func (t *AssetManagementChaincode) Init(stub *shim.ChaincodeStub, function string, args []string) ([]byte, error) {
myLogger.Info("[AssetManagementChaincode] Init")
if len(args) != 0 {
return nil, errors.New("Incorrect number of arguments. Expecting 0")
}
// Create ownership table
err := stub.CreateTable("AssetsOwnership", []*shim.ColumnDefinition{
&shim.ColumnDefinition{"Asset", shim.ColumnDefinition_STRING, true},
&shim.ColumnDefinition{"Owner", shim.ColumnDefinition_BYTES, false},
})
if err != nil {
return nil, errors.New("Failed creating AssetsOnwership table.")
}
// Set the role of the users that are allowed to assign assets
// The metadata will contain the role of the users that are allowed to assign assets
assignerRole, err := stub.GetCallerMetadata()
if err != nil {
return nil, errors.New("Failed getting metadata.")
}
if len(assignerRole) == 0 {
return nil, errors.New("Invalid assigner role. Empty.")
}
stub.PutState("assignerRole", assignerRole)
return nil, nil
}
func (t *AssetManagementChaincode) isCaller(stub *shim.ChaincodeStub, certificate []byte) (bool, error) {
// In order to enforce access control, we require that the
// metadata contains the signature under the signing key corresponding
// to the verification key inside certificate of
// the payload of the transaction (namely, function name and args) and
// the transaction binding (to avoid copying attacks)
// Verify \sigma=Sign(certificate.sk, tx.Payload||tx.Binding) against certificate.vk
// \sigma is in the metadata
sigma, err := stub.GetCallerMetadata()
if err != nil {
return false, errors.New("Failed getting metadata")
}
payload, err := stub.GetPayload()
if err != nil {
return false, errors.New("Failed getting payload")
}
binding, err := stub.GetBinding()
if err != nil {
return false, errors.New("Failed getting binding")
}
myLogger.Debug("passed certificate [% x]", certificate)
myLogger.Debug("passed sigma [% x]", sigma)
myLogger.Debug("passed payload [% x]", payload)
myLogger.Debug("passed binding [% x]", binding)
return stub.VerifySignature(
certificate,
sigma,
append(payload, binding...),
)
}
// Init method will be called during deployment.
// The deploy transaction metadata is supposed to contain the administrator cert
func (t *AssetManagementChaincode) Init(stub *shim.ChaincodeStub, function string, args []string) ([]byte, error) {
myLogger.Debug("Init Chaincode...")
if len(args) != 0 {
return nil, errors.New("Incorrect number of arguments. Expecting 0")
}
// Create ownership table
err := stub.CreateTable("AssetsOwnership", []*shim.ColumnDefinition{
&shim.ColumnDefinition{Name: "Asset", Type: shim.ColumnDefinition_STRING, Key: true},
&shim.ColumnDefinition{Name: "Owner", Type: shim.ColumnDefinition_BYTES, Key: false},
})
if err != nil {
return nil, errors.New("Failed creating AssetsOnwership table.")
}
// Set the admin
// The metadata will contain the certificate of the administrator
adminCert, err := stub.GetCallerMetadata()
if err != nil {
myLogger.Debug("Failed getting metadata")
return nil, errors.New("Failed getting metadata.")
}
if len(adminCert) == 0 {
myLogger.Debug("Invalid admin certificate. Empty.")
return nil, errors.New("Invalid admin certificate. Empty.")
}
myLogger.Debug("The administrator is [%x]", adminCert)
stub.PutState("admin", adminCert)
myLogger.Debug("Init Chaincode...done")
return nil, nil
}
// Init method will be called during deployment
func (t *RBACChaincode) Init(stub *shim.ChaincodeStub, function string, args []string) ([]byte, error) {
// Init the crypto layer
if err := crypto.Init(); err != nil {
panic(fmt.Errorf("Failed initializing the crypto layer [%s]", err))
}
myLogger.Info("Init")
// if len(args) != 0 {
// return nil, errors.New("Incorrect number of arguments. Expecting 0")
// }
myLogger.Debug("Creating RBAC Table...")
// Create RBAC table
err := stub.CreateTable("RBAC", []*shim.ColumnDefinition{
&shim.ColumnDefinition{Name: "ID", Type: shim.ColumnDefinition_BYTES, Key: true},
&shim.ColumnDefinition{Name: "Roles", Type: shim.ColumnDefinition_STRING, Key: false},
})
if err != nil {
return nil, errors.New("Failed creating RBAC table.")
}
myLogger.Debug("Assign 'admin' role...")
// Give to the deployer the role 'admin'
deployer, err := stub.GetCallerMetadata()
if err != nil {
return nil, errors.New("Failed getting metadata.")
}
if len(deployer) == 0 {
return nil, errors.New("Invalid admin certificate. Empty.")
}
myLogger.Debug("Add admin [% x][%s]", deployer, "admin")
ok, err := stub.InsertRow("RBAC", shim.Row{
Columns: []*shim.Column{
&shim.Column{Value: &shim.Column_Bytes{Bytes: deployer}},
&shim.Column{Value: &shim.Column_String_{String_: "admin"}},
},
})
if !ok && err == nil {
return nil, fmt.Errorf("Failed initiliazing RBAC entries.")
}
if err != nil {
return nil, fmt.Errorf("Failed initiliazing RBAC entries [%s]", err)
}
myLogger.Debug("Done.")
return nil, nil
}
func (t *RBACChaincode) hasInvokerRole(stub *shim.ChaincodeStub, role string) (bool, []byte, error) {
// In order to enforce access control, we require that the
// metadata contains the following items:
// 1. a certificate Cert
// 2. a signature Sigma under the signing key corresponding
// to the verification key inside Cert of :
// (a) Cert;
// (b) The payload of the transaction (namely, function name and args) and
// (c) the transaction binding.
// Verify Sigma=Sign(certificate.sk, Cert||tx.Payload||tx.Binding) against Cert.vk
// Unmarshall metadata
metadata, err := stub.GetCallerMetadata()
rbacMetadata := new(RBACMetadata)
_, err = asn1.Unmarshal(metadata, rbacMetadata)
if err != nil {
return false, nil, fmt.Errorf("Failed unmarshalling metadata [%s]", err)
}
// Verify signature
payload, err := stub.GetPayload()
if err != nil {
return false, nil, errors.New("Failed getting payload")
}
binding, err := stub.GetBinding()
if err != nil {
return false, nil, errors.New("Failed getting binding")
}
myLogger.Debug("passed certificate [% x]", rbacMetadata.Cert)
myLogger.Debug("passed sigma [% x]", rbacMetadata.Sigma)
myLogger.Debug("passed payload [% x]", payload)
myLogger.Debug("passed binding [% x]", binding)
ok, err := stub.VerifySignature(
rbacMetadata.Cert,
rbacMetadata.Sigma,
append(rbacMetadata.Cert, append(payload, binding...)...),
)
if err != nil {
return false, nil, fmt.Errorf("Failed verifying signature [%s]", err)
}
if !ok {
return false, nil, fmt.Errorf("Signature is not valid!")
}
myLogger.Debug("Signature verified. Check for role...")
myLogger.Debug("ID [% x]", rbacMetadata.Cert)
// Check role
var columns []shim.Column
idCol := shim.Column{Value: &shim.Column_Bytes{Bytes: rbacMetadata.Cert}}
columns = append(columns, idCol)
row, err := stub.GetRow("RBAC", columns)
if err != nil {
return false, nil, fmt.Errorf("Failed retrieveing RBAC row [%s]", err)
}
if len(row.GetColumns()) == 0 {
return false, nil, fmt.Errorf("Failed retrieveing RBAC row [%s]", err)
}
myLogger.Debug("#Columns: [%d]", len(row.Columns))
roles := row.Columns[1].GetString_()
result := strings.Split(roles, " ")
for i := range result {
if result[i] == role {
myLogger.Debug("Role found.")
return true, rbacMetadata.Cert, nil
}
}
myLogger.Debug("Role not found.")
return false, nil, nil
}