diff --git a/Jenkinsfile.ci b/Jenkinsfile.ci index 9041bf0ba..7e75dbb20 100644 --- a/Jenkinsfile.ci +++ b/Jenkinsfile.ci @@ -97,9 +97,9 @@ def test(options=[:]) { try { if (options.useRunner) { - sh "PYTHONASYNCIODEBUG='0' $options.python runner.py --pytest \"$options.python -m pytest\" --dir $options.testDir --output \"$options.resFile\" --test-only-slice \"$options.testOnlySlice\"" + sh "PYTHONASYNCIODEBUG='0' $options.python runner.py --pytest \"$options.python -m pytest -v\" --dir $options.testDir --output \"$options.resFile\" --test-only-slice \"$options.testOnlySlice\"" } else { - sh "$options.python -m pytest --junitxml=$options.resFile $options.testDir" + sh "$options.python -m pytest -v --junitxml=$options.resFile $options.testDir" } } finally { diff --git a/acceptance/indy-cli-batches/AS-03-01-identity-owner-anyone-can-write.batch b/acceptance/indy-cli-batches/AS-03-01-identity-owner-anyone-can-write.batch index 723f1d9f6..8e37518a0 100644 --- a/acceptance/indy-cli-batches/AS-03-01-identity-owner-anyone-can-write.batch +++ b/acceptance/indy-cli-batches/AS-03-01-identity-owner-anyone-can-write.batch 
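Review bot: In the non-runner branch the rewritten `sh` line still interpolates `$options.resFile` and `$options.testDir` into the shell command unquoted, whereas the runner branch just above wraps `$options.resFile` in escaped quotes. A value containing spaces or shell metacharacters would be split or interpreted by the shell, so I would write `sh "$options.python -m pytest -v --junitxml=\"$options.resFile\" \"$options.testDir\""`. Where these option values originate is not visible in the hunk; if any of them can be influenced by job parameters, passing them through environment variables to a single-quoted `sh` string would be the safer form. The body of test() starts and ends outside the hunk.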
@@ -18,10 +18,22 @@ did new seed=TestTrustAnchor30000000000000003 metadata="test trust anchor 3" did new seed=RandomUser1000000000000000000003 metadata="test identity 1" did new seed=RandomUser2000000000000000000003 metadata="test identity 2" did new seed=RandomUser3000000000000000000003 metadata="test identity 3" +did new seed=NetworkMonitor000000000000000001 metadata="network monitor 1" +did new seed=NetworkMonitor000000000000000002 metadata="network monitor 2" +did new seed=NetworkMonitor000000000000000003 metadata="network monitor 3" # AS Trustee CREATE Steward (steward1) did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=AhqUV2zHYdNaWLFCCe7xCn role=STEWARD verkey=~YUY2ChUGWJovtU6XTn61D8 - ledger get-nym did=AhqUV2zHYdNaWLFCCe7xCn +# AS Trustee CREATE NetworkMonitor (network monitor 1) +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=GSoagH52cX69hnn7npUTWy role=NETWORK_MONITOR verkey=~5JEp1pUJbzD1YqimvA6hk6 +- ledger get-nym did=GSoagH52cX69hnn7npUTWy +# AS Trustee CREATE NetworkMonitor (network monitor 2) and blacklist it +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=CjPA39BhAVG5d3mV2ZEAYE role=NETWORK_MONITOR verkey=~MnEdozF43zQFRdZLN25mya +ledger nym did=CjPA39BhAVG5d3mV2ZEAYE role= +- ledger get-nym did=CjPA39BhAVG5d3mV2ZEAYE # AS Trustee CREATE TrustAnchor (anchor1) did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=DriVwCMbtEgkmoEHKin6Ah role=TRUST_ANCHOR verkey=~YPZot1kM4DLwvsX6mtcKd9 
@@ -71,11 +83,21 @@ did use LBbKEeczA9iL21p4Kgxcuf did use LBbKEeczA9iL21p4Kgxcuf ledger nym did=Fk9ENxnz1ztDgdivQBJTCZ verkey=~NT9ANFeDhCLKDg5PNKZXKK - ledger get-nym did=Fk9ENxnz1ztDgdivQBJTCZ -# #8 check that can't add roles back when don't have necessary permissions +# #8 AS IdentityOwner CREATE NetworkMonitor (FAIL) +did use LBbKEeczA9iL21p4Kgxcuf +- ledger nym did=Nd4dUF85aa1JmDFScLfk7o role=NETWORK_MONITOR verkey=~5aJLqtphR3tqymWUwg98Sz +# #9.1 AS IdentityOwner REMOVE NetworkMonitor (FAIL) +did use LBbKEeczA9iL21p4Kgxcuf +- ledger nym did=GSoagH52cX69hnn7npUTWy role= +# #9.2 CHECK NetworkMonitor IS VALID +did use GSoagH52cX69hnn7npUTWy +ledger get-validator-info nodes=Node1 +# #10 check that can't add roles back when don't have necessary permissions did use LBbKEeczA9iL21p4Kgxcuf - ledger nym did=Q8uxmCGdXgLHHtaTwYtVJG role=TRUST_ANCHOR - ledger nym did=Q8uxmCGdXgLHHtaTwYtVJG role=STEWARD - ledger nym did=Q8uxmCGdXgLHHtaTwYtVJG role=TRUSTEE +- ledger nym did=CjPA39BhAVG5d3mV2ZEAYE role=NETWORK_MONITOR ### Additional cases ### did use V4SGRU86Z58d6TV7PBUe6f did new seed=RandomAttribOwner000000000000003 
@@ -102,4 +124,10 @@ did use UffJCJngTXc1o84dQ7aEUb # Identity Owner can create SCHEMA: (PASS with ANYONE_CAN_WRITE=True) ledger schema name=IdentityOwnerSchema version=1.0 attr_names=name,age # Identity Owner can create CLAIM_DEF: (PASS with ANYONE_CAN_WRITE=True, but will fail because of wrong schema id) -- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=3 \ No newline at end of file +- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=3 +# Identity Owner can't RESTART POOL +did use LBbKEeczA9iL21p4Kgxcuf +- ledger pool-restart action=start datetime=2020-01-25T12:49:05.258870+00:00 nodes=Node4 +# Identity Owner can't get validator-info +did use LBbKEeczA9iL21p4Kgxcuf +- ledger get-validator-info nodes=Node1 \ No newline at end of file diff --git a/acceptance/indy-cli-batches/AS-03-01-identity-owner.batch b/acceptance/indy-cli-batches/AS-03-01-identity-owner.batch index d70d58da7..89af84b6d 100644 --- a/acceptance/indy-cli-batches/AS-03-01-identity-owner.batch +++ b/acceptance/indy-cli-batches/AS-03-01-identity-owner.batch 
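Review bot: The expected-failure `pool-restart` line pins `datetime=2020-01-25T12:49:05.258870+00:00`, so the reason the request is rejected may change once that moment has passed. If the node validates the schedule before it checks the sender's role (not visible from this batch), the `-` line would keep passing even if the authorization rule regressed. A comment such as `# datetime is arbitrary; the rejection must come from the role check`, or a timestamp that cannot expire during the life of the suite, would make the intent explicit. The same literal is added in the closing hunks of AS-03-01-identity-owner.batch, AS-03-01-steward.batch and AS-03-01-trust-anchor.batch, and as an expected-success command in AS-03-01-trustee.batch.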
@@ -18,10 +18,22 @@ did new seed=TestTrustAnchor30000000000000003 metadata="test trust anchor 3" did new seed=RandomUser1000000000000000000003 metadata="test identity 1" did new seed=RandomUser2000000000000000000003 metadata="test identity 2" did new seed=RandomUser3000000000000000000003 metadata="test identity 3" +did new seed=NetworkMonitor100000000000000003 metadata="network monitor 1" +did new seed=NetworkMonitor200000000000000003 metadata="network monitor 2" +did new seed=NetworkMonitor300000000000000003 metadata="network monitor 3" # AS Trustee CREATE Steward (steward1) did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=AhqUV2zHYdNaWLFCCe7xCn role=STEWARD verkey=~YUY2ChUGWJovtU6XTn61D8 - ledger get-nym did=AhqUV2zHYdNaWLFCCe7xCn +# AS Trustee CREATE NetworkMonitor (network monitor 1) +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=zsFQSgcs9GdmHr6nYgJfj role=NETWORK_MONITOR verkey=~Y2gktifxXw9J85GXFKpZQ6 +- ledger get-nym did=zsFQSgcs9GdmHr6nYgJfj +# AS Trustee CREATE NetworkMonitor (network monitor 2) +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=Pn1rJGNmmcKi88B2qo2Emn role=NETWORK_MONITOR verkey=~usAvjM7QfLR9Qf2bZSBZU +ledger nym did=Pn1rJGNmmcKi88B2qo2Emn role= +- ledger get-nym did=Pn1rJGNmmcKi88B2qo2Emn # AS Trustee CREATE TrustAnchor (anchor1) did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=DriVwCMbtEgkmoEHKin6Ah role=TRUST_ANCHOR verkey=~YPZot1kM4DLwvsX6mtcKd9 
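Review bot: The comment `# AS Trustee CREATE NetworkMonitor (network monitor 2)` does not say that the second `ledger nym did=Pn1rJGNmmcKi88B2qo2Emn role=` line strips the role again, which the later `- ledger nym did=Pn1rJGNmmcKi88B2qo2Emn role=NETWORK_MONITOR` check in this file relies on. The anyone-can-write batch words the same setup `# AS Trustee CREATE NetworkMonitor (network monitor 2) and blacklist it`; using that wording here keeps the two suites readable side by side.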
@@ -71,11 +83,21 @@ did use LBbKEeczA9iL21p4Kgxcuf did use LBbKEeczA9iL21p4Kgxcuf - ledger nym did=Fk9ENxnz1ztDgdivQBJTCZ verkey=~NT9ANFeDhCLKDg5PNKZXKK - ledger get-nym did=Fk9ENxnz1ztDgdivQBJTCZ +# #8 AS IdentityOwner CREATE NetworkMonitor (FAIL) +did use LBbKEeczA9iL21p4Kgxcuf +- ledger nym did=NGMUrRk7EDTRunXLgY7KWn role=NETWORK_MONITOR verkey=~NGMUrRk7EDTRunXLgY7KWn +# #9.1 AS IdentityOwner REMOVE NetworkMonitor (FAIL) +did use LBbKEeczA9iL21p4Kgxcuf +- ledger nym did=zsFQSgcs9GdmHr6nYgJfj role= +# #9.2 CHECK NetworkMonitor IS VALID +did use zsFQSgcs9GdmHr6nYgJfj +ledger get-validator-info nodes=Node1 # #8 check that can't add roles back when don't have necessary permissions did use LBbKEeczA9iL21p4Kgxcuf - ledger nym did=Q8uxmCGdXgLHHtaTwYtVJG role=TRUST_ANCHOR - ledger nym did=Q8uxmCGdXgLHHtaTwYtVJG role=STEWARD - ledger nym did=Q8uxmCGdXgLHHtaTwYtVJG role=TRUSTEE +- ledger nym did=Pn1rJGNmmcKi88B2qo2Emn role=NETWORK_MONITOR ### Additional cases ### did use V4SGRU86Z58d6TV7PBUe6f did new seed=RandomAttribOwner000000000000003 @@ -102,4 +124,10 @@ did use UffJCJngTXc1o84dQ7aEUb # Identity Owner can't create SCHEMA: (FAIL) - ledger schema name=IdentityOwnerSchema version=1.0 attr_names=name,age # Identity Owner can't create CLAIM_DEF: (FAIL) -- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=3 \ No newline at end of file +- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=3 +# Identity Owner can't RESTART POOL +did use LBbKEeczA9iL21p4Kgxcuf +- ledger pool-restart action=start datetime=2020-01-25T12:49:05.258870+00:00 nodes=Node4 +# Identity Owner can't get validator-info +did use LBbKEeczA9iL21p4Kgxcuf +- ledger get-validator-info nodes=Node1 \ No newline at end of file 
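Review bot: Step #8 submits `verkey=~NGMUrRk7EDTRunXLgY7KWn` for `did=NGMUrRk7EDTRunXLgY7KWn`, so the abbreviated verkey is the DID string itself, which looks like a copy-paste rather than a key belonging to one of the `NetworkMonitor` seeds added at the top of the file. Because the line is an expected failure, a rejection caused by the key material would be indistinguishable from the intended role-based rejection; the other batches in this commit use a verkey distinct from the DID for the same step. The pre-existing heading `# #8 check that can't add roles back ...` is also left unrenumbered, so the file now has two steps numbered #8, whereas the anyone-can-write batch renames it to `# #10`.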
diff --git a/acceptance/indy-cli-batches/AS-03-01-steward.batch b/acceptance/indy-cli-batches/AS-03-01-steward.batch index 6700e3cc0..a193d39ee 100644 --- a/acceptance/indy-cli-batches/AS-03-01-steward.batch +++ b/acceptance/indy-cli-batches/AS-03-01-steward.batch @@ -18,6 +18,9 @@ did new seed=RandomUser2000000000000000000001 metadata="test identity 2" did new seed=RandomUser4000000000000000000001 metadata="test identity 4" did new seed=RandomUser5000000000000000000001 metadata="test identity 5" did new seed=000000000000000000000000Trustee1 metadata="default trustee" +did new seed=NetworkMonitor100000000000000001 metadata="network monitor 1" +did new seed=NetworkMonitor200000000000000001 metadata="network monitor 2" +did new seed=NetworkMonitor300000000000000001 metadata="network monitor 3" did use V4SGRU86Z58d6TV7PBUe6f # AS Trustee CREATE Steward (steward1) ledger nym did=7qFmEyYCXcmUFVied5Sp3b role=STEWARD verkey=~Mj3PFUSi6qmrTRonFXHx9n 
@@ -80,8 +83,21 @@ ledger nym did=Xm3b3LtJ3UoL5KeYT7ti7j verkey=~GmTyyvE4eHWeSWuiAtmE19 did use 7qFmEyYCXcmUFVied5Sp3b - ledger nym did=7qFmEyYCXcmUFVied5Sp3b role= # #9.2 CHECK Steward IS VALID -ledger nym did=Jt7aMnw77aoaBMyhXUNjtt verkey=~DT5pLP1wcvsgAzM78sqiRJ +ledger nym did=Jt7aMnw77aoaBMyhXUNjt1 verkey=~DT5pLP1wcvsgAzM78sqiR1 role=TRUST_ANCHOR - ledger get-nym did=Jt7aMnw77aoaBMyhXUNjtt +# #10 AS Steward (steward1) CREATE NetworkMonitor (PASS) +did use 7qFmEyYCXcmUFVied5Sp3b +ledger nym did=7e6ttq44HKVSHitCE3BLXv role=NETWORK_MONITOR verkey=~9NGbkySmcB9d6rZ7pPxwtY +# #11.1 AS Steward (steward1) REMOVE NetworkMonitor (PASS) +ledger nym did=7e6ttq44HKVSHitCE3BLXv role= +# #11.2 CHECK NetworkMonitor IS INVALID +did use 7e6ttq44HKVSHitCE3BLXv +- ledger get-validator-info nodes=Node1 +# #12.1 AS Steward (steward1) RESTORE NetworkMonitor (PASS) +ledger nym did=7e6ttq44HKVSHitCE3BLXv role=NETWORK_MONITOR +# #12.2 CHECK NetworkMonitor IS VALID +did use 7e6ttq44HKVSHitCE3BLXv +ledger get-validator-info nodes=Node1 ### Additional cases ### did use V4SGRU86Z58d6TV7PBUe6f did new seed=RandomAttribOwner000000000000001 @@ -108,4 +124,10 @@ did use 6LKnRH6hWPSpoWu824s5JH # Steward can create SCHEMA: ledger schema name=StewardSchema version=1.0 attr_names=name,age # Steward can create CLAIM_DEF (will fail because of wrong schema id): -- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=1 \ No newline at end of file +- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=1 +# Steward can't RESTART POOL +did use SvXt2QGwZF1kXTcpd2pJ37 +- ledger pool-restart action=start datetime=2020-01-25T12:49:05.258870+00:00 nodes=Node4 +# Steward can get validator-info +did use SvXt2QGwZF1kXTcpd2pJ37 +ledger get-validator-info nodes=Node1 \ No newline at end of file 
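Review bot: Step #12.1 is labelled `AS Steward (steward1) RESTORE NetworkMonitor (PASS)`, but the active DID at that point is still `7e6ttq44HKVSHitCE3BLXv`, selected in #11.2, so the `ledger nym ... role=NETWORK_MONITOR` request is sent by the demoted monitor itself rather than by the steward. As written the step either fails, or passes only if a role-less identity can grant itself NETWORK_MONITOR, which is the opposite of what the suite is meant to demonstrate; adding `did use 7qFmEyYCXcmUFVied5Sp3b` before the restore makes the steward the submitter. Separately, the edited #9.2 line now writes `did=Jt7aMnw77aoaBMyhXUNjt1` while the following `get-nym` still queries `did=Jt7aMnw77aoaBMyhXUNjtt`; if that mismatch is intentional it deserves a comment.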
diff --git a/acceptance/indy-cli-batches/AS-03-01-trust-anchor.batch b/acceptance/indy-cli-batches/AS-03-01-trust-anchor.batch index da2eb4d10..ed9334e8f 100644 --- a/acceptance/indy-cli-batches/AS-03-01-trust-anchor.batch +++ b/acceptance/indy-cli-batches/AS-03-01-trust-anchor.batch @@ -17,6 +17,9 @@ did new seed=TestTrustAnchorCreateTrustAncho4 metadata="Trust Anchor 4" did new seed=TestTrustAnchorRandomUser1000002 metadata="Random User 1" did new seed=TestTrustAnchorRandomUser2000002 metadata="Random User 2" did new seed=TestTrustAnchorRandomUser3000002 metadata="Random User 3" +did new seed=NetworkMonitor100000000000000002 metadata="network monitor 1" +did new seed=NetworkMonitor200000000000000002 metadata="network monitor 2" +did new seed=NetworkMonitor300000000000000002 metadata="network monitor 3" # AS Trustee CREATE Steward (steward1) did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=23LxaWGVajU7vMn7zcrHGK role=STEWARD verkey=~UgkZ1ktZV2DQg1sJn3tjdP @@ -29,7 +32,17 @@ ledger nym did=T6XTs3nSU3J7ptAcxSnaVo role=TRUST_ANCHOR verkey=~5izgZjWpw3gxeDB9 did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=TPrMRHHSunP3cEtpkY8gi7 role=TRUST_ANCHOR verkey=~ANMdNhQ3uuyXDmn7cxi8df - ledger get-nym did=TPrMRHHSunP3cEtpkY8gi7 -# test section +# AS Trustee CREATE NetworkMonitor (network monitor 1) +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=E26xPPB4bhNkq5Dg4VDjca role=NETWORK_MONITOR verkey=~5tog9W8jT14rWCEyhgSoTP +- ledger get-nym did=E26xPPB4bhNkq5Dg4VDjca +# AS Trustee CREATE NetworkMonitor (network monitor 2) and blacklist it +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=UR1jYsBfADbYK5FZoF76Mh role=NETWORK_MONITOR verkey=~TBtVAJCA6BwVyQSmCanRQy +ledger nym did=UR1jYsBfADbYK5FZoF76Mh role= +################ +# test section # +################ # #1 AS TrustAnchor CREATE IdentityOwner (user1) (PASS) did use T6XTs3nSU3J7ptAcxSnaVo ledger nym did=MXYSvpB5e549z6nqa1nTEh verkey=~PR7BXc75UwtiPvKjtDn26N 
@@ -73,11 +86,21 @@ did use T6XTs3nSU3J7ptAcxSnaVo # #8.2 CHECK TrustAnchor IS VALID ledger nym did=WDLETDtBugFiJvtkghHoH verkey=~QdAhvFaZ81ZZ1DxwqZ5i8i - ledger get-nym did=WDLETDtBugFiJvtkghHoH -# #9 check that can't add roles back when don't have necessary permissions +# #9 AS TrustAnchor CREATE NetworkMonitor (FAIL) +did use T6XTs3nSU3J7ptAcxSnaVo +- ledger nym did=CUH8zNzehDNhpsGAnXJauU role=NETWORK_MONITOR verkey=~CgMAueZVNZRUsCrjgHsKs4 +# #10.1 AS TrustAnchor REMOVE NetworkMonitor (FAIL) +did use T6XTs3nSU3J7ptAcxSnaVo +- ledger nym did=E26xPPB4bhNkq5Dg4VDjca role= +# #10.2 CHECK NetworkMonitor IS VALID +did use E26xPPB4bhNkq5Dg4VDjca +ledger get-validator-info nodes=Node1 +# #11 check that can't add roles back when don't have necessary permissions did use T6XTs3nSU3J7ptAcxSnaVo - ledger nym did=WDLETDtBugFiJvtkghHoH role=TRUST_ANCHOR - ledger nym did=WDLETDtBugFiJvtkghHoH role=STEWARD - ledger nym did=WDLETDtBugFiJvtkghHoH role=TRUSTEE +- ledger nym did=UR1jYsBfADbYK5FZoF76Mh role=NETWORK_MONITOR ### Additional cases ### did use V4SGRU86Z58d6TV7PBUe6f did new seed=RandomAttribOwner000000000000002 @@ -104,4 +127,10 @@ did use ETcbLj612u9oXr7adZSWZV # TrustAnchor can create SCHEMA: ledger schema name=TrustAnchorSchema version=1.0 attr_names=name,age # TrustAnchor can create CLAIM_DEF (will fail because of wrong schema id): -- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=2 \ No newline at end of file +- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=2 +# Identity Owner can't RESTART POOL +did use T6XTs3nSU3J7ptAcxSnaVo +- ledger pool-restart action=start datetime=2020-01-25T12:49:05.258870+00:00 nodes=Node4 +# Identity Owner can't get validator-info +did use T6XTs3nSU3J7ptAcxSnaVo +- ledger get-validator-info nodes=Node1 \ No newline at end of file 
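Review bot: The two comments added at the end of this file say `Identity Owner can't RESTART POOL` and `Identity Owner can't get validator-info`, but both commands run under `did use T6XTs3nSU3J7ptAcxSnaVo`, the DID this file uses for its `AS TrustAnchor` steps. They should read `# TrustAnchor can't RESTART POOL` and `# TrustAnchor can't get validator-info`, otherwise a reader auditing role coverage will conclude the trust-anchor case is untested. The closing hunk of AS-03-01-trustee.batch has the same copy-paste: its comments say `Steward can RESTART POOL` inside the trustee suite, which reads as contradicting the auth_rules.md table in this commit, where POOL_RESTART is listed as TRUSTEE only.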
diff --git a/acceptance/indy-cli-batches/AS-03-01-trustee.batch b/acceptance/indy-cli-batches/AS-03-01-trustee.batch index e6d9cab36..5c42812e2 100644 --- a/acceptance/indy-cli-batches/AS-03-01-trustee.batch +++ b/acceptance/indy-cli-batches/AS-03-01-trustee.batch @@ -17,6 +17,9 @@ did new seed=RandomUser2000000000000000000000 metadata="test identity 2" did new seed=RandomUser4000000000000000000000 metadata="test identity 4" did new seed=RandomUser5000000000000000000000 metadata="test identity 5" did new seed=000000000000000000000000Trustee1 metadata="default trustee" +did new seed=NetworkMonitor100000000000000000 metadata="network monitor 1" +did new seed=NetworkMonitor200000000000000000 metadata="network monitor 2" +did new seed=NetworkMonitor300000000000000000 metadata="network monitor 3" did use V4SGRU86Z58d6TV7PBUe6f # AS Trustee (default) CREATE Trustee (trustee2) ledger nym did=QQMQmb1mrBRJR3vx6GP4kg role=TRUSTEE verkey=~7Cj2MTAjyAbHdAiuafgCUW @@ -86,6 +89,19 @@ ledger nym did=NhF3hPZyV715sfmvsjhj1h verkey=~EjjPJGQcnFGhuyS35bVMGA did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=6nnZTxQ18EkVEjVV6hBMeT verkey=~2TBdyJLgAhkbogxjpUfPJD - ledger get-nym did=6nnZTxQ18EkVEjVV6hBMeT +# #10 AS Trustee (default) CREATE NetworkMonitor (PASS) +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=5JNBLdovQap28Ncm8haqH4 role=NETWORK_MONITOR verkey=~VvRtNwrsLbgikyzAz3vohj +# #11.1 AS Trustee (default) REMOVE NetworkMonitor (PASS) +ledger nym did=5JNBLdovQap28Ncm8haqH4 role= +# #11.2 CHECK NetworkMonitor IS INVALID +did use V4SGRU86Z58d6TV7PBUe6f +- ledger get-validator-info nodes=Node1 +# #12.1 AS Trustee (default) RESTORE NetworkMonitor (PASS) +ledger nym did=5JNBLdovQap28Ncm8haqH4 role=NETWORK_MONITOR +# #12.2 CHECK NetworkMonitor IS VALID +did use 5JNBLdovQap28Ncm8haqH4 +ledger get-validator-info nodes=Node1 # #11 AS Trustee (trustee2) REMOVE self (trustee2) (PASS) did use QQMQmb1mrBRJR3vx6GP4kg ledger nym did=QQMQmb1mrBRJR3vx6GP4kg role= 
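Review bot: Step #11.2 `CHECK NetworkMonitor IS INVALID` selects `V4SGRU86Z58d6TV7PBUe6f`, the default trustee, instead of the demoted monitor `5JNBLdovQap28Ncm8haqH4`, so the expected-failure `get-validator-info` is issued by a role that the auth_rules.md table in this commit allows to read validator info. The check therefore says nothing about the demoted monitor, and the `-` line should not be rejected at all if the trustee is served. I would use `did use 5JNBLdovQap28Ncm8haqH4` in #11.2, matching what the steward batch does for its own #11.2, and add `did use V4SGRU86Z58d6TV7PBUe6f` before the #12.1 restore so the trustee remains the submitter. The new step numbers #11.1 to #12.2 also collide with the existing `# #11 AS Trustee (trustee2) REMOVE self` heading that follows.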
@@ -117,4 +133,10 @@ did use 484PvcK1gUqwWEWCkumDzA # Trustee can create SCHEMA: ledger schema name=TrusteeSchema version=1.0 attr_names=name,age # Trustee can create CLAIM_DEF (will fail because of wrong schema id): -- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=10 \ No newline at end of file +- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=10 +# Steward can RESTART POOL +did use 484PvcK1gUqwWEWCkumDzA +ledger pool-restart action=start datetime=2020-01-25T12:49:05.258870+00:00 nodes=Node4 +# Steward can get validator-info +did use 484PvcK1gUqwWEWCkumDzA +ledger get-validator-info nodes=Node1 \ No newline at end of file diff --git a/docs/source/auth_rules.md b/docs/source/auth_rules.md index 8ad85fed3..5101e2bd5 100644 --- a/docs/source/auth_rules.md +++ b/docs/source/auth_rules.md 
@@ -1,56 +1,354 @@ # Current implemented rules in auth_map -| Transaction type | Field | Previous value | New value | Who can| Description | -|------------------|-------|----------------|-----------|--------|-------------| -| NYM |`role` |`` | TRUSTEE | TRUSTEE|Adding new TRUSTEE| -| NYM |`role` |`` | STEWARD | TRUSTEE|Adding new STEWARD| -| NYM |`role` |`` | TRUST_ANCHOR| TRUSTEE, STEWARD|Adding new TRUST_ANCHOR| -| NYM |`role` |`` | NETWORK_MONITOR| TRUSTEE, STEWARD|Adding new NETWORK_MONITOR| -| NYM |`role` |`` |`` | TRUSTEE, STEWARD, TRUST_ANCHOR| Adding new Identity Owner| -| NYM |`role` | TRUSTEE |`` | TRUSTEE | Blacklisting Trustee| -| NYM |`role` | STEWARD |`` | TRUSTEE | Blacklisting Steward| -| NYM |`role` | TRUST_ANCHOR |`` | TRUSTEE | Blacklisting Trust anchor| -| NYM |`role` | NETWORK_MONITOR|`` | TRUSTEE, STEWARD | Blacklisting user with NETWORK_MONITOR role| -| NYM |`verkey`|`*`|`*`| Owner of this nym | Key Rotation| -| SCHEMA |`*`|`*`|`*`| TRUSTEE, STEWARD, TRUST_ANCHOR | Adding new Schema| -| SCHEMA |`*`|`*`|`*`| No one can edit existing Schema | Editing Schema| -| CLAIM_DEF |`*`|`*`|`*`| TRUSTEE, STEWARD, TRUST_ANCHOR| Adding new CLAIM_DEF transaction| -| CLAIM_DEF |`*`|`*`|`*`| Owner of claim_def txn| Editing CLAIM_DEF transaction| -| NODE |`services`|``|`[VALIDATOR]`| STEWARD if it is owner of this transaction| Adding new node to pool| -| NODE |`services`|`[VALIDATOR]`|`[]`| TRUSTEE, STEWARD if it is owner of this transaction| Demotion of node| -| NODE |`services`|`[]`|`[VALIDATOR]`| TRUSTEE, STEWARD if it is owner of this transaction| Promotion of node| -| NODE |`node_ip`|`*`|`*`| STEWARD if it is owner of this transaction| Changing Node's ip address| -| NODE |`node_port`|`*`|`*`| STEWARD if it is owner of this transaction| Changing Node's port| -| NODE |`client_ip`|`*`|`*`| STEWARD if it is owner of this transaction| Changing Client's ip address| -| NODE |`client_port`|`*`|`*`| STEWARD if it is owner of this transaction| Changing Client's 
port| -| NODE |`blskey`|`*`|`*`| STEWARD if it is owner of this transaction| Changing Node's blskey| -| POOL_UPGRADE |`action`|``|`start`|TRUSTEE| Starting upgrade procedure| -| POOL_UPGRADE |`action`|`start`|`cancel`|TRUSTEE| Canceling upgrade procedure| -| POOL_RESTART |`action`|`*`|`*`|TRUSTEE| Restarting pool command| -| POOL_CONFIG |`action`|`*`|`*`|TRUSTEE| Pool config command (like a `read only` option)| -| VALIDATOR_INFO |`*`|`*`|`*`| TRUSTEE, STEWARD, NETWORK_MONITOR| Getting validator_info from pool| - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Transaction typeFieldPrevious valueNew valueWho canDescription
NYMrole<empty>TRUSTEETRUSTEEAdding new TRUSTEE
NYMrole<empty>STEWARDTRUSTEEAdding new STEWARD
NYMrole<empty>TRUST_ANCHORTRUSTEE, STEWARDAdding new TRUST_ANCHOR
NYMrole<empty>NETWORK_MONITORTRUSTEE, STEWARDAdding new NETWORK_MONITOR
NYMrole<empty><empty>TRUSTEE, STEWARD, TRUST_ANCHORAdding new Identity Owner
NYMroleTRUSTEE<empty>TRUSTEEBlacklisting Trustee
NYMroleSTEWARD<empty>TRUSTEEBlacklisting Steward
NYMroleTRUST_ANCHOR<empty>TRUSTEEBlacklisting Trust anchor
NYMroleNETWORK_MONITOR<empty>TRUSTEE, STEWARDBlacklisting user with NETWORK_MONITOR role
NYMverkey**Owner of this nymKey Rotation
SCHEMA***TRUSTEE, STEWARD, TRUST_ANCHORAdding new Schema
SCHEMA***No one can edit existing SchemaEditing Schema
CLAIM_DEF***TRUSTEE, STEWARD, TRUST_ANCHORAdding new CLAIM_DEF transaction
CLAIM_DEF***Owner of claim_def txnEditing CLAIM_DEF transaction
NODEservices<empty>[VALIDATOR]STEWARD if it doesn't own NODE transaction yetAdding new node to pool
NODEservices[VALIDATOR][]TRUSTEE, STEWARD if it is owner of this transactionDemotion of node
NODEservices[][VALIDATOR]TRUSTEE, STEWARD if it is owner of this transactionPromotion of node
NODEnode_ip**STEWARD if it is owner of this transactionChanging Node's ip address
NODEnode_port**STEWARD if it is owner of this transactionChanging Node's port
NODEclient_ip**STEWARD if it is owner of this transactionChanging Client's ip address
NODEclient_port**STEWARD if it is owner of this transactionChanging Client's port
NODEblskey**STEWARD if it is owner of this transactionChanging Node's blskey
POOL_UPGRADEaction<empty>startTRUSTEEStarting upgrade procedure
POOL_UPGRADEactionstartcancelTRUSTEECanceling upgrade procedure
POOL_RESTARTaction**TRUSTEERestarting pool command
POOL_CONFIGaction**TRUSTEEPool config command (like a read only option)
VALIDATOR_INFO***TRUSTEE, STEWARD, NETWORK_MONITORGetting validator_info from pool
### Also, there is a some optional rules for case if in config option ANYONE_CAN_WRITE is set to True: -| Transaction type | Field | Previous value | New value | Who can| Description | -|------------------|-------|----------------|-----------|--------|-------------| -|NYM |`role`|``|``| Anyone| Adding new nym| -|SCHEMA |`*`|`*`|`*`| Anyone| Any operations with SCHEMA transaction| -|CLAIM_DEF |`*`|`*`|`*`| Anyone| Any operations with CLAIM_DEF transaction| + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Transaction typeFieldPrevious valueNew valueWho canDescription
NYMrole<empty><empty>AnyoneAdding new nym
SCHEMA***AnyoneAny operations with SCHEMA transaction
CLAIM_DEF***AnyoneAny operations with CLAIM_DEF transaction
### As of now it's not implemented yet, but the next rules for Revocation feature are needed: #### If ANYONE_CAN_WRITE is set to False: -| Transaction type | Field | Previous value | New value | Who can| Description | -|------------------|-------|----------------|-----------|--------|-------------| -|REVOC_REG_DEF|`*`|`*`|`*`| TRUSTEE, STEWARD, TRUST_ANCHOR| Adding new REVOC_REG_DEF| -|REVOC_REG_DEF|`*`|`*`|`*`| Only owners can edit existing REVOC_REG_DEF| Editing REVOC_REG_DEF| -|REVOC_REG_ENTRY|`*`|`*`|`*`| Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRY| Adding new REVOC_REG_ENTRY| -|REVOC_REG_ENTRY|`*`|`*`|`*`| Only owners can edit existing REVOC_REG_ENTRY| Editing REVOC_REG_ENTRY| + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Transaction typeFieldPrevious valueNew valueWho canDescription
REVOC_REG_DEF***TRUSTEE, STEWARD, TRUST_ANCHORAdding new REVOC_REG_DEF
REVOC_REG_DEF***Only owners can edit existing REVOC_REG_DEFEditing REVOC_REG_DEF
REVOC_REG_ENTRY***Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRYAdding new REVOC_REG_ENTRY
REVOC_REG_ENTRY***Only owners can edit existing REVOC_REG_ENTRYEditing REVOC_REG_ENTRY
+ #### If ANYONE_CAN_WRITE is set to True: -| Transaction type | Field | Previous value | New value | Who can| Description | -|------------------|-------|----------------|-----------|--------|-------------| -|REVOC_REG_DEF|`*`|`*`|`*`| Anyone can create new REVOC_REG_DEF| Adding new REVOC_REG_DEF| -|REVOC_REG_DEF|`*`|`*`|`*`| Only owners can edit existing REVOC_REG_DEF| Editing REVOC_REG_DEF| -|REVOC_REG_ENTRY|`*`|`*`|`*`| Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRY| Adding new REVOC_REG_ENTRY| -|REVOC_REG_ENTRY|`*`|`*`|`*`| Only owners can edit existing REVOC_REG_ENTRY| Adding new REVOC_REG_ENTRY| + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Transaction typeFieldPrevious valueNew valueWho canDescription
REVOC_REG_DEF***Anyone can create new REVOC_REG_DEFAdding new REVOC_REG_DEF
REVOC_REG_DEF***Only owners can edit existing REVOC_REG_DEFEditing REVOC_REG_DEF
REVOC_REG_ENTRY***Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRYAdding new REVOC_REG_ENTRY
REVOC_REG_ENTRY***Only owners can edit existing REVOC_REG_ENTRYAdding new REVOC_REG_ENTRY
diff --git a/docs/source/transactions.md b/docs/source/transactions.md index 4ccce2422..6ee85bf59 100644 --- a/docs/source/transactions.md +++ b/docs/source/transactions.md @@ -5,15 +5,15 @@ * [Common Structure](#common-structure) * [Domain Ledger](#domain-ledger) - * [NYM](#nym) - * [ATTRIB](#attrib) + * [NYM](#nym) + * [ATTRIB](#attrib) * [SCHEMA](#schema) * [CLAIM_DEF](#claim_def) - -* [Pool Ledger](#pool-ledger) + +* [Pool Ledger](#pool-ledger) * [NODE](#node) - -* [Config Ledger](#config-ledger) + +* [Config Ledger](#config-ledger) * [POOL_UPGRADE](#pool_upgrade) * [NODE_UPGRADE](#node_upgrade) * [POOL_CONFIG](#pool_config) @@ -23,10 +23,10 @@ This doc is about supported transactions and their representation on the Ledger (that is, the internal one). If you are interested in the format of a client's request (both write and read), then have a look at [requests](requests.md). -- All transactions are stored in a distributed ledger (replicated on all nodes) +- All transactions are stored in a distributed ledger (replicated on all nodes) - The ledger is based on a [Merkle Tree](https://en.wikipedia.org/wiki/Merkle_tree) - The ledger consists of two things: - - transactions log as a sequence of key-value pairs + - transactions log as a sequence of key-value pairs where key is a sequence number of the transaction and value is the serialized transaction - merkle tree (where hashes for leaves and nodes are persisted) - Each transaction has a sequence number (no gaps) - keys in transactions log 
@@ -43,13 +43,13 @@ where key is a sequence number of the transaction and value is the serialized tr Below you can find the format and description of all supported transactions. ## Genesis Transactions -As Indy is a public **permissioned** blockchain, each ledger may have a number of pre-defined +As Indy is a public **permissioned** blockchain, each ledger may have a number of pre-defined transactions defining the initial pool and network. - pool genesis transactions define initial trusted nodes in the pool - domain genesis transactions define initial trusted trustees and stewards ## Common Structure -Each transaction has the following structure consisting of metadata values (common for all transaction types) and +Each transaction has the following structure consisting of metadata values (common for all transaction types) and transaction specific data: ``` { @@ -57,12 +57,12 @@ transaction specific data: "txn": { "type": <...>, "protocolVersion": <...>, - + "data": { "ver": <...>, }, - + "metadata": { "reqId": <...>, "from": <...> @@ -70,7 +70,7 @@ transaction specific data: }, "txnMetadata": { "txnTime": <...>, - "seqNo": <...>, + "seqNo": <...>, "txnId": <...> }, "reqSignature": { @@ -85,16 +85,16 @@ transaction specific data: - `ver` (string): Transaction version to be able to evolve content. - The content of all sub-fields may depend on this version. + The content of all sub-fields may depend on this version. - `txn` (dict): - + Transaction-specific payload (data) - `type` (enum number as string): - + Supported transaction types: - + - NODE = 0 - NYM = 1 - ATTRIB = 100 
@@ -104,63 +104,63 @@ transaction specific data: - NODE_UPGRADE = 110 - POOL_CONFIG = 111 - - `protocolVersion` (integer; optional): - + - `protocolVersion` (integer; optional): + The version of client-to-node or node-to-node protocol. Each new version may introduce a new feature in requests/replies/data. Since clients and different nodes may be at different versions, we need this field to support backward compatibility - between clients and nodes. - + between clients and nodes. + - `data` (dict): - Transaction-specific data fields (see following sections for each transaction's description). - + Transaction-specific data fields (see following sections for each transaction's description). + - `metadata` (dict): - + Metadata as came from the request. - `from` (base58-encoded string): Identifier (DID) of the transaction submitter (client who sent the transaction) as base58-encoded string for 16 or 32 byte DID value. - It may differ from `did` field for some of transaction (for example NYM), where `did` is a + It may differ from `did` field for some of transaction (for example NYM), where `did` is a target identifier (for example, a newly created DID identifier). - + *Example*: `from` is a DID of a Trust Anchor creating a new DID, and `did` is a newly created DID. - - - `reqId` (integer): + + - `reqId` (integer): Unique ID number of the request with transaction. - + - `txnMetadata` (dict): - - Metadata attached to the transaction. - + + Metadata attached to the transaction. + - `version` (integer): Transaction version to be able to evolve `txnMetadata`. - The content of `txnMetadata` may depend on the version. - - - `txnTime` (integer as POSIX timestamp): + The content of `txnMetadata` may depend on the version. + + - `txnTime` (integer as POSIX timestamp): The time when transaction was written to the Ledger as POSIX timestamp. 
- + - `seqNo` (integer): A unique sequence number of the transaction on Ledger - + - `txnId` (string): Txn ID as State Trie key (address or descriptive data). It must be unique within the ledger. - - + + - `reqSignature` (dict): Submitter's signature over request with transaction (`txn` field). - + - `type` (string enum): - + - ED25519: ed25519 signature - ED25519_MULTI: ed25519 signature in multisig case. - - - `values` (list): - + + - `values` (list): + - `from` (base58-encoded string): Identifier (DID) of signer as base58-encoded string for 16 or 32 byte DID value. - + - `value` (base58-encoded string): signature value 
@@ -172,27 +172,27 @@ Please note that all these metadata fields may be absent for genesis transaction Creates a new NYM record for a specific user, trust anchor, steward or trustee. Note that only trustees and stewards can create new trust anchors and a trustee can be created only by other trustees (see [roles](https://github.com/hyperledger/indy-node/blob/master/docs/auth_rules.md)). -The transaction can be used for +The transaction can be used for creation of new DIDs, setting and rotation of verification key, setting and changing of roles. - `dest` (base58-encoded string): Target DID as base58-encoded string for 16 or 32 byte DID value. It differs from the `from` metadata field, where `from` is the DID of the submitter. - + *Example*: `from` is a DID of a Trust Anchor creating a new DID, and `dest` is a newly created DID. - -- `role` (enum number as integer; optional): + +- `role` (enum number as integer; optional): Role of a user that the NYM record is being created for. One of the following values - + - None (common USER) - 0 (TRUSTEE) - 2 (STEWARD) - 101 (TRUST_ANCHOR) - + A TRUSTEE can change any Nym's role to None, thus stopping it from making any further writes (see [roles](https://github.com/hyperledger/indy-node/blob/master/docs/auth_rules.md)). - + - `verkey` (base58-encoded string, possibly starting with "~"; optional): Target verification key as base58-encoded string. It can start with "~", which means that 
@@ -202,14 +202,15 @@ creation of new DIDs, setting and rotation of verification key, setting and chan (doesn't own the identifier yet). Verkey can be changed to "None" by owner, it means that this user goes back under guardianship. -- `alias` (string; optional): +- `alias` (string; optional): NYM's alias. -If there is no NYM transaction for the specified DID (`did`) yes, then this can be considered as the creation of a new DID. +If there is no NYM transaction for the specified DID (`did`) yet, then this can be considered as the creation of a new DID. If there is already a NYM transaction with the specified DID (`did`), then this is is considered an update of that DID. -In this case we can specify only the values we would like to update. All unspecified values remain unchanged. +In this case **only the values that need to be updated should be specified** since any specified one is treated as an update even if it matches the current value in ledger. All unspecified values remain unchanged. + So, if key rotation needs to be performed, the owner of the DID needs to send a NYM request with `did` and `verkey` only. `role` and `alias` will stay the same. @@ -221,14 +222,14 @@ So, if key rotation needs to be performed, the owner of the DID needs to send a "txn": { "type":"1", "protocolVersion":1, - + "data": { "ver": 1, "dest":"GEzcdDLhCpGCYRHW82kjHd", "verkey":"~HmUWn928bnFT6Ephf65YXv", "role":101, }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", 
@@ -258,14 +259,14 @@ Adds an attribute to a NYM record Target DID we set an attribute for as base58-encoded string for 16 or 32 byte DID value. It differs from `from` metadata field, where `from` is the DID of the submitter. - + *Example*: `from` is a DID of a Trust Anchor setting an attribute for a DID, and `dest` is the DID we set an attribute for. - + - `raw` (sha256 hash string; mutually exclusive with `hash` and `enc`): - Hash of the raw attribute data. + Hash of the raw attribute data. Raw data is represented as JSON, where the key is the attribute name and the value is the attribute value. - The ledger only stores a hash of the raw data; the real (unhashed) raw data is stored in a separate + The ledger only stores a hash of the raw data; the real (unhashed) raw data is stored in a separate attribute store. - `hash` (sha256 hash string; mutually exclusive with `raw` and `enc`): @@ -276,8 +277,8 @@ Adds an attribute to a NYM record - `enc` (sha256 hash string; mutually exclusive with `raw` and `hash`): Hash of encrypted attribute data. - The ledger contains the hash only; the real encrypted data is stored in a separate - attribute store. + The ledger contains the hash only; the real encrypted data is stored in a separate + attribute store. **Example**: ``` @@ -286,13 +287,13 @@ Adds an attribute to a NYM record "txn": { "type":"100", "protocolVersion":1, - + "data": { "ver":1, "dest":"GEzcdDLhCpGCYRHW82kjHd", "raw":"3cba1e3cf23c8ce24b7e08171d823fbd9a4929aafd9f27516e30699d3a42026a", }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -300,7 +301,7 @@ Adds an attribute to a NYM record }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, "txnId": "N22KY2Dyvmuu2PyyqSFKue|02" }, "reqSignature": { 
@@ -321,13 +322,13 @@ It's not possible to update an existing schema. So, if the Schema needs to be evolved, a new Schema with a new version or new name needs to be created. - `data` (dict): - + Dictionary with Schema's data: - + - `attr_names`: array of attribute name strings - `name`: Schema's name string - `version`: Schema's version string - + **Example**: ``` @@ -336,7 +337,7 @@ So, if the Schema needs to be evolved, a new Schema with a new version or new na "txn": { "type":101, "protocolVersion":1, - + "data": { "ver":1, "data": { @@ -345,7 +346,7 @@ So, if the Schema needs to be evolved, a new Schema with a new version or new na "version":"1.0" }, }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -353,7 +354,7 @@ So, if the Schema needs to be evolved, a new Schema with a new version or new na }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, "txnId":"L5AD5g65TDQr1PPHHRoiGf1|Degree|1.0", }, "reqSignature": { @@ -363,7 +364,7 @@ So, if the Schema needs to be evolved, a new Schema with a new version or new na "value": "4X3skpoEK2DRgZxQ9PwuEvCJpL8JHdQ8X4HDDFyztgqE15DM2ZnkvrAh9bQY16egVinZTzwHqznmnkaFM4jjyDgd" }] } - + } ``` @@ -374,14 +375,14 @@ It's not possible to update `data` in an existing claim definition. Therefore if an existing claim defintion needs to be evolved (for example, a key needs to be rotated), a new claim definition needs to be created for a new Issuer DID (`did`). - `data` (dict): - + Dictionary with claim definition's data: - + - `primary` (dict): primary claim public key - `revocation` (dict): revocation claim public key - + - `ref` (string): - + Sequence number of a schema transaction the claim definition is created for. - `signature_type` (string): 
@@ -391,8 +392,8 @@ Therefore if an existing claim defintion needs to be evolved (for example, a key - `tag` (string, optional): A unique tag to have multiple public keys for the same Schema and type issued by the same DID. - A default tag `tag` will be used if not specified. - + A default tag `tag` will be used if not specified. + **Example**: ``` { @@ -400,7 +401,7 @@ Therefore if an existing claim defintion needs to be evolved (for example, a key "txn": { "type":102, "protocolVersion":1, - + "data": { "ver":1, "data": { @@ -415,7 +416,7 @@ Therefore if an existing claim defintion needs to be evolved (for example, a key "signature_type":"CL", 'tag': 'some_tag' }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -423,7 +424,7 @@ Therefore if an existing claim defintion needs to be evolved (for example, a key }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, "txnId":"HHAD5g65TDQr1PPHHRoiGf2L5AD5g65TDQr1PPHHRoiGf1|Degree1|CL|key1", }, "reqSignature": { 
@@ -443,29 +444,29 @@ Therefore if an existing claim defintion needs to be evolved (for example, a key Adds a new node to the pool or updates an existing node in the pool - `data` (dict): - + Data associated with the Node: - + - `alias` (string): Node's alias - `blskey` (base58-encoded string; optional): BLS multi-signature key as base58-encoded string (it's needed for BLS signatures and state proofs support) - - `client_ip` (string; optional): Node's client listener IP address, that is the IP clients use to connect to the node when sending read and write requests (ZMQ with TCP) + - `client_ip` (string; optional): Node's client listener IP address, that is the IP clients use to connect to the node when sending read and write requests (ZMQ with TCP) - `client_port` (string; optional): Node's client listener port, that is the port clients use to connect to the node when sending read and write requests (ZMQ with TCP) - `node_ip` (string; optional): The IP address other Nodes use to communicate with this Node; no clients are allowed here (ZMQ with TCP) - `node_port` (string; optional): The port other Nodes use to communicate with this Node; no clients are allowed here (ZMQ with TCP) - - `services` (array of strings; optional): the service of the Node. `VALIDATOR` is the only supported one now. + - `services` (array of strings; optional): the service of the Node. `VALIDATOR` is the only supported one now. - `dest` (base58-encoded string): Target Node's DID as base58-encoded string for 16 or 32 byte DID value. It differs from `identifier` metadata field, where `identifier` is the DID of the transaction submitter (Steward's DID). - + *Example*: `identifier` is a DID of a Steward creating a new Node, and `dest` is the DID of this Node. - + - `verkey` (base58-encoded string, possibly starting with "~"; optional): Target Node verification key as base58-encoded string. - It may absent if `dest` is 32-bit cryptonym CID. - + It may absent if `dest` is 32-bit cryptonym CID. 
+ If there is no NODE transaction with the specified Node ID (`dest`), then it can be considered as creation of a new NODE. @@ -482,7 +483,7 @@ There is no need to specify all other fields, and they will remain the same. "txn": { "type":0, "protocolVersion":1, - + "data": { "data": { "alias":"Delta", @@ -495,7 +496,7 @@ There is no need to specify all other fields, and they will remain the same. }, "dest":"4yC546FFzorLPgTNTc6V43DnpFrR8uHvtunBxb2Suaa2", }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -503,7 +504,7 @@ There is no need to specify all other fields, and they will remain the same. }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, "txnId":"Delta", }, "reqSignature": { 
@@ -530,29 +531,29 @@ Command to upgrade the Pool (sent by Trustee). It upgrades the specified Nodes ( - `action` (enum: `start` or `cancel`): Starts or cancels the Upgrade. - + - `version` (string): The version of indy-node package we perform upgrade to. Must be greater than existing one (or equal if `reinstall` flag is True). - + - `schedule` (dict of node DIDs to timestamps): Schedule of when to perform upgrade on each node. This is a map where Node DIDs are keys, and upgrade time is a value (see example below). If `force` flag is False, then it's required that time difference between each Upgrade must be not less than 5 minutes (to give each Node enough time and not make the whole Pool go down during Upgrade). - + - `sha256` (sha256 hash string): sha256 hash of the package - + - `force` (boolean; optional): Whether we should apply transaction (schedule Upgrade) without waiting for consensus of this transaction. If false, then transaction is applied only after it's written to the ledger. Otherwise it's applied regardless of result of consensus, and there are no restrictions on the Upgrade `schedule` for each Node. - So, we can Upgrade the whole Pool at the same time when it's set to True. + So, we can Upgrade the whole Pool at the same time when it's set to True. False by default. Avoid setting to True without good reason. - `reinstall` (boolean; optional): @@ -575,7 +576,7 @@ Command to upgrade the Pool (sent by Trustee). It upgrades the specified Nodes ( "txn": { "type":109, "protocolVersion":1, - + "data": { "ver":1, "name":"upgrade-13", @@ -588,7 +589,7 @@ Command to upgrade the Pool (sent by Trustee). It upgrades the specified Nodes ( "timeout":1, "justification":null, }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -597,7 +598,7 @@ Command to upgrade the Pool (sent by Trustee). It upgrades the specified Nodes ( }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, }, "reqSignature": { "type": "ED25519", 
@@ -612,14 +613,14 @@ Command to upgrade the Pool (sent by Trustee). It upgrades the specified Nodes ( #### NODE_UPGRADE Status of each Node's upgrade (sent by each upgraded Node) -- `action` (enum string): +- `action` (enum string): One of `in_progress`, `complete` or `fail`. - -- `version` (string): - + +- `version` (string): + The version of indy-node the node was upgraded to. - + **Example:** ``` @@ -628,13 +629,13 @@ Status of each Node's upgrade (sent by each upgraded Node) "txn": { "type":110, "protocolVersion":1, - + "data": { "ver":1, "action":"complete", "version":"1.2" }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -642,7 +643,7 @@ Status of each Node's upgrade (sent by each upgraded Node) }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, "txnId":"upgrade-13", }, "reqSignature": { @@ -670,9 +671,9 @@ Command to change Pool's configuration Whether we should apply transaction (for example, move pool to read-only state) without waiting for consensus of this transaction. If false, then transaction is applied only after it's written to the ledger. - Otherwise it's applied regardless of result of consensus. + Otherwise it's applied regardless of result of consensus. False by default. Avoid setting to True without good reason. - + **Example:** ``` @@ -681,13 +682,13 @@ Command to change Pool's configuration "txn": { "type":111, "protocolVersion":1, - + "data": { "ver":1, "writes":false, "force":true, }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -695,7 +696,7 @@ Command to change Pool's configuration }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, "txnId":"1111", }, "reqSignature": { diff --git a/indy_common/authorize/auth_constraints.py b/indy_common/authorize/auth_constraints.py index 7cbbc26f1..26bc3af58 100644 --- a/indy_common/authorize/auth_constraints.py +++ b/indy_common/authorize/auth_constraints.py 
@@ -1,6 +1,7 @@ from abc import ABCMeta, abstractmethod from typing import List +from indy_common.authorize.helper import get_named_role ROLE_CONSTRAINT_ID = 'ROLE' AND_CONSTRAINT_ID = 'AND' @@ -11,6 +12,9 @@ class AbstractAuthConstraint(metaclass=ABCMeta): def __init__(self): self.constraint_id = '' + def __str__(self): + return str(self) + class AuthConstraint(AbstractAuthConstraint): def __init__(self, role, sig_count, need_to_be_owner=False, metadata={}): 
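Review bot: `AbstractAuthConstraint.__str__` returns `str(self)`, which calls `__str__` again, so a subclass that does not override it fails with `RecursionError` the first time it is formatted. The three subclasses in this file do override it, but the new `AuthValidationError` text in authorizer.py formats whatever constraint it receives, so a later constraint type would turn a rejection into a crash. A non-recursive fallback is enough: `return self.constraint_id or type(self).__name__`.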
@@ -20,18 +24,44 @@ def __init__(self, role, sig_count, need_to_be_owner=False, metadata={}): self.metadata = metadata self.constraint_id = ROLE_CONSTRAINT_ID + def __str__(self): + role = get_named_role(self.role) if self.role != '*' else 'ALL' + if role != 'ALL' and self.need_to_be_owner and self.sig_count > 1: + return "{} {} signatures are required and needs to be owner".format(self.sig_count, role) + elif role != 'ALL' and not self.need_to_be_owner and self.sig_count > 1: + return "{} {} signatures are required".format(self.sig_count, role) + elif role != 'ALL' and not self.need_to_be_owner and self.sig_count == 1: + return "1 {} signature is required".format(role) + elif role != 'ALL' and self.need_to_be_owner and self.sig_count == 1: + return "1 {} signature is required and needs to be owner".format(role) + + elif role == "ALL" and self.need_to_be_owner and self.sig_count == 1: + return "1 signature of any role is required and needs to be owner" + elif role == 'ALL' and not self.need_to_be_owner and self.sig_count == 1: + return "1 signature of any role is required".format(role) + elif role == 'ALL' and not self.need_to_be_owner and self.sig_count > 1: + return "{} signatures of any role are required".format(self.sig_count) + elif role == "ALL" and self.need_to_be_owner and self.sig_count > 1: + return "{} signatures of any role are required and needs to be owner".format(self.sig_count) + class AuthConstraintAnd(AbstractAuthConstraint): def __init__(self, auth_constraints): self.auth_constraints = auth_constraints self.constraint_id = AND_CONSTRAINT_ID + def __str__(self): + return " AND ".join([str(ac) for ac in self.auth_constraints]) + class AuthConstraintOr(AbstractAuthConstraint): def __init__(self, auth_constraints): self.auth_constraints = auth_constraints self.constraint_id = OR_CONSTRAINT_ID + def __str__(self): + return " OR ".join([str(ac) for ac in self.auth_constraints]) + class AbstractAuthConstraintParser(metaclass=ABCMeta): @staticmethod 
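Review bot: `AuthConstraint.__str__` has no final `else`, so a `sig_count` below 1 matches none of the eight branches and the method returns `None`; `str()` then raises `TypeError`, and it would do so while the rejection message in authorizer.py is being built. No validation of `sig_count` is visible in this hunk, and the new tests only cover the values 1 and 7. Building the sentence from parts removes the fall-through and the duplicated literals, and drops the stray `.format(role)` on the string that has no placeholder. The class body starts above this hunk.

```python
    def __str__(self):
        single = self.sig_count == 1
        noun = "signature" if single else "signatures"
        verb = "is" if single else "are"
        if self.role == '*':
            who = "{} {} of any role".format(self.sig_count, noun)
        else:
            who = "{} {} {}".format(self.sig_count, get_named_role(self.role), noun)
        text = "{} {} required".format(who, verb)
        if self.need_to_be_owner:
            text += " and needs to be owner"
        return text
```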
diff --git a/indy_common/authorize/authorizer.py b/indy_common/authorize/authorizer.py index e4b7473b9..684f238c2 100644 --- a/indy_common/authorize/authorizer.py +++ b/indy_common/authorize/authorizer.py @@ -3,6 +3,9 @@ from indy_common.authorize.auth_actions import AbstractAuthAction from indy_common.authorize.auth_constraints import AbstractAuthConstraint, AuthConstraint, ROLE_CONSTRAINT_ID, \ AuthConstraintAnd +from indy_common.authorize.helper import get_named_role +from indy_common.constants import NYM, CLAIM_DEF +from indy_common.transactions import IndyTransactions from indy_common.types import Request from indy_node.persistence.idr_cache import IdrCache @@ -65,6 +68,9 @@ def is_sig_count_accepted(self, request: Request, auth_constraint: AuthConstrain return sig_count >= auth_constraint.sig_count + def get_named_role_from_req(self, request: Request): + return get_named_role(self.get_role(request)) + def authorize(self, request: Request, auth_constraint: AuthConstraint, @@ -73,11 +79,18 @@ def authorize(self, if is_role_accepted is None: return False, "sender's DID {} is not found in the Ledger".format(request.identifier) if not is_role_accepted: - return False, "role is not accepted" + return False, "{} can not do this action".format(self.get_named_role_from_req(request)) if not self.is_sig_count_accepted(request, auth_constraint): - return False, "count of signatures is not accepted" + return False, "Not enough signatures" if not self.is_owner_accepted(auth_constraint, auth_action): - return False, "actor must be owner" + if auth_action.field != '*': + return False, "{} can not touch {} field since only the owner can modify it".\ + format(self.get_named_role_from_req(request), + auth_action.field) + else: + return False, "{} can not edit {} txn since only owner can modify it".\ + format(self.get_named_role_from_req(request), + IndyTransactions.get_name_from_code(auth_action.txn_type)) return True, "" 
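Review bot: `NYM` and `CLAIM_DEF` are imported from `indy_common.constants` in the first authorizer.py hunk, but none of the hunks shown for this file references them; only `get_named_role` and `IndyTransactions` are used. If nothing outside these hunks needs them, drop the line `from indy_common.constants import NYM, CLAIM_DEF` so the module does not carry an unused dependency.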
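Review bot: The signature-count rejection in `authorize` became `"Not enough signatures"`, the only one of the new reasons that does not say what the rule requires. The tests in this commit match these reasons inside `RequestRejectedException`, so the submitter appears to see them; include the threshold, e.g. `return False, "Not enough signatures: {} required".format(auth_constraint.sig_count)`. In the owner branch `self.get_named_role_from_req(request)` is evaluated in both arms and could be bound once before `if auth_action.field != '*':`. `authorize` starts above this hunk.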
@@ -135,5 +148,5 @@ def authorize(self, else: successes.append(True) if len(successes) == 0: - raise AuthValidationError("There is no accepted constraint") + raise AuthValidationError("Rule for this action is: {}".format(auth_constraint)) return True, "" diff --git a/indy_common/authorize/helper.py b/indy_common/authorize/helper.py new file mode 100644 index 000000000..38771492d --- /dev/null +++ b/indy_common/authorize/helper.py @@ -0,0 +1,8 @@ +from indy_common.roles import Roles + + +def get_named_role(role_code): + try: + return Roles.nameFromValue(role_code) + except ValueError: + return "Unknown role" diff --git a/indy_common/constants.py b/indy_common/constants.py index 559ebda75..f1fa63a23 100644 --- a/indy_common/constants.py +++ b/indy_common/constants.py @@ -123,6 +123,9 @@ ENDPOINT = "endpoint" # Roles + +# FIXME can be automated by iteration through Roles +# but it would be less self-descriptive TRUST_ANCHOR = Roles.TRUST_ANCHOR.value TRUST_ANCHOR_STRING = 'TRUST_ANCHOR' @@ -146,6 +149,7 @@ GET_REVOC_REG_DEF = IndyTransactions.GET_REVOC_REG_DEF.value GET_REVOC_REG = IndyTransactions.GET_REVOC_REG.value GET_REVOC_REG_DELTA = IndyTransactions.GET_REVOC_REG_DELTA.value +CHANGE_KEY = IndyTransactions.CHANGE_KEY.value POOL_UPGRADE = IndyTransactions.POOL_UPGRADE.value NODE_UPGRADE = IndyTransactions.NODE_UPGRADE.value diff --git a/indy_common/roles.py b/indy_common/roles.py index 52f3ab44d..d09a374de 100644 --- a/indy_common/roles.py +++ b/indy_common/roles.py @@ -8,6 +8,7 @@ class Roles(Enum): # These numeric constants CANNOT be changed once they have been used, # because that would break backwards compatibility with the ledger # Also the numeric constants CANNOT collide with the roles in plenum + IDENTITY_OWNER = Roles.IDENTITY_OWNER.value TRUSTEE = Roles.TRUSTEE.value STEWARD = Roles.STEWARD.value TRUST_ANCHOR = "101" 
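Review bot: `get_named_role` in the new helper.py has no docstring, although its fallback string ends up in rejection text such as "Unknown role can not do this action". A one-line docstring would do: `"""Return the Roles name for role_code, or "Unknown role" when the code is not a known role value."""`. It catches only `ValueError`; whether `Roles.nameFromValue` can raise anything else for `None` or a non-string code is not visible here and is worth confirming, since this runs on the authorization failure path.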
diff --git a/indy_common/test/auth/test_auth_constraint.py b/indy_common/test/auth/test_auth_constraint.py new file mode 100644 index 000000000..e5d4004dd --- /dev/null +++ b/indy_common/test/auth/test_auth_constraint.py 
@@ -0,0 +1,82 @@ +from indy_common.authorize.auth_constraints import AuthConstraint, AuthConstraintOr, AuthConstraintAnd +from plenum.common.constants import TRUSTEE, STEWARD + + +def test_str_not_any_7_sig_owner(): + constraint = AuthConstraint(role=TRUSTEE, + sig_count=7, + need_to_be_owner=True) + assert str(constraint) == '7 TRUSTEE signatures are required and needs to be owner' + + +def test_str_not_any_7_sig_not_owner(): + constraint = AuthConstraint(role=TRUSTEE, + sig_count=7, + need_to_be_owner=False) + assert str(constraint) == '7 TRUSTEE signatures are required' + + +def test_str_not_any_1_sig_not_owner(): + constraint = AuthConstraint(role=TRUSTEE, + sig_count=1, + need_to_be_owner=False) + assert str(constraint) == '1 TRUSTEE signature is required' + + +def test_str_not_any_1_sig_owner(): + constraint = AuthConstraint(role=TRUSTEE, + sig_count=1, + need_to_be_owner=True) + assert str(constraint) == '1 TRUSTEE signature is required and needs to be owner' + + +def test_str_any_1_sig_owner(): + constraint = AuthConstraint(role="*", + sig_count=1, + need_to_be_owner=True) + assert str(constraint) == '1 signature of any role is required and needs to be owner' + + +def test_str_any_1_sig_not_owner(): + constraint = AuthConstraint(role='*', + sig_count=1, + need_to_be_owner=False) + assert str(constraint) == '1 signature of any role is required' + + +def test_str_any_several_sig_not_owner(): + constraint = AuthConstraint(role='*', + sig_count=7, + need_to_be_owner=False) + assert str(constraint) == '7 signatures of any role are required' + + +def test_str_any_several_sig_owner(): + constraint = AuthConstraint(role='*', + sig_count=7, + need_to_be_owner=True) + assert str(constraint) == '7 signatures of any role are required and needs to be owner' + + +def test_str_for_auth_constraint_or(): + constraint = AuthConstraintOr([AuthConstraint(role=TRUSTEE, + sig_count=1, + need_to_be_owner=True), + AuthConstraint(role=STEWARD, + sig_count=1, + 
need_to_be_owner=True)]) + assert str(constraint) == '1 TRUSTEE signature is required and needs to be owner ' \ + 'OR ' \ + '1 STEWARD signature is required and needs to be owner' + + +def test_str_for_auth_constraint_and(): + constraint = AuthConstraintAnd([AuthConstraint(role=TRUSTEE, + sig_count=1, + need_to_be_owner=True), + AuthConstraint(role=STEWARD, + sig_count=1, + need_to_be_owner=True)]) + assert str(constraint) == '1 TRUSTEE signature is required and needs to be owner ' \ + 'AND ' \ + '1 STEWARD signature is required and needs to be owner' diff --git a/indy_common/test/auth/test_auth_nym_with_new_auth_map.py b/indy_common/test/auth/test_auth_nym_with_new_auth_map.py index f77383df6..ca2a34d1e 100644 --- a/indy_common/test/auth/test_auth_nym_with_new_auth_map.py +++ b/indy_common/test/auth/test_auth_nym_with_new_auth_map.py @@ -134,3 +134,13 @@ def test_same_role_network_monitor(write_request_validation, req, is_owner): old_value=NETWORK_MONITOR, new_value=NETWORK_MONITOR, is_owner=is_owner)]) + + +def test_same_role_none(write_request_validation, req, is_owner): + authorized = is_owner + assert authorized == write_request_validation(req, + [AuthActionEdit(txn_type=NYM, + field=ROLE, + old_value='', + new_value='', + is_owner=is_owner)]) diff --git a/indy_common/test/auth/test_helper.py b/indy_common/test/auth/test_helper.py new file mode 100644 index 000000000..13242a5a1 --- /dev/null +++ b/indy_common/test/auth/test_helper.py @@ -0,0 +1,10 @@ +from indy_common.authorize.helper import get_named_role +from plenum.common.constants import TRUSTEE_STRING, TRUSTEE + + +def test_for_known_role(): + assert get_named_role(TRUSTEE) == TRUSTEE_STRING + + +def test_for_unknown_role(): + assert get_named_role("SomeOtherRole") == "Unknown role" diff --git a/indy_common/test/auth/test_role_authorizer.py b/indy_common/test/auth/test_role_authorizer.py index 7f57b1288..212550c6d 100644 --- a/indy_common/test/auth/test_role_authorizer.py 
+++ b/indy_common/test/auth/test_role_authorizer.py @@ -88,7 +88,7 @@ def test_role_authorizer_not_authorize_role(idr_cache, req_auth): authorizer = RolesAuthorizer(cache=idr_cache) authorized, reason = authorizer.authorize(req_auth, AuthConstraint(role="SomeOtherRole", sig_count=1)) assert not authorized - assert reason == "role is not accepted" + assert reason == "Unknown role can not do this action" def test_role_authorizer_not_authorize_unknown_nym(idr_cache): diff --git a/indy_common/test/test_transactions.py b/indy_common/test/test_transactions.py index d8c594b36..c598838c6 100644 --- a/indy_common/test/test_transactions.py +++ b/indy_common/test/test_transactions.py @@ -1,5 +1,6 @@ from indy_common.constants import NYM, NODE, ATTRIB, SCHEMA, CLAIM_DEF, DISCLO, GET_ATTR, GET_NYM, GET_TXNS, \ - GET_SCHEMA, GET_CLAIM_DEF, POOL_UPGRADE, NODE_UPGRADE, POOL_CONFIG + GET_SCHEMA, GET_CLAIM_DEF, POOL_UPGRADE, NODE_UPGRADE, POOL_CONFIG, REVOC_REG_DEF, REVOC_REG_ENTRY, \ + GET_REVOC_REG_DEF, GET_REVOC_REG, GET_REVOC_REG_DELTA, POOL_RESTART, VALIDATOR_INFO, CHANGE_KEY from indy_common.transactions import IndyTransactions @@ -18,6 +19,16 @@ def testTransactionsAreEncoded(): assert POOL_UPGRADE == "109" assert NODE_UPGRADE == "110" assert POOL_CONFIG == "111" + assert CHANGE_KEY == "112" + + assert REVOC_REG_DEF == "113" + assert REVOC_REG_ENTRY == "114" + assert GET_REVOC_REG_DEF == "115" + assert GET_REVOC_REG == "116" + assert GET_REVOC_REG_DELTA == "117" + + assert POOL_RESTART == "118" + assert VALIDATOR_INFO == "119" def testTransactionEnumDecoded(): 
@@ -29,15 +40,26 @@ def testTransactionEnumDecoded(): assert IndyTransactions.CLAIM_DEF.name == "CLAIM_DEF" assert IndyTransactions.DISCLO.name == "DISCLO" + assert IndyTransactions.GET_ATTR.name == "GET_ATTR" assert IndyTransactions.GET_NYM.name == "GET_NYM" assert IndyTransactions.GET_TXNS.name == "GET_TXNS" assert IndyTransactions.GET_SCHEMA.name == "GET_SCHEMA" assert IndyTransactions.GET_CLAIM_DEF.name == "GET_CLAIM_DEF" + assert IndyTransactions.POOL_UPGRADE.name == "POOL_UPGRADE" assert IndyTransactions.NODE_UPGRADE.name == "NODE_UPGRADE" assert IndyTransactions.POOL_CONFIG.name == "POOL_CONFIG" assert IndyTransactions.POOL_RESTART.name == "POOL_RESTART" + assert IndyTransactions.CHANGE_KEY.name == "CHANGE_KEY" + + assert IndyTransactions.REVOC_REG_DEF.name == "REVOC_REG_DEF" + assert IndyTransactions.REVOC_REG_ENTRY.name == "REVOC_REG_ENTRY" + assert IndyTransactions.GET_REVOC_REG_DEF.name == "GET_REVOC_REG_DEF" + assert IndyTransactions.GET_REVOC_REG.name == "GET_REVOC_REG" + assert IndyTransactions.GET_REVOC_REG_DELTA.name == "GET_REVOC_REG_DELTA" + + assert IndyTransactions.VALIDATOR_INFO.name == "VALIDATOR_INFO" def testTransactionEnumEncoded(): 
@@ -57,4 +79,41 @@ def testTransactionEnumEncoded(): assert IndyTransactions.POOL_UPGRADE.value == "109" assert IndyTransactions.NODE_UPGRADE.value == "110" assert IndyTransactions.POOL_CONFIG.value == "111" + assert IndyTransactions.CHANGE_KEY.value == "112" + assert IndyTransactions.REVOC_REG_DEF.value == "113" + assert IndyTransactions.REVOC_REG_ENTRY.value == "114" + assert IndyTransactions.GET_REVOC_REG_DEF.value == "115" + assert IndyTransactions.GET_REVOC_REG.value == "116" + assert IndyTransactions.GET_REVOC_REG_DELTA.value == "117" assert IndyTransactions.POOL_RESTART.value == "118" + assert IndyTransactions.VALIDATOR_INFO.value == "119" + + +def test_get_name_from_code(): + assert IndyTransactions.get_name_from_code(IndyTransactions.NODE.value) == "NODE" + assert IndyTransactions.get_name_from_code(IndyTransactions.NYM.value) == "NYM" + + assert IndyTransactions.get_name_from_code(IndyTransactions.ATTRIB.value) == "ATTRIB" + assert IndyTransactions.get_name_from_code(IndyTransactions.SCHEMA.value) == "SCHEMA" + assert IndyTransactions.get_name_from_code(IndyTransactions.CLAIM_DEF.value) == "CLAIM_DEF" + + assert IndyTransactions.get_name_from_code(IndyTransactions.DISCLO.value) == "DISCLO" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_ATTR.value) == "GET_ATTR" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_NYM.value) == "GET_NYM" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_TXNS.value) == "GET_TXNS" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_SCHEMA.value) == "GET_SCHEMA" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_CLAIM_DEF.value) == "GET_CLAIM_DEF" + assert IndyTransactions.get_name_from_code(IndyTransactions.POOL_UPGRADE.value) == "POOL_UPGRADE" + assert IndyTransactions.get_name_from_code(IndyTransactions.NODE_UPGRADE.value) == "NODE_UPGRADE" + assert IndyTransactions.get_name_from_code(IndyTransactions.POOL_CONFIG.value) == "POOL_CONFIG" + assert 
IndyTransactions.get_name_from_code(IndyTransactions.POOL_RESTART.value) == "POOL_RESTART" + + assert IndyTransactions.get_name_from_code(IndyTransactions.CHANGE_KEY.value) == "CHANGE_KEY" + assert IndyTransactions.get_name_from_code(IndyTransactions.REVOC_REG_DEF.value) == "REVOC_REG_DEF" + assert IndyTransactions.get_name_from_code(IndyTransactions.REVOC_REG_ENTRY.value) == "REVOC_REG_ENTRY" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_REVOC_REG_DEF.value) == "GET_REVOC_REG_DEF" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_REVOC_REG.value) == "GET_REVOC_REG" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_REVOC_REG_DELTA.value) == "GET_REVOC_REG_DELTA" + assert IndyTransactions.get_name_from_code(IndyTransactions.VALIDATOR_INFO.value) == "VALIDATOR_INFO" + + assert IndyTransactions.get_name_from_code("some_unexpected_code") == "Unknown_transaction_type" diff --git a/indy_common/transactions.py b/indy_common/transactions.py index 6b893c555..2982192de 100644 --- a/indy_common/transactions.py +++ b/indy_common/transactions.py @@ -33,3 +33,10 @@ class IndyTransactions(Transactions): POOL_RESTART = "118" VALIDATOR_INFO = "119" + + @staticmethod + def get_name_from_code(code: str): + try: + return IndyTransactions(code).name + except ValueError: + return "Unknown_transaction_type" diff --git a/indy_node/test/nym_txn/test_demote_network_monitor.py b/indy_node/test/nym_txn/test_demote_network_monitor.py index 19e2c6018..71c635e19 100644 --- a/indy_node/test/nym_txn/test_demote_network_monitor.py +++ b/indy_node/test/nym_txn/test_demote_network_monitor.py 
@@ -75,4 +75,4 @@ def test_network_monitor_suspension_by_itself(looper, op['verkey'] = new_network_monitor_verkey req = sdk_sign_and_submit_op(looper, sdk_pool_handle, (sdk_wallet_handle, new_network_monitor_did), op) with pytest.raises(RequestRejectedException): - sdk_get_and_check_replies(looper, [req]) \ No newline at end of file + sdk_get_and_check_replies(looper, [req]) diff --git a/indy_node/test/nym_txn/test_nym.py b/indy_node/test/nym_txn/test_nym.py index 163a5c709..9f69e36c6 100644 --- a/indy_node/test/nym_txn/test_nym.py +++ b/indy_node/test/nym_txn/test_nym.py @@ -6,29 +6,10 @@ from plenum.test.pool_transactions.helper import sdk_add_new_nym -def test_non_steward_cannot_create_trust_anchor( - nodeSet, looper, sdk_pool_handle, sdk_wallet_steward): - sdk_wallet_client = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward) - with pytest.raises(RequestRejectedException) as e: - sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_client, role=TRUST_ANCHOR_STRING) - e.match('There is no accepted constraint') - - def testStewardCreatesATrustAnchor(looper, sdk_pool_handle, sdk_wallet_steward): sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward, role=TRUST_ANCHOR_STRING) +# FIXME why is it necessary to check def testStewardCreatesAnotherTrustAnchor(looper, sdk_pool_handle, sdk_wallet_steward): sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward, role=TRUST_ANCHOR_STRING) - - -def test_non_trust_anchor_cannot_create_user( - nodeSet, looper, sdk_pool_handle, sdk_wallet_steward): - sdk_wallet_client = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward) - with pytest.raises(RequestRejectedException) as e: - sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_client) - e.match('There is no accepted constraint') - - -def testTrustAnchorCreatesAUser(sdk_user_wallet_a): - pass diff --git a/indy_node/test/nym_txn/test_nym_additional.py b/indy_node/test/nym_txn/test_nym_additional.py index d50c26dd7..a3c3fb3f8 100644 
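Review bot: After the test_nym.py hunk only the two positive steward cases remain, so this file no longer asserts that a signer without the required role is refused when creating a TRUST_ANCHOR or a user. The commit adds test_nym_auth_rules.py, whose `auth_check` table looks like the intended replacement; confirm that it exercises an identity-owner signer for both removed cases before relying on it. The added comment `# FIXME why is it necessary to check` is cut off; state the question in full, e.g. `# FIXME: repeats testStewardCreatesATrustAnchor; drop unless a second creation is a distinct case`.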
--- a/indy_node/test/nym_txn/test_nym_additional.py +++ b/indy_node/test/nym_txn/test_nym_additional.py @@ -36,24 +36,31 @@ def trust_anchor_did_verkey(looper, sdk_wallet_client): def test_pool_nodes_started(nodeSet): pass +@pytest.fixture(scope='function', params=['trustee', 'steward']) +def sdk_wallet(request, sdk_wallet_steward, sdk_wallet_trustee): + if request.param == 'steward': + yield sdk_wallet_steward + elif request.param == 'trustee': + yield sdk_wallet_trustee + def test_send_same_nyms_only_first_gets_written( - looper, sdk_pool_handle, sdk_wallet_steward): - wh, _ = sdk_wallet_steward + looper, sdk_pool_handle, sdk_wallet): + wh, _ = sdk_wallet seed = randomString(32) did, verkey = looper.loop.run_until_complete( create_and_store_my_did(wh, json.dumps({'seed': seed}))) # request 1 - _, did1 = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward, dest=did, verkey=verkey) + _, did1 = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet, dest=did, verkey=verkey) seed = randomString(32) _, verkey = looper.loop.run_until_complete( create_and_store_my_did(wh, json.dumps({'seed': seed}))) # request 2 with pytest.raises(RequestRejectedException) as e: - _, did2 = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward, dest=did, verkey=verkey) - e.match('actor must be owner') + _, did2 = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet, dest=did, verkey=verkey) + e.match('can not touch verkey field since only the owner can modify it') def get_nym(looper, sdk_pool_handle, sdk_wallet_steward, t_did): diff --git a/indy_node/test/nym_txn/test_nym_auth_rules.py b/indy_node/test/nym_txn/test_nym_auth_rules.py new file mode 100644 index 000000000..54ff8236e --- /dev/null +++ b/indy_node/test/nym_txn/test_nym_auth_rules.py 
@@ -0,0 +1,314 @@
+import sys
+import pytest
+
+from enum import Enum, unique
+
+from indy.did import create_and_store_my_did
+
+from plenum.common.constants import TRUSTEE, STEWARD, NYM
+from plenum.common.exceptions import RequestRejectedException
+from plenum.test.helper import sdk_sign_and_submit_op, sdk_get_and_check_replies
+from plenum.test.pool_transactions.helper import sdk_add_new_nym
+
+from indy_common.roles import Roles
+from indy_node.test.helper import createHalfKeyIdentifierAndAbbrevVerkey
+
+
+# TODO
+# - more specific string patterns for auth exc check
+# - mixed cases: both verkey and role are presented in NYM txn
+# ??? possibly not necessary for now since role and verkey related constrains
+# are composed like logical AND validation fails if any of them fails
+# - ANYONE_CAN_WRITE=True case
+
+
+# FIXTURES
+
+class EnumBase(Enum):
+ def __str__(self):
+ return self.name
+
+
+@unique
+class ActionIds(EnumBase):
+ add = 0
+ demote = 1
+ rotate = 2
+
+
+@unique
+class Demotions(EnumBase):
+ # other DID-without-verkey created by the demoter
+ self_created_no_verkey = 1
+ # other DID-with-verkey created by the demoter
+ self_created_verkey = 2
+ # other DID-without-verkey created by other
+ other_created_no_verkey = 3
+ # other DID-with-verkey created by other
+ other_created_verkey = 4
+
+
+@unique
+class Rotations(EnumBase):
+ none_val = 1
+ val_val = 2
+ val_none = 3
+ none_none = 4
+
+
+@unique
+class Rotator(EnumBase):
+ self = 1
+ creator = 2
+ other = 3
+
+
+# FIXME class name
+class DIDWallet(object):
+ def __init__(self, did=None, role=Roles.IDENTITY_OWNER, verkey=None, creator=None, wallet_handle=None):
+ self.did = did
+ self.role = role
+ self.verkey = verkey
+ self.creator = creator
+ self.wallet_handle = wallet_handle
+
+ @property
+ def wallet_did(self):
+ return (self.wallet_handle, self.did)
+
+
+def auth_check(action_id, signer, dest):
+
+ # is_self = signer.did == dest.did
+ is_owner = signer == (dest if dest.verkey is not None else dest.creator)
+
+ if action_id == ActionIds.add:
+ if dest.role in (Roles.TRUSTEE, Roles.STEWARD):
+ return signer.role == Roles.TRUSTEE
+ elif dest.role in (Roles.TRUST_ANCHOR, Roles.NETWORK_MONITOR):
+ return signer.role in (Roles.TRUSTEE, Roles.STEWARD)
+ elif dest.role == Roles.IDENTITY_OWNER:
+ return signer.role in (Roles.TRUSTEE, Roles.STEWARD, Roles.TRUST_ANCHOR)
+
+ elif action_id == ActionIds.demote:
+ if dest.role in (Roles.TRUSTEE, Roles.STEWARD):
+ return signer.role == Roles.TRUSTEE
+ elif dest.role == Roles.TRUST_ANCHOR:
+ return (signer.role == Roles.TRUSTEE)
+ # FIXME INDY-1968: uncomment when the task is addressed
+ # return ((signer.role == Roles.TRUSTEE) or
+ # (signer.role == Roles.TRUST_ANCHOR and
+ # is_self and is_owner))
+ elif dest.role == Roles.NETWORK_MONITOR:
+ return signer.role in (Roles.TRUSTEE, Roles.STEWARD)
+ # FIXME INDY-1969: remove when the task is addressed
+ elif dest.role == Roles.IDENTITY_OWNER:
+ return is_owner
+
+ elif action_id == ActionIds.rotate:
+ return is_owner
+
+ return False
+
+
+def create_new_did(looper, sdk_pool_handle, creator, role, skipverkey=False):
+
+ op = {
+ 'type': NYM,
+ 'role': role.value
+ }
+
+ new_did_verkey = None
+
+ if skipverkey:
+ new_did, _ = createHalfKeyIdentifierAndAbbrevVerkey()
+ op.update({'dest': new_did})
+ else:
+ new_did, new_did_verkey = looper.loop.run_until_complete(
+ create_and_store_my_did(creator.wallet_handle, "{}"))
+
+ op.update({'dest': new_did, 'verkey': new_did_verkey})
+
+ req = sdk_sign_and_submit_op(looper, sdk_pool_handle, creator.wallet_did, op)
+ sdk_get_and_check_replies(looper, [req])
+
+ return DIDWallet(did=new_did, role=role, verkey=new_did_verkey,
+ creator=creator, wallet_handle=creator.wallet_handle)
+
+
+@pytest.fixture(scope="module")
+def trustee(sdk_wallet_trustee):
+ return DIDWallet(did=sdk_wallet_trustee[1], role=Roles.TRUSTEE, wallet_handle=sdk_wallet_trustee[0])
+
+
+def did_fixture_wrapper():
+ def _fixture(looper, sdk_pool_handle, txnPoolNodeSet, trustee, request):
+ marker = request.node.get_marker('skip_did_verkey')
+ return create_new_did(looper, sdk_pool_handle, trustee, request.param,
+ skipverkey=(marker is not None))
+ return _fixture
+
+
+# adds did_per_module and did_per_function fixtures
+for scope in ('module', 'function'):
+ setattr(
+ sys.modules[__name__],
+ "did_per_{}".format(scope),
+ pytest.fixture(scope=scope, params=list(Roles))(did_fixture_wrapper()))
+
+
+@pytest.fixture(scope="module")
+def provisioner(did_per_module):
+ return did_per_module
+
+
+@pytest.fixture(scope="module", params=list(Roles) + [None],
+ ids=lambda r: str(r) if r else 'omitted_role')
+def provisioned_role(request):
+ return request.param
+
+
+@pytest.fixture(scope="function")
+def provisioned(provisioned_role):
+ did, verkey = createHalfKeyIdentifierAndAbbrevVerkey()
+ return (
+ DIDWallet(
+ did=did,
+ role=provisioned_role if provisioned_role else Roles.IDENTITY_OWNER,
+ verkey=verkey),
+ provisioned_role is None)
+
+
+# scope is 'function' since demoter demotes
+# themselves at the end of the each demotion test
+@pytest.fixture(scope="function")
+def demoter(did_per_function):
+ return did_per_function
+
+
+@pytest.fixture(scope="function",
+ params=[(x, y) for x in Demotions for y in Roles] + [None],
+ ids=lambda p: "{}-{}".format(p[0], p[1]) if p else 'self')
+def demotion(request):
+ return request.param
+
+
+@pytest.fixture(scope="function")
+def demoted(looper, sdk_pool_handle, txnPoolNodeSet, trustee, demoter, demotion):
+ if demotion is None: # self demotion
+ return demoter
+ else:
+ demotion_type, role = demotion
+ if demotion_type == Demotions.self_created_no_verkey:
+ if auth_check(ActionIds.add, demoter, DIDWallet(role=role)):
+ return create_new_did(looper, sdk_pool_handle, demoter, role, skipverkey=True)
+ elif demotion_type == Demotions.self_created_verkey:
+ if auth_check(ActionIds.add, demoter, DIDWallet(role=role)):
+ return create_new_did(looper, sdk_pool_handle, demoter, role)
+ elif demotion_type == Demotions.other_created_no_verkey:
+ return create_new_did(looper, sdk_pool_handle, trustee, role, skipverkey=True)
+ elif demotion_type == Demotions.other_created_verkey:
+ return create_new_did(looper, sdk_pool_handle, trustee, role)
+
+
+# Note. dedicated trustee is used to test rotations by other
+# (not creator and not self). Other other-rotators (e.g. TRUST_ANCHOR)
+# are ignored as less powerful.
+@pytest.fixture(scope="module")
+def trustee_not_creator(looper, sdk_pool_handle, txnPoolNodeSet, trustee):
+ return create_new_did(looper, sdk_pool_handle, trustee, Roles.TRUSTEE)
+
+
+@pytest.fixture(scope="function", params=list(Rotations))
+def rotation_verkey(request):
+ if request.param in (Rotations.none_none, Rotations.none_val):
+ request.node.add_marker('skip_did_verkey')
+
+ verkey = None
+ if request.param in (Rotations.val_val, Rotations.none_val):
+ _, verkey_ = createHalfKeyIdentifierAndAbbrevVerkey()
+
+ return verkey
+
+
+@pytest.fixture(scope="function", params=list(Rotator))
+def rotator(did_per_function, trustee_not_creator, request):
+ if request.param == Rotator.self:
+ return did_per_function
+ elif request.param == Rotator.creator:
+ return did_per_function.creator
+ elif request.param == Rotator.other:
+ return trustee_not_creator
+
+
+@pytest.fixture(scope="function")
+def rotated(did_per_function):
+ return did_per_function
+
+
+# TEST HELPERS
+
+def sign_submit_check(looper, sdk_pool_handle, signer, dest, action_id, op):
+ req = sdk_sign_and_submit_op(looper, sdk_pool_handle, signer.wallet_did, op)
+
+ if auth_check(action_id, signer, dest):
+ sdk_get_and_check_replies(looper, [req])
+ else:
+ with pytest.raises(RequestRejectedException) as excinfo:
+ sdk_get_and_check_replies(looper, [req])
+ excinfo.match('UnauthorizedClientRequest')
+
+
+def add(looper, sdk_pool_handle, provisioner, provisioned, omit_role=False):
+ op = {
+ 'type': NYM,
+ 'dest': provisioned.did,
+ 'verkey': provisioned.verkey,
+ }
+
+ if not omit_role:
+ op['role'] = provisioned.role.value
+
+ sign_submit_check(looper, sdk_pool_handle, provisioner, provisioned, ActionIds.add, op)
+
+
+def demote(looper, sdk_pool_handle, demoter, demoted):
+ op = {
+ 'type': NYM,
+ 'dest': demoted.did,
+ 'role': None
+ }
+
+ sign_submit_check(looper, sdk_pool_handle, demoter,
+ demoted, ActionIds.demote, op)
+
+
+def rotate(looper, sdk_pool_handle, rotator, rotated, new_verkey):
+ op = {
+ 'type': NYM,
+ 'dest': rotated.did,
+ 'verkey': new_verkey
+ }
+
+ sign_submit_check(looper, sdk_pool_handle, rotator,
+ rotated, ActionIds.rotate, op)
+
+
+# TESTS
+
+def test_nym_add(looper, sdk_pool_handle, txnPoolNodeSet, provisioner, provisioned):
+ provisioned, omit_role = provisioned
+ add(looper, sdk_pool_handle, provisioner, provisioned, omit_role=omit_role)
+
+
+# Demotion is considered as NYM with only 'role' field specified and it's None.
+# If NYM includes 'verkey' field as well it mixes role demotion/promotion and
+# verkey rotation and should be checked separately.
+def test_nym_demote(looper, sdk_pool_handle, txnPoolNodeSet, demoter, demoted):
+ # might be None for cases 'self_created_no_verkey' and 'self_created_verkey' or self demotion
+ if demoted:
+ demote(looper, sdk_pool_handle, demoter, demoted)
+
+
+def test_nym_rotate(looper, sdk_pool_handle, txnPoolNodeSet, rotator, rotated, rotation_verkey):
+ rotate(looper, sdk_pool_handle, rotator, rotated, rotation_verkey)
diff --git a/indy_node/test/nym_txn/test_nym_blacklisting.py b/indy_node/test/nym_txn/test_nym_blacklisting.py
index 3491112a6..6b3923c3c 100644
--- a/indy_node/test/nym_txn/test_nym_blacklisting.py
+++ b/indy_node/test/nym_txn/test_nym_blacklisting.py
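Review bot: In test_nym_auth_rules.py the `rotation_verkey` fixture binds the generated key to `verkey_` but returns `verkey`, which is still `None`, so every `Rotations` case makes `rotate()` submit `'verkey': None` and the `val_val`/`none_val` cases never exercise rotation to a real key; the assignment should read `_, verkey = createHalfKeyIdentifierAndAbbrevVerkey()`. The same fixture adds the `skip_did_verkey` marker, but it is listed after `rotator` and `rotated` in `test_nym_rotate`, so `did_per_function` has probably already been created with a verkey by then; worth confirming, and listing `rotation_verkey` first if so. Separately, `demoted` returns `None` when `auth_check` denies the add and `test_nym_demote` then passes without asserting anything; calling `pytest.skip(...)` there would keep the untested role combinations visible in the report.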
@@ -40,10 +40,10 @@ def test_steward_suspension_by_another_trustee(looper, sdk_get_and_check_replies(looper, [req]) -def test_steward_cannot_create_trust_anchors_after_demote (looper, - sdk_pool_handle, - sdk_wallet_trustee, - sdk_wallet_handle): +def test_steward_cannot_create_trust_anchors_after_demote(looper, + sdk_pool_handle, + sdk_wallet_trustee, + sdk_wallet_handle): new_steward_did, new_steward_verkey = looper.loop.run_until_complete( did.create_and_store_my_did(sdk_wallet_trustee[0], "{}")) new_ta_did, new_ta_verkey = looper.loop.run_until_complete( @@ -79,4 +79,3 @@ def test_steward_cannot_create_trust_anchors_after_demote (looper, 'newSteward', TRUST_ANCHOR_STRING, verkey=new_ta_2_verkey, dest=new_ta_2_did) - diff --git a/indy_node/test/nym_txn/test_send_nym_validation.py b/indy_node/test/nym_txn/test_send_nym_validation.py index 1bcade423..1083555b6 100644 --- a/indy_node/test/nym_txn/test_send_nym_validation.py +++ b/indy_node/test/nym_txn/test_send_nym_validation.py 
@@ -69,77 +69,6 @@ def testSendNymSucceedsForHalfKeyIdentifierAndAbbrevVerkey( sdk_get_and_check_replies(looper, [request_couple]) -def testSendNymSucceedsForTrusteeRole( - looper, sdk_pool_handle, txnPoolNodeSet, nym_request, sdk_wallet_trustee): - halfKeyIdentifier, abbrevVerkey = createHalfKeyIdentifierAndAbbrevVerkey() - parameters = { - 'dest': halfKeyIdentifier, - 'verkey': abbrevVerkey, - 'role': TRUSTEE - } - - nym_request[OPERATION].update(parameters) - request_couple = sdk_sign_and_send_prepared_request(looper, sdk_wallet_trustee, - sdk_pool_handle, json.dumps(nym_request)) - sdk_get_and_check_replies(looper, [request_couple]) - - -def testSendNymSucceedsForStewardRole( - looper, sdk_pool_handle, txnPoolNodeSet, nym_request, sdk_wallet_trustee): - halfKeyIdentifier, abbrevVerkey = createHalfKeyIdentifierAndAbbrevVerkey() - parameters = { - 'dest': halfKeyIdentifier, - 'verkey': abbrevVerkey, - 'role': STEWARD - } - nym_request[OPERATION].update(parameters) - request_couple = sdk_sign_and_send_prepared_request(looper, sdk_wallet_trustee, - sdk_pool_handle, json.dumps(nym_request)) - sdk_get_and_check_replies(looper, [request_couple]) - - -def testSendNymSucceedsForTrustAnchorRole( - looper, sdk_pool_handle, txnPoolNodeSet, nym_request, sdk_wallet_trustee): - halfKeyIdentifier, abbrevVerkey = createHalfKeyIdentifierAndAbbrevVerkey() - parameters = { - 'dest': halfKeyIdentifier, - 'verkey': abbrevVerkey, - 'role': TRUST_ANCHOR - } - nym_request[OPERATION].update(parameters) - request_couple = sdk_sign_and_send_prepared_request(looper, sdk_wallet_trustee, - sdk_pool_handle, json.dumps(nym_request)) - sdk_get_and_check_replies(looper, [request_couple]) - - -def testSendNymSucceedsForOmittedRole( - looper, sdk_pool_handle, txnPoolNodeSet, nym_request, sdk_wallet_trustee): - halfKeyIdentifier, abbrevVerkey = createHalfKeyIdentifierAndAbbrevVerkey() - parameters = { - 'dest': halfKeyIdentifier, - 'verkey': abbrevVerkey - } - del nym_request[OPERATION][ROLE] - 
nym_request[OPERATION].update(parameters) - request_couple = sdk_sign_and_send_prepared_request(looper, sdk_wallet_trustee, - sdk_pool_handle, json.dumps(nym_request)) - sdk_get_and_check_replies(looper, [request_couple]) - - -def testSendNymSucceedsForNoneRole( - looper, sdk_pool_handle, txnPoolNodeSet, nym_request, sdk_wallet_trustee): - halfKeyIdentifier, abbrevVerkey = createHalfKeyIdentifierAndAbbrevVerkey() - parameters = { - 'dest': halfKeyIdentifier, - 'verkey': abbrevVerkey, - 'role': None - } - nym_request[OPERATION].update(parameters) - request_couple = sdk_sign_and_send_prepared_request(looper, sdk_wallet_trustee, - sdk_pool_handle, json.dumps(nym_request)) - sdk_get_and_check_replies(looper, [request_couple]) - - @pytest.mark.skip(reason='INDY-210') def testSendNymFailsForCryptonymIdentifierAnsdk_pool_handlemittedVerkey( looper, sdk_pool_handle, txnPoolNodeSet, nym_request, sdk_wallet_trustee): diff --git a/indy_node/test/pool_config/test_send_pool_config_only_trustee.py b/indy_node/test/pool_config/test_send_pool_config_only_trustee.py index 7c051de1d..b3128f54e 100644 --- a/indy_node/test/pool_config/test_send_pool_config_only_trustee.py +++ b/indy_node/test/pool_config/test_send_pool_config_only_trustee.py @@ -10,7 +10,7 @@ def test_only_trustee_send_pool_config_writes_true_force_false( sdk_wallet_steward = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_trustee, 'tmpname', STEWARD_STRING) req = sdk_pool_config_sent(looper, sdk_pool_handle, sdk_wallet_steward, poolConfigWTFF) - sdk_get_bad_response(looper, [req], RequestRejectedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestRejectedException, '{} can not do this action'.format(STEWARD_STRING)) def test_only_trustee_send_pool_config_writes_false_force_false( 
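Review bot: The expected text `'{} can not do this action'.format(STEWARD_STRING)` is rebuilt inline in each of the four tests of test_send_pool_config_only_trustee.py (this hunk and the three that follow), and again in test_fail_pool_restart.py, test_suspension.py and test_pool_upgrade_reject.py, so the next wording change on the node side means editing every call site again. A single module-level name per file would do, e.g. `STEWARD_DENIED = '{} can not do this action'.format(STEWARD_STRING)`, passed to `sdk_get_bad_response`. The test bodies start outside the hunks, so how `sdk_get_bad_response` compares the text is not visible here.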
@@ -18,7 +18,7 @@ def test_only_trustee_send_pool_config_writes_false_force_false( sdk_wallet_steward = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_trustee, 'tmpname', STEWARD_STRING) req = sdk_pool_config_sent(looper, sdk_pool_handle, sdk_wallet_steward, poolConfigWFFF) - sdk_get_bad_response(looper, [req], RequestRejectedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestRejectedException, '{} can not do this action'.format(STEWARD_STRING)) def test_only_trustee_send_pool_config_writes_true_force_true( @@ -26,7 +26,7 @@ def test_only_trustee_send_pool_config_writes_true_force_true( sdk_wallet_steward = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_trustee, 'tmpname', STEWARD_STRING) req = sdk_pool_config_sent(looper, sdk_pool_handle, sdk_wallet_steward, poolConfigWTFT) - sdk_get_bad_response(looper, [req], RequestNackedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestNackedException, '{} can not do this action'.format(STEWARD_STRING)) def test_only_trustee_send_pool_config_writes_false_force_true( @@ -34,4 +34,4 @@ def test_only_trustee_send_pool_config_writes_false_force_true( sdk_wallet_steward = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_trustee, 'tmpname', STEWARD_STRING) req = sdk_pool_config_sent(looper, sdk_pool_handle, sdk_wallet_steward, poolConfigWFFT) - sdk_get_bad_response(looper, [req], RequestNackedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestNackedException, '{} can not do this action'.format(STEWARD_STRING)) diff --git a/indy_node/test/pool_restart/test_fail_pool_restart.py b/indy_node/test/pool_restart/test_fail_pool_restart.py index d55b7466e..5213165db 100644 --- a/indy_node/test/pool_restart/test_fail_pool_restart.py +++ b/indy_node/test/pool_restart/test_fail_pool_restart.py 
@@ -4,7 +4,7 @@ RequestNackedException from indy_common.constants import POOL_RESTART, ACTION, START, DATETIME -from plenum.common.constants import TXN_TYPE +from plenum.common.constants import TXN_TYPE, STEWARD_STRING from plenum.test.helper import sdk_gen_request, sdk_sign_and_submit_req_obj, \ sdk_get_reply, sdk_get_and_check_replies @@ -22,7 +22,7 @@ def test_fail_pool_restart_with_steward_role( req_obj) with pytest.raises(RequestRejectedException) as excinfo: sdk_get_and_check_replies(looper, [req], 100) - assert excinfo.match("role is not accepted") + assert excinfo.match('{} can not do this action'.format(STEWARD_STRING)) def test_fail_pool_restart_with_invalid_datetime( diff --git a/indy_node/test/suspension/test_nym_suspension.py b/indy_node/test/suspension/test_nym_suspension.py index 0e99a46cf..6854e9e84 100644 --- a/indy_node/test/suspension/test_nym_suspension.py +++ b/indy_node/test/suspension/test_nym_suspension.py @@ -13,7 +13,7 @@ def testTrusteeSuspendingTrustAnchor(looper, sdk_pool_handle, sdk_wallet_trustee sdk_suspend_role(looper, sdk_pool_handle, sdk_wallet_trustee, did) with pytest.raises(RequestRejectedException) as e: sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_trust_anchor) - e.match('There is no accepted constraint') + e.match('Rule for this action is') def testTrusteeSuspendingTrustee(looper, sdk_pool_handle, sdk_wallet_trustee, @@ -22,7 +22,7 @@ def testTrusteeSuspendingTrustee(looper, sdk_pool_handle, sdk_wallet_trustee, sdk_suspend_role(looper, sdk_pool_handle, sdk_wallet_trustee, did) with pytest.raises(RequestRejectedException) as e: sdk_add_new_nym(looper, sdk_pool_handle, another_trustee) - e.match('There is no accepted constraint') + e.match('Rule for this action is') def testTrusteeSuspendingSteward(looper, sdk_pool_handle, sdk_wallet_trustee, 
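Review bot: `e.match('Rule for this action is')` in `testTrusteeSuspendingTrustAnchor` and `testTrusteeSuspendingTrustee` (test_nym_suspension.py) checks only what looks like the common prefix of the authorization failure text, so these suspension tests would still pass if the request were rejected under a different rule than the one a suspended identity should hit. The same prefix is used in the `testTrusteeSuspendingSteward` hunk and in test_validator_info_command.py and test_send_write_permission_no_client.py. The TODO in the new test_nym_auth_rules.py already asks for more specific patterns; until then a marker at each site keeps the gap visible, e.g. `# TODO: match the specific rule text, not just the shared prefix`. Indentation is lost in this view, so confirm that `e.match(...)` sits after the `with pytest.raises(...)` block and not inside it, where it would never run.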
@@ -31,7 +31,7 @@ def testTrusteeSuspendingSteward(looper, sdk_pool_handle, sdk_wallet_trustee, sdk_suspend_role(looper, sdk_pool_handle, sdk_wallet_trustee, did) with pytest.raises(RequestRejectedException) as e: sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward) - e.match('There is no accepted constraint') + e.match('Rule for this action is') def testTrustAnchorSuspendingHimselfByVerkeyFlush(looper, sdk_pool_handle, diff --git a/indy_node/test/suspension/test_suspension.py b/indy_node/test/suspension/test_suspension.py index 1897e5f90..d8f4baf45 100644 --- a/indy_node/test/suspension/test_suspension.py +++ b/indy_node/test/suspension/test_suspension.py @@ -86,7 +86,7 @@ def testTrusteeSuspensionByTrustee(looper, sdk_pool_handle, sdk_wallet_trustee, _, did = sdk_wallet_trustee with pytest.raises(RequestRejectedException) as e: sdk_suspend_role(looper, sdk_pool_handle, another_steward1, did) - e.match('role is not accepted') + e.match('{} can not do this action'.format(STEWARD_STRING)) # Keep the test below at the end of the suite since it will make one of the diff --git a/indy_node/test/upgrade/test_pool_upgrade_reject.py b/indy_node/test/upgrade/test_pool_upgrade_reject.py index 31b570226..8742e5a80 100644 --- a/indy_node/test/upgrade/test_pool_upgrade_reject.py +++ b/indy_node/test/upgrade/test_pool_upgrade_reject.py @@ -1,6 +1,6 @@ from copy import deepcopy -from plenum.common.constants import NAME, VERSION +from plenum.common.constants import NAME, VERSION, STEWARD_STRING from plenum.common.exceptions import RequestNackedException, RequestRejectedException from indy_common.constants import CANCEL, \ ACTION 
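Review bot: The new assertion in `testTrusteeSuspensionByTrustee` (test_suspension.py) uses `STEWARD_STRING`, but this file's diff consists of that one hunk and adds no import, whereas test_fail_pool_restart.py and test_pool_upgrade_reject.py both extend `from plenum.common.constants import ...` in the same commit. If the name is not already imported at the top of test_suspension.py, the line raises `NameError` instead of checking the rejection message; add `from plenum.common.constants import STEWARD_STRING` if it is missing. The top of the file is outside the hunk, so this needs checking against the full file.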
@@ -22,7 +22,7 @@ def testOnlyTrusteeCanSendPoolUpgrade(looper, sdk_pool_handle, sdk_wallet_stewar validUpgrade[NAME] = 'upgrade-20' validUpgrade[VERSION] = bumpedVersion(validUpgrade['version']) req = sdk_send_upgrade(looper, sdk_pool_handle, sdk_wallet_steward, validUpgrade) - sdk_get_bad_response(looper, [req], RequestRejectedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestRejectedException, '{} can not do this action'.format(STEWARD_STRING)) def testNonTrustyCannotCancelUpgrade(looper, validUpgradeSent, sdk_pool_handle, @@ -30,7 +30,7 @@ def testNonTrustyCannotCancelUpgrade(looper, validUpgradeSent, sdk_pool_handle, validUpgradeCopy = deepcopy(validUpgrade) validUpgradeCopy[ACTION] = CANCEL req = sdk_send_upgrade(looper, sdk_pool_handle, sdk_wallet_steward, validUpgradeCopy) - sdk_get_bad_response(looper, [req], RequestRejectedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestRejectedException, '{} can not do this action'.format(STEWARD_STRING)) def test_accept_then_reject_upgrade( @@ -48,4 +48,4 @@ def test_accept_then_reject_upgrade( def testOnlyTrusteeCanSendPoolUpgradeForceTrue( looper, sdk_pool_handle, sdk_wallet_steward, validUpgradeExpForceTrue): req = sdk_send_upgrade(looper, sdk_pool_handle, sdk_wallet_steward, validUpgradeExpForceTrue) - sdk_get_bad_response(looper, [req], RequestNackedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestNackedException, '{} can not do this action'.format(STEWARD_STRING)) diff --git a/indy_node/test/validator_info/test_validator_info_command.py b/indy_node/test/validator_info/test_validator_info_command.py index b8cc1b12f..97785d41e 100644 --- a/indy_node/test/validator_info/test_validator_info_command.py +++ b/indy_node/test/validator_info/test_validator_info_command.py 
@@ -25,7 +25,7 @@ def test_fail_validator_info_command( sdk_get_validator_info(looper, sdk_wallet_client, sdk_pool_handle) - assert excinfo.match("There is no accepted constraint") + assert excinfo.match("Rule for this action is") def _comparison_reply(responses, req_obj): diff --git a/indy_node/test/write_permission/test_send_write_permission_no_client.py b/indy_node/test/write_permission/test_send_write_permission_no_client.py index e3bcaa743..cdda5e3c0 100644 --- a/indy_node/test/write_permission/test_send_write_permission_no_client.py +++ b/indy_node/test/write_permission/test_send_write_permission_no_client.py @@ -41,7 +41,7 @@ def test_client_cant_send_nym(looper, # client cant create another client NYM when ANYONE_CAN_WRITE set to False with pytest.raises(RequestRejectedException) as e: sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_client) - e.match('There is no accepted constraint') + e.match('Rule for this action is') def test_client_can_send_attrib(looper, @@ -80,7 +80,7 @@ def test_client_cant_send_schema(looper, issuer_create_schema(identifier, "another_name", "2.0", json.dumps(["first", "last"]))) request = looper.loop.run_until_complete(build_schema_request(identifier, schema_json)) sdk_get_bad_response(looper, [sdk_sign_and_submit_req(sdk_pool_handle, sdk_wallet_client, request)], - RequestRejectedException, 'There is no accepted constraint') + RequestRejectedException, 'Rule for this action is') def test_client_cant_send_claim_def(looper, @@ -96,4 +96,4 @@ def test_client_cant_send_claim_def(looper, # Client cant send create if ANYONE_CAN_WRITE flag set to True req = sdk_sign_request_from_dict(looper, sdk_wallet_client, claim_def) req = sdk_send_signed_requests(sdk_pool_handle, [json.dumps(req)]) - sdk_get_bad_response(looper, req, RequestRejectedException, 'There is no accepted constraint') + sdk_get_bad_response(looper, req, RequestRejectedException, 'Rule for this action is') 
diff --git a/setup.py b/setup.py index 88b35881d..a433d80f6 100644 --- a/setup.py +++ b/setup.py @@ -56,7 +56,7 @@ data_files=[( (BASE_DIR, ['data/nssm_original.exe']) )], - install_requires=['indy-plenum-dev==1.6.665', + install_requires=['indy-plenum-dev==1.6.669', 'python-dateutil', 'timeout-decorator==0.4.0', 'distro==1.3.0'],