def validate(self, req: Request, config=None): operation = req.operation if operation.get(TXN_TYPE) == POOL_UPGRADE: origin = req.identifier try: originRole = self.idrCache.getRole(origin, isCommitted=False) except: raise UnauthorizedClientRequest( req.identifier, req.reqId, "Nym {} not added to the ledger yet".format(origin)) action = operation.get(ACTION) # TODO: Some validation needed for making sure name and version # present status = self.upgrader.statusInLedger(req.operation.get(NAME), req.operation.get(VERSION)) if status == START and action == START: raise InvalidClientRequest( req.identifier, req.reqId, "Upgrade '{}' is already scheduled".format( req.operation.get(NAME))) r, msg = Authoriser.authorised(POOL_UPGRADE, ACTION, originRole, oldVal=status, newVal=action) if not r: raise UnauthorizedClientRequest( req.identifier, req.reqId, "{} cannot do {}".format( Roles.nameFromValue(originRole), SovrinTransactions.POOL_UPGRADE.name))
def _validateNewNym(self, req: Request, op, originRole): role = op.get(ROLE) r, msg = Authoriser.authorised(NYM, ROLE, originRole, oldVal=None, newVal=role) if not r: raise UnauthorizedClientRequest( req.identifier, req.reqId, "{} cannot add {}".format( Roles.nameFromValue(originRole), Roles.nameFromValue(role)) )
def _validateExistingNym(self, req: Request, op, originRole, nymData): origin = req.identifier owner = self.idrCache.getOwnerFor(op[TARGET_NYM], isCommitted=False) isOwner = origin == owner updateKeys = [ROLE, VERKEY] for key in updateKeys: if key in op: newVal = op[key] oldVal = nymData.get(key) if oldVal != newVal: r, msg = Authoriser.authorised(NYM, key, originRole, oldVal=oldVal, newVal=newVal, isActorOwnerOfSubject=isOwner) if not r: raise UnauthorizedClientRequest( req.identifier, req.reqId, "{} cannot update {}".format(Roles.nameFromValue(originRole), key))
def _validateExistingNym(self, req: Request, op, originRole, nymData): origin = req.identifier owner = self.idrCache.getOwnerFor(op[TARGET_NYM], isCommitted=False) isOwner = origin == owner updateKeys = [ROLE, VERKEY] for key in updateKeys: if key in op: newVal = op[key] oldVal = nymData.get(key) if oldVal != newVal: r, msg = Authoriser.authorised( NYM, key, originRole, oldVal=oldVal, newVal=newVal, isActorOwnerOfSubject=isOwner) if not r: raise UnauthorizedClientRequest( req.identifier, req.reqId, "{} cannot update {}".format( Roles.nameFromValue(originRole), key))
def validate(self, req: Request, config=None): operation = req.operation typ = operation.get(TXN_TYPE) if typ not in [POOL_UPGRADE, POOL_CONFIG]: return origin = req.identifier try: originRole = self.idrCache.getRole(origin, isCommitted=False) except: raise UnauthorizedClientRequest( req.identifier, req.reqId, "Nym {} not added to the ledger yet".format(origin)) if typ == POOL_UPGRADE: trname = SovrinTransactions.POOL_UPGRADE.name action = operation.get(ACTION) # TODO: Some validation needed for making sure name and version # present status = self.upgrader.statusInLedger(req.operation.get(NAME), req.operation.get(VERSION)) if status == START and action == START: raise InvalidClientRequest( req.identifier, req.reqId, "Upgrade '{}' is already scheduled".format( req.operation.get(NAME))) elif typ == POOL_CONFIG: trname = SovrinTransactions.POOL_CONFIG.name action = None status = None r, msg = Authoriser.authorised(typ, ACTION, originRole, oldVal=status, newVal=action) if not r: raise UnauthorizedClientRequest( req.identifier, req.reqId, "{} cannot do {}".format(Roles.nameFromValue(originRole), trname))
def authErrorWhileUpdatingNode(self, request): origin = request.identifier operation = request.operation nodeNym = operation.get(TARGET_NYM) isSteward = self.node.secondaryStorage.isSteward(origin) actorRole = self.node.graphStore.getRole(origin) _, nodeInfo = self.getNodeInfoFromLedger(nodeNym, excludeLast=False) typ = operation.get(TXN_TYPE) data = deepcopy(operation.get(DATA)) data.pop(ALIAS, None) vals = [] msgs = [] for k in data: r, msg = Authoriser.authorised(typ, k, actorRole, oldVal=nodeInfo[DATA][k], newVal=data[k], isActorOwnerOfSubject=isSteward) vals.append(r) msgs.append(msg) msg = None if all(vals) else '\n'.join(msgs) return msg
def checkRequestAuthorized(self, request: Request): op = request.operation typ = op[TXN_TYPE] s = self.graphStore # type: identity_graph.IdentityGraph origin = request.identifier if typ == NYM: try: originRole = s.getRole(origin) except: raise UnauthorizedClientRequest( request.identifier, request.reqId, "Nym {} not added to the ledger yet".format(origin)) nymV = self.graphStore.getNym(op[TARGET_NYM]) if not nymV: # If nym does not exist role = op.get(ROLE) r, msg = Authoriser.authorised(NYM, ROLE, originRole, oldVal=None, newVal=role) if not r: raise UnauthorizedClientRequest( request.identifier, request.reqId, "{} cannot add {}".format(originRole, role)) else: nymData = nymV.oRecordData owner = self.graphStore.getOwnerFor(nymData.get(NYM_KEY)) isOwner = origin == owner updateKeys = [ROLE, VERKEY] for key in updateKeys: if key in op: newVal = op[key] oldVal = nymData.get(key) if oldVal != newVal: r, msg = Authoriser.authorised( NYM, key, originRole, oldVal=oldVal, newVal=newVal, isActorOwnerOfSubject=isOwner) if not r: raise UnauthorizedClientRequest( request.identifier, request.reqId, "{} cannot update {}".format( originRole, key)) elif typ == ATTRIB: if op.get(TARGET_NYM) and \ op[TARGET_NYM] != request.identifier and \ not s.getOwnerFor(op[TARGET_NYM]) == origin: raise UnauthorizedClientRequest( request.identifier, request.reqId, "Only identity owner/guardian can add attribute " "for that identity") # TODO: Just for now. Later do something meaningful here elif typ in [ DISCLO, GET_ATTR, SCHEMA, GET_SCHEMA, ISSUER_KEY, GET_ISSUER_KEY ]: pass elif request.operation.get(TXN_TYPE) in POOL_TXN_TYPES: return self.poolManager.checkRequestAuthorized(request) elif typ == POOL_UPGRADE: # TODO: Refactor urgently try: originRole = s.getRole(origin) except: raise UnauthorizedClientRequest( request.identifier, request.reqId, "Nym {} not added to the ledger yet".format(origin)) action = request.operation.get(ACTION) # TODO: Some validation needed for making sure name and version # present status = self.upgrader.statusInLedger( request.operation.get(NAME), request.operation.get(VERSION)) r, msg = Authoriser.authorised(POOL_UPGRADE, ACTION, originRole, oldVal=status, newVal=action) if not r: raise UnauthorizedClientRequest( request.identifier, request.reqId, "{} cannot do {}".format(originRole, POOL_UPGRADE))
def checkRequestAuthorized(self, request: Request): op = request.operation typ = op[TXN_TYPE] s = self.graphStore # type: identity_graph.IdentityGraph origin = request.identifier if typ == NYM: try: originRole = s.getRole(origin) except: raise UnauthorizedClientRequest( request.identifier, request.reqId, "Nym {} not added to the ledger yet".format(origin)) role = op.get(ROLE) nym = self.graphStore.getNym(op[TARGET_NYM]) if not nym: # If nym does not exist r, msg = Authoriser.authorised(NYM, ROLE, originRole, oldVal=None, newVal=role) if not r: raise UnauthorizedClientRequest( request.identifier, request.reqId, "{} cannot add {}".format(originRole, role)) else: nym = nym.oRecordData subjectRole = nym.get(ROLE) if subjectRole != role: r, msg = Authoriser.authorised(NYM, ROLE, originRole, oldVal=subjectRole, newVal=role) if not r: raise UnauthorizedClientRequest( request.identifier, request.reqId, "{} cannot update {}".format(originRole, role)) elif typ == ATTRIB: if op.get(TARGET_NYM) and \ op[TARGET_NYM] != request.identifier and \ not s.getSponsorFor(op[TARGET_NYM]) == origin: raise UnauthorizedClientRequest( request.identifier, request.reqId, "Only user's sponsor can add attribute for that user") # TODO: Just for now. Later do something meaningful here elif typ in [ DISCLO, GET_ATTR, CLAIM_DEF, GET_CLAIM_DEF, ISSUER_KEY, GET_ISSUER_KEY ]: pass elif request.operation.get(TXN_TYPE) in POOL_TXN_TYPES: return self.poolManager.checkRequestAuthorized(request) elif typ == POOL_UPGRADE: # TODO: Refactor urgently try: originRole = s.getRole(origin) except: raise UnauthorizedClientRequest( request.identifier, request.reqId, "Nym {} not added to the ledger yet".format(origin)) action = request.operation.get(ACTION) # TODO: Some validation needed for making sure name and version # present status = self.upgrader.statusInLedger( request.operation.get(NAME), request.operation.get(VERSION)) r, msg = Authoriser.authorised(POOL_UPGRADE, ACTION, originRole, oldVal=status, newVal=action) if not r: raise UnauthorizedClientRequest( request.identifier, request.reqId, "{} cannot do {}".format(originRole, POOL_UPGRADE))