@brioux/cactus-plugin-ledger-connector-fabric
v0.9.8-web-socket-identity-provider
Published
Allows Cactus nodes to connect to a Fabric ledger.
Downloads
17
Maintainers
briouxReadme
@hyperledger/cactus-plugin-ledger-connector-fabric
This plugin provides Cactus a way to interact with Fabric networks. Using this we can perform:
- Deploy Golang chaincodes.
- Make transactions.
- Invoke chaincodes functions that we have deployed on the network.
Summary
- Getting Started
- Architecture
- Usage
- Identity Providers
- Runing the tests
- Built With
- Prometheus Exporter
- Contributing
- License
- Acknowledgments
Getting Started
Clone the git repository on your local machine. Follow these instructions that will get you a copy of the project up and running on your local machine for development and testing purposes.
Prerequisites
In the root of the project to install the dependencies execute the command:
npm run comfigureCompiling
In the project root folder, run this command to compile the plugin and create the dist directory:
npm run tscArchitecture
The sequence diagrams for various endpoints are mentioned below
run-transaction-endpoint
The above diagram shows the sequence diagram of run-transaction-endpoint. User A (One of the many Users) interacts with the API Client which in turn, calls the API server. API server then executes transact() method which is explained in detailed in the subsequent diagram.
The above diagram shows the sequence diagraom of transact() method of the PluginLedgerConnectorFabric class. The caller to this function, which in reference to the above sequence diagram is API server, sends RunTransactionRequest object as an argument to the transact() method. Based on the invocationType (FabricContractInvocationType.CALL, FabricCOntractInvocationType.SEND), corresponding responses are send back to the caller.
The above diagram shows the sequence diagraom of enroll() method of the PluginLedgerConnectorFabric class. The caller to this function, which in reference to the above sequence diagram is API server, sends Signer object along with EnrollmentRequest as an argument to the enroll() method. Based on the singerType (FabricSigningCredentialType.X509, FabricSigningCredentialType.VaultX509, FabricSigningCredentialType.WsX509), corresponding identity is enrolled and stored inside keychain.
Usage
To use this import public-api and create new PluginLedgerConnectorFabric and ChainCodeCompiler.
const connector: PluginLedgerConnectorFabric = new PluginLedgerConnectorFabric(pluginOptions);
const compiler = new ChainCodeCompiler({ logLevel });For compile the chaincodes:
const opts: ICompilationOptions = {
fileName: "hello-world-contract.go",
moduleName: "hello-world-contract",
pinnedDeps: [
"github.com/hyperledger/[email protected]",
"golang.org/x/[email protected]",
],
modTidyOnly: true, // we just need the go.mod file so tidy only is enough
sourceCode: HELLO_WORLD_CONTRACT_GO_SOURCE,
};
const result = await compiler.compile(opts);To support signing of message with multiple identity types
// vault server config for supporting vault identity provider
const vaultConfig:IVaultConfig = {
endpoint : "http://localhost:8200",
transitEngineMountPath: "/transit",
}
// web-socket server config for supporting vault identity provider
const webSocketConfig:IVaultConfig = {
server: socketServer as FabricSocketServer
}
// provide list of identity signing to be supported
const supportedIdentity:FabricSigningCredentialType[] = [FabricSigningCredentialType.VaultX509,FabricSigningCredentialType.WsX509,FabricSigningCredentialType.X509]
const pluginOptions:IPluginLedgerConnectorFabricOptions = {
// other options
vaultConfig : vaultConfig,
webSocketConfig : webSocketConfig,
supportedIdentity:supportedIdentity
// .. other options
}
const connector: PluginLedgerConnectorFabric = new PluginLedgerConnectorFabric(pluginOptions);To enroll an identity
await connector.enroll(
{
keychainId: "keychain-identifier-for storing-certData",
keychainRef: "cert-data-identifier",
// require in case of vault
type: FabricSigningCredentialType.VaultX509, // FabricSigningCredentialType.X509
vaultTransitKey: {
token: "vault-token",
keyName: "vault-key-label",
},
// required in case of web-socket server
type: FabricSigningCredentialType.WsX509,
webSocketKey: {
signature: signature,
sessionId: sessionId,
},
},
{
enrollmentID: "client2",
enrollmentSecret: "pw",
mspId: "Org1MSP",
caId: "ca.org1.example.com",
},
);To Register an identity using register's key
const secret = await connector.register(
{
keychainId: "keychain-id-that-store-certData-of-registrar",
keychainRef: "certData-label",
// require in case of vault
type: FabricSigningCredentialType.VaultX509, // FabricSigningCredentialType.X509
vaultTransitKey: {
token: testToken,
keyName: registrarKey,
},
// required in case of web-socket server
type: FabricSigningCredentialType.WsX509,
webSocketKey: {
signature: signature,
sessionId: sessionId,
},
},
{
enrollmentID: "client-enrollmentID",
enrollmentSecret: "pw",
affiliation: "org1.department1",
},
"ca.org1.example.com", // caID
);To transact with fabric
const resp = await connector.transact{
signingCredential: {
keychainId: keychainId,
keychainRef: "client-certData-id",
// require in case of vault
type: FabricSigningCredentialType.VaultX509, // FabricSigningCredentialType.X509
vaultTransitKey: {
token: testToken,
keyName: registrarKey,
},
// required in case of web-socket server
type: FabricSigningCredentialType.WsX509,
webSocketKey: {
signature: signature,
sessionId: sessionId,
},
},
// .. other options
}To Rotate the key
await connector.rotateKey(
{
keychainId: keychainId,
keychainRef: "client-certData-id",
type: FabricSigningCredentialType.VaultX509, // FabricSigningCredentialType.X509
// require in case of vault
vaultTransitKey: {
token: testToken,
keyName: registrarKey,
},
// key rotation currently not available using web-socket server
// web-socket connection not used to manages external keys
// user should re-enroll with new pub/priv key pair
},
{
enrollmentID: string;
enrollmentSecret: string;
caId: string;
}
)Extensive documentation and examples in the readthedocs (WIP)
Identity Providers
Identity providers allows client to manage their private more effectively and securely. Cactus Fabric Connector support multiple type of providers. Each provider differ based upon where the private are stored. On High level certificate credential are stored as
{
type: FabricSigningCredentialType;
credentials: {
certificate: string;
// if identity type is IdentityProvidersType.X509
privateKey?: string;
};
mspId: string;
}Currently Cactus Fabric Connector supports following Identity Providers
- X509 : Simple and unsecured provider wherein
privatekey is stored along with certificate in somedatastore. Whenever connector require signature on fabric message, private key is brought from thedatastoreand message signed at the connector. - Vault-X.509 : Secure provider wherein
privatekey is stored with vault's transit transit engine and certificate incertDatastore. Rather then bringing the key to the connector, message digest are sent to the vault server which returns thesignature. - WS-X.509 : Secure provider wherein
privatekey is stored withclientand certificate incertDatastore. To get the fabric messages signed, message digest is sent to the client viawebSocketconnection opened by the client in the beginning (as described above)
setting up a WS-X.509 provider
The following packages are used to access private keys (via web-socket) stored on a clients external device (e.g., browser, mobile app, or an IoT device...). -ws-identity: web-socket server that issues new ws-session tickets, authenticates incoming connections, and sends signature requests -ws-identity-client: backend connector to send requests from fabric application to ws-identity -ws-wallet: external clients key tool: create new key pair, open web-socket connection with ws-identity
Building the ws-identity docker image
Running the tests
To check that all has been installed correctly and that the pugin has no errors, run the tests:
- Run this command at the project's root:
npm run test:plugin-ledger-connector-fabricBuilding/running the container image locally
In the Cactus project root say:
DOCKER_BUILDKIT=1 docker build -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile . -t cplcbBuild with a specific version of the npm package:
DOCKER_BUILDKIT=1 docker build --build-arg NPM_PKG_VERSION=0.4.1 -f ./packages/cactus-plugin-ledger-connector-fabric/Dockerfile . -t cplcbRunning the container
Launch container with plugin configuration as an environment variable:
docker run \
--rm \
--publish 3000:3000 \
--publish 4000:4000 \
--env PLUGINS='[{"packageName": "@hyperledger/cactus-plugin-ledger-connector-fabric", "type": "org.hyperledger.cactus.plugin_import_type.LOCAL", "options": {"instanceId": "some-unique-fabric-connector-instance-id", "dockerBinary": "usr/local/bin/docker","cliContainerEnv": {
"CORE_PEER_LOCALMSPID": "Org1MSP",
"CORE_PEER_ADDRESS": "peer0.org1.example.com:7051",
"CORE_PEER_MSPCONFIGPATH":
"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/[email protected]/msp",
"CORE_PEER_TLS_ROOTCERT_FILE":
"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt",
"ORDERER_TLS_ROOTCERT_FILE":
"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
},
"discoveryOptions": {
"enabled": true,
"asLocalhost: true"
}
}}}]' \
cplcbLaunch container with plugin configuration as a CLI argument:
docker run \
--rm \
--publish 3000:3000 \
--publish 4000:4000 \
cplcb \
./node_modules/.bin/cactusapi \
--plugins='[{"packageName": "@hyperledger/cactus-plugin-ledger-connector-fabric", "type": "org.hyperledger.cactus.plugin_import_type.LOCAL", "options": {"instanceId": "some-unique-fabric-connector-instance-id", "dockerBinary": "usr/local/bin/docker","cliContainerEnv": {
"CORE_PEER_LOCALMSPID": "Org1MSP",
"CORE_PEER_ADDRESS": "peer0.org1.example.com:7051",
"CORE_PEER_MSPCONFIGPATH":
"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/[email protected]/msp",
"CORE_PEER_TLS_ROOTCERT_FILE":
"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt",
"ORDERER_TLS_ROOTCERT_FILE":
"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
},
"discoveryOptions": {
"enabled": true,
"asLocalhost: true"
}
}}}]'Launch container with configuration file mounted from host machine:
echo '[{"packageName": "@hyperledger/cactus-plugin-ledger-connector-fabric", "type": "org.hyperledger.cactus.plugin_import_type.LOCAL", "options": {"instanceId": "some-unique-fabric-connector-instance-id", "dockerBinary": "usr/local/bin/docker","cliContainerEnv": {
"CORE_PEER_LOCALMSPID": "Org1MSP",
"CORE_PEER_ADDRESS": "peer0.org1.example.com:7051",
"CORE_PEER_MSPCONFIGPATH":
"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/[email protected]/msp",
"CORE_PEER_TLS_ROOTCERT_FILE":
"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt",
"ORDERER_TLS_ROOTCERT_FILE":
"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
},
"discoveryOptions": {
"enabled": true,
"asLocalhost: true"
}
}}}]' > cactus.json
docker run \
--rm \
--publish 3000:3000 \
--publish 4000:4000 \
--mount type=bind,source="$(pwd)"/cactus.json,target=/cactus.json \
cplcb \
./node_modules/.bin/cactusapi \
--config-file=/cactus.jsonTesting API calls with the container
Don't have a fabric network on hand to test with? Test or develop against our fabric All-In-One container!
Terminal Window 1 (Ledger)
docker run -p 0.0.0.0:8545:8545/tcp -p 0.0.0.0:8546:8546/tcp -p 0.0.0.0:8888:8888/tcp -p 0.0.0.0:9001:9001/tcp -p 0.0.0.0:9545:9545/tcp hyperledger/cactus-fabric-all-in-one:latestTerminal Window 2 (Cactus API Server)
docker run \
--network host \
--rm \
--publish 3000:3000 \
--publish 4000:4000 \
--env PLUGINS='[{"packageName": "@hyperledger/cactus-plugin-ledger-connector-fabric", "type": "org.hyperledger.cactus.plugin_import_type.LOCAL", "options": {"instanceId": "some-unique-fabric-connector-instance-id", "dockerBinary": "usr/local/bin/docker","cliContainerEnv": {
"CORE_PEER_LOCALMSPID": "Org1MSP",
"CORE_PEER_ADDRESS": "peer0.org1.example.com:7051",
"CORE_PEER_MSPCONFIGPATH":
"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/[email protected]/msp",
"CORE_PEER_TLS_ROOTCERT_FILE":
"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt",
"ORDERER_TLS_ROOTCERT_FILE":
"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
},
"discoveryOptions": {
"enabled": true,
"asLocalhost: true"
}
}}}]' \
cplcbTerminal Window 3 (curl - replace eth accounts as needed)
curl --location --request POST 'http://127.0.0.1:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/run-transaction' \
--header 'Content-Type: application/json' \
--data-raw '{
channelName: "mychannel",
contractName: "contract-example";
invocationType: "FabricContractInvocationType.SEND";
methodName: "example"
}'The above should produce a response that looks similar to this:
{
"success": true,
"data": {
"transactionReceipt": {
"blockHash": "0x7c97c038a5d3bd84613fe23ed442695276d5d2df97f4e7c4f10ca06765033ffd",
"blockNumber": 1218,
"contractAddress": null,
"cumulativeGasUsed": 21000,
"from": "0x627306090abab3a6e1400e9345bc60c78a8bef57",
"gasUsed": 21000,
"logs": [],
"logsBloom": "0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"status": true,
"to": "0xf17f52151ebef6c7334fad080c5704d77216b732",
"transactionHash": "0xc7fcb46c735bdc696d500bfc70c72595a2b8c31813929e5c61d9a5aec3376d6f",
"transactionIndex": 0
}
}
}Prometheus Exporter
This class creates a prometheus exporter, which scraps the transactions (total transaction count) for the use cases incorporating the use of Fabric connector plugin.
Usage Prometheus
The prometheus exporter object is initialized in the PluginLedgerConnectorFabric class constructor itself, so instantiating the object of the PluginLedgerConnectorFabric class, gives access to the exporter object.
You can also initialize the prometheus exporter object seperately and then pass it to the IPluginLedgerConnectorFabricOptions interface for PluginLedgerConnectoFabric constructor.
getPrometheusExporterMetricsEndpointV1 function returns the prometheus exporter metrics, currently displaying the total transaction count, which currently increments everytime the transact() method of the PluginLedgerConnectorFabric class is called.
Prometheus Integration
To use Prometheus with this exporter make sure to install Prometheus main component. Once Prometheus is setup, the corresponding scrape_config needs to be added to the prometheus.yml
- job_name: 'fabric_ledger_connector_exporter'
metrics_path: api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/get-prometheus-exporter-metrics
scrape_interval: 5s
static_configs:
- targets: ['{host}:{port}']Here the host:port is where the prometheus exporter metrics are exposed. The test cases (For example, packages/cactus-plugin-ledger-connector-fabric/src/test/typescript/integration/fabric-v1-4-x/run-transaction-endpoint-v1.test.ts) exposes it over 0.0.0.0 and a random port(). The random port can be found in the running logs of the test case and looks like (42379 in the below mentioned URL)
Metrics URL: http://0.0.0.0:42379/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/get-prometheus-exporter-metrics
Once edited, you can start the prometheus service by referencing the above edited prometheus.yml file. On the prometheus graphical interface (defaulted to http://localhost:9090), choose Graph from the menu bar, then select the Console tab. From the Insert metric at cursor drop down, select cactus_fabric_total_tx_count and click execute
Helper code
response.type.ts
This file contains the various responses of the metrics.
data-fetcher.ts
This file contains functions encasing the logic to process the data points
metrics.ts
This file lists all the prometheus metrics and what they are used for.
Contributing
We welcome contributions to Hyperledger Cactus in many forms, and there’s always plenty to do!
Please review CONTIRBUTING.md to get started.
License
This distribution is published under the Apache License Version 2.0 found in the LICENSE file.