Add servers' signature verification.

Resolves #23 by adding method to verify signatures comming with servers'
responses.

Signed-off-by: Artem Barger <[email protected]>
Signed-off-by: Yoav Tock <[email protected]>

examples/cars/commands/init.go

@@ -155,8 +155,8 @@ func initUsers(demoDir string, session bcdb.DBSession, logger *logger.SugarLogge
 					DBPermission: map[string]types.Privilege_Access{CarDBName: 1},
 				},
 			}, &types.AccessControl{
-				ReadWriteUsers: bcdb.UsersMap("admin"),
-				ReadUsers:      bcdb.UsersMap("admin"),
+				ReadWriteUsers: usersMap("admin"),
+				ReadUsers:      usersMap("admin"),
 			})
 		if err != nil {
 			usersTx.Abort()

examples/cars/commands/mint.go

@@ -6,7 +6,6 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/IBM-Blockchain/bcdb-sdk/pkg/bcdb"
 	"github.com/IBM-Blockchain/bcdb-server/pkg/logger"
 	"github.com/IBM-Blockchain/bcdb-server/pkg/types"
 	"github.com/pkg/errors"
@@ -54,8 +53,8 @@ func MintRequest(demoDir, dealerID, carRegistration string, lg *logger.SugarLogg
 
 	err = dataTx.Put(CarDBName, key, recordBytes,
 		&types.AccessControl{
-			ReadUsers:      bcdb.UsersMap("dmv"),
-			ReadWriteUsers: bcdb.UsersMap(dealerID),
+			ReadUsers:      usersMap("dmv"),
+			ReadWriteUsers: usersMap(dealerID),
 		},
 	)
 	if err != nil {
@@ -146,8 +145,8 @@ func MintApprove(demoDir, dmvID, mintReqRecordKey string, lg *logger.SugarLogger
 
 	err = dataTx.Put(CarDBName, carKey, carRecordBytes,
 		&types.AccessControl{
-			ReadUsers:      bcdb.UsersMap(mintReqRec.Dealer),
-			ReadWriteUsers: bcdb.UsersMap(dmvID),
+			ReadUsers:      usersMap(mintReqRec.Dealer),
+			ReadWriteUsers: usersMap(dmvID),
 		},
 	)
 	if err != nil {

examples/cars/commands/transafer.go

@@ -6,7 +6,6 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/IBM-Blockchain/bcdb-sdk/pkg/bcdb"
 	"github.com/IBM-Blockchain/bcdb-server/pkg/logger"
 	"github.com/IBM-Blockchain/bcdb-server/pkg/types"
 	"github.com/pkg/errors"
@@ -62,8 +61,8 @@ func TransferTo(demoDir, ownerID, buyerID, carRegistration string, lg *logger.Su
 	ttRecKey := ttRecord.Key()
 	err = dataTx.Put(CarDBName, ttRecKey, ttRecBytes,
 		&types.AccessControl{
-			ReadUsers:      bcdb.UsersMap("dmv", buyerID),
-			ReadWriteUsers: bcdb.UsersMap(ownerID),
+			ReadUsers:      usersMap("dmv", buyerID),
+			ReadWriteUsers: usersMap(ownerID),
 		},
 	)
 	if err != nil {
@@ -152,8 +151,8 @@ func TransferReceive(demoDir, buyerID, carRegistration, transferToRecordKey stri
 	trRecKey := trRec.Key()
 
 	err = dataTx.Put(CarDBName, trRecKey, trRecBytes, &types.AccessControl{
-		ReadUsers:      bcdb.UsersMap("dmv", ttRec.Owner),
-		ReadWriteUsers: bcdb.UsersMap(buyerID),
+		ReadUsers:      usersMap("dmv", ttRec.Owner),
+		ReadWriteUsers: usersMap(buyerID),
 	})
 	if err != nil {
 		return "", errors.Wrap(err, "error during data transaction")
@@ -247,8 +246,8 @@ func Transfer(demoDir, dmvID, transferToRecordKey, transferRcvRecordKey string,
 
 	err = dataTx.Put(CarDBName, carKey, recordBytes,
 		&types.AccessControl{
-			ReadUsers:      bcdb.UsersMap(ttRec.Buyer),
-			ReadWriteUsers: bcdb.UsersMap(dmvID),
+			ReadUsers:      usersMap(ttRec.Buyer),
+			ReadWriteUsers: usersMap(dmvID),
 		},
 	)
 	if err != nil {

examples/cars/commands/utils.go

@@ -6,10 +6,10 @@ import (
 	"io/ioutil"
 	"path"
 
-	"github.com/golang/protobuf/jsonpb"
-	"github.com/golang/protobuf/proto"
 	"github.com/IBM-Blockchain/bcdb-server/pkg/logger"
 	"github.com/IBM-Blockchain/bcdb-server/pkg/types"
+	"github.com/golang/protobuf/jsonpb"
+	"github.com/golang/protobuf/proto"
 )
 
 func marshalOrPanic(msg proto.Message) []byte {
@@ -81,3 +81,11 @@ func loadTxEvidence(demoDir, txID string, lg *logger.SugarLogger) (*types.DataTx
 
 	return env, rct, nil
 }
+
+func usersMap(users ...string) map[string]bool {
+	m := make(map[string]bool)
+	for _, u := range users {
+		m[u] = true
+	}
+	return m
+}

go.sum

@@ -5,12 +5,6 @@ github.com/AndreasBriese/bbloom v0.0.0-20190306092124-e2d15f34fcf9/go.mod h1:bOv
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/IBM-Blockchain/bcdb-server v0.0.0-20210609180532-d6c2c4edaed9 h1:pXBFUqoQndojNnTFd1ZgVD6amzmsYHxZogA0xuNLYu0=
-github.com/IBM-Blockchain/bcdb-server v0.0.0-20210609180532-d6c2c4edaed9/go.mod h1:3/eL2aR2AxiitHtzet++d1b1kgtmfgHdoezwYXZivwc=
-github.com/IBM-Blockchain/bcdb-server v0.0.0-20210617023424-769c72bf3ee7 h1:sxICIV8raTrRCXFNJ3xBQ6SJ/cv6g4TUo4PPveHxbLo=
-github.com/IBM-Blockchain/bcdb-server v0.0.0-20210617023424-769c72bf3ee7/go.mod h1:mtuB0GJek4elh+cUs7DGtdsUrzcjX4JJznIeRjcDJko=
-github.com/IBM-Blockchain/bcdb-server v0.0.0-20210620090414-7807cc5304c5 h1:F+hv8hDlAvyl0L5vDgtHwp4wxqGUScsBbNGi7VnD/fk=
-github.com/IBM-Blockchain/bcdb-server v0.0.0-20210620090414-7807cc5304c5/go.mod h1:mtuB0GJek4elh+cUs7DGtdsUrzcjX4JJznIeRjcDJko=
 github.com/IBM-Blockchain/bcdb-server v0.1.0 h1:jp/x3m+l7HroeoO0t4yNKVZaTeAmQOAL3KOWFGmQKGE=
 github.com/IBM-Blockchain/bcdb-server v0.1.0/go.mod h1:mtuB0GJek4elh+cUs7DGtdsUrzcjX4JJznIeRjcDJko=
 github.com/Microsoft/go-winio v0.4.12/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
@@ -157,6 +151,7 @@ github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/gopherjs/gopherjs v0.0.0-20190411002643-bd77b112433e/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gopherjs/gopherjs v0.0.0-20190430165422-3e4dfb77656c h1:7lF+Vz0LqiRidnzC1Oq86fpX1q/iEv2KJdrCtttYjT4=
 github.com/gopherjs/gopherjs v0.0.0-20190430165422-3e4dfb77656c/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/jsbuiltin v0.0.0-20180426082241-50091555e127/go.mod h1:7X1acUyFRf+oVFTU6SWw9mnb57Vxn+Nbh8iPbKg95hs=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
@@ -220,6 +215,7 @@ github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp
 github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
@@ -383,6 +379,7 @@ golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7 h1:rTIdg5QFRR7XCaK4LCjBiPbx8j4DQRpdYMnGn/bJUEU=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH9uqVPRCUVUDhs0wnbA=
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

pkg/bcdb/config_tx_context_test.go

@@ -183,10 +183,7 @@ func TestConfigTxContext_DeleteAdmin(t *testing.T) {
 	require.NoError(t, err)
 
 	adminCert, _ := testutils.LoadTestClientCrypto(t, clientCryptoDir, "admin")
-	admin := &types.Admin{
-		ID:          "admin",
-		Certificate: adminCert.Raw,
-	}
+	admin := &types.Admin{ID: "admin", Certificate: adminCert.Raw}
 
 	admin2Cert, _ := testutils.LoadTestClientCrypto(t, clientCryptoDir, "admin2")
 	admin3Cert, _ := testutils.LoadTestClientCrypto(t, clientCryptoDir, "admin3")
@@ -251,7 +248,7 @@ func TestConfigTxContext_DeleteAdmin(t *testing.T) {
 
 	// session1 by removed admin cannot execute additional transactions
 	tx4, err := session1.ConfigTx()
-	require.EqualError(t, err, "failed to obtain server's certificate")
+	require.EqualError(t, err, "error handling request, server returned: status: 401 Unauthorized, message: signature verification failed")
 	require.Nil(t, tx4)
 }
 
@@ -317,7 +314,7 @@ func TestConfigTxContext_UpdateAdmin(t *testing.T) {
 
 	// session1 by updated admin cannot execute additional transactions, need to recreate session
 	tx3, err := session1.ConfigTx()
-	require.EqualError(t, err, "failed to obtain server's certificate")
+	require.EqualError(t, err, "error handling request, server returned: status: 401 Unauthorized, message: signature verification failed")
 	require.Nil(t, tx3)
 
 	// need to recreate session with new credentials
@@ -413,13 +410,14 @@ func TestConfigTxContext_DeleteClusterNode(t *testing.T) {
 	config, err := tx1.GetClusterConfig()
 	require.NoError(t, err)
 
-	id1 := config.Nodes[0].ID
+	node1 := config.Nodes[0]
 	node2 := &types.NodeConfig{
 		ID:          "testNode2",
 		Address:     config.Nodes[0].Address,
 		Port:        config.Nodes[0].Port + 1,
 		Certificate: config.Nodes[0].Certificate,
 	}
+	peer1 := config.ConsensusConfig.Members[0]
 	peer2 := &types.PeerConfig{
 		NodeId:   "testNode2",
 		RaftId:   config.ConsensusConfig.Members[0].RaftId + 1,
@@ -437,7 +435,19 @@ func TestConfigTxContext_DeleteClusterNode(t *testing.T) {
 
 	tx2, err := session1.ConfigTx()
 	require.NoError(t, err)
-	err = tx2.DeleteClusterNode(id1)
+
+	clusterConfig, err := tx2.GetClusterConfig()
+	require.NoError(t, err)
+	require.NotNil(t, clusterConfig)
+	require.Len(t, clusterConfig.Nodes, 2)
+	found, index := NodeExists("testNode2", clusterConfig.Nodes)
+	require.True(t, found)
+	require.Equal(t, clusterConfig.Nodes[index].Port, node2.Port)
+	found, index = PeerExists("testNode2", clusterConfig.ConsensusConfig.Members)
+	require.True(t, found)
+	require.Equal(t, clusterConfig.ConsensusConfig.Members[index].PeerPort, peer2.PeerPort)
+
+	err = tx2.DeleteClusterNode(node2.ID)
 	require.NoError(t, err)
 
 	txID, receipt, err = tx2.Commit(true)
@@ -449,17 +459,17 @@ func TestConfigTxContext_DeleteClusterNode(t *testing.T) {
 	// verify tx was successfully committed. "Get" works once per Tx.
 	tx3, err := session1.ConfigTx()
 	require.NoError(t, err)
-	clusterConfig, err := tx3.GetClusterConfig()
+	clusterConfig, err = tx3.GetClusterConfig()
 	require.NoError(t, err)
 	require.NotNil(t, clusterConfig)
 	require.Len(t, clusterConfig.Nodes, 1)
 
-	found, index := NodeExists("testNode2", clusterConfig.Nodes)
+	found, index = NodeExists("testNode1", clusterConfig.Nodes)
 	require.True(t, found)
-	require.Equal(t, clusterConfig.Nodes[index].Port, node2.Port)
-	found, index = PeerExists("testNode2", clusterConfig.ConsensusConfig.Members)
+	require.Equal(t, clusterConfig.Nodes[index].Port, node1.Port)
+	found, index = PeerExists("testNode1", clusterConfig.ConsensusConfig.Members)
 	require.True(t, found)
-	require.Equal(t, clusterConfig.ConsensusConfig.Members[index].PeerPort, peer2.PeerPort)
+	require.Equal(t, clusterConfig.ConsensusConfig.Members[index].PeerPort, peer1.PeerPort)
 }
 
 //TODO this test will stop working once we implement quorum rules