def create_role(txn_key, batch_key, role_name, role_id, metadata, admins, owners): """Create a BatchList with a CreateRole transaction in it. Args: txn_key (Key): The transaction signer's key pair. batch_key (Key): The batch signer's key pair. role_name (str): The name of the Role. role_id (str): A uuid that identifies this Role. metadata (str): Client supplied information that is not parsed. admins (list): A list of User ids of the Users who are admins of this Role. owners (list): A list of User ids of the Users who are owners of this Role. Returns: tuple BatchList, batch header_signature tuple """ create_role_payload = role_transaction_pb2.CreateRole(role_id=role_id, name=role_name, metadata=metadata, admins=admins, owners=owners) inputs = [ addresser.make_sysadmin_members_address(txn_key.public_key), addresser.make_role_attributes_address(role_id) ] inputs.extend([addresser.make_user_address(u) for u in admins]) inputs.extend([addresser.make_user_address(u) for u in owners]) inputs.extend([ addresser.make_role_admins_address(role_id=role_id, user_id=a) for a in admins ]) inputs.extend([ addresser.make_role_owners_address(role_id=role_id, user_id=o) for o in owners ]) outputs = [addresser.make_role_attributes_address(role_id)] outputs.extend([ addresser.make_role_admins_address(role_id=role_id, user_id=a) for a in admins ]) outputs.extend([ addresser.make_role_owners_address(role_id=role_id, user_id=o) for o in owners ]) rbac_payload = rbac_payload_pb2.RBACPayload( content=create_role_payload.SerializeToString(), message_type=rbac_payload_pb2.RBACPayload.CREATE_ROLE) return make_header_and_batch(rbac_payload, inputs, outputs, txn_key, batch_key)
def test_deterministic_role_address(self): """Tests that a specific role_id generates the expected role address, and thus is probably deterministic. """ ident = '99968acb8f1a48b3a4bc21e2cd252e67' expected_address = '9f444809326a1713a905b26359fc8d\ a2817c1a5f67de6f464701f0c10042da345d2800' address = addresser.make_role_attributes_address(ident) self.assertEqual(len(address), addresser.ADDRESS_LENGTH, "The address is 70 characters") self.assertTrue(addresser.is_address(address), "The address is 70 character hexidecimal") self.assertTrue(addresser.namespace_ok(address), "The address has correct namespace prefix") self.assertTrue( addresser.is_family_address(address), "The address is 70 character hexidecimal with family prefix") self.assertEqual(address, expected_address, "The address is the one we expected it to be") self.assertEqual( addresser.address_is(address), AddressSpace.ROLES_ATTRIBUTES, "The address created must be a Role Attributes address.")
def propose_add_role_tasks(txn_key, batch_key, proposal_id, role_id, task_id, reason, metadata): propose_payload = role_transaction_pb2.ProposeAddRoleTask( proposal_id=proposal_id, role_id=role_id, task_id=task_id, reason=reason, metadata=metadata) inputs = [ addresser.make_proposal_address(role_id, task_id), addresser.make_role_tasks_address(role_id, task_id), addresser.make_role_owners_address(role_id, txn_key.public_key), addresser.make_role_attributes_address(role_id), addresser.make_task_attributes_address(task_id) ] outputs = [addresser.make_proposal_address(role_id, task_id)] rbac_payload = rbac_payload_pb2.RBACPayload( content=propose_payload.SerializeToString(), message_type=rbac_payload_pb2.RBACPayload.PROPOSE_ADD_ROLE_TASKS) return make_header_and_batch(rbac_payload, inputs, outputs, txn_key, batch_key)
def _handle_role_state_set(create_role, state): role_container = role_state_pb2.RoleAttributesContainer() role = role_container.role_attributes.add() role.role_id = create_role.role_id role.name = create_role.name role.metadata = create_role.metadata entries_to_set = [ StateEntry(address=addresser.make_role_attributes_address( create_role.role_id), data=role_container.SerializeToString()) ] pubkeys_by_address = {} for admin in list(create_role.admins): admin_address = addresser.make_role_admins_address( role_id=create_role.role_id, user_id=admin) if admin_address in pubkeys_by_address: pubkeys_by_address[admin_address].append(admin) else: pubkeys_by_address[admin_address] = [admin] for owner in list(create_role.owners): owner_address = addresser.make_role_owners_address( role_id=create_role.role_id, user_id=owner) if owner_address in pubkeys_by_address: pubkeys_by_address[owner_address].append(owner) else: pubkeys_by_address[owner_address] = [owner] state_returns = get_state(state, [ addresser.make_role_admins_address(role_id=create_role.role_id, user_id=a) for a in create_role.admins ] + [ addresser.make_role_owners_address(role_id=create_role.role_id, user_id=o) for o in create_role.owners ]) for addr, pubkeys in pubkeys_by_address.items(): try: state_entry = get_state_entry(state_returns, addr) container = role_state_pb2.RoleRelationshipContainer() container.ParseFromString(state_entry.data) except KeyError: container = role_state_pb2.RoleRelationshipContainer() _add_role_rel_to_container(container, create_role.role_id, pubkeys) entries_to_set.append( StateEntry(address=addr, data=container.SerializeToString())) set_state(state, entries_to_set)
def validate_role_rel_proposal(header, propose, rel_address, state): """Validates that the User exists, the Role exists, and the User is not in the Role's relationship specified by rel_address. Args: header (TransactionHeader): The transaction header. propose (ProposeAddRole_____): The role relationship proposal. rel_address (str): The Role relationship address produced by the Role and the User. state (sawtooth_sdk.Context): The way to communicate to the validator the state gets and sets. Returns: (dict of addresses) """ user_address = addresser.make_user_address(propose.user_id) role_address = addresser.make_role_attributes_address(propose.role_id) proposal_address = addresser.make_proposal_address( object_id=propose.role_id, related_id=propose.user_id) state_entries = get_state( state, [user_address, role_address, proposal_address, rel_address]) validate_identifier_is_user(state_entries, identifier=propose.user_id, address=user_address) user_entry = get_state_entry(state_entries, user_address) user = get_user_from_container(return_user_container(user_entry), propose.user_id) if header.signer_public_key not in [user.user_id, user.manager_id]: raise InvalidTransaction( "Txn signer {} is not the user or the user's " "manager {}".format(header.signer_public_key, [user.user_id, user.manager_id])) validate_identifier_is_role(state_entries, identifier=propose.role_id, address=role_address) try: role_admins_entry = get_state_entry(state_entries, rel_address) role_rel_container = return_role_rel_container(role_admins_entry) if is_in_role_rel_container(role_rel_container, propose.role_id, propose.user_id): raise InvalidTransaction("User {} is already in the Role {} " "relationship".format( propose.user_id, propose.role_id)) except KeyError: # The role rel container doesn't exist so no role relationship exists pass return state_entries
def _validate_create_role_state(create_role, state): state_return = get_state( state, [addresser.make_role_attributes_address(create_role.role_id)]) if _role_already_exists(state_return, create_role.role_id): raise InvalidTransaction("Role id {} is already in state".format( create_role.role_id)) users = list(create_role.admins) + list(create_role.owners) user_state_return = get_state( state, [addresser.make_user_address(u) for u in users]) validate_list_of_user_are_users(user_state_return, users)
def propose_add_role_admins(txn_key, batch_key, proposal_id, role_id, user_id, reason, metadata): """Create a BatchList with a ProposeAddRoleAdmins transaction in it. Args: txn_key (Key): The txn signer key pair. batch_key (Key): The batch signer key pair. role_id (str): The role's id. user_id (str): The user that is being proposed to be an admin. reason (str): The client supplied reason for the proposal. metadata (str): The client supplied metadata. Returns: tuple BatchList, batch header_signature tuple """ propose_add_payload = role_transaction_pb2.ProposeAddRoleAdmin( proposal_id=proposal_id, role_id=role_id, user_id=user_id, reason=reason, metadata=metadata) inputs = [ addresser.make_user_address(user_id=user_id), addresser.make_proposal_address(role_id, user_id), addresser.make_role_admins_address(role_id, user_id), addresser.make_role_attributes_address(role_id=role_id) ] outputs = [addresser.make_proposal_address(role_id, user_id)] rbac_payload = rbac_payload_pb2.RBACPayload( content=propose_add_payload.SerializeToString(), message_type=rbac_payload_pb2.RBACPayload.PROPOSE_ADD_ROLE_ADMINS) return make_header_and_batch(rbac_payload, inputs, outputs, txn_key, batch_key)
def test_generated_role_address(self): """Tests the role address creation function as well as the address_is function. """ ident = uuid4().hex address = addresser.make_role_attributes_address(ident) self.assertEqual(len(address), addresser.ADDRESS_LENGTH, "The address is 70 characters") self.assertTrue(addresser.is_address(address), "The address is 70 character hexidecimal") self.assertTrue(addresser.namespace_ok(address), "The address has correct namespace prefix") self.assertTrue( addresser.is_family_address(address), "The address is 70 character hexidecimal with family prefix") self.assertEqual( addresser.address_is(address), AddressSpace.ROLES_ATTRIBUTES, "The address created must be a Role Attributes address.")
def propose_remove_role_members(txn_key, batch_key, proposal_id, role_id, user_id, reason, metadata): propose = role_transaction_pb2.ProposeRemoveRoleMember( proposal_id=proposal_id, role_id=role_id, user_id=user_id, reason=reason, metadata=metadata) inputs = [ addresser.make_role_members_address(role_id, user_id), addresser.make_role_attributes_address(role_id=role_id), addresser.make_user_address(user_id=user_id), addresser.make_proposal_address(role_id, user_id) ] outputs = [addresser.make_proposal_address(role_id, user_id)] rbac_payload = rbac_payload_pb2.RBACPayload( content=propose.SerializeToString(), message_type=rbac_payload_pb2.RBACPayload.PROPOSE_REMOVE_ROLE_MEMBERS) return make_header_and_batch(rbac_payload, inputs, outputs, txn_key, batch_key)
def validate_role_task_proposal(header, propose, state): """Applies state validation rules for ADDRoleTaskProposal. - The Role exists. - The Task exists. - The Transaction was signed by a Role Owner. - There is no open Proposal for the same change. - The task is not already part of the Role. Args: header (TransactionHeader): The propobuf transaction header. propose (ProposeAddRoleTask): The protobuf transaction. state (Context): A connection to the validator to ask about state. Returns: (list of StateEntry) """ role_address = addresser.make_role_attributes_address(propose.role_id) task_address = addresser.make_task_attributes_address(propose.task_id) proposal_address = addresser.make_proposal_address( propose.role_id, propose.task_id) txn_signer_role_owner_address = addresser.make_role_owners_address( role_id=propose.role_id, user_id=header.signer_pubkey) role_tasks_address = addresser.make_role_tasks_address(propose.role_id, propose.task_id) state_entries = get_state( state=state, addresses=[role_address, task_address, proposal_address, role_tasks_address, txn_signer_role_owner_address]) validate_identifier_is_role( state_entries=state_entries, address=role_address, identifier=propose.role_id) validate_identifier_is_task( state_entries=state_entries, identifier=propose.task_id, address=task_address) try: role_task_entry = get_state_entry(state_entries, role_tasks_address) role_task_container = return_role_rel_container(role_task_entry) if is_in_role_rel_container(role_task_container, role_id=propose.role_id, identifier=propose.task_id): raise InvalidTransaction("Role {} already contains task {}".format( propose.role_id, propose.task_id)) except KeyError: # The Task is not in the RoleTask state pass try: role_owner_entry = get_state_entry( state_entries, txn_signer_role_owner_address) role_owner_container = return_role_rel_container(role_owner_entry) if not is_in_role_rel_container(role_owner_container, role_id=propose.role_id, identifier=header.signer_pubkey): raise InvalidTransaction( "Txn signer {} is not a role owner".format( header.signer_pubkey)) except KeyError: raise InvalidTransaction( "Txn signer {} is not a role owner.".format(header.signer_pubkey)) if not no_open_proposal( state_entries=state_entries, object_id=propose.role_id, related_id=propose.task_id, proposal_address=proposal_address, proposal_type=proposal_state_pb2.Proposal.ADD_ROLE_TASKS): raise InvalidTransaction( "There is already an open proposal to add task {} to " "role {}".format(propose.task_id, propose.role_id)) return state_entries
def test_role_addresses(self): """Tests the Role address creation functions as well as the address_is function. Notes: 1. Create an address of a particular type: - Role Attributes - Role Members - Role Owners - Role Admins - Role Tasks 2. Assert that address_is returns the correct address type. """ role_address = addresser.make_role_attributes_address( role_id=uuid4().hex) self.assertEqual(len(role_address), 70, "The address is a well-formed address.") self.assertEqual( addresser.address_is(role_address), AddressSpace.ROLES_ATTRIBUTES, "The Role Attributes address created must " "be found to be a Role Attributes address.") role_members_address = addresser.make_role_members_address( role_id=uuid4().hex, user_id=uuid4().hex) self.assertEqual(len(role_members_address), 70, "The address is a well-formed address.") self.assertEqual( addresser.address_is(role_members_address), AddressSpace.ROLES_MEMBERS, "The Role Members address created must be " "found to be a Role Members address.") role_owners_address = addresser.make_role_owners_address( role_id=uuid4().hex, user_id=uuid4().hex) self.assertEqual(len(role_owners_address), 70, "The address is a well-formed address.") self.assertEqual( addresser.address_is(role_owners_address), AddressSpace.ROLES_OWNERS, "The Role Owners address created must be found to be " "a Role Members address.") role_admins_address = addresser.make_role_admins_address( role_id=uuid4().hex, user_id=uuid4().hex) self.assertEqual(len(role_admins_address), 70, "The address is a well-formed address.") self.assertEqual( addresser.address_is(role_admins_address), AddressSpace.ROLES_ADMINS, "The Role Admins address created must be " "found to be a Role Admins address.") role_tasks_address = addresser.make_role_tasks_address( role_id=uuid4().hex, task_id=uuid4().hex) self.assertEqual(len(role_tasks_address), 70, "The address is a well-formed address.") self.assertEqual( addresser.address_is(role_tasks_address), AddressSpace.ROLES_TASKS, "The Role Tasks address created must be " "found to be a Role Tasks address.")