[FAB-8428] UserStore

Introduced a concept of a UserStore, for persistence of
user information. In this first implementation, only the
user primary key (mspID, name) and enrollment certificate
are stored.

During enrollment, user's private key is added to
cryptosuite store automatically. Application still needs
to add user (that contains the enrollment certificate)
to user store upon enrollment. In the future this won't
be necessary.

Initial implementation of the store is a simple file store
that stores user's enrollment cert in a pem file, using
naming convention <user>@<mspid>-cert.pem. The intention
is to make the user store pluggable in the future, to allow
SDK integrators to plugin their own implementation of
the UserStore interface.

Change-Id: I63452e92a50976b141345a87766541bab2291a8e
Signed-off-by: Aleksandar Likic <aleksandar.likic@securekey.com>

Author: Aleksandar Likic

api/apifabca/fabricca.go

@@ -8,6 +8,7 @@ package apifabca
 
 import (
 	"github.com/hyperledger/fabric-sdk-go/api/apicryptosuite"
+	"github.com/hyperledger/fabric-sdk-go/api/apifabclient"
 	api "github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric-ca/api"
 )
 
@@ -16,9 +17,9 @@ type FabricCAClient interface {
 	CAName() string
 	Enroll(enrollmentID string, enrollmentSecret string) (apicryptosuite.Key, []byte, error)
 	// Reenroll to renew user's enrollment certificate
-	Reenroll(user User) (apicryptosuite.Key, []byte, error)
-	Register(registrar User, request *RegistrationRequest) (string, error)
-	Revoke(registrar User, request *RevocationRequest) (*api.RevocationResponse, error)
+	Reenroll(user apifabclient.User) (apicryptosuite.Key, []byte, error)
+	Register(registrar apifabclient.User, request *RegistrationRequest) (string, error)
+	Revoke(registrar apifabclient.User, request *RevocationRequest) (*api.RevocationResponse, error)
 }
 
 // RegistrationRequest defines the attributes required to register a user with the CA

api/apifabca/mocks/mockfabriccaclient.gen.go

@@ -6,7 +6,11 @@ SPDX-License-Identifier: Apache-2.0
 
 package apifabclient
 
-import "github.com/hyperledger/fabric-sdk-go/api/apicryptosuite"
+import (
+	"errors"
+
+	"github.com/hyperledger/fabric-sdk-go/api/apicryptosuite"
+)
 
 // User represents users that have been enrolled and represented by
 // an enrollment certificate (ECert) and a signing key. The ECert must have
@@ -38,3 +42,20 @@ type IdentityContext interface {
 	Identity() ([]byte, error)
 	PrivateKey() apicryptosuite.Key
 }
+
+var (
+	// ErrUserNotFound indicates the user was not found
+	ErrUserNotFound = errors.New("user not found")
+)
+
+// UserKey is a lookup key in UserStore
+type UserKey struct {
+	MspID string
+	Name  string
+}
+
+// UserStore is responsible for User persistence
+type UserStore interface {
+	Store(User) error
+	Load(UserKey) (User, error)
+}

api/apifabca/user.go

@@ -68,8 +68,8 @@ client:
   # Some SDKs support pluggable KV stores, the properties under "credentialStore"
   # are implementation specific
   credentialStore:
-    # [Optional]. Not used by Go SDK. Others SDKs may use it if using an alternative impl
-    # Could be used if SDK would require an object for properties like url, db name, etc.
+    # [Optional]. Used by user store. Not needed if all credentials are embedded in configuration
+    # and enrollments are performed elswhere.
     path: "/tmp/hfc-kvs"
 
     # [Optional]. Specific to the CryptoSuite implementation used by GO SDK. Software-based implementations

api/apifabclient/identity.go

@@ -68,8 +68,8 @@ client:
   # Some SDKs support pluggable KV stores, the properties under "credentialStore"
   # are implementation specific
   credentialStore:
-    # [Optional]. Not used by Go SDK. Others SDKs may use it if using an alternative impl
-    # Could be used if SDK would require an object for properties like url, db name, etc.
+    # [Optional]. Used by user store. Not needed if all credentials are embedded in configuration
+    # and enrollments are performed elswhere.
     path: unused/by/sdk/go
 
     # [Optional]. Specific to the CryptoSuite implementation used by GO SDK. Software-based implementations

pkg/config/testdata/config_test_pem.yaml

@@ -11,6 +11,7 @@ import (
 
 	config "github.com/hyperledger/fabric-sdk-go/api/apiconfig"
 	sdkApi "github.com/hyperledger/fabric-sdk-go/api/apifabca"
+	"github.com/hyperledger/fabric-sdk-go/api/apifabclient"
 	api "github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric-ca/api"
 	fabric_ca "github.com/hyperledger/fabric-sdk-go/internal/github.com/hyperledger/fabric-ca/lib"
 	"github.com/hyperledger/fabric-sdk-go/pkg/config/urlutil"
@@ -124,7 +125,7 @@ func (fabricCAServices *FabricCA) Enroll(enrollmentID string, enrollmentSecret s
 
 // Reenroll an enrolled user in order to receive a signed X509 certificate
 // Returns X509 certificate
-func (fabricCAServices *FabricCA) Reenroll(user sdkApi.User) (apicryptosuite.Key, []byte, error) {
+func (fabricCAServices *FabricCA) Reenroll(user apifabclient.User) (apicryptosuite.Key, []byte, error) {
 	if user == nil {
 		return nil, nil, errors.New("user required")
 	}
@@ -153,7 +154,7 @@ func (fabricCAServices *FabricCA) Reenroll(user sdkApi.User) (apicryptosuite.Key
 // registrar: The User that is initiating the registration
 // request: Registration Request
 // Returns Enrolment Secret
-func (fabricCAServices *FabricCA) Register(registrar sdkApi.User,
+func (fabricCAServices *FabricCA) Register(registrar apifabclient.User,
 	request *sdkApi.RegistrationRequest) (string, error) {
 	// Validate registration request
 	if request == nil {
@@ -190,7 +191,7 @@ func (fabricCAServices *FabricCA) Register(registrar sdkApi.User,
 // Revoke a User with the Fabric CA
 // registrar: The User that is initiating the revocation
 // request: Revocation Request
-func (fabricCAServices *FabricCA) Revoke(registrar sdkApi.User,
+func (fabricCAServices *FabricCA) Revoke(registrar apifabclient.User,
 	request *sdkApi.RevocationRequest) (*api.RevocationResponse, error) {
 	// Validate revocation request
 	if request == nil {
@@ -212,8 +213,7 @@ func (fabricCAServices *FabricCA) Revoke(registrar sdkApi.User,
 }
 
 // createSigningIdentity creates an identity to sign Fabric CA requests with
-func (fabricCAServices *FabricCA) createSigningIdentity(user sdkApi.
-	User) (*fabric_ca.Identity, error) {
+func (fabricCAServices *FabricCA) createSigningIdentity(user apifabclient.User) (*fabric_ca.Identity, error) {
 	// Validate user
 	if user == nil {
 		return nil, errors.New("user required")

pkg/config/testdata/template/config.yaml

@@ -7,18 +7,14 @@ SPDX-License-Identifier: Apache-2.0
 package fabricclient
 
 import (
-	"encoding/json"
-
 	config "github.com/hyperledger/fabric-sdk-go/api/apiconfig"
 	fab "github.com/hyperledger/fabric-sdk-go/api/apifabclient"
-	"github.com/hyperledger/fabric-sdk-go/api/kvstore"
 	"github.com/hyperledger/fabric-sdk-go/third_party/github.com/hyperledger/fabric/protos/common"
 	pb "github.com/hyperledger/fabric-sdk-go/third_party/github.com/hyperledger/fabric/protos/peer"
 
 	"github.com/hyperledger/fabric-sdk-go/api/apicryptosuite"
 	channel "github.com/hyperledger/fabric-sdk-go/pkg/fabric-client/channel"
 	"github.com/hyperledger/fabric-sdk-go/pkg/fabric-client/chconfig"
-	"github.com/hyperledger/fabric-sdk-go/pkg/fabric-client/identity"
 	"github.com/hyperledger/fabric-sdk-go/pkg/fabric-client/resource"
 	"github.com/hyperledger/fabric-sdk-go/pkg/logging"
 	"github.com/pkg/errors"
@@ -30,7 +26,7 @@ var logger = logging.NewLogger("fabric_sdk_go")
 type Client struct {
 	channels        map[string]fab.Channel
 	cryptoSuite     apicryptosuite.CryptoSuite
-	stateStore      kvstore.KVStore
+	stateStore      fab.UserStore
 	signingIdentity fab.IdentityContext
 	config          config.Config
 	signingManager  fab.SigningManager
@@ -99,12 +95,12 @@ func (c *Client) QueryChannelInfo(name string, peers []fab.Peer) (fab.Channel, e
  * so that multiple app instances can share app state via the database (note that this doesn’t necessarily make the app stateful).
  * This API makes this pluggable so that different store implementations can be selected by the application.
  */
-func (c *Client) SetStateStore(stateStore kvstore.KVStore) {
+func (c *Client) SetStateStore(stateStore fab.UserStore) {
 	c.stateStore = stateStore
 }
 
 // StateStore is a convenience method for obtaining the state store object in use for this client.
-func (c *Client) StateStore() kvstore.KVStore {
+func (c *Client) StateStore() fab.UserStore {
 	return c.stateStore
 }
 
@@ -152,63 +148,29 @@ func (c *Client) SaveUserToStateStore(user fab.User) error {
 	if c.stateStore == nil {
 		return errors.New("stateStore is nil")
 	}
-	userJSON := &identity.JSON{
-		MspID:                 user.MspID(),
-		Roles:                 user.Roles(),
-		PrivateKeySKI:         user.PrivateKey().SKI(),
-		EnrollmentCertificate: user.EnrollmentCertificate(),
-	}
-	data, err := json.Marshal(userJSON)
-	if err != nil {
-		return errors.Wrap(err, "marshal json return error")
-	}
-	err = c.stateStore.Store(user.Name(), data)
+	err := c.stateStore.Store(user)
 	if err != nil {
-		return errors.WithMessage(err, "stateStore SetValue failed")
+		return errors.WithMessage(err, "saving user failed")
 	}
 	return nil
 }
 
-// LoadUserFromStateStore ...
-/**
- * Restore the state of this member from the key value store (if found).  If not found, do nothing.
- * @returns {Promise} A Promise for a {User} object upon successful restore, or if the user by the name
- * does not exist in the state store, returns null without rejecting the promise
- */
-func (c *Client) LoadUserFromStateStore(name string) (fab.User, error) {
-	if name == "" {
-		return nil, nil
+// LoadUserFromStateStore loads a user from user store.
+// If user is not found, returns ErrUserNotFound
+func (c *Client) LoadUserFromStateStore(mspID string, name string) (fab.User, error) {
+	if mspID == "" || name == "" {
+		return nil, errors.New("Invalid user key")
 	}
 	if c.stateStore == nil {
-		return nil, nil
+		return nil, errors.New("Invalid state - start store is missing")
 	}
 	if c.cryptoSuite == nil {
 		return nil, errors.New("cryptoSuite required")
 	}
-	value, err := c.stateStore.Load(name)
+	user, err := c.stateStore.Load(fab.UserKey{MspID: mspID, Name: name})
 	if err != nil {
-		if err == kvstore.ErrNotFound {
-			return nil, nil
-		}
 		return nil, err
 	}
-	valueBytes, ok := value.([]byte)
-	if !ok {
-		return nil, errors.New("state store return wrong data type")
-	}
-	var userJSON identity.JSON
-	err = json.Unmarshal(valueBytes, &userJSON)
-	if err != nil {
-		return nil, errors.Wrap(err, "unmarshal user JSON failed")
-	}
-	user := identity.NewUser(name, userJSON.MspID)
-	user.SetRoles(userJSON.Roles)
-	user.SetEnrollmentCertificate(userJSON.EnrollmentCertificate)
-	key, err := c.cryptoSuite.GetKey(userJSON.PrivateKeySKI)
-	if err != nil {
-		return nil, errors.Wrap(err, "cryptoSuite GetKey failed")
-	}
-	user.SetPrivateKey(key)
 	return user, nil
 }