def authorize(self, request: Request, auth_constraint: AuthConstraint, auth_action: AbstractAuthAction = None): # 1. Check that the Author is the owner # do first since it doesn't require going to state if not self.is_owner_accepted(auth_constraint, auth_action): if auth_action.field != '*': return False, "{} can not touch {} field since only the owner can modify it". \ format(self.get_named_role_from_req(request), auth_action.field) else: return False, "{} can not edit {} txn since only owner can modify it". \ format(self.get_named_role_from_req(request), IndyTransactions.get_name_from_code(auth_action.txn_type)) author_role = self.get_role(request) # 2. Check that the Author is present on the ledger if auth_constraint.sig_count > 0 and not auth_constraint.off_ledger_signature and author_role is None: return False, "sender's DID {} is not found in the Ledger".format( request.identifier) # 3. Check that the Author signed the transaction in case of multi-sig if auth_constraint.sig_count > 0 and request.signatures and request.identifier not in request.signatures: return False, "Author must sign the transaction" # 4. Check that there are enough signatures of the needed role if not self.is_sig_count_accepted(request, auth_constraint): role = Roles(auth_constraint.role ).name if auth_constraint.role != '*' else '*' return False, "Not enough {} signatures".format(role) return True, ""
def editor(editor_type, edited): if editor_type == NYMEditSignerTypes.self: return edited elif editor_type == NYMEditSignerTypes.creator: return edited.creator else: return did_editor_others[Roles(editor_type.value)]
def auth_check(action_id, signer, op, did_ledger=None): op_role = Roles(op[ROLE]) if ROLE in op else None def check_promotion(): # omitted role means IDENTITY_OWNER if op_role in (None, Roles.IDENTITY_OWNER): return signer.role in (Roles.TRUSTEE, Roles.STEWARD, Roles.TRUST_ANCHOR) elif op_role in (Roles.TRUSTEE, Roles.STEWARD): return signer.role == Roles.TRUSTEE elif op_role in (Roles.TRUST_ANCHOR, Roles.NETWORK_MONITOR): return signer.role in (Roles.TRUSTEE, Roles.STEWARD) def check_demotion(): if did_ledger.role in (Roles.TRUSTEE, Roles.STEWARD): return signer.role == Roles.TRUSTEE elif did_ledger.role == Roles.TRUST_ANCHOR: return (signer.role == Roles.TRUSTEE) # FIXME INDY-1968: uncomment when the task is addressed # return ((signer.role == Roles.TRUSTEE) or # (signer.role == Roles.TRUST_ANCHOR and # is_self and is_owner)) elif did_ledger.role == Roles.NETWORK_MONITOR: return signer.role in (Roles.TRUSTEE, Roles.STEWARD) if action_id == ActionIds.add: return check_promotion() elif action_id == ActionIds.edit: # is_self = signer.did == did_ledger.did is_owner = signer == (did_ledger if did_ledger.verkey is not None else did_ledger.creator) if (VERKEY in op) and (not is_owner): return False if ROLE in op: if op_role == did_ledger.role: # FIXME INDY-1969: related to the task return is_owner # TODO what is a case here, is it correctly designed elif op_role == Roles.IDENTITY_OWNER: # demotion of existent DID return check_demotion() elif did_ledger.role == Roles.IDENTITY_OWNER: # promotion of existent DID return check_promotion() else: # role updating: demotion + promotion return (check_demotion() and check_promotion()) else: return True return False
def authorize(self, request: Request, auth_constraint: AuthConstraint, auth_action: AbstractAuthAction = None): if self.get_role(request) is None: return False, "sender's DID {} is not found in the Ledger".format( request.identifier) if not self.is_sig_count_accepted(request, auth_constraint): return False, "Not enough {} signatures".format( Roles(auth_constraint.role).name) if not self.is_owner_accepted(auth_constraint, auth_action): if auth_action.field != '*': return False, "{} can not touch {} field since only the owner can modify it".\ format(self.get_named_role_from_req(request), auth_action.field) else: return False, "{} can not edit {} txn since only owner can modify it".\ format(self.get_named_role_from_req(request), IndyTransactions.get_name_from_code(auth_action.txn_type)) return True, ""