I've been trying to build a cordapp with three participants, where one of those participants can act as a notary but doesn't need to be a notary.
Is it possible to build a cordapp without a notary node??
No, you must have a notary; which is the entity that prevents double-spends (i.e. consuming already consumed states as transaction inputs), and it's also the time-stamping authority which allows you to use time-windows in your transactions.
If you want to avoid notaries you can build a network where all nodes are notary and each node refers himself as notary when building a transaction.
Related
Is it mandatory for all the nodes in a Corda network to have the same Cordapp deployed? What if some nodes are having different version? Will the nodes be able to participate in a transaction if they have different versions of Cordapp?
No, it is not mandatory. The version of the same CorDapp deployed in different nodes does not have to be the same, as long as the new version does not break the compatibility with the previous one, so making it impossible for the counterparty to participate to the transactions using the old version. The considerations to make are listed in the doc, but I report them here as well:
Flow versioning
State and contract versioning
State and state schema versioning
Serialisation of custom types
For example, if the new version of the CorDapp change things like the order of some send() and receive(), or the object type passed to the Responder flow, etc the transaction will fail.
I want to regularly check that output state is not consumed by tampering, so I want to ask the notary whether the state is consumed or not. Is this possible ?
I believe you would need to write a flow that is executed by the corda notary which then performs the vault query on the notary. This is listed as an experimental feature in the corda docs so you may want to rethink how you are designing your cordapp first. I haven't utilised this feature a great deal before myself so I'm unsure how well it's supported but it should work. This does mean however you are likely to be running your own corda network as you need control over how the notary is deployed.
It may be more appropriate to have another trusted node or party that has visibility and is a signer on the ContractState's that you want to check. Your third party would then also have a responder flow that performs a vault query on it's own vault and responds back to initiator.
You can query a node for consumed states by specifying Vault.StateStatus in the vault query API
val vaultSnapshot = proxy.vaultQueryBy<ContractState>(
QueryCriteria.VaultQueryCriteria(Vault.StateStatus.UNCONSUMED))
I'm just starting with Consumer-Driven Contracts for our microservice setup, and as they are mainly Spring Boot apps natural choice is Spring Cloud Contract.
But then comes the confusion. In all examples in docs contracts are defined on the producer side, and consumer retrieves them from maven repo. How it is consumer-driven if the producer defines them?
My understanding was that conceptually consumer defines them as its expectation from the producer for part of the API it uses. In addition to the previous question, is it possible with Spring Cloud Contract to define a contract on the consumer side and verify it on producers?
Thanks for this question. Yes, Spring Cloud Contract can be consumer-driven or producer driven.
The contract definitions can lay either with the producer or in an external repository. The concept of consumer-driven is not related to the fact where the contract are stored. It's related to the fact who creates them or actually who drives the change of those contracts. Another thing is whether each consumer can define a set of their own requirements. That means that one consumer can have different requirements than another one.
So in Spring Cloud Contract for the producer-driven approach, the producer just creates the contracts and it doesn't really care if different consumers use their API in a different way. The producer of the API creates e.g. 1 contract definition for all the consumers and it's the consumer's problem to align to that contract.
With consumer-driven contracts with Spring Cloud Contract, it's the consumer that suggests the changes and creates the contract definitions. The consumer sends a PR either to the producer team's repo or to a separate repo where all the contract definitions are stored. It's not the producer, but the consumer who does it. The consumer can, in the meantime, create the stubs locally without asking the producer for the permission, and prototype the API. Once the consumer has finished its work and of course talked with the producer team about the changes before, then a pull request can be sent with the suggested changes. Important thing to remember is that each consumer has their own folder with their requirements. E.g. if there are consumers example1 and example2 and there's a producer producer1 then under producer1's contract folder there will be 2 folders, one example1 and the second example2. Both will contain expectations for the particular consumer.
Then the producer takes the PR over and the verification happens on the producer side. The tests are generated. Once the implementation is written and tests are passing the stubs can be uploaded.
Finally, on the consumer side, the consumers can switch to start fetching the uploaded stubs to always get the fresh version of the stubs.
You can check a video of how full cycle of CDC is done here: https://www.youtube.com/watch?v=pDkC_00hhvA
Consumer Driven Contract tutorial: https://cloud-samples.spring.io/spring-cloud-contract-samples/tutorials/stubs_per_consumer.html
Producer Contract tutorial with contracts on the producer side: https://cloud-samples.spring.io/spring-cloud-contract-samples/tutorials/contracts_on_the_producer_side.html
Producer Contract tutorial with contracts in an external repo: https://cloud-samples.spring.io/spring-cloud-contract-samples/tutorials/contracts_external.html
All the workflows related to doing contract tests with Spring Cloud Contract can be found here - https://docs.spring.io/spring-cloud-contract/docs/current/reference/html/using.html#using
How does a notary/node verify that a specific flow has been called when it receives the transaction?
Does this mean Corda can guarantee that the flow has not been modified from what was stated in the corresponding Cordapp?
In detail:
It's a DLT (Distributed Ledger Technology); so in a sense, you can't really trust anyone.
The notary doesn't receive flows, it receives transactions and makes sure that there is no double-spend (i.e. consumed inputs are not being consumed again).
Even if you gave a node your CorDapp, it can override the responder flow. See links below.
Wrong assumptions about responder flows: https://www.corda.net/blog/corda-flow-responder-wrong-assumptions/
Configuring responder flows: https://docs.corda.net/flow-overriding.html
Overriding flows from external CorDapps: https://dzone.com/articles/extending-and-overriding-flows-from-external-corda
When you send and receive data between an initiator and its responders; the received data (on both ends) is considered untrusted; you must unwrap it and validate it: https://docs.corda.net/api-flows.html#receive
So in short:
Your initiator must validate any received data from the responder(s).
Your responder must validate any received data from the initiator; plus if you expect the initiator to be a certain entity, you must validate that the counter-party (that sent you the flow session) is who you expect it to be (e.g. flowSession.counterParty == "O=Good Org, L=London, C=UK").
Adel's answer covers the right ways to not trust your counterparties from the application flow level but there are also operational protections which can used. Strong contracts can help prevent badly formed transactions as Corda does not allow for unknown contracts in a well setup network.
The network parameters defines what smart contract cordapp jars are acceptable for validation. The most common form of contract constraints is signature constraints which means that any contract jar signed by the same developer key can be accepted. This prevents a malicious counterparty from forcing you to run weak validation: https://docs.corda.net/api-contract-constraints.html#signature-constraints
As of Corda 4 any unrecognized contract cordapp jar will not be trusted unless the node operator explicitly tells Corda to trust the jar. https://docs.corda.net/cordapp-build-systems.html#cordapp-contract-attachments Once a signature is trusted then any future jars signed by that signature will implicitly be trusted.
As per corda documentaion and my understanding contract verification called at time of transactionBuilder. For R&D I put logger on contract verification function. One thing observed that contract verification called at time of transactionBuilder also in collectSignature and in finalityflow also.
In collectSignatureFlow called 3 times and Finality flow also called 3 times.
Current setup have 2 nodes one notary in non-validating mode.
My question is that in collectSignatureFlow verify called on diffrent nodes and if yes does notary called verify function too. Same question is with finality flow.
CollectSignaturesFlow, called by the node gathering the signatures, calls verify. SignTransactionFlow, the responder flow called by the nodes adding their signatures, also calls verify before signing.
FinalityFlow calls verify. NotaryServiceFlow, the flow run by the notary in response to FinalityFlow, should call verify if the notary is validating (in fact, this is the definition of a validating notary). And finally, ReceiveTransactionFlow, the flow run by the transaction's participants in response to FinalityFlow, calls verify before storing the transaction.