文件功能说明
主要核心代码在core/aclmgmt、common/policies、commmon/cauthdsl、core/policy、core/policyprovider
- core/aclmgmt目录
- resources/resources.go,定义了用于ACL检查的fabric资源常量
- aclmgmt.go,定义ACLProvider.CheckACL接口
- aclmgmtimpl.go,实现CheckACL接口,持有resourceprovider(ACLProvider),实际调用resourceprovider.CheckACL
- resourceprovider.go,定义了policyEvaluator.PolicyRefForAPI、policyEvaluator.Evaluate,aclmgmtPolicyProvider.GetPolicyName、aclmgmtPolicyProvider.CheckACL接口,和它们的实现policyEvaluatorImpl、aclmgmtPolicyProviderImpl;resourceProvider持有defaultProvider(ACLProvider)、ResourceGetter;resourceProvider.CheckACL实现中默认会取channel config,不会空则调用自身的实现 aclmgmtPolicyProviderImpl.checkACL,否则调用defaultACLProvider.checkACL
- defaultaclprovider.go,定义了defaultACLProvider,实现了CheckACL接口,持有pResourcePolicyMap、cResourcePolicyMap、policy.PolicyChecker,initialize方法默认会初始化这三个成员,最终调用policyChecker.CheckPolicy检查策略
- common/policies 目录
- implicitmeta_util.go,根据指定的参数创建策略
- implicitmeta.go,根据bytes创建策略,对signatureSet进行Evaluate
- implicitmetaparser.go,根据字符串解析规则(ALL、ANY、MAJORITY)
- policy.go, 定义了Policy.Evaluate、InquireablePolicy.SatisfiedBy、Manager.GetPolicy、Manager.Manager、Provider.NewPolicy、ChannelPolicyManagerGetter.Manager接口,policyLogger包装了Policy.Evaluate添加了日志打印,ManagerImpl实现了Manager接口,它自身持有多个ManagerImpl实例,根据Group有递归调用NewManagerImpl
- util.go, 定义了ConfigPolicy.Key ConfigPolicy.Value接口及即接口实现StandardConfigPolicy,Value为protos/common.Policy
- inquire目录,定义了inquireableSignaturePolicy,对common.SignaturePolicyEnvelope的包装;ComparablePrincipal,对MSPPrincipal的包装,可和其他主体比较、合并;
- common/cauthdsl 目录
- cauthdsl_builder.go,根据角色、身份、规则构造SignaturePolicyEnvelope,SignaturePolicy
- cauthdsl.go, 定义了deduplicate,用于删除重复身份;compile,最终的策略执行,递归校验签名,返回一个函数,最终会赋值给policy.evaluator)
- policy.go,定义了Identity.SatisfiesPrincipal、Identity.GetIdentifier、IdentityAndSignature.Identity、IdentityAndSignature.Verify接口;deserializeAndVerify实现了IdentityAndSignature,持有signedData、deserializer,根据deserializer、signedData.Identity可获得msp.Identity;provider和EnvelopeBasedPolicyProvider实现了Provider.NewPolicy接口,持有deserializer; policy实现了Policy.Evaluate,持有deserializer和evaluator,最终还是调用compile
- policy_parser.go,定义了一些工具函数and、or、outOf、firstPass、secondPass、FromString
- core/policy目录
- policy.go,定义了PolicyChecker.CheckPolicy、 CheckPolicyBySignedData、CheckPolicyNoChannel和PolicyCheckerFactory.NewPolicyChecker接口,policyChecker实现了PolicyChecker,持有ChannelPolicyManagerGetter和IdentityDeserializer,CheckPolicy调用了CheckPolicyNoChannel、CheckPolicyBySignedData,CheckPolicyBySignedData最终调用policy.Evaluate;
- core/policyprovider目录
- provider.go,定义了defaultFactory,实现了PolicyCheckerFactory.NewPolicyChecker接口,对外暴露GetPolicyChecker函数
peer node start 中acl的引用
DeliverEventsServer:事件分发
peer/node/start/serve
NewDeliverEventsServer(policyCheckerProvider)->
Deliver->deliver.Handle->deliver.deliverBlocks->NewSessionAC->SessionAccessControl->Evaluate()->policyChecker.CheckPolicy
ChaincodeServer:链码服务
用户链码
peer/node/start/serve ->startChaincodeServer->registerChaincodeSupport->
、chaincode.NewChaincodeSupport(aclProvider)->用户链码启动
core/chaincode/chaincode_support/Register->
core/chaincode/chaincode_support/HandleChaincodeStream->
core/chaincode/hanlder/ProcessStream->handleMessage->handleMessageReadyState->HandleInvokeChaincode->checkACL->ACLProvider.CheckACL
系统链码
- LSCC
peer/node/start/serve ->startChaincodeServer->registerChaincodeSupport->
lscc.New(aclProvider)->
LifeCycleSysCC( PolicyChecker,ACLProvider)->
Invoke->
PolicyChecker.CheckPolicyNoChannel|ACLProvider.CheckACL->
executeDeployOrUpgrade->
1.putChaincodeCollectionData->checkCollectionMemberPolicy->policyProvider.NewPolicy
2.supportImpl.CheckInstantiationPolicy->
cauthdsl.NewPolicyProvider().NewPolicy().Evaluate() - CSCC
peer/node/start/serve ->startChaincodeServer->registerChaincodeSupport->
cscc.New(policyChecker,aclProvider)->
Invoke->InvokeNoShim->policyChecker.CheckPolicyNoChannel| aclProvider.CheckACL
TODO:policyChecker.CheckPolicyNoChannel后面会改为aclProvider.CheckACL - QSCC
peer/node/start/serve ->startChaincodeServer->registerChaincodeSupport->
qscc.New(aclProvider)->
Invoke->aclProvider.CheckACL
EndorserServer: 背书服务
peer/node/start/serve
endorser.NewEndorserServer(endorserSupport(aclProvider))->
Endorser->ProcessProposal->
- preProcess->SupportImpl.checkACL()->ACLProvider.CheckACL
- SimulateProposal->SupportImpl.CheckInstantiationPolicy->
ccprovider.CheckInstantiationPolicy
registerProverService: 证明服务 (1.4版本后废弃)
GossipService: 绯闻服务
initGossipService(policyMgr)->peergossip.NewMCS(policyMgr)->
service.InitGossipService->InitGossipServiceCustomDeliveryFactory->NewGossipComponent->NewGossipService->gossipServiceImpl->
- gossipServiceImpl.JoinChan->chanState.joinChannel->channel.NewGossipChannel->VerifyByChannel
- gossipServiceImpl.InitializeChannel->NewGossipStateProvider->VerifyByChannel
3.gossipServiceImpl.start->acceptMessages->handleMessage->gossipChannel.HandleMessage->gossipChannel.verifyBlock - VerifyByChannel->channelPolicyManagerGetter.Manager->GetPolicy(“Channel/Application/Readers”)->policy.Evaluate
- VerifyBlock->channelPolicyManagerGetter.Manager->GetPolicy(“Channel/Order/BlockValidation”)->policy.Evaluate
