Merge "[FAB-15895] Added client identity to context" into release-1.4

Author: jt-nti

fabric-chaincode-integration-test/src/test/java/org/hyperleder/fabric/shim/integration/Utils.java

@@ -5,7 +5,42 @@
 */
 package org.hyperleder.fabric.shim.integration;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.io.StringReader;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.spec.InvalidKeySpecException;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.stream.Collectors;
+
 import com.github.dockerjava.api.model.Container;
+
 import org.apache.commons.compress.archivers.ArchiveEntry;
 import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
 import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
@@ -18,25 +53,28 @@
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.hamcrest.Matcher;
 import org.hamcrest.Matchers;
-import org.hyperledger.fabric.sdk.*;
-import org.hyperledger.fabric.sdk.exception.*;
+import org.hyperledger.fabric.sdk.BlockEvent;
+import org.hyperledger.fabric.sdk.ChaincodeCollectionConfiguration;
+import org.hyperledger.fabric.sdk.ChaincodeEndorsementPolicy;
+import org.hyperledger.fabric.sdk.ChaincodeID;
+import org.hyperledger.fabric.sdk.Channel;
+import org.hyperledger.fabric.sdk.Enrollment;
+import org.hyperledger.fabric.sdk.HFClient;
+import org.hyperledger.fabric.sdk.InstallProposalRequest;
+import org.hyperledger.fabric.sdk.InstantiateProposalRequest;
+import org.hyperledger.fabric.sdk.Orderer;
+import org.hyperledger.fabric.sdk.Peer;
+import org.hyperledger.fabric.sdk.ProposalResponse;
+import org.hyperledger.fabric.sdk.TransactionProposalRequest;
+import org.hyperledger.fabric.sdk.TransactionRequest;
+import org.hyperledger.fabric.sdk.User;
+import org.hyperledger.fabric.sdk.exception.ChaincodeCollectionConfigurationException;
+import org.hyperledger.fabric.sdk.exception.ChaincodeEndorsementPolicyParseException;
+import org.hyperledger.fabric.sdk.exception.InvalidArgumentException;
+import org.hyperledger.fabric.sdk.exception.ProposalException;
+import org.hyperledger.fabric.sdk.exception.TransactionException;
 import org.testcontainers.DockerClientFactory;
 
-import java.io.*;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.PrivateKey;
-import java.security.Security;
-import java.security.spec.InvalidKeySpecException;
-import java.util.*;
-import java.util.concurrent.*;
-import java.util.concurrent.atomic.AtomicBoolean;
-import java.util.stream.Collectors;
-
-import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.junit.Assert.assertThat;
-import static org.junit.Assert.fail;
-
 public class Utils {
 
     static public User getUser(String name, String mspId, File privateKeyFile, File certificateFile)

fabric-chaincode-shim/build.gradle

@@ -19,8 +19,8 @@ tasks.withType(org.gradle.api.tasks.testing.Test) {
 dependencies {
     compile project(':fabric-chaincode-protos')
     compile 'io.netty:netty-tcnative-boringssl-static:2.0.7.Final'
-    compile 'org.bouncycastle:bcpkix-jdk15on:1.60'
-    compile 'org.bouncycastle:bcprov-jdk15on:1.60'
+    compile 'org.bouncycastle:bcpkix-jdk15on:1.62'
+    compile 'org.bouncycastle:bcprov-jdk15on:1.62'
     compile 'org.reflections:reflections:0.9.11'
     implementation 'com.github.everit-org.json-schema:org.everit.json.schema:1.11.1'
     compile 'io.swagger.core.v3:swagger-annotations:2.0.0'

fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/ClientIdentity.java

@@ -0,0 +1,169 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package org.hyperledger.fabric.contract;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.DEROctetString;
+import org.hyperledger.fabric.Logger;
+import org.hyperledger.fabric.protos.msp.Identities.SerializedIdentity;
+import org.hyperledger.fabric.shim.ChaincodeStub;
+import org.json.JSONException;
+import org.json.JSONObject;
+
+/**
+ * ClientIdentity represents information about the identity that submitted a
+ * transaction. Chaincodes can use this class to obtain information about the submitting
+ * identity including a unique ID, the MSP (Membership Service Provider) ID, and attributes.
+ * Such information is useful in enforcing access control by the chaincode.
+ *
+ */
+public final class ClientIdentity {
+    private static Logger logger = Logger.getLogger(ContractRouter.class.getName());
+
+    private String mspId;
+    private X509Certificate cert;
+    private Map<String, String> attrs;
+    private String id;
+    // special OID used by Fabric to save attributes in x.509 certificates
+    private static final String FABRIC_CERT_ATTR_OID = "1.2.3.4.5.6.7.8.1";
+
+    public ClientIdentity(ChaincodeStub stub) throws CertificateException, JSONException, IOException {
+        final byte[] signingId = stub.getCreator();
+
+        // Create a Serialized Identity protobuf
+        SerializedIdentity si = SerializedIdentity.parseFrom(signingId);
+        this.mspId = si.getMspid();
+
+        final byte[] idBytes = si.getIdBytes().toByteArray();
+
+        final X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(idBytes));
+        this.cert = cert;
+
+        this.attrs = new HashMap<String, String>();
+        // Get the extension where the identity attributes are stored
+        final byte[] extensionValue = cert.getExtensionValue(FABRIC_CERT_ATTR_OID);
+        if (extensionValue != null) {
+            this.attrs = parseAttributes(extensionValue);
+        }
+
+        // Populate identity
+        this.id = "x509::" + cert.getSubjectDN().getName() + "::" + cert.getIssuerDN().getName();
+    }
+    /**
+     * getId returns the ID associated with the invoking identity. This ID
+     * is guaranteed to be unique within the MSP.
+     * @return {String} A string in the format: "x509::{subject DN}::{issuer DN}"
+     */
+    public String getId() {
+        return this.id;
+    }
+
+    /**
+     * getMSPID returns the MSP ID of the invoking identity.
+     * @return {String}
+     */
+    public String getMSPID() {
+        return this.mspId;
+    }
+
+    /**
+     * parseAttributes returns a map of the attributes associated with an identity
+     * @param extensionValue DER-encoded Octet string stored in the attributes extension
+     * of the certificate, as a byte array
+     * @return attrMap {Map<String, String>} a map of identity attributes as key value pair strings
+     */
+    private Map<String, String> parseAttributes(byte[] extensionValue) throws IOException {
+
+        Map<String, String> attrMap = new HashMap<String, String>();
+
+        // Create ASN1InputStream from extensionValue
+        try ( ByteArrayInputStream inStream = new ByteArrayInputStream(extensionValue);
+        ASN1InputStream asn1InputStream = new ASN1InputStream(inStream)) {
+
+            // Read the DER object
+            ASN1Primitive derObject = asn1InputStream.readObject();
+            if (derObject instanceof DEROctetString)
+            {
+                DEROctetString derOctetString = (DEROctetString) derObject;
+
+                // Create attributeString from octets and create JSON object
+                String attributeString = new String(derOctetString.getOctets(), UTF_8);
+                final JSONObject extJSON = new JSONObject(attributeString);
+                final JSONObject attrs = extJSON.getJSONObject("attrs");
+
+                Iterator<String> keys = attrs.keys();
+                while(keys.hasNext()) {
+                    String key = keys.next();
+                    // Populate map with attributes and values
+                    attrMap.put(key, attrs.getString(key));
+                }
+            }
+        } catch (JSONException error) {
+            // creating a JSON object failed
+            // decoded extensionValue is not a string containing JSON
+            logger.error(() -> logger.formatError(error));
+            // return empty map
+        }
+        return attrMap;
+    }
+
+    /**
+     * getAttributeValue returns the value of the client's attribute named `attrName`.
+     * If the invoking identity possesses the attribute, returns the value of the attribute.
+     * If the invoking identity does not possess the attribute, returns null.
+     * @param attrName Name of the attribute to retrieve the value from the
+     *     identity's credentials (such as x.509 certificate for PKI-based MSPs).
+     * @return {String | null} Value of the attribute or null if the invoking identity
+     *     does not possess the attribute.
+     */
+    public String getAttributeValue(String attrName) {
+        if (this.attrs.containsKey(attrName)) {
+            return this.attrs.get(attrName);
+        } else {
+            return null;
+        }
+    }
+
+    /**
+     * assertAttributeValue verifies that the invoking identity has the attribute named `attrName`
+     * with a value of `attrValue`.
+     * @param attrName Name of the attribute to retrieve the value from the
+     *     identity's credentials (such as x.509 certificate for PKI-based MSPs)
+     * @param attrValue Expected value of the attribute
+     * @return {boolean} True if the invoking identity possesses the attribute and the attribute
+     *     value matches the expected value. Otherwise, returns false.
+     */
+    public boolean assertAttributeValue(String attrName, String attrValue) {
+        if (!this.attrs.containsKey(attrName)) {
+            return false;
+        } else {
+            return attrValue.equals(this.attrs.get(attrName));
+        }
+    }
+
+    /**
+     * getX509Certificate returns the X509 certificate associated with the invoking identity,
+     * or null if it was not identified by an X509 certificate, for instance if the MSP is
+     * implemented with an alternative to PKI such as [Identity Mixer](https://jira.hyperledger.org/browse/FAB-5673).
+     * @return {X509Certificate | null}
+     */
+    public X509Certificate getX509Certificate() {
+        return this.cert;
+    }
+}

fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/Context.java

@@ -6,7 +6,11 @@
 
 package org.hyperledger.fabric.contract;
 
+import java.io.IOException;
+import java.security.cert.CertificateException;
+
 import org.hyperledger.fabric.shim.ChaincodeStub;
+import org.json.JSONException;
 
 /**
  *
@@ -32,13 +36,20 @@
  */
 public class Context {
     protected ChaincodeStub stub;
+    protected ClientIdentity clientIdentity;
 
     /**
      * Constructor
+     * Creates new client identity and sets it as a property of the stub
      * @param stub Instance of the {@link ChaincodeStub} to use
      */
     public Context(ChaincodeStub stub) {
         this.stub = stub;
+        try {
+            this.clientIdentity = new ClientIdentity(stub);
+        } catch (CertificateException | JSONException | IOException e) {
+            throw new ContractRuntimeException("Could not create new client identity", e);
+        }
     }
 
     /**
@@ -48,4 +59,12 @@ public Context(ChaincodeStub stub) {
     public ChaincodeStub getStub() {
         return this.stub;
     }
+
+    /**
+     *
+     * @return ClientIdentity object to use
+     */
+    public ClientIdentity getClientIdentity() {
+        return this.clientIdentity;
+    }
 }

fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/ContractRouter.java

@@ -116,7 +116,7 @@ TxFunction getRouting(InvocationRequest request) {
         } else {
             logger.debug(() -> "Namespace is " + request);
             ContractDefinition contract = registry.getContract(request.getNamespace());
-            return contract.getUnkownRoute();
+            return contract.getUnknownRoute();
         }
     }
 

fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/execution/ExecutionService.java

@@ -12,7 +12,7 @@
 import org.hyperledger.fabric.shim.ChaincodeStub;
 
 /**
- * Service that executes {@link InvocationRequest} (wrapped INit/Invoke + extra data) using routing information {@link Routing}
+ * Service that executes {@link InvocationRequest} (wrapped Init/Invoke + extra data) using routing information {@link Routing}
  */
 public interface ExecutionService {
 

fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/metadata/MetadataBuilder.java

@@ -22,6 +22,7 @@
 import org.everit.json.schema.loader.SchemaLoader;
 import org.hyperledger.fabric.Logger;
 import org.hyperledger.fabric.contract.annotation.Contract;
+import org.hyperledger.fabric.contract.annotation.Info;
 import org.hyperledger.fabric.contract.routing.ContractDefinition;
 import org.hyperledger.fabric.contract.routing.DataTypeDefinition;
 import org.hyperledger.fabric.contract.routing.RoutingRegistry;
@@ -31,8 +32,6 @@
 import org.json.JSONObject;
 import org.json.JSONTokener;
 
-import org.hyperledger.fabric.contract.annotation.Info;
-
 /**
  * Builder to assist in production of the metadata
  * <p>
@@ -99,7 +98,7 @@ public static void initialize(RoutingRegistry registry, TypeRegistry typeRegistr
         // need to validate that the metadata that has been created is really valid
         // it should be as it's been created by code, but this is a valuable double
         // check
-        logger.info("Validating scehma created");
+        logger.info("Validating schema created");
         MetadataBuilder.validate();
 
     }

fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/routing/ContractDefinition.java

@@ -24,7 +24,7 @@
  * when invoked TxFunctions - the transaction functions defined in this contract
  *
  * Will embedded the ContgractInterface instance, as well as the annotation
- * itself, and the routing for any tx function that is unkown
+ * itself, and the routing for any tx function that is unknown
  *
  */
 public interface ContractDefinition {
@@ -59,8 +59,8 @@ public interface ContractDefinition {
 
     /**
      *
-     * @param method name to returned
-     * @return TxFunction that represent this requested method
+     * @param method name to be returned
+     * @return TxFunction that represents this requested method
      */
     TxFunction getTxFunction(String method);
 
@@ -75,7 +75,7 @@ public interface ContractDefinition {
      * @return The TxFunction to be used for this contract in case of unknown
      *         request
      */
-    TxFunction getUnkownRoute();
+    TxFunction getUnknownRoute();
 
     /**
      * @return Underlying raw annotation

fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/routing/impl/ContractDefinitionImpl.java

@@ -112,7 +112,7 @@ public boolean hasTxFunction(String method) {
     }
 
     @Override
-    public TxFunction getUnkownRoute() {
+    public TxFunction getUnknownRoute() {
         return unknownTx;
     }