源码剖析 [EOS 源码分析] EOS 权限模型机制分析

Surou · 2018年10月17日 · 623 次阅读

cleos涉及account和contract的命令都会产生一个action,进而生成一个transaction,所有的action都需要指定permission权限 权限验证流程图如下 主要分为三个部分:

  • permission声明:1~3
  • permission授权证明:4~9
  • 权限检测:10~14,其中本地节点的nodeos和miner节点的nodeos都会执行权限检测,10~11(本地节点)和12~14(外部矿工节点)的工作内容是一样 #### 权限声明 所有action相关命令都是通过通过-p/--permission声明permission参数,permission参数有几种表达形式:account, [email protected], publickey, account等价于[email protected]
cleos create account -j eosio testaccount -p [email protected]
cleos set account permission testaccount active -p [email protected]
cleos push action contractaccount method 'data' -p [email protected]
cleos push action contractaccount method1 'data' -p publickey

如果用户没有输入该参数,cleos会自动添加默认permission,各种action的默认permission是不一样的

chain::action create_newaccount(const name& creator, const name& newaccount, public_key_type owner, public_key_type active) {
   return action {
      //tx_permission就是-p参数的值,如果没有[email protected]这个值,则默认为[email protected]
      tx_permission.empty() ? vector<chain::permission_level>{{creator,config::active_name}} : get_account_permissions(tx_permission),
      eosio::chain::newaccount{
         .creator      = creator,
         .name         = newaccount,
         .owner        = eosio::chain::authority{1, {{owner, 1}}, {}},
         .active       = eosio::chain::authority{1, {{active, 1}}, {}}
      }
   };
}

chain::action create_updateauth(const name& account, const name& permission, const name& parent, const authority& auth) {
   return action { tx_permission.empty() ? vector<chain::permission_level>{{account,config::active_name}} : get_account_permissions(tx_permission),
                   updateauth{account, permission, parent, auth}};
}

如果-p [email protected]只带了account,则默认为[email protected]

vector<chain::permission_level> get_account_permissions(const vector<string>& permissions) {
   auto fixedPermissions = permissions | boost::adaptors::transformed([](const string& p) {
      vector<string> pieces;
      split(pieces, p, boost::algorithm::is_any_of("@"));
      //如果没有@permission这个声明,则默认为@active
      if( pieces.size() == 1 ) pieces.push_back( "active" );
      return chain::permission_level{ .actor = pieces[0], .permission = pieces[1] };
   });
   vector<chain::permission_level> accountPermissions;
   boost::range::copy(fixedPermissions, back_inserter(accountPermissions));
   return accountPermissions;
}

权限授权证明

用户在执行cleos相关命令时通过-p声明了permission,这个permission只是一个字符串,谁都可以伪造的,因而需要提交真实可验证的证据,这个证据就是permission的授权(authority)信息。一个permission的authority可以是public key,也可以是子permission(另一个账号的permission, [email protected]), 这样就形成了一颗树, 叶子节点是public key, 只有该叶子节点的public key才有该权限。 所以提交授权证明的过程由两部分构成 ####收集权限permission的public key 搜集permission生成的授权树的叶子节点的public key,即找出哪些public key被授予该权限 比如上图的[email protected]权限展开后得到如下叶子节点public key集合【key1, key10, key11, key20, key21, key60, key61】,只要用户拥有这些key集合中的一个public key对应的私钥就可以证明该用户可以以该[email protected]权限提交action.

cleos端:

fc::variant push_transaction( signed_transaction& trx, int32_t extra_kcpu = 1000, packed_transaction::compression_type compression = packed_transaction::none ) {
   auto required_keys = determine_required_keys(trx);
}

fc::variant determine_required_keys(const signed_transaction& trx) {
   // TODO better error checking
   //wdump((trx));
   //拿到本地所有的public keys,这些key中可能拥有[email protected]权限
   const auto& public_keys = call(wallet_url, wallet_public_keys);
   //trx包含action,action包含[email protected]权限信息
   auto get_arg = fc::mutable_variant_object
           ("transaction", (transaction)trx)
           ("available_keys", public_keys);
   //调用keosd的服务获取本地满足[email protected]权限的public key
   const auto& required_keys = call(get_required_keys, get_arg);
   return required_keys["required_keys"];
}

nodeos端:

flat_set<public_key_type> authorization_manager::get_required_keys( const transaction& trx,
const flat_set<public_key_type>& candidate_keys,
fc::microseconds provided_delay)const
   {
      auto checker = make_auth_checker( [&](const permission_level& p){ return get_permission(p).auth; },
                                        _control.get_global_properties().configuration.max_authority_depth,
                                        candidate_keys,
                                        {},
                                        provided_delay,
                                        _noop_checktime
                                      );

      for (const auto& act : trx.actions ) {
         for (const auto& declared_auth : act.authorization) {
            //判断candidate_keys是否有合适的key被授予了act.authorization
            EOS_ASSERT( checker.satisfied(declared_auth), unsatisfied_authorization,
                        "transaction declares authority '${auth}', but does not have signatures for it.",
                        ("auth", declared_auth) );
         }
      }
      //返回满足条件的public key
      return checker.used_keys();
   }

通过私钥签名提供授权证明

搜索上一步收集到的public key,检测是否含有本用户的key,如果存在,则用相应的private key 签名交易,这样就可以证明该交易的具备[email protected]这一permission

fc::variant push_transaction( signed_transaction& trx, int32_t extra_kcpu = 1000, packed_transaction::compression_type compression = packed_transaction::none ) {
   //上一步获取到的被授权的public key
   auto required_keys = determine_required_keys(trx);
   if (!tx_skip_sign) {
      //通过签名交易提交permission证明
      sign_transaction(trx, required_keys);
   }

   if (!tx_dont_broadcast) {
      //广播交易
      return call(push_txn_func, packed_transaction(trx, compression));
   } else {
      return fc::variant(trx);
   }
}

void sign_transaction(signed_transaction& trx, fc::variant& required_keys) {
   // TODO determine chain id
   fc::variants sign_args = {fc::variant(trx), required_keys, fc::variant(chain_id_type{})};
   //cleos调用keosd的sign_trx api来执行签名操作
   const auto& signed_trx = call(wallet_url, wallet_sign_trx, sign_args);
   trx = signed_trx.as<signed_transaction>();
}

chain::signed_transaction
wallet_manager::sign_transaction(const chain::signed_transaction& txn, const flat_set<public_key_type>& keys, const chain::chain_id_type& id) {
   check_timeout();
   chain::signed_transaction stxn(txn);

   for (const auto& pk : keys) {
      bool found = false;
      for (const auto& i : wallets) {
         if (!i.second->is_locked()) {
            //根据public key拿到private key并签名,这个是没法伪造的
            const auto& k = i.second->try_get_private_key(pk);
            if (k) {
               stxn.sign(*k, id);
               found = true;
               break; // inner for
            }
         }
      }
   }

   return stxn;
}

节点验证权限授权证明

用权限permission授权的私钥签名(授权证明)的交易发布到网络后,矿工收到该交易后,还需要解释签名并验证权限。验证分为两部分

  • 声明的权限是否满足action的最低权限要求

    transaction_trace_ptr push_transaction( const transaction_metadata_ptr& trx,
                                           fc::time_point deadline,
                                           bool implicit,
                                           uint32_t billed_cpu_time_us  )
    {
      FC_ASSERT(deadline != fc::time_point(), "deadline cannot be uninitialized");
    
      transaction_trace_ptr trace;
      try {
            if (!implicit) {
               //检验权限和
               authorization.check_authorization(
                       trx->trx.actions,
                       trx->recover_keys(),
                       {},
                       trx_context.delay,
                       [](){}
            }
    
      } FC_CAPTURE_AND_RETHROW((trace))
    } /// push_transaction
    
     //从签名里获取action发起者拥有的public key
      const flat_set<public_key_type>& recover_keys() {
         // TODO: Update caching logic below when we use a proper chain id setup for the particular blockchain rather than just chain_id_type()
         if( !signing_keys )
            signing_keys = trx.get_signature_keys( chain_id_type() );
         return *signing_keys;
      }
    
    void
       authorization_manager::check_authorization( const vector<action>&                actions,
                                                   const flat_set<public_key_type>&     provided_keys,
                                                   const 
    flat_set<permission_level>&    provided_permissions,
                                                  )const
       {
          map<permission_level, fc::microseconds> permissions_to_satisfy;
    
          for( const auto& act : actions ) {
             bool special_case = false;
             fc::microseconds delay = effective_provided_delay;
    
             if( act.account == config::system_account_name ) {
                special_case = true;
                //系统级action,比如修改权限的授权,链接授权等action,它的执行权限permission是固定的,需要在这里检测签名的keys是否具备相应的permission
                if( act.name == updateauth::get_name() ) {
                   check_updateauth_authorization( act.data_as<updateauth>(), act.authorization );
                } else if( act.name == deleteauth::get_name() ) {
                   check_deleteauth_authorization( act.data_as<deleteauth>(), act.authorization );
                ……..
                }
             }
    
             //authorization
             //其他action,检测授权是否正确
             for( const auto& declared_auth : act.authorization ) {
                //对于上面的case,这里的[email protected]
                checktime();
    
                if( !special_case ) {
                   //获取该action需要的最低权限
                   auto min_permission_name = lookup_minimum_permission(declared_auth.actor, act.account, act.name);
                   if( min_permission_name ) { // since special cases were already handled, it should only be false if the permission is eosio.any
                      //从区块中取出最低权限数据
                      const auto& min_permission = get_permission({declared_auth.actor, *min_permission_name});
                      //比较声明的权限是否满足最低权限
                      EOS_ASSERT( get_permission(declared_auth).satisfies( min_permission,
                                                                           _db.get_index<permission_index>().indices() ),
                                  irrelevant_auth_exception,
                                  "action declares irrelevant authority '${auth}'; minimum authority is ${min}",
                                  ("auth", declared_auth)("min", permission_level{min_permission.owner, min_permission.name}) );
                   }
                }
    
       }
    

    声明的权限的授权签名是否正确

    void
    authorization_manager::check_authorization( const vector<action>&                actions,
                                               const flat_set<public_key_type>&     provided_keys,
                                               const flat_set<permission_level>&    provided_permissions,
                                              )const
    { 
     auto checker = make_auth_checker( [&](const permission_level& p){ return get_permission(p).auth; },
                                        _control.get_global_properties().configuration.max_authority_depth,
                                        provided_keys,
                                        provided_permissions,
                                        effective_provided_delay,
                                        checktime
                                      );
    ..
    for( const auto& p : permissions_to_satisfy ) {
         checktime(); // TODO: this should eventually move into authority_checker instead
         //验证
         EOS_ASSERT( checker.satisfied( p.first, p.second ), unsatisfied_authorization,
                     "transaction declares authority '${auth}', "
                     "but does not have signatures for it under a provided delay of ${provided_delay} ms",
                     ("auth", p.first)("provided_delay", provided_delay.count()/1000)
                     ("delay_max_limit_ms", delay_max_limit.count()/1000)
                   );
    
      }
    

    权限验证实例

    修改权限,命令如下:

    $cleos set account permission testaccount active '{"threshold" : 1, "keys" : [], "accounts" : [{"permission":{"actor":"bob","permission":"active"},"weight":1}, {"permission":{"actor":"stacy","permission":"active"},"weight":1}]}’ owner
    

    该命令没有添加permission参数,cleos会自动添加默认权限声明,其等价于

    $cleos set account permission testaccount active '{"threshold" : 1, "keys" : [], "accounts" : [{"permission":{"actor":"bob","permission":"active"},"weight":1}, {"permission":{"actor":"stacy","permission":"active"},"weight":1}]}’ owner
    -p [email protected]
    

    -p [email protected]是cleos自动补全的 该action打包到transaction然后进入到了某一个矿工节点,然后就会执行上面的authorization_manager::check_authorization函数来验证权限,而对于该系统action,会调用check_updateauth_authorization来检验

    void authorization_manager::check_updateauth_authorization( const updateauth& update,
                                                               const vector<permission_level>& auths
                                                             )const
    {
      EOS_ASSERT( auths.size() == 1, irrelevant_auth_exception,
                  "updateauth action should only have one declared authorization" );
      const auto& auth = auths[0];
      EOS_ASSERT( auth.actor == update.account, irrelevant_auth_exception,
                  "the owner of the affected permission needs to be the actor of the declared authorization" );
      //检测对应的permission是否存在
      const auto* min_permission = find_permission({update.account, update.permission});
      if( !min_permission ) { // creating a new permission
         //不存在则以父permission为min_permission检测
         min_permission = &get_permission({update.account, update.parent});
      }
      //示例中,testaccount.active存在,所以[email protected]
      //声明的也是[email protected],所以能通过验证
      EOS_ASSERT( get_permission(auth).satisfies( *min_permission,
                                                  _db.get_index<permission_index>().indices() ),
                  irrelevant_auth_exception,
                  "updateauth action declares irrelevant authority '${auth}'; minimum authority is ${min}",
                  ("auth", auth)("min", permission_level{update.account, min_permission->name}) );
    }
    

    contract函数执行类型的action, 权限检测由contract代码激发,比如下面的例子

    void hi( account_name user ) {
    require_auth( user );
    print( "Hello, ", name{user} );
    }
    

    require_auth(user)就会激发对‘[email protected]’权限的检测

    转载自:http://blog.csdn.net/itleaks
暂无回复。
需要 登录 后方可回复, 如果你还没有账号请点击这里 注册