Support for Couchdb JWT Authentation

core/ledger/kvledger/txmgmt/statedb/statecouchdb/couchdb.go

@@ -28,6 +28,7 @@ import (
 	"time"
 	"unicode/utf8"
 
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/hyperledger/fabric/common/flogging"
 	"github.com/hyperledger/fabric/core/ledger"
 	"github.com/pkg/errors"
@@ -200,6 +201,11 @@ type databaseSecurity struct {
 	} `json:"members"`
 }
 
+// JWT contains the definition of a JWT object
+type JWT struct {
+	privateKey []byte
+}
+
 // couchDoc defines the structure for a JSON document value
 type couchDoc struct {
 	jsonValue   []byte
@@ -1627,12 +1633,14 @@ func (couchInstance *couchInstance) handleRequest(ctx context.Context, method, d
 			req.Header.Set("Accept", "multipart/related")
 		}
 
-		// If username and password are set the use basic auth
+		// If username and password are set the use basic auth otherwise if JWT private key and JWT username is set use the jwt token authorization
 		if couchInstance.conf.Username != "" && couchInstance.conf.Password != "" {
 			// req.Header.Set("Authorization", "Basic YWRtaW46YWRtaW5w")
 			req.SetBasicAuth(couchInstance.conf.Username, couchInstance.conf.Password)
+		} else if couchInstance.conf.JwtPrivateKey != "" && couchInstance.conf.JwtUserName != "" {
+			token := generateToken(couchInstance.conf.JwtPrivateKey, couchInstance.conf.JwtUserName)
+			req.Header.Add("Authorization", "Bearer "+token)
 		}
-
 		// Execute http request
 		resp, errResp = couchInstance.client.Do(req)
 
@@ -1803,3 +1811,52 @@ func printDocumentIds(documentPointers []*couchDoc) (string, error) {
 	}
 	return strings.Join(documentIds, ","), nil
 }
+
+func NewJWT(privateKey []byte) JWT {
+	return JWT{
+		privateKey: privateKey,
+	}
+}
+
+// Generate a JWT token for a JWT object
+func (j JWT) Create(ttl time.Duration, jwtUserName string) (string, error) {
+	key, err := jwt.ParseRSAPrivateKeyFromPEM(j.privateKey)
+	if err != nil {
+		return "", fmt.Errorf("Error Parsing RSA Private key from PEM %s", err)
+	}
+
+	now := time.Now().UTC()
+
+	claims := make(jwt.MapClaims)
+	claims["_couchdb.roles"] = []string{"_admin"}
+	claims["exp"] = now.Add(ttl).Unix() // The expiration time after which the token must be disregarded.
+	claims["alg"] = "RS256"
+	claims["sub"] = jwtUserName // Couchdb Server Admin user name
+
+	token, err := jwt.NewWithClaims(jwt.SigningMethodRS256, claims).SignedString(key)
+	if err != nil {
+		return "", fmt.Errorf("Error Generating JWT token %s", err)
+	}
+
+	couchdbLogger.Debugf("JWT token generated: %s", token)
+
+	return token, nil
+}
+
+// Generate a new JWT token
+func generateToken(privateKeyPath string, jwtUserName string) string {
+	// Read JWT Private key
+	prvKey, err := ioutil.ReadFile(privateKeyPath)
+	if err != nil {
+		couchdbLogger.Errorf("Error in reading JWT Private key: %s", err)
+	}
+	// Create a new JWT object with private key
+	jwtToken := NewJWT(prvKey)
+
+	// Generate a new JWT token with the object created. For now duration is arbitarly set high to avoid token expiration issue on call
+	token, err := jwtToken.Create(time.Duration(24)*time.Hour, jwtUserName)
+	if err != nil {
+		couchdbLogger.Errorf("Error from jwtToken.create method: %s", err)
+	}
+	return token
+}

core/ledger/ledger_interface.go

@@ -73,6 +73,10 @@ type CouchDBConfig struct {
 	Username string
 	// Password is the password for Username.
 	Password string
+	// Path of JWT Private Key
+	JwtPrivateKey string
+	// Username to authenticate with Couchdb. This username must have read and write access permissions
+	JwtUserName string
 	// MaxRetries is the maximum number of times to retry CouchDB operations on
 	// failure.
 	MaxRetries int

go.mod

@@ -45,7 +45,10 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 )
 
-require google.golang.org/protobuf v1.28.1
+require (
+	github.com/golang-jwt/jwt/v4 v4.4.3
+	google.golang.org/protobuf v1.28.1
+)
 
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect

go.sum

@@ -196,6 +196,8 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v4 v4.4.3 h1:Hxl6lhQFj4AnOX6MLrsCb/+7tCj7DxP7VA+2rDIq5AU=
+github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=

internal/peer/node/config.go

@@ -78,6 +78,8 @@ func ledgerConfig() *ledger.Config {
 			Address:               viper.GetString("ledger.state.couchDBConfig.couchDBAddress"),
 			Username:              viper.GetString("ledger.state.couchDBConfig.username"),
 			Password:              viper.GetString("ledger.state.couchDBConfig.password"),
+			JwtPrivateKey:         viper.GetString("ledger.state.couchDBConfig.jwtPrivateKey"),
+			JwtUserName:           viper.GetString("ledger.state.couchDBConfig.jwtUserName"),
 			MaxRetries:            viper.GetInt("ledger.state.couchDBConfig.maxRetries"),
 			MaxRetriesOnStartup:   viper.GetInt("ledger.state.couchDBConfig.maxRetriesOnStartup"),
 			RequestTimeout:        viper.GetDuration("ledger.state.couchDBConfig.requestTimeout"),

sampleconfig/core.yaml

@@ -679,6 +679,10 @@ ledger:
        # If it is stored here, the file must be access control protected
        # to prevent unintended users from discovering the password.
        password:
+       # Path of JWT Private key file 
+       jwtPrivateKey: 
+       # This username must have read and write authority on CouchDB  
+       jwtUserName: 
        # Number of retries for CouchDB errors
        maxRetries: 3
        # Number of retries for CouchDB errors during peer startup.