FAB-2062 - OU-based policy checks

This change set adds support for policy principals specified by the
Organizational Unit specified in the Subject Distinguished Name.

Change-Id: Ibb8ca6558666e010db92ad69ffb51f3189fe6737
Signed-off-by: Alessandro Sorniotti <ale.linux@sopit.net>

common/cauthdsl/cauthdsl.go

@@ -120,8 +120,8 @@ func (id *mockIdentity) Validate() error {
 	return nil
 }
 
-func (id *mockIdentity) GetOrganizationUnits() string {
-	return "dunno"
+func (id *mockIdentity) GetOrganizationalUnits() []string {
+	return []string{"dunno"}
 }
 
 func (id *mockIdentity) Verify(msg []byte, sig []byte) error {

msp/identities.go

@@ -70,10 +70,13 @@ func (id *identity) Validate() error {
 	return id.msp.Validate(id)
 }
 
-// GetOrganizationUnits returns the OU for this instance
-func (id *identity) GetOrganizationUnits() string {
-	// TODO
-	return "dunno"
+// GetOrganizationalUnits returns the OU for this instance
+func (id *identity) GetOrganizationalUnits() []string {
+	if id.cert == nil {
+		return nil
+	}
+
+	return id.cert.Subject.OrganizationalUnit
 }
 
 // NewSerializedIdentity returns a serialized identity

msp/msp.go

@@ -119,22 +119,20 @@ type Identity interface {
 	// authority.
 	Validate() error
 
-	// TODO: Fix this comment
-	// GetOrganizationUnits returns the participant this identity is related to
-	// as long as this is public information. In certain implementations
-	// this could be implemented by certain attributes that are publicly
-	// associated to that identity, or the identifier of the root certificate
-	// authority that has provided signatures on this certificate.
+	// GetOrganizationalUnits returns zero or more organization units or
+	// divisions this identity is related to as long as this is public
+	// information. Certain MSP implementations may use attributes
+	// that are publicly associated to this identity, or the identifier of
+	// the root certificate authority that has provided signatures on this
+	// certificate.
 	// Examples:
-	//  - ParticipantID of a fabric-tcert that was signed by TCA under name
-	//    "Organization 1", would be "Organization 1".
-	//  - ParticipantID of an alternative implementation of tcert signed by a public
-	//    CA used by organization "Organization 1", could be provided in the clear
-	//    as part of that tcert structure that this call would be able to return.
-	// TODO: check if we need a dedicated type for participantID properly namespaced by the associated provider identifier.
-	GetOrganizationUnits() string
-
-	// TODO: Discuss GetOU() further.
+	//  - if the identity is an x.509 certificate, this function returns one
+	//    or more string which is encoded in the Subject's Distinguished Name
+	//    of the type OU
+	// TODO: For X.509 based identities, check if we need a dedicated type
+	//       for OU where the Certificate OU is properly namespaced by the
+	//       signer's identity
+	GetOrganizationalUnits() []string
 
 	// Verify a signature over some message using this identity as reference
 	Verify(msg []byte, sig []byte) error

msp/msp_test.go

@@ -24,6 +24,7 @@ import (
 	"fmt"
 
 	"github.com/golang/protobuf/proto"
+	"github.com/hyperledger/fabric/protos/common"
 	"github.com/hyperledger/fabric/protos/msp"
 	"github.com/stretchr/testify/assert"
 )
@@ -249,6 +250,33 @@ func TestSignAndVerify_longMessage(t *testing.T) {
 	}
 }
 
+func TestGetOU(t *testing.T) {
+	id, err := localMsp.GetDefaultSigningIdentity()
+	if err != nil {
+		t.Fatalf("GetSigningIdentity should have succeeded")
+		return
+	}
+
+	assert.Equal(t, "COP", id.GetOrganizationalUnits()[0])
+}
+
+func TestOUPolicyPrincipal(t *testing.T) {
+	id, err := localMsp.GetDefaultSigningIdentity()
+	assert.NoError(t, err)
+
+	ou := &common.OrganizationUnit{OrganizationalUnitIdentifier: "COP", MspIdentifier: "DEFAULT"}
+	bytes, err := proto.Marshal(ou)
+	assert.NoError(t, err)
+
+	principal := &common.MSPPrincipal{
+		PrincipalClassification: common.MSPPrincipal_ORGANIZATION_UNIT,
+		Principal:               bytes,
+	}
+
+	err = id.SatisfiesPrincipal(principal)
+	assert.NoError(t, err)
+}
+
 var conf *msp.MSPConfig
 var localMsp MSP
 var mspMgr MSPManager

msp/mspimpl.go

@@ -395,7 +395,35 @@ func (msp *bccspmsp) SatisfiesPrincipal(id Identity, principal *common.MSPPrinci
 			return errors.New("The identities do not match")
 		}
 	case common.MSPPrincipal_ORGANIZATION_UNIT:
-		panic("Not yet implemented")
+		// Principal contains the OrganizationUnit
+		OU := &common.OrganizationUnit{}
+		err := proto.Unmarshal(principal.Principal, OU)
+		if err != nil {
+			return fmt.Errorf("Could not unmarshal OrganizationUnit from principal, err %s", err)
+		}
+
+		// at first, we check whether the MSP
+		// identifier is the same as that of the identity
+		if OU.MspIdentifier != msp.name {
+			return fmt.Errorf("The identity is a member of a different MSP (expected %s, got %s)", OU.MspIdentifier, id.GetMSPIdentifier())
+		}
+
+		// we then check if the identity is valid with this MSP
+		// and fail if it is not
+		err = msp.Validate(id)
+		if err != nil {
+			return err
+		}
+
+		// now we check whether any of this identity's OUs match the requested one
+		for _, ou := range id.GetOrganizationalUnits() {
+			if ou == OU.OrganizationalUnitIdentifier {
+				return nil
+			}
+		}
+
+		// if we are here, no match was found, return an error
+		return errors.New("The identities do not match")
 	default:
 		return fmt.Errorf("Invalid principal type %d", int32(principal.PrincipalClassification))
 	}

msp/noopmsp.go

@@ -92,8 +92,8 @@ func (id *noopidentity) Validate() error {
 	return nil
 }
 
-func (id *noopidentity) GetOrganizationUnits() string {
-	return "dunno"
+func (id *noopidentity) GetOrganizationalUnits() []string {
+	return []string{"dunno"}
 }
 
 func (id *noopidentity) Verify(msg []byte, sig []byte) error {