def test_plugin_complex_with_or_rule_with_not_allowed_trustee_no_endorser(
write_auth_req_validator, write_request_validation, signatures,
is_owner, off_ledger_signature, amount):
validate(auth_constraint=AuthConstraintOr(auth_constraints=[
AuthConstraintForbidden(),
AuthConstraint(role="*",
sig_count=1,
need_to_be_owner=False,
off_ledger_signature=off_ledger_signature,
metadata={PLUGIN_FIELD: 2})
]),
valid_actions=[
Action(author=TRUSTEE,
endorser=None,
sigs={TRUSTEE: s1},
is_owner=owner,
amount=2,
extra_sigs=True) for s1 in range(1, MAX_SIG_COUNT + 1)
for owner in [True, False]
],
author=TRUSTEE,
endorser=None,
all_signatures=signatures,
is_owner=is_owner,
amount=amount,
write_auth_req_validator=write_auth_req_validator,
write_request_validation=write_request_validation)
def test_write_same_object_with_different_reqid_fails(looper, sdk_pool_handle,
sdk_wallet_endorser,
txn_type, rs_type,
content):
request1 = sdk_build_rich_schema_request(looper,
sdk_wallet_endorser,
txn_type,
rs_id=randomString(),
rs_name=randomString(),
rs_version='1.0',
rs_type=rs_type,
rs_content=json.dumps(content))
req = sdk_sign_and_submit_req(sdk_pool_handle, sdk_wallet_endorser,
request1)
sdk_get_and_check_replies(looper, [req])
request2 = json.loads(request1)
request2[TXN_PAYLOAD_METADATA_REQ_ID] = random.randint(10, 1000000000)
request2 = json.dumps(request2)
with pytest.raises(RequestRejectedException,
match=str(AuthConstraintForbidden())):
req = sdk_sign_and_submit_req(sdk_pool_handle, sdk_wallet_endorser,
request2)
sdk_get_and_check_replies(looper, [req])
def test_dynamic_validation_for_existing(handler_and_request):
handler, request = handler_and_request
make_rich_schema_object_exist(handler, request)
add_to_idr(handler.database_manager.idr_cache, request.identifier, TRUSTEE)
add_to_idr(handler.database_manager.idr_cache, request.endorser, ENDORSER)
with pytest.raises(UnauthorizedClientRequest,
match=str(AuthConstraintForbidden())):
handler.dynamic_validation(request, 0)
def test_incorrect_auth_rule(helpers, addresses, looper, sdk_wallet_trustee,
sdk_pool_handle):
set_fees(helpers, {NYM_FEES_ALIAS: 5})
constraint = AuthConstraintForbidden().as_dict
constraint[METADATA] = {FEES_FIELD_NAME: NYM_FEES_ALIAS}
sdk_send_and_check_auth_rule_invalid_request(looper,
sdk_pool_handle,
sdk_wallet_trustee,
constraint=constraint)
def constraints():
role_constraints = [
AuthConstraint(role=TRUSTEE, sig_count=1, need_to_be_owner=True),
AuthConstraint(role=STEWARD, sig_count=1, need_to_be_owner=True)
]
and_constraint = AuthConstraintAnd(role_constraints)
or_constraint = AuthConstraintOr(role_constraints)
forbidden_constraint = AuthConstraintForbidden()
return role_constraints[
0], and_constraint, or_constraint, forbidden_constraint
def test_plugin_simple_rule_not_allowed(write_auth_req_validator,
write_request_validation, signatures,
is_owner, amount):
validate(auth_constraint=AuthConstraintForbidden(),
valid_actions=[],
all_signatures=signatures,
is_owner=is_owner,
amount=amount,
write_auth_req_validator=write_auth_req_validator,
write_request_validation=write_request_validation)
def test_can_not_send_same_schema(looper, sdk_pool_handle,
sdk_wallet_endorser):
sdk_write_schema_and_check(looper, sdk_pool_handle, sdk_wallet_endorser,
["attrib1", "attrib2", "attrib3"], "business",
"1.8")
with pytest.raises(RequestRejectedException,
match=str(AuthConstraintForbidden())):
resp = sdk_write_schema_and_check(looper, sdk_pool_handle,
sdk_wallet_endorser,
["attrib1", "attrib2", "attrib3"],
"business", "1.8")
validate_write_reply(resp)
def test_get_one_disabled_auth_rule_transaction(looper,
sdk_wallet_trustee,
sdk_pool_handle):
key = generate_key(auth_action=EDIT_PREFIX, auth_type=SCHEMA,
field='*', old_value='*', new_value='*')
req, resp = sdk_send_and_check_get_auth_rule_request(looper,
sdk_pool_handle,
sdk_wallet_trustee,
**key)[0]
result = resp["result"][DATA]
assert len(result) == 1
_check_key(key, result[0])
assert result[0][CONSTRAINT] == AuthConstraintForbidden().as_dict
def test_dynamic_validation_for_existing(handler_and_request):
handler, request = handler_and_request
make_rich_schema_object_exist(handler, request)
add_to_idr(handler.database_manager.idr_cache, request.identifier, TRUSTEE)
add_to_idr(handler.database_manager.idr_cache, request.endorser, ENDORSER)
# default auth rules allow editing of CredDef and PresDef by the owner
if isinstance(handler, RichSchemaCredDefHandler) or isinstance(
handler, RichSchemaPresDefHandler):
handler.dynamic_validation(request, 0)
else:
with pytest.raises(UnauthorizedClientRequest,
match=str(AuthConstraintForbidden())):
handler.dynamic_validation(request, 0)
def test_forbid_set_fees(helpers, fees, addresses, looper, sdk_wallet_trustee,
sdk_pool_handle):
"""
1. Send a SET_FEES txn.
2. Forbid SET_FEES via the auth rule for editing SET_FEES.
3. Send a SET_FEES txn and check that action forbidden.
4. Change the auth rule to a default value.
6. Send and check a SET_FEES txn.
"""
set_fees(helpers, fees)
sdk_send_and_check_auth_rule_request(
looper,
sdk_pool_handle,
sdk_wallet_trustee,
auth_action=EDIT_PREFIX,
auth_type=SET_FEES,
field='*',
old_value='*',
new_value='*',
constraint=AuthConstraintForbidden().as_dict)
with pytest.raises(RequestRejectedException,
match=str(AuthConstraintForbidden())):
set_fees(helpers, fees)
sdk_send_and_check_auth_rule_request(
looper,
sdk_pool_handle,
sdk_wallet_trustee,
auth_action=EDIT_PREFIX,
auth_type=SET_FEES,
field='*',
old_value='*',
new_value='*',
constraint=sovtokenfees_auth_map[edit_fees.get_action_id()].as_dict)
set_fees(helpers, fees)
def test_plugin_complex_with_and_rule_with_not_allowed(write_auth_req_validator, write_request_validation,
signatures, is_owner, off_ledger_signature, amount):
validate(
auth_constraint=AuthConstraintAnd(auth_constraints=[
AuthConstraintForbidden(),
AuthConstraint(role="*", sig_count=1, need_to_be_owner=False,
off_ledger_signature=off_ledger_signature,
metadata={PLUGIN_FIELD: 2})
]),
valid_actions=[],
author=TRUSTEE, endorser=None,
all_signatures=signatures, is_owner=is_owner, amount=amount,
write_auth_req_validator=write_auth_req_validator,
write_request_validation=write_request_validation
)
def test_can_not_send_same_rs_schema(looper, sdk_pool_handle,
sdk_wallet_endorser):
_, identifier = sdk_wallet_endorser
authors_did, name, version, type = identifier, "ISO18023_Drivers_License", "1.3", "8"
_id = identifier + ':' + type + ':' + name + ':' + version
schema = {'@id': _id, '@type': "0od"}
request_json = build_rs_schema_request(identifier, schema, name, version)
sdk_write_rs_schema_and_check(looper, sdk_pool_handle, sdk_wallet_endorser,
request_json)
with pytest.raises(RequestRejectedException,
match=str(AuthConstraintForbidden())):
request_json = build_rs_schema_request(identifier, schema, name,
version)
sdk_write_rs_schema_and_check(looper, sdk_pool_handle,
sdk_wallet_endorser, request_json)
def test_plugin_complex_with_or_rule_with_not_allowed(write_auth_req_validator,
write_request_validation,
signatures, is_owner,
amount):
validate(auth_constraint=AuthConstraintOr(auth_constraints=[
AuthConstraintForbidden(),
AuthConstraint(role="*",
sig_count=1,
need_to_be_owner=False,
metadata={PLUGIN_FIELD: 2})
]),
valid_actions=[(signature, owner, 2) for signature in signatures
if signature for owner in [True, False]],
all_signatures=signatures,
is_owner=is_owner,
amount=amount,
write_auth_req_validator=write_auth_req_validator,
write_request_validation=write_request_validation)
def test_write_same_context_with_different_reqid_fails(looper, sdk_pool_handle, sdk_wallet_endorser):
sdk_write_context_and_check(
looper, sdk_pool_handle,
sdk_wallet_endorser,
SCHEMA_ORG_CONTEXT,
"Base_Context3",
"1.0",
1234
)
with pytest.raises(RequestRejectedException,
match=str(AuthConstraintForbidden())):
resp = sdk_write_context_and_check(
looper, sdk_pool_handle,
sdk_wallet_endorser,
SCHEMA_ORG_CONTEXT,
"Base_Context3",
"1.0",
2345
)
validate_write_reply(resp)
def test_check_equal(constraints):
same_role, same_and, same_or, same_forbidden = constraints
"""
The same constraints as from fixture but should have not the same id
"""
role_constraints = [
AuthConstraint(role=TRUSTEE, sig_count=1, need_to_be_owner=True),
AuthConstraint(role=STEWARD, sig_count=1, need_to_be_owner=True)
]
and_constraint = AuthConstraintAnd(role_constraints)
or_constraint = AuthConstraintOr(role_constraints)
forbidden_constraint = AuthConstraintForbidden()
assert id(same_role) != id(role_constraints[0])
assert id(same_or) != id(or_constraint)
assert id(same_and) != id(and_constraint)
assert id(same_forbidden) != id(forbidden_constraint)
assert same_role == role_constraints[0]
assert same_or == or_constraint
assert same_and == and_constraint
assert same_forbidden == forbidden_constraint
def test_send_rich_schema_obj(looper, sdk_pool_handle, sdk_wallet_endorser,
txn_type, rs_type, content, rs_id):
# 1. check that write is successful
request = sdk_build_rich_schema_request(looper, sdk_wallet_endorser,
txn_type, rs_id=rs_id, rs_name=randomString(),
rs_version='1.0', rs_type=rs_type,
rs_content=json.dumps(content))
req = sdk_sign_and_submit_req(sdk_pool_handle, sdk_wallet_endorser, request)
rep1 = sdk_get_and_check_replies(looper, [req])
# 2. check that sending the same request gets the same reply
req = sdk_sign_and_submit_req(sdk_pool_handle, sdk_wallet_endorser, request)
rep2 = sdk_get_and_check_replies(looper, [req])
assert rep1 == rep2
# 3. check that using a different reqId for the same request gets an error
request2 = json.loads(request)
request2[TXN_PAYLOAD_METADATA_REQ_ID] = random.randint(10, 1000000000)
request2 = json.dumps(request2)
with pytest.raises(RequestRejectedException,
match=str(AuthConstraintForbidden())):
req = sdk_sign_and_submit_req(sdk_pool_handle, sdk_wallet_endorser, request2)
sdk_get_and_check_replies(looper, [req])
def test_schema_dynamic_validation_failed_existing_schema(
schema_request, schema_handler):
make_schema_exist(schema_request, schema_handler)
with pytest.raises(UnauthorizedClientRequest,
match=str(AuthConstraintForbidden())):
schema_handler.dynamic_validation(schema_request)
],
invalid_requests=[RequestParams(fees=0, wallets={STEWARD: 1})]),
# 13
InputParam(auth_constraint=AuthConstraintOr([
AuthConstraint(STEWARD, 1, metadata={FEES_FIELD_NAME: fee_5[0]}),
AuthConstraint(STEWARD, 1),
]),
valid_requests=[
RequestParams(fees=fee_5[1], wallets={STEWARD: 1}),
RequestParams(fees=0, wallets={STEWARD: 1})
],
invalid_requests=[
RequestParams(fees=0, wallets={IDENTITY_OWNER: 2})
]),
# 14
InputParam(auth_constraint=AuthConstraintForbidden(),
valid_requests=[],
invalid_requests=[
RequestParams(fees=0, wallets={IDENTITY_OWNER: 2}),
RequestParams(fees=fee_5[1], wallets={STEWARD: 1}),
RequestParams(fees=0, wallets={STEWARD: 1})
]),
# 15
InputParam(auth_constraint=AuthConstraintAnd([
AuthConstraintForbidden(),
AuthConstraint(STEWARD, 1),
]),
valid_requests=[],
invalid_requests=[
RequestParams(fees=fee_5[1], wallets={STEWARD: 1}),
RequestParams(fees=0, wallets={STEWARD: 1}),
def test_str_for_auth_constraint_forbidden():
constraint = AuthConstraintForbidden()
assert str(constraint) == 'The action is forbidden'
def test_context_dynamic_validation_failed_existing_context(
context_request, context_handler):
make_context_exist(context_request, context_handler)
with pytest.raises(UnauthorizedClientRequest,
match=str(AuthConstraintForbidden())):
context_handler.dynamic_validation(context_request)
edit_revoc_reg_def = AuthActionEdit(txn_type=REVOC_REG_DEF,
field='*',
old_value='*',
new_value='*')
edit_revoc_reg_entry = AuthActionEdit(txn_type=REVOC_REG_ENTRY,
field='*',
old_value='*',
new_value='*')
# Anyone constraint
anyone_constraint = AuthConstraint(role='*', sig_count=1)
# No one constraint
no_one_constraint = AuthConstraintForbidden()
# Owner constraint
owner_constraint = AuthConstraint(role='*', sig_count=1, need_to_be_owner=True)
# Steward owner constraint
steward_owner_constraint = AuthConstraint(STEWARD, 1, need_to_be_owner=True)
# One Trustee constraint
one_trustee_constraint = AuthConstraint(TRUSTEE, 1)
# Steward or Trustee constraint
steward_or_trustee_constraint = AuthConstraintOr(
[AuthConstraint(STEWARD, 1),
AuthConstraint(TRUSTEE, 1)])
