add control peer rest api

Signed-off-by: Fedor Partanskiy <fredprtnsk@gmail.com>

Author: pfi79

core/aclmgmt/defaultaclprovider.go

@@ -7,6 +7,8 @@ SPDX-License-Identifier: Apache-2.0
 package aclmgmt
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 
 	"github.com/hyperledger/fabric-protos-go-apiv2/common"
@@ -149,6 +151,8 @@ func (d *defaultACLProviderImpl) CheckACL(resName string, channelID string, idin
 		return d.policyChecker.CheckPolicyBySignedData(channelID, policy, []*protoutil.SignedData{typedData})
 	case []*protoutil.SignedData:
 		return d.policyChecker.CheckPolicyBySignedData(channelID, policy, typedData)
+	case *x509.Certificate:
+		return d.policyChecker.CheckPolicyByCert(channelID, policy, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: typedData.Raw}))
 	default:
 		aclLogger.Errorf("Unmapped id on checkACL %s", resName)
 		return fmt.Errorf("Unknown id on checkACL %s", resName)
@@ -174,6 +178,8 @@ func (d *defaultACLProviderImpl) CheckACLNoChannel(resName string, idinfo interf
 		return d.policyChecker.CheckPolicyNoChannelBySignedData(policy, sd)
 	case []*protoutil.SignedData:
 		return d.policyChecker.CheckPolicyNoChannelBySignedData(policy, typedData)
+	case *x509.Certificate:
+		return d.policyChecker.CheckPolicyNoChannelByCert(policy, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: typedData.Raw}))
 	default:
 		aclLogger.Errorf("Unmapped id on channelless checkACL %s", resName)
 		return fmt.Errorf("Unknown id on channelless checkACL %s", resName)

core/peer/config.go

@@ -48,6 +48,26 @@ type ExternalBuilder struct {
 	Path                 string   `yaml:"path"`
 }
 
+// AdminConf configuration for peer administration
+type AdminConf struct {
+	// ListenAddress provides the host and port for the admin server
+	ListenAddress string
+	// TLSEnabled enables/disables TLS for admins.
+	TLSEnabled bool
+	// TLSCertFile provides the path to PEM encoded server certificate for
+	// the admin server.
+	TLSCertFile string
+	// TLSKeyFile provides the path to PEM encoded server key for the
+	// admin server.
+	TLSKeyFile string
+	// TLSClientAuthRequired enables/disables the requirements for client
+	// certificate authentication at the TLS layer to access all resource.
+	TLSClientAuthRequired bool
+	// TLSClientRootCAs provides the path to PEM encoded ca certiricates to
+	// trust for client authentication.
+	TLSClientRootCAs []string
+}
+
 // Config is the struct that defines the Peer configurations.
 type Config struct {
 	// LocalMSPID is the identifier of the local MSP.
@@ -219,6 +239,9 @@ type Config struct {
 	// interact with fabric networks
 
 	GatewayOptions gatewayconfig.Options
+
+	// ----- Admin config -----
+	Admin AdminConf
 }
 
 // GlobalConfig obtains a set of configuration from viper, build and returns
@@ -321,6 +344,16 @@ func (c *Config) load() error {
 		c.OperationsTLSClientRootCAs = append(c.OperationsTLSClientRootCAs, config.TranslatePath(configDir, rca))
 	}
 
+	c.Admin.ListenAddress = viper.GetString("admin.listenAddress")
+	c.Admin.TLSEnabled = viper.GetBool("admin.tls.enabled")
+	c.Admin.TLSCertFile = config.GetPath("admin.tls.cert.file")
+	c.Admin.TLSKeyFile = config.GetPath("admin.tls.key.file")
+	c.Admin.TLSClientAuthRequired = viper.GetBool("admin.tls.clientAuthRequired")
+
+	for _, rca := range viper.GetStringSlice("admin.tls.clientRootCAs.files") {
+		c.Admin.TLSClientRootCAs = append(c.Admin.TLSClientRootCAs, config.TranslatePath(configDir, rca))
+	}
+
 	c.MetricsProvider = viper.GetString("metrics.provider")
 	c.StatsdNetwork = viper.GetString("metrics.statsd.network")
 	c.StatsdAaddress = viper.GetString("metrics.statsd.address")

core/peer/config_test.go

@@ -299,6 +299,13 @@ func TestGlobalConfig(t *testing.T) {
 	viper.Set("operations.tls.clientAuthRequired", false)
 	viper.Set("operations.tls.clientRootCAs.files", []string{"relative/file1", "/absolute/file2"})
 
+	viper.Set("admin.listenAddress", "127.0.0.1:9444")
+	viper.Set("admin.tls.enabled", false)
+	viper.Set("admin.tls.cert.file", "test/tls/cert/file")
+	viper.Set("admin.tls.key.file", "test/tls/key/file")
+	viper.Set("admin.tls.clientAuthRequired", false)
+	viper.Set("admin.tls.clientRootCAs.files", []string{"relative/file1", "/absolute/file2"})
+
 	viper.Set("metrics.provider", "disabled")
 	viper.Set("metrics.statsd.network", "udp")
 	viper.Set("metrics.statsd.address", "127.0.0.1:8125")
@@ -385,6 +392,17 @@ func TestGlobalConfig(t *testing.T) {
 			BroadcastTimeout:   10 * time.Second,
 			DialTimeout:        60 * time.Second,
 		},
+		Admin: AdminConf{
+			ListenAddress:         "127.0.0.1:9444",
+			TLSEnabled:            false,
+			TLSCertFile:           filepath.Join(cwd, "test/tls/cert/file"),
+			TLSKeyFile:            filepath.Join(cwd, "test/tls/key/file"),
+			TLSClientAuthRequired: false,
+			TLSClientRootCAs: []string{
+				filepath.Join(cwd, "relative", "file1"),
+				"/absolute/file2",
+			},
+		},
 	}
 
 	require.Equal(t, coreConfig, expectedConfig)

core/policy/policy.go

@@ -39,6 +39,15 @@ type PolicyChecker interface {
 	// CheckPolicyNoChannelBySignedData checks that the passed signed data is valid with the respect to
 	// passed policy on the local MSP.
 	CheckPolicyNoChannelBySignedData(policyName string, signedData []*protoutil.SignedData) error
+
+	// CheckPolicyByCert checks that the passed cert is valid with the respect to
+	// passed policy on the passed channel.
+	// If no channel is passed, CheckPolicyNoChannelByCert is invoked directly.
+	CheckPolicyByCert(channelID, policyName string, cert []byte) error
+
+	// CheckPolicyNoChannelByCert checks that the passed cert is valid with the respect to
+	// passed policy on the local MSP.
+	CheckPolicyNoChannelByCert(policyName string, cert []byte) error
 }
 
 type policyChecker struct {
@@ -226,3 +235,96 @@ func (p *policyChecker) CheckPolicyNoChannelBySignedData(policyName string, sign
 
 	return nil
 }
+
+// CheckPolicyByCert checks that the passed cert is valid with the respect to
+// passed policy on the passed channel.
+// If no channel is passed, CheckPolicyNoChannelByCert is invoked directly.
+func (p *policyChecker) CheckPolicyByCert(channelID, policyName string, cert []byte) error {
+	if channelID == "" {
+		return p.CheckPolicyNoChannelByCert(policyName, cert)
+	}
+
+	if policyName == "" {
+		return fmt.Errorf("Invalid policy name during check policy on channel [%s]. Name must be different from nil.", channelID)
+	}
+
+	if cert == nil {
+		return fmt.Errorf("Invalid cert during check policy on channel [%s] with policy [%s]", channelID, policyName)
+	}
+
+	gi, err := p.getIdentityer()
+	if err != nil {
+		return err
+	}
+
+	id, err := gi.GetIdentityFromCert(cert)
+	if err != nil {
+		logger.Warnw("Failed get identity during check policy on channel check policy", "error", err, "policyName", policyName, "cert", cert, "channelID", channelID)
+		return fmt.Errorf("Failed get identity during check policy on channel [%s] with policy [%s]: [%s]", channelID, policyName, err)
+	}
+
+	// Get Policy
+	policyManager := p.channelPolicyManagerGetter.Manager(channelID)
+	if policyManager == nil {
+		return fmt.Errorf("Failed to get policy manager for channel [%s]", channelID)
+	}
+
+	// Recall that get policy always returns a policy object
+	policy, _ := policyManager.GetPolicy(policyName)
+
+	// Evaluate the policy
+	err = policy.EvaluateIdentities([]msp.Identity{id})
+	if err != nil {
+		logger.Warnw("Failed evaluating policy on Identity", "error", err, "policyName", policyName, "identities", id, "channelID", channelID)
+		return fmt.Errorf("Failed evaluating policy on Identity during check policy on channel [%s] with policy [%s]: [%s]", channelID, policyName, err)
+	}
+
+	return nil
+}
+
+// CheckPolicyNoChannelByCert checks that the passed cert is valid with the respect to
+// passed policy on the local MSP.
+func (p *policyChecker) CheckPolicyNoChannelByCert(policyName string, cert []byte) error {
+	if policyName == "" {
+		return errors.New("Invalid policy name during channelless check policy. Name must be different from nil.")
+	}
+
+	if cert == nil {
+		return fmt.Errorf("Invalid cert during channelless check policy with policy [%s]", policyName)
+	}
+
+	gi, err := p.getIdentityer()
+	if err != nil {
+		return err
+	}
+
+	id, err := gi.GetIdentityFromCert(cert)
+	if err != nil {
+		logger.Warnw("Failed get identity during channelless check policy", "error", err, "policyName", policyName, "cert", cert)
+		return fmt.Errorf("Failed get identity during channelless check policy with policy [%s]: [%s]", policyName, err)
+	}
+
+	// Load MSPPrincipal for policy
+	principal, err := p.principalGetter.Get(policyName)
+	if err != nil {
+		return fmt.Errorf("Failed getting local MSP principal during channelless check policy with policy [%s]: [%s]", policyName, err)
+	}
+
+	// Verify that proposal's creator satisfies the principal
+	err = id.SatisfiesPrincipal(principal)
+	if err != nil {
+		logger.Warnw("Failed verifying that identity satisfies local MSP principal during channelless check policy", "error", err, "policyName", policyName, "requiredPrincipal", principal)
+		return fmt.Errorf("Failed verifying identity satisfies local MSP principal during channelless check policy with policy [%s]: [%s]", policyName, err)
+	}
+
+	return nil
+}
+
+func (p *policyChecker) getIdentityer() (msp.GetIdentityer, error) {
+	gi, ok := p.localMSP.(msp.GetIdentityer)
+	if !ok {
+		return nil, errors.New("MSP does not support the GetIdentityer interface.")
+	}
+
+	return gi, nil
+}

core/scc/cscc/configure.go

@@ -125,11 +125,10 @@ func (e *PeerConfiger) Invoke(stub shim.ChaincodeStubInterface) *pb.Response {
 		return shim.Error(fmt.Sprintf("Rejecting invoke of CSCC from another chaincode, original invocation for '%s'", name))
 	}
 
-	return e.InvokeNoShim(args, sp)
+	return e.InvokeNoShim(args, sp, true)
 }
 
-func (e *PeerConfiger) InvokeNoShim(args [][]byte, sp *pb.SignedProposal) *pb.Response {
-	var err error
+func (e *PeerConfiger) InvokeNoShim(args [][]byte, sp *pb.SignedProposal, checkACL bool) *pb.Response {
 	fname := string(args[0])
 
 	switch fname {
@@ -150,14 +149,16 @@ func (e *PeerConfiger) InvokeNoShim(args [][]byte, sp *pb.SignedProposal) *pb.Re
 		}
 
 		// 1. check config block's format and capabilities requirement.
-		if err := validateConfigBlock(block, e.bccsp); err != nil {
+		if err = validateConfigBlock(block, e.bccsp); err != nil {
 			return shim.Error(fmt.Sprintf("\"JoinChain\" for channelID = %s failed because of validation "+
 				"of configuration block, because of %s", cid, err))
 		}
 
 		// 2. check join policy.
-		if err = e.aclProvider.CheckACL(resources.Cscc_JoinChain, "", sp); err != nil {
-			return shim.Error(fmt.Sprintf("access denied for [%s][%s]: [%s]", fname, cid, err))
+		if checkACL {
+			if err = e.aclProvider.CheckACL(resources.Cscc_JoinChain, "", sp); err != nil {
+				return shim.Error(fmt.Sprintf("access denied for [%s][%s]: [%s]", fname, cid, err))
+			}
 		}
 
 		// Initialize txsFilter if it does not yet exist. We can do this safely since
@@ -175,19 +176,19 @@ func (e *PeerConfiger) InvokeNoShim(args [][]byte, sp *pb.SignedProposal) *pb.Re
 			return shim.Error("Cannot join the channel, no snapshot directory provided")
 		}
 		// check policy
-		if err = e.aclProvider.CheckACL(resources.Cscc_JoinChainBySnapshot, "", sp); err != nil {
+		if err := e.aclProvider.CheckACL(resources.Cscc_JoinChainBySnapshot, "", sp); err != nil {
 			return shim.Error(fmt.Sprintf("access denied for [%s]: [%s]", fname, err))
 		}
 		snapshotDir := string(args[1])
 		return e.JoinChainBySnapshot(snapshotDir, e.deployedCCInfoProvider, e.legacyLifecycle, e.newLifecycle)
 	case JoinBySnapshotStatus:
-		if err = e.aclProvider.CheckACL(resources.Cscc_JoinBySnapshotStatus, "", sp); err != nil {
+		if err := e.aclProvider.CheckACL(resources.Cscc_JoinBySnapshotStatus, "", sp); err != nil {
 			return shim.Error(fmt.Sprintf("access denied for [%s]: %s", fname, err))
 		}
 		return e.joinBySnapshotStatus()
 	case GetConfigBlock:
 		// 2. check policy
-		if err = e.aclProvider.CheckACL(resources.Cscc_GetConfigBlock, string(args[1]), sp); err != nil {
+		if err := e.aclProvider.CheckACL(resources.Cscc_GetConfigBlock, string(args[1]), sp); err != nil {
 			return shim.Error(fmt.Sprintf("access denied for [%s][%s]: %s", fname, args[1], err))
 		}
 
@@ -196,13 +197,13 @@ func (e *PeerConfiger) InvokeNoShim(args [][]byte, sp *pb.SignedProposal) *pb.Re
 		if len(args[1]) == 0 {
 			return shim.Error("empty channel name provided")
 		}
-		if err = e.aclProvider.CheckACL(resources.Cscc_GetChannelConfig, string(args[1]), sp); err != nil {
+		if err := e.aclProvider.CheckACL(resources.Cscc_GetChannelConfig, string(args[1]), sp); err != nil {
 			return shim.Error(fmt.Sprintf("access denied for [%s][%s]: %s", fname, args[1], err))
 		}
 		return e.getChannelConfig(args[1])
 	case GetChannels:
 		// 2. check get channels policy
-		if err = e.aclProvider.CheckACL(resources.Cscc_GetChannels, "", sp); err != nil {
+		if err := e.aclProvider.CheckACL(resources.Cscc_GetChannels, "", sp); err != nil {
 			return shim.Error(fmt.Sprintf("access denied for [%s]: %s", fname, err))
 		}
 

core/scc/cscc/configure_test.go

@@ -206,7 +206,7 @@ func TestConfigerInvokeJoinChainMissingParams(t *testing.T) {
 		bccsp:       cryptoProvider,
 	}
 	mockStub := &mocks.ChaincodeStub{}
-	mockStub.GetArgsReturns([][]byte{[]byte("JoinChain")})
+	mockStub.GetArgsReturns([][]byte{[]byte(JoinChain)})
 	res := cscc.Invoke(mockStub)
 	require.NotEqual(
 		t,
@@ -224,7 +224,7 @@ func TestConfigerInvokeJoinChainWrongParams(t *testing.T) {
 		bccsp:       cryptoProvider,
 	}
 	mockStub := &mocks.ChaincodeStub{}
-	mockStub.GetArgsReturns([][]byte{[]byte("JoinChain"), []byte("action")})
+	mockStub.GetArgsReturns([][]byte{[]byte(JoinChain), []byte("action")})
 	mockStub.GetSignedProposalReturns(validSignedProposal(), nil)
 	res := cscc.Invoke(mockStub)
 	require.NotEqual(
@@ -262,15 +262,15 @@ func TestConfigerInvokeJoinChainCorrectParams(t *testing.T) {
 	if blockBytes == nil {
 		t.Fatalf("cscc invoke JoinChain failed because invalid block")
 	}
-	args := [][]byte{[]byte("JoinChain"), blockBytes}
+	args := [][]byte{[]byte(JoinChain), blockBytes}
 	sProp := validSignedProposal()
 	sProp.Signature = sProp.ProposalBytes
 
 	// Try fail path with nil block
-	mockStub.GetArgsReturns([][]byte{[]byte("JoinChain"), nil})
+	mockStub.GetArgsReturns([][]byte{[]byte(JoinChain), nil})
 	mockStub.GetSignedProposalReturns(sProp, nil)
 	res := cscc.Invoke(mockStub)
-	// res := stub.MockInvokeWithSignedProposal("2", [][]byte{[]byte("JoinChain"), nil}, sProp)
+	// res := stub.MockInvokeWithSignedProposal("2", [][]byte{[]byte(JoinChain), nil}, sProp)
 	require.Equal(t, int32(shim.ERROR), res.Status)
 
 	// Try fail path with block and nil payload header
@@ -284,9 +284,9 @@ func TestConfigerInvokeJoinChainCorrectParams(t *testing.T) {
 		},
 	}
 	badBlockBytes := protoutil.MarshalOrPanic(badBlock)
-	mockStub.GetArgsReturns([][]byte{[]byte("JoinChain"), badBlockBytes})
+	mockStub.GetArgsReturns([][]byte{[]byte(JoinChain), badBlockBytes})
 	res = cscc.Invoke(mockStub)
-	// res = stub.MockInvokeWithSignedProposal("2", [][]byte{[]byte("JoinChain"), badBlockBytes}, sProp)
+	// res = stub.MockInvokeWithSignedProposal("2", [][]byte{[]byte(JoinChain), badBlockBytes}, sProp)
 	require.Equal(t, int32(shim.ERROR), res.Status)
 
 	// Now, continue with valid execution path
@@ -532,7 +532,7 @@ func TestPeerConfiger_SubmittingOrdererGenesis(t *testing.T) {
 	}
 	mockStub := &mocks.ChaincodeStub{}
 	// Failed path: wrong parameter type
-	args := [][]byte{[]byte("JoinChain"), blockBytes}
+	args := [][]byte{[]byte(JoinChain), blockBytes}
 	mockStub.GetArgsReturns(args)
 	mockStub.GetSignedProposalReturns(validSignedProposal(), nil)
 	res := cscc.Invoke(mockStub)

go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/go-viper/mapstructure/v2 v2.4.0
 	github.com/gorilla/handlers v1.5.2
 	github.com/gorilla/mux v1.8.1
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3
 	github.com/hyperledger-labs/SmartBFT v0.0.0-20250503203013-eb005eef8866
 	github.com/hyperledger/fabric-chaincode-go/v2 v2.3.0
 	github.com/hyperledger/fabric-config v0.3.0
@@ -36,6 +37,8 @@ require (
 	go.etcd.io/etcd/raft/v3 v3.5.16
 	go.etcd.io/etcd/server/v3 v3.5.16
 	go.uber.org/zap v1.27.0
+	google.golang.org/genproto/googleapis/api v0.0.0-20250313205543-e70fdf4c4cb4
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4
 	google.golang.org/grpc v1.72.0
 	google.golang.org/protobuf v1.36.10
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
@@ -116,5 +119,4 @@ require (
 	golang.org/x/sys v0.38.0 // indirect
 	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/tools v0.39.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba // indirect
 )