From 3e0481b7d1a7abfe7632ca86715341d410ac14ac Mon Sep 17 00:00:00 2001
From: Alessandro Sorniotti
Date: Wed, 22 Feb 2017 12:01:00 +0100
Subject: [PATCH] [FAB-2087] - support for admin policy principals

This change set introduces admin-based MSP and cauthdsl validation.

Change-Id: If6d6b69c2c13b0279988c254a9b86e4b63ead0e8
Signed-off-by: Alessandro Sorniotti
---
 msp/msp_test.go | 33 +++++++++++++++++++++++
 msp/mspimpl.go | 25 ++++++++++++++---
 msp/sampleconfig/admincerts/admincert.pem | 23 ++++++++--------
 3 files changed, 67 insertions(+), 14 deletions(-)

diff --git a/msp/msp_test.go b/msp/msp_test.go
index 776c078d079..67a3764eb88 100644
--- a/msp/msp_test.go
+++ b/msp/msp_test.go
@@ -277,6 +277,39 @@ func TestOUPolicyPrincipal(t *testing.T) {
 assert.NoError(t, err)
 }
 
+func TestAdminPolicyPrincipal(t *testing.T) {
+ id, err := localMsp.GetDefaultSigningIdentity()
+ assert.NoError(t, err)
+
+ principalBytes, err := proto.Marshal(&common.MSPRole{Role: common.MSPRole_ADMIN, MspIdentifier: "DEFAULT"})
+ assert.NoError(t, err)
+
+ principal := &common.MSPPrincipal{
+ PrincipalClassification: common.MSPPrincipal_ROLE,
+ Principal: principalBytes}
+
+ err = id.SatisfiesPrincipal(principal)
+ assert.NoError(t, err)
+}
+
+func TestAdminPolicyPrincipalFails(t *testing.T) {
+ id, err := localMsp.GetDefaultSigningIdentity()
+ assert.NoError(t, err)
+
+ principalBytes, err := proto.Marshal(&common.MSPRole{Role: common.MSPRole_ADMIN, MspIdentifier: "DEFAULT"})
+ assert.NoError(t, err)
+
+ principal := &common.MSPPrincipal{
+ PrincipalClassification: common.MSPPrincipal_ROLE,
+ Principal: principalBytes}
+
+ // remove the admin so validation will fail
+ localMsp.(*bccspmsp).admins = make([]Identity, 0)
+
+ err = id.SatisfiesPrincipal(principal)
+ assert.Error(t, err)
+}
+
 var conf *msp.MSPConfig
 var localMsp MSP
 var mspMgr MSPManager
diff --git a/msp/mspimpl.go b/msp/mspimpl.go
index af2e155782a..339af930320 100644
--- a/msp/mspimpl.go
+++ b/msp/mspimpl.go
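Review bot: TestAdminPolicyPrincipalFails overwrites the package-level localMsp's admins with an empty slice and never restores them, so every test in the package that runs after it (including TestAdminPolicyPrincipal, should test ordering ever change) sees an MSP with no admins, which makes the suite order-dependent. Save and restore the slice around the mutation: `saved := localMsp.(*bccspmsp).admins` followed by `defer func() { localMsp.(*bccspmsp).admins = saved }()`, placed before the `make([]Identity, 0)` line. The two new tests also share a verbatim preamble that marshals the MSPRole and builds the MSPPrincipal; a small helper returning the principal would keep them in step if the role encoding changes.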
@@ -528,12 +528,31 @@ func (msp *bccspmsp) SatisfiesPrincipal(id Identity, principal *common.MSPPrinci
 
 // now we validate the different msp roles
 switch mspRole.Role {
- // in the case of member, we simply check
- // whether this identity is valid for the MSP
 case common.MSPRole_MEMBER:
+ // in the case of member, we simply check
+ // whether this identity is valid for the MSP
 return msp.Validate(id)
 case common.MSPRole_ADMIN:
- panic("Not yet implemented")
+ // in the case of admin, we check that the
+ // id is exactly one of our admins
+ idBytes, err := id.Serialize()
+ if err != nil {
+ return fmt.Errorf("Could not serialize this identity instance, err %s", err)
+ }
+
+ for _, admincert := range msp.admins {
+ adBytes, err := admincert.Serialize()
+ if err != nil {
+ return fmt.Errorf("Could not serialize admin cert, err %s", err)
+ }
+
+ rv := bytes.Compare(idBytes, adBytes)
+ if rv == 0 {
+ return nil
+ }
+ }
+
+ return errors.New("This identity is not an admin")
 default:
 return fmt.Errorf("Invalid MSP role type %d", int32(mspRole.Role))
 }
diff --git a/msp/sampleconfig/admincerts/admincert.pem b/msp/sampleconfig/admincerts/admincert.pem
index 8d98dfa59e0..5f6293ac39a 100644
--- a/msp/sampleconfig/admincerts/admincert.pem
+++ b/msp/sampleconfig/admincerts/admincert.pem
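Review bot: The MSPRole_ADMIN branch returns nil as soon as the serialized identity byte-matches a configured admin, without ever running `msp.Validate(id)` the way the MSPRole_MEMBER branch does, so whatever Validate enforces (chain to the MSP's roots, and presumably validity period) is bypassed for admin principals and an identity Validate would reject can still satisfy an ADMIN policy. Insert `if err := msp.Validate(id); err != nil { return err }` ahead of the loop so admin membership is a strict subset of MSP membership, and state that in the comment, e.g. `// an admin must be a valid member of this MSP whose serialization matches one of our admins`. The equality test reads more directly as `if bytes.Equal(idBytes, adBytes) { return nil }` than via `bytes.Compare` and `rv`. The enclosing SatisfiesPrincipal starts before the hunk and its PrincipalClassification switch continues after it.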
@@ -1,15 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIICYjCCAgmgAwIBAgIUB3CTDOU47sUC5K4kn/Caqnh114YwCgYIKoZIzj0EAwIw
+MIICjDCCAjKgAwIBAgIUBEVwsSx0TmqdbzNwleNBBzoIT0wwCgYIKoZIzj0EAwIw
 fzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh
 biBGcmFuY2lzY28xHzAdBgNVBAoTFkludGVybmV0IFdpZGdldHMsIEluYy4xDDAK
-BgNVBAsTA1dXVzEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYxMDEyMTkzMTAw
-WhcNMjExMDExMTkzMTAwWjB/MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZv
-cm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEfMB0GA1UEChMWSW50ZXJuZXQg
-V2lkZ2V0cywgSW5jLjEMMAoGA1UECxMDV1dXMRQwEgYDVQQDEwtleGFtcGxlLmNv
-bTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKIH5b2JaSmqiQXHyqC+cmknICcF
-i5AddVjsQizDV6uZ4v6s+PWiJyzfA/rTtMvYAPq/yeEHpBUB1j053mxnpMujYzBh
-MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQXZ0I9
-qp6CP8TFHZ9bw5nRtZxIEDAfBgNVHSMEGDAWgBQXZ0I9qp6CP8TFHZ9bw5nRtZxI
-EDAKBggqhkjOPQQDAgNHADBEAiAHp5Rbp9Em1G/UmKn8WsCbqDfWecVbZPQj3RK4
-oG5kQQIgQAe4OOKYhJdh3f7URaKfGTf492/nmRmtK+ySKjpHSrU=
+BgNVBAsTA1dXVzEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYxMTExMTcwNzAw
+WhcNMTcxMTExMTcwNzAwWjBjMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGgg
+Q2Fyb2xpbmExEDAOBgNVBAcTB1JhbGVpZ2gxGzAZBgNVBAoTEkh5cGVybGVkZ2Vy
+IEZhYnJpYzEMMAoGA1UECxMDQ09QMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+HBuKsAO43hs4JGpFfiGMkB/xsILTsOvmN2WmwpsPHZNL6w8HWe3xCPQtdG/XJJvZ
++C756KEsUBM3yw5PTfku8qOBpzCBpDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOFC
+dcUZ4es3ltiCgAVDoyLfVpPIMB8GA1UdIwQYMBaAFBdnQj2qnoI/xMUdn1vDmdG1
+nEgQMCUGA1UdEQQeMByCCm15aG9zdC5jb22CDnd3dy5teWhvc3QuY29tMAoGCCqG
+SM49BAMCA0gAMEUCIDf9Hbl4xn3z4EwNKmilM9lX2Fq4jWpAaRVB97OmVEeyAiEA
+25aDPQHGGq2AvhKT0wvt08cX1GTGCIbfmuLpMwKQj38=
 -----END CERTIFICATE-----
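Review bot: Decoding the validity field of the new admin certificate (the `HhcNMTYxMTExMTcwNzAw` / `WhcNMTcxMTExMTcwNzAw` run) suggests notBefore 2016-11-11 and notAfter 2017-11-11, whereas the certificate being removed appears valid until 2021-10-11; if the MSP's validation path enforces the validity period, every test that relies on this fixture will start failing within a year of this commit with no code change to explain it. Consider a fixture with a much longer validity, or generating the sample admin certificate at test setup from the sample CA, and recording the chosen expiry next to the fixture so the failure mode is discoverable.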