def test_is_valid(self):
# create a contract
cm = contracts.ContractManifest("test_contract")
method1 = contracts.ContractMethodDescriptor(
name="main_entry",
offset=0,
parameters=[],
return_type=contracts.ContractParameterType.INTEGER,
safe=True)
cm.abi.methods = [method1]
# A contract hash is normally created from a combination of transaction sender (UInt160), NEF checksum and manifest.name
# For this test we'll keep it simple and pretend that hash is all zeros
dummy_contract_hash = types.UInt160.zero()
# a "default" contract has no groups data, which is the same as always allow
self.assertTrue(cm.is_valid(dummy_contract_hash))
# now try to add a malicious group member (meaning; the member did not actually sign the ABI)
private_key = b'\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'
keypair = cryptography.KeyPair(private_key)
bad_signature = bytes(64)
cm.groups = [
contracts.ContractGroup(keypair.public_key, bad_signature)
]
# this time validation should fail
self.assertFalse(cm.is_valid(dummy_contract_hash))
# Finally test with a group member that did sign the ABI
good_signature = cryptography.sign(dummy_contract_hash.to_array(),
keypair.private_key)
cm.groups = [
contracts.ContractGroup(keypair.public_key, good_signature)
]
self.assertTrue(cm.is_valid(dummy_contract_hash))
def test_is_allowed_based_on_group(self):
# We test the group permissions where all methods are allowed to be called
# if the 'groups' member is valid.
private_key = b'\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'
keypair = cryptography.KeyPair(private_key)
dummy_contract_hash = types.UInt160.from_string("01" * 20)
contract_state = contracts.ContractState(1, contracts.NEF(),
contracts.ContractManifest(),
0, dummy_contract_hash)
signature = cryptography.sign(contract_state.hash.to_array(),
keypair.private_key)
contract_state.manifest.groups = [
contracts.ContractGroup(keypair.public_key, signature)
]
cpd = contracts.ContractPermissionDescriptor(group=keypair.public_key)
cp = contracts.ContractPermission(
contract=cpd,
methods=contracts.WildcardContainer.create_wildcard())
self.assertTrue(cp.is_allowed(contract_state, "dummy_method"))
# now modify the manifest to have a different `groups` attribute such that validation fails
public_key = cryptography.ECPoint.deserialize_from_bytes(
b'\x00') # ECPoint.Infinity
contract_state.manifest.groups = [
contracts.ContractGroup(public_key, signature)
]
self.assertFalse(cp.is_allowed(contract_state, "dummy_method"))
def test_is_valid(self):
"""
var private_key = new byte[]
{
0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1
};
var bad_signature = new byte[]
{
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0
};
var kp = new KeyPair(private_key);
var cg = new ContractGroup() { PubKey = kp.PublicKey, Signature = bad_signature};
Console.Write(cg.ToJson());
"""
bad_signature = b'\x00' * 64
cg = contracts.ContractGroup(self.keypair.public_key, bad_signature)
self.assertFalse(cg.is_valid(types.UInt160.zero()))
# finally test is_valid() with a keypair we know the private key off
contract_hash = b'\x01' * 20
signature = cryptography.sign(contract_hash, self.keypair.private_key)
cg2 = contracts.ContractGroup(self.keypair.public_key, signature)
self.assertTrue(cg2.is_valid(types.UInt160(contract_hash)))
def test_json(self):
bad_signature = b'\x00' * 64
cg = contracts.ContractGroup(self.keypair.public_key, bad_signature)
self.assertEqual(self.expected_json, cg.to_json())
# if the test_to_json() passes then we know our manually created ControlGroup (cg) is valid,
# we can now use that to validate our `from_json` object
cg2 = contracts.ContractGroup.from_json(self.expected_json)
self.assertEqual(cg.public_key, cg2.public_key)
self.assertEqual(cg.signature, cg2.signature)
def test_is_valid(self):
# create a default contract
cm = contracts.ContractManifest()
# a default contract uses a UInt160.zero as contract hash
self.assertTrue(cm.is_valid(types.UInt160.zero()))
self.assertFalse(cm.is_valid(types.UInt160.from_string("11" * 20)))
# now try to add a malicious group member (meaning; the member did not actually sign the ABI)
private_key = b'\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'
keypair = cryptography.KeyPair(private_key)
bad_signature = bytes(64)
cm.groups = [
contracts.ContractGroup(keypair.public_key, bad_signature)
]
# this time validation should fail
self.assertFalse(cm.is_valid(types.UInt160.zero()))
# Finally test with a group member that did sign the ABI
good_signature = cryptography.sign(cm.abi.contract_hash.to_array(),
keypair.private_key)
cm.groups = [
contracts.ContractGroup(keypair.public_key, good_signature)
]
self.assertTrue(cm.is_valid(types.UInt160.zero()))
def test_checkwitness_custom_groups(self):
"""
We need to setup 2 contracts
1) caller_contract: uses a System.Contract.Call to call callee_contract. This will set the calling script hash on the ExecutionContext of the callee_contract
2) callee_contract: uses a System.Runtime.CheckWitness
"""
engine = test_engine(has_snapshot=True, default_script=False)
tx = test_tx()
engine.script_container = tx
'''
Create the callee contract, which does a checkwitness on its caller.
Checkwitness shall only pass if the caller == "caller_contract" as defined by CustomGroup
'''
sb = vm.ScriptBuilder()
sb.emit_syscall(
syscall_name_to_int("System.Runtime.GetCallingScriptHash")
) # get script hash of "caller_contract"
sb.emit_syscall(syscall_name_to_int("System.Runtime.CheckWitness"))
callee_contract_script = sb.to_array()
callee_nef = contracts.NEF(script=callee_contract_script)
callee_contract_name = "callee_contract"
callee_manifest = contracts.ContractManifest(callee_contract_name)
callee_manifest.abi.methods = [
contracts.ContractMethodDescriptor(
"test_func", 0, [], contracts.ContractParameterType.ANY, True)
]
callee_contract_hash = contract_hash(tx.sender, callee_nef.checksum,
callee_contract_name)
callee_contract = contracts.ContractState(1, callee_nef,
callee_manifest, 0,
callee_contract_hash)
sb = vm.ScriptBuilder()
sb.emit_dynamic_call(callee_contract.hash, "test_func")
caller_script = sb.to_array()
caller_nef = contracts.NEF(script=caller_script)
caller_contract_name = "caller_contract"
caller_manifest = contracts.ContractManifest(caller_contract_name)
keypair = cryptography.KeyPair(private_key=b'\x01' * 32)
signature = cryptography.sign(caller_script, keypair.private_key)
caller_manifest.groups = [
contracts.ContractGroup(public_key=keypair.public_key,
signature=signature)
]
caller_contract_hash = contract_hash(tx.sender, caller_nef.checksum,
caller_contract_name)
caller_contract = contracts.ContractState(2, caller_nef,
caller_manifest, 0,
caller_contract_hash)
engine.snapshot.contracts.put(caller_contract)
engine.snapshot.contracts.put(callee_contract)
engine.load_script(vm.Script(caller_script))
tx.signers[0].scope = payloads.WitnessScope.CUSTOM_GROUPS
tx.signers[0].allowed_groups = [keypair.public_key]
engine.execute()
self.assertEqual(vm.VMState.HALT, engine.state)
self.assertEqual(1, len(engine.result_stack))
item = engine.result_stack.pop()
self.assertTrue(item.to_boolean())
# now try again but make sure it fails if the public key is not listed in the allowed groups
engine = test_engine(has_snapshot=True, default_script=False)
tx = test_tx()
engine.script_container = tx
engine.snapshot.contracts.put(caller_contract)
engine.snapshot.contracts.put(callee_contract)
engine.load_script(vm.Script(caller_script))
tx.signers[0].scope = payloads.WitnessScope.CUSTOM_GROUPS
keypair = cryptography.KeyPair(private_key=b'\x02' * 32)
tx.signers[0].allowed_groups = [keypair.public_key]
engine.execute()
self.assertEqual(vm.VMState.HALT, engine.state)
self.assertEqual(1, len(engine.result_stack))
item = engine.result_stack.pop()
self.assertFalse(item.to_boolean())
def test_checkwitness_custom_groups(self):
"""
We need to setup 2 contracts
1) caller_contract: uses a System.Contract.Call to call callee_contract. This will set the calling script hash on the ExecutionContext of the callee_contract
2) callee_contract: uses a System.Runtime.CheckWitness
"""
engine = test_engine(has_snapshot=True, default_script=False)
tx = test_tx()
engine.script_container = tx
sb = vm.ScriptBuilder()
sb.emit_push(tx.sender.to_array())
sb.emit_syscall(syscall_name_to_int("System.Runtime.CheckWitness"))
callee_contract_script = sb.to_array()
callee_manifest = contracts.ContractManifest(
contract_hash=to_script_hash(callee_contract_script))
callee_manifest.abi.methods = [
contracts.ContractMethodDescriptor(
"test_func", 0, [], contracts.ContractParameterType.ANY)
]
callee_contract = storage.ContractState(callee_contract_script,
callee_manifest)
sb = vm.ScriptBuilder()
sb.emit(vm.OpCode.NEWARRAY0) # args (empty array)
sb.emit_push('test_func') # target method name
sb.emit_push(callee_contract.script_hash().to_array()) # contract hash
sb.emit_syscall(syscall_name_to_int("System.Contract.Call"))
caller_script = sb.to_array()
caller_manifest = contracts.ContractManifest(
contract_hash=to_script_hash(caller_script))
keypair = cryptography.KeyPair(private_key=b'\x01' * 32)
signature = cryptography.sign(caller_script, keypair.private_key)
caller_manifest.groups = [
contracts.ContractGroup(public_key=keypair.public_key,
signature=signature)
]
caller_contract = storage.ContractState(caller_script, caller_manifest)
engine.snapshot.contracts.put(caller_contract)
engine.snapshot.contracts.put(callee_contract)
engine.load_script(vm.Script(caller_script))
tx.signers[0].scope = payloads.WitnessScope.CUSTOM_GROUPS
tx.signers[0].allowed_groups = [keypair.public_key]
engine.execute()
self.assertEqual(vm.VMState.HALT, engine.state)
self.assertEqual(1, len(engine.result_stack))
item = engine.result_stack.pop()
self.assertTrue(item.to_boolean())
# now try again but make sure it fails if the public key is not listed in the allowed groups
engine = test_engine(has_snapshot=True, default_script=False)
tx = test_tx()
engine.script_container = tx
engine.snapshot.contracts.put(caller_contract)
engine.snapshot.contracts.put(callee_contract)
engine.load_script(vm.Script(caller_script))
tx.signers[0].scope = payloads.WitnessScope.CUSTOM_GROUPS
keypair = cryptography.KeyPair(private_key=b'\x02' * 32)
tx.signers[0].allowed_groups = [keypair.public_key]
engine.execute()
self.assertEqual(vm.VMState.HALT, engine.state)
self.assertEqual(1, len(engine.result_stack))
item = engine.result_stack.pop()
self.assertFalse(item.to_boolean())