@@ -7,6 +7,7 @@ import java.util.Map; | |||||
import java.util.Set; | import java.util.Set; | ||||
import java.util.concurrent.ConcurrentHashMap; | import java.util.concurrent.ConcurrentHashMap; | ||||
import com.jd.blockchain.ledger.LedgerInitSetting; | |||||
import com.jd.blockchain.ledger.LedgerPermission; | import com.jd.blockchain.ledger.LedgerPermission; | ||||
import com.jd.blockchain.ledger.LedgerSecurityException; | import com.jd.blockchain.ledger.LedgerSecurityException; | ||||
import com.jd.blockchain.ledger.RolePrivilegeSettings; | import com.jd.blockchain.ledger.RolePrivilegeSettings; | ||||
@@ -29,9 +30,9 @@ public class LedgerSecurityManagerImpl implements LedgerSecurityManager { | |||||
private UserRoleSettings userRolesSettings; | private UserRoleSettings userRolesSettings; | ||||
//用户的权限配置 | |||||
// 用户的权限配置 | |||||
private Map<Bytes, UserRolesPrivileges> userPrivilegesCache = new ConcurrentHashMap<>(); | private Map<Bytes, UserRolesPrivileges> userPrivilegesCache = new ConcurrentHashMap<>(); | ||||
private Map<Bytes, UserRoles> userRolesCache = new ConcurrentHashMap<>(); | private Map<Bytes, UserRoles> userRolesCache = new ConcurrentHashMap<>(); | ||||
private Map<String, RolePrivileges> rolesPrivilegeCache = new ConcurrentHashMap<>(); | private Map<String, RolePrivileges> rolesPrivilegeCache = new ConcurrentHashMap<>(); | ||||
@@ -39,7 +40,13 @@ public class LedgerSecurityManagerImpl implements LedgerSecurityManager { | |||||
this.rolePrivilegeSettings = rolePrivilegeSettings; | this.rolePrivilegeSettings = rolePrivilegeSettings; | ||||
this.userRolesSettings = userRolesSettings; | this.userRolesSettings = userRolesSettings; | ||||
} | } | ||||
public static void initSecuritySettings(LedgerInitSetting initSettings, LedgerEditor editor) { | |||||
} | |||||
@Override | @Override | ||||
public SecurityPolicy createSecurityPolicy(Set<Bytes> endpoints, Set<Bytes> nodes) { | public SecurityPolicy createSecurityPolicy(Set<Bytes> endpoints, Set<Bytes> nodes) { | ||||
Map<Bytes, UserRolesPrivileges> endpointPrivilegeMap = new HashMap<>(); | Map<Bytes, UserRolesPrivileges> endpointPrivilegeMap = new HashMap<>(); | ||||
@@ -8,7 +8,6 @@ import com.jd.blockchain.crypto.HashDigest; | |||||
import com.jd.blockchain.ledger.BlockBody; | import com.jd.blockchain.ledger.BlockBody; | ||||
import com.jd.blockchain.ledger.BlockRollbackException; | import com.jd.blockchain.ledger.BlockRollbackException; | ||||
import com.jd.blockchain.ledger.CryptoSetting; | import com.jd.blockchain.ledger.CryptoSetting; | ||||
import com.jd.blockchain.ledger.DigitalSignature; | |||||
import com.jd.blockchain.ledger.IllegalTransactionException; | import com.jd.blockchain.ledger.IllegalTransactionException; | ||||
import com.jd.blockchain.ledger.LedgerBlock; | import com.jd.blockchain.ledger.LedgerBlock; | ||||
import com.jd.blockchain.ledger.LedgerDataSnapshot; | import com.jd.blockchain.ledger.LedgerDataSnapshot; | ||||
@@ -16,15 +15,12 @@ import com.jd.blockchain.ledger.LedgerInitSetting; | |||||
import com.jd.blockchain.ledger.LedgerSettings; | import com.jd.blockchain.ledger.LedgerSettings; | ||||
import com.jd.blockchain.ledger.LedgerTransaction; | import com.jd.blockchain.ledger.LedgerTransaction; | ||||
import com.jd.blockchain.ledger.OperationResult; | import com.jd.blockchain.ledger.OperationResult; | ||||
import com.jd.blockchain.ledger.TransactionContent; | |||||
import com.jd.blockchain.ledger.TransactionRequest; | import com.jd.blockchain.ledger.TransactionRequest; | ||||
import com.jd.blockchain.ledger.TransactionRollbackException; | import com.jd.blockchain.ledger.TransactionRollbackException; | ||||
import com.jd.blockchain.ledger.TransactionState; | import com.jd.blockchain.ledger.TransactionState; | ||||
import com.jd.blockchain.storage.service.ExPolicyKVStorage; | import com.jd.blockchain.storage.service.ExPolicyKVStorage; | ||||
import com.jd.blockchain.storage.service.VersioningKVStorage; | import com.jd.blockchain.storage.service.VersioningKVStorage; | ||||
import com.jd.blockchain.storage.service.utils.BufferedKVStorage; | import com.jd.blockchain.storage.service.utils.BufferedKVStorage; | ||||
import com.jd.blockchain.transaction.SignatureUtils; | |||||
import com.jd.blockchain.transaction.TxBuilder; | |||||
import com.jd.blockchain.utils.Bytes; | import com.jd.blockchain.utils.Bytes; | ||||
import com.jd.blockchain.utils.codec.Base58Utils; | import com.jd.blockchain.utils.codec.Base58Utils; | ||||
@@ -92,7 +92,7 @@ public class RolePrivilegeDataset implements Transactional, MerkleProvable, Role | |||||
} | } | ||||
/** | /** | ||||
* 设置角色授权; <br> | |||||
* 设置角色权限; <br> | |||||
* 如果版本校验不匹配,则返回 -1; | * 如果版本校验不匹配,则返回 -1; | ||||
* | * | ||||
* @param roleAuth | * @param roleAuth | ||||
@@ -108,7 +108,7 @@ public class RolePrivilegeDataset implements Transactional, MerkleProvable, Role | |||||
} | } | ||||
/** | /** | ||||
* 更新角色授权; <br> | |||||
* 更新角色权限; <br> | |||||
* 如果指定的角色不存在,或者版本不匹配,则引发 {@link LedgerException} 异常; | * 如果指定的角色不存在,或者版本不匹配,则引发 {@link LedgerException} 异常; | ||||
* | * | ||||
* @param participant | * @param participant | ||||
@@ -242,7 +242,7 @@ public class RolePrivilegeDataset implements Transactional, MerkleProvable, Role | |||||
} | } | ||||
/** | /** | ||||
* 查询角色授权; | |||||
* 查询角色权限; | |||||
* | * | ||||
* <br> | * <br> | ||||
* 如果不存在,则返回 null; | * 如果不存在,则返回 null; | ||||
@@ -279,4 +279,8 @@ public class RolePrivilegeDataset implements Transactional, MerkleProvable, Role | |||||
return getRolePrivileges(0, (int) getRoleCount()); | return getRolePrivileges(0, (int) getRoleCount()); | ||||
} | } | ||||
@Override | |||||
public boolean isReadonly() { | |||||
return dataset.isReadonly(); | |||||
} | |||||
} | } |
@@ -166,4 +166,9 @@ public class UserRoleDataset implements Transactional, MerkleProvable, UserRoleS | |||||
return pns; | return pns; | ||||
} | } | ||||
@Override | |||||
public boolean isReadonly() { | |||||
return dataset.isReadonly(); | |||||
} | |||||
} | } |
@@ -88,45 +88,45 @@ public class LedgerAdminDatasetTest { | |||||
MemoryKVStorage testStorage = new MemoryKVStorage(); | MemoryKVStorage testStorage = new MemoryKVStorage(); | ||||
// Create intance with init setting; | // Create intance with init setting; | ||||
LedgerAdminDataset ledgerAdminAccount = new LedgerAdminDataset(initSetting, keyPrefix, testStorage, | |||||
LedgerAdminDataset ledgerAdminDataset = new LedgerAdminDataset(initSetting, keyPrefix, testStorage, | |||||
testStorage); | testStorage); | ||||
ledgerAdminAccount.getRolePrivileges().addRolePrivilege("DEFAULT", | |||||
ledgerAdminDataset.getRolePrivileges().addRolePrivilege("DEFAULT", | |||||
new LedgerPermission[] { LedgerPermission.AUTHORIZE_ROLES, LedgerPermission.REGISTER_USER, | new LedgerPermission[] { LedgerPermission.AUTHORIZE_ROLES, LedgerPermission.REGISTER_USER, | ||||
LedgerPermission.APPROVE_TX }, | LedgerPermission.APPROVE_TX }, | ||||
new TransactionPermission[] { TransactionPermission.DIRECT_OPERATION, | new TransactionPermission[] { TransactionPermission.DIRECT_OPERATION, | ||||
TransactionPermission.CONTRACT_OPERATION }); | TransactionPermission.CONTRACT_OPERATION }); | ||||
ledgerAdminAccount.getUserRoles().addUserRoles(parties[0].getAddress(), RolesPolicy.UNION, "DEFAULT"); | |||||
ledgerAdminDataset.getUserRoles().addUserRoles(parties[0].getAddress(), RolesPolicy.UNION, "DEFAULT"); | |||||
// New created instance is updated until being committed; | // New created instance is updated until being committed; | ||||
assertTrue(ledgerAdminAccount.isUpdated()); | |||||
assertTrue(ledgerAdminDataset.isUpdated()); | |||||
// Hash of account is null until being committed; | // Hash of account is null until being committed; | ||||
assertNull(ledgerAdminAccount.getHash()); | |||||
assertNull(ledgerAdminDataset.getHash()); | |||||
LedgerMetadata_V2 meta = ledgerAdminAccount.getMetadata(); | |||||
LedgerMetadata_V2 meta = ledgerAdminDataset.getMetadata(); | |||||
assertNull(meta.getParticipantsHash()); | assertNull(meta.getParticipantsHash()); | ||||
// Commit, and check the storage keys; | // Commit, and check the storage keys; | ||||
ledgerAdminAccount.commit(); | |||||
ledgerAdminDataset.commit(); | |||||
// New created instance isn't updated after being committed; | // New created instance isn't updated after being committed; | ||||
assertFalse(ledgerAdminAccount.isUpdated()); | |||||
assertFalse(ledgerAdminDataset.isUpdated()); | |||||
// Hash of account isn't null after being committed; | // Hash of account isn't null after being committed; | ||||
assertNotNull(ledgerAdminAccount.getHash()); | |||||
assertNotNull(ledgerAdminDataset.getHash()); | |||||
meta = ledgerAdminAccount.getMetadata(); | |||||
meta = ledgerAdminDataset.getMetadata(); | |||||
assertNotNull(meta.getParticipantsHash()); | assertNotNull(meta.getParticipantsHash()); | ||||
assertNotNull(meta.getSettingsHash()); | assertNotNull(meta.getSettingsHash()); | ||||
assertNotNull(meta.getRolePrivilegesHash()); | assertNotNull(meta.getRolePrivilegesHash()); | ||||
assertNotNull(meta.getUserRolesHash()); | assertNotNull(meta.getUserRolesHash()); | ||||
assertNotNull(ledgerAdminAccount.getRolePrivileges().getRolePrivilege("DEFAULT")); | |||||
assertNotNull(ledgerAdminDataset.getRolePrivileges().getRolePrivilege("DEFAULT")); | |||||
// ---------------------- | // ---------------------- | ||||
// Reload account from storage with readonly mode, and check the integrity of | // Reload account from storage with readonly mode, and check the integrity of | ||||
// data; | // data; | ||||
HashDigest adminAccHash = ledgerAdminAccount.getHash(); | |||||
HashDigest adminAccHash = ledgerAdminDataset.getHash(); | |||||
LedgerAdminDataset reloadAdminAccount1 = new LedgerAdminDataset(adminAccHash, keyPrefix, testStorage, | LedgerAdminDataset reloadAdminAccount1 = new LedgerAdminDataset(adminAccHash, keyPrefix, testStorage, | ||||
testStorage, true); | testStorage, true); | ||||
@@ -137,15 +137,15 @@ public class LedgerAdminDatasetTest { | |||||
assertNotNull(meta2.getUserRolesHash()); | assertNotNull(meta2.getUserRolesHash()); | ||||
// verify realod settings of admin account; | // verify realod settings of admin account; | ||||
verifyRealoadingSettings(reloadAdminAccount1, adminAccHash, ledgerAdminAccount.getMetadata(), | |||||
ledgerAdminAccount.getSettings()); | |||||
verifyRealoadingSettings(reloadAdminAccount1, adminAccHash, ledgerAdminDataset.getMetadata(), | |||||
ledgerAdminDataset.getSettings()); | |||||
// verify the consensus participant list; | // verify the consensus participant list; | ||||
verifyRealoadingParities(reloadAdminAccount1, parties1); | verifyRealoadingParities(reloadAdminAccount1, parties1); | ||||
// It will throw exeception because of this account is readonly; | // It will throw exeception because of this account is readonly; | ||||
verifyReadonlyState(reloadAdminAccount1); | verifyReadonlyState(reloadAdminAccount1); | ||||
verifyRealoadingRoleAuthorizations(reloadAdminAccount1, ledgerAdminAccount.getRolePrivileges(), | |||||
ledgerAdminAccount.getUserRoles()); | |||||
verifyRealoadingRoleAuthorizations(reloadAdminAccount1, ledgerAdminDataset.getRolePrivileges(), | |||||
ledgerAdminDataset.getUserRoles()); | |||||
// -------------- | // -------------- | ||||
// 重新加载,并进行修改; | // 重新加载,并进行修改; | ||||
@@ -178,8 +178,8 @@ public class LedgerAdminDatasetTest { | |||||
// load the last version of account and verify again; | // load the last version of account and verify again; | ||||
LedgerAdminDataset previousAdminAccount = new LedgerAdminDataset(adminAccHash, keyPrefix, testStorage, | LedgerAdminDataset previousAdminAccount = new LedgerAdminDataset(adminAccHash, keyPrefix, testStorage, | ||||
testStorage, true); | testStorage, true); | ||||
verifyRealoadingSettings(previousAdminAccount, adminAccHash, ledgerAdminAccount.getMetadata(), | |||||
ledgerAdminAccount.getSettings()); | |||||
verifyRealoadingSettings(previousAdminAccount, adminAccHash, ledgerAdminDataset.getMetadata(), | |||||
ledgerAdminDataset.getSettings()); | |||||
verifyRealoadingParities(previousAdminAccount, parties1); | verifyRealoadingParities(previousAdminAccount, parties1); | ||||
verifyReadonlyState(previousAdminAccount); | verifyReadonlyState(previousAdminAccount); | ||||
@@ -1,16 +1,55 @@ | |||||
package com.jd.blockchain.ledger; | package com.jd.blockchain.ledger; | ||||
public interface RolePrivilegeSettings { | public interface RolePrivilegeSettings { | ||||
/** | /** | ||||
* 角色名称的最大 Unicode 字符数; | * 角色名称的最大 Unicode 字符数; | ||||
*/ | */ | ||||
public static final int MAX_ROLE_NAME_LENGTH = 20; | public static final int MAX_ROLE_NAME_LENGTH = 20; | ||||
/** | |||||
* 角色的数量; | |||||
* | |||||
* @return | |||||
*/ | |||||
long getRoleCount(); | long getRoleCount(); | ||||
/** | |||||
* 查询角色权限; | |||||
* | |||||
* <br> | |||||
* 如果不存在,则返回 null; | |||||
* | |||||
* @param address | |||||
* @return | |||||
*/ | |||||
RolePrivileges getRolePrivilege(String roleName); | |||||
/** | |||||
* 返回指定位置的角色权限; | |||||
* | |||||
* @param index | |||||
* @param count | |||||
* @return | |||||
*/ | |||||
RolePrivileges[] getRolePrivileges(int index, int count); | |||||
/** | /** | ||||
* 加入新的角色授权; <br> | |||||
* 返回所有的角色权限; | |||||
* | |||||
* @return | |||||
*/ | |||||
RolePrivileges[] getRolePrivileges(); | |||||
/** | |||||
* 是否只读; | |||||
* | |||||
* @return | |||||
*/ | |||||
boolean isReadonly(); | |||||
/** | |||||
* 加入新的角色权限; <br> | |||||
* | * | ||||
* 如果指定的角色已经存在,则引发 {@link LedgerException} 异常; | * 如果指定的角色已经存在,则引发 {@link LedgerException} 异常; | ||||
* | * | ||||
@@ -21,7 +60,7 @@ public interface RolePrivilegeSettings { | |||||
long addRolePrivilege(String roleName, Privileges privileges); | long addRolePrivilege(String roleName, Privileges privileges); | ||||
/** | /** | ||||
* 加入新的角色授权; <br> | |||||
* 加入新的角色权限; <br> | |||||
* | * | ||||
* 如果指定的角色已经存在,则引发 {@link LedgerException} 异常; | * 如果指定的角色已经存在,则引发 {@link LedgerException} 异常; | ||||
* | * | ||||
@@ -32,7 +71,7 @@ public interface RolePrivilegeSettings { | |||||
long addRolePrivilege(String roleName, LedgerPrivilege ledgerPrivilege, TransactionPrivilege txPrivilege); | long addRolePrivilege(String roleName, LedgerPrivilege ledgerPrivilege, TransactionPrivilege txPrivilege); | ||||
/** | /** | ||||
* 加入新的角色授权; <br> | |||||
* 加入新的角色权限; <br> | |||||
* | * | ||||
* 如果指定的角色已经存在,则引发 {@link LedgerException} 异常; | * 如果指定的角色已经存在,则引发 {@link LedgerException} 异常; | ||||
* | * | ||||
@@ -45,7 +84,7 @@ public interface RolePrivilegeSettings { | |||||
long addRolePrivilege(String roleName, LedgerPermission[] ledgerPermissions, TransactionPermission[] txPermissions); | long addRolePrivilege(String roleName, LedgerPermission[] ledgerPermissions, TransactionPermission[] txPermissions); | ||||
/** | /** | ||||
* 更新角色授权; <br> | |||||
* 更新角色权限; <br> | |||||
* 如果指定的角色不存在,或者版本不匹配,则引发 {@link LedgerException} 异常; | * 如果指定的角色不存在,或者版本不匹配,则引发 {@link LedgerException} 异常; | ||||
* | * | ||||
* @param participant | * @param participant | ||||
@@ -116,19 +155,4 @@ public interface RolePrivilegeSettings { | |||||
long disablePermissions(String roleName, LedgerPermission[] ledgerPermissions, | long disablePermissions(String roleName, LedgerPermission[] ledgerPermissions, | ||||
TransactionPermission[] txPermissions); | TransactionPermission[] txPermissions); | ||||
/** | |||||
* 查询角色授权; | |||||
* | |||||
* <br> | |||||
* 如果不存在,则返回 null; | |||||
* | |||||
* @param address | |||||
* @return | |||||
*/ | |||||
RolePrivileges getRolePrivilege(String roleName); | |||||
RolePrivileges[] getRolePrivileges(int index, int count); | |||||
RolePrivileges[] getRolePrivileges(); | |||||
} | } |
@@ -16,6 +16,31 @@ public interface UserRoleSettings { | |||||
*/ | */ | ||||
long getUserCount(); | long getUserCount(); | ||||
/** | |||||
* 查询角色授权; | |||||
* | |||||
* <br> | |||||
* 如果不存在,则返回 null; | |||||
* | |||||
* @param address | |||||
* @return | |||||
*/ | |||||
UserRoles getUserRoles(Bytes userAddress); | |||||
/** | |||||
* 返回全部的用户授权; | |||||
* | |||||
* @return | |||||
*/ | |||||
UserRoles[] getUserRoles(); | |||||
/** | |||||
* 是否只读; | |||||
* | |||||
* @return | |||||
*/ | |||||
boolean isReadonly(); | |||||
/** | /** | ||||
* 加入新的用户角色授权; <br> | * 加入新的用户角色授权; <br> | ||||
* | * | ||||
@@ -46,22 +71,4 @@ public interface UserRoleSettings { | |||||
*/ | */ | ||||
long setRoles(Bytes userAddress, RolesPolicy policy, String... roles); | long setRoles(Bytes userAddress, RolesPolicy policy, String... roles); | ||||
/** | |||||
* 查询角色授权; | |||||
* | |||||
* <br> | |||||
* 如果不存在,则返回 null; | |||||
* | |||||
* @param address | |||||
* @return | |||||
*/ | |||||
UserRoles getUserRoles(Bytes userAddress); | |||||
/** | |||||
* 返回全部的用户授权; | |||||
* | |||||
* @return | |||||
*/ | |||||
UserRoles[] getUserRoles(); | |||||
} | } |