def validate(self, req: Request, config=None):
operation = req.operation
if operation.get(TXN_TYPE) == POOL_UPGRADE:
origin = req.identifier
try:
originRole = self.idrCache.getRole(origin, isCommitted=False)
except:
raise UnauthorizedClientRequest(
req.identifier,
req.reqId,
"Nym {} not added to the ledger yet".format(origin))
action = operation.get(ACTION)
# TODO: Some validation needed for making sure name and version
# present
status = self.upgrader.statusInLedger(req.operation.get(NAME),
req.operation.get(VERSION))
if status == START and action == START:
raise InvalidClientRequest(
req.identifier,
req.reqId,
"Upgrade '{}' is already scheduled".format(
req.operation.get(NAME)))
r, msg = Authoriser.authorised(POOL_UPGRADE, ACTION, originRole,
oldVal=status, newVal=action)
if not r:
raise UnauthorizedClientRequest(
req.identifier,
req.reqId,
"{} cannot do {}".format(
Roles.nameFromValue(originRole),
SovrinTransactions.POOL_UPGRADE.name))
def _validateNewNym(self, req: Request, op, originRole):
role = op.get(ROLE)
r, msg = Authoriser.authorised(NYM, ROLE, originRole,
oldVal=None, newVal=role)
if not r:
raise UnauthorizedClientRequest(
req.identifier,
req.reqId,
"{} cannot add {}".format(
Roles.nameFromValue(originRole),
Roles.nameFromValue(role))
)
def _validateExistingNym(self, req: Request, op, originRole, nymData):
origin = req.identifier
owner = self.idrCache.getOwnerFor(op[TARGET_NYM], isCommitted=False)
isOwner = origin == owner
updateKeys = [ROLE, VERKEY]
for key in updateKeys:
if key in op:
newVal = op[key]
oldVal = nymData.get(key)
if oldVal != newVal:
r, msg = Authoriser.authorised(NYM, key, originRole,
oldVal=oldVal,
newVal=newVal,
isActorOwnerOfSubject=isOwner)
if not r:
raise UnauthorizedClientRequest(
req.identifier,
req.reqId,
"{} cannot update {}".format(Roles.nameFromValue(originRole),
key))
def _validateExistingNym(self, req: Request, op, originRole, nymData):
origin = req.identifier
owner = self.idrCache.getOwnerFor(op[TARGET_NYM], isCommitted=False)
isOwner = origin == owner
updateKeys = [ROLE, VERKEY]
for key in updateKeys:
if key in op:
newVal = op[key]
oldVal = nymData.get(key)
if oldVal != newVal:
r, msg = Authoriser.authorised(
NYM,
key,
originRole,
oldVal=oldVal,
newVal=newVal,
isActorOwnerOfSubject=isOwner)
if not r:
raise UnauthorizedClientRequest(
req.identifier, req.reqId,
"{} cannot update {}".format(
Roles.nameFromValue(originRole), key))
def validate(self, req: Request, config=None):
operation = req.operation
typ = operation.get(TXN_TYPE)
if typ not in [POOL_UPGRADE, POOL_CONFIG]:
return
origin = req.identifier
try:
originRole = self.idrCache.getRole(origin, isCommitted=False)
except:
raise UnauthorizedClientRequest(
req.identifier, req.reqId,
"Nym {} not added to the ledger yet".format(origin))
if typ == POOL_UPGRADE:
trname = SovrinTransactions.POOL_UPGRADE.name
action = operation.get(ACTION)
# TODO: Some validation needed for making sure name and version
# present
status = self.upgrader.statusInLedger(req.operation.get(NAME),
req.operation.get(VERSION))
if status == START and action == START:
raise InvalidClientRequest(
req.identifier, req.reqId,
"Upgrade '{}' is already scheduled".format(
req.operation.get(NAME)))
elif typ == POOL_CONFIG:
trname = SovrinTransactions.POOL_CONFIG.name
action = None
status = None
r, msg = Authoriser.authorised(typ,
ACTION,
originRole,
oldVal=status,
newVal=action)
if not r:
raise UnauthorizedClientRequest(
req.identifier, req.reqId,
"{} cannot do {}".format(Roles.nameFromValue(originRole),
trname))
def authErrorWhileUpdatingNode(self, request):
origin = request.identifier
operation = request.operation
nodeNym = operation.get(TARGET_NYM)
isSteward = self.node.secondaryStorage.isSteward(origin)
actorRole = self.node.graphStore.getRole(origin)
_, nodeInfo = self.getNodeInfoFromLedger(nodeNym, excludeLast=False)
typ = operation.get(TXN_TYPE)
data = deepcopy(operation.get(DATA))
data.pop(ALIAS, None)
vals = []
msgs = []
for k in data:
r, msg = Authoriser.authorised(typ,
k,
actorRole,
oldVal=nodeInfo[DATA][k],
newVal=data[k],
isActorOwnerOfSubject=isSteward)
vals.append(r)
msgs.append(msg)
msg = None if all(vals) else '\n'.join(msgs)
return msg
def checkRequestAuthorized(self, request: Request):
op = request.operation
typ = op[TXN_TYPE]
s = self.graphStore # type: identity_graph.IdentityGraph
origin = request.identifier
if typ == NYM:
try:
originRole = s.getRole(origin)
except:
raise UnauthorizedClientRequest(
request.identifier, request.reqId,
"Nym {} not added to the ledger yet".format(origin))
nymV = self.graphStore.getNym(op[TARGET_NYM])
if not nymV:
# If nym does not exist
role = op.get(ROLE)
r, msg = Authoriser.authorised(NYM,
ROLE,
originRole,
oldVal=None,
newVal=role)
if not r:
raise UnauthorizedClientRequest(
request.identifier, request.reqId,
"{} cannot add {}".format(originRole, role))
else:
nymData = nymV.oRecordData
owner = self.graphStore.getOwnerFor(nymData.get(NYM_KEY))
isOwner = origin == owner
updateKeys = [ROLE, VERKEY]
for key in updateKeys:
if key in op:
newVal = op[key]
oldVal = nymData.get(key)
if oldVal != newVal:
r, msg = Authoriser.authorised(
NYM,
key,
originRole,
oldVal=oldVal,
newVal=newVal,
isActorOwnerOfSubject=isOwner)
if not r:
raise UnauthorizedClientRequest(
request.identifier, request.reqId,
"{} cannot update {}".format(
originRole, key))
elif typ == ATTRIB:
if op.get(TARGET_NYM) and \
op[TARGET_NYM] != request.identifier and \
not s.getOwnerFor(op[TARGET_NYM]) == origin:
raise UnauthorizedClientRequest(
request.identifier, request.reqId,
"Only identity owner/guardian can add attribute "
"for that identity")
# TODO: Just for now. Later do something meaningful here
elif typ in [
DISCLO, GET_ATTR, SCHEMA, GET_SCHEMA, ISSUER_KEY,
GET_ISSUER_KEY
]:
pass
elif request.operation.get(TXN_TYPE) in POOL_TXN_TYPES:
return self.poolManager.checkRequestAuthorized(request)
elif typ == POOL_UPGRADE:
# TODO: Refactor urgently
try:
originRole = s.getRole(origin)
except:
raise UnauthorizedClientRequest(
request.identifier, request.reqId,
"Nym {} not added to the ledger yet".format(origin))
action = request.operation.get(ACTION)
# TODO: Some validation needed for making sure name and version
# present
status = self.upgrader.statusInLedger(
request.operation.get(NAME), request.operation.get(VERSION))
r, msg = Authoriser.authorised(POOL_UPGRADE,
ACTION,
originRole,
oldVal=status,
newVal=action)
if not r:
raise UnauthorizedClientRequest(
request.identifier, request.reqId,
"{} cannot do {}".format(originRole, POOL_UPGRADE))
def checkRequestAuthorized(self, request: Request):
op = request.operation
typ = op[TXN_TYPE]
s = self.graphStore # type: identity_graph.IdentityGraph
origin = request.identifier
if typ == NYM:
try:
originRole = s.getRole(origin)
except:
raise UnauthorizedClientRequest(
request.identifier, request.reqId,
"Nym {} not added to the ledger yet".format(origin))
role = op.get(ROLE)
nym = self.graphStore.getNym(op[TARGET_NYM])
if not nym:
# If nym does not exist
r, msg = Authoriser.authorised(NYM,
ROLE,
originRole,
oldVal=None,
newVal=role)
if not r:
raise UnauthorizedClientRequest(
request.identifier, request.reqId,
"{} cannot add {}".format(originRole, role))
else:
nym = nym.oRecordData
subjectRole = nym.get(ROLE)
if subjectRole != role:
r, msg = Authoriser.authorised(NYM,
ROLE,
originRole,
oldVal=subjectRole,
newVal=role)
if not r:
raise UnauthorizedClientRequest(
request.identifier, request.reqId,
"{} cannot update {}".format(originRole, role))
elif typ == ATTRIB:
if op.get(TARGET_NYM) and \
op[TARGET_NYM] != request.identifier and \
not s.getSponsorFor(op[TARGET_NYM]) == origin:
raise UnauthorizedClientRequest(
request.identifier, request.reqId,
"Only user's sponsor can add attribute for that user")
# TODO: Just for now. Later do something meaningful here
elif typ in [
DISCLO, GET_ATTR, CLAIM_DEF, GET_CLAIM_DEF, ISSUER_KEY,
GET_ISSUER_KEY
]:
pass
elif request.operation.get(TXN_TYPE) in POOL_TXN_TYPES:
return self.poolManager.checkRequestAuthorized(request)
elif typ == POOL_UPGRADE:
# TODO: Refactor urgently
try:
originRole = s.getRole(origin)
except:
raise UnauthorizedClientRequest(
request.identifier, request.reqId,
"Nym {} not added to the ledger yet".format(origin))
action = request.operation.get(ACTION)
# TODO: Some validation needed for making sure name and version
# present
status = self.upgrader.statusInLedger(
request.operation.get(NAME), request.operation.get(VERSION))
r, msg = Authoriser.authorised(POOL_UPGRADE,
ACTION,
originRole,
oldVal=status,
newVal=action)
if not r:
raise UnauthorizedClientRequest(
request.identifier, request.reqId,
"{} cannot do {}".format(originRole, POOL_UPGRADE))