def test_authorization_trust_request(self):
"""
Test the AuthorizationTrustRequestHandler returns an
AuthorizationTrustResponse if the AuthorizationTrustRequest should be
approved.
"""
auth_trust_request = AuthorizationTrustRequest(
roles=[RoleType.Value("NETWORK")], public_key="public_key")
roles = {"network": AuthorizationType.TRUST}
network = MockNetwork(roles,
connection_status={
"connection_id":
ConnectionStatus.CONNECTION_REQUEST
})
permission_verifer = MockPermissionVerifier()
gossip = MockGossip()
handler = AuthorizationTrustRequestHandler(network, permission_verifer,
gossip)
handler_status = handler.handle("connection_id",
auth_trust_request.SerializeToString())
self.assertEqual(handler_status.status, HandlerStatus.RETURN)
self.assertEqual(handler_status.message_type,
validator_pb2.Message.AUTHORIZATION_TRUST_RESPONSE)
def test_authorization_trust_request_not_permitted(self):
"""
Test the AuthorizationTrustRequestHandler returns an
AuthorizationViolation and closes the connection if the permission
verifier does not permit the connections public key.
"""
auth_trust_request = AuthorizationTrustRequest(
roles=[RoleType.Value("NETWORK")], public_key="public_key")
roles = {"network": AuthorizationType.TRUST}
network = MockNetwork(roles,
connection_status={
"connection_id":
ConnectionStatus.CONNECTION_REQUEST
})
# say that connection is not permitted
permission_verifer = MockPermissionVerifier(allow=False)
gossip = MockGossip()
handler = AuthorizationTrustRequestHandler(network, permission_verifer,
gossip)
handler_status = handler.handle("connection_id",
auth_trust_request.SerializeToString())
self.assertEqual(handler_status.status, HandlerStatus.RETURN_AND_CLOSE)
self.assertEqual(handler_status.message_type,
validator_pb2.Message.AUTHORIZATION_VIOLATION)
def _inbound_connection_request_callback(self,
request,
result,
connection=None):
connection_response = ConnectionResponse()
connection_response.ParseFromString(result.content)
if connection_response.status == connection_response.ERROR:
LOGGER.debug(
"Received an error response to the NETWORK_CONNECT "
"we sent. Removing connection: %s", connection.connection_id)
self.remove_connection(connection.connection_id)
# Send correct Authorization Request for network role
auth_type = {"trust": [], "challenge": []}
for role_entry in connection_response.roles:
if role_entry.auth_type == connection_response.TRUST:
auth_type["trust"].append(role_entry.role)
elif role_entry.auth_type == connection_response.CHALLENGE:
auth_type["challenge"].append(role_entry.role)
if auth_type["trust"]:
auth_trust_request = AuthorizationTrustRequest(
roles=[RoleType.Value("NETWORK")], public_key=self._public_key)
self.send(validator_pb2.Message.AUTHORIZATION_TRUST_REQUEST,
auth_trust_request.SerializeToString(), connection)
if auth_type["challenge"]:
auth_challenge_request = AuthorizationChallengeRequest()
self.send(validator_pb2.Message.AUTHORIZATION_CHALLENGE_REQUEST,
auth_challenge_request.SerializeToString(),
connection,
callback=partial(
self._inbound_challenge_authorization_callback,
connection=connection))
def test_authorization_trust_request_bad_last_message(self):
"""
Test the AuthorizationTrustRequestHandler returns an
AuthorizationViolation and closes the connection if the last message
was not a ConnectionRequest.
"""
auth_trust_request = AuthorizationTrustRequest(
roles=[RoleType.Value("NETWORK")],
public_key="public_key")
roles = {"network": AuthorizationType.TRUST}
network = MockNetwork(
roles,
connection_status={"connection_id":
"other"})
permission_verifer = MockPermissionVerifier()
gossip = MockGossip()
handler = AuthorizationTrustRequestHandler(
network, permission_verifer, gossip)
handler_status = handler.handle(
"connection_id",
auth_trust_request.SerializeToString())
self.assertEqual(handler_status.status, HandlerStatus.RETURN_AND_CLOSE)
self.assertEqual(
handler_status.message_type,
validator_pb2.Message.AUTHORIZATION_VIOLATION)
def _connect_callback(self,
request,
result,
connection=None,
success_callback=None,
failure_callback=None):
connection_response = ConnectionResponse()
connection_response.ParseFromString(result.content)
if connection_response.status == connection_response.ERROR:
LOGGER.debug(
"Received an error response to the NETWORK_CONNECT "
"we sent. Removing connection: %s", connection.connection_id)
self.remove_connection(connection.connection_id)
if failure_callback:
failure_callback(connection_id=connection.connection_id)
elif connection_response.status == connection_response.OK:
LOGGER.debug("Connection to %s was acknowledged",
connection.connection_id)
if self._authorize:
auth_trust_request = AuthorizationTrustRequest(
roles=[RoleType.Value("NETWORK")],
public_key=self._pub_key)
connection.send(
validator_pb2.Message.AUTHORIZATION_TRUST_REQUEST,
auth_trust_request.SerializeToString(),
callback=partial(self._authorization_callback,
connection=connection,
success_callback=success_callback,
failure_callback=failure_callback))
else:
if success_callback:
success_callback(connection_id=connection.connection_id)
def _inbound_connection_request_callback(self,
request,
result,
connection=None):
auth_trust_request = AuthorizationTrustRequest(
roles=[RoleType.Value("NETWORK")], public_key=self._pub_key)
self.send(
validator_pb2.Message.AUTHORIZATION_TRUST_REQUEST,
auth_trust_request.SerializeToString(),
connection,
)
def do_authorization_trust_request():
"""
Test the AuthorizationTrustRequestHandler returns an
AuthorizationTrustResponse if the AuthorizationTrustRequest should be
approved.
"""
auth_trust_request = AuthorizationTrustRequest(
roles=[RoleType.Value("NETWORK")], public_key="public_key")
roles = {"network": AuthorizationType.TRUST}
network = MockNetwork(roles,
connection_status={
"connection_id":
ConnectionStatus.CONNECTION_REQUEST
})
permission_verifer = MockPermissionVerifier()
gossip = MockGossip()
handler = AuthorizationTrustRequestHandler(network, permission_verifer,
gossip)
handler_status = handler.handle("connection_id",
auth_trust_request.SerializeToString())
return handler_status
def handle(self, connection_id, message_content):
"""
The simplest authorization type will be Trust. If Trust authorization
is enabled, the validator will trust the connection and approve any
roles requested that are available on that endpoint. If the requester
wishes to gain access to every role it has permission to access, it can
request access to the role ALL, and the validator will respond with all
available roles. If the permission verifier deems the connection to not
have access to a role, the connection has not sent a ConnectionRequest
or a the connection has already recieved a AuthorizationTrustResponse,
an AuthorizatinViolation will be returned and the connection will be
closed.
"""
if self._network.get_connection_status(connection_id) != \
ConnectionStatus.CONNECTION_REQUEST:
LOGGER.debug(
"Connection's previous message was not a"
" ConnectionRequest, Remove connection to %s", connection_id)
violation = AuthorizationViolation(
violation=RoleType.Value("NETWORK"))
return HandlerResult(
HandlerStatus.RETURN_AND_CLOSE,
message_out=violation,
message_type=validator_pb2.Message.AUTHORIZATION_VIOLATION)
request = AuthorizationTrustRequest()
request.ParseFromString(message_content)
# Check that the connection's public key is allowed by the network role
roles = self._network.roles
for role in request.roles:
if role == RoleType.Value("NETWORK") or role == \
RoleType.Value("ALL"):
permitted = False
if "network" in roles:
permitted = self._permission_verifier.check_network_role(
request.public_key)
if not permitted:
violation = AuthorizationViolation(
violation=RoleType.Value("NETWORK"))
return HandlerResult(HandlerStatus.RETURN_AND_CLOSE,
message_out=violation,
message_type=validator_pb2.Message.
AUTHORIZATION_VIOLATION)
self._network.update_connection_public_key(connection_id,
request.public_key)
if RoleType.Value("NETWORK") in request.roles:
# Need to send ConnectionRequest to authorize ourself with the
# connection if they initialized the connection
try:
is_outbound_connection = self._network.is_outbound_connection(
connection_id)
except KeyError:
# Connection has gone away, drop message
return HandlerResult(HandlerStatus.DROP)
if not is_outbound_connection:
self._network.send_connect_request(connection_id)
else:
# If this is an outbound connection, authorization is complete
# for both connections and peering can begin.
self._gossip.connect_success(connection_id)
auth_trust_response = AuthorizationTrustResponse(
roles=[RoleType.Value("NETWORK")])
LOGGER.debug("Connection: %s is approved", connection_id)
self._network.update_connection_status(connection_id,
ConnectionStatus.CONNECTED)
return HandlerResult(
HandlerStatus.RETURN,
message_out=auth_trust_response,
message_type=validator_pb2.Message.AUTHORIZATION_TRUST_RESPONSE)