@@ -7,6 +7,7 @@ import java.util.Map; | |||
import java.util.Set; | |||
import java.util.concurrent.ConcurrentHashMap; | |||
import com.jd.blockchain.ledger.LedgerInitSetting; | |||
import com.jd.blockchain.ledger.LedgerPermission; | |||
import com.jd.blockchain.ledger.LedgerSecurityException; | |||
import com.jd.blockchain.ledger.RolePrivilegeSettings; | |||
@@ -29,9 +30,9 @@ public class LedgerSecurityManagerImpl implements LedgerSecurityManager { | |||
private UserRoleSettings userRolesSettings; | |||
//用户的权限配置 | |||
// 用户的权限配置 | |||
private Map<Bytes, UserRolesPrivileges> userPrivilegesCache = new ConcurrentHashMap<>(); | |||
private Map<Bytes, UserRoles> userRolesCache = new ConcurrentHashMap<>(); | |||
private Map<String, RolePrivileges> rolesPrivilegeCache = new ConcurrentHashMap<>(); | |||
@@ -39,7 +40,13 @@ public class LedgerSecurityManagerImpl implements LedgerSecurityManager { | |||
this.rolePrivilegeSettings = rolePrivilegeSettings; | |||
this.userRolesSettings = userRolesSettings; | |||
} | |||
public static void initSecuritySettings(LedgerInitSetting initSettings, LedgerEditor editor) { | |||
} | |||
@Override | |||
public SecurityPolicy createSecurityPolicy(Set<Bytes> endpoints, Set<Bytes> nodes) { | |||
Map<Bytes, UserRolesPrivileges> endpointPrivilegeMap = new HashMap<>(); | |||
@@ -8,7 +8,6 @@ import com.jd.blockchain.crypto.HashDigest; | |||
import com.jd.blockchain.ledger.BlockBody; | |||
import com.jd.blockchain.ledger.BlockRollbackException; | |||
import com.jd.blockchain.ledger.CryptoSetting; | |||
import com.jd.blockchain.ledger.DigitalSignature; | |||
import com.jd.blockchain.ledger.IllegalTransactionException; | |||
import com.jd.blockchain.ledger.LedgerBlock; | |||
import com.jd.blockchain.ledger.LedgerDataSnapshot; | |||
@@ -16,15 +15,12 @@ import com.jd.blockchain.ledger.LedgerInitSetting; | |||
import com.jd.blockchain.ledger.LedgerSettings; | |||
import com.jd.blockchain.ledger.LedgerTransaction; | |||
import com.jd.blockchain.ledger.OperationResult; | |||
import com.jd.blockchain.ledger.TransactionContent; | |||
import com.jd.blockchain.ledger.TransactionRequest; | |||
import com.jd.blockchain.ledger.TransactionRollbackException; | |||
import com.jd.blockchain.ledger.TransactionState; | |||
import com.jd.blockchain.storage.service.ExPolicyKVStorage; | |||
import com.jd.blockchain.storage.service.VersioningKVStorage; | |||
import com.jd.blockchain.storage.service.utils.BufferedKVStorage; | |||
import com.jd.blockchain.transaction.SignatureUtils; | |||
import com.jd.blockchain.transaction.TxBuilder; | |||
import com.jd.blockchain.utils.Bytes; | |||
import com.jd.blockchain.utils.codec.Base58Utils; | |||
@@ -92,7 +92,7 @@ public class RolePrivilegeDataset implements Transactional, MerkleProvable, Role | |||
} | |||
/** | |||
* 设置角色授权; <br> | |||
* 设置角色权限; <br> | |||
* 如果版本校验不匹配,则返回 -1; | |||
* | |||
* @param roleAuth | |||
@@ -108,7 +108,7 @@ public class RolePrivilegeDataset implements Transactional, MerkleProvable, Role | |||
} | |||
/** | |||
* 更新角色授权; <br> | |||
* 更新角色权限; <br> | |||
* 如果指定的角色不存在,或者版本不匹配,则引发 {@link LedgerException} 异常; | |||
* | |||
* @param participant | |||
@@ -242,7 +242,7 @@ public class RolePrivilegeDataset implements Transactional, MerkleProvable, Role | |||
} | |||
/** | |||
* 查询角色授权; | |||
* 查询角色权限; | |||
* | |||
* <br> | |||
* 如果不存在,则返回 null; | |||
@@ -279,4 +279,8 @@ public class RolePrivilegeDataset implements Transactional, MerkleProvable, Role | |||
return getRolePrivileges(0, (int) getRoleCount()); | |||
} | |||
@Override | |||
public boolean isReadonly() { | |||
return dataset.isReadonly(); | |||
} | |||
} |
@@ -166,4 +166,9 @@ public class UserRoleDataset implements Transactional, MerkleProvable, UserRoleS | |||
return pns; | |||
} | |||
@Override | |||
public boolean isReadonly() { | |||
return dataset.isReadonly(); | |||
} | |||
} |
@@ -88,45 +88,45 @@ public class LedgerAdminDatasetTest { | |||
MemoryKVStorage testStorage = new MemoryKVStorage(); | |||
// Create intance with init setting; | |||
LedgerAdminDataset ledgerAdminAccount = new LedgerAdminDataset(initSetting, keyPrefix, testStorage, | |||
LedgerAdminDataset ledgerAdminDataset = new LedgerAdminDataset(initSetting, keyPrefix, testStorage, | |||
testStorage); | |||
ledgerAdminAccount.getRolePrivileges().addRolePrivilege("DEFAULT", | |||
ledgerAdminDataset.getRolePrivileges().addRolePrivilege("DEFAULT", | |||
new LedgerPermission[] { LedgerPermission.AUTHORIZE_ROLES, LedgerPermission.REGISTER_USER, | |||
LedgerPermission.APPROVE_TX }, | |||
new TransactionPermission[] { TransactionPermission.DIRECT_OPERATION, | |||
TransactionPermission.CONTRACT_OPERATION }); | |||
ledgerAdminAccount.getUserRoles().addUserRoles(parties[0].getAddress(), RolesPolicy.UNION, "DEFAULT"); | |||
ledgerAdminDataset.getUserRoles().addUserRoles(parties[0].getAddress(), RolesPolicy.UNION, "DEFAULT"); | |||
// New created instance is updated until being committed; | |||
assertTrue(ledgerAdminAccount.isUpdated()); | |||
assertTrue(ledgerAdminDataset.isUpdated()); | |||
// Hash of account is null until being committed; | |||
assertNull(ledgerAdminAccount.getHash()); | |||
assertNull(ledgerAdminDataset.getHash()); | |||
LedgerMetadata_V2 meta = ledgerAdminAccount.getMetadata(); | |||
LedgerMetadata_V2 meta = ledgerAdminDataset.getMetadata(); | |||
assertNull(meta.getParticipantsHash()); | |||
// Commit, and check the storage keys; | |||
ledgerAdminAccount.commit(); | |||
ledgerAdminDataset.commit(); | |||
// New created instance isn't updated after being committed; | |||
assertFalse(ledgerAdminAccount.isUpdated()); | |||
assertFalse(ledgerAdminDataset.isUpdated()); | |||
// Hash of account isn't null after being committed; | |||
assertNotNull(ledgerAdminAccount.getHash()); | |||
assertNotNull(ledgerAdminDataset.getHash()); | |||
meta = ledgerAdminAccount.getMetadata(); | |||
meta = ledgerAdminDataset.getMetadata(); | |||
assertNotNull(meta.getParticipantsHash()); | |||
assertNotNull(meta.getSettingsHash()); | |||
assertNotNull(meta.getRolePrivilegesHash()); | |||
assertNotNull(meta.getUserRolesHash()); | |||
assertNotNull(ledgerAdminAccount.getRolePrivileges().getRolePrivilege("DEFAULT")); | |||
assertNotNull(ledgerAdminDataset.getRolePrivileges().getRolePrivilege("DEFAULT")); | |||
// ---------------------- | |||
// Reload account from storage with readonly mode, and check the integrity of | |||
// data; | |||
HashDigest adminAccHash = ledgerAdminAccount.getHash(); | |||
HashDigest adminAccHash = ledgerAdminDataset.getHash(); | |||
LedgerAdminDataset reloadAdminAccount1 = new LedgerAdminDataset(adminAccHash, keyPrefix, testStorage, | |||
testStorage, true); | |||
@@ -137,15 +137,15 @@ public class LedgerAdminDatasetTest { | |||
assertNotNull(meta2.getUserRolesHash()); | |||
// verify realod settings of admin account; | |||
verifyRealoadingSettings(reloadAdminAccount1, adminAccHash, ledgerAdminAccount.getMetadata(), | |||
ledgerAdminAccount.getSettings()); | |||
verifyRealoadingSettings(reloadAdminAccount1, adminAccHash, ledgerAdminDataset.getMetadata(), | |||
ledgerAdminDataset.getSettings()); | |||
// verify the consensus participant list; | |||
verifyRealoadingParities(reloadAdminAccount1, parties1); | |||
// It will throw exeception because of this account is readonly; | |||
verifyReadonlyState(reloadAdminAccount1); | |||
verifyRealoadingRoleAuthorizations(reloadAdminAccount1, ledgerAdminAccount.getRolePrivileges(), | |||
ledgerAdminAccount.getUserRoles()); | |||
verifyRealoadingRoleAuthorizations(reloadAdminAccount1, ledgerAdminDataset.getRolePrivileges(), | |||
ledgerAdminDataset.getUserRoles()); | |||
// -------------- | |||
// 重新加载,并进行修改; | |||
@@ -178,8 +178,8 @@ public class LedgerAdminDatasetTest { | |||
// load the last version of account and verify again; | |||
LedgerAdminDataset previousAdminAccount = new LedgerAdminDataset(adminAccHash, keyPrefix, testStorage, | |||
testStorage, true); | |||
verifyRealoadingSettings(previousAdminAccount, adminAccHash, ledgerAdminAccount.getMetadata(), | |||
ledgerAdminAccount.getSettings()); | |||
verifyRealoadingSettings(previousAdminAccount, adminAccHash, ledgerAdminDataset.getMetadata(), | |||
ledgerAdminDataset.getSettings()); | |||
verifyRealoadingParities(previousAdminAccount, parties1); | |||
verifyReadonlyState(previousAdminAccount); | |||
@@ -1,16 +1,55 @@ | |||
package com.jd.blockchain.ledger; | |||
public interface RolePrivilegeSettings { | |||
/** | |||
* 角色名称的最大 Unicode 字符数; | |||
*/ | |||
public static final int MAX_ROLE_NAME_LENGTH = 20; | |||
/** | |||
* 角色的数量; | |||
* | |||
* @return | |||
*/ | |||
long getRoleCount(); | |||
/** | |||
* 查询角色权限; | |||
* | |||
* <br> | |||
* 如果不存在,则返回 null; | |||
* | |||
* @param address | |||
* @return | |||
*/ | |||
RolePrivileges getRolePrivilege(String roleName); | |||
/** | |||
* 返回指定位置的角色权限; | |||
* | |||
* @param index | |||
* @param count | |||
* @return | |||
*/ | |||
RolePrivileges[] getRolePrivileges(int index, int count); | |||
/** | |||
* 加入新的角色授权; <br> | |||
* 返回所有的角色权限; | |||
* | |||
* @return | |||
*/ | |||
RolePrivileges[] getRolePrivileges(); | |||
/** | |||
* 是否只读; | |||
* | |||
* @return | |||
*/ | |||
boolean isReadonly(); | |||
/** | |||
* 加入新的角色权限; <br> | |||
* | |||
* 如果指定的角色已经存在,则引发 {@link LedgerException} 异常; | |||
* | |||
@@ -21,7 +60,7 @@ public interface RolePrivilegeSettings { | |||
long addRolePrivilege(String roleName, Privileges privileges); | |||
/** | |||
* 加入新的角色授权; <br> | |||
* 加入新的角色权限; <br> | |||
* | |||
* 如果指定的角色已经存在,则引发 {@link LedgerException} 异常; | |||
* | |||
@@ -32,7 +71,7 @@ public interface RolePrivilegeSettings { | |||
long addRolePrivilege(String roleName, LedgerPrivilege ledgerPrivilege, TransactionPrivilege txPrivilege); | |||
/** | |||
* 加入新的角色授权; <br> | |||
* 加入新的角色权限; <br> | |||
* | |||
* 如果指定的角色已经存在,则引发 {@link LedgerException} 异常; | |||
* | |||
@@ -45,7 +84,7 @@ public interface RolePrivilegeSettings { | |||
long addRolePrivilege(String roleName, LedgerPermission[] ledgerPermissions, TransactionPermission[] txPermissions); | |||
/** | |||
* 更新角色授权; <br> | |||
* 更新角色权限; <br> | |||
* 如果指定的角色不存在,或者版本不匹配,则引发 {@link LedgerException} 异常; | |||
* | |||
* @param participant | |||
@@ -116,19 +155,4 @@ public interface RolePrivilegeSettings { | |||
long disablePermissions(String roleName, LedgerPermission[] ledgerPermissions, | |||
TransactionPermission[] txPermissions); | |||
/** | |||
* 查询角色授权; | |||
* | |||
* <br> | |||
* 如果不存在,则返回 null; | |||
* | |||
* @param address | |||
* @return | |||
*/ | |||
RolePrivileges getRolePrivilege(String roleName); | |||
RolePrivileges[] getRolePrivileges(int index, int count); | |||
RolePrivileges[] getRolePrivileges(); | |||
} |
@@ -16,6 +16,31 @@ public interface UserRoleSettings { | |||
*/ | |||
long getUserCount(); | |||
/** | |||
* 查询角色授权; | |||
* | |||
* <br> | |||
* 如果不存在,则返回 null; | |||
* | |||
* @param address | |||
* @return | |||
*/ | |||
UserRoles getUserRoles(Bytes userAddress); | |||
/** | |||
* 返回全部的用户授权; | |||
* | |||
* @return | |||
*/ | |||
UserRoles[] getUserRoles(); | |||
/** | |||
* 是否只读; | |||
* | |||
* @return | |||
*/ | |||
boolean isReadonly(); | |||
/** | |||
* 加入新的用户角色授权; <br> | |||
* | |||
@@ -46,22 +71,4 @@ public interface UserRoleSettings { | |||
*/ | |||
long setRoles(Bytes userAddress, RolesPolicy policy, String... roles); | |||
/** | |||
* 查询角色授权; | |||
* | |||
* <br> | |||
* 如果不存在,则返回 null; | |||
* | |||
* @param address | |||
* @return | |||
*/ | |||
UserRoles getUserRoles(Bytes userAddress); | |||
/** | |||
* 返回全部的用户授权; | |||
* | |||
* @return | |||
*/ | |||
UserRoles[] getUserRoles(); | |||
} |