I am playing around with the ERC20 token implemented in fabric-samples. I was wondering if it is possible to not only send tokens between users but have deployed chaincodes receive/hold/send tokens as well. Hence allowing users to send tokens to a specific chaincode and vice versa. This is a very common thing on other blockchains like Ethereum.
To realize this I tried to invoke the erc20 chaincode from my own chaincode via InvokeChaincode and noticed that its documentation states
InvokeChaincode: Locally calls the specified chaincode invoke()
using the same transaction context; that is, chaincode calling
chaincode doesn't create a new transaction message.
which implies to me that chaincode in fabric does not have its own identity but the identity of its callee. Which in turn would make the use case described above impossible...
During researching this problem I stumbled across some old posts briefly mentioning this topic. E.g. here and here. Interestingly SignedProposal seems to contain information regarding the "original" chaincode called by the user. Theoretically, this information could be used in a modified ERC20 contract to identify a specific chaincode but this seems to be a bit hacky to me.
Am I missing something here?
I would appreciate any help. Thanks.
One last thought of mine - but not directly connected to my question: In general just "forwarding" the user's identity to other chaincodes seems to be quite critical from a security point of a view, right?. An adversary could theoretically hide such cross invocations in chaincode and use the callees identity to steal e.g. these ERC20 tokens.
Related
The task is to transfer assets from fabric to another blockchain. For the unlock/lock token contract, it is necessary to come up with a place to store tokens for the time of their blocking. I decided to store them on the client's account. The bottom line is, can I store data on in contact and can I assign a certificate to the contract as a user, for example as in eth? And the contract uses its own certificate when interacting with other contracts.
If there is documentation or code examples, I will be glad of any answers and examples. And then we have already entered a dead end.
Smart contracts in Fabric do not invoke other smart contracts in the way that I think you are describing. While a smart contract can use and invokeChaincode API call to invoke another smart contract, which is done within the scope of the current transaction and can only augment the read/write set of that transaction. If successful, this endorsement / simulation of the transaction is signed by the peer that received the transaction proposal from the client.
In short, smart contracts do not (or at least should not) interact with other smart contracts as if they are a client using their own client identity.
There is some documentation here that might help clarify:
https://hyperledger-fabric.readthedocs.io/en/release-2.2/developapps/chaincodenamespace.html#cross-chaincode-access
i have a current channel of hyperledger fabric with chaincode that does CRUD operations my question is that is there any way to make a method in a chaincode that registers the new user when certain condition match.
You can use one of several methods to get the identity of the user:
GetCreator
GetId
GetMSPId
They are part of the Client Identity Chaincode Library, documented here: https://pkg.go.dev/github.com/hyperledger/fabric-chaincode-go/pkg/cid#section-readme
The Hyperledger Fabric docs provide some help for access control also if you're interested in that: https://hyperledger-fabric.readthedocs.io/en/latest/private-data/private-data.html?highlight=getmspid#private-data-sharing-patterns
I'm trying to combine the core strengths of the two Hyperledger projects, Indy / Aries and Fabric.
In the scenario we have an Indy network for SSI and a Fabric network managing a token. The Fabric token accounts should be tied to the Indy identities. Furthermore, an identity is only allowed to move tokens when it can proof to be an active member of the golf club.
This means, the Fabric endorsers need a way to see the identity's DID and to verify the golf club credential.
Question: Is there a best practice architecture to achieve that?
My current approach is to let the user send a <Proof Proposal>,<Receiver>,<Qty> message via her Aries agent to a server connected with the Fabric network. The server then sends a transaction including this data to all endorsers via the fabric-sdk. Now, the chaincode gets executed at each organisation. The chaincode tells its Aries agent to verify this Proof Proposal, which leads to a huge amount of connection invitations and proof requests against the users agent. Once the verification is successful, the chaincode continues execution and changes the state.
I see several (potential) problems:
The user must accept many connection invitations manually (if there's no hardcoded auto-accept whitelist)
Even you could avoid the connection attempts (maybe /w ephemeral challenges? Documentation for that?), there would still be massive parallel traffic, due to the presentation protocol, incoming from a decently large fabric network.
Here's a visualisation:
Am I missing something? Do you have any hints / experiences about how this can be accomplished?
Kind regards
I am currently working in projects using Fabric 1.4 I am able to get a decent idea of how things seems to work out but I am quite confused with the way smart contracts and endorsement policies work together.
What i have understood is that endorsement policy is defined during chaincode instantiation where say two or three orgs will sign a transaction in order for it to be valid. This kind of an endorsement just verifies the transaction signatures right ? no data level checks.
Like say I have this kind of a scenario: I have three orgs(Org1,Org2,Org3) each with a peer. Now through a client web app each peer puts data into the blockchain. Now how do I verify if the data (the information that I submit in the blockchain) say for example the name and id are validated by another peer properly and only then added to the world state.
Example: If peer0 in org1 adds data, name and id and the ID is wrong. Org2 has a list of IDs and it should check if the ID that org1 added matches with it and validates it. If it validates then it is fine and data can be put it in the world state
How to define this kind of a transaction state level validation (more of a data level validation rather than just signature verification)? Can this be done in the Go smart contract.
Any help and suggestions would help.
Thanks
During the endorsement, each selected endorser executes (or simulates) the transaction and returns its response, read set and write set signed. The client checks signatures and that responses from different endorsers match (or at least it should do it, anyway this check is performed later again by committers), so there are data level checks (your premise is wrong). The client assembles all the endorsements into a transaction and broadcasts it so it reaches to the ordering service. The ordering service adds the transaction to a block and the block is send to every (committer) peer joined to the channel. The committers perform their checks again and commit the transaction into the state.
It is perfectly explained here: https://hyperledger-fabric.readthedocs.io/en/release-1.4/txflow.html.
When triggering a transaction with the "composer-cli" one has to specify the "enrollId" and the "secret" to be able to send the request. So transaction is fired in the context of a given fabric-user.
I was asking myself if there is a way to map the identity of the fabric-user firing the transaction to a given "participant" from the Participant Registry (in the composer JS code, which implements business logic)?
Are these two layers of authentication completely separated? If yes, then how is one supposed to identify in the JS code that a given participant (in composer terminology) is firing the transaction? Thx.
Please refer to the docs here:
https://fabric-composer.github.io/managing/identity-issue.html
The issue identity / revoke identity CLI commands are used to map a Fabric user to a Composer participant.