[FAB-9471] Set attributes during user registration

Added support for setting attributes during user registration.

Change-Id: I9c724245bf69d0a672b6ca0e8c2c0a83aee76ad9
Signed-off-by: Aleksandar Likic <aleksandar.likic@securekey.com>

Author: Aleksandar Likic

internal/github.com/hyperledger/fabric/common/attrmgr/attrmgr.go

@@ -26,7 +26,13 @@ Please review third_party pinning scripts and patches for more details.
 package attrmgr
 
 import (
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/asn1"
+	"encoding/json"
+	"fmt"
+
+	"github.com/pkg/errors"
 )
 
 var (
@@ -53,10 +59,156 @@ type AttributeRequest interface {
 	IsRequired() bool
 }
 
+// New constructs an attribute manager
+func New() *Mgr { return &Mgr{} }
+
 // Mgr is the attribute manager and is the main object for this package
 type Mgr struct{}
 
+// ProcessAttributeRequestsForCert add attributes to an X509 certificate, given
+// attribute requests and attributes.
+func (mgr *Mgr) ProcessAttributeRequestsForCert(requests []AttributeRequest, attributes []Attribute, cert *x509.Certificate) error {
+	attrs, err := mgr.ProcessAttributeRequests(requests, attributes)
+	if err != nil {
+		return err
+	}
+	return mgr.AddAttributesToCert(attrs, cert)
+}
+
+// ProcessAttributeRequests takes an array of attribute requests and an identity's attributes
+// and returns an Attributes object containing the requested attributes.
+func (mgr *Mgr) ProcessAttributeRequests(requests []AttributeRequest, attributes []Attribute) (*Attributes, error) {
+	attrsMap := map[string]string{}
+	attrs := &Attributes{Attrs: attrsMap}
+	missingRequiredAttrs := []string{}
+	// For each of the attribute requests
+	for _, req := range requests {
+		// Get the attribute
+		name := req.GetName()
+		attr := getAttrByName(name, attributes)
+		if attr == nil {
+			if req.IsRequired() {
+				// Didn't find attribute and it was required; return error below
+				missingRequiredAttrs = append(missingRequiredAttrs, name)
+			}
+			// Skip attribute requests which aren't required
+			continue
+		}
+		attrsMap[name] = attr.GetValue()
+	}
+	if len(missingRequiredAttrs) > 0 {
+		return nil, errors.Errorf("The following required attributes are missing: %+v",
+			missingRequiredAttrs)
+	}
+	return attrs, nil
+}
+
+// AddAttributesToCert adds public attribute info to an X509 certificate.
+func (mgr *Mgr) AddAttributesToCert(attrs *Attributes, cert *x509.Certificate) error {
+	buf, err := json.Marshal(attrs)
+	if err != nil {
+		return errors.Wrap(err, "Failed to marshal attributes")
+	}
+	ext := pkix.Extension{
+		Id:       AttrOID,
+		Critical: false,
+		Value:    buf,
+	}
+	cert.Extensions = append(cert.Extensions, ext)
+	return nil
+}
+
+// GetAttributesFromCert gets the attributes from a certificate.
+func (mgr *Mgr) GetAttributesFromCert(cert *x509.Certificate) (*Attributes, error) {
+	// Get certificate attributes from the certificate if it exists
+	buf, err := getAttributesFromCert(cert)
+	if err != nil {
+		return nil, err
+	}
+	// Unmarshal into attributes object
+	attrs := &Attributes{}
+	if buf != nil {
+		err := json.Unmarshal(buf, attrs)
+		if err != nil {
+			return nil, errors.Wrap(err, "Failed to unmarshal attributes from certificate")
+		}
+	}
+	return attrs, nil
+}
+
 // Attributes contains attribute names and values
 type Attributes struct {
 	Attrs map[string]string `json:"attrs"`
 }
+
+// Names returns the names of the attributes
+func (a *Attributes) Names() []string {
+	i := 0
+	names := make([]string, len(a.Attrs))
+	for name := range a.Attrs {
+		names[i] = name
+		i++
+	}
+	return names
+}
+
+// Contains returns true if the named attribute is found
+func (a *Attributes) Contains(name string) bool {
+	_, ok := a.Attrs[name]
+	return ok
+}
+
+// Value returns an attribute's value
+func (a *Attributes) Value(name string) (string, bool, error) {
+	attr, ok := a.Attrs[name]
+	return attr, ok, nil
+}
+
+// True returns nil if the value of attribute 'name' is true;
+// otherwise, an appropriate error is returned.
+func (a *Attributes) True(name string) error {
+	val, ok, err := a.Value(name)
+	if err != nil {
+		return err
+	}
+	if !ok {
+		return fmt.Errorf("Attribute '%s' was not found", name)
+	}
+	if val != "true" {
+		return fmt.Errorf("Attribute '%s' is not true", name)
+	}
+	return nil
+}
+
+// Get the attribute info from a certificate extension, or return nil if not found
+func getAttributesFromCert(cert *x509.Certificate) ([]byte, error) {
+	for _, ext := range cert.Extensions {
+		if isAttrOID(ext.Id) {
+			return ext.Value, nil
+		}
+	}
+	return nil, nil
+}
+
+// Is the object ID equal to the attribute info object ID?
+func isAttrOID(oid asn1.ObjectIdentifier) bool {
+	if len(oid) != len(AttrOID) {
+		return false
+	}
+	for idx, val := range oid {
+		if val != AttrOID[idx] {
+			return false
+		}
+	}
+	return true
+}
+
+// Get an attribute from 'attrs' by its name, or nil if not found
+func getAttrByName(name string, attrs []Attribute) Attribute {
+	for _, attr := range attrs {
+		if attr.GetName() == name {
+			return attr
+		}
+	}
+	return nil
+}

pkg/client/msp/ca.go

@@ -36,8 +36,8 @@ type RegistrationRequest struct {
 // Attribute defines additional attributes that may be passed along during registration
 type Attribute struct {
 	Name  string
-	Key   string
 	Value string
+	ECert bool
 }
 
 // RevocationRequest defines the attributes required to revoke credentials with the CA

pkg/client/msp/client.go

@@ -129,17 +129,17 @@ func (c *Client) Register(request *RegistrationRequest) (string, error) {
 		return "", err
 	}
 
-	// TODO - this code is unused.
-	//var a []mspapi.Attribute
-	//for i := range request.Attributes {
-	//	a = append(a, mspapi.Attribute{Name: request.Attributes[i].Name, Key: request.Attributes[i].Key, Value: request.Attributes[i].Value})
-	//}
+	var a []mspapi.Attribute
+	for i := range request.Attributes {
+		a = append(a, mspapi.Attribute{Name: request.Attributes[i].Name, Value: request.Attributes[i].Value, ECert: request.Attributes[i].ECert})
+	}
 
 	r := mspapi.RegistrationRequest{
 		Name:           request.Name,
 		Type:           request.Type,
 		MaxEnrollments: request.MaxEnrollments,
 		Affiliation:    request.Affiliation,
+		Attributes:     a,
 		CAName:         request.CAName,
 		Secret:         request.Secret,
 	}

pkg/msp/api/api.go

@@ -53,8 +53,8 @@ type RegistrationRequest struct {
 // Attribute defines additional attributes that may be passed along during registration
 type Attribute struct {
 	Name  string
-	Key   string
 	Value string
+	ECert bool
 }
 
 // RevocationRequest defines the attributes required to revoke credentials with the CA

pkg/msp/caclient_test.go

@@ -192,8 +192,8 @@ func TestRegister(t *testing.T) {
 
 	// Register with valid request
 	var attributes []api.Attribute
-	attributes = append(attributes, api.Attribute{Key: "test1", Value: "test2"})
-	attributes = append(attributes, api.Attribute{Key: "test2", Value: "test3"})
+	attributes = append(attributes, api.Attribute{Name: "test1", Value: "test2"})
+	attributes = append(attributes, api.Attribute{Name: "test2", Value: "test3"})
 	secret, err := f.caClient.Register(&api.RegistrationRequest{Name: "test", Affiliation: "test", Attributes: attributes})
 	if err != nil {
 		t.Fatalf("identityManager Register return error %v", err)
@@ -217,8 +217,8 @@ func TestEmbeddedRegistar(t *testing.T) {
 
 	// Register with valid request
 	var attributes []api.Attribute
-	attributes = append(attributes, api.Attribute{Key: "test1", Value: "test2"})
-	attributes = append(attributes, api.Attribute{Key: "test2", Value: "test3"})
+	attributes = append(attributes, api.Attribute{Name: "test1", Value: "test2"})
+	attributes = append(attributes, api.Attribute{Name: "test2", Value: "test3"})
 	secret, err := f.caClient.Register(&api.RegistrationRequest{Name: "withEmbeddedRegistrar", Affiliation: "test", Attributes: attributes})
 	if err != nil {
 		t.Fatalf("identityManager Register return error %v", err)
@@ -254,8 +254,8 @@ func TestRegisterNoRegistrar(t *testing.T) {
 
 	// Register with valid request
 	var attributes []api.Attribute
-	attributes = append(attributes, api.Attribute{Key: "test1", Value: "test2"})
-	attributes = append(attributes, api.Attribute{Key: "test2", Value: "test3"})
+	attributes = append(attributes, api.Attribute{Name: "test1", Value: "test2"})
+	attributes = append(attributes, api.Attribute{Name: "test2", Value: "test3"})
 	_, err = f.caClient.Register(&api.RegistrationRequest{Name: "test", Affiliation: "test", Attributes: attributes})
 	if err != api.ErrCARegistrarNotFound {
 		t.Fatalf("Expected ErrCARegistrarNotFound, got: %v", err)

pkg/msp/fabcaadapter.go

@@ -87,8 +87,7 @@ func (c *fabricCAAdapter) Register(key core.Key, cert []byte, request *api.Regis
 	// Contruct request for Fabric CA client
 	var attributes []caapi.Attribute
 	for i := range request.Attributes {
-		attributes = append(attributes, caapi.Attribute{Name: request.
-			Attributes[i].Key, Value: request.Attributes[i].Value})
+		attributes = append(attributes, caapi.Attribute{Name: request.Attributes[i].Name, Value: request.Attributes[i].Value, ECert: request.Attributes[i].ECert})
 	}
 	var req = caapi.RegistrationRequest{
 		CAName:         request.CAName,

scripts/third_party_pins/fabric/apply_fabric_client_utils.sh

@@ -180,10 +180,6 @@ gofilter
 sed -i'' -e 's/&bccsp.SHA256Opts{}/factory.GetSHA256Opts()/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
 sed -i'' -e 's/"github.com\/hyperledger\/fabric\/bccsp\/factory"/factory "github.com\/hyperledger\/fabric-sdk-go\/internal\/github.com\/hyperledger\/fabric\/sdkpatch\/cryptosuitebridge"/g' "${TMP_PROJECT_PATH}/${FILTER_FILENAME}"
 
-FILTER_FILENAME="common/attrmgr/attrmgr.go"
-FILTER_FN=
-gofilter
-
 FILTER_FILENAME="common/channelconfig/applicationorg.go"
 FILTER_FN=
 gofilter

test/integration/msp/check_cert_attributes.go

@@ -0,0 +1,46 @@
+// +build !prev
+
+/*
+Copyright SecureKey Technologies Inc. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package msp
+
+import (
+	"testing"
+
+	"crypto/x509"
+	"encoding/pem"
+
+	"github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric/common/attrmgr"
+	"github.com/hyperledger/fabric-sdk-go/pkg/client/msp"
+	"github.com/stretchr/testify/assert"
+)
+
+func checkCertAttributes(t *testing.T, certBytes []byte, expected []msp.Attribute) {
+	decoded, _ := pem.Decode(certBytes)
+	if decoded == nil {
+		t.Fatalf("Failed cert decoding")
+	}
+	cert, err := x509.ParseCertificate(decoded.Bytes)
+	if err != nil {
+		t.Fatalf("failed to parse certificate: %v", err)
+	}
+	if cert == nil {
+		t.Fatalf("failed to parse certificate: %v", err)
+	}
+	mgr := attrmgr.New()
+	attrs, err := mgr.GetAttributesFromCert(cert)
+	if err != nil {
+		t.Fatalf("Failed to GetAttributesFromCert: %s", err)
+	}
+	for _, a := range expected {
+		v, ok, err := attrs.Value(a.Name)
+		assert.NoError(t, err)
+		assert.True(t, attrs.Contains(a.Name), "does not contain attribute '%s'", a.Name)
+		assert.True(t, ok, "attribute '%s' was not found", a.Name)
+		assert.True(t, v == a.Value, "incorrect value for '%s'; expected '%s' but found '%s'", a.Name, a.Value, v)
+	}
+}

test/integration/msp/check_cert_ser_attributes_prev.go

@@ -0,0 +1,19 @@
+// +build prev
+
+/*
+Copyright SecureKey Technologies Inc. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package msp
+
+import (
+	"testing"
+
+	"github.com/hyperledger/fabric-sdk-go/pkg/client/msp"
+)
+
+func checkCertAttributes(t *testing.T, certBytes []byte, expected []msp.Attribute) {
+	// Do nothing, as the previous CA version wasn't setting attributes in generated certs.
+}

test/integration/msp/enrollment_test.go

@@ -9,6 +9,8 @@ package msp
 import (
 	"testing"
 
+	"fmt"
+
 	"github.com/hyperledger/fabric-sdk-go/pkg/client/msp"
 	"github.com/hyperledger/fabric-sdk-go/pkg/common/providers/context"
 	"github.com/hyperledger/fabric-sdk-go/pkg/fabsdk"
@@ -62,10 +64,24 @@ func TestRegisterEnroll(t *testing.T) {
 	// Generate a random user name
 	username := integration.GenerateRandomID()
 
+	testAttributes := []msp.Attribute{
+		msp.Attribute{
+			Name:  integration.GenerateRandomID(),
+			Value: fmt.Sprintf("%s:ecert", integration.GenerateRandomID()),
+			ECert: true,
+		},
+		msp.Attribute{
+			Name:  integration.GenerateRandomID(),
+			Value: fmt.Sprintf("%s:ecert", integration.GenerateRandomID()),
+			ECert: true,
+		},
+	}
+
 	// Register the new user
 	enrollmentSecret, err := mspClient.Register(&msp.RegistrationRequest{
-		Name: username,
-		Type: IdentityTypeUser,
+		Name:       username,
+		Type:       IdentityTypeUser,
+		Attributes: testAttributes,
 		// Affiliation is mandatory. "org1" and "org2" are hardcoded as CA defaults
 		// See https://github.com/hyperledger/fabric-ca/blob/release/cmd/fabric-ca-server/config.go
 		Affiliation: "org2",
@@ -81,11 +97,13 @@ func TestRegisterEnroll(t *testing.T) {
 	}
 
 	// Get the new user's signing identity
-	_, err = mspClient.GetSigningIdentity(username)
+	si, err := mspClient.GetSigningIdentity(username)
 	if err != nil {
 		t.Fatalf("GetSigningIdentity failed: %v", err)
 	}
 
+	checkCertAttributes(t, si.EnrollmentCertificate(), testAttributes)
+
 }
 
 func getRegistrarEnrollmentCredentials(t *testing.T, ctxProvider context.ClientProvider) (string, string) {