Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -201,7 +201,7 @@ The key is generated by the caller and should be unique for each DTO. You can us
},
},
{
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT. Allowed orgs: CuratorOrg.",
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT.",
"dtoSchema": {
"properties": {
"dtoExpiresAt": {
Expand Down Expand Up @@ -1661,7 +1661,7 @@ The key is generated by the caller and should be unique for each DTO. You can us
},
},
{
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT. Allowed orgs: CuratorOrg.",
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT.",
"dtoSchema": {
"properties": {
"dtoExpiresAt": {
Expand Down Expand Up @@ -10424,7 +10424,7 @@ The key is generated by the caller and should be unique for each DTO. You can us
},
},
{
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT. Allowed orgs: CuratorOrg.",
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT.",
"dtoSchema": {
"properties": {
"dtoExpiresAt": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -201,7 +201,7 @@ The key is generated by the caller and should be unique for each DTO. You can us
},
},
{
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT. Allowed orgs: CuratorOrg.",
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT.",
"dtoSchema": {
"properties": {
"dtoExpiresAt": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -282,7 +282,7 @@ The key is generated by the caller and should be unique for each DTO. You can us
},
},
{
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT. Allowed orgs: CuratorOrg.",
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT.",
"dtoSchema": {
"properties": {
"dtoExpiresAt": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -494,7 +494,7 @@ The key is generated by the caller and should be unique for each DTO. You can us
},
},
{
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT. Allowed orgs: CuratorOrg.",
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT.",
"dtoSchema": {
"properties": {
"dtoExpiresAt": {
Expand Down
4 changes: 1 addition & 3 deletions chaincode/src/contracts/GalaContract.ts
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,6 @@ import {
GalaChainResponseType,
GetObjectDto,
GetObjectHistoryDto,
NotFoundError,
UserProfile,
ValidationFailedError,
createValidDTO,
Expand Down Expand Up @@ -223,8 +222,7 @@ export abstract class GalaContract extends Contract {
in: BatchDto,
out: "object",
enforceUniqueKey: true,
description: "Submit a batch of transactions",
allowedOrgs: [process.env.CURATOR_ORG_MSP ?? "CuratorOrg"]
description: "Submit a batch of transactions"
})
public async BatchSubmit(ctx: GalaChainContext, batchDto: BatchDto): Promise<GalaChainResponse<unknown>[]> {
const responses: GalaChainResponse<unknown>[] = [];
Expand Down
7 changes: 5 additions & 2 deletions chaincode/src/contracts/GalaTransaction.ts
Original file line number Diff line number Diff line change
Expand Up @@ -138,8 +138,11 @@ function GalaTransaction<In extends ChainCallDTO, Out>(
}

if (options.type === SUBMIT && !options.verifySignature && !options.allowedOrgs?.length) {
const message = `SUBMIT transaction '${propertyKey}' must have either verifySignature or allowedOrgs defined`;
throw new NotImplementedError(message);
// Edge case: we allow BatchSubmit without verifySignature or allowedOrgs
if (propertyKey !== "BatchSubmit") {
const message = `SUBMIT transaction '${propertyKey}' must have either verifySignature or allowedOrgs defined`;
throw new NotImplementedError(message);
}
}

if (options.allowedRoles !== undefined && options.allowedOrgs !== undefined) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -283,7 +283,7 @@ The key is generated by the caller and should be unique for each DTO. You can us
},
},
{
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT. Allowed orgs: CuratorOrg.",
"description": "Submit a batch of transactions Transaction updates the chain (submit). Allowed roles: SUBMIT.",
"dtoSchema": {
"properties": {
"dtoExpiresAt": {
Expand Down
14 changes: 13 additions & 1 deletion chaincode/src/contracts/authorize.ts
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import { ChainCallDTO, ForbiddenError, UnauthorizedError, UserRole } from "@gala-chain/api";
import { BatchDto, ChainCallDTO, ForbiddenError, UnauthorizedError, UserRole } from "@gala-chain/api";

import { GalaChainContext } from "../types";

Expand Down Expand Up @@ -100,6 +100,13 @@ export function ensureChaincodeIsAllowed(chaincode: string, allowedChaincodes: s
}
}

function isBatchOperation(ctx: GalaChainContext, dto: ChainCallDTO | undefined) {
const methodName = ctx.operationCtx.methodName;
const isBatchMethod = methodName === "BatchSubmit" || methodName.endsWith(":BatchSubmit");
const isBatchDto = (dto as BatchDto | undefined)?.operations?.some((o) => o.method.length > 0);
return isBatchMethod || isBatchDto;
}

export interface AuthorizeOptions {
allowedOrgs?: string[];
allowedRoles?: string[];
Expand All @@ -112,6 +119,11 @@ export async function authorize(
options: AuthorizeOptions,
dto: ChainCallDTO | undefined
) {
// For batch operations authorization happens for each operation in the batch
if (isBatchOperation(ctx, dto)) {
return;
}

if (options.allowedOriginChaincodes && ctx.callingUser.startsWith("service|")) {
const callingChaincode = ctx.callingUser.slice(8);
ensureChaincodeIsAllowed(callingChaincode, options.allowedOriginChaincodes);
Expand Down
Loading