[FAB-15895] Added client identity to context

- Created a test utility file for storing certificate strings
- Moved tests from ContractSimplePath to ContractRouterTest
- Tidied up some imports
- Fixed some typos and warnings

Signed-off-by: heatherlp <[email protected]>
Change-Id: Iee2512ca4078a6487f6711eb5eae0be5b82acd30

Author: heatherlp

fabric-chaincode-integration-test/src/test/java/org/hyperleder/fabric/shim/integration/FirstNetworkIntegrationTest.java

@@ -5,15 +5,8 @@
 */
 package org.hyperleder.fabric.shim.integration;
 
-import com.github.dockerjava.api.exception.ConflictException;
-import com.google.protobuf.ByteString;
-import org.hamcrest.Matchers;
-import org.hyperledger.fabric.sdk.*;
-import org.hyperledger.fabric.sdk.exception.*;
-import org.hyperledger.fabric.sdk.security.CryptoSuite;
-import org.hyperledger.fabric.shim.Chaincode;
-import org.junit.*;
-import org.testcontainers.containers.DockerComposeContainer;
+import static org.hamcrest.Matchers.containsString;
+import static org.junit.Assert.assertThat;
 
 import java.io.File;
 import java.io.IOException;
@@ -25,8 +18,31 @@
 import java.util.List;
 import java.util.stream.Collectors;
 
-import static org.hamcrest.Matchers.containsString;
-import static org.junit.Assert.assertThat;
+import com.github.dockerjava.api.exception.ConflictException;
+import com.google.protobuf.ByteString;
+
+import org.hamcrest.Matchers;
+import org.hyperledger.fabric.sdk.Channel;
+import org.hyperledger.fabric.sdk.HFClient;
+import org.hyperledger.fabric.sdk.InstallProposalRequest;
+import org.hyperledger.fabric.sdk.InstantiateProposalRequest;
+import org.hyperledger.fabric.sdk.Peer;
+import org.hyperledger.fabric.sdk.ProposalResponse;
+import org.hyperledger.fabric.sdk.TransactionProposalRequest;
+import org.hyperledger.fabric.sdk.exception.ChaincodeCollectionConfigurationException;
+import org.hyperledger.fabric.sdk.exception.ChaincodeEndorsementPolicyParseException;
+import org.hyperledger.fabric.sdk.exception.CryptoException;
+import org.hyperledger.fabric.sdk.exception.InvalidArgumentException;
+import org.hyperledger.fabric.sdk.exception.ProposalException;
+import org.hyperledger.fabric.sdk.exception.TransactionException;
+import org.hyperledger.fabric.sdk.security.CryptoSuite;
+import org.hyperledger.fabric.shim.Chaincode;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.testcontainers.containers.DockerComposeContainer;
 
 public class FirstNetworkIntegrationTest {
 
@@ -274,7 +290,7 @@ void RunSBE(HFClient client, Channel channel,  String mode) throws NoSuchAlgorit
     }
 
     @Test
-    public void testSimpelChaincodeFirstNetwork() throws IllegalAccessException, InvocationTargetException, InvalidArgumentException, InstantiationException, NoSuchMethodException, CryptoException, ClassNotFoundException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException, IOException, TransactionException, ProposalException, ChaincodeEndorsementPolicyParseException, ChaincodeCollectionConfigurationException {
+    public void testSimpleChaincodeFirstNetwork() throws IllegalAccessException, InvocationTargetException, InvalidArgumentException, InstantiationException, NoSuchMethodException, CryptoException, ClassNotFoundException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException, IOException, TransactionException, ProposalException, ChaincodeEndorsementPolicyParseException, ChaincodeCollectionConfigurationException {
         final CryptoSuite crypto = CryptoSuite.Factory.getCryptoSuite();
 
         // Create client and set default crypto suite
@@ -330,7 +346,7 @@ private void executeAndValidateQueryOnAccount(HFClient client, Channel channel,
 
     @Test
     @Ignore
-    public void testSimpelChaincodeFirstNetworkNewPM() throws IllegalAccessException, InvocationTargetException, InvalidArgumentException, InstantiationException, NoSuchMethodException, CryptoException, ClassNotFoundException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException, IOException, TransactionException, ProposalException, ChaincodeEndorsementPolicyParseException, ChaincodeCollectionConfigurationException {
+    public void testSimpleChaincodeFirstNetworkNewPM() throws IllegalAccessException, InvocationTargetException, InvalidArgumentException, InstantiationException, NoSuchMethodException, CryptoException, ClassNotFoundException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException, IOException, TransactionException, ProposalException, ChaincodeEndorsementPolicyParseException, ChaincodeCollectionConfigurationException {
         final CryptoSuite crypto = CryptoSuite.Factory.getCryptoSuite();
 
         // Create client and set default crypto suite

fabric-chaincode-integration-test/src/test/java/org/hyperleder/fabric/shim/integration/Utils.java

@@ -5,8 +5,44 @@
 */
 package org.hyperleder.fabric.shim.integration;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.hamcrest.Matchers.hasItem;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.io.StringReader;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.spec.InvalidKeySpecException;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.stream.Collectors;
+
 import com.github.dockerjava.api.model.Container;
 import com.github.dockerjava.api.model.Image;
+
 import org.apache.commons.compress.archivers.ArchiveEntry;
 import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
 import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
@@ -18,28 +54,28 @@
 import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.hamcrest.Matcher;
-import org.hamcrest.Matchers;
-import org.hyperledger.fabric.sdk.*;
-import org.hyperledger.fabric.sdk.exception.*;
+import org.hyperledger.fabric.sdk.BlockEvent;
+import org.hyperledger.fabric.sdk.ChaincodeCollectionConfiguration;
+import org.hyperledger.fabric.sdk.ChaincodeEndorsementPolicy;
+import org.hyperledger.fabric.sdk.ChaincodeID;
+import org.hyperledger.fabric.sdk.Channel;
+import org.hyperledger.fabric.sdk.Enrollment;
+import org.hyperledger.fabric.sdk.HFClient;
+import org.hyperledger.fabric.sdk.InstallProposalRequest;
+import org.hyperledger.fabric.sdk.InstantiateProposalRequest;
+import org.hyperledger.fabric.sdk.Orderer;
+import org.hyperledger.fabric.sdk.Peer;
+import org.hyperledger.fabric.sdk.ProposalResponse;
+import org.hyperledger.fabric.sdk.TransactionProposalRequest;
+import org.hyperledger.fabric.sdk.TransactionRequest;
+import org.hyperledger.fabric.sdk.User;
+import org.hyperledger.fabric.sdk.exception.ChaincodeCollectionConfigurationException;
+import org.hyperledger.fabric.sdk.exception.ChaincodeEndorsementPolicyParseException;
+import org.hyperledger.fabric.sdk.exception.InvalidArgumentException;
+import org.hyperledger.fabric.sdk.exception.ProposalException;
+import org.hyperledger.fabric.sdk.exception.TransactionException;
 import org.testcontainers.DockerClientFactory;
 
-import java.io.*;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.PrivateKey;
-import java.security.Security;
-import java.security.spec.InvalidKeySpecException;
-import java.util.*;
-import java.util.concurrent.*;
-import java.util.concurrent.atomic.AtomicBoolean;
-import java.util.stream.Collectors;
-
-import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.hamcrest.Matchers.contains;
-import static org.hamcrest.Matchers.hasItem;
-import static org.junit.Assert.assertThat;
-import static org.junit.Assert.fail;
-
 public class Utils {
 
     static public User getUser(String name, String mspId, File privateKeyFile, File certificateFile)

fabric-chaincode-shim/build.gradle

@@ -19,8 +19,8 @@ tasks.withType(org.gradle.api.tasks.testing.Test) {
 dependencies {
     compile project(':fabric-chaincode-protos')
     compile 'io.netty:netty-tcnative-boringssl-static:2.0.7.Final'
-    compile 'org.bouncycastle:bcpkix-jdk15on:1.60'
-    compile 'org.bouncycastle:bcprov-jdk15on:1.60'
+    compile 'org.bouncycastle:bcpkix-jdk15on:1.62'
+    compile 'org.bouncycastle:bcprov-jdk15on:1.62'
     compile 'org.reflections:reflections:0.9.11'
     compile group: 'cglib', name: 'cglib', version: '3.2.10'
     implementation 'com.github.everit-org.json-schema:org.everit.json.schema:1.11.1'

fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/ClientIdentity.java

@@ -0,0 +1,169 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package org.hyperledger.fabric.contract;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.DEROctetString;
+import org.hyperledger.fabric.Logger;
+import org.hyperledger.fabric.protos.msp.Identities.SerializedIdentity;
+import org.hyperledger.fabric.shim.ChaincodeStub;
+import org.json.JSONException;
+import org.json.JSONObject;
+
+/**
+ * ClientIdentity represents information about the identity that submitted a
+ * transaction. Chaincodes can use this class to obtain information about the submitting
+ * identity including a unique ID, the MSP (Membership Service Provider) ID, and attributes.
+ * Such information is useful in enforcing access control by the chaincode.
+ *
+ */
+public final class ClientIdentity {
+    private static Logger logger = Logger.getLogger(ContractRouter.class.getName());
+
+    private String mspId;
+    private X509Certificate cert;
+    private Map<String, String> attrs;
+    private String id;
+    // special OID used by Fabric to save attributes in x.509 certificates
+    private static final String FABRIC_CERT_ATTR_OID = "1.2.3.4.5.6.7.8.1";
+
+    public ClientIdentity(ChaincodeStub stub) throws CertificateException, JSONException, IOException {
+        final byte[] signingId = stub.getCreator();
+
+        // Create a Serialized Identity protobuf
+        SerializedIdentity si = SerializedIdentity.parseFrom(signingId);
+        this.mspId = si.getMspid();
+
+        final byte[] idBytes = si.getIdBytes().toByteArray();
+
+        final X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(idBytes));
+        this.cert = cert;
+
+        this.attrs = new HashMap<String, String>();
+        // Get the extension where the identity attributes are stored
+        final byte[] extensionValue = cert.getExtensionValue(FABRIC_CERT_ATTR_OID);
+        if (extensionValue != null) {
+            this.attrs = parseAttributes(extensionValue);
+        }
+
+        // Populate identity
+        this.id = "x509::" + cert.getSubjectDN().getName() + "::" + cert.getIssuerDN().getName();
+    }
+    /**
+     * getId returns the ID associated with the invoking identity. This ID
+     * is guaranteed to be unique within the MSP.
+     * @return {String} A string in the format: "x509::{subject DN}::{issuer DN}"
+     */
+    public String getId() {
+        return this.id;
+    }
+
+    /**
+     * getMSPID returns the MSP ID of the invoking identity.
+     * @return {String}
+     */
+    public String getMSPID() {
+        return this.mspId;
+    }
+
+    /**
+     * parseAttributes returns a map of the attributes associated with an identity
+     * @param extensionValue DER-encoded Octet string stored in the attributes extension
+     * of the certificate, as a byte array
+     * @return attrMap {Map<String, String>} a map of identity attributes as key value pair strings
+     */
+    private Map<String, String> parseAttributes(byte[] extensionValue) throws IOException {
+
+        Map<String, String> attrMap = new HashMap<String, String>();
+
+        // Create ASN1InputStream from extensionValue
+        try ( ByteArrayInputStream inStream = new ByteArrayInputStream(extensionValue);
+        ASN1InputStream asn1InputStream = new ASN1InputStream(inStream)) {
+
+            // Read the DER object
+            ASN1Primitive derObject = asn1InputStream.readObject();
+            if (derObject instanceof DEROctetString)
+            {
+                DEROctetString derOctetString = (DEROctetString) derObject;
+
+                // Create attributeString from octets and create JSON object
+                String attributeString = new String(derOctetString.getOctets(), UTF_8);
+                final JSONObject extJSON = new JSONObject(attributeString);
+                final JSONObject attrs = extJSON.getJSONObject("attrs");
+
+                Iterator<String> keys = attrs.keys();
+                while(keys.hasNext()) {
+                    String key = keys.next();
+                    // Populate map with attributes and values
+                    attrMap.put(key, attrs.getString(key));
+                }
+            }
+        } catch (JSONException error) {
+            // creating a JSON object failed
+            // decoded extensionValue is not a string containing JSON
+            logger.error(() -> logger.formatError(error));
+            // return empty map
+        }
+        return attrMap;
+    }
+
+    /**
+     * getAttributeValue returns the value of the client's attribute named `attrName`.
+     * If the invoking identity possesses the attribute, returns the value of the attribute.
+     * If the invoking identity does not possess the attribute, returns null.
+     * @param attrName Name of the attribute to retrieve the value from the
+     *     identity's credentials (such as x.509 certificate for PKI-based MSPs).
+     * @return {String | null} Value of the attribute or null if the invoking identity
+     *     does not possess the attribute.
+     */
+    public String getAttributeValue(String attrName) {
+        if (this.attrs.containsKey(attrName)) {
+            return this.attrs.get(attrName);
+        } else {
+            return null;
+        }
+    }
+
+    /**
+     * assertAttributeValue verifies that the invoking identity has the attribute named `attrName`
+     * with a value of `attrValue`.
+     * @param attrName Name of the attribute to retrieve the value from the
+     *     identity's credentials (such as x.509 certificate for PKI-based MSPs)
+     * @param attrValue Expected value of the attribute
+     * @return {boolean} True if the invoking identity possesses the attribute and the attribute
+     *     value matches the expected value. Otherwise, returns false.
+     */
+    public boolean assertAttributeValue(String attrName, String attrValue) {
+        if (!this.attrs.containsKey(attrName)) {
+            return false;
+        } else {
+            return attrValue.equals(this.attrs.get(attrName));
+        }
+    }
+
+    /**
+     * getX509Certificate returns the X509 certificate associated with the invoking identity,
+     * or null if it was not identified by an X509 certificate, for instance if the MSP is
+     * implemented with an alternative to PKI such as [Identity Mixer](https://jira.hyperledger.org/browse/FAB-5673).
+     * @return {X509Certificate | null}
+     */
+    public X509Certificate getX509Certificate() {
+        return this.cert;
+    }
+}

fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/Context.java

@@ -6,7 +6,11 @@
 
 package org.hyperledger.fabric.contract;
 
+import java.io.IOException;
+import java.security.cert.CertificateException;
+
 import org.hyperledger.fabric.shim.ChaincodeStub;
+import org.json.JSONException;
 
 /**
  *
@@ -32,13 +36,20 @@
  */
 public class Context {
     protected ChaincodeStub stub;
+    protected ClientIdentity clientIdentity;
 
     /**
      * Constructor
+     * Creates new client identity and sets it as a property of the stub
      * @param stub Instance of the {@link ChaincodeStub} to use
      */
     public Context(ChaincodeStub stub) {
         this.stub = stub;
+        try {
+            this.clientIdentity = new ClientIdentity(stub);
+        } catch (CertificateException | JSONException | IOException e) {
+            throw new ContractRuntimeException("Could not create new client identity", e);
+        }
     }
 
     /**
@@ -48,4 +59,12 @@ public Context(ChaincodeStub stub) {
     public ChaincodeStub getStub() {
         return this.stub;
     }
+
+    /**
+     *
+     * @return ClientIdentity object to use
+     */
+    public ClientIdentity getClientIdentity() {
+        return this.clientIdentity;
+    }
 }