Merge branch 'main' of https://github.com/hyperledger-labs/fabric-token-sdk into issue915

Author: sreenidhidrIBM

.github/workflows/codeql-analysis.yml

@@ -33,7 +33,6 @@ jobs:
         shell: bash
         run: |
           go build -o tokengen ./cmd/tokengen
-          make unit-tests
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3

.github/workflows/tests.yml

@@ -66,6 +66,9 @@ jobs:
       - name: Set up tools
         run: make install-tools
 
+      - name: Install Testing Docker Images
+        run: make testing-docker-images
+
       - name: Run ${{ matrix.tests }}
         run: make ${{ matrix.tests }}
 

Makefile

@@ -54,6 +54,7 @@ docker-images: fabric-docker-images orion-server-images monitoring-docker-images
 testing-docker-images:
 	docker pull postgres:16.2-alpine
 	docker tag postgres:16.2-alpine postgres:latest
+	docker pull hashicorp/vault
 
 .PHONY: fabric-docker-images
 fabric-docker-images:

docs/services/identity.md

@@ -51,88 +51,82 @@ The identity service is locate under [`token/services/identity`](./../../token/s
 Building on the concept of long-term identities, we'll now explore how they are grouped into roles within the identity service.
 
 Each role acts as a container for long-term identities, which are then used to create wallets. 
-Here's the interface that defines a role:
-
-```go
-// Role is a container of long-term identities.
-// A long-term identity is then used to construct a wallet.
-type Role interface {
-	// ID returns the identifier of this role
-	ID() IdentityRoleType
-	// MapToIdentity returns the long-term identity and its identifier for the given index.
-	// The index can be an identity or a label (string).
-	MapToIdentity(v WalletLookupID) (Identity, string, error)
-	// GetIdentityInfo returns the long-term identity info associated to the passed id
-	GetIdentityInfo(id string) (IdentityInfo, error)
-	// RegisterIdentity registers the given identity
-	RegisterIdentity(config IdentityConfiguration) error
-	// IdentityIDs returns the identifiers contained in this role
-	IdentityIDs() ([]string, error)
-}
-```
-
+The role is defined by the [`Role`](./../../token/services/identity/roles.go) interface.
 This interface offers functions for managing identities within the role. 
 You, as the developer, have the flexibility to implement a role using any identity representation that best fits your application's needs. 
 
 A default implementation is provided under [`token/services/identity/role`](./../../token/services/identity/role).
 
 ## Understanding Wallets in More Detail
 
-The Token-SDK abstracts the wallet management via a service called `WalletService`. 
-Here is the interface that defines such a service:
+The Token-SDK abstracts the wallet management via an interface called [`WalletService`](./../../token/driver/wallet.go) that is part of the `Driver API`.
+The `WalletService` interface gives access to the available wallets.
+You, as the developer, have the flexibility to implement a `WalletService` that best fits your application's needs.
 
-```go
-// WalletService models the wallet service that handles issuer, recipient, auditor and certifier wallets
-type WalletService interface {
-	// RegisterRecipientIdentity registers the passed recipient identity together with the associated audit information
-	RegisterRecipientIdentity(data *RecipientData) error
+A default implementation is provided under [`token/services/identity/wallet`](./../../token/services/identity/wallet).
 
-	// GetAuditInfo retrieves the audit information for the passed identity
-	GetAuditInfo(id Identity) ([]byte, error)
+## Storage
 
-	// GetEnrollmentID extracts the enrollment id from the passed audit information
-	GetEnrollmentID(identity Identity, auditInfo []byte) (string, error)
+The identity service uses 3 data storage defined by the following interfaces:
+- `IdentityDB`: It is used to store identity configuration, signer related information, audit information, and so on.
+- `WalletDB`: It is used to track the mapping between identities, wallet identifier, and enrollment IDs.
+- `Keystore`: It is used for the key storage.
 
-	// GetRevocationHandle extracts the revocation handler from the passed audit information
-	GetRevocationHandle(identity Identity, auditInfo []byte) (string, error)
+### Implementation
 
-	// GetEIDAndRH returns both enrollment ID and revocation handle
-	GetEIDAndRH(identity Identity, auditInfo []byte) (string, string, error)
+We support the following implementations:
+- `IdentityDB`, can be either based on the `identitydb` service or the Fabric-Smart-Client's KVS.
+- `WalletDB`, same as the `IdentityDB`.
+- `Keystore` is based on the Fabric-Smart-Client's KVS.
+By default, the `identitydb` is used to provide both an implementation to both the `IdentityDB` and `WalletDB`.
 
-	// Wallet returns the wallet bound to the passed identity, if any is available
-	Wallet(identity Identity) Wallet
+To retrieve the implementation of these interfaces, we have the `identity.StorageProvider` interface.
+An implementation for this interface can be found under [`token/sdk/identity`](./../../token/sdk/identity).
+It uses the `identitydb` service for the `IdentityDB` and the `WalletDB`, and the Fabric-Smart-Client's KVS for the `Keystore`.
 
-	// RegisterOwnerIdentity registers an owner long-term identity
-	RegisterOwnerIdentity(config IdentityConfiguration) error
+### HashiCorp Vault Secrets Engine Support
 
-	// RegisterIssuerIdentity registers an issuer long-term wallet
-	RegisterIssuerIdentity(config IdentityConfiguration) error
+The HashiCorp Vault Secrets Engine is a modular component of Vault designed to securely manage, store, or generate sensitive data such as API keys, passwords, certificates, and encryption keys.
+The identity service provides an implementation for both the `IdentityDB` and `Keystore` based on the `HashiCorp Vault Secrets Engine`.
+This implementation can be found under [`hashicorp`](./../../token/services/identity/storage/kvs/hashicorp).
+This implementation requires to configure the `HashiCorp Vault Secrets Engine` to run in non-versioned mode (i.e., stores the most recently written value for a key). 
+For more information about non-versioned secrets engine mode, refer to the (https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v1).
 
-	// OwnerWalletIDs returns the list of owner wallet identifiers
-	OwnerWalletIDs() ([]string, error)
+In order to use this integration, the developer must do the following:
+1. Implement the `identity.StorageProvider` interface. 
+2. Register this implementation in [`Dig`](https://github.com/hyperledger-labs/fabric-smart-client/blob/main/docs/sdk.md) via decoration like this:
+   ```go
+    p.Container().Decorate(NewMixedStorageProvider)
+   ```
+   This can be added in the Application Dig SDK that links that token-sdk Dig SDK.
 
-	// OwnerWallet returns an instance of the OwnerWallet interface bound to the passed id.
-	// The id can be: the wallet identifier or a unique id of a view identity belonging to the wallet.
-	OwnerWallet(id WalletLookupID) (OwnerWallet, error)
+Here is an example of the implementation of the `identity.StorageProvider` interface implementing bullet `1`:
 
-	// IssuerWallet returns an instance of the IssuerWallet interface bound to the passed id.
-	// The id can be: the wallet identifier or a unique id of a view identity belonging to the wallet.
-	IssuerWallet(id WalletLookupID) (IssuerWallet, error)
+```go
+type MixedStorageProvider struct {
+	kvs     kvs.KVS
+	manager *identitydb.Manager
+}
 
-	// AuditorWallet returns an instance of the AuditorWallet interface bound to the passed id.
-	// The id can be: the wallet identifier or a unique id of a view identity belonging to the wallet.
-	AuditorWallet(id WalletLookupID) (AuditorWallet, error)
+func NewMixedStorageProvider(client *vault.Client, prefix string, manager *identitydb.Manager) (*MixedStorageProvider, error) {
+	kvs, err := hashicorp.NewWithClient(client, prefix)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed instantiating hashicorp.NewWithClient")
+	}
+	return &MixedStorageProvider{kvs: kvs, manager: manager}, nil
+}
 
-	// CertifierWallet returns an instance of the CertifierWallet interface bound to the passed id.
-	// The id can be: the wallet identifier or a unique id of a view identity belonging to the wallet.
-	CertifierWallet(id WalletLookupID) (CertifierWallet, error)
+func (s *MixedStorageProvider) WalletDB(tmsID token.TMSID) (identity.WalletDB, error) {
+	return s.manager.WalletDBByTMSId(tmsID)
+}
 
-    // SpendIDs returns the spend ids for the passed token ids
-    SpendIDs(ids ...*token.ID) ([]string, error)
+func (s *MixedStorageProvider) IdentityDB(tmsID token.TMSID) (identity.IdentityDB, error) {
+	return kvs.NewIdentityDB(s.kvs, tmsID), nil
 }
-```
 
-The `WalletService` gives access to the available wallets.
-You, as the developer, have the flexibility to implement a `WalletService` that best fits your application's needs.
+func (s *MixedStorageProvider) Keystore() (identity.Keystore, error) {
+	return s.kvs, nil
+}
+```
 
-A default implementation is provided under [`token/services/identity/wallet`](./../../token/services/identity/wallet).
+ 

docs/services/snippets/msp.go

@@ -0,0 +1,42 @@
+/*
+Copyright IBM Corp All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package snippets
+
+import (
+	vault "github.com/hashicorp/vault/api"
+	"github.com/hyperledger-labs/fabric-token-sdk/token"
+	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity"
+	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/storage/kvs"
+	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/storage/kvs/hashicorp"
+	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identitydb"
+	"github.com/pkg/errors"
+)
+
+type MixedStorageProvider struct {
+	kvs     kvs.KVS
+	manager *identitydb.Manager
+}
+
+func NewMixedStorageProvider(client *vault.Client, prefix string, manager *identitydb.Manager) (*MixedStorageProvider, error) {
+	kvs, err := hashicorp.NewWithClient(client, prefix)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed instantiating hashicorp.NewWithClient")
+	}
+	return &MixedStorageProvider{kvs: kvs, manager: manager}, nil
+}
+
+func (s *MixedStorageProvider) WalletDB(tmsID token.TMSID) (identity.WalletDB, error) {
+	return s.manager.WalletDBByTMSId(tmsID)
+}
+
+func (s *MixedStorageProvider) IdentityDB(tmsID token.TMSID) (identity.IdentityDB, error) {
+	return kvs.NewIdentityDB(s.kvs, tmsID), nil
+}
+
+func (s *MixedStorageProvider) Keystore() (identity.Keystore, error) {
+	return s.kvs, nil
+}

docs/services/storage.md

@@ -6,25 +6,26 @@ This system leverages several databases, each with a specific purpose:
 * **Transaction Database (`ttxdb`)**:
   This critical database serves as the central repository for all transaction records.
   It captures every token issuance, transfer, or redemption, providing a complete historical record of token activity within the network.
-  The `ttxdb` service is locate under [`token/services/ttxdb`](./../../token/services/ttxdb).
+  The `ttxdb` service is locate under [`token/services/ttxdb`](./../../token/services/ttxdb). It is accessible via the `ttx` service.
 
 * **Token Database (`tokendb`)**:
   The `tokendb` acts as the registry for all tokens within the system.
   It stores detailed information about each token, including its unique identifier, denomination type (think currency or unique identifier), current ownership, and total quantity in circulation.
   By referencing the `tokendb`, developers and network participants can obtain a clear picture of the token landscape.
   The `tokendb` is used by the `Token Selector`, to select the tokens to use in each transaction, and by the `Token Vault Service` to provide its services.
-  The `tokendb` service is locate under [`token/services/tokendb`](./../../token/services/tokendb).
+  The `tokendb` service is locate under [`token/services/tokendb`](./../../token/services/tokendb). It is accessible via the `tokens` service.
 
 * **Audit Database (`auditdb`)** (if applicable):
   For applications requiring enhanced auditability, the `auditdb` provides an additional layer of transparency.
   It meticulously stores audit records for transactions that have undergone the auditing process.
   This functionality is particularly valuable for scenarios where regulatory compliance or tamper-proof records are essential. 
-  The `auditdb` service is locate under [`token/services/auditdb`](./../../token/services/auditdb).
+  The `auditdb` service is locate under [`token/services/auditdb`](./../../token/services/auditdb). It is accessible via the `auditor` service.
 
 * **Identity Database (`identitydb`)**:
   The `identitydb` plays a crucial role in managing user identities and wallets within the network.
   It securely stores wallet configurations, identity-related audit information, and so on, enabling secure interactions with the token system.
-  The `identitydb` service is locate under [`token/services/identitydb`](./../../token/services/identitydb).
+  The `identitydb` service is locate under [`token/services/identitydb`](./../../token/services/identitydb). 
+  It is used by the `identity` service via its interfaces. Please, refer to the [`identity service`](identity.md) for more information about the storage part.
 
 ## Configuration
 

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/gobuffalo/packr/v2 v2.7.1
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/vault/api v1.16.0
-	github.com/hyperledger-labs/fabric-smart-client v0.4.1-0.20250314124232-4cd027590cfb
+	github.com/hyperledger-labs/fabric-smart-client v0.4.1-0.20250319152028-b53f202e2b62
 	github.com/hyperledger-labs/orion-sdk-go v0.2.10
 	github.com/hyperledger-labs/orion-server v0.2.10
 	github.com/hyperledger/fabric v1.4.0-rc1.0.20230405174026-695dd57e01c2

go.sum

@@ -1084,8 +1084,8 @@ github.com/hidal-go/hidalgo v0.0.0-20201109092204-05749a6d73df/go.mod h1:bPkrxDl
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huin/goupnp v1.3.0 h1:UvLUlWDNpoUdYzb2TCn+MuTWtcjXKSza2n6CBdQ0xXc=
 github.com/huin/goupnp v1.3.0/go.mod h1:gnGPsThkYa7bFi/KWmEysQRf48l2dvR5bxr2OFckNX8=
-github.com/hyperledger-labs/fabric-smart-client v0.4.1-0.20250314124232-4cd027590cfb h1:tXjdCuJdbLmf+oPb9CluSOuwnYPnQKJn8gwySYBy3to=
-github.com/hyperledger-labs/fabric-smart-client v0.4.1-0.20250314124232-4cd027590cfb/go.mod h1:EdiA1cY2eOOZjqPlutIlFPkueUMMJOxLoiRH5KwOW1c=
+github.com/hyperledger-labs/fabric-smart-client v0.4.1-0.20250319152028-b53f202e2b62 h1:fUK1AxK//9bF8si5AYE6kptAErzn+oWbINndOTfTQTM=
+github.com/hyperledger-labs/fabric-smart-client v0.4.1-0.20250319152028-b53f202e2b62/go.mod h1:EdiA1cY2eOOZjqPlutIlFPkueUMMJOxLoiRH5KwOW1c=
 github.com/hyperledger-labs/orion-sdk-go v0.2.10 h1:lFgWgxyvngIhWnIqymYGBmtmq9D6uC5d0uLG9cbyh5s=
 github.com/hyperledger-labs/orion-sdk-go v0.2.10/go.mod h1:iN2xZB964AqwVJwL+EnwPOs8z1EkMEbbIg/qYeC7gDY=
 github.com/hyperledger-labs/orion-server v0.2.10 h1:G4zbQEL5Egk0Oj+TwHCZWdTOLDBHOjaAEvYOT4G7ozw=

integration/token/common/sdk/identity/provider.go

@@ -8,7 +8,6 @@ package identity
 
 import (
 	"github.com/hyperledger-labs/fabric-token-sdk/token"
-	"github.com/hyperledger-labs/fabric-token-sdk/token/services/db/driver"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/identity/storage/kvs"
 )
@@ -21,11 +20,11 @@ func NewKVSStorageProvider(kvs kvs.KVS) *KVSStorageProvider {
 	return &KVSStorageProvider{kvs: kvs}
 }
 
-func (s *KVSStorageProvider) WalletDB(tmsID token.TMSID) (driver.WalletDB, error) {
+func (s *KVSStorageProvider) WalletDB(tmsID token.TMSID) (identity.WalletDB, error) {
 	return kvs.NewWalletDB(s.kvs, tmsID), nil
 }
 
-func (s *KVSStorageProvider) IdentityDB(tmsID token.TMSID) (driver.IdentityDB, error) {
+func (s *KVSStorageProvider) IdentityDB(tmsID token.TMSID) (identity.IdentityDB, error) {
 	return kvs.NewIdentityDB(s.kvs, tmsID), nil
 }
 

integration/token/fungible/views/checks.go

@@ -14,7 +14,7 @@ import (
 	"github.com/hyperledger-labs/fabric-token-sdk/token"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/db/driver"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/interop/htlc"
-	"github.com/hyperledger-labs/fabric-token-sdk/token/services/network"
+	"github.com/hyperledger-labs/fabric-token-sdk/token/services/tokens"
 	"github.com/hyperledger-labs/fabric-token-sdk/token/services/ttx"
 	token2 "github.com/hyperledger-labs/fabric-token-sdk/token/token"
 	"github.com/pkg/errors"
@@ -80,12 +80,14 @@ type PruneInvalidUnspentTokensView struct {
 }
 
 func (p *PruneInvalidUnspentTokensView) Call(context view.Context) (interface{}, error) {
-	net := network.GetInstance(context, p.TMSID.Network, p.TMSID.Channel)
-	assert.NotNil(net, "cannot find network [%s:%s]", p.TMSID.Network, p.TMSID.Channel)
-	vault, err := net.TokenVault(p.TMSID.Namespace)
-	assert.NoError(err, "failed to get vault for [%s:%s:%s]", p.TMSID.Network, p.TMSID.Channel, p.TMSID.Namespace)
+	tms := token.GetManagementService(context, token.WithTMSID(p.TMSID))
+	assert.NotNil(tms, "cannot find tms [%s]", p.TMSID)
+	tokensProvider, err := tokens.GetProvider(context)
+	assert.NoError(err, "failed to get tokens provider")
+	tokens, err := tokensProvider.Tokens(tms.ID())
+	assert.NoError(err, "failed to get tokens for [%s]", p.TMSID)
 
-	return vault.PruneInvalidUnspentTokens(context)
+	return tokens.PruneInvalidUnspentTokens(context.Context())
 }
 
 type PruneInvalidUnspentTokensViewFactory struct{}
@@ -107,12 +109,9 @@ type ListVaultUnspentTokensView struct {
 }
 
 func (l *ListVaultUnspentTokensView) Call(context view.Context) (interface{}, error) {
-	net := network.GetInstance(context, l.TMSID.Network, l.TMSID.Channel)
-	assert.NotNil(net, "cannot find network [%s:%s]", l.TMSID.Network, l.TMSID.Channel)
-	vault, err := net.TokenVault(l.TMSID.Namespace)
-	assert.NoError(err, "failed to get vault for [%s:%s:%s]", l.TMSID.Network, l.TMSID.Channel, l.TMSID.Namespace)
-
-	return vault.QueryEngine().ListUnspentTokens()
+	net := token.GetManagementService(context, token.WithTMSID(l.TMSID))
+	assert.NotNil(net, "cannot find tms [%s]", l.TMSID)
+	return net.Vault().NewQueryEngine().ListUnspentTokens()
 }
 
 type ListVaultUnspentTokensViewFactory struct{}
@@ -135,11 +134,9 @@ type CheckIfExistsInVaultView struct {
 }
 
 func (c *CheckIfExistsInVaultView) Call(context view.Context) (interface{}, error) {
-	net := network.GetInstance(context, c.TMSID.Network, c.TMSID.Channel)
-	assert.NotNil(net, "cannot find network [%s:%s]", c.TMSID.Network, c.TMSID.Channel)
-	vault, err := net.TokenVault(c.TMSID.Namespace)
-	assert.NoError(err, "failed to get vault for [%s:%s:%s]", c.TMSID.Network, c.TMSID.Channel, c.TMSID.Namespace)
-	qe := vault.QueryEngine()
+	tms := token.GetManagementService(context, token.WithTMSID(c.TMSID))
+	assert.NotNil(tms, "cannot find tms [%s]", c.TMSID)
+	qe := tms.Vault().NewQueryEngine()
 	var IDs []*token2.ID
 	count := 0
 	assert.NoError(qe.GetTokenOutputs(c.IDs, func(id *token2.ID, tokenRaw []byte) error {
@@ -151,7 +148,7 @@ func (c *CheckIfExistsInVaultView) Call(context view.Context) (interface{}, erro
 		return nil
 	}), "failed to match tokens")
 	assert.Equal(len(c.IDs), count, "got a mismatch; count is [%d] while there are [%d] ids", count, len(c.IDs))
-	return IDs, err
+	return IDs, nil
 }
 
 type CheckIfExistsInVaultViewFactory struct {