如何在用户证书中添加角色并以链码形式使用它们?

时间:2019-01-01 13:06:13

标签: node.js hyperledger-fabric hyperledger-fabric-ca

我在带有“ IBM‌ Blockchain Platform”扩展和nodejs的超级账本结构上开发了一个应用程序。我使用“ fabric-ca-client v1.3.0”模块来注册用户和管理员证书。我想向用户添加角色,并基于我的链码上的用户角色进行访问控制。我尝试注册多个证书,但是此模块始终使用空角色和从属关系注册证书,如下所示:

{"name":"admin","mspid":"Org1MSP","roles":null,"affiliation":"","enrollmentSecret":"","enrollment":{"signingIdentity":"...","identity":{"..."}}}

我在hyperledger shim documentation上发现了有关在链码上使用角色的问题:

const ClientIdentity = require('fabric-shim').ClientIdentity;

let cid = new ClientIdentity(stub); 
object passed to Init() and Invoke() methods
if (cid.assertAttributeValue('hf.role', 'auditor')) {
   // proceed to carry out auditing
}

但是我没有找到任何方法来注册和注册具有'hf.role'属性的用户

1 个答案:

答案 0 :(得分:1)

您必须注册用户1st,然后注册该用户。您可以通过cmdline和REST来执行此操作。对于cmdline,在注册用户时,您需要将其他属性传递为:

--enrollment.attrs "role=writer,email,phone:opt"

然后在注册时:

let cid = new ClientIdentity(stub); 
if (cid.assertAttributeValue('role', 'writer')) { .. }

在链码中,您可以按以下方式访问属性:

Function Grant-OAuth2PermissionsToApp{
Param(
    [Parameter(Mandatory=$true)]$Username, #global administrator username
    [Parameter(Mandatory=$true)]$Password, #global administrator password
    [Parameter(Mandatory=$true)]$azureAppId #application ID of the azure application you wish to admin-consent to
)

$secpasswd = ConvertTo-SecureString $Password -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($Username, $secpasswd)
$res = login-azurermaccount -Credential $mycreds
$context = Get-AzureRmContext
$tenantId = $context.Tenant.Id
$refreshToken = @($context.TokenCache.ReadItems() | where {$_.tenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date)})[0].RefreshToken
$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'
$header = @{
'Authorization' = 'Bearer ' + $apiToken.access_token
'X-Requested-With'= 'XMLHttpRequest'
'x-ms-client-request-id'= [guid]::NewGuid()
'x-ms-correlation-id' = [guid]::NewGuid()}
$url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$azureAppId/Consent?onBehalfOfAll=true"
Invoke-RestMethod -Uri $url -Headers $header -Method POST -ErrorAction Stop
}
相关问题
最新问题