- 1. Usage
- 2. Architecture
- 3. Containerization
- 4. Prometheus Exporter
- 5. Contributing
- 6. License
- 7. Acknowledgments
This plugin provides a way to interact with Fabric networks. Using this one can perform:
- Deploy smart contracts (chaincode).
- Execute transactions on the ledger.
- Invoke chaincode functions.
The above functionality can either be accessed by importing the plugin directly as a library (embedding) or by hosting it as a REST API through the Cactus API server
We also publish the Cactus API server as a container image to the GitHub Container Registry that you can run easily with a one liner. The API server is also embeddable in your own NodeJS project if you choose to do so.
npm
npm install @hyperledger/cactus-plugin-ledger-connector-fabricyarn
yarn add @hyperledger/cactus-plugin-ledger-connector-fabricimport {
PluginLedgerConnectorFabric,
DefaultEventHandlerStrategy,
} from "@hyperledger/cactus-plugin-ledger-connector-fabric";
const plugin = new PluginLedgerConnectorFabric({
// See test cases for exact details on what parameters are needed
});
const req: RunTransactionRequest = {
// See tests for specific examples on request properties
};
try {
const res = await plugin.transact(req);
} catch (ex: Error) {
// Make sure to handle errors gracefully (which is dependent on your use-case)
console.error(ex);
throw ex;
}Prerequisites
- A running Fabric ledger (network)
- You have a running Cactus API server on
$HOST:$PORTwith the Fabric connector plugin installed on it (and the latter configured to have access to the Fabric ledger from point 1)
import {
PluginLedgerConnectorFabric,
DefaultApi as FabricApi,
DefaultEventHandlerStrategy,
} from "@hyperledger/cactus-plugin-ledger-connector-fabric";
// Step zero is to deploy your Fabric ledger and the Cactus API server
const apiUrl = `https://${HOST}:${PORT}`;
const config = new Configuration({ basePath: apiUrl });
const apiClient = new FabricApi(config);
const req: RunTransactionRequest = {
// See tests for specific examples on request properties
};
try {
const res = await apiClient.runTransactionV1(req);
} catch (ex: Error) {
// Make sure to handle errors gracefully (which is dependent on your use-case)
console.error(ex);
throw ex;
}To support signing of message with multiple identity types
// vault server config for supporting vault identity provider
const vaultConfig:IVaultConfig = {
endpoint : "http://localhost:8200",
transitEngineMountPath: "/transit",
}
// web-socket server config for supporting vault identity provider
const webSocketConfig:IVaultConfig = {
server: socketServer as FabricSocketServer
}
// provide list of identity signing to be supported
const supportedIdentity:FabricSigningCredentialType[] = [FabricSigningCredentialType.VaultX509,FabricSigningCredentialType.WsX509,FabricSigningCredentialType.X509]
const pluginOptions:IPluginLedgerConnectorFabricOptions = {
// other options
vaultConfig : vaultConfig,
webSocketConfig : webSocketConfig,
supportedIdentity:supportedIdentity
// .. other options
}
const connector: PluginLedgerConnectorFabric = new PluginLedgerConnectorFabric(pluginOptions);To enroll an identity
await connector.enroll(
{
keychainId: "keychain-identifier-for storing-certData",
keychainRef: "cert-data-identifier",
// require in case of vault
type: FabricSigningCredentialType.VaultX509, // FabricSigningCredentialType.X509
vaultTransitKey: {
token: "vault-token",
keyName: "vault-key-label",
},
// required in case of web-socket server
type: FabricSigningCredentialType.WsX509,
webSocketKey: {
signature: signature,
sessionId: sessionId,
},
},
{
enrollmentID: "client2",
enrollmentSecret: "pw",
mspId: "Org1MSP",
caId: "ca.org1.example.com",
},
);To Register an identity using register's key
const secret = await connector.register(
{
keychainId: "keychain-id-that-store-certData-of-registrar",
keychainRef: "certData-label",
// require in case of vault
type: FabricSigningCredentialType.VaultX509, // FabricSigningCredentialType.X509
vaultTransitKey: {
token: testToken,
keyName: registrarKey,
},
// required in case of web-socket server
type: FabricSigningCredentialType.WsX509,
webSocketKey: {
signature: signature,
sessionId: sessionId,
},
},
{
enrollmentID: "client-enrollmentID",
enrollmentSecret: "pw",
affiliation: "org1.department1",
},
"ca.org1.example.com", // caID
);To transact with fabric
const resp = await connector.transact{
signingCredential: {
keychainId: keychainId,
keychainRef: "client-certData-id",
// require in case of vault
type: FabricSigningCredentialType.VaultX509, // FabricSigningCredentialType.X509
vaultTransitKey: {
token: testToken,
keyName: registrarKey,
},
// required in case of web-socket server
type: FabricSigningCredentialType.WsX509,
webSocketKey: {
signature: signature,
sessionId: sessionId,
},
},
// .. other options
}To Rotate the key
await connector.rotateKey(
{
keychainId: keychainId,
keychainRef: "client-certData-id",
type: FabricSigningCredentialType.VaultX509, // FabricSigningCredentialType.X509
// require in case of vault
vaultTransitKey: {
token: testToken,
keyName: registrarKey,
},
// key rotation currently not available using web-socket server
// web-socket connection not used to manages external keys
// user should re-enroll with new pub/priv key pair
},
{
enrollmentID: string;
enrollmentSecret: string;
caId: string;
}
)Extensive documentation and examples in the readthedocs (WIP)
Identity providers allows client to manage their private more effectively and securely. Cactus Fabric Connector support multiple type of providers. Each provider differ based upon where the private are stored. On High level certificate credential are stored as
{
type: FabricSigningCredentialType;
credentials: {
certificate: string;
// if identity type is IdentityProvidersType.X509
privateKey?: string;
};
mspId: string;
}Currently Cactus Fabric Connector supports following Identity Providers
- X509 : Simple and unsecured provider wherein
privatekey is stored along with certificate in somedatastore. Whenever connector require signature on fabric message, private key is brought from thedatastoreand message signed at the connector. - Vault-X.509 : Secure provider wherein
privatekey is stored with vault's transit transit engine and certificate incertDatastore. Rather then bringing the key to the connector, message digest are sent to the vault server which returns thesignature. - WS-X.509 : Secure provider wherein
privatekey is stored withclientand certificate incertDatastore. To get the fabric messages signed, message digest is sent to the client viawebSocketconnection opened by the client in the beginning (as described above)
The following packages are used to access private keys (via web-socket) stored on a clients external device (e.g., browser, mobile app, or an IoT device...). -ws-identity: web-socket server that issues new ws-session tickets, authenticates incoming connections, and sends signature requests -ws-identity-client: backend connector to send requests from fabric application to ws-identity -ws-wallet: external clients crypto key tool: create new key pair, request session ticket and open web-socket connection with ws-identity
TBD
- Use
ApiClientto receive new blocks from a fabric ledger. - Type of the response can be configured.
- Credentials must be configured using
gatewayOptionsargument (you can either send them directly in request or use wallet stored in keychain).
For more detailed example check fabric-watch-blocks-v1-endpoint.test.ts
// Setup
const signingCredential = {
keychainId: uuidv4(),
keychainRef: "user2",
};
// Create RxJS Observable.
// This will connect to the fabric connector and start the monitoring operation.
const watchObservable = apiClient.watchBlocksV1({
channelName: "mychannel", // fabric channel name
gatewayOptions: { // use signing credential from keychain
identity: signingCredential.keychainRef,
wallet: {
keychain: signingCredential,
},
},
WatchBlocksListenerTypeV1.Full, // return full block data
});
// Subscribe to the observable to receive new blocks
const subscription = watchObservable.subscribe({
next(event) {
// Handle new event
},
error(err) {
// Handle error from connector
},
});There are two types of listener type - original and cactus ones.
Corresponds directly to BlockType from fabric-common:
-
WatchBlocksListenerTypeV1.Filtered, -
WatchBlocksListenerTypeV1.Full, -
WatchBlocksListenerTypeV1.Private,
Parses the data and returns custom formatted block.
-
WatchBlocksListenerTypeV1.CactiTransactions: Returns transactions summary. Compatible with legacyfabric-socketiomonitoring operation. -
WatchBlocksListenerTypeV1.CactiFullBlock: Returns full block summary.
- Custom signature callback can be used when increased security is needed or currently available options are not sufficient.
- Signature callback is used whenever fabric request must be signed.
- To use delegate signature instead of identity supplied directly / through keychain use
transactDelegatedSign(for transact) orwatchBlocksDelegatedSignV1for block monitoring. -
uniqueTransactionDatacan be passed to each delegate sign method on connector. This data is passed to signCallback to identify and verify the request. It can be used to pass signing tokens or any other data needed for performing the signing (e.g. user, scopes, etc...). -
signProposalmethod from this package can be used to sign the requests in offline location. - For more complex examples see tests:
delegate-signing-methods.testandfabric-watch-blocks-delegated-sign-v1-endpoint.test.
// Setup - supply callback when instantiating the connector plugin
fabricConnectorPlugin = new PluginLedgerConnectorFabric({
instanceId: uuidv4(),
// ...
signCallback: async (payload, txData) => {
log.debug("signCallback called with txData (token):", txData);
return signProposal(adminIdentity.credentials.privateKey, payload);
},
});
// Run transactions
await apiClient.runDelegatedSignTransactionV1({
signerCertificate: adminIdentity.credentials.certificate,
signerMspID: adminIdentity.mspId,
channelName: ledgerChannelName,
contractName: assetTradeContractName,
invocationType: FabricContractInvocationType.Call,
methodName: "ReadAsset",
params: ["asset1"],
uniqueTransactionData: myJwtToken,
});
// Monitor for transactions:
apiClient.watchBlocksDelegatedSignV1({
type: WatchBlocksListenerTypeV1.CactiTransactions,
signerCertificate: adminIdentity.credentials.certificate,
signerMspID: adminIdentity.mspId,
channelName: ledgerChannelName,
})The sequence diagrams for various endpoints are mentioned below
The above diagram shows the sequence diagram of run-transaction-endpoint. User A (One of the many Users) interacts with the API Client which in turn, calls the API server. API server then executes transact() method which is explained in detailed in the subsequent diagram.
The above diagram shows the sequence diagram of transact() method of the PluginLedgerConnectorFabric class. The caller to this function, which in reference to the above sequence diagram is API server, sends RunTransactionRequest object as an argument to the transact() method. Based on the invocationType (FabricContractInvocationType.CALL, FabricCOntractInvocationType.SEND), corresponding responses are send back to the caller.
The above diagram shows the sequence diagram of enroll() method of the PluginLedgerConnectorFabric class. The caller to this function, which in reference to the above sequence diagram is API server, sends Signer object along with EnrollmentRequest as an argument to the enroll() method. Based on the singerType (FabricSigningCredentialType.X509, FabricSigningCredentialType.VaultX509, FabricSigningCredentialType.WsX509), corresponding identity is enrolled and stored inside keychain.
Launch container with plugin configuration as an environment variable:
docker run \
--rm \
--publish 3000:3000 \
--publish 4000:4000 \
--env AUTHORIZATION_PROTOCOL='NONE' \
--env AUTHORIZATION_CONFIG_JSON='{}' \
--env GRPC_TLS_ENABLED=false \
--env API_TLS_CERT_PEM=- \
--env API_TLS_CLIENT_CA_PEM=- \
--env API_TLS_KEY_PEM=- \
--env API_TLS_ENABLED=false \
--env API_MTLS_ENABLED=false \
--env API_HOST=0.0.0.0 \
--env LOG_LEVEL=INFO \
--env PLUGINS='[
{
"packageName": "@hyperledger/cactus-plugin-ledger-connector-fabric",
"type": "org.hyperledger.cactus.plugin_import_type.LOCAL",
"action": "org.hyperledger.cactus.plugin_import_action.INSTALL",
"options": {
"instanceId": "some-unique-fabric-connector-instance-id",
"dockerBinary": "usr/local/bin/docker",
"peerBinary": "/fabric-samples/bin/peer",
"connectionProfile": {
"name": "TODO-FILL-OUT-YOUR-CONNECTION-PROFILE-DETAILS",
"version": "TODO-FILL-OUT-YOUR-CONNECTION-PROFILE-DETAILS",
"organizations": {},
"peers": {}
},
"cliContainerEnv": {
"CORE_PEER_LOCALMSPID": "Org1MSP",
"CORE_PEER_ADDRESS": "peer0.org1.example.com:7051",
"CORE_PEER_MSPCONFIGPATH": "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp",
"CORE_PEER_TLS_ROOTCERT_FILE": "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt",
"ORDERER_TLS_ROOTCERT_FILE": "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
},
"discoveryOptions": {
"enabled": true,
"asLocalhost": true
}
}
}
]' \
ghcr.io/hyperledger/cactus-cmd-api-server:2024-07-03t18-38-45-dev-65adc3255Launch container with plugin configuration as a CLI argument:
docker run \
--rm \
--publish 3000:3000 \
--publish 4000:4000 \
--env AUTHORIZATION_PROTOCOL='NONE' \
--env AUTHORIZATION_CONFIG_JSON='{}' \
--env GRPC_TLS_ENABLED=false \
--env API_TLS_CERT_PEM=- \
--env API_TLS_CLIENT_CA_PEM=- \
--env API_TLS_KEY_PEM=- \
--env API_TLS_ENABLED=false \
--env API_MTLS_ENABLED=false \
--env API_HOST=0.0.0.0 \
--env LOG_LEVEL=INFO \
ghcr.io/hyperledger/cactus-cmd-api-server:2024-07-03t18-38-45-dev-65adc3255 \
node index.js \
--plugins='[
{
"packageName": "@hyperledger/cactus-plugin-ledger-connector-fabric",
"type": "org.hyperledger.cactus.plugin_import_type.LOCAL",
"action": "org.hyperledger.cactus.plugin_import_action.INSTALL",
"options": {
"instanceId": "some-unique-fabric-connector-instance-id",
"dockerBinary": "usr/local/bin/docker",
"peerBinary": "/fabric-samples/bin/peer",
"connectionProfile": {
"name": "TODO-FILL-OUT-YOUR-CONNECTION-PROFILE-DETAILS",
"version": "TODO-FILL-OUT-YOUR-CONNECTION-PROFILE-DETAILS",
"organizations": {},
"peers": {}
},
"cliContainerEnv": {
"CORE_PEER_LOCALMSPID": "Org1MSP",
"CORE_PEER_ADDRESS": "peer0.org1.example.com:7051",
"CORE_PEER_MSPCONFIGPATH": "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp",
"CORE_PEER_TLS_ROOTCERT_FILE": "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt",
"ORDERER_TLS_ROOTCERT_FILE": "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
},
"discoveryOptions": {
"enabled": true,
"asLocalhost": true
}
}
}
]'Launch container with configuration file mounted from host machine:
echo '{"plugins": [
{
"packageName": "@hyperledger/cactus-plugin-ledger-connector-fabric",
"type": "org.hyperledger.cactus.plugin_import_type.LOCAL",
"action": "org.hyperledger.cactus.plugin_import_action.INSTALL",
"options": {
"instanceId": "some-unique-fabric-connector-instance-id",
"dockerBinary": "usr/local/bin/docker",
"peerBinary": "/fabric-samples/bin/peer",
"connectionProfile": {
"name": "TODO-FILL-OUT-YOUR-CONNECTION-PROFILE-DETAILS",
"version": "TODO-FILL-OUT-YOUR-CONNECTION-PROFILE-DETAILS",
"organizations": {},
"peers": {}
},
"cliContainerEnv": {
"CORE_PEER_LOCALMSPID": "Org1MSP",
"CORE_PEER_ADDRESS": "peer0.org1.example.com:7051",
"CORE_PEER_MSPCONFIGPATH": "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp",
"CORE_PEER_TLS_ROOTCERT_FILE": "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt",
"ORDERER_TLS_ROOTCERT_FILE": "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
},
"discoveryOptions": {
"enabled": true,
"asLocalhost": true
}
}
}]
}' > .cacti-config.json
docker run \
--rm \
--publish 3000:3000 \
--publish 4000:4000 \
--env AUTHORIZATION_PROTOCOL='NONE' \
--env AUTHORIZATION_CONFIG_JSON='{}' \
--env GRPC_TLS_ENABLED=false \
--env API_TLS_CERT_PEM=- \
--env API_TLS_CLIENT_CA_PEM=- \
--env API_TLS_KEY_PEM=- \
--env API_TLS_ENABLED=false \
--env API_MTLS_ENABLED=false \
--env API_HOST=0.0.0.0 \
--env LOG_LEVEL=INFO \
--mount type=bind,source="$(pwd)"/.cacti-config.json,target=/.cacti-config.json \
ghcr.io/hyperledger/cactus-cmd-api-server:2024-07-03t18-38-45-dev-65adc3255 \
node index.js \
--config-file=/.cacti-config.jsonDon't have a fabric network on hand to test with? Test or develop against our fabric All-In-One container!
Terminal Window 1 (Ledger)
docker run \
--privileged \
--publish 0.0.0.0:8545:8545/tcp \
--publish 0.0.0.0:8546:8546/tcp \
--publish 0.0.0.0:8888:8888/tcp \
--publish 0.0.0.0:9001:9001/tcp \
--publish 0.0.0.0:9545:9545/tcp \
ghcr.io/hyperledger/cactus-fabric2-all-in-one:2024-03-03--issue-2945-fabric-v2-5-6Terminal Window 2 (Cacti API Server)
docker run \
--network=host \
--rm \
--publish 3000:3000 \
--publish 4000:4000 \
--env AUTHORIZATION_PROTOCOL='NONE' \
--env AUTHORIZATION_CONFIG_JSON='{}' \
--env GRPC_TLS_ENABLED=false \
--env API_TLS_CERT_PEM=- \
--env API_TLS_CLIENT_CA_PEM=- \
--env API_TLS_KEY_PEM=- \
--env API_TLS_ENABLED=false \
--env API_MTLS_ENABLED=false \
--env API_HOST=0.0.0.0 \
--env LOG_LEVEL=INFO \
--env PLUGINS='[
{
"packageName": "@hyperledger/cactus-plugin-ledger-connector-fabric",
"type": "org.hyperledger.cactus.plugin_import_type.LOCAL",
"action": "org.hyperledger.cactus.plugin_import_action.INSTALL",
"options": {
"instanceId": "some-unique-fabric-connector-instance-id",
"dockerBinary": "usr/local/bin/docker",
"peerBinary": "/fabric-samples/bin/peer",
"connectionProfile": {
"name": "TODO-FILL-OUT-YOUR-CONNECTION-PROFILE-DETAILS",
"version": "TODO-FILL-OUT-YOUR-CONNECTION-PROFILE-DETAILS",
"organizations": {},
"peers": {}
},
"cliContainerEnv": {
"CORE_PEER_LOCALMSPID": "Org1MSP",
"CORE_PEER_ADDRESS": "peer0.org1.example.com:7051",
"CORE_PEER_MSPCONFIGPATH": "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp",
"CORE_PEER_TLS_ROOTCERT_FILE": "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt",
"ORDERER_TLS_ROOTCERT_FILE": "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
},
"discoveryOptions": {
"enabled": true,
"asLocalhost": true
}
}
}
]' \
ghcr.io/hyperledger/cactus-cmd-api-server:2024-07-03t18-38-45-dev-65adc3255FIXME: This does not work. We need to (at the very least)
- add the a keychain plugin to the API server config
- load the keychain up with credentials that can be used to access the Ledger
- reference the keychain entry created in step 2 as the signing credential below.
Terminal Window 3 (cURL)
curl --location --request POST 'http://127.0.0.1:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/run-transaction' \
--header 'Content-Type: application/json' \
--data-raw '{
"channelName": "mychannel",
"contractName": "basic",
"invocationType": "FabricContractInvocationType.SEND",
"params": ["some-unique-asset-id-1", "Green", "19", "Peter", "9999"],
"methodName": "CreateAsset",
"signingCredential": {
"keychainId": "FIXME",
"keychainRef": "FIXME"
}
}'The above should produce a response that looks similar to this:
// FIXMEThis class creates a prometheus exporter, which scraps the transactions (total transaction count) for the use cases incorporating the use of Fabric connector plugin.
The prometheus exporter object is initialized in the PluginLedgerConnectorFabric class constructor itself, so instantiating the object of the PluginLedgerConnectorFabric class, gives access to the exporter object.
You can also initialize the prometheus exporter object seperately and then pass it to the IPluginLedgerConnectorFabricOptions interface for PluginLedgerConnectoFabric constructor.
getPrometheusExporterMetricsEndpointV1 function returns the prometheus exporter metrics, currently displaying the total transaction count, which currently increments everytime the transact() method of the PluginLedgerConnectorFabric class is called.
To use Prometheus with this exporter make sure to install Prometheus main component. Once Prometheus is setup, the corresponding scrape_config needs to be added to the prometheus.yml
- job_name: 'fabric_ledger_connector_exporter'
metrics_path: api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/get-prometheus-exporter-metrics
scrape_interval: 5s
static_configs:
- targets: ['{host}:{port}']
Here the host:port is where the prometheus exporter metrics are exposed. The test cases (For example, packages/cactus-plugin-ledger-connector-fabric/src/test/typescript/integration/fabric-v2-2-x/run-transaction-endpoint-v1.test.ts) exposes it over 0.0.0.0 and a random port(). The random port can be found in the running logs of the test case and looks like (42379 in the below mentioned URL)
Metrics URL: http://0.0.0.0:42379/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/get-prometheus-exporter-metrics
Once edited, you can start the prometheus service by referencing the above edited prometheus.yml file. On the prometheus graphical interface (defaulted to http://localhost:9090), choose Graph from the menu bar, then select the Console tab. From the Insert metric at cursor drop down, select cactus_fabric_total_tx_count and click execute
This file contains the various responses of the metrics.
This file contains functions encasing the logic to process the data points
This file lists all the prometheus metrics and what they are used for.
We welcome contributions to Hyperledger Cactus in many forms, and there’s always plenty to do!
Please review CONTRIBUTING.md to get started.
This distribution is published under the Apache License Version 2.0 found in the LICENSE file.