From d2b29b42fe343ae6e8f96aa304ef728c7ff13016 Mon Sep 17 00:00:00 2001 From: Patrick Kuo Date: Thu, 15 Mar 2018 15:20:07 +0000 Subject: [PATCH] ENT-1592 Add private network id to CSR (#533) * * add private network id to CSR * TODO : Doc * TODO : Signing server and network map end points * Remove private network attribute from CSR * revert unnecessary changes * remove private network identifier from node as we are not shipping this to the node in DP3 * revert unnecessary changes * address PR issues
--- network-management/README.md | 46 ++++++++++++++++++ .../CertificateSigningRequestStorage.kt | 2 +- .../common/persistence/PersistenceUtils.kt | 1 + .../persistence/PersistentNodeInfoStorage.kt | 2 +- .../entity/CertificateSigningRequestEntity.kt | 47 ++++++++----------- .../persistence/entity/NodeInfoEntity.kt | 24 ++-------- .../corda/networkmanage/common/utils/Utils.kt | 5 +- .../network-manager.changelog-init.xml | 14 ++++++ 8 files changed, 87 insertions(+), 54 deletions(-)
diff --git a/network-management/README.md b/network-management/README.md
index 5da7c4e8db..b974835cea 100644
--- a/network-management/README.md
+++ b/network-management/README.md
@@ -230,3 +230,49 @@ Run the following SQL script to archive the node info table (change the timestam delect from node_info where is_current = false and published_at < '2018-03-12' ```
+## Private Network Map
+The private network is a tactical solution to provide temporary privacy to the initial network map.
+
+### Creating a private network
+To create a new private network, a entry has to be create in the ``private_network`` table manually.
+
+Run the following SQL script to create a new private network:
+
+```
+insert into private_network (id, name)
+values (NEWID(), 'Private Network Name')
+```
+
+Then use the following SQL to retrieve the private network ID for the private network owner:
+```
+select id from private_network where name = 'Private Network Name'
+```
+
+### Modify existing private network registration
+Since this is a tactical solution, any modification will require manual database changes.
+
+**We should try to keep these changes to the minimal**
+
+#### Add nodes to a private network
+
+```
+update certificate_signing_request
+set private_network = '<>'
+where request_id in ('<>', ...)
+```
+
+or this SQL script to add all approved nodes to the private network map.
+
+```
+update certificate_signing_request
+set private_network = '<>'
+where status = 'APPROVED'
+```
+
+#### Move a node from its private network and into the global network map**
+
+```
+update certificate_signing_request
+set private_network = null
+where request_id = '<>'
+```
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/CertificateSigningRequestStorage.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/CertificateSigningRequestStorage.kt
index 510a26675b..78c68da89c 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/CertificateSigningRequestStorage.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/CertificateSigningRequestStorage.kt
@@ -56,7 +56,7 @@ interface CertificateSigningRequestStorage { * Persist the fact that a ticket has been created for the given [requestId]. */ fun markRequestTicketCreated(requestId: String) - + /** * Approve the given request if it has not already been approved. Otherwise do nothing. * @param requestId id of the certificate signing request
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistenceUtils.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistenceUtils.kt
index 27e9929889..cde83fea56 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistenceUtils.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistenceUtils.kt
@@ -63,6 +63,7 @@ sealed class NetworkManagementSchemaServices { CertificateSigningRequestEntity::class.java, CertificateDataEntity::class.java, CertificateRevocationRequestEntity::class.java, + PrivateNetworkEntity::class.java, CertificateRevocationListEntity::class.java, NodeInfoEntity::class.java, NetworkParametersEntity::class.java,
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistentNodeInfoStorage.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistentNodeInfoStorage.kt
index b0f2f96f21..f323e5ea49 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistentNodeInfoStorage.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/PersistentNodeInfoStorage.kt
@@ -63,7 +63,7 @@ class PersistentNodeInfoStorage(private val database: CordaPersistence) : NodeIn override fun getNodeInfo(nodeInfoHash: SecureHash): SignedNodeInfo? { return database.transaction { - session.find(NodeInfoEntity::class.java, nodeInfoHash.toString())?.signedNodeInfo() + session.find(NodeInfoEntity::class.java, nodeInfoHash.toString())?.toSignedNodeInfo() } }
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/entity/CertificateSigningRequestEntity.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/entity/CertificateSigningRequestEntity.kt
index 890a548e7d..f8f226d30f 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/entity/CertificateSigningRequestEntity.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/entity/CertificateSigningRequestEntity.kt
@@ -26,7 +26,7 @@ import javax.persistence.* @Entity @Table(name = "certificate_signing_request", indexes = arrayOf(Index(name = "IDX_PUB_KEY_HASH", columnList = "public_key_hash"))) -class CertificateSigningRequestEntity( +data class CertificateSigningRequestEntity( @Id @Column(name = "request_id", length = 64) val requestId: String,
@@ -60,7 +60,11 @@ class CertificateSigningRequestEntity( @Lob @Column(name = "request_bytes", nullable = false) - val requestBytes: ByteArray + val requestBytes: ByteArray, + + @ManyToOne + @JoinColumn(name = "private_network", foreignKey = ForeignKey(name = "FK_CSR_PN")) + val privateNetwork: PrivateNetworkEntity? = null ) { fun toCertificateSigningRequest() = CertificateSigningRequest( requestId = requestId,
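Review bot: Turning the JPA entity into a `data class` at `+data class CertificateSigningRequestEntity(` makes the generated `equals`/`hashCode`/`toString` range over every constructor property, including `requestBytes: ByteArray` (compared by reference under data-class semantics, which the compiler warns about) and the `certificateData` association, so hashing or comparing a CSR row now walks into its relationship instead of using the `request_id` key. A data class is also final, which Hibernate cannot proxy unless the kotlin-jpa/allopen plugin is configured for this module; I cannot see the build from here. If the aim was only to get `copy()` back, pin equality to the primary key with `override fun equals(other: Any?) = other is CertificateSigningRequestEntity && other.requestId == requestId` and `override fun hashCode() = requestId.hashCode()`. The class body continues past this hunk.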
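Review bot: The new `privateNetwork` association at `@ManyToOne` / `@JoinColumn(name = "private_network", ...)` carries no documentation of what a null value means, even though the README in this patch uses `set private_network = null` to move a node back into the global network map and states the column is only ever set by hand-run SQL. A KDoc such as `/** Private network this CSR belongs to, or null for the global network map. Set only by the manual SQL described in README "Private Network Map", never by the registration flow. */` would stop the next maintainer from wiring it into request handling. Note also that `@ManyToOne` defaults to eager fetching, so every CSR load now joins `private_network`; if CSRs are listed in bulk elsewhere, `fetch = FetchType.LAZY` may be worth adding, though the callers are not visible here. The constructor and class body continue past this hunk.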
@@ -73,36 +77,12 @@ class CertificateSigningRequestEntity( certData = certificateData?.toCertificateData() ) - fun copy(requestId: String = this.requestId, - legalName: String = this.legalName, - publicKeyHash: String = this.publicKeyHash, - status: RequestStatus = this.status, - modifiedBy: String = this.modifiedBy, - modifiedAt: Instant = this.modifiedAt, - remark: String? = this.remark, - certificateData: CertificateDataEntity? = this.certificateData, - requestBytes: ByteArray = this.requestBytes - ): CertificateSigningRequestEntity { - return CertificateSigningRequestEntity( - requestId = requestId, - legalName = legalName, - publicKeyHash = publicKeyHash, - status = status, - modifiedAt = modifiedAt, - modifiedBy = modifiedBy, - remark = remark, - certificateData = certificateData, - requestBytes = requestBytes - ) - } - private fun request() = PKCS10CertificationRequest(requestBytes) } @Entity @Table(name = "certificate_data") -class CertificateDataEntity( - +data class CertificateDataEntity( @Id @GeneratedValue(strategy = GenerationType.SEQUENCE) val id: Long? = null,
@@ -145,4 +125,15 @@ class CertificateDataEntity( } private fun toCertificatePath(): CertPath = buildCertPath(certificatePathBytes)
-} \ No newline at end of file
+}
+
+@Entity
+@Table(name = "private_network")
+data class PrivateNetworkEntity(
+ @Id
+ @Column(name = "id")
+ val networkId: String,
+
+ @Column(name = "name")
+ val networkName: String
+) \ No newline at end of file
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/entity/NodeInfoEntity.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/entity/NodeInfoEntity.kt
index f6e69b6bd5..7d61727f32 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/entity/NodeInfoEntity.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/persistence/entity/NodeInfoEntity.kt
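Review bot: `+data class CertificateDataEntity(` puts the generated key `@GeneratedValue(strategy = GenerationType.SEQUENCE) val id: Long? = null` into `equals`/`hashCode`, so an instance's hash changes when the sequence value is assigned at flush time and any hash-based collection holding it before persist becomes inconsistent. The plain class it replaces had identity equality, which Hibernate handles correctly; if a value-style `copy()` is all that is needed, keep the data class but override equality on something stable, e.g. `override fun equals(other: Any?) = this === other` and `override fun hashCode() = System.identityHashCode(this)`, or on a natural key of the certificate if this entity has one (its remaining properties are outside the hunk). The rest of the class body is also outside this hunk.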
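Review bot: `PrivateNetworkEntity` declares `@Column(name = "id")` and `@Column(name = "name")` with no `nullable = false`, `length` or `unique` constraint, unlike `request_id` (`length = 64`) and `request_bytes` (`nullable = false`) earlier in this file, so the schema cannot enforce what the README's runbook assumes: it looks networks up by `name` and generates `id` with `NEWID()`. A second network created with the same name would make `select id from private_network where name = ...` ambiguous and could silently attach CSRs to the wrong network. Suggested: `@Column(name = "id", length = 64)` and `@Column(name = "name", nullable = false, unique = true)`; the liquibase change set at the end of this patch presumably carries the real DDL and should be kept in step.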
@@ -12,13 +12,12 @@ package com.r3.corda.networkmanage.common.persistence.entity import net.corda.core.serialization.deserialize import net.corda.nodeapi.internal.SignedNodeInfo -import org.hibernate.annotations.CreationTimestamp import java.time.Instant import javax.persistence.* @Entity @Table(name = "node_info") -class NodeInfoEntity( +data class NodeInfoEntity( // Hash of serialized [NodeInfo] without signatures. @Id @Column(name = "node_info_hash", length = 64)
@@ -32,29 +31,14 @@ class NodeInfoEntity( @Column(name = "signed_node_info_bytes") val signedNodeInfoBytes: ByteArray, - @Column(name="is_current") + @Column(name = "is_current") val isCurrent: Boolean, @Column(name = "published_at") val publishedAt: Instant = Instant.now() ) { /** - * Deserializes NodeInfoEntity.soignedNodeInfoBytes into the [SignedNodeInfo] instance + * Deserialize NodeInfoEntity.signedNodeInfoBytes into the [SignedNodeInfo] instance */ - fun signedNodeInfo() = signedNodeInfoBytes.deserialize() - - fun copy(nodeInfoHash: String = this.nodeInfoHash, - certificateSigningRequest: CertificateSigningRequestEntity = this.certificateSigningRequest, - signedNodeInfoBytes: ByteArray = this.signedNodeInfoBytes, - isCurrent: Boolean = this.isCurrent, - publishedAt: Instant = this.publishedAt - ): NodeInfoEntity { - return NodeInfoEntity( - nodeInfoHash = nodeInfoHash, - certificateSigningRequest = certificateSigningRequest, - signedNodeInfoBytes = signedNodeInfoBytes, - isCurrent = isCurrent, - publishedAt = publishedAt - ) - } + fun toSignedNodeInfo() = signedNodeInfoBytes.deserialize() }
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/utils/Utils.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/utils/Utils.kt
index b0184f52f2..772ca955c5 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/utils/Utils.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/common/utils/Utils.kt
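Review bot: `+data class NodeInfoEntity(` generates `equals`/`hashCode` over `signedNodeInfoBytes: ByteArray` (reference comparison, with a compiler warning) and over `certificateSigningRequest`, which this same patch turns into a data class, so comparing or hashing a node-info row now walks into the CSR entity and its `requestBytes`. Since the entity is keyed by `node_info_hash`, equality on that column alone is cheaper and matches what `getNodeInfo` looks rows up by: `override fun equals(other: Any?) = other is NodeInfoEntity && other.nodeInfoHash == nodeInfoHash` and `override fun hashCode() = nodeInfoHash.hashCode()`. Dropping the `CreationTimestamp` import looks safe, as `publishedAt` keeps its `Instant.now()` default in the second hunk. The class body spans both hunks and closes after the second one.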
@@ -98,7 +98,4 @@ fun PKCS10CertificationRequest.getCertRole(): CertRole { /** * Helper method to extract email from certificate signing request. */
-fun PKCS10CertificationRequest.getEmail(): String {
- // TODO: Add basic email check?
- return firstAttributeValue(BCStyle.E).toString()
-}
+fun PKCS10CertificationRequest.getEmail(): String = firstAttributeValue(BCStyle.E).toString()
diff --git a/network-management/src/main/resources/migration/network-manager.changelog-init.xml b/network-management/src/main/resources/migration/network-manager.changelog-init.xml
index fb1d6982d1..cf0bd97339 100644
--- a/network-management/src/main/resources/migration/network-manager.changelog-init.xml
+++ b/network-management/src/main/resources/migration/network-manager.changelog-init.xml
@@ -57,6 +57,7 @@ +
@@ -285,4 +286,17 @@ + + + + + + + + + + +
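Review bot: The rewrite of `getEmail()` to `= firstAttributeValue(BCStyle.E).toString()` drops the `// TODO: Add basic email check?` reminder without adding the check. The E attribute is taken straight from the submitter's CSR, i.e. untrusted input, and if `firstAttributeValue` (defined outside this hunk) can return null the result is the literal string "null" rather than an error. At minimum keep the TODO; better, reject obviously malformed values at the boundary, e.g. `fun PKCS10CertificationRequest.getEmail(): String = firstAttributeValue(BCStyle.E).toString().also { require('@' in it) { "CSR email attribute is not a valid address" } }`, with the caveat that whether a bad address should fail the request or only be flagged depends on the doorman workflow, which is not visible here.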