsCoveredBy(cover))
+		assert.False(t, cover.IsCoveredBy(covered))
+	})
+
+	t.Run("Not Covered", func(t *testing.T) {
+		peer1 := NewComparablePrincipal(peer("Org1MSP"))
+		peer2 := NewComparablePrincipal(peer("Org1MSP"))
+		member1 := NewComparablePrincipal(member("Org1MSP"))
+
+		covered := ComparablePrincipalSet([]*ComparablePrincipal{peer1, peer2})
+		cover := ComparablePrincipalSet([]*ComparablePrincipal{member1})
+
+		assert.False(t, cover.IsCoveredBy(covered))
+	})
+}
+
+func member(orgName string) *msp.MSPPrincipal {
+	return &msp.MSPPrincipal{
+		PrincipalClassification: msp.MSPPrincipal_ROLE,
+		Principal:               utils.MarshalOrPanic(&msp.MSPRole{Role: msp.MSPRole_MEMBER, MspIdentifier: orgName})}
+}
+
+func peer(orgName string) *msp.MSPPrincipal {
+	return &msp.MSPPrincipal{
+		PrincipalClassification: msp.MSPPrincipal_ROLE,
+		Principal:               utils.MarshalOrPanic(&msp.MSPRole{Role: msp.MSPRole_PEER, MspIdentifier: orgName})}
+}
+
+func ou(orgName string) *msp.MSPPrincipal {
+	return &msp.MSPPrincipal{
+		PrincipalClassification: msp.MSPPrincipal_ORGANIZATION_UNIT,
+		Principal:               utils.MarshalOrPanic(&msp.OrganizationUnit{OrganizationalUnitIdentifier: "ou", MspIdentifier: orgName})}
+}
+
+func identity(orgName string) *msp.MSPPrincipal {
+	return &msp.MSPPrincipal{
+		PrincipalClassification: msp.MSPPrincipal_IDENTITY,
+		Principal:               utils.MarshalOrPanic(&msp.SerializedIdentity{Mspid: orgName, IdBytes: []byte("identity")}),
+	}
+}
