[FAB-6050] Adding fabric-ca sample

This sample uses fabric-ca to run an end-to-end test similar to the BYFN sample. However, instead of using cryptogen, it uses fabric-ca. All private keys are generated dynamically in the container in which they are used. This sample also demonstrates how to use abac (Attribute-Based Access Control) to make access decisions. See chaincode/abac/abac.go. Change-Id: I5eddc9e35908e409ac07266c3183ce89a5a6cd82 Signed-off-by: Keith Smith <bksmith@us.ibm.com>
hyperledger · Oct 17, 2017 · caf5c33 · caf5c33
1 parent 7cca09f
commit caf5c33
Show file tree

Hide file tree

Showing 15 changed files with 1,604 additions and 0 deletions.
diff --git a/chaincode/abac/abac.go b/chaincode/abac/abac.go
@@ -0,0 +1,206 @@
+/*
+Copyright IBM Corp. 2016 All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+		 http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/hyperledger/fabric/core/chaincode/shim"
+	"github.com/hyperledger/fabric/core/chaincode/lib/cid"
+	pb "github.com/hyperledger/fabric/protos/peer"
+)
+
+// SimpleChaincode example simple Chaincode implementation
+type SimpleChaincode struct {
+}
+
+// Init initializes the chaincode
+func (t *SimpleChaincode) Init(stub shim.ChaincodeStubInterface) pb.Response {
+
+	fmt.Println("abac Init")
+
+	//
+	// Demonstrate the use of Attribute-Based Access Control (ABAC) by checking
+	// to see if the caller has the "abac.init" attribute with a value of true;
+	// if not, return an error.
+	//
+	err := cid.AssertAttributeValue(stub, "abac.init", "true")
+	if err != nil {
+		return shim.Error(err.Error())
+	}
+
+	_, args := stub.GetFunctionAndParameters()
+	var A, B string    // Entities
+	var Aval, Bval int // Asset holdings
+
+	if len(args) != 4 {
+		return shim.Error("Incorrect number of arguments. Expecting 4")
+	}
+
+	// Initialize the chaincode
+	A = args[0]
+	Aval, err = strconv.Atoi(args[1])
+	if err != nil {
+		return shim.Error("Expecting integer value for asset holding")
+	}
+	B = args[2]
+	Bval, err = strconv.Atoi(args[3])
+	if err != nil {
+		return shim.Error("Expecting integer value for asset holding")
+	}
+	fmt.Printf("Aval = %d, Bval = %d\n", Aval, Bval)
+
+	// Write the state to the ledger
+	err = stub.PutState(A, []byte(strconv.Itoa(Aval)))
+	if err != nil {
+		return shim.Error(err.Error())
+	}
+
+	err = stub.PutState(B, []byte(strconv.Itoa(Bval)))
+	if err != nil {
+		return shim.Error(err.Error())
+	}
+
+	return shim.Success(nil)
+}
+
+func (t *SimpleChaincode) Invoke(stub shim.ChaincodeStubInterface) pb.Response {
+	fmt.Println("abac Invoke")
+	function, args := stub.GetFunctionAndParameters()
+	if function == "invoke" {
+		// Make payment of X units from A to B
+		return t.invoke(stub, args)
+	} else if function == "delete" {
+		// Deletes an entity from its state
+		return t.delete(stub, args)
+	} else if function == "query" {
+		// the old "Query" is now implemtned in invoke
+		return t.query(stub, args)
+	}
+
+	return shim.Error("Invalid invoke function name. Expecting \"invoke\" \"delete\" \"query\"")
+}
+
+// Transaction makes payment of X units from A to B
+func (t *SimpleChaincode) invoke(stub shim.ChaincodeStubInterface, args []string) pb.Response {
+	var A, B string    // Entities
+	var Aval, Bval int // Asset holdings
+	var X int          // Transaction value
+	var err error
+
+	if len(args) != 3 {
+		return shim.Error("Incorrect number of arguments. Expecting 3")
+	}
+
+	A = args[0]
+	B = args[1]
+
+	// Get the state from the ledger
+	// TODO: will be nice to have a GetAllState call to ledger
+	Avalbytes, err := stub.GetState(A)
+	if err != nil {
+		return shim.Error("Failed to get state")
+	}
+	if Avalbytes == nil {
+		return shim.Error("Entity not found")
+	}
+	Aval, _ = strconv.Atoi(string(Avalbytes))
+
+	Bvalbytes, err := stub.GetState(B)
+	if err != nil {
+		return shim.Error("Failed to get state")
+	}
+	if Bvalbytes == nil {
+		return shim.Error("Entity not found")
+	}
+	Bval, _ = strconv.Atoi(string(Bvalbytes))
+
+	// Perform the execution
+	X, err = strconv.Atoi(args[2])
+	if err != nil {
+		return shim.Error("Invalid transaction amount, expecting a integer value")
+	}
+	Aval = Aval - X
+	Bval = Bval + X
+	fmt.Printf("Aval = %d, Bval = %d\n", Aval, Bval)
+
+	// Write the state back to the ledger
+	err = stub.PutState(A, []byte(strconv.Itoa(Aval)))
+	if err != nil {
+		return shim.Error(err.Error())
+	}
+
+	err = stub.PutState(B, []byte(strconv.Itoa(Bval)))
+	if err != nil {
+		return shim.Error(err.Error())
+	}
+
+	return shim.Success(nil)
+}
+
+// Deletes an entity from state
+func (t *SimpleChaincode) delete(stub shim.ChaincodeStubInterface, args []string) pb.Response {
+	if len(args) != 1 {
+		return shim.Error("Incorrect number of arguments. Expecting 1")
+	}
+
+	A := args[0]
+
+	// Delete the key from the state in ledger
+	err := stub.DelState(A)
+	if err != nil {
+		return shim.Error("Failed to delete state")
+	}
+
+	return shim.Success(nil)
+}
+
+// query callback representing the query of a chaincode
+func (t *SimpleChaincode) query(stub shim.ChaincodeStubInterface, args []string) pb.Response {
+	var A string // Entities
+	var err error
+
+	if len(args) != 1 {
+		return shim.Error("Incorrect number of arguments. Expecting name of the person to query")
+	}
+
+	A = args[0]
+
+	// Get the state from the ledger
+	Avalbytes, err := stub.GetState(A)
+	if err != nil {
+		jsonResp := "{\"Error\":\"Failed to get state for " + A + "\"}"
+		return shim.Error(jsonResp)
+	}
+
+	if Avalbytes == nil {
+		jsonResp := "{\"Error\":\"Nil amount for " + A + "\"}"
+		return shim.Error(jsonResp)
+	}
+
+	jsonResp := "{\"Name\":\"" + A + "\",\"Amount\":\"" + string(Avalbytes) + "\"}"
+	fmt.Printf("Query Response:%s\n", jsonResp)
+	return shim.Success(Avalbytes)
+}
+
+func main() {
+	err := shim.Start(new(SimpleChaincode))
+	if err != nil {
+		fmt.Printf("Error starting Simple chaincode: %s", err)
+	}
+}
diff --git a/fabric-ca/.env b/fabric-ca/.env
@@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=net
diff --git a/fabric-ca/.gitignore b/fabric-ca/.gitignore
@@ -0,0 +1,2 @@
+docker-compose.yml
+data
diff --git a/fabric-ca/README.md b/fabric-ca/README.md
@@ -0,0 +1,88 @@
+# Hyperledger Fabric CA sample
+
+The Hyperledger Fabric CA sample demonstrates the following:
+
+* How to use the Hyperledger Fabric CA client and server to generate all crypto
+  material rather than using cryptogen.  The cryptogen tool is not intended for
+  a production environment because it generates all private keys in one location
+  which must then be copied to the appropriate host or container. This sample demonstrates
+  how to generate crypto material for orderers, peers, administrators, and end
+  users so that private keys never leave the host or container in which they are generated.
+
+* How to use Attribute-Based Access Control (ABAC). See fabric-samples/chaincode/abac/abac.go and
+  note the use of the *github.com/hyperledger/fabric/core/chaincode/lib/cid* package to extract
+  attributes from the invoker's identity.  Only identities with the *abac.init* attribute value of
+  *true* can successfully call the *Init* function to instantiate the chaincode.
+
+## Running this sample
+
+1. The following images are required to run this sample:
+*hyperledger/fabric-ca-orderer*, *hyperledger/fabric-ca-peer*, and *hyperledger/fabric-ca-tools*.
+These images are new in the v1.1.0 release of the *github.com/hyperledger/fabric-ca*.
+In order to run this sample prior to the v1.1.0 release, you must build these
+images manually as follows:
+a) pull the master branch of the *github.com/hyperledger/fabric* and
+   *github.com/hyperledger/fabric-ca* repositories;
+b) make sure these repositories are on your GOPATH;
+c) run the *build-images.sh* script provided with this sample.
+
+2. To run this sample, simply run the *start.sh* script.  You may do this multiple times in a row as needed
+since the *start.sh* script cleans up before starting each time.
+
+3. To stop the containers which are started by the *start.sh* script, you may run the *stop.sh* script.
+
+## Understanding this sample
+
+There are some variables at the top of *fabric-samples/fabric-ca/scripts/env.sh* script which
+define the names and topology of this sample.  You may modify these as described in the comments
+of the script in order to customize this sample.  By default, there are three organizations.
+The orderer organization is *org0*, and two peer organizations are *org1* and *org2*.
+
+The *start.sh* script first builds the *docker-compose.yml* file (by invoking the
+*makeDocker.sh* script) and then starts the docker containers.
+The *data* directory is a volume mount for all containers.
+This volume mount is not be needed in a real scenario, but it is used by this sample
+for the following reasons:
+  a) so that all containers can write their logs to a common directory
+     (i.e. *the *data/logs* directory) to make debugging easier;
+  b) to synchronize the sequence in which containers start as described below
+     (for example, an intermediate CA in an *ica* container must wait for the
+      corresponding root CA in a *rca* container to write its certificate to
+      the *data* directory);
+  c) to access bootstrap certificates required by clients to connect over TLS.
+
+The containers defined in the *docker-compose.yml* file are started in the
+following sequence.
+
+1. The *rca* (root CA) containers start first, one for each organization.
+An *rca* container runs the fabric-ca-server for the root CA of an
+organization. The root CA certificate is written to the *data* directory
+and is used when an intermediate CA must connect to it over TLS.
+
+2. The *ica* (Intermediate CA) containers start next.  An *ica* container
+runs the fabric-ca-server for the intermediate CA of an organization.
+Each of these containers enrolls with a corresponding root CA.
+The intermediate CA certificate is also written to the *data* directory.
+
+3. The *setup* container registers identities with the intermediate CAs,
+generates the genesis block, and other artifacts needed to setup the
+blockchain network.  This is performed by the
+*fabric-samples/fabric-ca/scripts/run-fabric.sh* script.  Note that the
+admin identity is registered with **abac.init=true:ecert**
+(see the *registerPeerIdentities* function of this script).  This causes
+the admin's enrollment certificate (ECert) to have an attribute named "abac.init"
+with a value of "true".  Note further that the chaincode used by this sample
+requires this attribute be included in the certificate of the identity that
+invokes its Init function.  See the chaincode at *fabric-samples/chaincode/abac/abac.go*).
+For more information on Attribute-Based Access Control (ABAC), see
+https://github.com/hyperledger/fabric/tree/release/core/chaincode/lib/cid/README.md.
+
+4. The orderer and peer containers are started.  The naming of these containers
+is straight-forward as is their log files in the *data/logs* directory.
+
+5. The *run* container is started which runs the actual test case.  It creates
+a channel, peers join the channel, chaincode is installed and instantiated,
+and the chaincode is queried and invoked.  See the *main* function of the
+*fabric-samples/fabric-ca/scripts/run-fabric.sh* script for more details.
+
+<a rel="license" href="http://creativecommons.org/licenses/by/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>
diff --git a/fabric-ca/build-images.sh b/fabric-ca/build-images.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+#
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+#
+# This script builds the images required to run this sample.
+#
+
+function assertOnMasterBranch {
+   if [ "`git rev-parse --abbrev-ref HEAD`" != "master" ]; then
+      fatal "You must switch to the master branch in `pwd`"
+   fi
+}
+
+set -e
+
+SDIR=$(dirname "$0")
+source $SDIR/scripts/env.sh
+
+# Delete docker containers
+dockerContainers=$(docker ps -a | awk '$2~/hyperledger/ {print $1}')
+if [ "$dockerContainers" != "" ]; then
+   log "Deleting existing docker containers ..."
+   docker rm -f $dockerContainers > /dev/null
+fi
+
+# Remove chaincode docker images
+chaincodeImages=`docker images | grep "^dev-peer" | awk '{print $3}'`
+if [ "$chaincodeImages" != "" ]; then
+   log "Removing chaincode docker images ..."
+   docker rmi $chaincodeImages > /dev/null
+fi
+
+# Perform docker clean for fabric-ca
+log "Cleaning fabric-ca docker images ..."
+cd $GOPATH/src/github.com/hyperledger/fabric-ca
+assertOnMasterBranch
+make docker-clean
+
+# Perform docker clean for fabric and rebuild
+log "Cleaning and rebuilding fabric docker images ..."
+cd $GOPATH/src/github.com/hyperledger/fabric
+assertOnMasterBranch
+make docker-clean docker
+
+# Perform docker clean for fabric and rebuild against latest fabric images just built
+log "Rebuilding fabric-ca docker images ..."
+cd $GOPATH/src/github.com/hyperledger/fabric-ca
+FABRIC_TAG=latest make docker
+
+log "Setup completed successfully.  You may run the tests multiple times by running start.sh."