 Hello. Hello. Can you hear me? Can someone hear me? Yes, that's cool. Okay, so hello and welcome to this session. My name is Roland and I'm happy to be your guest for this session. This is an ongoing work from my previous sessions. So that's the reason why we have here session 11. And the topic for today is attribute-based access control with Node.js. But before we start, let me say thank you to the sponsor of this session. That's the company it's called Summoning Locs Development. The company is established in Austria and is very well-established also in the field of cloud and blockchain technologies. And I would like to say also thank you to Daniel from Hyperledger Budapest, which was helping me to promote the session and also David from the Hyperledger Community Manager. So thank you for that. And now let's start with the session. And at the beginning, I would like to give you a short overview of what we are going to do in the next hour. So this is my first session with this Crowdcast software. And I think it's a pretty cool tool. But I'm not so familiar with this tool. I hope everything will work fine. And from your side also that you are able to handle the tool because it's a little bit different to ask questions as we have done it in the last sessions with the Zoom meeting. So and that's the reason why I put together a slide with the meeting rules so that you know how you can ask questions and so on. And then I would like to come to the topic. So I would like to introduce the topic and the lab overview. So this is a semi hands-on session because of the time. So everything is prepared and I will walk through the source code and you can test the source code. And it's not the live coding because it would take too much time. And we will not be ready within the one hour for this session. And yeah, so short overview of what we are going to do and what we need for the setup, for the lab setup. 
And then I will focus a little bit on the relevant aspects from the Fabric Contract API, which methods we need so that we have a little bit theoretical background that we see which functions we need to do our example for. And then I will give you an overview of the lab environment finally. And then the hands-on. So we will first register identities because we have here, so we need the Fabric CA identities and we have to enroll some identities and how you can do this with the command line interface. I will show you that. And then yeah, we will develop the chain code and see how this is, how this could be done. But we will see it in the ready version. So because it's not enough time to do this in the live coding session. And then we are going to use it with the CLI commands. And then in the end, so I have a challenge of the day for you. So if somebody wants to accept this challenge, then I think it's great practice for everyone who is listening to this session. But later we will see more on that topic. Here you will find the references. I have posted also the support material and the slides here on my blog. So the link is in the chat. So you can download this from the site. And here you find a little bit more detailed links. So here to the GitHub repository from this session, the support material and here three links which are useful because here Fabric links are at all useful to read this. We are going to use Fabric 2.2 version here. And then the Fabric chain code API. So it's also important to know where is the documentation. And what can I find in the documentation and how I can use this to improve my chain code. And then a link to the Fabric CA because we are going to use Fabric CA in this session to register and enroll some identities. So short meeting rules. This session will take one hour and then we will have 15 minutes Q&A. And if you have a question, then Crowdcast gives us a good tool for that. 
When you look a little bit on the bottom of your screen, then you will find a button ask a question. And when you click on this ask a question button, then you can write a question on. And the cool thing is other users can see this question and can vote for this question. So in this Q&A, I will go through these questions and then we will see which questions have the highest weight. And in this order, we are going to answer these questions. Yeah, you can use the chat for some comments or you write down. So but it's a little bit difficult for me to do the presentation and with the chat. And that's the reason also why the ask a question button is really good, a really nice feature from Crowdcast. Yeah, the recording will be available under the same meeting link. So the session is recorded and when the session is closed here, then the recording will be immediately available under the same link as you have used for this live session. The slides and the source files are available from my blog. And in the slides, you find the link to the GitHub repo and then the GitHub repo on the first page of the GitHub repo, you'll see the dates from the 10 sessions before. And then you can find also the documentation and the topics. So maybe for today, when you want to reproduce this example, you will need some information to develop the development network, to set up your development network. And this is an example we have shown in the last sessions with the Docker files and also with the binary files. So you can choose which path you would like and then you can try. Okay, so the topic for today is attribute-based chain code control. And access control, attribute-based access control. And when we come to the topic, then we have to think about how we can go a little bit deeper, how we see this topic in a wider view and how we can sort this topic in. And I have tried a completely new approach here. 
So I try to define these topics between something you can define on the channel and something you can define within the chain code. And these are both paths where the permissions come from. And when we look at Fabric and when we try to install it, then the first one we will hit here and see is sometimes the so-called endorsement policy. So Hyperledger Fabric takes a lot of usage of policies. And the endorsement policies are also something which is found in the literature under the name Chain Code Level Endorsement. But in simple words, endorsement policy here is you have to define it on the channel and all channel members have to agree to that policy. And this policy rules the way how a transaction is valid. So you can say every organization must agree with these transactions or two organizations must agree or the majority of an organization must agree and so on. And this is something where you can control permissions. So this is but defined on the channel. And then it's a global statement, I think, a global configuration for the whole consortium network. And then you can say, okay, we will have something in a private state. And that's a little bit curious when you say Hyperledger Fabric is not a public blockchain system, it is a private blockchain system. But we have a public state here, and we can have a private state here. And that means that public means in this context that everything is public inside of the consortium. So it's not visible to the public, but it is visible to the consortium and all organizations that are members of the consortium. But in this network, we can have something private. And this could be done with the so-called private data collections. And these private data collections are a configuration which can override this global endorsement policy settings. And it's also done with the definition on the channel. And it's also called a key collection level endorsement. 
So you find different terms for different, or better, you find different terms for the same documentation. And I try here also to collect this and bring this to the same level. And this is something private data collections where we can control the access and limit the access to a certain group of members. And then we have something that's called the state-based endorsement. And the state-based endorsement allows somebody to reduce the permissions of a key, of an asset. And then you can say, this is an endorsement for specific keys. And you find also the term key level endorsement. And a typical example for that is when you have something like an asset, which is owned by a certain organization, and only this organization can change the ownership or some attributes of this asset. And with this state-based endorsement, you can say, okay, when a certain condition happens, then you can change this state-based endorsement. And this will also override the global endorsement policies here. And this is also a term you find is called the key level endorsement. But all these topics here are not part of the session. But it's important to know you can define this on the channel. So this is something defined on the channel. And here, by the state-based endorsement, you start doing on the chain code. And the topic today is this attribute-based access control. And this is defined within the chain code. And for this attribute-based access control, we need the signing cert of the particular client. And a client could be, in this context, will be a user. And this user runs the client application. This is a Node.js application, for example. And this makes the communication with the network and with the blockchain system itself. And this certificate, this five, this is a signing cert, is a certificate. And in this certificate, you can set some attributes. And you can set these attributes according to your needs and according to your use case. And then you can access this. 
And you can control this from the chain code. And we will see later on the next slide which attributes we can get from the certificate. And then we can make decisions. So you can make a simple control decision with an if-else statement, for example. And then you can say if this certificate belongs to membership service provider ID number one or organization one, then you can access this function in the chain code. And all other organizations cannot. But you have a lot of flexibility in this system. So we will see, we can set any kind of information and any kind of value. And then you can create the system really for your needs. The aim of this lab is that we are going to test with the development network. And in the development network, we have one organization. And in this organization, we try to create two different roles. So we try to create a role for the creating and updating an asset. And then another role for reading those assets. And when we start the system, we will have by default two identities. So we have an admin identity and we have a so-called user one identity. And then we will see both of these identities will not be able to create and update this asset. And also let's read this asset because our chain code will control this. And this is the aim from this lab to show you how you can create such certificates. What is the important part by this certificate where you can find this certificate, how you can change this certificate. And then what is needed in the chain code to evaluate this certificate and grab the values from the certificate and make a decision on that. And then you can program whatever you want. And yeah, the steps to go for that. So the first thing is we need the network. So when we try to go a little bit away from the network, from the test network, for example, I think I hope everybody of you know the test network and have played a little bit with this test network. 
And then when you try to do your own steps, then it's a little bit difficult to do that. Because in this test network, you always have the whole approve process for the installation of the chain code. Because in the Fabric 2.2 version, we have a new system. This is a life cycle endorsement policy and life cycle endorsement management so that you can install chain code when all other organization members agree with that. So and then when you change the chain code, you have to upgrade the chain code. And that's not really efficient to do that. And for that, we can use a little bit shorter way. So there is a dev mode in the peer. And in previous sessions, I have shown in several examples how you can create this dev mode. And we use this dev mode scenario also here. So we need a development network that we can easily try and test our chain code before we will roll out this to the real test network or canary test whatever you have to test it. And then, of course, we need these identities. So we have to register and enroll identities with these particular attributes we need. So this is a part of how we can do this. And then we have to write the chain code or we have to inspect this chain code. And this is also a good example. So you will see a simple chain code with a set method and the get method. And then you see also the anatomy of a chain code. So what is needed from the Node.js perspective to create a chain code. And that's it. You can say it's a template or you can see it as a template. And then you can write your logic and your methods inside of this template. And then, okay, we have to test it. And this test network is called here the peer chain code dev environment. Yeah, we can test it with different identities. So short overview of the environment what we need. So we need this peer chain code dev environment. So this is something that we started here. And when we started the peer, then we can use this option. 
And then we have the possibility to start the chain code in a separate step. And then you can stop the chain code container and start it again, stop it, start it again. And every time you make a change to your chain code, then you can start the chain code container again. And you can immediately test your change in the source code. And in this scenario, we have four Docker containers. So because we need the identities, so we need the certificate authority, so Fabric CA container. And we need this not really for the orderer but we need the orderer and we need here for the organization one, the certificate authority. So this is the Fabric CA version that we are going to register and enroll some identities. And then we need the peer to test our scenario. And we use a simple asset chain code. So where we can store and read product data with some attributes here. So but this is not really important for the session. But important is that we use a Fabric CA. So and because we want to create new identities, and that's the reason why we have to use this Fabric CA. So okay, so from the Fabric contract API, we have here some methods, which I will briefly give you an overview of that. So I think it's not really difficult to do that and to understand. So you find this also in the documentation. And the only thing what we need is we need this client identity instance. So we have to create it. And with this client identity instance, we can get some information from the certificate from the current transaction, which is going to call the chain code for the moment. So we have here a method that's called get MSP ID. So and the method does exactly that. What's the name like. So it gives us the text string back with the name of the membership service provider ID. And with this string, you can make a decision. You can say, okay, only the organization one can do something. And then you can make here a condition. And that's it. 
So yeah, so you can read out the membership service provider ID. And then a little bit more information you will receive when you use the get ID method. So and with this get ID method, you receive a string in a specific format. And this is a little bit. Yeah, so you can see here this format. So we have an x509 as a prefix here. And then we have here two blocks, a block for the subject. And the block for the issuer with some attributes. And we can parse this to a string object or a JSON object, for example. And then we can use this to make decisions based on the attributes from this certificate. So and these are the both methods where we can get some information from the Fabric contract API with these two methods. And but we can also get one specific attribute. So there's another method with get attribute value. And we can here grab a value directly. So we can say the value assembly nox dot writer. We want to receive this value. Then we can use this method get attribute value. And we can also use a function called assert attribute value. And this value should be true. And if this is as the value true, so this is not the Boolean value here. This is also only a text value. So and when this property has this value, then you will have the result is here true or false. And these three elements you have to control the information from your client identity. And then you can make decisions on that. Yeah, so we need identities and to register and enroll identities from the Fabric CA. This is a two step process. And here's important to know you have always to register first. So we use here in this example the CLI version of the interaction with the Fabric CA. In the next session, I have planned to do this with the Node.js SDK. So then we will see how we can do this also with the Node.js SDK. But in the session we do it from the command line interface. 
But the general approach here is you have to register first, and then you can enroll an identity. And the Fabric CA, this Fabric CA client command register gives us the possibility to do that. And we have here some attributes. So okay, we need the name. So it's clear that's the name of the identity. Then we can define a secret. So the secret here is important only for the second step for the enrollment. Then we need the type. So the type is here a client. Because also other elements in the Fabric network like peer or orderer need some certificates, need some identities. But they will have other types. So they will have the type orderer or they will have the type peer, for example. And these kinds of certificates need the type client here. And then we have here this ID attributes, attrs, attribute, and then we can here define attribute. So in this manner. So some Linux dot writer is equals to true. And then here this ecert suffix. And this is something I will take a little bit later. So because we can take this ecert suffix, but we can leave it as well. But when we leave this, then we have to make a second step in the enrollment process. But in this example, we have here this ecert suffix. And in this example, we use TLS. So we have here this TLS. And then when you enroll this, then you can also use the Fabric CA client command with the enroll option here. And then you have here this syntax. So you have the writer and you have to write a password here, the secret. And then this is the host from the Fabric CA and some attributes. And yeah, so this is, I think, clear what is here, what has happened here. And the only important part here is, I think that we have here this ID attributes option field. And here this ecert. So but this, I will show you this a little bit later when we try this. But so we can register, we can enroll with a command here. 
And of course, we can remove an attribute as we can modify this identity. And so when we say, okay, we want this reader to change the true attributes, we want to remove it, then we have to use the same attribute here without any value on this position. And this will lead to the fact that the client command here will remove this attribute from the attribute list. And you can also modify it. And you see here the example for the modifying. So we can have here one value, two value. And you see here, when you have more than one attribute here, then you have to write it in under quotes. So in this format. So because it's, I think that's really symbolize and doing a way here. And yeah, so this is the modification. And so this is something really important to know, so everything what we do here when we something register, then this is registered in the Fabric CA server. Then the next step is to enroll this certificate. And then if it's enrolled with this option here, then here is the home folder, for example, the home folder, the membership service provider home folder for this writer identity. And then you will have this certificate. When you modify this, then this is modified only in the server, not in your client. So that's really important to know that when you set here an attribute with a value, and you gave this identity to third party, for example, then it's not enough that you change this attribute here and reduce maybe the permissions. But the third party user can use already the old certificate. So he has also to replace it. And we have to enroll it or we enroll this identity, and then we have to replace it. Because this type of certificates are static. And when there is no check in the, when the chain code is checking this certificate, and then it's not only checked if the certificate is valid. So is it in time, or is it the valid certificate which belongs to this organization. 
And when you change your property, then the Fabric CA server, then the old certificate is already valid. And you have to replace it by yourself. Otherwise, your new identity, your new attribute here will not work in the chain code. So that's important to know. And I think it could be a little bit difficult to handle the situation. But there may be some ways to handle it, because we have different kinds of client wallets. So maybe we can handle this with client wallets. So in the next session, we will see this from the Node.js perspective, these commands. And when we interact with the network, we need an identity and this identity needs a local wallet. And we have different wallets. So we have also a database wallet, or we can have a memory wallet. So maybe we can make a workaround with this kind of wallets. But yeah, it's a, I think it's a little bit difficult here. Okay. But the important part here to take from this slide here is that you always have to register a client or identity. And then the second step, you can enroll this client with the secret, with the password here. And that's the process. Okay. And then, okay, this certificate, the sign certificate, you can find this signcert here on this path. So when you look to your certificates folder, and the structure is always the same. So we have organizations, we have the peer organizations, then we have here the name of the peer organizations. And here we have the folder users with all users from this organization. And then we have here a folder with the specific user. And in this MSP folder, we have a signcerts folder. And there is a so-called signcert PEM file. And this is the signing certificate what we need. And when you make a cat on this file, you will see nothing useful. So you have to decode this signcert. And you can use this command here. 
And then you can look what is inside of this signcert certificate. But for example, we need only this line here. So in this signcert, there is a lot of information. And we need only a small part of this information. And we will find here a string with this numbers here. And then we have defined here attributes. And then you will see here your attributes. So and this is the part we are looking for in the signcert. And with this command here, you can inspect this signcert and see what is inside of the signcert. And that's very useful when you look inside your certificate and see what is in this signing cert. And so in this way, you can learn a little bit what's going on. Okay, so that's the theory. Yeah. And then challenge of today. So this will be then in there on the end. So now, and now I will show you how you can do this. So, okay. This is I use my setup. So my setup, this is an Ubuntu 20 machine. And for this example, I use tmux as a terminal multiplexer. And if you use this, then you have the possibility to have different windows in one SSH terminal. And the cool thing here is that you can attach to the session and you can detach from the session. And for those which are not familiar with tmux terminal or with other terminal multiplex systems. So that's really helpful. So because we can run here tasks, for example, this htop. And then so you can detach from the session. And you can also close the SSH connection. And but in the background, this process is still running. And when you come back, then you'll see this process here is always still alive. And it's running. So and this is really cool that you can define some panels here. And you can make your setup. And for this demo setup, so we need at least three terminals. So we need here a terminal to run the network. And the second terminal here, we can start and stop the chain code container. So when we do a change on that, then we can stop it and start it again. 
And then we can immediately see if our change is working or not. And it's also useful for your debugging. So this example, or in today's example, I will print you out some information from this ID and you see if this user has this attribute or not. And then so you can really do work with this. And so we need this. This is in the second panel. And then the third panel here. So we need a panel to create our identities and to call our functions. So this is our working panel, if you want, you can run this also in the background. And you can do it also with one terminal. Of course, I think that will work, but it's really useful to see what happens. So and that's the reason why we have here these three panels. Okay, so the first step is to start this development network. This is the documentation here. This is in the GitHub so I hope that's large enough that you can see this a little bit on your screen. And this is maybe you can see a step by step guide. So when you follow these instructions, then you must be able to reproduce this example. So the only thing here is that we need this development network. So because this is a work from a previous session. And with this development network, we can this is I think a copy. And I did the copy from the official test network script. And I have modified this a little bit so that we have only one organization and that this one organization has one peer and this peer is started in this peer dev mode. And the advantage of that is that we can use this dev network with LevelDB, this is the default configuration. So when we want to try something with LevelDB, so composite keys or something like that, or a simple normal blockchain system. 
But when maybe you try to use CouchDB, then we can do it as well, because in the network script, in the Fabric official network script, the quick start script, is also an option s, an option for CouchDB, and then you can start this dev network also with CouchDB. Then you can do everything, but you can test with your CouchDB when you want to try a different index, or want to make some rich queries, want to query the world state in a different way. And more important for today is that we have this CA option here. And with the CA option that means that the whole network starts with Fabric CAs. So that means that it starts with a Fabric CA for the orderer and with the orderer itself, and with a Fabric CA for the organization one, and with one peer of the organization one, and all the crypto material is also created in this process. And that is the starting point for us. So when we start this here, then this network will start. So this is something you have to do as a preparation to this session, and how you can do that, we did this in one of the previous sessions, and you can find two versions of them. You can use the Docker version like in my case here, and when you say here docker ps, then you see here that we have this setup now up and running. And you see here we have here a peer organization, peer0, and here this CA of organization one, and also here for the orderer. So okay, so that's the first step here, and the second step is that we need these identities. So these identities we have to enroll, but we can skip this step, and so let us start the chain code. So the chain code, I will walk through the chain code here, this must be here. And when you write the chain code in Node.js, I think it's pretty easy to do that. 
So if you're familiar with Node.js, then I think it's really easy, and also when you're familiar with Golang, then it's also easy to do that. So it depends really on your background, so it's not really complicated to write this chain code, but you have to know a little bit how you can do it. And for Node.js it is that we need the folder here, this chain code is called cs04, and then we need an index.js file, and then in this index.js file we have to export contracts. But this contracts export is an array, so it gives us the possibility to export one contract here in this chain code, but this is an array, so we can have here different contracts, and we can export here different contracts with one chain code. So you can say this is a chain code and this chain code can contain different contracts, one or ten for example, whatever you want here. And this is the way here: you include this here with the require command, and then you export here in an array, and this is in this case the only value, the only object here, and the only contract here what you are going to export. And then you need the package.json file. So the package.json file is important because we need these two dependencies: we need this Fabric contract API of course, and we need this Fabric shim package here. So the Fabric shim is, I say, the old one, it's a more low level, bigger possibility to develop chain codes, and the Fabric contract API is the new one. So okay, and I have this also later here in my chain code description. But we need this Fabric shim, for the chain code we don't need the Fabric shim, so we need only elements from the Fabric contract API. But when we have to start the chain code, and to start this chain code we need, and that's an important part here, we need this in the scripts here, in the scripts as we would here, this is an object, and here we have a value start, and here we need this command fabric-chaincode-node start. And this command here will come when you install the Fabric shim npm package, and that's the reason why we need the Fabric shim here. So in the Fabric contract API we use a lot of Fabric shim commands and elements because they have included that for backward compatibility, and you are pretty fine when you work with this Fabric contract API alone, but to start you need this program here, and this will come when you install your Fabric shim. And that's the reason why we need this here as a dependency.

Yeah, so when you start with the development, then you have to create this package JSON file and call the npm install command, and then these two packages will be installed, and then you have to extend this package file with this command here. This is not needed for the development scenario here, but this is needed for the transition of today, so when you try to install this. Okay, so, yeah, that's that, and that's the chain code. Let's have a look to this chain code. So I will make this a little bit larger, and let me close this, and then I will walk through this. So okay, what is important: in the index.js file we have here this require, and then we have here an export, so we export here this class, this is the CS04 contract class. So this is the link between this file and the index.js file which we have seen previously. And then we need here, yeah, oh, for the Fabric shim we need this, sorry, this is something I have missed: we need here for the client identity the Fabric shim, but we need it also for the start command. And so a contract is based on the contract class, which contract class came from the Fabric contract API, and we call it CS04 contract, so that's our name. And then we have here a constructor for that. This constructor is important because when we call this here we gave this class a namespace, a name, you know, and with
this name we can also, when we call everybody commands an interface, so we can have a short namespace, so we can say okay, this is the contract c04 and from this contract we want the function x, y for example. Yeah, so I think it's a good way that you call here a name for this function, for this class, and then here we can define some properties for this contract, but this depends on you, on your programming style and whatever you want to do this. And here this command here, it's the note from, as I mentioned, so the chaincode, this is the old version, the fabric-shim is the old version and the fabric-contract-api is the newer version. So yeah, and when you read the documentation you will read that the fabric-contract-api is described as a higher level of development and the fabric-shim is a little bit low, is low level bigger than, yeah. I think for the standard case you are fine with this fabric-contract-api. Okay, so this is the task of the constructor, so we need this here, yeah, and to call this name, and then we have a namespace for this contract. And then we have here three functions, and these three functions are pretty cool. So we have here something that is called beforeTransaction, then afterTransaction, and unknownTransaction. So what does this mean? When somebody does a transaction, then the first thing which is called here is the beforeTransaction function, and here we can do different things. We can do logging, we can get the transaction ID from this, we can, in my case here you'll see, I call this client identity class and create an instance of that and then I get all the information which I want. So yeah, but that is an interesting part. This is the door, when you say okay, when you start this, when you call this contract, this is the first function which is called here, and the afterTransaction
is called when the transaction is done, so this is the ideal place when you start an event. So when you make a notification service and you wonder everything is fine and the transaction is done, then you can fire here an event, and this is a good place to do that. So this function is automatically called when the transaction has finished, so this is the last function here and this is the first function which is called. And unknownTransaction is when you call a function which is not set in your channel, and so you don't need a try catch for your function names, so you have here a built-in try catch, so-called try catch, and with this unknownTransaction you can handle this situation. So like here in this, we have here this ctx, so all of these functions have one parameter, the ctx property, and this has this stub object here, and this stub object gives us functionality also from the fabric-shim, and here is a function getFunctionAndParameters, and then this is an object, and then you can give back the function which the invoker and decoder has called, and then you can throw here an error. So this is the so-called try catch built in, but you can leave these three functions away, so it's also fine, but I think that's really good to know that these functions are available and you can work with that, and I think that's very useful for debugging and also for things like logging or I am fetching identity information. And so okay, and then here are two functions, so we have a typical set function and we have a get function, and the set function, the task is to create and update assets, and there's no magic behind. So here you can create the model, and then these are the two important commands here. In Fabric you have to store a key and the value, and the key is your identifier, so you can have
this could be a string, this could be a number, this could be a composite key, whatever, yeah, and the value is a buffer, yeah, is here an asset buffer, so it's a binary information, it's a binary type, and the only thing what we have to do is we have to stringify and create the binary data from our data model. So in this way we can create a data model, whatever JSON structure, whatever you want, and you can convert this in a single binary value, and then you have here this asset, the binary value, and then you can use this putState function here and you can say okay, this key, you know, this model key, has this value, and that's it. And this is how these two lines store your data in a Fabric function, so it's pretty easy. And yeah, in here we see how we can use this assertAttributeValue, and this is a simple if construct, so we check if the client identity has this some linear criteria identity with the value true. If not, then we stop here and we return here a value, personalized value from our side, and this is a stop condition here, and if not, if the attribute here is set, then we create here the data model, so that's also easy and straightforward. Yeah, it's a simple function where you can create the data model here, you pass the data, yeah, and this is one way how you can do that, and you can make it in different ways, whatever you want, so that's not here specific to this scenario. Okay, and then you can return the key from this create process, and in my case I have here a try and catch block, so we can also here throw an error when there is some problem with this transaction, but here is the first usage of this assertAttributeValue, so we can check this here. Yeah, and in the get function it's the same, but here I have here a hash attribute. So the get is also simple, so let's look first on that. So this is also really the contract
stub here has a function getState and we need only the key, and the key is delivered here in this function as the first parameter, and yeah, that's it, and then you receive the binary data and then you can here convert this binary data to a UTF-8 string. This is also straightforward and not really difficult here, and this is the typical way how you can read the value of a given key from a standard key and read it from the world state. So this is only the world state, not your history or history versions of this key. And the more interesting part is here: in our scenario we have the reader, the reader should read this at rules, the writer should obviously also read his work, and then I have here a special role in the auditor, because we have another identity so we can practice this a little bit, and then we can add another identity. So we have here three identities and only these three identities are allowed to read this data, and unfortunately there is no function for that. So I have looked in the Go SDK, and in the Go SDK there is indeed a function which checks for his attributes, but I haven't seen that this is implemented in the Node.js SDK. But it's not a problem, so we can do it by our own, and this is a simple for loop over the attributes here, and we check each of the attributes if this attribute is everywhere level here, and this is also to getAttributeValue, and we check if this has the value, and with the simple loop we can check if this certificate has one of these allowed attributes, and if yes we can set the status to true and break the loop, I'll stop the loop, and then we can return the status with true or false in this way. But this is also one approach how you can do that, and you can do it in Node.js in different ways, but the important part here is that you use this line here to check it, so with this getAttributeValue, yeah,
we can check if this is the value true, and in this way we can check this. So okay, and then the status is true here, then everything is okay and we can read the data and return the data, and if the status here has the value false then we return also a custom error message, error you are not allowed to read an asset, okay, whatever you want here. Okay, and this is how you can check these attributes, but you can read a little bit more from this, and this is what we can see here in the beforeTransaction. In the beforeTransaction I have also used these methods which we have seen previously in the slides. So with this getMSPID we will return a string, and this string will contain the name of the membership service provider ID which this certificate belongs to, and with that you can make also a decision, true or false or whatever, and it's a simple string. And with the getID that's a little bit more complex, and this is, as I have mentioned, we will receive a string in that format, so yeah, and we have to manipulate or we have to split this string up by ourselves, but this format is fixed and so we can write the function that splits that up and create an object here, and then we can bring this object. And this split ID function is also very straightforward here. So this is the function: as you can see, we can split this with the double quotes, double dots here, in the type, and we can have a type and we can have here a subject and we have an issuer. So the subject, this belongs to the information to the client, yeah, and the issuer has information regarding the issuer from the certificate, so from the organization, from the certificate authority. So in our example, now we are focusing more on the subject, and the subject itself contains also some slashes, and then we can split it also up, that we can have a single property with a single value, but this also is the
same as I have mentioned, so this is one way how you can do it, so I'm sure you have more than one way to split this information up. And then you will have here, you can also make here, this is something which should not really be done here in the chaincode, so we want to use it more often, so that there's something you are going, it's better when you exclude that, and then you can, yeah, import it with a require function and use it in different chaincodes. Okay, so this asset exists is in this example not needed, so this is a former example, I don't know, so we can skip it. So okay, and that is how the chaincode is created. So let's wrap this here. I think the most takeaway here from the chaincode, when you start with this, is that you need an index.js file, and this index.js file has here an export, and this export needs the name contracts, and this contracts is an array, and here you can export one or more different contracts, and that means that you have one chaincode with different contracts, for example here, or with one contract. Yeah, and in this contract you have here a template, you can see this as a template, so you have to extend your class from the global contract class. The global contract class belongs to the fabric-contract-api here, and for the client identity we need this fabric-shim package here. Only for set and get and for composite keys or for history, whatever, I don't think you need this fabric-shim package here, but it's a normal included here. And then you have here this class, and this class, I think it needs, yeah, it's good when you have a constructor here, because it's important to have this name, because this is the name of the chaincode and then we can use this as a namespace, because in this way it will be possible that you have more contracts. If you have two contracts and both contracts will have a get function, then when you don't use
a contract name, for example, then which function should be called? So that's the reason why it's important to set here a name, because this name is also part of the address when you call the function from the client side or from the command interface, so that's the reason why this is here so important. And then the next part is these three functions. These are also an option, you can see it as an option, but I think that's really, really useful, because we have a fixed starting point in our chaincode where we can do logging, we can measure time, whatever you want here, yeah, and in our scenario we fetch some client data. So the important part is that this function is the first function which will be called when this contract is executed, and the afterTransaction is the last one, so this is typically the place where you can fire an event, so you can make a chaincode event and the client can listen on this event, and yeah, then you can do something with the information. Yeah, and then the unknownTransaction, this is a good point to catch some wrong inputs. So when somebody is calling a function which is not here in your chaincode, then this is here fired and you can throw an error. So there is no need, like you have seen maybe in older chaincode versions, where we are in an init function and then this starting function where you have a switch condition, where in the switch you have case one, two, three, four, and then you have a sender else function where they can catch the functions which are not existing. So that is not needed here and you can use this unknownTransaction built-in function here, but you can leave this and your chaincode will also work, so that's not a must to use it. And then you can have your set, yeah, and your get function as you have seen, and yeah, the important part to get to the identity is you create a new instance of this client identity, and you have to use always this context and this stub object, and then you receive this
information, and with this object you can have different functions: you can have this get membership service provider ID and also with the getID more information about this certificate, and then you can call the getAttributeValue function to get some information from your attributes, and then you can handle this. Okay, so this is the anatomy of this chaincode, of every chaincode, so you can take this example and build your own setup with that. And yeah, so okay, and now let's try this out. So I think we are in trouble, in time trouble, yeah. Okay, so now let's start our chaincode. To start the chaincode we can use here this setup, so I will show you this a little bit in detail. So we have here a normal setup here with an organization, and we have here in this definite record chaincode folder, and in this chaincode folder we can divide between Node.js and Go, and yeah, so we can switch between them if you want, and then we have here the CS4 folder, and in this folder we have the package.json file, yeah, don't forget this, and then we have to call npm install and then the node modules will be installed, and that's it. And then with this index and this CS04 file we are ready to start the chaincode, and to start the chaincode in this dev mode we need a command line here, and this is this one. So we have to set two environment variables here, or three, so three: this is CORE_CHAINCODE_LOGLEVEL to debug, so then we see a little bit more information, then we have to disable the TLS, and we have to give the CORE_CHAINCODE_ID_NAME here a standard name, my chain code 01, so we can leave this always the same. And then here you see, yeah, we need this node under the node_modules, so in the bin folder, fabric-chaincode-node start, and this will come when you install the npm shim package, so that's the reason why we need this here, and that's it. And then we copy that in here, then you see the chaincode, this one. Okay, and
since we use this network, it is a reduced version of the network script, then for the network script we have to set some environment variables. So I have modified also these environment variables to fit this setup here, and we have here a file, this org1, yeah, and here I have a function set globals, and here we have these four environment variables which we need, and this CORE_PEER_MSPCONFIGPATH is the path which we did, is the variable which we have to change when we try to test with different users here, because all our users belong to the Fabric CA from this organization, and the peer address is the same and the config path to the Fabric config is also the same. So yeah, and this is the environment variable we have to change later. So okay, let us then execute this set globals, and now here we have the invoke command. So now we are the user admin, we are the admin user here, so yeah, and as you have seen the admin user doesn't have any right to read everything or to do anything, and that means that when everything is ready and works fine, then we can try to invoke here an asset and we should receive an error. Yeah, and you see here you receive this key error, you're not allowed to create an asset, and here in the debug values you see a little bit more. So you see here the transaction ID, then we see here the information from the membership service provider ID, so organization one, and then we see here the information from the certificate, from the getID function, and this is the result. And then we have here the check for the attributes, and you see this identity doesn't have the right to the reader order or the auditor flag here, and that's the reason why we have here in the result an error. Yeah, so also the administrator of this Fabric network cannot change this asset, and that's important to know. Yeah, okay, and now we need some identities, so let us grab some
identities. So okay, we go back to this here, so we just identify this with proper attributes, and for that we have to define one environment variable, so the Fabric client has to know where the home directory is from this organization, and we export this here. You can check the result here, you see here this is our path, and you see when you check it with tree there's one organizations users, and you see here you have only these two identities here, these two user identities, and this is because that's how you default user. So when you use the default network then you have always the admin user and you have always a user one for installed. Okay, and now let's try to register here the first user, and here it is really important that you have these two steps: the first step is you have to register something, and then you can enroll it, so that's the second step. And yeah, the attribute here is the semblance writer is like true with this ecert suffix. So okay, let us copy this, and here we receive the password, yeah, this is the secret, and we need this secret, but it's the same secret like here, and we need this secret for the second step. So in the third way we don't need the secret here, so that's only the secret to enroll this certificate. Okay, ah, done, oops, okay. So okay, let's do the same with the reader. When you check your folder you see there is no information, so all this now lives only in the Fabric CA server and not here on your client side, and on the client side it will come when you enroll this in the second step. And then we will enroll the writer and we will enroll the reader, and the credentials are here, so the first is the username, and then you have the password here. Okay, and then here this is the host, this is the IP, localhost, and the port from the Fabric CA here, so this is the important part here. Then we can
enroll it, and now you see we have here a writer certificate, a writer folder, right. The same we're going to do with the reader, and you have here also the reader. One important point is we have to copy this config.yaml file here with this information about the node organization units configuration here, so this must be done by hand, and we can take this from the, here, from the v organization one membership service provider file here, here the file is located here, and we can copy this here into this config folder. Okay, so we copy this, and we need the same file also for the reader here. So all right, and now okay, so this is the part we have seen already, so when you go into the reader and you see here the MSP file to the config file and then you will hear this sound as well. So okay, now we have two users, one with a role for the writer and one for the reader. Okay, so one short word to this ecert suffix. So that means, when we use this here in the register process, yeah, when we have this ecert suffix here, then when we enroll this identity this attribute will be included, and when you don't use this here then this attribute is set in the Fabric CA server but it will not be automatically enrolled, so you have to do it by hand. And this is done here with the manager example here, so we can register here the manager, so here without this suffix, and when we enroll this manager without these enrollment attributes here, so I hope we have an already internet connection, so we have the manager here with the manager when there's been in the sign set. So okay, and let's have a look into this certificate, and you see here this is the certificate when you inspect it, you see here a lot of information about the issuer, about the validity, how long is the subject information and so on, and here is this part
here, and you see here there is no information about this some Linux writer attribute, and that is because we don't use the suffix here, and when we want this then we have to use these enrollment attributes here, and then we can say which identities, which attributes we want to include in this certificate. So we enroll this certificate now, and when we look at that then you see here some Linux manager is true. Yeah, and that's the secret for the ecert suffix here. Yeah, so that means when you set this here in the register process, then you can enroll the identity and these attributes will be included automatically, but when you don't use it then it will not be included automatically, so then you have to name it, yeah, and you can do that with this enrollment attributes option here, and you have to write this in a comma-separated form here. So here these are the attributes which are going to be included, yeah, and here's the command to check your, to decode this sign. Okay, and now let's change to a writer. To change to the writer we have to change this membership config path, and this comes from an environment variable, CORE_PEER_MSPCONFIGPATH, and then here we have to set the path to the writer. So copy that, and then we can try it again. So we invoke the chaincode and you see successful status, payload key a one, and you see here some Linux writer true, with a false auditor zero. And when you come to the reader, then you can change this to the reader, so this is a short message. Okay, and then let's read it now: you're not allowed to read this. So let's see with a reader, I'll create, okay, of course, that's correct. So I have to be a little bit more focused. So we have tried the invoke function and we are reader now, so this should not work and we are right: error, you're not allowed to update this. But when I call this reader function then you can read it, with the check code
to it you see it a little bit nicer. Let me just see here, here's the package. Okay, so I think my time limit, I will run out of time. So here I have some further examples, so how you can modify and remove these attributes, so this is something you maybe want to try out by yourself. And yeah, so I think this was the example, and let me come back now to the challenge for you, and then we can make a short Q&A session. Okay, and the challenge of the day: I think that when you want to play with them, then you can load this chaincode from the GitHub repo and then you can try to install this chaincode in the official test network. And this would be the next step in this process. So now we have developed this chaincode and you have tested this chaincode, and the next step would be to install it in a near real network, so in a network with two or more organizations, to see how this goes, and this could be done with the official test network, and I think it's a two or one liner. So when you know the network script, with this you can install the system and you can install also some chaincode, and you can install also the Node.js chaincode, and if you want, try it out and give me feedback if you have problems with that or you can do it. Okay, so yeah, thanks for watching this Crowdcast session. I hope there was something useful for you in this session, and yeah, so let's see if you have any questions. I will click the out, no question here, no question from the audience yet. So okay, is there any question out there? So okay, if no question, so it's because, yeah. So okay, if you don't have any questions then I say thank you for your time, and I hope we see us again in the upcoming weeks, and stay safe and we see you soon. Bye bye.
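
Added example, not the speaker's chaincode: the read/write attribute checks and the `getID()` splitting described in the talk, run against a stand-in for fabric-shim's `ClientIdentity` so it works without a peer. The attribute names, `Org1MSP`, the sample identity strings and every function name here are assumptions, and the MSP check goes one step beyond the talk by binding the attribute decision to the organization whose CA issued it.

```javascript
// Stand-in for fabric-shim's ClientIdentity so this runs without a peer. It
// mirrors getMSPID, getID, getAttributeValue and assertAttributeValue; the
// real class reads these from the invoker's certificate via ctx.stub.
class FakeClientIdentity {
  constructor(mspId, id, attrs) {
    this.mspId = mspId;
    this.id = id;
    this.attrs = attrs; // attributes embedded in the enrollment certificate
  }
  getMSPID() { return this.mspId; }
  getID() { return this.id; }
  getAttributeValue(name) {
    const has = Object.prototype.hasOwnProperty.call(this.attrs, name);
    return has ? this.attrs[name] : null; // null when the cert lacks it
  }
  assertAttributeValue(name, value) {
    return this.getAttributeValue(name) === value;
  }
}

// Assumed names: placeholders for the attribute names and MSP used in the talk.
const TRUSTED_MSP = 'Org1MSP';
const WRITE_ATTR = 'example.writer';
const READ_ATTRS = ['example.reader', 'example.writer', 'example.auditor'];

// True if the certificate carries at least one allowed attribute set to 'true'.
function hasAnyAttribute(cid, allowed) {
  for (const name of allowed) {
    if (cid.assertAttributeValue(name, 'true')) return true;
  }
  return false;
}

// Attributes are issued by each organization's own CA, so bind the decision
// to the MSP whose CA is trusted to issue them.
function canWrite(cid) {
  return cid.getMSPID() === TRUSTED_MSP && cid.assertAttributeValue(WRITE_ATTR, 'true');
}
function canRead(cid) {
  return cid.getMSPID() === TRUSTED_MSP && hasAnyAttribute(cid, READ_ATTRS);
}

// Turn "/OU=client/CN=writer" into { OU, CN }; repeated keys become arrays.
function parseDn(dn) {
  const out = Object.create(null);
  for (const part of dn.split('/')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    if (eq < 1) throw new Error('malformed DN component: ' + part);
    const key = part.slice(0, eq);
    const val = part.slice(eq + 1);
    out[key] = key in out ? [].concat(out[key], val) : val;
  }
  return out;
}

// getID() returns "x509::<subject DN>::<issuer DN>"; reject anything else.
function splitId(id) {
  const parts = id.split('::');
  if (parts.length !== 3 || parts[0] !== 'x509') {
    throw new Error('unexpected identity format');
  }
  return { type: parts[0], subject: parseDn(parts[1]), issuer: parseDn(parts[2]) };
}

// Constructed sample identities (not taken from the session's network).
const ISSUER = '/C=US/ST=North Carolina/O=org1.example.com/CN=ca.org1.example.com';
const mkId = (cn) => 'x509::/OU=client/OU=org1/CN=' + cn + '::' + ISSUER;
const identities = {
  admin: new FakeClientIdentity('Org1MSP', mkId('admin'), {}),
  writer: new FakeClientIdentity('Org1MSP', mkId('writer'), { 'example.writer': 'true' }),
  reader: new FakeClientIdentity('Org1MSP', mkId('reader'), { 'example.reader': 'true' }),
  // Registered without the ecert suffix: the attribute is not in the certificate.
  manager: new FakeClientIdentity('Org1MSP', mkId('manager'), {}),
  // Same attribute, but issued under another organization's MSP.
  foreignWriter: new FakeClientIdentity('Org2MSP', mkId('writer'), { 'example.writer': 'true' }),
};

// Evaluate every sample identity the way the set and get functions would.
function decisions() {
  const out = {};
  for (const [name, cid] of Object.entries(identities)) {
    const cn = splitId(cid.getID()).subject.CN;
    out[name] = { write: canWrite(cid), read: canRead(cid), cn: cn };
  }
  return out;
}
```
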