Hyperledger Composer - ACL Rule with function in c

2020-05-07 18:46发布

I'm trying to write a little complexer logic in the condition of an ACL Rule as always the p.getIdentifier() == r.getIdentifier(), because in my fault it isn't possible.

These are my models:

participant Customer identified by customerID {
  o String  customerID
  o String  name
  ...
}

asset A identified by aID {
  o String       aID
  --> Customer   customer
}

asset B identified by bID {
  o String  bID
  --> A     a
}

Now I want to give the Customer access to see all B assets, but only where the relationship to A references to an asset, which have a relatinship to the actual participant of Customer, who is "logged in".

Summarized logic: From asset B to A, and then from A to Customer.

So in this case I can't compare the identifiers of Customer and B directly and have to go over A. Therefore I wanted to evaulate the access with a function which is called in the script.js file:

rule CustomerAccessCustomer {
  description: "The customer should see all B assets, but only when he have a relationship in asset A "
  participant(p): "org.xxx.test.participant.Customer"
  operation: READ
  resource(r): "org.xxx.test.asset.B"
  condition: (evaluateAccess(p,r))
  action: ALLOW
}

Here is the function of the script.js:

async function evaluateAccess(p,r) {
  try {
    const bRegistry = await getAssetRegistry('org.xxx.test.asset.B');
    const b = await bRegistry.get(r.getIdentifier());

    const aRegistry = await getAssetRegistry('org.xxx.test.asset.A');
    const a = await aRegistry.get(b.a.getIdentifier());

    if (p.getIdentifier() === a.customer.getIdentifier()) {
        return true;
    }
  } catch (error) {
    console.log(error);
  }
}

But I get an error Error: The runtime API is not available.

Do I think the wrong way, isn't it possible to evaluate access with a function? How did you handle access rule if you can't just compare the identifiers?

2条回答
Fickle 薄情
2楼-- · 2020-05-07 19:26

The customer should be participant not asset:

participant Customer identified by customerID {
  o String  customerID
  o String  name
}
查看更多
啃猪蹄的小仙女
3楼-- · 2020-05-07 19:42

you should just be able to do:

rule CustomerAccessCustomer {
  description: "The customer should see all B assets, but only when he have a relationship in asset A "
  participant(p): "org.xxx.test.participant.Customer"
  operation: READ
  resource(r): "org.xxx.test.asset.B"
  condition: ( (p.getIdentifier() === r.a.customer.getIdentifier()) 
  action: ALLOW
}

but p would also need READ access already to be able to 'read' Asset resource 'A' (to check the identifier etc) in the first place :-)

查看更多
登录 后发表回答