def dynamic_validation(self, request: Request, req_pp_time: Optional[int]):
# we can not add a Claim Def with existent ISSUER_DID
# sine a Claim Def needs to be identified by seqNo
self._validate_request_type(request)
identifier, req_id, operation = get_request_data(request)
ref = operation[REF]
try:
txn = self.ledger.get_by_seq_no_uncommitted(ref)
except KeyError:
raise InvalidClientRequest(identifier,
req_id,
"Mentioned seqNo ({}) doesn't exist.".format(ref))
if txn['txn']['type'] != SCHEMA:
raise InvalidClientRequest(identifier,
req_id,
"Mentioned seqNo ({}) isn't seqNo of the schema.".format(ref))
signature_type = get_write_claim_def_signature_type(request)
schema_ref = get_write_claim_def_schema_ref(request)
tag = get_write_claim_def_tag(request)
path = self.make_state_path_for_claim_def(identifier, schema_ref, signature_type, tag)
claim_def, _, _ = self.get_from_state(path, is_committed=False)
if claim_def:
self.write_req_validator.validate(request,
[AuthActionEdit(txn_type=CLAIM_DEF,
field='*',
old_value='*',
new_value='*')])
else:
self.write_req_validator.validate(request,
[AuthActionAdd(txn_type=CLAIM_DEF,
field='*',
value='*')])
def validate(self, request: Request):
req_type = request.operation[TXN_TYPE]
if req_type == MINT_PUBLIC:
return self.write_req_validator.validate(
request,
[AuthActionAdd(txn_type=MINT_PUBLIC, field="*", value="*")])
elif req_type == XFER_PUBLIC:
self.handle_xfer_public_txn(request)
return self.write_req_validator.validate(
request,
[AuthActionAdd(txn_type=XFER_PUBLIC, field="*", value="*")])
raise InvalidClientMessageException(
request.identifier, getattr(request, 'reqId', None),
'Unsupported request type - {}'.format(req_type))
def test_schema_adding(write_request_validation, req, is_owner):
assert write_request_validation(req, [
AuthActionAdd(txn_type=SCHEMA,
field='some_field',
value='some_value',
is_owner=is_owner)
])
def test_make_network_monitor(write_request_validation, req, is_owner):
authorized = req.identifier in ("trustee_identifier", "steward_identifier")
assert authorized == write_request_validation(req,
[AuthActionAdd(txn_type=NYM,
field=ROLE,
value=NETWORK_MONITOR,
is_owner=is_owner)])
def build_req_and_action(signatures, need_to_be_owner, amount=None):
sig = None
sigs = None
identifier = None
if signatures:
role = next(iter(signatures.keys()))
identifier = IDENTIFIERS[role][0]
if len(signatures) == 1 and next(iter(signatures.values())) == 1:
sig = 'signature'
else:
sigs = {
IDENTIFIERS[role][i]: 'signature'
for role, sig_count in signatures.items() for i in range(sig_count)
}
operation = randomOperation()
if amount is not None:
operation[PLUGIN_FIELD] = amount
req = Request(identifier=identifier,
operation=operation,
signature=sig,
signatures=sigs)
action = AuthActionAdd(txn_type=req.operation[TYPE],
field='some_field',
value='new_value',
is_owner=need_to_be_owner)
return req, [action]
def test_make_trust_anchor(write_request_validation, req, is_owner):
authorized = req.identifier in ("trustee_identifier", "steward_identifier")
assert authorized == write_request_validation(req,
[AuthActionAdd(txn_type=NYM,
field=ROLE,
value=TRUST_ANCHOR,
is_owner=is_owner)])
def test_make_steward(write_request_validation, req, is_owner):
authorized = (req.identifier == "trustee_identifier")
assert authorized == write_request_validation(req,
[AuthActionAdd(txn_type=NYM,
field=ROLE,
value=STEWARD,
is_owner=is_owner)])
def dynamic_validation(self, request: Request):
self._validate_request_type(request)
rev_reg_tags = request.operation[REVOC_REG_DEF_ID]
author_did, req_id, operation = get_request_data(request)
current_entry, revoc_def = self._get_current_revoc_entry_and_revoc_def(
author_did=author_did,
revoc_reg_def_id=operation[REVOC_REG_DEF_ID],
req_id=req_id)
rev_ref_def_author_did = rev_reg_tags.split(":", 1)[0]
is_owner = rev_ref_def_author_did == author_did
if current_entry:
self.write_req_validator.validate(request, [
AuthActionEdit(txn_type=REVOC_REG_ENTRY,
field='*',
old_value='*',
new_value='*',
is_owner=is_owner)
])
else:
self.write_req_validator.validate(request, [
AuthActionAdd(txn_type=REVOC_REG_ENTRY,
field='*',
value='*',
is_owner=is_owner)
])
validator_cls = self.get_revocation_strategy(
revoc_def[VALUE][ISSUANCE_TYPE])
validator = validator_cls(self.state)
validator.validate(current_entry, request)
def test_node_enable_with_empty_services(write_request_validation, req, is_owner):
authorized = (req.identifier == "steward_identifier" and is_owner)
assert authorized == write_request_validation(req,
[AuthActionAdd(txn_type=NODE,
field=SERVICES,
value=[],
is_owner=is_owner)])
def dynamic_validation(self, request: Request):
self._validate_request_type(request)
operation = request.operation
cred_def_id = operation.get(CRED_DEF_ID)
revoc_def_type = operation.get(REVOC_TYPE)
revoc_def_tag = operation.get(TAG)
assert cred_def_id
assert revoc_def_tag
assert revoc_def_type
revoc_def_id = RevocRegDefHandler.make_state_path_for_revoc_def(
request.identifier, cred_def_id, revoc_def_type, revoc_def_tag)
revoc_def, _, _ = self.get_from_state(revoc_def_id)
if revoc_def is None:
self.write_req_validator.validate(
request,
[AuthActionAdd(txn_type=REVOC_REG_DEF, field='*', value='*')])
else:
self.write_req_validator.validate(request, [
AuthActionEdit(txn_type=REVOC_REG_DEF,
field='*',
old_value='*',
new_value='*')
])
cred_def, _, _ = self.get_from_state(cred_def_id)
if cred_def is None:
raise InvalidClientRequest(
request.identifier, request.reqId,
"There is no any CRED_DEF by path: {}".format(cred_def_id))
def test_claim_def_adding(write_request_validation, req, is_owner):
assert write_request_validation(req, [
AuthActionAdd(txn_type=CLAIM_DEF,
field='some_field',
value='some_value',
is_owner=is_owner)
])
def test_pool_config_change(write_request_validation, is_owner, req):
authorized = req.identifier == "trustee_identifier"
assert authorized == write_request_validation(req,
[AuthActionAdd(txn_type=POOL_CONFIG,
field=ACTION,
value='value',
is_owner=is_owner)])
def build_req_and_action(action: Action):
sig = None
sigs = None
identifier = IDENTIFIERS[action.author][0]
endorser_did = None
# if there is only 1 sig from the Author - use `signature` instead of `signatures`
if len(action.sigs) == 1 and next(iter(action.sigs.values())) == 1 and next(
iter(action.sigs.keys())) == action.author:
sig = 'signature'
else:
sigs = {IDENTIFIERS[role][i]: 'signature' for role, sig_count in action.sigs.items() for i in
range(sig_count)}
if action.endorser is not None:
endorser_did = IDENTIFIERS[action.endorser][0]
operation = randomOperation()
if action.amount is not None:
operation[PLUGIN_FIELD] = action.amount
req = Request(identifier=identifier,
operation=operation,
signature=sig,
signatures=sigs,
endorser=endorser_did)
action = AuthActionAdd(txn_type=req.operation[TYPE],
field='some_field',
value='new_value',
is_owner=action.is_owner)
return req, [action]
def validate(self, req: Request):
operation = req.operation
typ = operation.get(TXN_TYPE)
if typ not in self.operation_types:
return
if typ == POOL_RESTART:
action = operation.get(ACTION)
self.write_req_validator.validate(req,
[AuthActionAdd(txn_type=POOL_RESTART,
field=ACTION,
value=action)])
elif typ == VALIDATOR_INFO:
self.write_req_validator.validate(req,
[AuthActionAdd(txn_type=VALIDATOR_INFO,
field='*',
value='*')])
def test_schema_adding(write_request_validation, req, is_owner):
authorized = req.identifier in ("trustee_identifier", "steward_identifier", "trust_anchor_identifier")
assert authorized == write_request_validation(req,
[AuthActionAdd(txn_type=SCHEMA,
field='some_field',
value='some_value',
is_owner=is_owner)])
def test_node_enable(write_request_validation, req, is_owner):
authorized = (req.identifier == "steward_identifier" and is_owner)
assert authorized == write_request_validation(req,
[AuthActionAdd(txn_type=NODE,
field=SERVICES,
value='[\'VALIDATOR\']',
is_owner=is_owner)])
def test_catching_up_auth_rule_txn(looper, txnPoolNodeSet, sdk_wallet_trustee,
sdk_wallet_steward, sdk_pool_handle):
delayed_node = txnPoolNodeSet[-1]
wh, _ = sdk_wallet_trustee
new_steward_did, new_steward_verkey = create_verkey_did(looper, wh)
changed_constraint = AuthConstraint(role=STEWARD, sig_count=1)
action = AuthActionAdd(txn_type=NYM, field=ROLE, value=STEWARD)
with pytest.raises(RequestRejectedException,
match="Not enough TRUSTEE signatures"):
sdk_add_new_nym(looper,
sdk_pool_handle,
sdk_wallet_steward,
'newSteward2',
STEWARD_STRING,
dest=new_steward_did,
verkey=new_steward_verkey)
with delay_rules_without_processing(delayed_node.nodeIbStasher, cDelay(),
pDelay(), ppDelay()):
sdk_send_and_check_auth_rule_request(
looper,
sdk_wallet_trustee,
sdk_pool_handle,
auth_action=ADD_PREFIX,
auth_type=action.txn_type,
field=action.field,
new_value=action.value,
old_value=None,
constraint=changed_constraint.as_dict)
delayed_node.start_catchup()
looper.run(
eventually(
lambda: assertExp(delayed_node.mode == Mode.participating)))
sdk_add_new_nym(looper,
sdk_pool_handle,
sdk_wallet_steward,
'newSteward2',
STEWARD_STRING,
dest=new_steward_did,
verkey=new_steward_verkey)
ensure_all_nodes_have_same_data(looper, txnPoolNodeSet)
config_state = delayed_node.states[CONFIG_LEDGER_ID]
config_req_handler = delayed_node.get_req_handler(CONFIG_LEDGER_ID)
from_state = config_state.get(config.make_state_path_for_auth_rule(
action.get_action_id()),
isCommitted=True)
assert changed_constraint == config_req_handler.constraint_serializer.deserialize(
from_state)
def test_pool_upgrade_start(write_request_validation, is_owner, req):
authorized = req.identifier == "trustee_identifier"
assert authorized == write_request_validation(req, [
AuthActionAdd(txn_type=POOL_UPGRADE,
field=ACTION,
value='start',
is_owner=is_owner)
])
def test_pool_restart_add_action(write_request_validation, is_owner, req):
authorized = req.identifier in ("trustee_identifier", "steward_identifier")
assert authorized == write_request_validation(req, [
AuthActionAdd(txn_type=VALIDATOR_INFO,
field='some_field',
value='some_value',
is_owner=is_owner)
])
def test_pool_restart_add_action(write_request_validation, is_owner, req):
authorized = req.identifier == "trustee_identifier"
assert authorized == write_request_validation(req, [
AuthActionAdd(txn_type=POOL_RESTART,
field=ACTION,
value='start',
is_owner=is_owner)
])
def test_taa_aml_with_new_auth_map(write_request_validation, is_owner, req):
authorized = req.identifier == "trustee_identifier"
assert authorized == write_request_validation(req, [
AuthActionAdd(txn_type=TXN_AUTHOR_AGREEMENT_AML,
field='some_field',
value='some_value',
is_owner=is_owner)
])
def test_revert_auth_rule_changing(looper, txnPoolNodeSet, sdk_wallet_trustee,
sdk_wallet_steward, sdk_pool_handle):
node_stashers = [n.nodeIbStasher for n in txnPoolNodeSet]
wh, _ = sdk_wallet_trustee
new_steward_did, new_steward_verkey = create_verkey_did(looper, wh)
new_steward_did2, new_steward_verkey2 = create_verkey_did(looper, wh)
"""We try to change rule for adding new steward. For this case we """
changed_constraint = AuthConstraint(role=STEWARD, sig_count=1)
action = AuthActionAdd(txn_type=NYM, field=ROLE, value=STEWARD)
with delay_rules_without_processing(node_stashers, pDelay(), cDelay()):
sdk_send_and_check_auth_rule_request(
looper,
sdk_wallet_trustee,
sdk_pool_handle,
auth_action=ADD_PREFIX,
auth_type=action.txn_type,
field=action.field,
new_value=action.value,
old_value=None,
constraint=changed_constraint.as_dict,
no_wait=True)
looper.runFor(waits.expectedPrePrepareTime(len(txnPoolNodeSet)))
"""
Try to add new steward by already existed trustee.
Validation should raise exception because we change uncommitted state
by adding new rule, that "Only steward can add new steward"
"""
with pytest.raises(RequestRejectedException,
match="TRUSTEE can not do this action"):
sdk_add_new_nym(looper,
sdk_pool_handle,
sdk_wallet_trustee,
'newSteward1',
STEWARD_STRING,
dest=new_steward_did,
verkey=new_steward_verkey)
looper.runFor(waits.expectedPrePrepareTime(len(txnPoolNodeSet)))
"""
Catchup should revert config_state and discard rule changing
"""
for n in txnPoolNodeSet:
n.start_catchup()
for n in txnPoolNodeSet:
looper.run(
eventually(lambda: assertExp(n.mode == Mode.participating)))
"""
Try to create new steward by steward
We can not do this, because AUTH_RULE txn was reverted
"""
with pytest.raises(RequestRejectedException,
match="STEWARD can not do this action"):
sdk_add_new_nym(looper,
sdk_pool_handle,
sdk_wallet_steward,
'newSteward2',
STEWARD_STRING,
dest=new_steward_did2,
verkey=new_steward_verkey2)
def test_context_adding(write_request_validation, req, is_owner):
authorized = req.identifier in ("trustee_identifier", "steward_identifier",
"endorser_identifier")
assert authorized == write_request_validation(req, [
AuthActionAdd(txn_type=SET_CONTEXT,
field='some_field',
value='some_value',
is_owner=is_owner)
])
def _validateAttrib(self, req: Request):
origin = req.identifier
op = req.operation
if not (not op.get(TARGET_NYM) or
self.hasNym(op[TARGET_NYM], isCommitted=False)):
raise InvalidClientRequest(origin, req.reqId,
'{} should be added before adding '
'attribute for it'.
format(TARGET_NYM))
is_owner = self.idrCache.getOwnerFor(op[TARGET_NYM],
isCommitted=False) == origin
field = None
value = None
for key in (RAW, ENC, HASH):
if key in op:
field = key
value = op[key]
break
if field is None or value is None:
raise LogicError('Attribute data cannot be empty')
get_key = None
if field == RAW:
try:
get_key = attrib_raw_data_serializer.deserialize(value)
if len(get_key) == 0:
raise InvalidClientRequest(origin, req.reqId,
'"row" attribute field must contain non-empty dict'.
format(TARGET_NYM))
get_key = next(iter(get_key.keys()))
except JSONDecodeError:
raise InvalidClientRequest(origin, req.reqId,
'Attribute field must be dict while adding it as a row field'.
format(TARGET_NYM))
else:
get_key = value
if get_key is None:
raise LogicError('Attribute data must be parsed')
old_value, seq_no, _, _ = self.getAttr(op[TARGET_NYM], get_key, field, isCommitted=False)
if seq_no is not None:
self.write_req_validator.validate(req,
[AuthActionEdit(txn_type=ATTRIB,
field=field,
old_value=old_value,
new_value=value,
is_owner=is_owner)])
else:
self.write_req_validator.validate(req,
[AuthActionAdd(txn_type=ATTRIB,
field=field,
value=value,
is_owner=is_owner)])
def test_role_authorizer_is_owner_accepted(idr_cache, is_owner):
authorizer = RolesAuthorizer(cache=idr_cache)
authorized = is_owner
assert authorized == authorizer.is_owner_accepted(
AuthConstraint(role="SomeRole", sig_count=1, need_to_be_owner=True),
AuthActionAdd(txn_type=NYM,
field='some_field',
value='some_value',
is_owner=is_owner))
def test_rev_reg_def_adding(write_request_validation, req, is_owner):
authorized = req.identifier in ("trustee_identifier", "steward_identifier",
"endorser_identifier")
assert authorized == write_request_validation(req, [
AuthActionAdd(txn_type=REVOC_REG_DEF,
field='some_field',
value='some_value',
is_owner=is_owner)
])
def test_rich_schema_object_adding(write_request_validation, req, is_owner,
txn_type):
authorized = req.identifier in ("trustee_identifier", "steward_identifier",
"endorser_identifier")
assert authorized == write_request_validation(req, [
AuthActionAdd(txn_type=txn_type,
field='some_field',
value='some_value',
is_owner=is_owner)
])
def test_role_authorizer_authorize_with_owner(idr_cache, req_auth, is_owner):
req = Request(identifier=req_auth.identifier,
operation={TARGET_NYM: req_auth.identifier,
TXN_TYPE: NYM},
signature='signature')
authorizer = RolesAuthorizer(cache=idr_cache)
authorized, reason = authorizer.authorize(req,
AuthConstraint(role=STEWARD, sig_count=1, need_to_be_owner=True),
AuthActionAdd(txn_type=NYM, field='some_field', value='some_value', is_owner=is_owner))
assert authorized == is_owner
def dynamic_validation(self, request: Request):
self._validate_request_type(request)
identifier, req_id, operation = get_request_data(request)
status = '*'
pkt_to_upgrade = operation.get(PACKAGE, getConfig().UPGRADE_ENTRY)
if pkt_to_upgrade:
currentVersion, cur_deps = self.curr_pkt_info(pkt_to_upgrade)
if not currentVersion:
raise InvalidClientRequest(
identifier, req_id,
"Packet {} is not installed and cannot be upgraded".format(
pkt_to_upgrade))
if all([APP_NAME not in d for d in cur_deps]):
raise InvalidClientRequest(
identifier, req_id,
"Packet {} doesn't belong to pool".format(pkt_to_upgrade))
else:
raise InvalidClientRequest(identifier, req_id,
"Upgrade packet name is empty")
targetVersion = operation[VERSION]
reinstall = operation.get(REINSTALL, False)
if not Upgrader.is_version_upgradable(currentVersion, targetVersion,
reinstall):
# currentVersion > targetVersion
raise InvalidClientRequest(identifier, req_id,
"Version is not upgradable")
action = operation.get(ACTION)
# TODO: Some validation needed for making sure name and version
# present
txn = self.upgrader.get_upgrade_txn(
lambda txn: get_payload_data(txn).get(NAME, None) == operation.get(
NAME, None) and get_payload_data(txn).get(
VERSION) == operation.get(VERSION),
reverse=True)
if txn:
status = get_payload_data(txn).get(ACTION, '*')
if status == START and action == START:
raise InvalidClientRequest(
identifier, req_id, "Upgrade '{}' is already scheduled".format(
operation.get(NAME)))
if status == '*':
auth_action = AuthActionAdd(txn_type=POOL_UPGRADE,
field=ACTION,
value=action)
else:
auth_action = AuthActionEdit(txn_type=POOL_UPGRADE,
field=ACTION,
old_value=status,
new_value=action)
self.write_request_validator.validate(request, [auth_action])
def authorize(self, request):
version = request.operation.get(TXN_AUTHOR_AGREEMENT_VERSION)
if StaticTAAHelper.get_taa_digest(self.state, version, isCommitted=False) is None:
self.write_req_validator.validate(request,
[AuthActionAdd(txn_type=self.txn_type,
field='*',
value='*')])
else:
self.write_req_validator.validate(request,
[AuthActionEdit(txn_type=self.txn_type,
field='*',
old_value='*',
new_value='*')])
