Example 1 with SecurityPolicy
use of com.jd.blockchain.ledger.SecurityPolicy in project jdchain-core by blockchain-jd-com.
the class UserStateUpdateOperationHandle method doProcess.
@Override
protected void doProcess(UserStateUpdateOperation op, LedgerTransactionContext transactionContext, TransactionRequestExtension requestContext, LedgerQuery ledger, OperationHandleContext handleContext, EventManager manager) {
// 权限校验;
SecurityPolicy securityPolicy = SecurityContext.getContextUsersPolicy();
securityPolicy.checkEndpointPermission(LedgerPermission.UPDATE_USER_STATE, MultiIDsPolicy.AT_LEAST_ONE);
UserAccount user = transactionContext.getDataset().getUserAccountSet().getAccount(op.getUserAddress());
if (null == user) {
throw new UserDoesNotExistException(String.format("User doesn't exist! --[Address=%s]", op.getUserAddress()));
}
// REVOKE 状态不可再恢复
if (user.getState() == AccountState.REVOKE) {
throw new IllegalAccountStateException(String.format("Can not change user in REVOKE state! --[Address=%s]", op.getUserAddress()));
}
// 操作账本;
((UserAccountSetEditor) (transactionContext.getDataset().getUserAccountSet())).setState(op.getUserAddress(), op.getState());
}
Also used :
UserAccountSetEditor(com.jd.blockchain.ledger.core.UserAccountSetEditor)
SecurityPolicy(com.jd.blockchain.ledger.SecurityPolicy)
IllegalAccountStateException(com.jd.blockchain.ledger.IllegalAccountStateException)
UserDoesNotExistException(com.jd.blockchain.ledger.UserDoesNotExistException)
UserAccount(com.jd.blockchain.ledger.core.UserAccount)
Example 2 with SecurityPolicy
use of com.jd.blockchain.ledger.SecurityPolicy in project jdchain-core by blockchain-jd-com.
the class ContractStateUpdateOperationHandle method doProcess.
@Override
protected void doProcess(ContractStateUpdateOperation op, LedgerTransactionContext transactionContext, TransactionRequestExtension requestContext, LedgerQuery ledger, OperationHandleContext handleContext, EventManager manager) {
// 权限校验;
SecurityPolicy securityPolicy = SecurityContext.getContextUsersPolicy();
securityPolicy.checkEndpointPermission(LedgerPermission.UPDATE_CONTRACT_STATE, MultiIDsPolicy.AT_LEAST_ONE);
ContractAccount contract = transactionContext.getDataset().getContractAccountSet().getAccount(op.getContractAddress());
if (null == contract) {
throw new ContractDoesNotExistException(String.format("Contract doesn't exist! --[Address=%s]", op.getContractAddress()));
}
// REVOKE 状态不可再恢复
if (contract.getState() == AccountState.REVOKE) {
throw new IllegalAccountStateException(String.format("Can not change contract in REVOKE state! --[Address=%s]", op.getContractAddress()));
}
// 操作账本;
((ContractAccountSetEditor) (transactionContext.getDataset().getContractAccountSet())).setState(op.getContractAddress(), op.getState());
}
Also used :
ContractAccount(com.jd.blockchain.ledger.core.ContractAccount)
ContractAccountSetEditor(com.jd.blockchain.ledger.core.ContractAccountSetEditor)
SecurityPolicy(com.jd.blockchain.ledger.SecurityPolicy)
IllegalAccountStateException(com.jd.blockchain.ledger.IllegalAccountStateException)
ContractDoesNotExistException(com.jd.blockchain.ledger.ContractDoesNotExistException)
Example 3 with SecurityPolicy
use of com.jd.blockchain.ledger.SecurityPolicy in project jdchain-core by blockchain-jd-com.
the class UserAuthorizeOperationHandle method doProcess.
@Override
protected void doProcess(UserAuthorizeOperation operation, LedgerTransactionContext transactionContext, TransactionRequestExtension request, LedgerQuery ledger, OperationHandleContext handleContext, EventManager manager) {
// 权限校验;
SecurityPolicy securityPolicy = SecurityContext.getContextUsersPolicy();
securityPolicy.checkEndpointPermission(LedgerPermission.CONFIGURE_ROLES, MultiIDsPolicy.AT_LEAST_ONE);
// 操作账本;
UserRolesEntry[] urcfgs = operation.getUserRolesAuthorizations();
UserAuthorizationSettings userRoleDataset = transactionContext.getDataset().getAdminDataset().getAdminSettings().getAuthorizations();
RolePrivilegeSettings rolesSettings = transactionContext.getDataset().getAdminDataset().getAdminSettings().getRolePrivileges();
if (urcfgs != null) {
for (UserRolesEntry urcfg : urcfgs) {
//
String[] authRoles = urcfg.getAuthorizedRoles();
Arrays.stream(authRoles).forEach(role -> {
if (!rolesSettings.contains(role)) {
throw new RoleDoesNotExistException(String.format("Role doesn't exist! --[Role=%s]", role));
}
});
for (Bytes address : urcfg.getUserAddresses()) {
UserRoles ur = userRoleDataset.getUserRoles(address);
if (ur == null) {
// 这是新的授权;
RolesPolicy policy = urcfg.getPolicy();
if (policy == null) {
policy = RolesPolicy.UNION;
}
((UserRoleDatasetEditor) userRoleDataset).addUserRoles(address, policy, authRoles);
} else {
// 更改之前的授权;
ur.addRoles(authRoles);
ur.removeRoles(urcfg.getUnauthorizedRoles());
// 如果请求中设置了策略,才进行更新;
RolesPolicy policy = urcfg.getPolicy();
if (policy != null) {
ur.setPolicy(policy);
}
((UserRoleDatasetEditor) userRoleDataset).updateUserRoles(ur);
}
}
}
}
}
Also used :
UserRolesEntry(com.jd.blockchain.ledger.UserAuthorizeOperation.UserRolesEntry)
Bytes(utils.Bytes)
RolesPolicy(com.jd.blockchain.ledger.RolesPolicy)
UserRoleDatasetEditor(com.jd.blockchain.ledger.core.UserRoleDatasetEditor)
SecurityPolicy(com.jd.blockchain.ledger.SecurityPolicy)
UserRoles(com.jd.blockchain.ledger.UserRoles)
RoleDoesNotExistException(com.jd.blockchain.ledger.RoleDoesNotExistException)
UserAuthorizationSettings(com.jd.blockchain.ledger.UserAuthorizationSettings)
RolePrivilegeSettings(com.jd.blockchain.ledger.RolePrivilegeSettings)
Example 4 with SecurityPolicy
use of com.jd.blockchain.ledger.SecurityPolicy in project jdchain-core by blockchain-jd-com.
the class UserRegisterOperationHandle method doProcess.
@Override
protected void doProcess(UserRegisterOperation op, LedgerTransactionContext transactionContext, TransactionRequestExtension requestContext, LedgerQuery ledger, OperationHandleContext handleContext, EventManager manager) {
// 权限校验;
SecurityPolicy securityPolicy = SecurityContext.getContextUsersPolicy();
securityPolicy.checkEndpointPermission(LedgerPermission.REGISTER_USER, MultiIDsPolicy.AT_LEAST_ONE);
// 证书模式下必须传递证书
if (transactionContext.getDataset().getAdminDataset().getAdminSettings().getMetadata().getIdentityMode() == IdentityMode.CA) {
if (StringUtils.isEmpty(op.getCertificate())) {
throw new IllegalTransactionException("User certificate is empty!");
}
X509Certificate cert = CertificateUtils.parseCertificate(op.getCertificate());
CertificateUtils.checkCertificateRolesAny(cert, CertificateRole.PEER, CertificateRole.GW, CertificateRole.USER);
CertificateUtils.checkValidity(cert);
X509Certificate[] ledgerCAs = CertificateUtils.parseCertificates(transactionContext.getDataset().getAdminDataset().getAdminSettings().getMetadata().getLedgerCertificates());
X509Certificate[] issuers = CertificateUtils.findIssuers(cert, ledgerCAs);
Arrays.stream(issuers).forEach(issuer -> CertificateUtils.checkCACertificate(issuer));
CertificateUtils.checkValidityAny(issuers);
}
// 操作账本;
BlockchainIdentity bid = op.getUserID();
Bytes userAddress = bid.getAddress();
((UserAccountSetEditor) (transactionContext.getDataset().getUserAccountSet())).register(userAddress, bid.getPubKey(), op.getCertificate());
}
Also used :
Bytes(utils.Bytes)
IllegalTransactionException(com.jd.blockchain.ledger.IllegalTransactionException)
UserAccountSetEditor(com.jd.blockchain.ledger.core.UserAccountSetEditor)
SecurityPolicy(com.jd.blockchain.ledger.SecurityPolicy)
BlockchainIdentity(com.jd.blockchain.ledger.BlockchainIdentity)
X509Certificate(java.security.cert.X509Certificate)
Example 5 with SecurityPolicy
use of com.jd.blockchain.ledger.SecurityPolicy in project jdchain-core by blockchain-jd-com.
the class LedgerSecurityManagerTest method testGetSecurityPolicy.
@Test
public void testGetSecurityPolicy() {
MemoryKVStorage testStorage = new MemoryKVStorage();
// 定义不同角色用户的 keypair;
final BlockchainKeypair kpManager = BlockchainKeyGenerator.getInstance().generate();
final BlockchainKeypair kpEmployee = BlockchainKeyGenerator.getInstance().generate();
final BlockchainKeypair kpDevoice = BlockchainKeyGenerator.getInstance().generate();
final BlockchainKeypair kpPlatform = BlockchainKeyGenerator.getInstance().generate();
// 定义角色和权限;
final String ROLE_ADMIN = "ID_ADMIN";
final String ROLE_OPERATOR = "OPERATOR";
final String ROLE_DATA_COLLECTOR = "DATA_COLLECTOR";
final String ROLE_PLATFORM = "PLATFORM";
// 定义管理员角色的权限:【账本权限只允许:注册用户、注册数据账户】【交易权限只允许:调用账本直接操作】
final Privileges PRIVILEGES_ADMIN = Privileges.configure().enable(LedgerPermission.REGISTER_USER, LedgerPermission.REGISTER_DATA_ACCOUNT).enable(TransactionPermission.DIRECT_OPERATION);
// 定义操作员角色的权限:【账本权限只允许:写入数据账户】【交易权限只允许:调用合约】
final Privileges PRIVILEGES_OPERATOR = Privileges.configure().enable(LedgerPermission.WRITE_DATA_ACCOUNT).enable(TransactionPermission.CONTRACT_OPERATION);
// 定义数据收集器角色的权限:【账本权限只允许:写入数据账户】【交易权限只允许:调用账本直接操作】
final Privileges PRIVILEGES_DATA_COLLECTOR = Privileges.configure().enable(LedgerPermission.WRITE_DATA_ACCOUNT).enable(TransactionPermission.DIRECT_OPERATION);
// 定义平台角色的权限:【账本权限只允许:签署合约】 (只允许作为节点签署交易,不允许作为终端发起交易指令)
final Privileges PRIVILEGES_PLATFORM = Privileges.configure().enable(LedgerPermission.APPROVE_TX);
RolePrivilegeDataset rolePrivilegeDataset = createRolePrivilegeDataset(testStorage);
long v = rolePrivilegeDataset.addRolePrivilege(ROLE_ADMIN, PRIVILEGES_ADMIN);
assertTrue(v > -1);
v = rolePrivilegeDataset.addRolePrivilege(ROLE_OPERATOR, PRIVILEGES_OPERATOR);
assertTrue(v > -1);
v = rolePrivilegeDataset.addRolePrivilege(ROLE_DATA_COLLECTOR, PRIVILEGES_DATA_COLLECTOR);
assertTrue(v > -1);
v = rolePrivilegeDataset.addRolePrivilege(ROLE_PLATFORM, PRIVILEGES_PLATFORM);
assertTrue(v > -1);
rolePrivilegeDataset.commit();
// 为用户分配角色;
String[] managerRoles = new String[] { ROLE_ADMIN, ROLE_OPERATOR };
String[] employeeRoles = new String[] { ROLE_OPERATOR };
String[] devoiceRoles = new String[] { ROLE_DATA_COLLECTOR };
String[] platformRoles = new String[] { ROLE_PLATFORM };
UserRoleDatasetEditor userRolesDataset = createUserRoleDataset(testStorage);
userRolesDataset.addUserRoles(kpManager.getAddress(), RolesPolicy.UNION, managerRoles);
userRolesDataset.addUserRoles(kpEmployee.getAddress(), RolesPolicy.UNION, employeeRoles);
userRolesDataset.addUserRoles(kpDevoice.getAddress(), RolesPolicy.UNION, devoiceRoles);
userRolesDataset.addUserRoles(kpPlatform.getAddress(), RolesPolicy.UNION, platformRoles);
userRolesDataset.commit();
ParticipantCollection partisQuery = Mockito.mock(ParticipantCollection.class);
UserAccountSet usersQuery = Mockito.mock(UserAccountSet.class);
// 创建安全管理器;
LedgerSecurityManager securityManager = new LedgerSecurityManagerImpl(rolePrivilegeDataset, userRolesDataset, partisQuery, usersQuery);
// 定义终端用户列表;终端用户一起共同具有 ADMIN、OPERATOR 角色;
final Map<Bytes, BlockchainKeypair> endpoints = new HashMap<>();
endpoints.put(kpManager.getAddress(), kpManager);
endpoints.put(kpEmployee.getAddress(), kpEmployee);
// 定义节点参与方列表;
final Map<Bytes, BlockchainKeypair> nodes = new HashMap<>();
nodes.put(kpPlatform.getAddress(), kpPlatform);
// 创建一项与指定的终端用户和节点参与方相关的安全策略;
SecurityPolicy policy = securityManager.getSecurityPolicy(endpoints.keySet(), nodes.keySet());
// 校验安全策略的正确性;
LedgerPermission[] ledgerPermissions = LedgerPermission.values();
for (LedgerPermission p : ledgerPermissions) {
// 终端节点有 ADMIN 和 OPERATOR 两种角色的合并权限;
if (p == LedgerPermission.REGISTER_USER || p == LedgerPermission.REGISTER_DATA_ACCOUNT || p == LedgerPermission.WRITE_DATA_ACCOUNT) {
assertTrue(policy.isEndpointEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
} else {
assertFalse(policy.isEndpointEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
}
if (p == LedgerPermission.APPROVE_TX) {
// 共识参与方只有 PLATFORM 角色的权限:核准交易;
assertTrue(policy.isNodeEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
} else {
assertFalse(policy.isNodeEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
}
}
TransactionPermission[] transactionPermissions = TransactionPermission.values();
for (TransactionPermission p : transactionPermissions) {
// 终端节点有 ADMIN 和 OPERATOR 两种角色的合并权限;
if (p == TransactionPermission.DIRECT_OPERATION || p == TransactionPermission.CONTRACT_OPERATION) {
assertTrue(policy.isEndpointEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
} else {
assertFalse(policy.isEndpointEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
}
assertFalse(policy.isNodeEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
}
}
Also used :
RolePrivilegeDataset(com.jd.blockchain.ledger.core.RolePrivilegeDataset)
LedgerSecurityManager(com.jd.blockchain.ledger.core.LedgerSecurityManager)
TransactionPermission(com.jd.blockchain.ledger.TransactionPermission)
HashMap(java.util.HashMap)
ParticipantCollection(com.jd.blockchain.ledger.core.ParticipantCollection)
LedgerPermission(com.jd.blockchain.ledger.LedgerPermission)
BlockchainKeypair(com.jd.blockchain.ledger.BlockchainKeypair)
Bytes(utils.Bytes)
UserRoleDatasetEditor(com.jd.blockchain.ledger.core.UserRoleDatasetEditor)
LedgerSecurityManagerImpl(com.jd.blockchain.ledger.core.LedgerSecurityManagerImpl)
MemoryKVStorage(com.jd.blockchain.storage.service.utils.MemoryKVStorage)
Privileges(com.jd.blockchain.ledger.Privileges)
SecurityPolicy(com.jd.blockchain.ledger.SecurityPolicy)
UserAccountSet(com.jd.blockchain.ledger.core.UserAccountSet)
Test(org.junit.Test)
Aggregations
SecurityPolicy (com.jd.blockchain.ledger.SecurityPolicy)16
LedgerSecurityManager (com.jd.blockchain.ledger.core.LedgerSecurityManager)4
IllegalAccountStateException (com.jd.blockchain.ledger.IllegalAccountStateException)3
LedgerPermission (com.jd.blockchain.ledger.LedgerPermission)3
TransactionPermission (com.jd.blockchain.ledger.TransactionPermission)3
UserAccountSetEditor (com.jd.blockchain.ledger.core.UserAccountSetEditor)3
X509Certificate (java.security.cert.X509Certificate)3
Bytes (utils.Bytes)3
AccountDataPermission (com.jd.blockchain.ledger.AccountDataPermission)2
BlockchainIdentity (com.jd.blockchain.ledger.BlockchainIdentity)2
ContractDoesNotExistException (com.jd.blockchain.ledger.ContractDoesNotExistException)2
DataAccountDoesNotExistException (com.jd.blockchain.ledger.DataAccountDoesNotExistException)2
RoleDoesNotExistException (com.jd.blockchain.ledger.RoleDoesNotExistException)2
RolePrivilegeSettings (com.jd.blockchain.ledger.RolePrivilegeSettings)2
UserDoesNotExistException (com.jd.blockchain.ledger.UserDoesNotExistException)2
DataAccount (com.jd.blockchain.ledger.core.DataAccount)2
LedgerAdminDataSet (com.jd.blockchain.ledger.core.LedgerAdminDataSet)2
LedgerAdminDataSetEditor (com.jd.blockchain.ledger.core.LedgerAdminDataSetEditor)2
RolePrivilegeDataset (com.jd.blockchain.ledger.core.RolePrivilegeDataset)2
UserAccount (com.jd.blockchain.ledger.core.UserAccount)2
