Search in sources :

Example 1 with UserRoleDatasetEditor

use of com.jd.blockchain.ledger.core.UserRoleDatasetEditor in project jdchain-core by blockchain-jd-com.

the class UserAuthorizeOperationHandle method doProcess.

@Override
protected void doProcess(UserAuthorizeOperation operation, LedgerTransactionContext transactionContext, TransactionRequestExtension request, LedgerQuery ledger, OperationHandleContext handleContext, EventManager manager) {
    // 权限校验;
    SecurityPolicy securityPolicy = SecurityContext.getContextUsersPolicy();
    securityPolicy.checkEndpointPermission(LedgerPermission.CONFIGURE_ROLES, MultiIDsPolicy.AT_LEAST_ONE);
    // 操作账本;
    UserRolesEntry[] urcfgs = operation.getUserRolesAuthorizations();
    UserAuthorizationSettings userRoleDataset = transactionContext.getDataset().getAdminDataset().getAdminSettings().getAuthorizations();
    RolePrivilegeSettings rolesSettings = transactionContext.getDataset().getAdminDataset().getAdminSettings().getRolePrivileges();
    if (urcfgs != null) {
        for (UserRolesEntry urcfg : urcfgs) {
            // 
            String[] authRoles = urcfg.getAuthorizedRoles();
            Arrays.stream(authRoles).forEach(role -> {
                if (!rolesSettings.contains(role)) {
                    throw new RoleDoesNotExistException(String.format("Role doesn't exist! --[Role=%s]", role));
                }
            });
            for (Bytes address : urcfg.getUserAddresses()) {
                UserRoles ur = userRoleDataset.getUserRoles(address);
                if (ur == null) {
                    // 这是新的授权;
                    RolesPolicy policy = urcfg.getPolicy();
                    if (policy == null) {
                        policy = RolesPolicy.UNION;
                    }
                    ((UserRoleDatasetEditor) userRoleDataset).addUserRoles(address, policy, authRoles);
                } else {
                    // 更改之前的授权;
                    ur.addRoles(authRoles);
                    ur.removeRoles(urcfg.getUnauthorizedRoles());
                    // 如果请求中设置了策略,才进行更新;
                    RolesPolicy policy = urcfg.getPolicy();
                    if (policy != null) {
                        ur.setPolicy(policy);
                    }
                    ((UserRoleDatasetEditor) userRoleDataset).updateUserRoles(ur);
                }
            }
        }
    }
}
Also used : UserRolesEntry(com.jd.blockchain.ledger.UserAuthorizeOperation.UserRolesEntry) Bytes(utils.Bytes) RolesPolicy(com.jd.blockchain.ledger.RolesPolicy) UserRoleDatasetEditor(com.jd.blockchain.ledger.core.UserRoleDatasetEditor) SecurityPolicy(com.jd.blockchain.ledger.SecurityPolicy) UserRoles(com.jd.blockchain.ledger.UserRoles) RoleDoesNotExistException(com.jd.blockchain.ledger.RoleDoesNotExistException) UserAuthorizationSettings(com.jd.blockchain.ledger.UserAuthorizationSettings) RolePrivilegeSettings(com.jd.blockchain.ledger.RolePrivilegeSettings)

Example 2 with UserRoleDatasetEditor

use of com.jd.blockchain.ledger.core.UserRoleDatasetEditor in project jdchain-core by blockchain-jd-com.

the class LedgerSecurityManagerTest method testGetSecurityPolicy.

@Test
public void testGetSecurityPolicy() {
    MemoryKVStorage testStorage = new MemoryKVStorage();
    // 定义不同角色用户的 keypair;
    final BlockchainKeypair kpManager = BlockchainKeyGenerator.getInstance().generate();
    final BlockchainKeypair kpEmployee = BlockchainKeyGenerator.getInstance().generate();
    final BlockchainKeypair kpDevoice = BlockchainKeyGenerator.getInstance().generate();
    final BlockchainKeypair kpPlatform = BlockchainKeyGenerator.getInstance().generate();
    // 定义角色和权限;
    final String ROLE_ADMIN = "ID_ADMIN";
    final String ROLE_OPERATOR = "OPERATOR";
    final String ROLE_DATA_COLLECTOR = "DATA_COLLECTOR";
    final String ROLE_PLATFORM = "PLATFORM";
    // 定义管理员角色的权限:【账本权限只允许:注册用户、注册数据账户】【交易权限只允许:调用账本直接操作】
    final Privileges PRIVILEGES_ADMIN = Privileges.configure().enable(LedgerPermission.REGISTER_USER, LedgerPermission.REGISTER_DATA_ACCOUNT).enable(TransactionPermission.DIRECT_OPERATION);
    // 定义操作员角色的权限:【账本权限只允许:写入数据账户】【交易权限只允许:调用合约】
    final Privileges PRIVILEGES_OPERATOR = Privileges.configure().enable(LedgerPermission.WRITE_DATA_ACCOUNT).enable(TransactionPermission.CONTRACT_OPERATION);
    // 定义数据收集器角色的权限:【账本权限只允许:写入数据账户】【交易权限只允许:调用账本直接操作】
    final Privileges PRIVILEGES_DATA_COLLECTOR = Privileges.configure().enable(LedgerPermission.WRITE_DATA_ACCOUNT).enable(TransactionPermission.DIRECT_OPERATION);
    // 定义平台角色的权限:【账本权限只允许:签署合约】 (只允许作为节点签署交易,不允许作为终端发起交易指令)
    final Privileges PRIVILEGES_PLATFORM = Privileges.configure().enable(LedgerPermission.APPROVE_TX);
    RolePrivilegeDataset rolePrivilegeDataset = createRolePrivilegeDataset(testStorage);
    long v = rolePrivilegeDataset.addRolePrivilege(ROLE_ADMIN, PRIVILEGES_ADMIN);
    assertTrue(v > -1);
    v = rolePrivilegeDataset.addRolePrivilege(ROLE_OPERATOR, PRIVILEGES_OPERATOR);
    assertTrue(v > -1);
    v = rolePrivilegeDataset.addRolePrivilege(ROLE_DATA_COLLECTOR, PRIVILEGES_DATA_COLLECTOR);
    assertTrue(v > -1);
    v = rolePrivilegeDataset.addRolePrivilege(ROLE_PLATFORM, PRIVILEGES_PLATFORM);
    assertTrue(v > -1);
    rolePrivilegeDataset.commit();
    // 为用户分配角色;
    String[] managerRoles = new String[] { ROLE_ADMIN, ROLE_OPERATOR };
    String[] employeeRoles = new String[] { ROLE_OPERATOR };
    String[] devoiceRoles = new String[] { ROLE_DATA_COLLECTOR };
    String[] platformRoles = new String[] { ROLE_PLATFORM };
    UserRoleDatasetEditor userRolesDataset = createUserRoleDataset(testStorage);
    userRolesDataset.addUserRoles(kpManager.getAddress(), RolesPolicy.UNION, managerRoles);
    userRolesDataset.addUserRoles(kpEmployee.getAddress(), RolesPolicy.UNION, employeeRoles);
    userRolesDataset.addUserRoles(kpDevoice.getAddress(), RolesPolicy.UNION, devoiceRoles);
    userRolesDataset.addUserRoles(kpPlatform.getAddress(), RolesPolicy.UNION, platformRoles);
    userRolesDataset.commit();
    ParticipantCollection partisQuery = Mockito.mock(ParticipantCollection.class);
    UserAccountSet usersQuery = Mockito.mock(UserAccountSet.class);
    // 创建安全管理器;
    LedgerSecurityManager securityManager = new LedgerSecurityManagerImpl(rolePrivilegeDataset, userRolesDataset, partisQuery, usersQuery);
    // 定义终端用户列表;终端用户一起共同具有 ADMIN、OPERATOR 角色;
    final Map<Bytes, BlockchainKeypair> endpoints = new HashMap<>();
    endpoints.put(kpManager.getAddress(), kpManager);
    endpoints.put(kpEmployee.getAddress(), kpEmployee);
    // 定义节点参与方列表;
    final Map<Bytes, BlockchainKeypair> nodes = new HashMap<>();
    nodes.put(kpPlatform.getAddress(), kpPlatform);
    // 创建一项与指定的终端用户和节点参与方相关的安全策略;
    SecurityPolicy policy = securityManager.getSecurityPolicy(endpoints.keySet(), nodes.keySet());
    // 校验安全策略的正确性;
    LedgerPermission[] ledgerPermissions = LedgerPermission.values();
    for (LedgerPermission p : ledgerPermissions) {
        // 终端节点有 ADMIN 和 OPERATOR 两种角色的合并权限;
        if (p == LedgerPermission.REGISTER_USER || p == LedgerPermission.REGISTER_DATA_ACCOUNT || p == LedgerPermission.WRITE_DATA_ACCOUNT) {
            assertTrue(policy.isEndpointEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
        } else {
            assertFalse(policy.isEndpointEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
        }
        if (p == LedgerPermission.APPROVE_TX) {
            // 共识参与方只有 PLATFORM 角色的权限:核准交易;
            assertTrue(policy.isNodeEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
        } else {
            assertFalse(policy.isNodeEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
        }
    }
    TransactionPermission[] transactionPermissions = TransactionPermission.values();
    for (TransactionPermission p : transactionPermissions) {
        // 终端节点有 ADMIN 和 OPERATOR 两种角色的合并权限;
        if (p == TransactionPermission.DIRECT_OPERATION || p == TransactionPermission.CONTRACT_OPERATION) {
            assertTrue(policy.isEndpointEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
        } else {
            assertFalse(policy.isEndpointEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
        }
        assertFalse(policy.isNodeEnable(p, MultiIDsPolicy.AT_LEAST_ONE));
    }
}
Also used : RolePrivilegeDataset(com.jd.blockchain.ledger.core.RolePrivilegeDataset) LedgerSecurityManager(com.jd.blockchain.ledger.core.LedgerSecurityManager) TransactionPermission(com.jd.blockchain.ledger.TransactionPermission) HashMap(java.util.HashMap) ParticipantCollection(com.jd.blockchain.ledger.core.ParticipantCollection) LedgerPermission(com.jd.blockchain.ledger.LedgerPermission) BlockchainKeypair(com.jd.blockchain.ledger.BlockchainKeypair) Bytes(utils.Bytes) UserRoleDatasetEditor(com.jd.blockchain.ledger.core.UserRoleDatasetEditor) LedgerSecurityManagerImpl(com.jd.blockchain.ledger.core.LedgerSecurityManagerImpl) MemoryKVStorage(com.jd.blockchain.storage.service.utils.MemoryKVStorage) Privileges(com.jd.blockchain.ledger.Privileges) SecurityPolicy(com.jd.blockchain.ledger.SecurityPolicy) UserAccountSet(com.jd.blockchain.ledger.core.UserAccountSet) Test(org.junit.Test)

Example 3 with UserRoleDatasetEditor

use of com.jd.blockchain.ledger.core.UserRoleDatasetEditor in project jdchain-core by blockchain-jd-com.

the class LedgerSecurityManagerTest method createUserRoleDataset.

private UserRoleDatasetEditor createUserRoleDataset(MemoryKVStorage testStorage) {
    String prefix = "user-roles/";
    UserRoleDatasetEditor userRolesDataset = new UserRoleDatasetEditor(CRYPTO_SETTINGS, prefix, testStorage, testStorage, LedgerDataStructure.MERKLE_TREE);
    return userRolesDataset;
}
Also used : UserRoleDatasetEditor(com.jd.blockchain.ledger.core.UserRoleDatasetEditor)

Example 4 with UserRoleDatasetEditor

use of com.jd.blockchain.ledger.core.UserRoleDatasetEditor in project jdchain-core by blockchain-jd-com.

the class UserRoleDatasetTest method testAddUserRoles.

@Test
public void testAddUserRoles() {
    CryptoConfig cryptoConfig = new CryptoConfig();
    cryptoConfig.setAutoVerifyHash(true);
    cryptoConfig.setSupportedProviders(SUPPORTED_PROVIDERS);
    cryptoConfig.setHashAlgorithm(HASH_ALGORITHM);
    MemoryKVStorage testStorage = new MemoryKVStorage();
    String prefix = "user-roles/";
    UserRoleDatasetEditor userRolesDataset = new UserRoleDatasetEditor(cryptoConfig, prefix, testStorage, testStorage, LedgerDataStructure.MERKLE_TREE);
    BlockchainKeypair bckp = BlockchainKeyGenerator.getInstance().generate();
    String[] authRoles = { "DEFAULT", "MANAGER" };
    userRolesDataset.addUserRoles(bckp.getAddress(), RolesPolicy.UNION, authRoles);
    userRolesDataset.commit();
    assertEquals(1, userRolesDataset.getUserCount());
    UserRoles userRoles = userRolesDataset.getUserRoles(bckp.getAddress());
    assertNotNull(userRoles);
    String[] roles = userRoles.getRoles();
    assertEquals(2, roles.length);
    assertArrayEquals(authRoles, roles);
    assertEquals(RolesPolicy.UNION, userRoles.getPolicy());
}
Also used : UserRoleDatasetEditor(com.jd.blockchain.ledger.core.UserRoleDatasetEditor) MemoryKVStorage(com.jd.blockchain.storage.service.utils.MemoryKVStorage) UserRoles(com.jd.blockchain.ledger.UserRoles) BlockchainKeypair(com.jd.blockchain.ledger.BlockchainKeypair) CryptoConfig(com.jd.blockchain.ledger.core.CryptoConfig) Test(org.junit.Test)

Aggregations

UserRoleDatasetEditor (com.jd.blockchain.ledger.core.UserRoleDatasetEditor)4 BlockchainKeypair (com.jd.blockchain.ledger.BlockchainKeypair)2 SecurityPolicy (com.jd.blockchain.ledger.SecurityPolicy)2 UserRoles (com.jd.blockchain.ledger.UserRoles)2 MemoryKVStorage (com.jd.blockchain.storage.service.utils.MemoryKVStorage)2 Test (org.junit.Test)2 Bytes (utils.Bytes)2 LedgerPermission (com.jd.blockchain.ledger.LedgerPermission)1 Privileges (com.jd.blockchain.ledger.Privileges)1 RoleDoesNotExistException (com.jd.blockchain.ledger.RoleDoesNotExistException)1 RolePrivilegeSettings (com.jd.blockchain.ledger.RolePrivilegeSettings)1 RolesPolicy (com.jd.blockchain.ledger.RolesPolicy)1 TransactionPermission (com.jd.blockchain.ledger.TransactionPermission)1 UserAuthorizationSettings (com.jd.blockchain.ledger.UserAuthorizationSettings)1 UserRolesEntry (com.jd.blockchain.ledger.UserAuthorizeOperation.UserRolesEntry)1 CryptoConfig (com.jd.blockchain.ledger.core.CryptoConfig)1 LedgerSecurityManager (com.jd.blockchain.ledger.core.LedgerSecurityManager)1 LedgerSecurityManagerImpl (com.jd.blockchain.ledger.core.LedgerSecurityManagerImpl)1 ParticipantCollection (com.jd.blockchain.ledger.core.ParticipantCollection)1 RolePrivilegeDataset (com.jd.blockchain.ledger.core.RolePrivilegeDataset)1