#!/bin/bash
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
# ------------------------------------------------------------------
# EDITOR WORKFLOW
# As an editor, prepare, sign and insert data into the QLDB ledger's SharedData table
# Prerequisites:
# - Run the Installer.sh script to complete the installation process
# - Run the Editor.sh script successfully to complete the Editor's workflow
# ------------------------------------------------------------------
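# Step 1 - Assume the Editor role
# Strict mode only when the file is executed directly: if it is sourced into an
# interactive shell, `set -e` would close that shell on the first failed command.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  set -euo pipefail
fi

# Print a diagnostic to stderr and abort the workflow.
die() {
  printf 'Editor.sh: %s\n' "$*" >&2
  exit 1
}

# Stack name, stack region and qldb shell location used to be hard-coded; they can
# be overridden from the environment, the original values remain the defaults.
QLDB_STACK_NAME="${QLDB_STACK_NAME:-QLDB-KMS-TEST}"
QLDB_STACK_REGION="${QLDB_STACK_REGION:-us-east-1}"
QLDB_SHELL_DIR="${QLDB_SHELL_DIR:-$HOME/qldb-v2.0.1-linux}"

# Retrieve the ARN of the IAM role for the Editor.
# Assignment and export are separate so a failing `aws` call is not masked by `export`.
QLDB_EDITOR_ROLE_ARN=$(aws cloudformation describe-stacks --stack-name "$QLDB_STACK_NAME" \
  --region "$QLDB_STACK_REGION" \
  --query 'Stacks[0].Outputs[?OutputKey==`oEditorRoleARN`].OutputValue' --output text) \
  || die "could not describe stack $QLDB_STACK_NAME"
[[ -n "$QLDB_EDITOR_ROLE_ARN" && "$QLDB_EDITOR_ROLE_ARN" != "None" ]] \
  || die "stack $QLDB_STACK_NAME has no oEditorRoleARN output"
export QLDB_EDITOR_ROLE_ARN

# Assume the IAM role of the Editor. Everything after this point must run under
# the Editor's credentials; aborting on failure keeps the script from silently
# continuing with the caller's own (possibly broader) credentials.
QLDB_EDITOR_ROLE_CREDENTIALS=$(aws sts assume-role --role-arn "$QLDB_EDITOR_ROLE_ARN" \
  --role-session-name AWSCLI-Session --output json) \
  || die "assume-role for $QLDB_EDITOR_ROLE_ARN failed"
# NOTE: the full credential JSON (secret key and session token included) is exported
# and therefore inherited by every child process; kept exported for compatibility.
export QLDB_EDITOR_ROLE_CREDENTIALS
# `jq -r` prints the raw string value, so no sed is needed to strip the JSON quotes.
AWS_ACCESS_KEY_ID=$(jq -r .Credentials.AccessKeyId <<<"$QLDB_EDITOR_ROLE_CREDENTIALS")
AWS_SECRET_ACCESS_KEY=$(jq -r .Credentials.SecretAccessKey <<<"$QLDB_EDITOR_ROLE_CREDENTIALS")
AWS_SESSION_TOKEN=$(jq -r .Credentials.SessionToken <<<"$QLDB_EDITOR_ROLE_CREDENTIALS")
[[ -n "$AWS_SESSION_TOKEN" && "$AWS_SESSION_TOKEN" != "null" ]] \
  || die "assume-role response contains no session credentials"
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

# Step 2 - Prepare for signing the data
# Sample message to insert into the SharedData table of the QLDB ledger. It is
# interpolated into a PartiQL string literal in Step 4, so it must not contain
# single quotes.
export QLDB_DATA="Transfer from AcmeCorpToken.ABC to DoeBankToken.DEF and equivalent of 10 AcmeToken as 20 DoeBankToken"
# Convert the sample data to base64 (single line, no wrapping).
QLDB_DATA_BASE64=$(printf '%s' "$QLDB_DATA" | base64 --wrap=0)
export QLDB_DATA_BASE64
# msg_orig.txt holds the base64 text plus one trailing newline. Those exact bytes
# are what KMS signs, so the file format must stay byte-identical for whatever
# later verifies the signature (presumably the verifier re-reads this file).
printf '%s\n' "$QLDB_DATA_BASE64" > msg_orig.txt
# Retrieve the ARN of the AWS KMS signing key
QLDB_SIGNING_KMS_KEY_ARN=$(aws cloudformation describe-stacks --stack-name "$QLDB_STACK_NAME" \
  --region "$QLDB_STACK_REGION" \
  --query 'Stacks[0].Outputs[?OutputKey==`oSigningKeyARN`].OutputValue' --output text) \
  || die "could not describe stack $QLDB_STACK_NAME"
[[ -n "$QLDB_SIGNING_KMS_KEY_ARN" && "$QLDB_SIGNING_KMS_KEY_ARN" != "None" ]] \
  || die "stack $QLDB_STACK_NAME has no oSigningKeyARN output"
export QLDB_SIGNING_KMS_KEY_ARN

# Step 3 - Sign the data
# Sign the message file with the KMS signing key (ECDSA over SHA-256).
QLDB_DATA_SIGNATURE=$(aws kms sign --key-id "$QLDB_SIGNING_KMS_KEY_ARN" \
  --message fileb://msg_orig.txt --message-type "RAW" \
  --signing-algorithm "ECDSA_SHA_256" --output text --query Signature) \
  || die "kms sign with $QLDB_SIGNING_KMS_KEY_ARN failed"
export QLDB_DATA_SIGNATURE
# Export the DER encoded public key from KMS; `--output text` already drops the JSON quotes.
QLDB_KMS_PUBLIC_KEY=$(aws kms get-public-key --key-id "$QLDB_SIGNING_KMS_KEY_ARN" \
  --query PublicKey --output text) \
  || die "kms get-public-key for $QLDB_SIGNING_KMS_KEY_ARN failed"
export QLDB_KMS_PUBLIC_KEY
# Output the signature and public key
printf 'QLDB data signature: %s\n' "$QLDB_DATA_SIGNATURE"
printf 'QLDB public part of signing key: %s\n' "$QLDB_KMS_PUBLIC_KEY"

WORK_DIR=$(pwd)
export WORK_DIR
# The qldb shell is invoked as ./qldb, so it must be run from its own directory.
cd "$QLDB_SHELL_DIR" || die "qldb shell directory $QLDB_SHELL_DIR not found"

# Step 4 - Insert the record composed of the message, signature and public key into the table
# Add Data into the QLDB 'SharedData' table within the ledger. The values are
# expanded straight into the PartiQL statement; QLDB_DATA is a fixed sample above,
# the rest are base64/ARN strings, so no quoting problems are expected here.
cat <<EOT > transferDataSigned.sql
INSERT INTO SharedData << {'data': '$QLDB_DATA', 'signature': { 'kmsKeyARN': '$QLDB_SIGNING_KMS_KEY_ARN', 'publicKey': '$QLDB_KMS_PUBLIC_KEY', 'signature': '$QLDB_DATA_SIGNATURE', 'signingAlgorithm': 'ECDSA_SHA_256'}} >>
EOT
QLDB_DATA_DOC_ID=$(./qldb < transferDataSigned.sql) || die "qldb insert failed"
# shellcheck disable=SC2086 # unquoted on purpose: word-splitting collapses the qldb
# shell's (possibly multi-line) reply onto one line so `{ documentId: "<id>" }` matches
QLDB_DATA_DOC_ID=$(echo $QLDB_DATA_DOC_ID | sed -e 's/{ documentId: "//g' -e 's/" }//g')
[[ -n "$QLDB_DATA_DOC_ID" ]] || die "qldb returned no document id"
export QLDB_DATA_DOC_ID
cd "$WORK_DIR" || die "cannot return to $WORK_DIR"
printf 'Document ID generated by QLDB: %s\n' "$QLDB_DATA_DOC_ID"
printf '%s\n' "$QLDB_DATA_DOC_ID" > document_id.txt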