[FAB-6050] Adding fabric-ca sample

This sample uses fabric-ca to run an end-to-end test similar to the BYFN sample. However, instead of using cryptogen, it uses fabric-ca. All private keys are generated dynamically in the container in which they are used. This sample also demonstrates how to use abac (Attribute-Based Access Control) to make access decisions. See chaincode/abac/abac.go. Change-Id: I5eddc9e35908e409ac07266c3183ce89a5a6cd82 Signed-off-by: Keith Smith <bksmith@us.ibm.com>
hyperledger · Oct 17, 2017 · caf5c33 · caf5c33
1 parent 7cca09f
commit caf5c33
Show file tree

Hide file tree

Showing 15 changed files with 1,604 additions and 0 deletions.
diff --git a/chaincode/abac/abac.go b/chaincode/abac/abac.go
@@ -0,0 +1,206 @@
+/*
+Copyright IBM Corp. 2016 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+ "fmt"
+ "strconv"
+
+ "github.com/hyperledger/fabric/core/chaincode/shim"
+ "github.com/hyperledger/fabric/core/chaincode/lib/cid"
+ pb "github.com/hyperledger/fabric/protos/peer"
+)
+
+// SimpleChaincode example simple Chaincode implementation
+type SimpleChaincode struct {
+}
+
+// Init initializes the chaincode
+func (t *SimpleChaincode) Init(stub shim.ChaincodeStubInterface) pb.Response {
+
+ fmt.Println("abac Init")
+
+ //
+ // Demonstrate the use of Attribute-Based Access Control (ABAC) by checking
+ // to see if the caller has the "abac.init" attribute with a value of true;
+ // if not, return an error.
+ //
+ err := cid.AssertAttributeValue(stub, "abac.init", "true")
+ if err != nil {
+ return shim.Error(err.Error())
+ }
+
+ _, args := stub.GetFunctionAndParameters()
+ var A, B string // Entities
+ var Aval, Bval int // Asset holdings
+
+ if len(args) != 4 {
+ return shim.Error("Incorrect number of arguments. Expecting 4")
+ }
+
+ // Initialize the chaincode
+ A = args[0]
+ Aval, err = strconv.Atoi(args[1])
+ if err != nil {
+ return shim.Error("Expecting integer value for asset holding")
+ }
+ B = args[2]
+ Bval, err = strconv.Atoi(args[3])
+ if err != nil {
+ return shim.Error("Expecting integer value for asset holding")
+ }
+ fmt.Printf("Aval = %d, Bval = %d\n", Aval, Bval)
+
+ // Write the state to the ledger
+ err = stub.PutState(A, []byte(strconv.Itoa(Aval)))
+ if err != nil {
+ return shim.Error(err.Error())
+ }
+
+ err = stub.PutState(B, []byte(strconv.Itoa(Bval)))
+ if err != nil {
+ return shim.Error(err.Error())
+ }
+
+ return shim.Success(nil)
+}
+
+func (t *SimpleChaincode) Invoke(stub shim.ChaincodeStubInterface) pb.Response {
+ fmt.Println("abac Invoke")
+ function, args := stub.GetFunctionAndParameters()
+ if function == "invoke" {
+ // Make payment of X units from A to B
+ return t.invoke(stub, args)
+ } else if function == "delete" {
+ // Deletes an entity from its state
+ return t.delete(stub, args)
+ } else if function == "query" {
+ // the old "Query" is now implemtned in invoke
+ return t.query(stub, args)
+ }
+
+ return shim.Error("Invalid invoke function name. Expecting \"invoke\" \"delete\" \"query\"")
+}
+
+// Transaction makes payment of X units from A to B
+func (t *SimpleChaincode) invoke(stub shim.ChaincodeStubInterface, args []string) pb.Response {
+ var A, B string // Entities
+ var Aval, Bval int // Asset holdings
+ var X int // Transaction value
+ var err error
+
+ if len(args) != 3 {
+ return shim.Error("Incorrect number of arguments. Expecting 3")
+ }
+
+ A = args[0]
+ B = args[1]
+
+ // Get the state from the ledger
+ // TODO: will be nice to have a GetAllState call to ledger
+ Avalbytes, err := stub.GetState(A)
+ if err != nil {
+ return shim.Error("Failed to get state")
+ }
+ if Avalbytes == nil {
+ return shim.Error("Entity not found")
+ }
+ Aval, _ = strconv.Atoi(string(Avalbytes))
+
+ Bvalbytes, err := stub.GetState(B)
+ if err != nil {
+ return shim.Error("Failed to get state")
+ }
+ if Bvalbytes == nil {
+ return shim.Error("Entity not found")
+ }
+ Bval, _ = strconv.Atoi(string(Bvalbytes))
+
+ // Perform the execution
+ X, err = strconv.Atoi(args[2])
+ if err != nil {
+ return shim.Error("Invalid transaction amount, expecting a integer value")
+ }
+ Aval = Aval - X
+ Bval = Bval + X
+ fmt.Printf("Aval = %d, Bval = %d\n", Aval, Bval)
+
+ // Write the state back to the ledger
+ err = stub.PutState(A, []byte(strconv.Itoa(Aval)))
+ if err != nil {
+ return shim.Error(err.Error())
+ }
+
+ err = stub.PutState(B, []byte(strconv.Itoa(Bval)))
+ if err != nil {
+ return shim.Error(err.Error())
+ }
+
+ return shim.Success(nil)
+}
+
+// Deletes an entity from state
+func (t *SimpleChaincode) delete(stub shim.ChaincodeStubInterface, args []string) pb.Response {
+ if len(args) != 1 {
+ return shim.Error("Incorrect number of arguments. Expecting 1")
+ }
+
+ A := args[0]
+
+ // Delete the key from the state in ledger
+ err := stub.DelState(A)
+ if err != nil {
+ return shim.Error("Failed to delete state")
+ }
+
+ return shim.Success(nil)
+}
+
+// query callback representing the query of a chaincode
+func (t *SimpleChaincode) query(stub shim.ChaincodeStubInterface, args []string) pb.Response {
+ var A string // Entities
+ var err error
+
+ if len(args) != 1 {
+ return shim.Error("Incorrect number of arguments. Expecting name of the person to query")
+ }
+
+ A = args[0]
+
+ // Get the state from the ledger
+ Avalbytes, err := stub.GetState(A)
+ if err != nil {
+ jsonResp := "{\"Error\":\"Failed to get state for " + A + "\"}"
+ return shim.Error(jsonResp)
+ }
+
+ if Avalbytes == nil {
+ jsonResp := "{\"Error\":\"Nil amount for " + A + "\"}"
+ return shim.Error(jsonResp)
+ }
+
+ jsonResp := "{\"Name\":\"" + A + "\",\"Amount\":\"" + string(Avalbytes) + "\"}"
+ fmt.Printf("Query Response:%s\n", jsonResp)
+ return shim.Success(Avalbytes)
+}
+
+func main() {
+ err := shim.Start(new(SimpleChaincode))
+ if err != nil {
+ fmt.Printf("Error starting Simple chaincode: %s", err)
+ }
+}
diff --git a/fabric-ca/.env b/fabric-ca/.env
@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=net
diff --git a/fabric-ca/.gitignore b/fabric-ca/.gitignore
@@ -0,0 +1,2 @@
+docker-compose.yml
+data
diff --git a/fabric-ca/README.md b/fabric-ca/README.md
@@ -0,0 +1,88 @@
+# Hyperledger Fabric CA sample
+
+The Hyperledger Fabric CA sample demonstrates the following:
+
+* How to use the Hyperledger Fabric CA client and server to generate all crypto
+ material rather than using cryptogen. The cryptogen tool is not intended for
+ a production environment because it generates all private keys in one location
+ which must then be copied to the appropriate host or container. This sample demonstrates
+ how to generate crypto material for orderers, peers, administrators, and end
+ users so that private keys never leave the host or container in which they are generated.
+
+* How to use Attribute-Based Access Control (ABAC). See fabric-samples/chaincode/abac/abac.go and
+ note the use of the *github.com/hyperledger/fabric/core/chaincode/lib/cid* package to extract
+ attributes from the invoker's identity. Only identities with the *abac.init* attribute value of
+ *true* can successfully call the *Init* function to instantiate the chaincode.
+
+## Running this sample
+
+1. The following images are required to run this sample:
+*hyperledger/fabric-ca-orderer*, *hyperledger/fabric-ca-peer*, and *hyperledger/fabric-ca-tools*.
+These images are new in the v1.1.0 release of the *github.com/hyperledger/fabric-ca*.
+In order to run this sample prior to the v1.1.0 release, you must build these
+images manually as follows:
+a) pull the master branch of the *github.com/hyperledger/fabric* and
+ *github.com/hyperledger/fabric-ca* repositories;
+b) make sure these repositories are on your GOPATH;
+c) run the *build-images.sh* script provided with this sample.
+
+2. To run this sample, simply run the *start.sh* script. You may do this multiple times in a row as needed
+since the *start.sh* script cleans up before starting each time.
+
+3. To stop the containers which are started by the *start.sh* script, you may run the *stop.sh* script.
+
+## Understanding this sample
+
+There are some variables at the top of *fabric-samples/fabric-ca/scripts/env.sh* script which
+define the names and topology of this sample. You may modify these as described in the comments
+of the script in order to customize this sample. By default, there are three organizations.
+The orderer organization is *org0*, and two peer organizations are *org1* and *org2*.
+
+The *start.sh* script first builds the *docker-compose.yml* file (by invoking the
+*makeDocker.sh* script) and then starts the docker containers.
+The *data* directory is a volume mount for all containers.
+This volume mount is not be needed in a real scenario, but it is used by this sample
+for the following reasons:
+ a) so that all containers can write their logs to a common directory
+ (i.e. *the *data/logs* directory) to make debugging easier;
+ b) to synchronize the sequence in which containers start as described below
+ (for example, an intermediate CA in an *ica* container must wait for the
+ corresponding root CA in a *rca* container to write its certificate to
+ the *data* directory);
+ c) to access bootstrap certificates required by clients to connect over TLS.
+
+The containers defined in the *docker-compose.yml* file are started in the
+following sequence.
+
+1. The *rca* (root CA) containers start first, one for each organization.
+An *rca* container runs the fabric-ca-server for the root CA of an
+organization. The root CA certificate is written to the *data* directory
+and is used when an intermediate CA must connect to it over TLS.
+
+2. The *ica* (Intermediate CA) containers start next. An *ica* container
+runs the fabric-ca-server for the intermediate CA of an organization.
+Each of these containers enrolls with a corresponding root CA.
+The intermediate CA certificate is also written to the *data* directory.
+
+3. The *setup* container registers identities with the intermediate CAs,
+generates the genesis block, and other artifacts needed to setup the
+blockchain network. This is performed by the
+*fabric-samples/fabric-ca/scripts/run-fabric.sh* script. Note that the
+admin identity is registered with **abac.init=true:ecert**
+(see the *registerPeerIdentities* function of this script). This causes
+the admin's enrollment certificate (ECert) to have an attribute named "abac.init"
+with a value of "true". Note further that the chaincode used by this sample
+requires this attribute be included in the certificate of the identity that
+invokes its Init function. See the chaincode at *fabric-samples/chaincode/abac/abac.go*).
+For more information on Attribute-Based Access Control (ABAC), see
+https://github.com/hyperledger/fabric/tree/release/core/chaincode/lib/cid/README.md.
+
+4. The orderer and peer containers are started. The naming of these containers
+is straight-forward as is their log files in the *data/logs* directory.
+
+5. The *run* container is started which runs the actual test case. It creates
+a channel, peers join the channel, chaincode is installed and instantiated,
+and the chaincode is queried and invoked. See the *main* function of the
+*fabric-samples/fabric-ca/scripts/run-fabric.sh* script for more details.
+
+<a rel="license" href="http://creativecommons.org/licenses/by/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>
diff --git a/fabric-ca/build-images.sh b/fabric-ca/build-images.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+#
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+#
+# This script builds the images required to run this sample.
+#
+
+function assertOnMasterBranch {
+ if [ "`git rev-parse --abbrev-ref HEAD`" != "master" ]; then
+ fatal "You must switch to the master branch in `pwd`"
+ fi
+}
+
+set -e
+
+SDIR=$(dirname "$0")
+source $SDIR/scripts/env.sh
+
+# Delete docker containers
+dockerContainers=$(docker ps -a | awk '$2~/hyperledger/ {print $1}')
+if [ "$dockerContainers" != "" ]; then
+ log "Deleting existing docker containers ..."
+ docker rm -f $dockerContainers > /dev/null
+fi
+
+# Remove chaincode docker images
+chaincodeImages=`docker images | grep "^dev-peer" | awk '{print $3}'`
+if [ "$chaincodeImages" != "" ]; then
+ log "Removing chaincode docker images ..."
+ docker rmi $chaincodeImages > /dev/null
+fi
+
+# Perform docker clean for fabric-ca
+log "Cleaning fabric-ca docker images ..."
+cd $GOPATH/src/github.com/hyperledger/fabric-ca
+assertOnMasterBranch
+make docker-clean
+
+# Perform docker clean for fabric and rebuild
+log "Cleaning and rebuilding fabric docker images ..."
+cd $GOPATH/src/github.com/hyperledger/fabric
+assertOnMasterBranch
+make docker-clean docker
+
+# Perform docker clean for fabric and rebuild against latest fabric images just built
+log "Rebuilding fabric-ca docker images ..."
+cd $GOPATH/src/github.com/hyperledger/fabric-ca
+FABRIC_TAG=latest make docker
+
+log "Setup completed successfully. You may run the tests multiple times by running start.sh."