From 3ca801874e86c8495776af16b61e176d3bd4349c Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Tue, 22 Jan 2019 14:58:00 +0300 Subject: [PATCH 01/34] updates docs Signed-off-by: Andrey Kononykhin --- docs/auth_rules.md | 2 +- docs/transactions.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/auth_rules.md b/docs/auth_rules.md index 8ad85fed3..5d640cf21 100644 --- a/docs/auth_rules.md +++ b/docs/auth_rules.md @@ -15,7 +15,7 @@ | SCHEMA |`*`|`*`|`*`| No one can edit existing Schema | Editing Schema| | CLAIM_DEF |`*`|`*`|`*`| TRUSTEE, STEWARD, TRUST_ANCHOR| Adding new CLAIM_DEF transaction| | CLAIM_DEF |`*`|`*`|`*`| Owner of claim_def txn| Editing CLAIM_DEF transaction| -| NODE |`services`|``|`[VALIDATOR]`| STEWARD if it is owner of this transaction| Adding new node to pool| +| NODE |`services`|``|`[VALIDATOR]`| STEWARD if it doesn't own NODE transaction yet| Adding new node to pool| | NODE |`services`|`[VALIDATOR]`|`[]`| TRUSTEE, STEWARD if it is owner of this transaction| Demotion of node| | NODE |`services`|`[]`|`[VALIDATOR]`| TRUSTEE, STEWARD if it is owner of this transaction| Promotion of node| | NODE |`node_ip`|`*`|`*`| STEWARD if it is owner of this transaction| Changing Node's ip address| diff --git a/docs/transactions.md b/docs/transactions.md index 4ccce2422..de48af699 100644 --- a/docs/transactions.md +++ b/docs/transactions.md @@ -206,7 +206,7 @@ creation of new DIDs, setting and rotation of verification key, setting and chan NYM's alias. -If there is no NYM transaction for the specified DID (`did`) yes, then this can be considered as the creation of a new DID. +If there is no NYM transaction for the specified DID (`did`) yet, then this can be considered as the creation of a new DID. If there is already a NYM transaction with the specified DID (`did`), then this is is considered an update of that DID. In this case we can specify only the values we would like to update. All unspecified values remain unchanged. 
From a989672e226140840df340a9ac925e3380417d43 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Sun, 27 Jan 2019 19:02:21 +0300 Subject: [PATCH 02/34] adds separate auth tests for NYM Signed-off-by: Andrey Kononykhin --- indy_common/constants.py | 6 + indy_common/roles.py | 1 + .../nym_txn/test_demote_network_monitor.py | 2 +- indy_node/test/nym_txn/test_nym.py | 21 +- indy_node/test/nym_txn/test_nym_auth_rules.py | 228 ++++++++++++++++++ .../test/nym_txn/test_nym_blacklisting.py | 9 +- .../test/nym_txn/test_send_nym_validation.py | 71 ------ 7 files changed, 241 insertions(+), 97 deletions(-) create mode 100644 indy_node/test/nym_txn/test_nym_auth_rules.py diff --git a/indy_common/constants.py b/indy_common/constants.py index 559ebda75..881e944e8 100644 --- a/indy_common/constants.py +++ b/indy_common/constants.py @@ -123,6 +123,12 @@ ENDPOINT = "endpoint" # Roles + +# FIXME can be automated by oteration through Roles +# but it would be less self-descriptive +CLIENT = Roles.CLIENT.value +CLIENT_STRING = None + TRUST_ANCHOR = Roles.TRUST_ANCHOR.value TRUST_ANCHOR_STRING = 'TRUST_ANCHOR' diff --git a/indy_common/roles.py b/indy_common/roles.py index 52f3ab44d..5f133c60d 100644 --- a/indy_common/roles.py +++ b/indy_common/roles.py @@ -8,6 +8,7 @@ class Roles(Enum): # These numeric constants CANNOT be changed once they have been used, # because that would break backwards compatibility with the ledger # Also the numeric constants CANNOT collide with the roles in plenum + CLIENT = None # FIXME might makes sense to move to plenum TRUSTEE = Roles.TRUSTEE.value STEWARD = Roles.STEWARD.value TRUST_ANCHOR = "101" diff --git a/indy_node/test/nym_txn/test_demote_network_monitor.py b/indy_node/test/nym_txn/test_demote_network_monitor.py index 19e2c6018..71c635e19 100644 --- a/indy_node/test/nym_txn/test_demote_network_monitor.py +++ b/indy_node/test/nym_txn/test_demote_network_monitor.py 
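Review bot: In `indy_common/roles.py`, `CLIENT = None` turns "no role" into an enum member, so everything that iterates `Roles` now includes it (the new tests in this commit already do, via `params=list(Roles)`), and any role validation built on enum membership would start treating None as a named role. The comment block directly above says these values cannot change once they are on the ledger, so the line should document that rather than carry only a FIXME, for example `# None is how a NYM without a role is stored on the ledger; do not replace it with a string code`. In `constants.py`, `CLIENT_STRING = None` departs from the neighbouring `*_STRING` constants, which are non-empty names, so callers that format or compare role names need a None check; the FIXME above it also has a typo (`oteration`).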
@@ -75,4 +75,4 @@ def test_network_monitor_suspension_by_itself(looper, op['verkey'] = new_network_monitor_verkey req = sdk_sign_and_submit_op(looper, sdk_pool_handle, (sdk_wallet_handle, new_network_monitor_did), op) with pytest.raises(RequestRejectedException): - sdk_get_and_check_replies(looper, [req]) \ No newline at end of file + sdk_get_and_check_replies(looper, [req]) diff --git a/indy_node/test/nym_txn/test_nym.py b/indy_node/test/nym_txn/test_nym.py index 163a5c709..9f69e36c6 100644 --- a/indy_node/test/nym_txn/test_nym.py +++ b/indy_node/test/nym_txn/test_nym.py @@ -6,29 +6,10 @@ from plenum.test.pool_transactions.helper import sdk_add_new_nym -def test_non_steward_cannot_create_trust_anchor( - nodeSet, looper, sdk_pool_handle, sdk_wallet_steward): - sdk_wallet_client = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward) - with pytest.raises(RequestRejectedException) as e: - sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_client, role=TRUST_ANCHOR_STRING) - e.match('There is no accepted constraint') - - def testStewardCreatesATrustAnchor(looper, sdk_pool_handle, sdk_wallet_steward): sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward, role=TRUST_ANCHOR_STRING) +# FIXME why is it necessary to check def testStewardCreatesAnotherTrustAnchor(looper, sdk_pool_handle, sdk_wallet_steward): sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward, role=TRUST_ANCHOR_STRING) - - -def test_non_trust_anchor_cannot_create_user( - nodeSet, looper, sdk_pool_handle, sdk_wallet_steward): - sdk_wallet_client = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward) - with pytest.raises(RequestRejectedException) as e: - sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_client) - e.match('There is no accepted constraint') - - -def testTrustAnchorCreatesAUser(sdk_user_wallet_a): - pass diff --git a/indy_node/test/nym_txn/test_nym_auth_rules.py b/indy_node/test/nym_txn/test_nym_auth_rules.py new file mode 100644 index 000000000..22a28e511 
--- /dev/null
+++ b/indy_node/test/nym_txn/test_nym_auth_rules.py
@@ -0,0 +1,228 @@
+import pytest
+
+from enum import Enum, unique
+
+from indy.did import create_and_store_my_did
+
+from plenum.common.constants import TRUSTEE, STEWARD, NYM
+from plenum.common.exceptions import RequestRejectedException
+from plenum.test.helper import sdk_sign_and_submit_op, sdk_get_and_check_replies
+from plenum.test.pool_transactions.helper import sdk_add_new_nym
+
+from indy_common.constants import CLIENT, TRUST_ANCHOR, NETWORK_MONITOR
+from indy_common.roles import Roles
+from indy_node.test.helper import createHalfKeyIdentifierAndAbbrevVerkey
+
+
+# FIXME terms
+# - add/create/provision
+# - remove/demote/revoke/blacklist/suspend/flush
+# - owner/holder
+# - signer/initiator ???
+#
+#
+# TODO
+# - more specific string patterns for auth exc check
+# - DRY: send requests and check replies
+#
+#
+# - ptomoter after demotion
+
+
+# FIXTURES
+
+
+@unique
+class ActionIds(Enum):
+ add = 0
+ demote = 1
+
+
+@unique
+class Demotions(Enum):
+ # other DID-without-verkey created by the demoter
+ self_created_no_verkey = 1
+ # other DID-with-verkey created by the demoter
+ self_created_verkey = 2
+ # other DID-without-verkey created by other
+ other_created_no_verkey = 3
+ # other DID-with-verkey created by other
+ other_created_verkey = 4
+
+
+# FIXME class name
+class DIDWallet(object):
+ def __init__(self, did=None, role=Roles.CLIENT, verkey=None, creator=None, wallet_handle=None):
+ self.did = did
+ self.role = role
+ self.verkey = verkey
+ self.creator = creator
+ self.wallet_handle = wallet_handle
+
+ @property
+ def wallet_did(self):
+ return (self.wallet_handle, self.did)
+
+
+def auth_check(action_id, signer, dest):
+
+ is_self = signer.did == dest.did
+ # is_creator = signer.did == dest.creator.did
+ dest_with_verkey = dest.verkey is not None
+
+ if action_id == ActionIds.add:
+ if signer.role == Roles.TRUSTEE:
+ return True
+ elif (signer.role == Roles.STEWARD and
+ dest.role in (Roles.CLIENT, Roles.TRUST_ANCHOR, Roles.NETWORK_MONITOR)):
+ return True
+ elif signer.role == Roles.TRUST_ANCHOR and dest.role == Roles.CLIENT:
+ return True
+
+ elif action_id == ActionIds.demote:
+ if signer.role == Roles.TRUSTEE:
+ return True
+ elif (signer.role == Roles.TRUST_ANCHOR and dest.role == Roles.TRUST_ANCHOR and
+ is_self and dest_with_verkey):
+ return True
+
+ return False
+
+
+@pytest.fixture(scope="module")
+def client(sdk_wallet_client):
+ return DIDWallet(did=sdk_wallet_client[1], role=Roles.CLIENT, wallet_handle=sdk_wallet_client[0])
+
+
+@pytest.fixture(scope="module")
+def trustee(sdk_wallet_trustee):
+ return DIDWallet(did=sdk_wallet_trustee[1], role=Roles.TRUSTEE, wallet_handle=sdk_wallet_trustee[0])
+
+
+@pytest.fixture(scope="module")
+def steward(sdk_wallet_steward):
+ return DIDWallet(did=sdk_wallet_steward[1], role=Roles.STEWARD, wallet_handle=sdk_wallet_steward[0])
+
+
+def idfn_enum(item):
+ return item.name
+
+
+def _create_new_nym(looper, sdk_pool_handle, creator, role, *args, **kwargs):
+ new_did, new_did_verkey = looper.loop.run_until_complete(
+ create_and_store_my_did(creator.wallet_handle, "{}"))
+
+ op = {'type': NYM,
+ 'dest': new_did,
+ 'role': role.value,
+ 'verkey': new_did_verkey}
+ req = sdk_sign_and_submit_op(looper, sdk_pool_handle, (creator.wallet_handle, creator.did), op)
+ sdk_get_and_check_replies(looper, [req])
+
+ return DIDWallet(did=new_did, role=role, verkey=new_did_verkey, creator=creator, wallet_handle=creator.wallet_handle)
+
+
+@pytest.fixture(scope="module",
+ params=[Roles.CLIENT, Roles.TRUSTEE, Roles.STEWARD],
+ ids=idfn_enum)
+def provisioner(request, client, trustee, steward):
+ # TODO
+ # - wallets for TRUST_ANCHOR and NETWORK_MONITOR
+ return {
+ Roles.CLIENT: client,
+ Roles.TRUSTEE: trustee,
+ Roles.STEWARD: steward,
+ }[request.param]
+
+
+# scope is 'function' since demoter demotes
+# themselves at the end of the each demotion test
+@pytest.fixture(scope="function",
+ params=list(Roles),
+ ids=idfn_enum)
+def demoter(looper, sdk_pool_handle, txnPoolNodeSet, trustee, request):
+ return _create_new_nym(looper, sdk_pool_handle, trustee, request.param)
+
+
+@pytest.fixture(scope="module", params=list(Roles), ids=idfn_enum)
+def role(request):
+ return request.param
+
+
+@pytest.fixture(scope="function")
+def nym_op():
+ halfKeyIdentifier, abbrevVerkey = createHalfKeyIdentifierAndAbbrevVerkey()
+ return {
+ 'type': NYM,
+ 'dest': halfKeyIdentifier,
+ 'verkey': abbrevVerkey,
+ }
+
+
+@pytest.fixture(scope="function",
+ params=list(Demotions),
+ ids=idfn_enum)
+# TODO parametrize by verkey in op
+def demoted(looper, sdk_pool_handle, txnPoolNodeSet, trustee, demoter, role, request):
+ if request.param == Demotions.self_created_no_verkey:
+ if auth_check(ActionIds.add, demoter, DIDWallet(role=role)):
+ return _create_new_nym(looper, sdk_pool_handle, demoter, role, skipverkey=True)
+ elif request.param == Demotions.self_created_verkey:
+ if auth_check(ActionIds.add, demoter, DIDWallet(role=role)):
+ return _create_new_nym(looper, sdk_pool_handle, demoter, role)
+ elif request.param == Demotions.other_created_no_verkey:
+ return _create_new_nym(looper, sdk_pool_handle, trustee, role, skipverkey=True)
+ elif request.param == Demotions.other_created_verkey:
+ return _create_new_nym(looper, sdk_pool_handle, trustee, role)
+
+
+# TEST HELPERS
+
+def sign_submit_check(looper, sdk_pool_handle, signer, dest, action_id, op):
+ req = sdk_sign_and_submit_op(looper, sdk_pool_handle, signer.wallet_did, op)
+
+ if auth_check(action_id, signer, dest):
+ sdk_get_and_check_replies(looper, [req])
+ else:
+ with pytest.raises(RequestRejectedException) as excinfo:
+ sdk_get_and_check_replies(looper, [req])
+ excinfo.match('UnauthorizedClientRequest')
+
+
+def demote(looper, sdk_pool_handle, txnPoolNodeSet,
+ demoter, demoted):
+
+ op = {
+ 'type': NYM,
+ 'dest': demoted.did,
+ 'role': None
+ }
+
+ sign_submit_check(looper, sdk_pool_handle, demoter,
+ demoted, ActionIds.demote, op)
+
+# TESTS
+
+
+def test_add_nym(looper,
sdk_pool_handle, txnPoolNodeSet, nym_op, provisioner, role): + nym_op['role'] = role.value + sign_submit_check(looper, sdk_pool_handle, provisioner, DIDWallet(role=role), ActionIds.add, nym_op) + + +def test_add_nym_omitted_role(looper, sdk_pool_handle, txnPoolNodeSet, nym_op, provisioner): + sign_submit_check(looper, sdk_pool_handle, provisioner, DIDWallet(role=role), ActionIds.add, nym_op) + + +# TODO parametrize by verkey in op +def test_demote_self_nym( + looper, sdk_pool_handle, txnPoolNodeSet, + demoter): + demote(looper, sdk_pool_handle, txnPoolNodeSet, demoter, demoter) + + +# TODO parametrize by verkey in op +def test_demote_nym( + looper, sdk_pool_handle, txnPoolNodeSet, + demoter, demoted): + if demoted: + demote(looper, sdk_pool_handle, txnPoolNodeSet, demoter, demoted) diff --git a/indy_node/test/nym_txn/test_nym_blacklisting.py b/indy_node/test/nym_txn/test_nym_blacklisting.py index 3491112a6..6b3923c3c 100644 --- a/indy_node/test/nym_txn/test_nym_blacklisting.py +++ b/indy_node/test/nym_txn/test_nym_blacklisting.py @@ -40,10 +40,10 @@ def test_steward_suspension_by_another_trustee(looper, sdk_get_and_check_replies(looper, [req]) -def test_steward_cannot_create_trust_anchors_after_demote (looper, - sdk_pool_handle, - sdk_wallet_trustee, - sdk_wallet_handle): +def test_steward_cannot_create_trust_anchors_after_demote(looper, + sdk_pool_handle, + sdk_wallet_trustee, + sdk_wallet_handle): new_steward_did, new_steward_verkey = looper.loop.run_until_complete( did.create_and_store_my_did(sdk_wallet_trustee[0], "{}")) new_ta_did, new_ta_verkey = looper.loop.run_until_complete( @@ -79,4 +79,3 @@ def test_steward_cannot_create_trust_anchors_after_demote (looper, 'newSteward', TRUST_ANCHOR_STRING, verkey=new_ta_2_verkey, dest=new_ta_2_did) - diff --git a/indy_node/test/nym_txn/test_send_nym_validation.py b/indy_node/test/nym_txn/test_send_nym_validation.py index 1bcade423..1083555b6 100644 --- a/indy_node/test/nym_txn/test_send_nym_validation.py 
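Review bot: `test_add_nym_omitted_role` builds its expected target with `DIDWallet(role=role)`, but `role` is not one of its parameters, so the name resolves to the module-level `role` fixture function and `auth_check` compares a function object against `Roles` members. The oracle then expects a rejection for every signer except TRUSTEE, including a STEWARD adding a role-less NYM, which the `add` branch otherwise allows; the call should be `sign_submit_check(looper, sdk_pool_handle, provisioner, DIDWallet(role=Roles.CLIENT), ActionIds.add, nym_op)`. Separately, `_create_new_nym` accepts `*args, **kwargs` and never reads them, so the `skipverkey=True` calls in the `demoted` fixture still create DIDs with a verkey and the two `*_no_verkey` cases repeat the verkey cases. In `test_demote_nym`, `if demoted:` lets the combinations where the fixture returned None pass without running anything; `pytest.skip("demoter may not create this role")` would keep those gaps visible in the report of an authorization test suite.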
+++ b/indy_node/test/nym_txn/test_send_nym_validation.py 
@@ -69,77 +69,6 @@ def testSendNymSucceedsForHalfKeyIdentifierAndAbbrevVerkey( sdk_get_and_check_replies(looper, [request_couple]) -def testSendNymSucceedsForTrusteeRole( - looper, sdk_pool_handle, txnPoolNodeSet, nym_request, sdk_wallet_trustee): - halfKeyIdentifier, abbrevVerkey = createHalfKeyIdentifierAndAbbrevVerkey() - parameters = { - 'dest': halfKeyIdentifier, - 'verkey': abbrevVerkey, - 'role': TRUSTEE - } - - nym_request[OPERATION].update(parameters) - request_couple = sdk_sign_and_send_prepared_request(looper, sdk_wallet_trustee, - sdk_pool_handle, json.dumps(nym_request)) - sdk_get_and_check_replies(looper, [request_couple]) - - -def testSendNymSucceedsForStewardRole( - looper, sdk_pool_handle, txnPoolNodeSet, nym_request, sdk_wallet_trustee): - halfKeyIdentifier, abbrevVerkey = createHalfKeyIdentifierAndAbbrevVerkey() - parameters = { - 'dest': halfKeyIdentifier, - 'verkey': abbrevVerkey, - 'role': STEWARD - } - nym_request[OPERATION].update(parameters) - request_couple = sdk_sign_and_send_prepared_request(looper, sdk_wallet_trustee, - sdk_pool_handle, json.dumps(nym_request)) - sdk_get_and_check_replies(looper, [request_couple]) - - -def testSendNymSucceedsForTrustAnchorRole( - looper, sdk_pool_handle, txnPoolNodeSet, nym_request, sdk_wallet_trustee): - halfKeyIdentifier, abbrevVerkey = createHalfKeyIdentifierAndAbbrevVerkey() - parameters = { - 'dest': halfKeyIdentifier, - 'verkey': abbrevVerkey, - 'role': TRUST_ANCHOR - } - nym_request[OPERATION].update(parameters) - request_couple = sdk_sign_and_send_prepared_request(looper, sdk_wallet_trustee, - sdk_pool_handle, json.dumps(nym_request)) - sdk_get_and_check_replies(looper, [request_couple]) - - -def testSendNymSucceedsForOmittedRole( - looper, sdk_pool_handle, txnPoolNodeSet, nym_request, sdk_wallet_trustee): - halfKeyIdentifier, abbrevVerkey = createHalfKeyIdentifierAndAbbrevVerkey() - parameters = { - 'dest': halfKeyIdentifier, - 'verkey': abbrevVerkey - } - del nym_request[OPERATION][ROLE] - 
nym_request[OPERATION].update(parameters) - request_couple = sdk_sign_and_send_prepared_request(looper, sdk_wallet_trustee, - sdk_pool_handle, json.dumps(nym_request)) - sdk_get_and_check_replies(looper, [request_couple]) - - -def testSendNymSucceedsForNoneRole( - looper, sdk_pool_handle, txnPoolNodeSet, nym_request, sdk_wallet_trustee): - halfKeyIdentifier, abbrevVerkey = createHalfKeyIdentifierAndAbbrevVerkey() - parameters = { - 'dest': halfKeyIdentifier, - 'verkey': abbrevVerkey, - 'role': None - } - nym_request[OPERATION].update(parameters) - request_couple = sdk_sign_and_send_prepared_request(looper, sdk_wallet_trustee, - sdk_pool_handle, json.dumps(nym_request)) - sdk_get_and_check_replies(looper, [request_couple]) - - @pytest.mark.skip(reason='INDY-210') def testSendNymFailsForCryptonymIdentifierAnsdk_pool_handlemittedVerkey( looper, sdk_pool_handle, txnPoolNodeSet, nym_request, sdk_wallet_trustee): From 30a82fd455961e63b47f9d647597d2a885944a0b Mon Sep 17 00:00:00 2001 From: Andrew Nikitin Date: Tue, 29 Jan 2019 19:06:41 +0300 Subject: [PATCH 03/34] [INDY-1963] make error messages more cleanly Signed-off-by: Andrew Nikitin --- indy_common/authorize/auth_constraints.py | 16 +++++++++ indy_common/authorize/authorizer.py | 14 +++++--- indy_common/authorize/helper.py | 8 +++++ indy_common/test/auth/test_auth_constraint.py | 33 +++++++++++++++++++ .../auth/test_auth_nym_with_new_auth_map.py | 10 ++++++ indy_common/test/auth/test_helper.py | 10 ++++++ indy_common/test/auth/test_role_authorizer.py | 2 +- indy_node/test/nym_txn/test_nym.py | 4 +-- 8 files changed, 90 insertions(+), 7 deletions(-) create mode 100644 indy_common/authorize/helper.py create mode 100644 indy_common/test/auth/test_auth_constraint.py create mode 100644 indy_common/test/auth/test_helper.py diff --git a/indy_common/authorize/auth_constraints.py b/indy_common/authorize/auth_constraints.py index 7cbbc26f1..5df2eed8e 100644 --- a/indy_common/authorize/auth_constraints.py 
+++ b/indy_common/authorize/auth_constraints.py @@ -1,6 +1,7 @@ from abc import ABCMeta, abstractmethod from typing import List +from indy_common.authorize.helper import get_named_role ROLE_CONSTRAINT_ID = 'ROLE' AND_CONSTRAINT_ID = 'AND' @@ -11,6 +12,9 @@ class AbstractAuthConstraint(metaclass=ABCMeta): def __init__(self): self.constraint_id = '' + def __str__(self): + return str(self) + class AuthConstraint(AbstractAuthConstraint): def __init__(self, role, sig_count, need_to_be_owner=False, metadata={}): @@ -20,18 +24,30 @@ def __init__(self, role, sig_count, need_to_be_owner=False, metadata={}): self.metadata = metadata self.constraint_id = ROLE_CONSTRAINT_ID + def __str__(self): + role = get_named_role(self.role) if self.role != '*' else 'ALL' + return "Required role: {}, Count of signatures: {}, Need to be owner: {}".format(role, + self.sig_count, + self.need_to_be_owner) + class AuthConstraintAnd(AbstractAuthConstraint): def __init__(self, auth_constraints): self.auth_constraints = auth_constraints self.constraint_id = AND_CONSTRAINT_ID + def __str__(self): + return " AND ".join([str(ac) for ac in self.auth_constraints]) + class AuthConstraintOr(AbstractAuthConstraint): def __init__(self, auth_constraints): self.auth_constraints = auth_constraints self.constraint_id = OR_CONSTRAINT_ID + def __str__(self): + return " OR ".join([str(ac) for ac in self.auth_constraints]) + class AbstractAuthConstraintParser(metaclass=ABCMeta): @staticmethod diff --git a/indy_common/authorize/authorizer.py b/indy_common/authorize/authorizer.py index e4b7473b9..915998cb7 100644 --- a/indy_common/authorize/authorizer.py +++ b/indy_common/authorize/authorizer.py 
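Review bot: `AbstractAuthConstraint.__str__` returns `str(self)`, which calls the same `__str__` again and ends in `RecursionError` for any subclass that does not override it. The three concrete classes in this file do override it, but the authorizer change in this same commit formats whatever constraint it is given (`"Rule for this action is: {}".format(auth_constraint)`), so a constraint type added later without its own `__str__` would turn an authorization rejection into a crash on the validation path. Declaring it abstract makes the requirement explicit: put `@abstractmethod` above `def __str__(self):` and use `raise NotImplementedError()` as the body; `abstractmethod` is already imported at the top of the file.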
@@ -3,6 +3,7 @@ from indy_common.authorize.auth_actions import AbstractAuthAction from indy_common.authorize.auth_constraints import AbstractAuthConstraint, AuthConstraint, ROLE_CONSTRAINT_ID, \ AuthConstraintAnd +from indy_common.authorize.helper import get_named_role from indy_common.types import Request from indy_node.persistence.idr_cache import IdrCache @@ -65,6 +66,10 @@ def is_sig_count_accepted(self, request: Request, auth_constraint: AuthConstrain return sig_count >= auth_constraint.sig_count + def get_named_role_from_req(self, request: Request): + return get_named_role(self.get_role(request)) + + def authorize(self, request: Request, auth_constraint: AuthConstraint, @@ -73,11 +78,12 @@ def authorize(self, if is_role_accepted is None: return False, "sender's DID {} is not found in the Ledger".format(request.identifier) if not is_role_accepted: - return False, "role is not accepted" + return False, "{} can not do this action".format(self.get_named_role_from_req(request)) if not self.is_sig_count_accepted(request, auth_constraint): - return False, "count of signatures is not accepted" + return False, "Count of signatures is not accepted" if not self.is_owner_accepted(auth_constraint, auth_action): - return False, "actor must be owner" + return False, "{} can not touch verkey field since only the owner can modify it".\ + format(self.get_named_role_from_req(request)) return True, "" @@ -135,5 +141,5 @@ def authorize(self, else: successes.append(True) if len(successes) == 0: - raise AuthValidationError("There is no accepted constraint") + raise AuthValidationError("Rule for this action is: {}".format(auth_constraint)) return True, "" diff --git a/indy_common/authorize/helper.py b/indy_common/authorize/helper.py new file mode 100644 index 000000000..38771492d --- /dev/null +++ b/indy_common/authorize/helper.py 
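Review bot: The owner-check failure text in `authorize` is hard-coded to one field, `"{} can not touch verkey field since only the owner can modify it"`, while `is_owner_accepted(auth_constraint, auth_action)` is evaluated for whatever action is being authorized. If any non-verkey action with `need_to_be_owner` reaches this branch, the rejection reason names the wrong field, which misleads both the client and anyone reading audit logs of denied requests. A neutral message avoids that: `return False, "{} can not do this action since only the owner can modify it".format(self.get_named_role_from_req(request))`. The `authorize` method begins above this hunk, so the check order is only partly visible here.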
@@ -0,0 +1,8 @@
+from indy_common.roles import Roles
+
+
+def get_named_role(role_code):
+ try:
+ return Roles.nameFromValue(role_code)
+ except ValueError:
+ return "Unknown role"
diff --git a/indy_common/test/auth/test_auth_constraint.py b/indy_common/test/auth/test_auth_constraint.py
new file mode 100644
index 000000000..f0c3d3d79
--- /dev/null
+++ b/indy_common/test/auth/test_auth_constraint.py
@@ -0,0 +1,33 @@
+from indy_common.authorize.auth_constraints import AuthConstraint, AuthConstraintOr, AuthConstraintAnd
+from plenum.common.constants import TRUSTEE, STEWARD
+
+
+def test_str_for_auth_constraint():
+ constraint = AuthConstraint(role=TRUSTEE,
+ sig_count=1,
+ need_to_be_owner=True)
+ assert str(constraint) == 'Required role: TRUSTEE, Count of signatures: 1, Need to be owner: True'
+
+
+def test_str_for_auth_constraint_or():
+ constraint = AuthConstraintOr([AuthConstraint(role=TRUSTEE,
+ sig_count=1,
+ need_to_be_owner=True),
+ AuthConstraint(role=STEWARD,
+ sig_count=1,
+ need_to_be_owner=True)])
+ assert str(constraint) == 'Required role: TRUSTEE, Count of signatures: 1, Need to be owner: True ' \
+ 'OR ' \
+ 'Required role: STEWARD, Count of signatures: 1, Need to be owner: True'
+
+
+def test_str_for_auth_constraint_and():
+ constraint = AuthConstraintAnd([AuthConstraint(role=TRUSTEE,
+ sig_count=1,
+ need_to_be_owner=True),
+ AuthConstraint(role=STEWARD,
+ sig_count=1,
+ need_to_be_owner=True)])
+ assert str(constraint) == 'Required role: TRUSTEE, Count of signatures: 1, Need to be owner: True ' \
+ 'AND ' \
+ 'Required role: STEWARD, Count of signatures: 1, Need to be owner: True'
diff --git a/indy_common/test/auth/test_auth_nym_with_new_auth_map.py b/indy_common/test/auth/test_auth_nym_with_new_auth_map.py
index f77383df6..ca2a34d1e 100644
--- a/indy_common/test/auth/test_auth_nym_with_new_auth_map.py
+++ b/indy_common/test/auth/test_auth_nym_with_new_auth_map.py
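Review bot: `get_named_role` in the new `helper.py` has no docstring, and its fallback maps every value that `Roles.nameFromValue` rejects to the same `"Unknown role"` text. Rejection messages built from it therefore cannot distinguish a sender with an unrecognised role code from, presumably, a sender with no role at all; the updated assertion `"Unknown role can not do this action"` in `test_role_authorizer.py` suggests an ordinary requester already lands in the fallback. I would add `"""Return the display name for a ledger role code, or "Unknown role" if the code is not a member of Roles."""`. Since `nameFromValue` is defined outside this patch, please also confirm that `ValueError` is the only exception it raises for inputs such as `None`.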
@@ -134,3 +134,13 @@ def test_same_role_network_monitor(write_request_validation, req, is_owner): old_value=NETWORK_MONITOR, new_value=NETWORK_MONITOR, is_owner=is_owner)]) + + +def test_same_role_none(write_request_validation, req, is_owner): + authorized = is_owner + assert authorized == write_request_validation(req, + [AuthActionEdit(txn_type=NYM, + field=ROLE, + old_value='', + new_value='', + is_owner=is_owner)]) diff --git a/indy_common/test/auth/test_helper.py b/indy_common/test/auth/test_helper.py new file mode 100644 index 000000000..13242a5a1 --- /dev/null +++ b/indy_common/test/auth/test_helper.py @@ -0,0 +1,10 @@ +from indy_common.authorize.helper import get_named_role +from plenum.common.constants import TRUSTEE_STRING, TRUSTEE + + +def test_for_known_role(): + assert get_named_role(TRUSTEE) == TRUSTEE_STRING + + +def test_for_unknown_role(): + assert get_named_role("SomeOtherRole") == "Unknown role" diff --git a/indy_common/test/auth/test_role_authorizer.py b/indy_common/test/auth/test_role_authorizer.py index 7f57b1288..212550c6d 100644 --- a/indy_common/test/auth/test_role_authorizer.py +++ b/indy_common/test/auth/test_role_authorizer.py @@ -88,7 +88,7 @@ def test_role_authorizer_not_authorize_role(idr_cache, req_auth): authorizer = RolesAuthorizer(cache=idr_cache) authorized, reason = authorizer.authorize(req_auth, AuthConstraint(role="SomeOtherRole", sig_count=1)) assert not authorized - assert reason == "role is not accepted" + assert reason == "Unknown role can not do this action" def test_role_authorizer_not_authorize_unknown_nym(idr_cache): diff --git a/indy_node/test/nym_txn/test_nym.py b/indy_node/test/nym_txn/test_nym.py index 163a5c709..fc7fede58 100644 --- a/indy_node/test/nym_txn/test_nym.py +++ b/indy_node/test/nym_txn/test_nym.py 
@@ -11,7 +11,7 @@ def test_non_steward_cannot_create_trust_anchor( sdk_wallet_client = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward) with pytest.raises(RequestRejectedException) as e: sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_client, role=TRUST_ANCHOR_STRING) - e.match('There is no accepted constraint') + e.match('Rule for this action is') def testStewardCreatesATrustAnchor(looper, sdk_pool_handle, sdk_wallet_steward): @@ -27,7 +27,7 @@ def test_non_trust_anchor_cannot_create_user( sdk_wallet_client = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward) with pytest.raises(RequestRejectedException) as e: sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_client) - e.match('There is no accepted constraint') + e.match('Rule for this action is') def testTrustAnchorCreatesAUser(sdk_user_wallet_a): From 38d87b63d8b37368324049ba3b0fdaefb9e292a0 Mon Sep 17 00:00:00 2001 From: Andrew Nikitin Date: Tue, 29 Jan 2019 19:07:16 +0300 Subject: [PATCH 04/34] [Some improvements] parametrize test for several wallets Signed-off-by: Andrew Nikitin --- indy_node/test/nym_txn/test_nym_additional.py | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/indy_node/test/nym_txn/test_nym_additional.py b/indy_node/test/nym_txn/test_nym_additional.py index d50c26dd7..a3c3fb3f8 100644 --- a/indy_node/test/nym_txn/test_nym_additional.py +++ b/indy_node/test/nym_txn/test_nym_additional.py 
@@ -36,24 +36,31 @@ def trust_anchor_did_verkey(looper, sdk_wallet_client): def test_pool_nodes_started(nodeSet): pass +@pytest.fixture(scope='function', params=['trustee', 'steward']) +def sdk_wallet(request, sdk_wallet_steward, sdk_wallet_trustee): + if request.param == 'steward': + yield sdk_wallet_steward + elif request.param == 'trustee': + yield sdk_wallet_trustee + def test_send_same_nyms_only_first_gets_written( - looper, sdk_pool_handle, sdk_wallet_steward): - wh, _ = sdk_wallet_steward + looper, sdk_pool_handle, sdk_wallet): + wh, _ = sdk_wallet seed = randomString(32) did, verkey = looper.loop.run_until_complete( create_and_store_my_did(wh, json.dumps({'seed': seed}))) # request 1 - _, did1 = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward, dest=did, verkey=verkey) + _, did1 = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet, dest=did, verkey=verkey) seed = randomString(32) _, verkey = looper.loop.run_until_complete( create_and_store_my_did(wh, json.dumps({'seed': seed}))) # request 2 with pytest.raises(RequestRejectedException) as e: - _, did2 = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward, dest=did, verkey=verkey) - e.match('actor must be owner') + _, did2 = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet, dest=did, verkey=verkey) + e.match('can not touch verkey field since only the owner can modify it') def get_nym(looper, sdk_pool_handle, sdk_wallet_steward, t_did): From 6130b5b0c312a021435f37c90515f4d177b1452c Mon Sep 17 00:00:00 2001 From: Andrew Nikitin Date: Tue, 29 Jan 2019 19:08:55 +0300 Subject: [PATCH 05/34] [INY-1963] flake8 Signed-off-by: Andrew Nikitin --- indy_common/authorize/authorizer.py | 1 - 1 file changed, 1 deletion(-) diff --git a/indy_common/authorize/authorizer.py b/indy_common/authorize/authorizer.py index 915998cb7..06bd43234 100644 --- a/indy_common/authorize/authorizer.py +++ b/indy_common/authorize/authorizer.py 
@@ -69,7 +69,6 @@ def is_sig_count_accepted(self, request: Request, auth_constraint: AuthConstrain def get_named_role_from_req(self, request: Request): return get_named_role(self.get_role(request)) - def authorize(self, request: Request, auth_constraint: AuthConstraint, From d73101fc6a21129907b867a4f10ca8a650d65113 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 07:23:33 +0300 Subject: [PATCH 06/34] adds tests for key rotation, improves fixtures Signed-off-by: Andrey Kononykhin --- indy_node/test/nym_txn/test_nym_auth_rules.py | 286 ++++++++++++------ 1 file changed, 188 insertions(+), 98 deletions(-) diff --git a/indy_node/test/nym_txn/test_nym_auth_rules.py b/indy_node/test/nym_txn/test_nym_auth_rules.py index 22a28e511..6a4513419 100644 --- a/indy_node/test/nym_txn/test_nym_auth_rules.py +++ b/indy_node/test/nym_txn/test_nym_auth_rules.py @@ -1,3 +1,4 @@ +import sys import pytest from enum import Enum, unique @@ -14,32 +15,26 @@ from indy_node.test.helper import createHalfKeyIdentifierAndAbbrevVerkey -# FIXME terms -# - add/create/provision -# - remove/demote/revoke/blacklist/suspend/flush -# - owner/holder -# - signer/initiator ??? -# -# # TODO # - more specific string patterns for auth exc check -# - DRY: send requests and check replies -# -# -# - ptomoter after demotion # FIXTURES +class EnumBase(Enum): + def __str__(self): + return self.name + @unique -class ActionIds(Enum): +class ActionIds(EnumBase): add = 0 demote = 1 + rotate = 2 @unique -class Demotions(Enum): +class Demotions(EnumBase): # other DID-without-verkey created by the demoter self_created_no_verkey = 1 # other DID-with-verkey created by the demoter 
@@ -50,6 +45,21 @@ class Demotions(Enum): other_created_verkey = 4 +@unique +class Rotations(EnumBase): + none_val = 1 + val_val = 2 + val_none = 3 + none_none = 4 + + +@unique +class Rotator(EnumBase): + self = 1 + creator = 2 + other = 3 + + # FIXME class name class DIDWallet(object): def __init__(self, did=None, role=Roles.CLIENT, verkey=None, creator=None, wallet_handle=None): 
@@ -67,28 +77,57 @@ def wallet_did(self): def auth_check(action_id, signer, dest): is_self = signer.did == dest.did - # is_creator = signer.did == dest.creator.did - dest_with_verkey = dest.verkey is not None + is_owner = signer == (dest if dest.verkey is not None else dest.creator) if action_id == ActionIds.add: - if signer.role == Roles.TRUSTEE: - return True - elif (signer.role == Roles.STEWARD and - dest.role in (Roles.CLIENT, Roles.TRUST_ANCHOR, Roles.NETWORK_MONITOR)): - return True - elif signer.role == Roles.TRUST_ANCHOR and dest.role == Roles.CLIENT: - return True + if dest.role in (Roles.TRUSTEE, Roles.STEWARD): + return signer.role == Roles.TRUSTEE + elif dest.role in (Roles.TRUST_ANCHOR, Roles.NETWORK_MONITOR): + return signer.role in (Roles.TRUSTEE, Roles.STEWARD) + elif dest.role == Roles.CLIENT: + return signer.role in (Roles.TRUSTEE, Roles.STEWARD, Roles.TRUST_ANCHOR) elif action_id == ActionIds.demote: - if signer.role == Roles.TRUSTEE: - return True - elif (signer.role == Roles.TRUST_ANCHOR and dest.role == Roles.TRUST_ANCHOR and - is_self and dest_with_verkey): - return True + if dest.role in (Roles.TRUSTEE, Roles.STEWARD): + return signer.role == Roles.TRUSTEE + elif dest.role == Roles.TRUST_ANCHOR: + return ((signer.role == Roles.TRUSTEE) or + (signer.role == Roles.TRUST_ANCHOR and + is_self and is_owner)) + elif dest.role == Roles.NETWORK_MONITOR: + return signer.role in (Roles.TRUSTEE, Roles.STEWARD) + + elif action_id == ActionIds.rotate: + return is_owner return False +def create_new_did(looper, sdk_pool_handle, creator, role, skipverkey=False): + + op = { + 'type': NYM, + 'role': role.value + } + + new_did_verkey = None + + if skipverkey: + new_did, _ = createHalfKeyIdentifierAndAbbrevVerkey() + op.update({'dest': new_did}) + else: + new_did, new_did_verkey = looper.loop.run_until_complete( + create_and_store_my_did(creator.wallet_handle, "{}")) + + op.update({'dest': new_did, 'verkey': new_did_verkey}) + + req = 
sdk_sign_and_submit_op(looper, sdk_pool_handle, creator.wallet_did, op) + sdk_get_and_check_replies(looper, [req]) + + return DIDWallet(did=new_did, role=role, verkey=new_did_verkey, + creator=creator, wallet_handle=creator.wallet_handle) + + @pytest.fixture(scope="module") def client(sdk_wallet_client): return DIDWallet(did=sdk_wallet_client[1], role=Roles.CLIENT, wallet_handle=sdk_wallet_client[0]) 
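Review bot: `is_owner` in `auth_check` compares `DIDWallet` objects with `==`, while `is_self` on the line above compares `.did` strings. The part of `DIDWallet` visible in this series defines no `__eq__`, so this is presumably an identity comparison, and two wallet objects built for the same DID would not be treated as the same owner. Comparing DIDs keeps the authorization oracle independent of how fixtures construct their objects: `owner = dest if dest.verkey is not None else dest.creator` followed by `is_owner = owner is not None and signer.did == owner.did`. The `DIDWallet` class body starts outside this hunk, so an existing `__eq__` cannot be ruled out.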
@@ -104,76 +143,111 @@ def steward(sdk_wallet_steward): return DIDWallet(did=sdk_wallet_steward[1], role=Roles.STEWARD, wallet_handle=sdk_wallet_steward[0]) -def idfn_enum(item): - return item.name +@pytest.fixture(scope="module", params=list(Roles)) +def role(request): + return request.param -def _create_new_nym(looper, sdk_pool_handle, creator, role, *args, **kwargs): - new_did, new_did_verkey = looper.loop.run_until_complete( - create_and_store_my_did(creator.wallet_handle, "{}")) +def did_fixture_wrapper(): + def _fixture(looper, sdk_pool_handle, txnPoolNodeSet, trustee, request): + marker = request.node.get_marker('skip_did_verkey') + return create_new_did(looper, sdk_pool_handle, trustee, request.param, + skipverkey=(marker is not None)) + return _fixture - op = {'type': NYM, - 'dest': new_did, - 'role': role.value, - 'verkey': new_did_verkey} - req = sdk_sign_and_submit_op(looper, sdk_pool_handle, (creator.wallet_handle, creator.did), op) - sdk_get_and_check_replies(looper, [req]) - return DIDWallet(did=new_did, role=role, verkey=new_did_verkey, creator=creator, wallet_handle=creator.wallet_handle) +for scope in ('module', 'function'): + setattr( + sys.modules[__name__], + "did_per_{}".format(scope), + pytest.fixture(scope=scope, params=list(Roles))(did_fixture_wrapper())) -@pytest.fixture(scope="module", - params=[Roles.CLIENT, Roles.TRUSTEE, Roles.STEWARD], - ids=idfn_enum) -def provisioner(request, client, trustee, steward): - # TODO - # - wallets for TRUST_ANCHOR and NETWORK_MONITOR - return { - Roles.CLIENT: client, - Roles.TRUSTEE: trustee, - Roles.STEWARD: steward, - }[request.param] +@pytest.fixture(scope="module") +def provisioner(did_per_module): + return did_per_module + + +@pytest.fixture(scope="module", params=list(Roles) + [None], + ids=lambda r: str(r) if r else 'omitted_role') +def provisioned_role(request): + return request.param + + +@pytest.fixture(scope="module") +def provisioned(provisioned_role): + did, verkey = 
createHalfKeyIdentifierAndAbbrevVerkey() + return (DIDWallet(did=did, + role=provisioned_role if provisioned_role else Roles.CLIENT, + verkey=verkey), + provisioned_role is None) # scope is 'function' since demoter demotes # themselves at the end of the each demotion test -@pytest.fixture(scope="function", - params=list(Roles), - ids=idfn_enum) -def demoter(looper, sdk_pool_handle, txnPoolNodeSet, trustee, request): - return _create_new_nym(looper, sdk_pool_handle, trustee, request.param) +@pytest.fixture(scope="function") +def demoter(did_per_function): + return did_per_function -@pytest.fixture(scope="module", params=list(Roles), ids=idfn_enum) -def role(request): +@pytest.fixture(scope="function", + params=[(x, y) for x in Demotions for y in Roles] + [None], + ids=lambda p: "{}-{}".format(p[0], p[1]) if p else 'self') +def demotion(request): return request.param @pytest.fixture(scope="function") -def nym_op(): - halfKeyIdentifier, abbrevVerkey = createHalfKeyIdentifierAndAbbrevVerkey() - return { - 'type': NYM, - 'dest': halfKeyIdentifier, - 'verkey': abbrevVerkey, - } +def demoted(looper, sdk_pool_handle, txnPoolNodeSet, trustee, demoter, demotion): + if demotion is None: # self demotion + return demoter + else: + demotion_type, role = demotion + if demotion_type == Demotions.self_created_no_verkey: + if auth_check(ActionIds.add, demoter, DIDWallet(role=role)): + return create_new_did(looper, sdk_pool_handle, demoter, role, skipverkey=True) + elif demotion_type == Demotions.self_created_verkey: + if auth_check(ActionIds.add, demoter, DIDWallet(role=role)): + return create_new_did(looper, sdk_pool_handle, demoter, role) + elif demotion_type == Demotions.other_created_no_verkey: + return create_new_did(looper, sdk_pool_handle, trustee, role, skipverkey=True) + elif demotion_type == Demotions.other_created_verkey: + return create_new_did(looper, sdk_pool_handle, trustee, role) + + +# Note. 
dedicated trustee is used to test rotations by other +# (not creator and not self). Other other-rotators (e.g. TRUST_ANCHOR) +# are ignored as less powerful. +@pytest.fixture(scope="module") +def trustee_not_creator(looper, sdk_pool_handle, txnPoolNodeSet, trustee): + return create_new_did(looper, sdk_pool_handle, trustee, Roles.TRUSTEE) -@pytest.fixture(scope="function", - params=list(Demotions), - ids=idfn_enum) -# TODO parametrize by verkey in op -def demoted(looper, sdk_pool_handle, txnPoolNodeSet, trustee, demoter, role, request): - if request.param == Demotions.self_created_no_verkey: - if auth_check(ActionIds.add, demoter, DIDWallet(role=role)): - return _create_new_nym(looper, sdk_pool_handle, demoter, role, skipverkey=True) - elif request.param == Demotions.self_created_verkey: - if auth_check(ActionIds.add, demoter, DIDWallet(role=role)): - return _create_new_nym(looper, sdk_pool_handle, demoter, role) - elif request.param == Demotions.other_created_no_verkey: - return _create_new_nym(looper, sdk_pool_handle, trustee, role, skipverkey=True) - elif request.param == Demotions.other_created_verkey: - return _create_new_nym(looper, sdk_pool_handle, trustee, role) +@pytest.fixture(scope="function", params=list(Rotations)) +def rotation_verkey(request): + if request.param in (Rotations.none_none, Rotations.none_val): + request.node.add_marker('skip_did_verkey') + + verkey = None + if request.param in (Rotations.val_val, Rotations.none_val): + _, verkey_ = createHalfKeyIdentifierAndAbbrevVerkey() + + return verkey + + +@pytest.fixture(scope="function", params=list(Rotator)) +def rotator(did_per_function, trustee_not_creator, request): + if request.param == Rotator.self: + return did_per_function + elif request.param == Rotator.creator: + return did_per_function.creator + elif request.param == Rotator.other: + return trustee_not_creator + + +@pytest.fixture(scope="function") +def rotated(did_per_function): + return did_per_function # TEST HELPERS 
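Review bot: The `rotation_verkey` fixture assigns the generated key to `verkey_` but returns `verkey`, which is still `None`, so every `Rotations` parametrization sends `'verkey': None`. The `val_val` and `none_val` cases therefore never test rotation to a real key, and the ownership rule for setting a new verkey goes unverified. The assignment should be `_, verkey = createHalfKeyIdentifierAndAbbrevVerkey()`. Separately, the `skip_did_verkey` marker added here is read in `did_fixture_wrapper` via `request.node.get_marker`, so it only takes effect if this fixture runs before `did_per_function`; `test_nym_rotate` lists `rotation_verkey` last, so the ordering is worth confirming.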
@@ -189,9 +263,20 @@ def sign_submit_check(looper, sdk_pool_handle, signer, dest, action_id, op): excinfo.match('UnauthorizedClientRequest') -def demote(looper, sdk_pool_handle, txnPoolNodeSet, - demoter, demoted): +def add(looper, sdk_pool_handle, provisioner, provisioned, omit_role=False): + op = { + 'type': NYM, + 'dest': provisioned.did, + 'verkey': provisioned.verkey, + } + + if not omit_role: + op['role'] = provisioned.role.value + + sign_submit_check(looper, sdk_pool_handle, provisioner, provisioned, ActionIds.add, op) + +def demote(looper, sdk_pool_handle, demoter, demoted): op = { 'type': NYM, 'dest': demoted.did, 
@@ -201,28 +286,33 @@ def demote(looper, sdk_pool_handle, txnPoolNodeSet, sign_submit_check(looper, sdk_pool_handle, demoter, demoted, ActionIds.demote, op) -# TESTS +def rotate(looper, sdk_pool_handle, rotator, rotated, new_verkey): + op = { + 'type': NYM, + 'dest': rotated.did, + 'verkey': new_verkey + } -def test_add_nym(looper, sdk_pool_handle, txnPoolNodeSet, nym_op, provisioner, role): - nym_op['role'] = role.value - sign_submit_check(looper, sdk_pool_handle, provisioner, DIDWallet(role=role), ActionIds.add, nym_op) - + sign_submit_check(looper, sdk_pool_handle, rotator, + rotated, ActionIds.rotate, op) -def test_add_nym_omitted_role(looper, sdk_pool_handle, txnPoolNodeSet, nym_op, provisioner): - sign_submit_check(looper, sdk_pool_handle, provisioner, DIDWallet(role=role), ActionIds.add, nym_op) +# TESTS -# TODO parametrize by verkey in op -def test_demote_self_nym( - looper, sdk_pool_handle, txnPoolNodeSet, - demoter): - demote(looper, sdk_pool_handle, txnPoolNodeSet, demoter, demoter) +def test_nym_add(looper, sdk_pool_handle, txnPoolNodeSet, provisioner, provisioned): + provisioned, omit_role = provisioned + add(looper, sdk_pool_handle, provisioner, provisioned, omit_role=omit_role) -# TODO parametrize by verkey in op -def test_demote_nym( - looper, sdk_pool_handle, txnPoolNodeSet, - demoter, demoted): +# Demotion is considered as NYM with only 'role' field specified and it's None. +# If NYM includes 'verkey' field as well it mixes role demotion/promotion and +# verkey rotation and should be checked separately. 
TODO mixed cases +def test_nym_demote(looper, sdk_pool_handle, txnPoolNodeSet, demoter, demoted): + # might be None for cases 'self_created_no_verkey' and 'self_created_verkey' or self demotion if demoted: - demote(looper, sdk_pool_handle, txnPoolNodeSet, demoter, demoted) + demote(looper, sdk_pool_handle, demoter, demoted) + + +def test_nym_rotate(looper, sdk_pool_handle, txnPoolNodeSet, rotator, rotated, rotation_verkey): + rotate(looper, sdk_pool_handle, rotator, rotated, rotation_verkey) From 636b4be59161ae6a94a9b72ff41a72ffe1d332cf Mon Sep 17 00:00:00 2001 From: Andrew Nikitin Date: Wed, 30 Jan 2019 08:31:15 +0300 Subject: [PATCH 07/34] [INDY-1963] Fix error string checking in tests Signed-off-by: Andrew Nikitin --- .../pool_config/test_send_pool_config_only_trustee.py | 8 ++++---- indy_node/test/pool_restart/test_fail_pool_restart.py | 4 ++-- .../test/validator_info/test_validator_info_command.py | 2 +- .../test_send_write_permission_no_client.py | 6 +++--- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/indy_node/test/pool_config/test_send_pool_config_only_trustee.py b/indy_node/test/pool_config/test_send_pool_config_only_trustee.py index 7c051de1d..b3128f54e 100644 --- a/indy_node/test/pool_config/test_send_pool_config_only_trustee.py +++ b/indy_node/test/pool_config/test_send_pool_config_only_trustee.py @@ -10,7 +10,7 @@ def test_only_trustee_send_pool_config_writes_true_force_false( sdk_wallet_steward = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_trustee, 'tmpname', STEWARD_STRING) req = sdk_pool_config_sent(looper, sdk_pool_handle, sdk_wallet_steward, poolConfigWTFF) - sdk_get_bad_response(looper, [req], RequestRejectedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestRejectedException, '{} can not do this action'.format(STEWARD_STRING)) def test_only_trustee_send_pool_config_writes_false_force_false( 
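Review bot: `test_nym_demote` returns without asserting anything when `demoted` is `None`, so parametrizations where the demoter cannot create the target DID are reported as passed even though no authorization check ran. Making that explicit keeps the pass count honest: `if demoted is None: pytest.skip('demoter is not allowed to create the target DID')` before the `demote(...)` call. The inline comment also lists self demotion as a `None` case, but the `demoted` fixture returns `demoter` there, so the comment should be corrected as well.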
@@ -18,7 +18,7 @@ def test_only_trustee_send_pool_config_writes_false_force_false( sdk_wallet_steward = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_trustee, 'tmpname', STEWARD_STRING) req = sdk_pool_config_sent(looper, sdk_pool_handle, sdk_wallet_steward, poolConfigWFFF) - sdk_get_bad_response(looper, [req], RequestRejectedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestRejectedException, '{} can not do this action'.format(STEWARD_STRING)) def test_only_trustee_send_pool_config_writes_true_force_true( @@ -26,7 +26,7 @@ def test_only_trustee_send_pool_config_writes_true_force_true( sdk_wallet_steward = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_trustee, 'tmpname', STEWARD_STRING) req = sdk_pool_config_sent(looper, sdk_pool_handle, sdk_wallet_steward, poolConfigWTFT) - sdk_get_bad_response(looper, [req], RequestNackedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestNackedException, '{} can not do this action'.format(STEWARD_STRING)) def test_only_trustee_send_pool_config_writes_false_force_true( @@ -34,4 +34,4 @@ def test_only_trustee_send_pool_config_writes_false_force_true( sdk_wallet_steward = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_trustee, 'tmpname', STEWARD_STRING) req = sdk_pool_config_sent(looper, sdk_pool_handle, sdk_wallet_steward, poolConfigWFFT) - sdk_get_bad_response(looper, [req], RequestNackedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestNackedException, '{} can not do this action'.format(STEWARD_STRING)) diff --git a/indy_node/test/pool_restart/test_fail_pool_restart.py b/indy_node/test/pool_restart/test_fail_pool_restart.py index d55b7466e..5213165db 100644 --- a/indy_node/test/pool_restart/test_fail_pool_restart.py +++ b/indy_node/test/pool_restart/test_fail_pool_restart.py 
@@ -4,7 +4,7 @@ RequestNackedException from indy_common.constants import POOL_RESTART, ACTION, START, DATETIME -from plenum.common.constants import TXN_TYPE +from plenum.common.constants import TXN_TYPE, STEWARD_STRING from plenum.test.helper import sdk_gen_request, sdk_sign_and_submit_req_obj, \ sdk_get_reply, sdk_get_and_check_replies @@ -22,7 +22,7 @@ def test_fail_pool_restart_with_steward_role( req_obj) with pytest.raises(RequestRejectedException) as excinfo: sdk_get_and_check_replies(looper, [req], 100) - assert excinfo.match("role is not accepted") + assert excinfo.match('{} can not do this action'.format(STEWARD_STRING)) def test_fail_pool_restart_with_invalid_datetime( diff --git a/indy_node/test/validator_info/test_validator_info_command.py b/indy_node/test/validator_info/test_validator_info_command.py index b8cc1b12f..97785d41e 100644 --- a/indy_node/test/validator_info/test_validator_info_command.py +++ b/indy_node/test/validator_info/test_validator_info_command.py @@ -25,7 +25,7 @@ def test_fail_validator_info_command( sdk_get_validator_info(looper, sdk_wallet_client, sdk_pool_handle) - assert excinfo.match("There is no accepted constraint") + assert excinfo.match("Rule for this action is") def _comparison_reply(responses, req_obj): diff --git a/indy_node/test/write_permission/test_send_write_permission_no_client.py b/indy_node/test/write_permission/test_send_write_permission_no_client.py index e3bcaa743..cdda5e3c0 100644 --- a/indy_node/test/write_permission/test_send_write_permission_no_client.py +++ b/indy_node/test/write_permission/test_send_write_permission_no_client.py @@ -41,7 +41,7 @@ def test_client_cant_send_nym(looper, # client cant create another client NYM when ANYONE_CAN_WRITE set to False with pytest.raises(RequestRejectedException) as e: sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_client) - e.match('There is no accepted constraint') + e.match('Rule for this action is') def test_client_can_send_attrib(looper, 
@@ -80,7 +80,7 @@ def test_client_cant_send_schema(looper, issuer_create_schema(identifier, "another_name", "2.0", json.dumps(["first", "last"]))) request = looper.loop.run_until_complete(build_schema_request(identifier, schema_json)) sdk_get_bad_response(looper, [sdk_sign_and_submit_req(sdk_pool_handle, sdk_wallet_client, request)], - RequestRejectedException, 'There is no accepted constraint') + RequestRejectedException, 'Rule for this action is') def test_client_cant_send_claim_def(looper, @@ -96,4 +96,4 @@ def test_client_cant_send_claim_def(looper, # Client cant send create if ANYONE_CAN_WRITE flag set to True req = sdk_sign_request_from_dict(looper, sdk_wallet_client, claim_def) req = sdk_send_signed_requests(sdk_pool_handle, [json.dumps(req)]) - sdk_get_bad_response(looper, req, RequestRejectedException, 'There is no accepted constraint') + sdk_get_bad_response(looper, req, RequestRejectedException, 'Rule for this action is') From f7968ead3e1afe56f62f817eced8f3faebfa64db Mon Sep 17 00:00:00 2001 From: Andrew Nikitin Date: Wed, 30 Jan 2019 09:46:47 +0300 Subject: [PATCH 08/34] [INDY-1963] Fix errors checking in tests Signed-off-by: Andrew Nikitin --- indy_node/test/suspension/test_nym_suspension.py | 6 +++--- indy_node/test/suspension/test_suspension.py | 2 +- indy_node/test/upgrade/test_pool_upgrade_reject.py | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/indy_node/test/suspension/test_nym_suspension.py b/indy_node/test/suspension/test_nym_suspension.py index 0e99a46cf..6854e9e84 100644 --- a/indy_node/test/suspension/test_nym_suspension.py +++ b/indy_node/test/suspension/test_nym_suspension.py 
@@ -13,7 +13,7 @@ def testTrusteeSuspendingTrustAnchor(looper, sdk_pool_handle, sdk_wallet_trustee sdk_suspend_role(looper, sdk_pool_handle, sdk_wallet_trustee, did) with pytest.raises(RequestRejectedException) as e: sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_trust_anchor) - e.match('There is no accepted constraint') + e.match('Rule for this action is') def testTrusteeSuspendingTrustee(looper, sdk_pool_handle, sdk_wallet_trustee, @@ -22,7 +22,7 @@ def testTrusteeSuspendingTrustee(looper, sdk_pool_handle, sdk_wallet_trustee, sdk_suspend_role(looper, sdk_pool_handle, sdk_wallet_trustee, did) with pytest.raises(RequestRejectedException) as e: sdk_add_new_nym(looper, sdk_pool_handle, another_trustee) - e.match('There is no accepted constraint') + e.match('Rule for this action is') def testTrusteeSuspendingSteward(looper, sdk_pool_handle, sdk_wallet_trustee, @@ -31,7 +31,7 @@ def testTrusteeSuspendingSteward(looper, sdk_pool_handle, sdk_wallet_trustee, sdk_suspend_role(looper, sdk_pool_handle, sdk_wallet_trustee, did) with pytest.raises(RequestRejectedException) as e: sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_steward) - e.match('There is no accepted constraint') + e.match('Rule for this action is') def testTrustAnchorSuspendingHimselfByVerkeyFlush(looper, sdk_pool_handle, diff --git a/indy_node/test/suspension/test_suspension.py b/indy_node/test/suspension/test_suspension.py index 1897e5f90..d8f4baf45 100644 --- a/indy_node/test/suspension/test_suspension.py +++ b/indy_node/test/suspension/test_suspension.py @@ -86,7 +86,7 @@ def testTrusteeSuspensionByTrustee(looper, sdk_pool_handle, sdk_wallet_trustee, _, did = sdk_wallet_trustee with pytest.raises(RequestRejectedException) as e: sdk_suspend_role(looper, sdk_pool_handle, another_steward1, did) - e.match('role is not accepted') + e.match('{} can not do this action'.format(STEWARD_STRING)) # Keep the test below at the end of the suite since it will make one of the 
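Review bot: The new `e.match('{} can not do this action'.format(STEWARD_STRING))` line in test_suspension.py uses `STEWARD_STRING`, but this commit changes only that one line in the file. The other files that gain the same pattern (test_pool_upgrade_reject.py here, test_fail_pool_restart.py in the previous patch) also gain an import for it. If the name is not already imported at the top of test_suspension.py, which the hunk does not show, the assertion fails with `NameError` instead of checking the rejection reason. In that case add `from plenum.common.constants import STEWARD_STRING`.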
diff --git a/indy_node/test/upgrade/test_pool_upgrade_reject.py b/indy_node/test/upgrade/test_pool_upgrade_reject.py index 31b570226..8742e5a80 100644 --- a/indy_node/test/upgrade/test_pool_upgrade_reject.py +++ b/indy_node/test/upgrade/test_pool_upgrade_reject.py @@ -1,6 +1,6 @@ from copy import deepcopy -from plenum.common.constants import NAME, VERSION +from plenum.common.constants import NAME, VERSION, STEWARD_STRING from plenum.common.exceptions import RequestNackedException, RequestRejectedException from indy_common.constants import CANCEL, \ ACTION @@ -22,7 +22,7 @@ def testOnlyTrusteeCanSendPoolUpgrade(looper, sdk_pool_handle, sdk_wallet_stewar validUpgrade[NAME] = 'upgrade-20' validUpgrade[VERSION] = bumpedVersion(validUpgrade['version']) req = sdk_send_upgrade(looper, sdk_pool_handle, sdk_wallet_steward, validUpgrade) - sdk_get_bad_response(looper, [req], RequestRejectedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestRejectedException, '{} can not do this action'.format(STEWARD_STRING)) def testNonTrustyCannotCancelUpgrade(looper, validUpgradeSent, sdk_pool_handle, @@ -30,7 +30,7 @@ def testNonTrustyCannotCancelUpgrade(looper, validUpgradeSent, sdk_pool_handle, validUpgradeCopy = deepcopy(validUpgrade) validUpgradeCopy[ACTION] = CANCEL req = sdk_send_upgrade(looper, sdk_pool_handle, sdk_wallet_steward, validUpgradeCopy) - sdk_get_bad_response(looper, [req], RequestRejectedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestRejectedException, '{} can not do this action'.format(STEWARD_STRING)) def test_accept_then_reject_upgrade( 
@@ -48,4 +48,4 @@ def test_accept_then_reject_upgrade( def testOnlyTrusteeCanSendPoolUpgradeForceTrue( looper, sdk_pool_handle, sdk_wallet_steward, validUpgradeExpForceTrue): req = sdk_send_upgrade(looper, sdk_pool_handle, sdk_wallet_steward, validUpgradeExpForceTrue) - sdk_get_bad_response(looper, [req], RequestNackedException, 'role is not accepted') + sdk_get_bad_response(looper, [req], RequestNackedException, '{} can not do this action'.format(STEWARD_STRING)) From cecc538aa58296f97a18f186dde4d4e0294e0262 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 11:58:03 +0300 Subject: [PATCH 09/34] makes some wrong cases pass, links to jira tasks Signed-off-by: Andrey Kononykhin --- indy_node/test/nym_txn/test_nym_auth_rules.py | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/indy_node/test/nym_txn/test_nym_auth_rules.py b/indy_node/test/nym_txn/test_nym_auth_rules.py index 6a4513419..fc3df0472 100644 --- a/indy_node/test/nym_txn/test_nym_auth_rules.py +++ b/indy_node/test/nym_txn/test_nym_auth_rules.py @@ -17,6 +17,9 @@ # TODO # - more specific string patterns for auth exc check +# - mixed cases: both verkey and role are presented in NYM txn +# ??? possibly not necessary for now since role and verkey related constrains +# are composed like logical AND validation fails if any of them fails # FIXTURES 
@@ -91,11 +94,16 @@ def auth_check(action_id, signer, dest): if dest.role in (Roles.TRUSTEE, Roles.STEWARD): return signer.role == Roles.TRUSTEE elif dest.role == Roles.TRUST_ANCHOR: - return ((signer.role == Roles.TRUSTEE) or - (signer.role == Roles.TRUST_ANCHOR and - is_self and is_owner)) + return (signer.role == Roles.TRUSTEE) + # FIXME INDY-1968: uncomment when the task is addressed + #return ((signer.role == Roles.TRUSTEE) or + # (signer.role == Roles.TRUST_ANCHOR and + # is_self and is_owner)) elif dest.role == Roles.NETWORK_MONITOR: return signer.role in (Roles.TRUSTEE, Roles.STEWARD) + # FIXME INDY-1969: remove when the task is addressed + elif dest.role == Roles.CLIENT: + return is_owner elif action_id == ActionIds.rotate: return is_owner @@ -307,7 +315,7 @@ def test_nym_add(looper, sdk_pool_handle, txnPoolNodeSet, provisioner, provision # Demotion is considered as NYM with only 'role' field specified and it's None. # If NYM includes 'verkey' field as well it mixes role demotion/promotion and -# verkey rotation and should be checked separately. TODO mixed cases +# verkey rotation and should be checked separately. def test_nym_demote(looper, sdk_pool_handle, txnPoolNodeSet, demoter, demoted): # might be None for cases 'self_created_no_verkey' and 'self_created_verkey' or self demotion if demoted: From a59ffe161e3a2ad9a13ad3d9f2f3d7c107bcb3a2 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 12:52:20 +0300 Subject: [PATCH 10/34] makes flake8 happy Signed-off-by: Andrey Kononykhin --- indy_node/test/nym_txn/test_nym_auth_rules.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/indy_node/test/nym_txn/test_nym_auth_rules.py b/indy_node/test/nym_txn/test_nym_auth_rules.py index fc3df0472..3c1998fde 100644 --- a/indy_node/test/nym_txn/test_nym_auth_rules.py +++ b/indy_node/test/nym_txn/test_nym_auth_rules.py 
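Review bot: The `demote` branch of `auth_check` now encodes behaviour that its own FIXME comments mark as wrong (INDY-1968 for TRUST_ANCHOR self-demotion, INDY-1969 for the added `Roles.CLIENT` branch). The suite will therefore stay green while the node deviates from the documented authorization rule, and a later fix will show up as a test failure rather than a success. Keeping the intended rule in the oracle and marking the affected parametrizations in the test, for example with `pytest.xfail('INDY-1968')`, keeps the discrepancy visible in reports. `auth_check` starts before this hunk, so the full function is not visible here.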
@@ -79,7 +79,7 @@ def wallet_did(self): def auth_check(action_id, signer, dest): - is_self = signer.did == dest.did + # is_self = signer.did == dest.did is_owner = signer == (dest if dest.verkey is not None else dest.creator) if action_id == ActionIds.add: @@ -96,7 +96,7 @@ def auth_check(action_id, signer, dest): elif dest.role == Roles.TRUST_ANCHOR: return (signer.role == Roles.TRUSTEE) # FIXME INDY-1968: uncomment when the task is addressed - #return ((signer.role == Roles.TRUSTEE) or + # return ((signer.role == Roles.TRUSTEE) or # (signer.role == Roles.TRUST_ANCHOR and # is_self and is_owner)) elif dest.role == Roles.NETWORK_MONITOR: From 17ac8d6d61e4de7ceab443bf9f336ebfd00714e8 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 12:52:54 +0300 Subject: [PATCH 11/34] fixes a typo Signed-off-by: Andrey Kononykhin --- indy_common/constants.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/indy_common/constants.py b/indy_common/constants.py index 881e944e8..94c41f346 100644 --- a/indy_common/constants.py +++ b/indy_common/constants.py @@ -124,7 +124,7 @@ # Roles -# FIXME can be automated by oteration through Roles +# FIXME can be automated by iteration through Roles # but it would be less self-descriptive CLIENT = Roles.CLIENT.value CLIENT_STRING = None From 2dc072144bf9f0de9a83b136203f60fbb7449a1a Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 13:12:48 +0300 Subject: [PATCH 12/34] renames CLIENT to IDENTITY_OWNER Signed-off-by: Andrey Kononykhin --- indy_common/constants.py | 4 ++-- indy_common/roles.py | 2 +- indy_node/test/nym_txn/test_nym_auth_rules.py | 20 ++++++++++--------- 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/indy_common/constants.py b/indy_common/constants.py index 94c41f346..9c2a6a91f 100644 --- a/indy_common/constants.py +++ b/indy_common/constants.py 
@@ -126,8 +126,8 @@ # FIXME can be automated by iteration through Roles # but it would be less self-descriptive -CLIENT = Roles.CLIENT.value -CLIENT_STRING = None +IDENTITY_OWNER = Roles.IDENTITY_OWNER.value +IDENTITY_OWNER_STRING = None TRUST_ANCHOR = Roles.TRUST_ANCHOR.value TRUST_ANCHOR_STRING = 'TRUST_ANCHOR' diff --git a/indy_common/roles.py b/indy_common/roles.py index 5f133c60d..cfd79ed92 100644 --- a/indy_common/roles.py +++ b/indy_common/roles.py @@ -8,7 +8,7 @@ class Roles(Enum): # These numeric constants CANNOT be changed once they have been used, # because that would break backwards compatibility with the ledger # Also the numeric constants CANNOT collide with the roles in plenum - CLIENT = None # FIXME might makes sense to move to plenum + IDENTITY_OWNER = None # FIXME might makes sense to move to plenum TRUSTEE = Roles.TRUSTEE.value STEWARD = Roles.STEWARD.value TRUST_ANCHOR = "101" diff --git a/indy_node/test/nym_txn/test_nym_auth_rules.py b/indy_node/test/nym_txn/test_nym_auth_rules.py index 3c1998fde..8eda213e6 100644 --- a/indy_node/test/nym_txn/test_nym_auth_rules.py +++ b/indy_node/test/nym_txn/test_nym_auth_rules.py @@ -10,7 +10,7 @@ from plenum.test.helper import sdk_sign_and_submit_op, sdk_get_and_check_replies from plenum.test.pool_transactions.helper import sdk_add_new_nym -from indy_common.constants import CLIENT, TRUST_ANCHOR, NETWORK_MONITOR +from indy_common.constants import IDENTITY_OWNER, TRUST_ANCHOR, NETWORK_MONITOR from indy_common.roles import Roles from indy_node.test.helper import createHalfKeyIdentifierAndAbbrevVerkey @@ -65,7 +65,7 @@ class Rotator(EnumBase): # FIXME class name class DIDWallet(object): - def __init__(self, did=None, role=Roles.CLIENT, verkey=None, creator=None, wallet_handle=None): + def __init__(self, did=None, role=Roles.IDENTITY_OWNER, verkey=None, creator=None, wallet_handle=None): self.did = did self.role = role self.verkey = verkey 
@@ -87,7 +87,7 @@ def auth_check(action_id, signer, dest): return signer.role == Roles.TRUSTEE elif dest.role in (Roles.TRUST_ANCHOR, Roles.NETWORK_MONITOR): return signer.role in (Roles.TRUSTEE, Roles.STEWARD) - elif dest.role == Roles.CLIENT: + elif dest.role == Roles.IDENTITY_OWNER: return signer.role in (Roles.TRUSTEE, Roles.STEWARD, Roles.TRUST_ANCHOR) elif action_id == ActionIds.demote: @@ -102,7 +102,7 @@ def auth_check(action_id, signer, dest): elif dest.role == Roles.NETWORK_MONITOR: return signer.role in (Roles.TRUSTEE, Roles.STEWARD) # FIXME INDY-1969: remove when the task is addressed - elif dest.role == Roles.CLIENT: + elif dest.role == Roles.IDENTITY_OWNER: return is_owner elif action_id == ActionIds.rotate: @@ -138,7 +138,7 @@ def create_new_did(looper, sdk_pool_handle, creator, role, skipverkey=False): @pytest.fixture(scope="module") def client(sdk_wallet_client): - return DIDWallet(did=sdk_wallet_client[1], role=Roles.CLIENT, wallet_handle=sdk_wallet_client[0]) + return DIDWallet(did=sdk_wallet_client[1], role=Roles.IDENTITY_OWNER, wallet_handle=sdk_wallet_client[0]) @pytest.fixture(scope="module") @@ -185,10 +185,12 @@ def provisioned_role(request): @pytest.fixture(scope="module") def provisioned(provisioned_role): did, verkey = createHalfKeyIdentifierAndAbbrevVerkey() - return (DIDWallet(did=did, - role=provisioned_role if provisioned_role else Roles.CLIENT, - verkey=verkey), - provisioned_role is None) + return ( + DIDWallet( + did=did, + role=provisioned_role if provisioned_role else Roles.IDENTITY_OWNER, + verkey=verkey), + provisioned_role is None) # scope is 'function' since demoter demotes From 07876c3913606efe2089432d8c6b24a3c0ed45ef Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 13:13:54 +0300 Subject: [PATCH 13/34] makes pytest a bit more verbose Signed-off-by: Andrey Kononykhin --- Jenkinsfile.ci | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Jenkinsfile.ci b/Jenkinsfile.ci index 9041bf0ba..7e75dbb20 100644 --- a/Jenkinsfile.ci +++ b/Jenkinsfile.ci @@ -97,9 +97,9 @@ def test(options=[:]) { try { if (options.useRunner) { - sh "PYTHONASYNCIODEBUG='0' $options.python runner.py --pytest \"$options.python -m pytest\" --dir $options.testDir --output \"$options.resFile\" --test-only-slice \"$options.testOnlySlice\"" + sh "PYTHONASYNCIODEBUG='0' $options.python runner.py --pytest \"$options.python -m pytest -v\" --dir $options.testDir --output \"$options.resFile\" --test-only-slice \"$options.testOnlySlice\"" } else { - sh "$options.python -m pytest --junitxml=$options.resFile $options.testDir" + sh "$options.python -m pytest -v --junitxml=$options.resFile $options.testDir" } } finally { From de22a3731d600c56476c665d72b314f46cd4bf53 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 13:15:34 +0300 Subject: [PATCH 14/34] turns on pytest-xdist Signed-off-by: Andrey Kononykhin --- Jenkinsfile.ci | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile.ci b/Jenkinsfile.ci index 7e75dbb20..54e9a68ac 100644 --- a/Jenkinsfile.ci +++ b/Jenkinsfile.ci @@ -99,7 +99,7 @@ def test(options=[:]) { if (options.useRunner) { sh "PYTHONASYNCIODEBUG='0' $options.python runner.py --pytest \"$options.python -m pytest -v\" --dir $options.testDir --output \"$options.resFile\" --test-only-slice \"$options.testOnlySlice\"" } else { - sh "$options.python -m pytest -v --junitxml=$options.resFile $options.testDir" + sh "$options.python -m pytest -v -n auto --junitxml=$options.resFile $options.testDir" } } finally { From dfe2267fef5138b53b6542a122a26bcef0604928 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 13:15:58 +0300 Subject: [PATCH 15/34] switches node testing to native pytest Signed-off-by: Andrey Kononykhin --- Jenkinsfile.ci | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
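Review bot: Adding `-n auto` to the non-runner pytest invocation distributes individual tests across workers, so in-file ordering and shared module-scoped state are no longer guaranteed. A context comment in test_suspension.py earlier in this series asks that one test stay at the end of the suite, which suggests at least some tests depend on ordering. Consider `-n auto --dist loadfile` so each file's tests stay on one worker in order, and check whether any test still relies on cross-file ordering. This hunk also does not show pytest-xdist being added to the CI image, so that should be confirmed.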
diff --git a/Jenkinsfile.ci b/Jenkinsfile.ci index 54e9a68ac..72efd3f78 100644 --- a/Jenkinsfile.ci +++ b/Jenkinsfile.ci @@ -147,7 +147,7 @@ def tests = [ resFile: "test-result-node.${NODE_NAME}.txt", testDir: 'indy_node', python: python, - useRunner: true + useRunner: false ) }, ].collect {k, v -> [k, v]} From c4f1e02abc4b821cbe0586775e155c81709c8d9e Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 14:20:18 +0300 Subject: [PATCH 16/34] replaces md tables with html ones in docs for auth rules Signed-off-by: Andrey Kononykhin --- docs/auth_rules.md | 416 ++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 369 insertions(+), 47 deletions(-) diff --git a/docs/auth_rules.md b/docs/auth_rules.md index 5d640cf21..ba19a4fbd 100644 --- a/docs/auth_rules.md +++ b/docs/auth_rules.md 
@@ -1,56 +1,378 @@ # Current implemented rules in auth_map -| Transaction type | Field | Previous value | New value | Who can| Description | -|------------------|-------|----------------|-----------|--------|-------------| -| NYM |`role` |`` | TRUSTEE | TRUSTEE|Adding new TRUSTEE| -| NYM |`role` |`` | STEWARD | TRUSTEE|Adding new STEWARD| -| NYM |`role` |`` | TRUST_ANCHOR| TRUSTEE, STEWARD|Adding new TRUST_ANCHOR| -| NYM |`role` |`` | NETWORK_MONITOR| TRUSTEE, STEWARD|Adding new NETWORK_MONITOR| -| NYM |`role` |`` |`` | TRUSTEE, STEWARD, TRUST_ANCHOR| Adding new Identity Owner| -| NYM |`role` | TRUSTEE |`` | TRUSTEE | Blacklisting Trustee| -| NYM |`role` | STEWARD |`` | TRUSTEE | Blacklisting Steward| -| NYM |`role` | TRUST_ANCHOR |`` | TRUSTEE | Blacklisting Trust anchor| -| NYM |`role` | NETWORK_MONITOR|`` | TRUSTEE, STEWARD | Blacklisting user with NETWORK_MONITOR role| -| NYM |`verkey`|`*`|`*`| Owner of this nym | Key Rotation| -| SCHEMA |`*`|`*`|`*`| TRUSTEE, STEWARD, TRUST_ANCHOR | Adding new Schema| -| SCHEMA |`*`|`*`|`*`| No one can edit existing Schema | Editing Schema| -| CLAIM_DEF |`*`|`*`|`*`| TRUSTEE, STEWARD, TRUST_ANCHOR| Adding new CLAIM_DEF transaction| -| CLAIM_DEF |`*`|`*`|`*`| Owner of claim_def txn| Editing CLAIM_DEF transaction| -| NODE |`services`|``|`[VALIDATOR]`| STEWARD if it doesn't own NODE transaction yet| Adding new node to pool| -| NODE |`services`|`[VALIDATOR]`|`[]`| TRUSTEE, STEWARD if it is owner of this transaction| Demotion of node| -| NODE |`services`|`[]`|`[VALIDATOR]`| TRUSTEE, STEWARD if it is owner of this transaction| Promotion of node| -| NODE |`node_ip`|`*`|`*`| STEWARD if it is owner of this transaction| Changing Node's ip address| -| NODE |`node_port`|`*`|`*`| STEWARD if it is owner of this transaction| Changing Node's port| -| NODE |`client_ip`|`*`|`*`| STEWARD if it is owner of this transaction| Changing Client's ip address| -| NODE |`client_port`|`*`|`*`| STEWARD if it is owner of this transaction| Changing Client's 
port| -| NODE |`blskey`|`*`|`*`| STEWARD if it is owner of this transaction| Changing Node's blskey| -| POOL_UPGRADE |`action`|``|`start`|TRUSTEE| Starting upgrade procedure| -| POOL_UPGRADE |`action`|`start`|`cancel`|TRUSTEE| Canceling upgrade procedure| -| POOL_RESTART |`action`|`*`|`*`|TRUSTEE| Restarting pool command| -| POOL_CONFIG |`action`|`*`|`*`|TRUSTEE| Pool config command (like a `read only` option)| -| VALIDATOR_INFO |`*`|`*`|`*`| TRUSTEE, STEWARD, NETWORK_MONITOR| Getting validator_info from pool| - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Transaction type + Field + Previous value + New value + Who can + Description +
NYM`role```TRUSTEETRUSTEEAdding new TRUSTEE
NYM`role```STEWARDTRUSTEEAdding new STEWARD
NYM`role```TRUST_ANCHORTRUSTEE, STEWARDAdding new TRUST_ANCHOR
NYM`role```NETWORK_MONITORTRUSTEE, STEWARDAdding new NETWORK_MONITOR
NYM`role`````TRUSTEE, STEWARD, TRUST_ANCHORAdding new Identity Owner
NYM`role`TRUSTEE``TRUSTEEBlacklisting Trustee
NYM`role`STEWARD``TRUSTEEBlacklisting Steward
NYM`role`TRUST_ANCHOR``TRUSTEEBlacklisting Trust anchor
NYM`role`NETWORK_MONITOR``TRUSTEE, STEWARDBlacklisting user with NETWORK_MONITOR role
NYM`verkey``*``*`Owner of this nymKey Rotation
SCHEMA`*``*``*`TRUSTEE, STEWARD, TRUST_ANCHORAdding new Schema
SCHEMA`*``*``*`No one can edit existing SchemaEditing Schema
CLAIM_DEF`*``*``*`TRUSTEE, STEWARD, TRUST_ANCHORAdding new CLAIM_DEF transaction
CLAIM_DEF`*``*``*`Owner of claim_def txnEditing CLAIM_DEF transaction
NODE`services````[VALIDATOR]`STEWARD if it doesn't own NODE transaction yetAdding new node to pool
NODE`services``[VALIDATOR]``[]`TRUSTEE, STEWARD if it is owner of this transactionDemotion of node
NODE`services``[]``[VALIDATOR]`TRUSTEE, STEWARD if it is owner of this transactionPromotion of node
NODE`node_ip``*``*`STEWARD if it is owner of this transactionChanging Node's ip address
NODE`node_port``*``*`STEWARD if it is owner of this transactionChanging Node's port
NODE`client_ip``*``*`STEWARD if it is owner of this transactionChanging Client's ip address
NODE`client_port``*``*`STEWARD if it is owner of this transactionChanging Client's port
NODE`blskey``*``*`STEWARD if it is owner of this transactionChanging Node's blskey
POOL_UPGRADE`action````start`TRUSTEEStarting upgrade procedure
POOL_UPGRADE`action``start``cancel`TRUSTEECanceling upgrade procedure
POOL_RESTART`action``*``*`TRUSTEERestarting pool command
POOL_CONFIG`action``*``*`TRUSTEEPool config command (like a `read only` option)
VALIDATOR_INFO`*``*``*`TRUSTEE, STEWARD, NETWORK_MONITORGetting validator_info from pool
### Also, there is a some optional rules for case if in config option ANYONE_CAN_WRITE is set to True: -| Transaction type | Field | Previous value | New value | Who can| Description | -|------------------|-------|----------------|-----------|--------|-------------| -|NYM |`role`|``|``| Anyone| Adding new nym| -|SCHEMA |`*`|`*`|`*`| Anyone| Any operations with SCHEMA transaction| -|CLAIM_DEF |`*`|`*`|`*`| Anyone| Any operations with CLAIM_DEF transaction| + + + + + + + + + + + <\/tr> + + + + + + + + <\/tr> + + + + + + + + <\/tr> +
Transaction type + Field + Previous value + New value + Who can + Description + <\/tr> +
NYM`role`````AnyoneAdding new nym
SCHEMA`*``*``*`AnyoneAny operations with SCHEMA transaction
CLAIM_DEF`*``*``*`AnyoneAny operations with CLAIM_DEF transaction
### As of now it's not implemented yet, but the next rules for Revocation feature are needed: #### If ANYONE_CAN_WRITE is set to False: -| Transaction type | Field | Previous value | New value | Who can| Description | -|------------------|-------|----------------|-----------|--------|-------------| -|REVOC_REG_DEF|`*`|`*`|`*`| TRUSTEE, STEWARD, TRUST_ANCHOR| Adding new REVOC_REG_DEF| -|REVOC_REG_DEF|`*`|`*`|`*`| Only owners can edit existing REVOC_REG_DEF| Editing REVOC_REG_DEF| -|REVOC_REG_ENTRY|`*`|`*`|`*`| Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRY| Adding new REVOC_REG_ENTRY| -|REVOC_REG_ENTRY|`*`|`*`|`*`| Only owners can edit existing REVOC_REG_ENTRY| Editing REVOC_REG_ENTRY| + + + + + + + + + + + <\/tr> + + + + + + + + <\/tr> + + + + + + + + <\/tr> + + + + + + + + <\/tr> +
Transaction type + Field + Previous value + New value + Who can + Description + <\/tr> +
REVOC_REG_DEF`*``*``*`TRUSTEE, STEWARD, TRUST_ANCHORAdding new REVOC_REG_DEF
REVOC_REG_DEF`*``*``*`Only owners can edit existing REVOC_REG_DEFEditing REVOC_REG_DEF
REVOC_REG_ENTRY`*``*``*`Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRYAdding new REVOC_REG_ENTRY
REVOC_REG_ENTRY`*``*``*`Only owners can edit existing REVOC_REG_ENTRYEditing REVOC_REG_ENTRY
+ #### If ANYONE_CAN_WRITE is set to True: -| Transaction type | Field | Previous value | New value | Who can| Description | -|------------------|-------|----------------|-----------|--------|-------------| -|REVOC_REG_DEF|`*`|`*`|`*`| Anyone can create new REVOC_REG_DEF| Adding new REVOC_REG_DEF| -|REVOC_REG_DEF|`*`|`*`|`*`| Only owners can edit existing REVOC_REG_DEF| Editing REVOC_REG_DEF| -|REVOC_REG_ENTRY|`*`|`*`|`*`| Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRY| Adding new REVOC_REG_ENTRY| -|REVOC_REG_ENTRY|`*`|`*`|`*`| Only owners can edit existing REVOC_REG_ENTRY| Adding new REVOC_REG_ENTRY| + + + + + + + + + + + <\/tr> + + + + + + + + <\/tr> + + + + + + + + <\/tr> + + + + + + + + <\/tr> +
Transaction type + Field + Previous value + New value + Who can + Description + <\/tr> +
REVOC_REG_DEF`*``*``*`Anyone can create new REVOC_REG_DEFAdding new REVOC_REG_DEF
REVOC_REG_DEF`*``*``*`Only owners can edit existing REVOC_REG_DEFEditing REVOC_REG_DEF
REVOC_REG_ENTRY`*``*``*`Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRYAdding new REVOC_REG_ENTRY
REVOC_REG_ENTRY`*``*``*`Only owners can edit existing REVOC_REG_ENTRYAdding new REVOC_REG_ENTRY
From 08c040f125ef4dad3ee8170eae82de3ac914f729 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 14:34:01 +0300 Subject: [PATCH 17/34] improves html in markdown docs Signed-off-by: Andrey Kononykhin --- docs/auth_rules.md | 528 ++++++++++++++++++++++----------------------- 1 file changed, 252 insertions(+), 276 deletions(-) diff --git a/docs/auth_rules.md b/docs/auth_rules.md index ba19a4fbd..d06b87e11 100644 --- a/docs/auth_rules.md +++ b/docs/auth_rules.md @@ -1,378 +1,354 @@ # Current implemented rules in auth_map - - + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + +
Transaction type - Field - Previous value - New value - Who can - Description + Transaction typeFieldPrevious valueNew valueWho canDescription
NYM`role```TRUSTEETRUSTEEAdding new TRUSTEENYM`role```TRUSTEETRUSTEEAdding new TRUSTEE
NYM`role```STEWARDTRUSTEEAdding new STEWARDNYM`role```STEWARDTRUSTEEAdding new STEWARD
NYM`role```TRUST_ANCHORTRUSTEE, STEWARDAdding new TRUST_ANCHORNYM`role```TRUST_ANCHORTRUSTEE, STEWARDAdding new TRUST_ANCHOR
NYM`role```NETWORK_MONITORTRUSTEE, STEWARDAdding new NETWORK_MONITORNYM`role```NETWORK_MONITORTRUSTEE, STEWARDAdding new NETWORK_MONITOR
NYM`role`````TRUSTEE, STEWARD, TRUST_ANCHORAdding new Identity OwnerNYM`role`````TRUSTEE, STEWARD, TRUST_ANCHORAdding new Identity Owner
NYM`role`TRUSTEE``TRUSTEEBlacklisting TrusteeNYM`role`TRUSTEE``TRUSTEEBlacklisting Trustee
NYM`role`STEWARD``TRUSTEEBlacklisting StewardNYM`role`STEWARD``TRUSTEEBlacklisting Steward
NYM`role`TRUST_ANCHOR``TRUSTEEBlacklisting Trust anchorNYM`role`TRUST_ANCHOR``TRUSTEEBlacklisting Trust anchor
NYM`role`NETWORK_MONITOR``TRUSTEE, STEWARDBlacklisting user with NETWORK_MONITOR roleNYM`role`NETWORK_MONITOR``TRUSTEE, STEWARDBlacklisting user with NETWORK_MONITOR role
NYM`verkey``*``*`Owner of this nymKey RotationNYM`verkey``*``*`Owner of this nymKey Rotation
SCHEMA`*``*``*`TRUSTEE, STEWARD, TRUST_ANCHORAdding new SchemaSCHEMA`*``*``*`TRUSTEE, STEWARD, TRUST_ANCHORAdding new Schema
SCHEMA`*``*``*`No one can edit existing SchemaEditing SchemaSCHEMA`*``*``*`No one can edit existing SchemaEditing Schema
CLAIM_DEF`*``*``*`TRUSTEE, STEWARD, TRUST_ANCHORAdding new CLAIM_DEF transactionCLAIM_DEF`*``*``*`TRUSTEE, STEWARD, TRUST_ANCHORAdding new CLAIM_DEF transaction
CLAIM_DEF`*``*``*`Owner of claim_def txnEditing CLAIM_DEF transactionCLAIM_DEF`*``*``*`Owner of claim_def txnEditing CLAIM_DEF transaction
NODE`services````[VALIDATOR]`STEWARD if it doesn't own NODE transaction yetAdding new node to poolNODE`services````[VALIDATOR]`STEWARD if it doesn't own NODE transaction yetAdding new node to pool
NODE`services``[VALIDATOR]``[]`TRUSTEE, STEWARD if it is owner of this transactionDemotion of nodeNODE`services``[VALIDATOR]``[]`TRUSTEE, STEWARD if it is owner of this transactionDemotion of node
NODE`services``[]``[VALIDATOR]`TRUSTEE, STEWARD if it is owner of this transactionPromotion of nodeNODE`services``[]``[VALIDATOR]`TRUSTEE, STEWARD if it is owner of this transactionPromotion of node
NODE`node_ip``*``*`STEWARD if it is owner of this transactionChanging Node's ip addressNODE`node_ip``*``*`STEWARD if it is owner of this transactionChanging Node's ip address
NODE`node_port``*``*`STEWARD if it is owner of this transactionChanging Node's portNODE`node_port``*``*`STEWARD if it is owner of this transactionChanging Node's port
NODE`client_ip``*``*`STEWARD if it is owner of this transactionChanging Client's ip addressNODE`client_ip``*``*`STEWARD if it is owner of this transactionChanging Client's ip address
NODE`client_port``*``*`STEWARD if it is owner of this transactionChanging Client's portNODE`client_port``*``*`STEWARD if it is owner of this transactionChanging Client's port
NODE`blskey``*``*`STEWARD if it is owner of this transactionChanging Node's blskeyNODE`blskey``*``*`STEWARD if it is owner of this transactionChanging Node's blskey
POOL_UPGRADE`action````start`TRUSTEEStarting upgrade procedurePOOL_UPGRADE`action````start`TRUSTEEStarting upgrade procedure
POOL_UPGRADE`action``start``cancel`TRUSTEECanceling upgrade procedurePOOL_UPGRADE`action``start``cancel`TRUSTEECanceling upgrade procedure
POOL_RESTART`action``*``*`TRUSTEERestarting pool commandPOOL_RESTART`action``*``*`TRUSTEERestarting pool command
POOL_CONFIG`action``*``*`TRUSTEEPool config command (like a `read only` option)POOL_CONFIG`action``*``*`TRUSTEEPool config command (like a `read only` option)
VALIDATOR_INFO`*``*``*`TRUSTEE, STEWARD, NETWORK_MONITORGetting validator_info from poolVALIDATOR_INFO`*``*``*`TRUSTEE, STEWARD, NETWORK_MONITORGetting validator_info from pool
### Also, there is a some optional rules for case if in config option ANYONE_CAN_WRITE is set to True: - - + + + + + <\/tr> - - - - - - + + + + + + <\/tr> - - - - - - + + + + + + <\/tr> - - - - - - + + + + + + <\/tr>
Transaction type - Field - Previous value - New value - Who can - Description + Transaction typeFieldPrevious valueNew valueWho canDescription
NYM`role`````AnyoneAdding new nymNYM`role`````AnyoneAdding new nym
SCHEMA`*``*``*`AnyoneAny operations with SCHEMA transactionSCHEMA`*``*``*`AnyoneAny operations with SCHEMA transaction
CLAIM_DEF`*``*``*`AnyoneAny operations with CLAIM_DEF transactionCLAIM_DEF`*``*``*`AnyoneAny operations with CLAIM_DEF transaction
### As of now it's not implemented yet, but the next rules for Revocation feature are needed: #### If ANYONE_CAN_WRITE is set to False: - - + + + + + <\/tr> - - - - - - + + + + + + <\/tr> - - - - - - + + + + + + <\/tr> - - - - - - + + + + + + <\/tr> - - - - - - + + + + + + <\/tr>
Transaction type - Field - Previous value - New value - Who can - Description + Transaction typeFieldPrevious valueNew valueWho canDescription
REVOC_REG_DEF`*``*``*`TRUSTEE, STEWARD, TRUST_ANCHORAdding new REVOC_REG_DEFREVOC_REG_DEF`*``*``*`TRUSTEE, STEWARD, TRUST_ANCHORAdding new REVOC_REG_DEF
REVOC_REG_DEF`*``*``*`Only owners can edit existing REVOC_REG_DEFEditing REVOC_REG_DEFREVOC_REG_DEF`*``*``*`Only owners can edit existing REVOC_REG_DEFEditing REVOC_REG_DEF
REVOC_REG_ENTRY`*``*``*`Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRYAdding new REVOC_REG_ENTRYREVOC_REG_ENTRY`*``*``*`Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRYAdding new REVOC_REG_ENTRY
REVOC_REG_ENTRY`*``*``*`Only owners can edit existing REVOC_REG_ENTRYEditing REVOC_REG_ENTRYREVOC_REG_ENTRY`*``*``*`Only owners can edit existing REVOC_REG_ENTRYEditing REVOC_REG_ENTRY
#### If ANYONE_CAN_WRITE is set to True: - - + + + + + <\/tr> - - - - - - + + + + + + <\/tr> - - - - - - + + + + + + <\/tr> - - - - - - + + + + + + <\/tr> - - - - - - + + + + + + <\/tr>
Transaction type - Field - Previous value - New value - Who can - Description + Transaction typeFieldPrevious valueNew valueWho canDescription
REVOC_REG_DEF`*``*``*`Anyone can create new REVOC_REG_DEFAdding new REVOC_REG_DEFREVOC_REG_DEF`*``*``*`Anyone can create new REVOC_REG_DEFAdding new REVOC_REG_DEF
REVOC_REG_DEF`*``*``*`Only owners can edit existing REVOC_REG_DEFEditing REVOC_REG_DEFREVOC_REG_DEF`*``*``*`Only owners can edit existing REVOC_REG_DEFEditing REVOC_REG_DEF
REVOC_REG_ENTRY`*``*``*`Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRYAdding new REVOC_REG_ENTRYREVOC_REG_ENTRY`*``*``*`Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRYAdding new REVOC_REG_ENTRY
REVOC_REG_ENTRY`*``*``*`Only owners can edit existing REVOC_REG_ENTRYAdding new REVOC_REG_ENTRYREVOC_REG_ENTRY`*``*``*`Only owners can edit existing REVOC_REG_ENTRYAdding new REVOC_REG_ENTRY
From 0d981a993a6fe2cbfa6dde0ceda3da2fe52e280b Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 14:35:25 +0300 Subject: [PATCH 18/34] fixes html in markdown docs Signed-off-by: Andrey Kononykhin --- docs/auth_rules.md | 242 ++++++++++++++++++++++----------------------- 1 file changed, 121 insertions(+), 121 deletions(-) diff --git a/docs/auth_rules.md b/docs/auth_rules.md index d06b87e11..0e162f58d 100644 --- a/docs/auth_rules.md +++ b/docs/auth_rules.md 
@@ -10,217 +10,217 @@ NYM - `role` - `` + role + <empty> TRUSTEE TRUSTEE Adding new TRUSTEE NYM - `role` - `` + role + <empty> STEWARD TRUSTEE Adding new STEWARD NYM - `role` - `` + role + <empty> TRUST_ANCHOR TRUSTEE, STEWARD Adding new TRUST_ANCHOR NYM - `role` - `` + role + <empty> NETWORK_MONITOR TRUSTEE, STEWARD Adding new NETWORK_MONITOR NYM - `role` - `` - `` + role + <empty> + <empty> TRUSTEE, STEWARD, TRUST_ANCHOR Adding new Identity Owner NYM - `role` + role TRUSTEE - `` + <empty> TRUSTEE Blacklisting Trustee NYM - `role` + role STEWARD - `` + <empty> TRUSTEE Blacklisting Steward NYM - `role` + role TRUST_ANCHOR - `` + <empty> TRUSTEE Blacklisting Trust anchor NYM - `role` + role NETWORK_MONITOR - `` + <empty> TRUSTEE, STEWARD Blacklisting user with NETWORK_MONITOR role NYM - `verkey` - `*` - `*` + verkey + * + * Owner of this nym Key Rotation SCHEMA - `*` - `*` - `*` + * + * + * TRUSTEE, STEWARD, TRUST_ANCHOR Adding new Schema SCHEMA - `*` - `*` - `*` + * + * + * No one can edit existing Schema Editing Schema CLAIM_DEF - `*` - `*` - `*` + * + * + * TRUSTEE, STEWARD, TRUST_ANCHOR Adding new CLAIM_DEF transaction CLAIM_DEF - `*` - `*` - `*` + * + * + * Owner of claim_def txn Editing CLAIM_DEF transaction NODE - `services` - `` - `[VALIDATOR]` + services + <empty> + [VALIDATOR] STEWARD if it doesn't own NODE transaction yet Adding new node to pool NODE - `services` - `[VALIDATOR]` - `[]` + services + [VALIDATOR] + [] TRUSTEE, STEWARD if it is owner of this transaction Demotion of node NODE - `services` - `[]` - `[VALIDATOR]` + services + [] + [VALIDATOR] TRUSTEE, STEWARD if it is owner of this transaction Promotion of node NODE - `node_ip` - `*` - `*` + node_ip + * + * STEWARD if it is owner of this transaction Changing Node's ip address NODE - `node_port` - `*` - `*` + node_port + * + * STEWARD if it is owner of this transaction Changing Node's port NODE - `client_ip` - `*` - `*` + client_ip + * + * STEWARD if it is owner of this transaction Changing 
Client's ip address NODE - `client_port` - `*` - `*` + client_port + * + * STEWARD if it is owner of this transaction Changing Client's port NODE - `blskey` - `*` - `*` + blskey + * + * STEWARD if it is owner of this transaction Changing Node's blskey POOL_UPGRADE - `action` - `` - `start` + action + <empty> + start TRUSTEE Starting upgrade procedure POOL_UPGRADE - `action` - `start` - `cancel` + action + start + cancel TRUSTEE Canceling upgrade procedure POOL_RESTART - `action` - `*` - `*` + action + * + * TRUSTEE Restarting pool command POOL_CONFIG - `action` - `*` - `*` + action + * + * TRUSTEE - Pool config command (like a `read only` option) + Pool config command (like a read only option) VALIDATOR_INFO - `*` - `*` - `*` + * + * + * TRUSTEE, STEWARD, NETWORK_MONITOR Getting validator_info from pool @@ -235,31 +235,31 @@ New value Who can Description - <\/tr> + NYM - `role` - `` - `` + role + <empty> + <empty> Anyone Adding new nym - <\/tr> + SCHEMA - `*` - `*` - `*` + * + * + * Anyone Any operations with SCHEMA transaction - <\/tr> + CLAIM_DEF - `*` - `*` - `*` + * + * + * Anyone Any operations with CLAIM_DEF transaction - <\/tr> + @@ -273,39 +273,39 @@ New value Who can Description - <\/tr> + REVOC_REG_DEF - `*` - `*` - `*` + * + * + * TRUSTEE, STEWARD, TRUST_ANCHOR Adding new REVOC_REG_DEF - <\/tr> + REVOC_REG_DEF - `*` - `*` - `*` + * + * + * Only owners can edit existing REVOC_REG_DEF Editing REVOC_REG_DEF - <\/tr> + REVOC_REG_ENTRY - `*` - `*` - `*` + * + * + * Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRY Adding new REVOC_REG_ENTRY - <\/tr> + REVOC_REG_ENTRY - `*` - `*` - `*` + * + * + * Only owners can edit existing REVOC_REG_ENTRY Editing REVOC_REG_ENTRY - <\/tr> + 
@@ -318,37 +318,37 @@ New value Who can Description - <\/tr> + REVOC_REG_DEF - `*` - `*` - `*` + * + * + * Anyone can create new REVOC_REG_DEF Adding new REVOC_REG_DEF - <\/tr> + REVOC_REG_DEF - `*` - `*` - `*` + * + * + * Only owners can edit existing REVOC_REG_DEF Editing REVOC_REG_DEF - <\/tr> + REVOC_REG_ENTRY - `*` - `*` - `*` + * + * + * Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRY Adding new REVOC_REG_ENTRY - <\/tr> + REVOC_REG_ENTRY - `*` - `*` - `*` + * + * + * Only owners can edit existing REVOC_REG_ENTRY Adding new REVOC_REG_ENTRY - <\/tr> + From a349af1c411d7702a27d47d728ae1b5c0aada543 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 14:58:15 +0300 Subject: [PATCH 19/34] improves docs formatting Signed-off-by: Andrey Kononykhin --- docs/auth_rules.md | 214 ++++++++++++++++++++++----------------------- 1 file changed, 107 insertions(+), 107 deletions(-) diff --git a/docs/auth_rules.md b/docs/auth_rules.md index 0e162f58d..5101e2bd5 100644 --- a/docs/auth_rules.md +++ b/docs/auth_rules.md 
@@ -10,217 +10,217 @@ NYM - role - <empty> + role + <empty> TRUSTEE TRUSTEE Adding new TRUSTEE NYM - role - <empty> + role + <empty> STEWARD TRUSTEE Adding new STEWARD NYM - role - <empty> + role + <empty> TRUST_ANCHOR TRUSTEE, STEWARD Adding new TRUST_ANCHOR NYM - role - <empty> + role + <empty> NETWORK_MONITOR TRUSTEE, STEWARD Adding new NETWORK_MONITOR NYM - role - <empty> - <empty> + role + <empty> + <empty> TRUSTEE, STEWARD, TRUST_ANCHOR Adding new Identity Owner NYM - role + role TRUSTEE - <empty> + <empty> TRUSTEE Blacklisting Trustee NYM - role + role STEWARD - <empty> + <empty> TRUSTEE Blacklisting Steward NYM - role + role TRUST_ANCHOR - <empty> + <empty> TRUSTEE Blacklisting Trust anchor NYM - role + role NETWORK_MONITOR - <empty> + <empty> TRUSTEE, STEWARD Blacklisting user with NETWORK_MONITOR role NYM - verkey - * - * + verkey + * + * Owner of this nym Key Rotation SCHEMA - * - * - * + * + * + * TRUSTEE, STEWARD, TRUST_ANCHOR Adding new Schema SCHEMA - * - * - * + * + * + * No one can edit existing Schema Editing Schema CLAIM_DEF - * - * - * + * + * + * TRUSTEE, STEWARD, TRUST_ANCHOR Adding new CLAIM_DEF transaction CLAIM_DEF - * - * - * + * + * + * Owner of claim_def txn Editing CLAIM_DEF transaction NODE - services - <empty> - [VALIDATOR] + services + <empty> + [VALIDATOR] STEWARD if it doesn't own NODE transaction yet Adding new node to pool NODE - services - [VALIDATOR] - [] + services + [VALIDATOR] + [] TRUSTEE, STEWARD if it is owner of this transaction Demotion of node NODE - services - [] - [VALIDATOR] + services + [] + [VALIDATOR] TRUSTEE, STEWARD if it is owner of this transaction Promotion of node NODE - node_ip - * - * + node_ip + * + * STEWARD if it is owner of this transaction Changing Node's ip address NODE - node_port - * - * + node_port + * + * STEWARD if it is owner of this transaction Changing Node's port NODE - client_ip - * - * + client_ip + * + * STEWARD if it is owner of this transaction Changing Client's ip address NODE - 
client_port - * - * + client_port + * + * STEWARD if it is owner of this transaction Changing Client's port NODE - blskey - * - * + blskey + * + * STEWARD if it is owner of this transaction Changing Node's blskey POOL_UPGRADE - action - <empty> - start + action + <empty> + start TRUSTEE Starting upgrade procedure POOL_UPGRADE - action - start - cancel + action + start + cancel TRUSTEE Canceling upgrade procedure POOL_RESTART - action - * - * + action + * + * TRUSTEE Restarting pool command POOL_CONFIG - action - * - * + action + * + * TRUSTEE - Pool config command (like a read only option) + Pool config command (like a read only option) VALIDATOR_INFO - * - * - * + * + * + * TRUSTEE, STEWARD, NETWORK_MONITOR Getting validator_info from pool @@ -238,25 +238,25 @@ NYM - role - <empty> - <empty> + role + <empty> + <empty> Anyone Adding new nym SCHEMA - * - * - * + * + * + * Anyone Any operations with SCHEMA transaction CLAIM_DEF - * - * - * + * + * + * Anyone Any operations with CLAIM_DEF transaction @@ -276,33 +276,33 @@ REVOC_REG_DEF - * - * - * + * + * + * TRUSTEE, STEWARD, TRUST_ANCHOR Adding new REVOC_REG_DEF REVOC_REG_DEF - * - * - * + * + * + * Only owners can edit existing REVOC_REG_DEF Editing REVOC_REG_DEF REVOC_REG_ENTRY - * - * - * + * + * + * Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRY Adding new REVOC_REG_ENTRY REVOC_REG_ENTRY - * - * - * + * + * + * Only owners can edit existing REVOC_REG_ENTRY Editing REVOC_REG_ENTRY @@ -321,33 +321,33 @@ REVOC_REG_DEF - * - * - * + * + * + * Anyone can create new REVOC_REG_DEF Adding new REVOC_REG_DEF REVOC_REG_DEF - * - * - * + * + * + * Only owners can edit existing REVOC_REG_DEF Editing REVOC_REG_DEF REVOC_REG_ENTRY - * - * - * + * + * + * Only the owner of the corresponding REVOC_REG_DEF can create new REVOC_REG_ENTRY Adding new REVOC_REG_ENTRY REVOC_REG_ENTRY - * - * - * + * + * + * Only owners can edit existing REVOC_REG_ENTRY Adding new REVOC_REG_ENTRY 
From dcb6b8a3bc832b915f51d03318783a0687db0c8c Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 15:14:33 +0300 Subject: [PATCH 20/34] updates docs Signed-off-by: Andrey Kononykhin --- docs/transactions.md | 227 ++++++++++++++++++++++--------------------- 1 file changed, 114 insertions(+), 113 deletions(-) diff --git a/docs/transactions.md b/docs/transactions.md index de48af699..6ee85bf59 100644 --- a/docs/transactions.md +++ b/docs/transactions.md @@ -5,15 +5,15 @@ * [Common Structure](#common-structure) * [Domain Ledger](#domain-ledger) - * [NYM](#nym) - * [ATTRIB](#attrib) + * [NYM](#nym) + * [ATTRIB](#attrib) * [SCHEMA](#schema) * [CLAIM_DEF](#claim_def) - -* [Pool Ledger](#pool-ledger) + +* [Pool Ledger](#pool-ledger) * [NODE](#node) - -* [Config Ledger](#config-ledger) + +* [Config Ledger](#config-ledger) * [POOL_UPGRADE](#pool_upgrade) * [NODE_UPGRADE](#node_upgrade) * [POOL_CONFIG](#pool_config) @@ -23,10 +23,10 @@ This doc is about supported transactions and their representation on the Ledger (that is, the internal one). If you are interested in the format of a client's request (both write and read), then have a look at [requests](requests.md). -- All transactions are stored in a distributed ledger (replicated on all nodes) +- All transactions are stored in a distributed ledger (replicated on all nodes) - The ledger is based on a [Merkle Tree](https://en.wikipedia.org/wiki/Merkle_tree) - The ledger consists of two things: - - transactions log as a sequence of key-value pairs + - transactions log as a sequence of key-value pairs where key is a sequence number of the transaction and value is the serialized transaction - merkle tree (where hashes for leaves and nodes are persisted) - Each transaction has a sequence number (no gaps) - keys in transactions log 
@@ -43,13 +43,13 @@ where key is a sequence number of the transaction and value is the serialized tr Below you can find the format and description of all supported transactions. ## Genesis Transactions -As Indy is a public **permissioned** blockchain, each ledger may have a number of pre-defined +As Indy is a public **permissioned** blockchain, each ledger may have a number of pre-defined transactions defining the initial pool and network. - pool genesis transactions define initial trusted nodes in the pool - domain genesis transactions define initial trusted trustees and stewards ## Common Structure -Each transaction has the following structure consisting of metadata values (common for all transaction types) and +Each transaction has the following structure consisting of metadata values (common for all transaction types) and transaction specific data: ``` { @@ -57,12 +57,12 @@ transaction specific data: "txn": { "type": <...>, "protocolVersion": <...>, - + "data": { "ver": <...>, }, - + "metadata": { "reqId": <...>, "from": <...> @@ -70,7 +70,7 @@ transaction specific data: }, "txnMetadata": { "txnTime": <...>, - "seqNo": <...>, + "seqNo": <...>, "txnId": <...> }, "reqSignature": { @@ -85,16 +85,16 @@ transaction specific data: - `ver` (string): Transaction version to be able to evolve content. - The content of all sub-fields may depend on this version. + The content of all sub-fields may depend on this version. - `txn` (dict): - + Transaction-specific payload (data) - `type` (enum number as string): - + Supported transaction types: - + - NODE = 0 - NYM = 1 - ATTRIB = 100 
@@ -104,63 +104,63 @@ transaction specific data: - NODE_UPGRADE = 110 - POOL_CONFIG = 111 - - `protocolVersion` (integer; optional): - + - `protocolVersion` (integer; optional): + The version of client-to-node or node-to-node protocol. Each new version may introduce a new feature in requests/replies/data. Since clients and different nodes may be at different versions, we need this field to support backward compatibility - between clients and nodes. - + between clients and nodes. + - `data` (dict): - Transaction-specific data fields (see following sections for each transaction's description). - + Transaction-specific data fields (see following sections for each transaction's description). + - `metadata` (dict): - + Metadata as came from the request. - `from` (base58-encoded string): Identifier (DID) of the transaction submitter (client who sent the transaction) as base58-encoded string for 16 or 32 byte DID value. - It may differ from `did` field for some of transaction (for example NYM), where `did` is a + It may differ from `did` field for some of transaction (for example NYM), where `did` is a target identifier (for example, a newly created DID identifier). - + *Example*: `from` is a DID of a Trust Anchor creating a new DID, and `did` is a newly created DID. - - - `reqId` (integer): + + - `reqId` (integer): Unique ID number of the request with transaction. - + - `txnMetadata` (dict): - - Metadata attached to the transaction. - + + Metadata attached to the transaction. + - `version` (integer): Transaction version to be able to evolve `txnMetadata`. - The content of `txnMetadata` may depend on the version. - - - `txnTime` (integer as POSIX timestamp): + The content of `txnMetadata` may depend on the version. + + - `txnTime` (integer as POSIX timestamp): The time when transaction was written to the Ledger as POSIX timestamp. 
- + - `seqNo` (integer): A unique sequence number of the transaction on Ledger - + - `txnId` (string): Txn ID as State Trie key (address or descriptive data). It must be unique within the ledger. - - + + - `reqSignature` (dict): Submitter's signature over request with transaction (`txn` field). - + - `type` (string enum): - + - ED25519: ed25519 signature - ED25519_MULTI: ed25519 signature in multisig case. - - - `values` (list): - + + - `values` (list): + - `from` (base58-encoded string): Identifier (DID) of signer as base58-encoded string for 16 or 32 byte DID value. - + - `value` (base58-encoded string): signature value 
@@ -172,27 +172,27 @@ Please note that all these metadata fields may be absent for genesis transaction Creates a new NYM record for a specific user, trust anchor, steward or trustee. Note that only trustees and stewards can create new trust anchors and a trustee can be created only by other trustees (see [roles](https://github.com/hyperledger/indy-node/blob/master/docs/auth_rules.md)). -The transaction can be used for +The transaction can be used for creation of new DIDs, setting and rotation of verification key, setting and changing of roles. - `dest` (base58-encoded string): Target DID as base58-encoded string for 16 or 32 byte DID value. It differs from the `from` metadata field, where `from` is the DID of the submitter. - + *Example*: `from` is a DID of a Trust Anchor creating a new DID, and `dest` is a newly created DID. - -- `role` (enum number as integer; optional): + +- `role` (enum number as integer; optional): Role of a user that the NYM record is being created for. One of the following values - + - None (common USER) - 0 (TRUSTEE) - 2 (STEWARD) - 101 (TRUST_ANCHOR) - + A TRUSTEE can change any Nym's role to None, thus stopping it from making any further writes (see [roles](https://github.com/hyperledger/indy-node/blob/master/docs/auth_rules.md)). - + - `verkey` (base58-encoded string, possibly starting with "~"; optional): Target verification key as base58-encoded string. It can start with "~", which means that 
@@ -202,14 +202,15 @@ creation of new DIDs, setting and rotation of verification key, setting and chan (doesn't own the identifier yet). Verkey can be changed to "None" by owner, it means that this user goes back under guardianship. -- `alias` (string; optional): +- `alias` (string; optional): NYM's alias. If there is no NYM transaction for the specified DID (`did`) yet, then this can be considered as the creation of a new DID. If there is already a NYM transaction with the specified DID (`did`), then this is is considered an update of that DID. -In this case we can specify only the values we would like to update. All unspecified values remain unchanged. +In this case **only the values that need to be updated should be specified** since any specified one is treated as an update even if it matches the current value in ledger. All unspecified values remain unchanged. + So, if key rotation needs to be performed, the owner of the DID needs to send a NYM request with `did` and `verkey` only. `role` and `alias` will stay the same. @@ -221,14 +222,14 @@ So, if key rotation needs to be performed, the owner of the DID needs to send a "txn": { "type":"1", "protocolVersion":1, - + "data": { "ver": 1, "dest":"GEzcdDLhCpGCYRHW82kjHd", "verkey":"~HmUWn928bnFT6Ephf65YXv", "role":101, }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", 
@@ -258,14 +259,14 @@ Adds an attribute to a NYM record Target DID we set an attribute for as base58-encoded string for 16 or 32 byte DID value. It differs from `from` metadata field, where `from` is the DID of the submitter. - + *Example*: `from` is a DID of a Trust Anchor setting an attribute for a DID, and `dest` is the DID we set an attribute for. - + - `raw` (sha256 hash string; mutually exclusive with `hash` and `enc`): - Hash of the raw attribute data. + Hash of the raw attribute data. Raw data is represented as JSON, where the key is the attribute name and the value is the attribute value. - The ledger only stores a hash of the raw data; the real (unhashed) raw data is stored in a separate + The ledger only stores a hash of the raw data; the real (unhashed) raw data is stored in a separate attribute store. - `hash` (sha256 hash string; mutually exclusive with `raw` and `enc`): @@ -276,8 +277,8 @@ Adds an attribute to a NYM record - `enc` (sha256 hash string; mutually exclusive with `raw` and `hash`): Hash of encrypted attribute data. - The ledger contains the hash only; the real encrypted data is stored in a separate - attribute store. + The ledger contains the hash only; the real encrypted data is stored in a separate + attribute store. **Example**: ``` @@ -286,13 +287,13 @@ Adds an attribute to a NYM record "txn": { "type":"100", "protocolVersion":1, - + "data": { "ver":1, "dest":"GEzcdDLhCpGCYRHW82kjHd", "raw":"3cba1e3cf23c8ce24b7e08171d823fbd9a4929aafd9f27516e30699d3a42026a", }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -300,7 +301,7 @@ Adds an attribute to a NYM record }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, "txnId": "N22KY2Dyvmuu2PyyqSFKue|02" }, "reqSignature": { 
@@ -321,13 +322,13 @@ It's not possible to update an existing schema. So, if the Schema needs to be evolved, a new Schema with a new version or new name needs to be created. - `data` (dict): - + Dictionary with Schema's data: - + - `attr_names`: array of attribute name strings - `name`: Schema's name string - `version`: Schema's version string - + **Example**: ``` @@ -336,7 +337,7 @@ So, if the Schema needs to be evolved, a new Schema with a new version or new na "txn": { "type":101, "protocolVersion":1, - + "data": { "ver":1, "data": { @@ -345,7 +346,7 @@ So, if the Schema needs to be evolved, a new Schema with a new version or new na "version":"1.0" }, }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -353,7 +354,7 @@ So, if the Schema needs to be evolved, a new Schema with a new version or new na }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, "txnId":"L5AD5g65TDQr1PPHHRoiGf1|Degree|1.0", }, "reqSignature": { @@ -363,7 +364,7 @@ So, if the Schema needs to be evolved, a new Schema with a new version or new na "value": "4X3skpoEK2DRgZxQ9PwuEvCJpL8JHdQ8X4HDDFyztgqE15DM2ZnkvrAh9bQY16egVinZTzwHqznmnkaFM4jjyDgd" }] } - + } ``` @@ -374,14 +375,14 @@ It's not possible to update `data` in an existing claim definition. Therefore if an existing claim defintion needs to be evolved (for example, a key needs to be rotated), a new claim definition needs to be created for a new Issuer DID (`did`). - `data` (dict): - + Dictionary with claim definition's data: - + - `primary` (dict): primary claim public key - `revocation` (dict): revocation claim public key - + - `ref` (string): - + Sequence number of a schema transaction the claim definition is created for. - `signature_type` (string): 
@@ -391,8 +392,8 @@ Therefore if an existing claim defintion needs to be evolved (for example, a key - `tag` (string, optional): A unique tag to have multiple public keys for the same Schema and type issued by the same DID. - A default tag `tag` will be used if not specified. - + A default tag `tag` will be used if not specified. + **Example**: ``` { @@ -400,7 +401,7 @@ Therefore if an existing claim defintion needs to be evolved (for example, a key "txn": { "type":102, "protocolVersion":1, - + "data": { "ver":1, "data": { @@ -415,7 +416,7 @@ Therefore if an existing claim defintion needs to be evolved (for example, a key "signature_type":"CL", 'tag': 'some_tag' }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -423,7 +424,7 @@ Therefore if an existing claim defintion needs to be evolved (for example, a key }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, "txnId":"HHAD5g65TDQr1PPHHRoiGf2L5AD5g65TDQr1PPHHRoiGf1|Degree1|CL|key1", }, "reqSignature": { 
@@ -443,29 +444,29 @@ Therefore if an existing claim defintion needs to be evolved (for example, a key Adds a new node to the pool or updates an existing node in the pool - `data` (dict): - + Data associated with the Node: - + - `alias` (string): Node's alias - `blskey` (base58-encoded string; optional): BLS multi-signature key as base58-encoded string (it's needed for BLS signatures and state proofs support) - - `client_ip` (string; optional): Node's client listener IP address, that is the IP clients use to connect to the node when sending read and write requests (ZMQ with TCP) + - `client_ip` (string; optional): Node's client listener IP address, that is the IP clients use to connect to the node when sending read and write requests (ZMQ with TCP) - `client_port` (string; optional): Node's client listener port, that is the port clients use to connect to the node when sending read and write requests (ZMQ with TCP) - `node_ip` (string; optional): The IP address other Nodes use to communicate with this Node; no clients are allowed here (ZMQ with TCP) - `node_port` (string; optional): The port other Nodes use to communicate with this Node; no clients are allowed here (ZMQ with TCP) - - `services` (array of strings; optional): the service of the Node. `VALIDATOR` is the only supported one now. + - `services` (array of strings; optional): the service of the Node. `VALIDATOR` is the only supported one now. - `dest` (base58-encoded string): Target Node's DID as base58-encoded string for 16 or 32 byte DID value. It differs from `identifier` metadata field, where `identifier` is the DID of the transaction submitter (Steward's DID). - + *Example*: `identifier` is a DID of a Steward creating a new Node, and `dest` is the DID of this Node. - + - `verkey` (base58-encoded string, possibly starting with "~"; optional): Target Node verification key as base58-encoded string. - It may absent if `dest` is 32-bit cryptonym CID. - + It may absent if `dest` is 32-bit cryptonym CID. 
+ If there is no NODE transaction with the specified Node ID (`dest`), then it can be considered as creation of a new NODE. @@ -482,7 +483,7 @@ There is no need to specify all other fields, and they will remain the same. "txn": { "type":0, "protocolVersion":1, - + "data": { "data": { "alias":"Delta", @@ -495,7 +496,7 @@ There is no need to specify all other fields, and they will remain the same. }, "dest":"4yC546FFzorLPgTNTc6V43DnpFrR8uHvtunBxb2Suaa2", }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -503,7 +504,7 @@ There is no need to specify all other fields, and they will remain the same. }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, "txnId":"Delta", }, "reqSignature": { 
@@ -530,29 +531,29 @@ Command to upgrade the Pool (sent by Trustee). It upgrades the specified Nodes ( - `action` (enum: `start` or `cancel`): Starts or cancels the Upgrade. - + - `version` (string): The version of indy-node package we perform upgrade to. Must be greater than existing one (or equal if `reinstall` flag is True). - + - `schedule` (dict of node DIDs to timestamps): Schedule of when to perform upgrade on each node. This is a map where Node DIDs are keys, and upgrade time is a value (see example below). If `force` flag is False, then it's required that time difference between each Upgrade must be not less than 5 minutes (to give each Node enough time and not make the whole Pool go down during Upgrade). - + - `sha256` (sha256 hash string): sha256 hash of the package - + - `force` (boolean; optional): Whether we should apply transaction (schedule Upgrade) without waiting for consensus of this transaction. If false, then transaction is applied only after it's written to the ledger. Otherwise it's applied regardless of result of consensus, and there are no restrictions on the Upgrade `schedule` for each Node. - So, we can Upgrade the whole Pool at the same time when it's set to True. + So, we can Upgrade the whole Pool at the same time when it's set to True. False by default. Avoid setting to True without good reason. - `reinstall` (boolean; optional): @@ -575,7 +576,7 @@ Command to upgrade the Pool (sent by Trustee). It upgrades the specified Nodes ( "txn": { "type":109, "protocolVersion":1, - + "data": { "ver":1, "name":"upgrade-13", @@ -588,7 +589,7 @@ Command to upgrade the Pool (sent by Trustee). It upgrades the specified Nodes ( "timeout":1, "justification":null, }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -597,7 +598,7 @@ Command to upgrade the Pool (sent by Trustee). It upgrades the specified Nodes ( }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, }, "reqSignature": { "type": "ED25519", 
@@ -612,14 +613,14 @@ Command to upgrade the Pool (sent by Trustee). It upgrades the specified Nodes ( #### NODE_UPGRADE Status of each Node's upgrade (sent by each upgraded Node) -- `action` (enum string): +- `action` (enum string): One of `in_progress`, `complete` or `fail`. - -- `version` (string): - + +- `version` (string): + The version of indy-node the node was upgraded to. - + **Example:** ``` @@ -628,13 +629,13 @@ Status of each Node's upgrade (sent by each upgraded Node) "txn": { "type":110, "protocolVersion":1, - + "data": { "ver":1, "action":"complete", "version":"1.2" }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -642,7 +643,7 @@ Status of each Node's upgrade (sent by each upgraded Node) }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, "txnId":"upgrade-13", }, "reqSignature": { @@ -670,9 +671,9 @@ Command to change Pool's configuration Whether we should apply transaction (for example, move pool to read-only state) without waiting for consensus of this transaction. If false, then transaction is applied only after it's written to the ledger. - Otherwise it's applied regardless of result of consensus. + Otherwise it's applied regardless of result of consensus. False by default. Avoid setting to True without good reason. - + **Example:** ``` @@ -681,13 +682,13 @@ Command to change Pool's configuration "txn": { "type":111, "protocolVersion":1, - + "data": { "ver":1, "writes":false, "force":true, }, - + "metadata": { "reqId":1513945121191691, "from":"L5AD5g65TDQr1PPHHRoiGf", @@ -695,7 +696,7 @@ Command to change Pool's configuration }, "txnMetadata": { "txnTime":1513945121, - "seqNo": 10, + "seqNo": 10, "txnId":"1111", }, "reqSignature": { From 2fe9cba721aadf0fbf2977c9483092c32822d7ca Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 15:25:47 +0300 Subject: [PATCH 21/34] adds TODO comment 
Signed-off-by: Andrey Kononykhin --- indy_node/test/nym_txn/test_nym_auth_rules.py | 1 + 1 file changed, 1 insertion(+) diff --git a/indy_node/test/nym_txn/test_nym_auth_rules.py b/indy_node/test/nym_txn/test_nym_auth_rules.py index 8eda213e6..d8662a091 100644 --- a/indy_node/test/nym_txn/test_nym_auth_rules.py +++ b/indy_node/test/nym_txn/test_nym_auth_rules.py @@ -20,6 +20,7 @@ # - mixed cases: both verkey and role are presented in NYM txn # ??? possibly not necessary for now since role and verkey related constrains # are composed like logical AND validation fails if any of them fails +# - ANYONE_CAN_WRITE=True case # FIXTURES From 2b0284487e9bbd6cbd518b7359d2ecda0b3e85b8 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 15:28:35 +0300 Subject: [PATCH 22/34] reverts to use runner.py for node part Signed-off-by: Andrey Kononykhin --- Jenkinsfile.ci | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile.ci b/Jenkinsfile.ci index 72efd3f78..54e9a68ac 100644 --- a/Jenkinsfile.ci +++ b/Jenkinsfile.ci @@ -147,7 +147,7 @@ def tests = [ resFile: "test-result-node.${NODE_NAME}.txt", testDir: 'indy_node', python: python, - useRunner: false + useRunner: true ) }, ].collect {k, v -> [k, v]} From 815c71079f78b88c099a71c8db3b5f60bde61699 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 15:35:35 +0300 Subject: [PATCH 23/34] reverts pytest-xdist usage Signed-off-by: Andrey Kononykhin --- Jenkinsfile.ci | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile.ci b/Jenkinsfile.ci index 54e9a68ac..7e75dbb20 100644 --- a/Jenkinsfile.ci +++ b/Jenkinsfile.ci 
@@ -99,7 +99,7 @@ def test(options=[:]) { if (options.useRunner) { sh "PYTHONASYNCIODEBUG='0' $options.python runner.py --pytest \"$options.python -m pytest -v\" --dir $options.testDir --output \"$options.resFile\" --test-only-slice \"$options.testOnlySlice\"" } else { - sh "$options.python -m pytest -v -n auto --junitxml=$options.resFile $options.testDir" + sh "$options.python -m pytest -v --junitxml=$options.resFile $options.testDir" } } finally { From 01a79dae4432d4f2127bb4f81557ec31cde8e935 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 16:01:23 +0300 Subject: [PATCH 24/34] bumps plenum version Signed-off-by: Andrey Kononykhin --- indy_node/test/nym_txn/test_nym_auth_rules.py | 1 - 1 file changed, 1 deletion(-) diff --git a/indy_node/test/nym_txn/test_nym_auth_rules.py b/indy_node/test/nym_txn/test_nym_auth_rules.py index d8662a091..3caa7a5b2 100644 --- a/indy_node/test/nym_txn/test_nym_auth_rules.py +++ b/indy_node/test/nym_txn/test_nym_auth_rules.py @@ -10,7 +10,6 @@ from plenum.test.helper import sdk_sign_and_submit_op, sdk_get_and_check_replies from plenum.test.pool_transactions.helper import sdk_add_new_nym -from indy_common.constants import IDENTITY_OWNER, TRUST_ANCHOR, NETWORK_MONITOR from indy_common.roles import Roles from indy_node.test.helper import createHalfKeyIdentifierAndAbbrevVerkey From 9d61eb636f3a311fdf23dbc5b1a1e6ad27d07997 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 16:01:48 +0300 Subject: [PATCH 25/34] updates indy-node roles for DIDs Signed-off-by: Andrey Kononykhin --- indy_common/constants.py | 3 --- indy_common/roles.py | 2 +- setup.py | 2 +- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/indy_common/constants.py b/indy_common/constants.py index 9c2a6a91f..fb65c4c85 100644 --- a/indy_common/constants.py +++ b/indy_common/constants.py 
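Review bot: The rewritten non-runner command still interpolates `$options.resFile` and `$options.testDir` into the shell line unquoted, while the runner branch directly above it passes `--output \"$options.resFile\"` in quotes. The result file name is built from `${NODE_NAME}` elsewhere in this Jenkinsfile, so an agent name containing a space or a shell metacharacter would split or alter this command. Quoting both values keeps the two branches consistent: `sh "$options.python -m pytest -v --junitxml=\"$options.resFile\" \"$options.testDir\""`. The body of `test()` starts and ends outside this hunk.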
@@ -126,9 +126,6 @@ # FIXME can be automated by iteration through Roles # but it would be less self-descriptive -IDENTITY_OWNER = Roles.IDENTITY_OWNER.value -IDENTITY_OWNER_STRING = None - TRUST_ANCHOR = Roles.TRUST_ANCHOR.value TRUST_ANCHOR_STRING = 'TRUST_ANCHOR' diff --git a/indy_common/roles.py b/indy_common/roles.py index cfd79ed92..d09a374de 100644 --- a/indy_common/roles.py +++ b/indy_common/roles.py @@ -8,7 +8,7 @@ class Roles(Enum): # These numeric constants CANNOT be changed once they have been used, # because that would break backwards compatibility with the ledger # Also the numeric constants CANNOT collide with the roles in plenum - IDENTITY_OWNER = None # FIXME might makes sense to move to plenum + IDENTITY_OWNER = Roles.IDENTITY_OWNER.value TRUSTEE = Roles.TRUSTEE.value STEWARD = Roles.STEWARD.value TRUST_ANCHOR = "101" diff --git a/setup.py b/setup.py index 88b35881d..a0bdc2cc8 100644 --- a/setup.py +++ b/setup.py @@ -56,7 +56,7 @@ data_files=[( (BASE_DIR, ['data/nssm_original.exe']) )], - install_requires=['indy-plenum-dev==1.6.665', + install_requires=['indy-plenum-dev==1.6.666', 'python-dateutil', 'timeout-decorator==0.4.0', 'distro==1.3.0'], From f5d8ed0b85ee021b448be17bb17ac72568e73f4d Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Wed, 30 Jan 2019 17:19:56 +0300 Subject: [PATCH 26/34] fixes fixture scope Signed-off-by: Andrey Kononykhin --- indy_node/test/nym_txn/test_nym_auth_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/indy_node/test/nym_txn/test_nym_auth_rules.py b/indy_node/test/nym_txn/test_nym_auth_rules.py index 3caa7a5b2..7677e0aad 100644 --- a/indy_node/test/nym_txn/test_nym_auth_rules.py +++ b/indy_node/test/nym_txn/test_nym_auth_rules.py @@ -182,7 +182,7 @@ def provisioned_role(request): return request.param -@pytest.fixture(scope="module") +@pytest.fixture(scope="function") def provisioned(provisioned_role): did, verkey = createHalfKeyIdentifierAndAbbrevVerkey() return ( 
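Review bot: `IDENTITY_OWNER = Roles.IDENTITY_OWNER.value` in indy_common/roles.py replaces a literal `None` with whatever the pinned plenum release defines, and nothing on the line records which value is required. The comment above it says these constants cannot change once used on the ledger, and docs/transactions.md in this same series documents the common user role as `None`, so a different value coming from plenum would presumably change how role-less NYMs are matched by the auth rules. A comment such as `# must resolve to None: an identity owner is stored on the ledger as a NYM without a role` would make that dependency explicit; plenum's definition is not visible here, so this should be confirmed against the 1.6.666 package. The class body continues outside the hunk.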
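Review bot: `@pytest.fixture(scope="function")` on `provisioned` spells out pytest's default scope without saying why the module scope was wrong. Presumably a module-scoped DID/verkey pair from `createHalfKeyIdentifierAndAbbrevVerkey()` was reused after an earlier test had already written it to the ledger, which would turn later "create" cases into "update" cases. A one-line comment such as `# per-test scope: each case needs a DID that is not yet on the ledger` would keep the next reader from widening the scope again for speed. The fixture body continues past the end of the hunk.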
From ec01697bf6b35bff6b1c3711ef0c7e39c16080fc Mon Sep 17 00:00:00 2001 From: "olga.zheregelya" Date: Wed, 30 Jan 2019 14:36:11 +0000 Subject: [PATCH 27/34] add NETWORK_MONITOR to acceptance batches Signed-off-by: olga.zheregelya --- ...3-01-identity-owner-anyone-can-write.batch | 32 +++++++++++++++-- .../AS-03-01-identity-owner.batch | 30 +++++++++++++++- .../indy-cli-batches/AS-03-01-steward.batch | 26 ++++++++++++-- .../AS-03-01-trust-anchor.batch | 35 +++++++++++++++++-- .../indy-cli-batches/AS-03-01-trustee.batch | 24 ++++++++++++- 5 files changed, 138 insertions(+), 9 deletions(-) diff --git a/acceptance/indy-cli-batches/AS-03-01-identity-owner-anyone-can-write.batch b/acceptance/indy-cli-batches/AS-03-01-identity-owner-anyone-can-write.batch index 723f1d9f6..8e37518a0 100644 --- a/acceptance/indy-cli-batches/AS-03-01-identity-owner-anyone-can-write.batch +++ b/acceptance/indy-cli-batches/AS-03-01-identity-owner-anyone-can-write.batch 
@@ -18,10 +18,22 @@ did new seed=TestTrustAnchor30000000000000003 metadata="test trust anchor 3" did new seed=RandomUser1000000000000000000003 metadata="test identity 1" did new seed=RandomUser2000000000000000000003 metadata="test identity 2" did new seed=RandomUser3000000000000000000003 metadata="test identity 3" +did new seed=NetworkMonitor000000000000000001 metadata="network monitor 1" +did new seed=NetworkMonitor000000000000000002 metadata="network monitor 2" +did new seed=NetworkMonitor000000000000000003 metadata="network monitor 3" # AS Trustee CREATE Steward (steward1) did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=AhqUV2zHYdNaWLFCCe7xCn role=STEWARD verkey=~YUY2ChUGWJovtU6XTn61D8 - ledger get-nym did=AhqUV2zHYdNaWLFCCe7xCn +# AS Trustee CREATE NetworkMonitor (network monitor 1) +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=GSoagH52cX69hnn7npUTWy role=NETWORK_MONITOR verkey=~5JEp1pUJbzD1YqimvA6hk6 +- ledger get-nym did=GSoagH52cX69hnn7npUTWy +# AS Trustee CREATE NetworkMonitor (network monitor 2) and blacklist it +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=CjPA39BhAVG5d3mV2ZEAYE role=NETWORK_MONITOR verkey=~MnEdozF43zQFRdZLN25mya +ledger nym did=CjPA39BhAVG5d3mV2ZEAYE role= +- ledger get-nym did=CjPA39BhAVG5d3mV2ZEAYE # AS Trustee CREATE TrustAnchor (anchor1) did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=DriVwCMbtEgkmoEHKin6Ah role=TRUST_ANCHOR verkey=~YPZot1kM4DLwvsX6mtcKd9 
@@ -71,11 +83,21 @@ did use LBbKEeczA9iL21p4Kgxcuf did use LBbKEeczA9iL21p4Kgxcuf ledger nym did=Fk9ENxnz1ztDgdivQBJTCZ verkey=~NT9ANFeDhCLKDg5PNKZXKK - ledger get-nym did=Fk9ENxnz1ztDgdivQBJTCZ -# #8 check that can't add roles back when don't have necessary permissions +# #8 AS IdentityOwner CREATE NetworkMonitor (FAIL) +did use LBbKEeczA9iL21p4Kgxcuf +- ledger nym did=Nd4dUF85aa1JmDFScLfk7o role=NETWORK_MONITOR verkey=~5aJLqtphR3tqymWUwg98Sz +# #9.1 AS IdentityOwner REMOVE NetworkMonitor (FAIL) +did use LBbKEeczA9iL21p4Kgxcuf +- ledger nym did=GSoagH52cX69hnn7npUTWy role= +# #9.2 CHECK NetworkMonitor IS VALID +did use GSoagH52cX69hnn7npUTWy +ledger get-validator-info nodes=Node1 +# #10 check that can't add roles back when don't have necessary permissions did use LBbKEeczA9iL21p4Kgxcuf - ledger nym did=Q8uxmCGdXgLHHtaTwYtVJG role=TRUST_ANCHOR - ledger nym did=Q8uxmCGdXgLHHtaTwYtVJG role=STEWARD - ledger nym did=Q8uxmCGdXgLHHtaTwYtVJG role=TRUSTEE +- ledger nym did=CjPA39BhAVG5d3mV2ZEAYE role=NETWORK_MONITOR ### Additional cases ### did use V4SGRU86Z58d6TV7PBUe6f did new seed=RandomAttribOwner000000000000003 
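Review bot: The negative cases added here (#8, #9.1 and the new `role=NETWORK_MONITOR` line in #10) are marked only with a leading `-`, and this file also puts that prefix in front of commands that are expected to succeed (`- ledger get-nym ...` right after a successful create), so the prefix appears to tolerate a failure rather than require one. #9.1 is backed by the positive check in #9.2, but #8 and #10 have no follow-up, so an identity owner that was wrongly allowed to create or restore a NETWORK_MONITOR would not stop the batch. A follow-up in the style of #9.2 would help: switch to the DID in question, run `- ledger get-validator-info nodes=Node1`, and state in a comment that the rejection has to be checked in the batch output. The same applies to the matching hunks in AS-03-01-identity-owner.batch and AS-03-01-trust-anchor.batch.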
@@ -102,4 +124,10 @@ did use UffJCJngTXc1o84dQ7aEUb # Identity Owner can create SCHEMA: (PASS with ANYONE_CAN_WRITE=True) ledger schema name=IdentityOwnerSchema version=1.0 attr_names=name,age # Identity Owner can create CLAIM_DEF: (PASS with ANYONE_CAN_WRITE=True, but will fail because of wrong schema id) -- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=3 \ No newline at end of file +- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=3 +# Identity Owner can't RESTART POOL +did use LBbKEeczA9iL21p4Kgxcuf +- ledger pool-restart action=start datetime=2020-01-25T12:49:05.258870+00:00 nodes=Node4 +# Identity Owner can't get validator-info +did use LBbKEeczA9iL21p4Kgxcuf +- ledger get-validator-info nodes=Node1 \ No newline at end of file diff --git a/acceptance/indy-cli-batches/AS-03-01-identity-owner.batch b/acceptance/indy-cli-batches/AS-03-01-identity-owner.batch index d70d58da7..89af84b6d 100644 --- a/acceptance/indy-cli-batches/AS-03-01-identity-owner.batch +++ b/acceptance/indy-cli-batches/AS-03-01-identity-owner.batch 
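Review bot: The new `ledger pool-restart` line hard-codes `datetime=2020-01-25T12:49:05.258870+00:00`, so what this case exercises depends on when the batch is run. Once that moment has passed the request asks for a restart in the past, and a rejection can no longer be attributed to the missing role alone (how a past datetime is handled is not visible here). A comment such as `# datetime must lie in the future, refresh before running` or a far-future value would keep the case meaningful. The same line is added in the last hunks of AS-03-01-identity-owner.batch, AS-03-01-steward.batch and AS-03-01-trust-anchor.batch.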
@@ -18,10 +18,22 @@ did new seed=TestTrustAnchor30000000000000003 metadata="test trust anchor 3" did new seed=RandomUser1000000000000000000003 metadata="test identity 1" did new seed=RandomUser2000000000000000000003 metadata="test identity 2" did new seed=RandomUser3000000000000000000003 metadata="test identity 3" +did new seed=NetworkMonitor100000000000000003 metadata="network monitor 1" +did new seed=NetworkMonitor200000000000000003 metadata="network monitor 2" +did new seed=NetworkMonitor300000000000000003 metadata="network monitor 3" # AS Trustee CREATE Steward (steward1) did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=AhqUV2zHYdNaWLFCCe7xCn role=STEWARD verkey=~YUY2ChUGWJovtU6XTn61D8 - ledger get-nym did=AhqUV2zHYdNaWLFCCe7xCn +# AS Trustee CREATE NetworkMonitor (network monitor 1) +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=zsFQSgcs9GdmHr6nYgJfj role=NETWORK_MONITOR verkey=~Y2gktifxXw9J85GXFKpZQ6 +- ledger get-nym did=zsFQSgcs9GdmHr6nYgJfj +# AS Trustee CREATE NetworkMonitor (network monitor 2) +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=Pn1rJGNmmcKi88B2qo2Emn role=NETWORK_MONITOR verkey=~usAvjM7QfLR9Qf2bZSBZU +ledger nym did=Pn1rJGNmmcKi88B2qo2Emn role= +- ledger get-nym did=Pn1rJGNmmcKi88B2qo2Emn # AS Trustee CREATE TrustAnchor (anchor1) did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=DriVwCMbtEgkmoEHKin6Ah role=TRUST_ANCHOR verkey=~YPZot1kM4DLwvsX6mtcKd9 
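Review bot: The comment `# AS Trustee CREATE NetworkMonitor (network monitor 2)` describes only half of the lines under it, because the second `ledger nym did=Pn1rJGNmmcKi88B2qo2Emn role=` strips the role again. A later case in this file relies on that demotion when it tries to restore the role as an identity owner. The other batches in this patch word the same setup as `# AS Trustee CREATE NetworkMonitor (network monitor 2) and blacklist it`, and using that wording here would keep the setup readable.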
@@ -71,11 +83,21 @@ did use LBbKEeczA9iL21p4Kgxcuf did use LBbKEeczA9iL21p4Kgxcuf - ledger nym did=Fk9ENxnz1ztDgdivQBJTCZ verkey=~NT9ANFeDhCLKDg5PNKZXKK - ledger get-nym did=Fk9ENxnz1ztDgdivQBJTCZ +# #8 AS IdentityOwner CREATE NetworkMonitor (FAIL) +did use LBbKEeczA9iL21p4Kgxcuf +- ledger nym did=NGMUrRk7EDTRunXLgY7KWn role=NETWORK_MONITOR verkey=~NGMUrRk7EDTRunXLgY7KWn +# #9.1 AS IdentityOwner REMOVE NetworkMonitor (FAIL) +did use LBbKEeczA9iL21p4Kgxcuf +- ledger nym did=zsFQSgcs9GdmHr6nYgJfj role= +# #9.2 CHECK NetworkMonitor IS VALID +did use zsFQSgcs9GdmHr6nYgJfj +ledger get-validator-info nodes=Node1 # #8 check that can't add roles back when don't have necessary permissions did use LBbKEeczA9iL21p4Kgxcuf - ledger nym did=Q8uxmCGdXgLHHtaTwYtVJG role=TRUST_ANCHOR - ledger nym did=Q8uxmCGdXgLHHtaTwYtVJG role=STEWARD - ledger nym did=Q8uxmCGdXgLHHtaTwYtVJG role=TRUSTEE +- ledger nym did=Pn1rJGNmmcKi88B2qo2Emn role=NETWORK_MONITOR ### Additional cases ### did use V4SGRU86Z58d6TV7PBUe6f did new seed=RandomAttribOwner000000000000003 @@ -102,4 +124,10 @@ did use UffJCJngTXc1o84dQ7aEUb # Identity Owner can't create SCHEMA: (FAIL) - ledger schema name=IdentityOwnerSchema version=1.0 attr_names=name,age # Identity Owner can't create CLAIM_DEF: (FAIL) -- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=3 \ No newline at end of file +- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=3 +# Identity Owner can't RESTART POOL +did use LBbKEeczA9iL21p4Kgxcuf +- ledger pool-restart action=start datetime=2020-01-25T12:49:05.258870+00:00 nodes=Node4 +# Identity Owner can't get validator-info +did use LBbKEeczA9iL21p4Kgxcuf +- ledger get-validator-info nodes=Node1 \ No newline at end of file 
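Review bot: In the new case #8 the request carries `verkey=~NGMUrRk7EDTRunXLgY7KWn`, which is the DID string itself reused as the abbreviated verkey, whereas every other NYM in these batches has a verkey distinct from its DID. That looks like a copy-paste rather than the key derived from the "network monitor 3" seed, and it leaves open whether a rejection comes from the authorization rule or from the malformed pair. The verkey printed by `did new` for that seed should be used instead. The untouched comment after #9.2 is also still numbered `# #8`, while the anyone-can-write batch renumbers the same block to `# #10`.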
diff --git a/acceptance/indy-cli-batches/AS-03-01-steward.batch b/acceptance/indy-cli-batches/AS-03-01-steward.batch index 6700e3cc0..a193d39ee 100644 --- a/acceptance/indy-cli-batches/AS-03-01-steward.batch +++ b/acceptance/indy-cli-batches/AS-03-01-steward.batch @@ -18,6 +18,9 @@ did new seed=RandomUser2000000000000000000001 metadata="test identity 2" did new seed=RandomUser4000000000000000000001 metadata="test identity 4" did new seed=RandomUser5000000000000000000001 metadata="test identity 5" did new seed=000000000000000000000000Trustee1 metadata="default trustee" +did new seed=NetworkMonitor100000000000000001 metadata="network monitor 1" +did new seed=NetworkMonitor200000000000000001 metadata="network monitor 2" +did new seed=NetworkMonitor300000000000000001 metadata="network monitor 3" did use V4SGRU86Z58d6TV7PBUe6f # AS Trustee CREATE Steward (steward1) ledger nym did=7qFmEyYCXcmUFVied5Sp3b role=STEWARD verkey=~Mj3PFUSi6qmrTRonFXHx9n 
@@ -80,8 +83,21 @@ ledger nym did=Xm3b3LtJ3UoL5KeYT7ti7j verkey=~GmTyyvE4eHWeSWuiAtmE19 did use 7qFmEyYCXcmUFVied5Sp3b - ledger nym did=7qFmEyYCXcmUFVied5Sp3b role= # #9.2 CHECK Steward IS VALID -ledger nym did=Jt7aMnw77aoaBMyhXUNjtt verkey=~DT5pLP1wcvsgAzM78sqiRJ +ledger nym did=Jt7aMnw77aoaBMyhXUNjt1 verkey=~DT5pLP1wcvsgAzM78sqiR1 role=TRUST_ANCHOR - ledger get-nym did=Jt7aMnw77aoaBMyhXUNjtt +# #10 AS Steward (steward1) CREATE NetworkMonitor (PASS) +did use 7qFmEyYCXcmUFVied5Sp3b +ledger nym did=7e6ttq44HKVSHitCE3BLXv role=NETWORK_MONITOR verkey=~9NGbkySmcB9d6rZ7pPxwtY +# #11.1 AS Steward (steward1) REMOVE NetworkMonitor (PASS) +ledger nym did=7e6ttq44HKVSHitCE3BLXv role= +# #11.2 CHECK NetworkMonitor IS INVALID +did use 7e6ttq44HKVSHitCE3BLXv +- ledger get-validator-info nodes=Node1 +# #12.1 AS Steward (steward1) RESTORE NetworkMonitor (PASS) +ledger nym did=7e6ttq44HKVSHitCE3BLXv role=NETWORK_MONITOR +# #12.2 CHECK NetworkMonitor IS VALID +did use 7e6ttq44HKVSHitCE3BLXv +ledger get-validator-info nodes=Node1 ### Additional cases ### did use V4SGRU86Z58d6TV7PBUe6f did new seed=RandomAttribOwner000000000000001 @@ -108,4 +124,10 @@ did use 6LKnRH6hWPSpoWu824s5JH # Steward can create SCHEMA: ledger schema name=StewardSchema version=1.0 attr_names=name,age # Steward can create CLAIM_DEF (will fail because of wrong schema id): -- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=1 \ No newline at end of file +- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=1 +# Steward can't RESTART POOL +did use SvXt2QGwZF1kXTcpd2pJ37 +- ledger pool-restart action=start datetime=2020-01-25T12:49:05.258870+00:00 nodes=Node4 +# Steward can get validator-info +did use SvXt2QGwZF1kXTcpd2pJ37 +ledger get-validator-info nodes=Node1 \ No newline at end of file 
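Review bot: Case #12.1 is labelled "AS Steward (steward1) RESTORE NetworkMonitor", but the active DID at that point is still the demoted monitor, because #11.2 ran `did use 7e6ttq44HKVSHitCE3BLXv` and nothing switches back. As written the `ledger nym ... role=NETWORK_MONITOR` request is submitted by the role-less DID for itself, so the batch either aborts there or passes for a reason the test does not intend. Adding `did use 7qFmEyYCXcmUFVied5Sp3b` before that line fixes it. In the same hunk the changed #9.2 line now writes `did=Jt7aMnw77aoaBMyhXUNjt1` while the read-back below still queries `Jt7aMnw77aoaBMyhXUNjtt`; it should read `- ledger get-nym did=Jt7aMnw77aoaBMyhXUNjt1`.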
diff --git a/acceptance/indy-cli-batches/AS-03-01-trust-anchor.batch b/acceptance/indy-cli-batches/AS-03-01-trust-anchor.batch index da2eb4d10..ed9334e8f 100644 --- a/acceptance/indy-cli-batches/AS-03-01-trust-anchor.batch +++ b/acceptance/indy-cli-batches/AS-03-01-trust-anchor.batch @@ -17,6 +17,9 @@ did new seed=TestTrustAnchorCreateTrustAncho4 metadata="Trust Anchor 4" did new seed=TestTrustAnchorRandomUser1000002 metadata="Random User 1" did new seed=TestTrustAnchorRandomUser2000002 metadata="Random User 2" did new seed=TestTrustAnchorRandomUser3000002 metadata="Random User 3" +did new seed=NetworkMonitor100000000000000002 metadata="network monitor 1" +did new seed=NetworkMonitor200000000000000002 metadata="network monitor 2" +did new seed=NetworkMonitor300000000000000002 metadata="network monitor 3" # AS Trustee CREATE Steward (steward1) did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=23LxaWGVajU7vMn7zcrHGK role=STEWARD verkey=~UgkZ1ktZV2DQg1sJn3tjdP @@ -29,7 +32,17 @@ ledger nym did=T6XTs3nSU3J7ptAcxSnaVo role=TRUST_ANCHOR verkey=~5izgZjWpw3gxeDB9 did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=TPrMRHHSunP3cEtpkY8gi7 role=TRUST_ANCHOR verkey=~ANMdNhQ3uuyXDmn7cxi8df - ledger get-nym did=TPrMRHHSunP3cEtpkY8gi7 -# test section +# AS Trustee CREATE NetworkMonitor (network monitor 1) +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=E26xPPB4bhNkq5Dg4VDjca role=NETWORK_MONITOR verkey=~5tog9W8jT14rWCEyhgSoTP +- ledger get-nym did=E26xPPB4bhNkq5Dg4VDjca +# AS Trustee CREATE NetworkMonitor (network monitor 2) and blacklist it +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=UR1jYsBfADbYK5FZoF76Mh role=NETWORK_MONITOR verkey=~TBtVAJCA6BwVyQSmCanRQy +ledger nym did=UR1jYsBfADbYK5FZoF76Mh role= +################ +# test section # +################ # #1 AS TrustAnchor CREATE IdentityOwner (user1) (PASS) did use T6XTs3nSU3J7ptAcxSnaVo ledger nym did=MXYSvpB5e549z6nqa1nTEh verkey=~PR7BXc75UwtiPvKjtDn26N 
@@ -73,11 +86,21 @@ did use T6XTs3nSU3J7ptAcxSnaVo # #8.2 CHECK TrustAnchor IS VALID ledger nym did=WDLETDtBugFiJvtkghHoH verkey=~QdAhvFaZ81ZZ1DxwqZ5i8i - ledger get-nym did=WDLETDtBugFiJvtkghHoH -# #9 check that can't add roles back when don't have necessary permissions +# #9 AS TrustAnchor CREATE NetworkMonitor (FAIL) +did use T6XTs3nSU3J7ptAcxSnaVo +- ledger nym did=CUH8zNzehDNhpsGAnXJauU role=NETWORK_MONITOR verkey=~CgMAueZVNZRUsCrjgHsKs4 +# #10.1 AS TrustAnchor REMOVE NetworkMonitor (FAIL) +did use T6XTs3nSU3J7ptAcxSnaVo +- ledger nym did=E26xPPB4bhNkq5Dg4VDjca role= +# #10.2 CHECK NetworkMonitor IS VALID +did use E26xPPB4bhNkq5Dg4VDjca +ledger get-validator-info nodes=Node1 +# #11 check that can't add roles back when don't have necessary permissions did use T6XTs3nSU3J7ptAcxSnaVo - ledger nym did=WDLETDtBugFiJvtkghHoH role=TRUST_ANCHOR - ledger nym did=WDLETDtBugFiJvtkghHoH role=STEWARD - ledger nym did=WDLETDtBugFiJvtkghHoH role=TRUSTEE +- ledger nym did=UR1jYsBfADbYK5FZoF76Mh role=NETWORK_MONITOR ### Additional cases ### did use V4SGRU86Z58d6TV7PBUe6f did new seed=RandomAttribOwner000000000000002 @@ -104,4 +127,10 @@ did use ETcbLj612u9oXr7adZSWZV # TrustAnchor can create SCHEMA: ledger schema name=TrustAnchorSchema version=1.0 attr_names=name,age # TrustAnchor can create CLAIM_DEF (will fail because of wrong schema id): -- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=2 \ No newline at end of file +- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=2 +# Identity Owner can't RESTART POOL +did use T6XTs3nSU3J7ptAcxSnaVo +- ledger pool-restart action=start datetime=2020-01-25T12:49:05.258870+00:00 nodes=Node4 +# Identity Owner can't get validator-info +did use T6XTs3nSU3J7ptAcxSnaVo +- ledger get-validator-info nodes=Node1 \ No newline at end of file 
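Review bot: The two comments added at the end of this file say "Identity Owner", but the DID selected under them, `T6XTs3nSU3J7ptAcxSnaVo`, is the one this batch creates with `role=TRUST_ANCHOR` and uses in the "AS TrustAnchor" steps. In a role-permission matrix the label is what a reader checks the result against, so suggest `# TrustAnchor can't RESTART POOL` and `# TrustAnchor can't get validator-info`. The last hunk of AS-03-01-trustee.batch has the same copy-paste slip: its comments say "Steward can RESTART POOL" and "Steward can get validator-info" while the surrounding steps run `484PvcK1gUqwWEWCkumDzA` as Trustee.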
diff --git a/acceptance/indy-cli-batches/AS-03-01-trustee.batch b/acceptance/indy-cli-batches/AS-03-01-trustee.batch index e6d9cab36..5c42812e2 100644 --- a/acceptance/indy-cli-batches/AS-03-01-trustee.batch +++ b/acceptance/indy-cli-batches/AS-03-01-trustee.batch @@ -17,6 +17,9 @@ did new seed=RandomUser2000000000000000000000 metadata="test identity 2" did new seed=RandomUser4000000000000000000000 metadata="test identity 4" did new seed=RandomUser5000000000000000000000 metadata="test identity 5" did new seed=000000000000000000000000Trustee1 metadata="default trustee" +did new seed=NetworkMonitor100000000000000000 metadata="network monitor 1" +did new seed=NetworkMonitor200000000000000000 metadata="network monitor 2" +did new seed=NetworkMonitor300000000000000000 metadata="network monitor 3" did use V4SGRU86Z58d6TV7PBUe6f # AS Trustee (default) CREATE Trustee (trustee2) ledger nym did=QQMQmb1mrBRJR3vx6GP4kg role=TRUSTEE verkey=~7Cj2MTAjyAbHdAiuafgCUW @@ -86,6 +89,19 @@ ledger nym did=NhF3hPZyV715sfmvsjhj1h verkey=~EjjPJGQcnFGhuyS35bVMGA did use V4SGRU86Z58d6TV7PBUe6f ledger nym did=6nnZTxQ18EkVEjVV6hBMeT verkey=~2TBdyJLgAhkbogxjpUfPJD - ledger get-nym did=6nnZTxQ18EkVEjVV6hBMeT +# #10 AS Trustee (default) CREATE NetworkMonitor (PASS) +did use V4SGRU86Z58d6TV7PBUe6f +ledger nym did=5JNBLdovQap28Ncm8haqH4 role=NETWORK_MONITOR verkey=~VvRtNwrsLbgikyzAz3vohj +# #11.1 AS Trustee (default) REMOVE NetworkMonitor (PASS) +ledger nym did=5JNBLdovQap28Ncm8haqH4 role= +# #11.2 CHECK NetworkMonitor IS INVALID +did use V4SGRU86Z58d6TV7PBUe6f +- ledger get-validator-info nodes=Node1 +# #12.1 AS Trustee (default) RESTORE NetworkMonitor (PASS) +ledger nym did=5JNBLdovQap28Ncm8haqH4 role=NETWORK_MONITOR +# #12.2 CHECK NetworkMonitor IS VALID +did use 5JNBLdovQap28Ncm8haqH4 +ledger get-validator-info nodes=Node1 # #11 AS Trustee (trustee2) REMOVE self (trustee2) (PASS) did use QQMQmb1mrBRJR3vx6GP4kg ledger nym did=QQMQmb1mrBRJR3vx6GP4kg role= 
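Review bot: Step #11.2 "CHECK NetworkMonitor IS INVALID" selects `V4SGRU86Z58d6TV7PBUe6f`, the default Trustee DID used for #10, not the monitor `5JNBLdovQap28Ncm8haqH4` whose role was removed in #11.1. The expected-failure `get-validator-info` therefore exercises the Trustee, and the demoted monitor's access is never checked; the steward batch does this step with the monitor's DID. Change the line to `did use 5JNBLdovQap28Ncm8haqH4` and add `did use V4SGRU86Z58d6TV7PBUe6f` under `# #12.1` so the restore still runs as Trustee. The new steps also reuse the number #11, which the following "REMOVE self" step already carries.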
@@ -117,4 +133,10 @@ did use 484PvcK1gUqwWEWCkumDzA # Trustee can create SCHEMA: ledger schema name=TrusteeSchema version=1.0 attr_names=name,age # Trustee can create CLAIM_DEF (will fail because of wrong schema id): -- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=10 \ No newline at end of file +- ledger cred-def schema_id=1 signature_type=CL primary={"n":"1","s":"2","rms":"3","r":{"age":"4","name":"5"},"rctxt":"6","z":"7"} tag=10 +# Steward can RESTART POOL +did use 484PvcK1gUqwWEWCkumDzA +ledger pool-restart action=start datetime=2020-01-25T12:49:05.258870+00:00 nodes=Node4 +# Steward can get validator-info +did use 484PvcK1gUqwWEWCkumDzA +ledger get-validator-info nodes=Node1 \ No newline at end of file From 8fdad5900fe52d35610703bdfcdb60402bdbba15 Mon Sep 17 00:00:00 2001 From: toktar Date: Thu, 31 Jan 2019 00:28:15 +0300 Subject: [PATCH 28/34] Bump plenum 1.6.667 Signed-off-by: toktar --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 88b35881d..fda14da00 100644 --- a/setup.py +++ b/setup.py @@ -56,7 +56,7 @@ data_files=[( (BASE_DIR, ['data/nssm_original.exe']) )], - install_requires=['indy-plenum-dev==1.6.665', + install_requires=['indy-plenum-dev==1.6.667', 'python-dateutil', 'timeout-decorator==0.4.0', 'distro==1.3.0'], From 20198115bb5a26df1b90fdc1a4eb2f24817eaee0 Mon Sep 17 00:00:00 2001 From: Andrey Kononykhin Date: Thu, 31 Jan 2019 11:36:29 +0300 Subject: [PATCH 29/34] removes unnecessary fixtures Signed-off-by: Andrey Kononykhin --- indy_node/test/nym_txn/test_nym_auth_rules.py | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/indy_node/test/nym_txn/test_nym_auth_rules.py b/indy_node/test/nym_txn/test_nym_auth_rules.py index 7677e0aad..54ff8236e 100644 --- a/indy_node/test/nym_txn/test_nym_auth_rules.py +++ b/indy_node/test/nym_txn/test_nym_auth_rules.py 
@@ -136,26 +136,11 @@ def create_new_did(looper, sdk_pool_handle, creator, role, skipverkey=False): creator=creator, wallet_handle=creator.wallet_handle) -@pytest.fixture(scope="module") -def client(sdk_wallet_client): - return DIDWallet(did=sdk_wallet_client[1], role=Roles.IDENTITY_OWNER, wallet_handle=sdk_wallet_client[0]) - - @pytest.fixture(scope="module") def trustee(sdk_wallet_trustee): return DIDWallet(did=sdk_wallet_trustee[1], role=Roles.TRUSTEE, wallet_handle=sdk_wallet_trustee[0]) -@pytest.fixture(scope="module") -def steward(sdk_wallet_steward): - return DIDWallet(did=sdk_wallet_steward[1], role=Roles.STEWARD, wallet_handle=sdk_wallet_steward[0]) - - -@pytest.fixture(scope="module", params=list(Roles)) -def role(request): - return request.param - - def did_fixture_wrapper(): def _fixture(looper, sdk_pool_handle, txnPoolNodeSet, trustee, request): marker = request.node.get_marker('skip_did_verkey') @@ -164,6 +149,7 @@ def _fixture(looper, sdk_pool_handle, txnPoolNodeSet, trustee, request): return _fixture +# adds did_per_module and did_per_function fixtures for scope in ('module', 'function'): setattr( sys.modules[__name__], From 140df7b063814e8ec9cf7032c096b94e138e1ec8 Mon Sep 17 00:00:00 2001 From: Andrew Nikitin Date: Thu, 31 Jan 2019 13:57:25 +0300 Subject: [PATCH 30/34] [INDY-1963] make some in error format Signed-off-by: Andrew Nikitin --- indy_common/authorize/auth_constraints.py | 20 +++++- indy_common/authorize/authorizer.py | 2 +- indy_common/test/auth/test_auth_constraint.py | 61 +++++++++++++++++-- 3 files changed, 73 insertions(+), 10 deletions(-) diff --git a/indy_common/authorize/auth_constraints.py b/indy_common/authorize/auth_constraints.py index 5df2eed8e..26bc3af58 100644 --- a/indy_common/authorize/auth_constraints.py +++ b/indy_common/authorize/auth_constraints.py 
@@ -26,9 +26,23 @@ def __init__(self, role, sig_count, need_to_be_owner=False, metadata={}): def __str__(self): role = get_named_role(self.role) if self.role != '*' else 'ALL' - return "Required role: {}, Count of signatures: {}, Need to be owner: {}".format(role, - self.sig_count, - self.need_to_be_owner) + if role != 'ALL' and self.need_to_be_owner and self.sig_count > 1: + return "{} {} signatures are required and needs to be owner".format(self.sig_count, role) + elif role != 'ALL' and not self.need_to_be_owner and self.sig_count > 1: + return "{} {} signatures are required".format(self.sig_count, role) + elif role != 'ALL' and not self.need_to_be_owner and self.sig_count == 1: + return "1 {} signature is required".format(role) + elif role != 'ALL' and self.need_to_be_owner and self.sig_count == 1: + return "1 {} signature is required and needs to be owner".format(role) + + elif role == "ALL" and self.need_to_be_owner and self.sig_count == 1: + return "1 signature of any role is required and needs to be owner" + elif role == 'ALL' and not self.need_to_be_owner and self.sig_count == 1: + return "1 signature of any role is required".format(role) + elif role == 'ALL' and not self.need_to_be_owner and self.sig_count > 1: + return "{} signatures of any role are required".format(self.sig_count) + elif role == "ALL" and self.need_to_be_owner and self.sig_count > 1: + return "{} signatures of any role are required and needs to be owner".format(self.sig_count) class AuthConstraintAnd(AbstractAuthConstraint): diff --git a/indy_common/authorize/authorizer.py b/indy_common/authorize/authorizer.py index 06bd43234..0715459c3 100644 --- a/indy_common/authorize/authorizer.py +++ b/indy_common/authorize/authorizer.py 
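Review bot: The new `__str__` is an eight-way `if/elif` chain with no final `else`, and every branch tests `self.sig_count == 1` or `> 1`; for a `sig_count` of 0 or less no branch matches, the method returns `None`, and `str(constraint)` raises `TypeError`. This text is apparently meant for authorization error messages, so building it from parts removes both the gap and the duplication. The `"1 signature of any role is required".format(role)` branch also passes an argument to a string with no placeholder. The rewrite below yields the same eight strings the new tests assert, and a test with `sig_count=0` would pin the fallback; the enclosing class starts outside the hunk.

```python
    def __str__(self):
        role = get_named_role(self.role) if self.role != '*' else 'ALL'
        # any sig_count other than 1 takes the plural form, so no input falls through
        plural = self.sig_count != 1
        noun = "signatures" if plural else "signature"
        verb = "are" if plural else "is"
        if role == 'ALL':
            text = "{} {} of any role {} required".format(self.sig_count, noun, verb)
        else:
            text = "{} {} {} {} required".format(self.sig_count, role, noun, verb)
        if self.need_to_be_owner:
            text += " and needs to be owner"
        return text
```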
@@ -79,7 +79,7 @@ def authorize(self,
 if not is_role_accepted:
 return False, "{} can not do this action".format(self.get_named_role_from_req(request))
 if not self.is_sig_count_accepted(request, auth_constraint):
- return False, "Count of signatures is not accepted"
+ return False, "Not enough signatures"
 if not self.is_owner_accepted(auth_constraint, auth_action):
 return False, "{} can not touch verkey field since only the owner can modify it".\
 format(self.get_named_role_from_req(request))
diff --git a/indy_common/test/auth/test_auth_constraint.py b/indy_common/test/auth/test_auth_constraint.py
index f0c3d3d79..e5d4004dd 100644
--- a/indy_common/test/auth/test_auth_constraint.py
+++ b/indy_common/test/auth/test_auth_constraint.py
@@ -2,11 +2,60 @@ from plenum.common.constants import TRUSTEE, STEWARD -def test_str_for_auth_constraint(): +def test_str_not_any_7_sig_owner(): + constraint = AuthConstraint(role=TRUSTEE, + sig_count=7, + need_to_be_owner=True) + assert str(constraint) == '7 TRUSTEE signatures are required and needs to be owner' + + +def test_str_not_any_7_sig_not_owner(): + constraint = AuthConstraint(role=TRUSTEE, + sig_count=7, + need_to_be_owner=False) + assert str(constraint) == '7 TRUSTEE signatures are required' + + +def test_str_not_any_1_sig_not_owner(): + constraint = AuthConstraint(role=TRUSTEE, + sig_count=1, + need_to_be_owner=False) + assert str(constraint) == '1 TRUSTEE signature is required' + + +def test_str_not_any_1_sig_owner(): constraint = AuthConstraint(role=TRUSTEE, sig_count=1, need_to_be_owner=True) - assert str(constraint) == 'Required role: TRUSTEE, Count of signatures: 1, Need to be owner: True' + assert str(constraint) == '1 TRUSTEE signature is required and needs to be owner' + + +def test_str_any_1_sig_owner(): + constraint = AuthConstraint(role="*", + sig_count=1, + need_to_be_owner=True) + assert str(constraint) == '1 signature of any role is required and needs to be owner' + + +def test_str_any_1_sig_not_owner(): + constraint = AuthConstraint(role='*', + sig_count=1, + need_to_be_owner=False) + assert str(constraint) == '1 signature of any role is required' + + +def test_str_any_several_sig_not_owner(): + constraint = AuthConstraint(role='*', + sig_count=7, + need_to_be_owner=False) + assert str(constraint) == '7 signatures of any role are required' + + +def test_str_any_several_sig_owner(): + constraint = AuthConstraint(role='*', + sig_count=7, + need_to_be_owner=True) + assert str(constraint) == '7 signatures of any role are required and needs to be owner' def test_str_for_auth_constraint_or(): 
@@ -16,9 +65,9 @@ def test_str_for_auth_constraint_or(): AuthConstraint(role=STEWARD, sig_count=1, need_to_be_owner=True)]) - assert str(constraint) == 'Required role: TRUSTEE, Count of signatures: 1, Need to be owner: True ' \ + assert str(constraint) == '1 TRUSTEE signature is required and needs to be owner ' \ 'OR ' \ - 'Required role: STEWARD, Count of signatures: 1, Need to be owner: True' + '1 STEWARD signature is required and needs to be owner' def test_str_for_auth_constraint_and(): @@ -28,6 +77,6 @@ def test_str_for_auth_constraint_and(): AuthConstraint(role=STEWARD, sig_count=1, need_to_be_owner=True)]) - assert str(constraint) == 'Required role: TRUSTEE, Count of signatures: 1, Need to be owner: True ' \ + assert str(constraint) == '1 TRUSTEE signature is required and needs to be owner ' \ 'AND ' \ - 'Required role: STEWARD, Count of signatures: 1, Need to be owner: True' + '1 STEWARD signature is required and needs to be owner' From d011d58f0164268084391474818c3642737de48d Mon Sep 17 00:00:00 2001 From: toktar Date: Thu, 31 Jan 2019 18:03:45 +0300 Subject: [PATCH 31/34] Bump plenum 1.6.669 Signed-off-by: toktar --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index fda14da00..a433d80f6 100644 --- a/setup.py +++ b/setup.py @@ -56,7 +56,7 @@ data_files=[( (BASE_DIR, ['data/nssm_original.exe']) )], - install_requires=['indy-plenum-dev==1.6.667', + install_requires=['indy-plenum-dev==1.6.669', 'python-dateutil', 'timeout-decorator==0.4.0', 'distro==1.3.0'], From bc4d77917a321f357b1ed6454ab35c1faad59866 Mon Sep 17 00:00:00 2001 From: Andrew Nikitin Date: Fri, 1 Feb 2019 12:05:05 +0300 Subject: [PATCH 32/34] [INDY-1963] devide owner erros by txn type Signed-off-by: Andrew Nikitin --- indy_common/authorize/authorizer.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/indy_common/authorize/authorizer.py b/indy_common/authorize/authorizer.py index 0715459c3..b02e60e32 100644 
--- a/indy_common/authorize/authorizer.py +++ b/indy_common/authorize/authorizer.py @@ -4,6 +4,7 @@ from indy_common.authorize.auth_constraints import AbstractAuthConstraint, AuthConstraint, ROLE_CONSTRAINT_ID, \ AuthConstraintAnd from indy_common.authorize.helper import get_named_role +from indy_common.constants import NYM, CLAIM_DEF from indy_common.types import Request from indy_node.persistence.idr_cache import IdrCache @@ -81,8 +82,13 @@ def authorize(self, if not self.is_sig_count_accepted(request, auth_constraint): return False, "Not enough signatures" if not self.is_owner_accepted(auth_constraint, auth_action): - return False, "{} can not touch verkey field since only the owner can modify it".\ - format(self.get_named_role_from_req(request)) + if auth_action.txn_type == NYM: + return False, "{} can not touch verkey field since only the owner can modify it".\ + format(self.get_named_role_from_req(request)) + if auth_action.txn_type == CLAIM_DEF: + return False, "{} can not edit CLAIM_DEF txn since only owner can modify it".\ + format(self.get_named_role_from_req(request)) + return "Actor must be owner" return True, "" From f53f1bf87c3ea1f0e6132c98ef9d0a1182e6fbec Mon Sep 17 00:00:00 2001 From: Andrew Nikitin Date: Fri, 1 Feb 2019 15:01:41 +0300 Subject: [PATCH 33/34] [INDY-1963] create get_name_from_code for error strings and add some tests Signed-off-by: Andrew Nikitin --- indy_common/authorize/authorizer.py | 9 ++-- indy_common/constants.py | 1 + indy_common/test/test_transactions.py | 61 ++++++++++++++++++++++++++- indy_common/transactions.py | 7 +++ 4 files changed, 73 insertions(+), 5 deletions(-) diff --git a/indy_common/authorize/authorizer.py b/indy_common/authorize/authorizer.py index b02e60e32..ad216bcb4 100644 --- a/indy_common/authorize/authorizer.py +++ b/indy_common/authorize/authorizer.py 
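Review bot: The fall-through `return "Actor must be owner"` in the owner check returns a bare string, while every other exit of `authorize` visible here returns a `(bool, str)` pair. A non-empty string is truthy, so a caller that tests the result treats this denial as success, and one that unpacks two values gets a `ValueError`; it should be `return False, "Actor must be owner"`. The line is reached for any transaction type other than NYM and CLAIM_DEF. Patch 33/34 later in this series replaces the branch, but this commit on its own leaves the deny path inconsistent. The body of `authorize` starts outside the hunk.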
@@ -5,6 +5,7 @@ AuthConstraintAnd from indy_common.authorize.helper import get_named_role from indy_common.constants import NYM, CLAIM_DEF +from indy_common.transactions import IndyTransactions from indy_common.types import Request from indy_node.persistence.idr_cache import IdrCache @@ -85,10 +86,10 @@ def authorize(self, if auth_action.txn_type == NYM: return False, "{} can not touch verkey field since only the owner can modify it".\ format(self.get_named_role_from_req(request)) - if auth_action.txn_type == CLAIM_DEF: - return False, "{} can not edit CLAIM_DEF txn since only owner can modify it".\ - format(self.get_named_role_from_req(request)) - return "Actor must be owner" + else: + return False, "{} can not edit {} txn since only owner can modify it".\ + format(self.get_named_role_from_req(request), + IndyTransactions.get_name_from_code(auth_action.txn_type)) return True, "" diff --git a/indy_common/constants.py b/indy_common/constants.py index 559ebda75..e7e6ec557 100644 --- a/indy_common/constants.py +++ b/indy_common/constants.py @@ -146,6 +146,7 @@ GET_REVOC_REG_DEF = IndyTransactions.GET_REVOC_REG_DEF.value GET_REVOC_REG = IndyTransactions.GET_REVOC_REG.value GET_REVOC_REG_DELTA = IndyTransactions.GET_REVOC_REG_DELTA.value +CHANGE_KEY = IndyTransactions.CHANGE_KEY.value POOL_UPGRADE = IndyTransactions.POOL_UPGRADE.value NODE_UPGRADE = IndyTransactions.NODE_UPGRADE.value diff --git a/indy_common/test/test_transactions.py b/indy_common/test/test_transactions.py index d8c594b36..c598838c6 100644 --- a/indy_common/test/test_transactions.py +++ b/indy_common/test/test_transactions.py 
@@ -1,5 +1,6 @@ from indy_common.constants import NYM, NODE, ATTRIB, SCHEMA, CLAIM_DEF, DISCLO, GET_ATTR, GET_NYM, GET_TXNS, \ - GET_SCHEMA, GET_CLAIM_DEF, POOL_UPGRADE, NODE_UPGRADE, POOL_CONFIG + GET_SCHEMA, GET_CLAIM_DEF, POOL_UPGRADE, NODE_UPGRADE, POOL_CONFIG, REVOC_REG_DEF, REVOC_REG_ENTRY, \ + GET_REVOC_REG_DEF, GET_REVOC_REG, GET_REVOC_REG_DELTA, POOL_RESTART, VALIDATOR_INFO, CHANGE_KEY from indy_common.transactions import IndyTransactions @@ -18,6 +19,16 @@ def testTransactionsAreEncoded(): assert POOL_UPGRADE == "109" assert NODE_UPGRADE == "110" assert POOL_CONFIG == "111" + assert CHANGE_KEY == "112" + + assert REVOC_REG_DEF == "113" + assert REVOC_REG_ENTRY == "114" + assert GET_REVOC_REG_DEF == "115" + assert GET_REVOC_REG == "116" + assert GET_REVOC_REG_DELTA == "117" + + assert POOL_RESTART == "118" + assert VALIDATOR_INFO == "119" def testTransactionEnumDecoded(): 
@@ -29,15 +40,26 @@ def testTransactionEnumDecoded(): assert IndyTransactions.CLAIM_DEF.name == "CLAIM_DEF" assert IndyTransactions.DISCLO.name == "DISCLO" + assert IndyTransactions.GET_ATTR.name == "GET_ATTR" assert IndyTransactions.GET_NYM.name == "GET_NYM" assert IndyTransactions.GET_TXNS.name == "GET_TXNS" assert IndyTransactions.GET_SCHEMA.name == "GET_SCHEMA" assert IndyTransactions.GET_CLAIM_DEF.name == "GET_CLAIM_DEF" + assert IndyTransactions.POOL_UPGRADE.name == "POOL_UPGRADE" assert IndyTransactions.NODE_UPGRADE.name == "NODE_UPGRADE" assert IndyTransactions.POOL_CONFIG.name == "POOL_CONFIG" assert IndyTransactions.POOL_RESTART.name == "POOL_RESTART" + assert IndyTransactions.CHANGE_KEY.name == "CHANGE_KEY" + + assert IndyTransactions.REVOC_REG_DEF.name == "REVOC_REG_DEF" + assert IndyTransactions.REVOC_REG_ENTRY.name == "REVOC_REG_ENTRY" + assert IndyTransactions.GET_REVOC_REG_DEF.name == "GET_REVOC_REG_DEF" + assert IndyTransactions.GET_REVOC_REG.name == "GET_REVOC_REG" + assert IndyTransactions.GET_REVOC_REG_DELTA.name == "GET_REVOC_REG_DELTA" + + assert IndyTransactions.VALIDATOR_INFO.name == "VALIDATOR_INFO" def testTransactionEnumEncoded(): 
@@ -57,4 +79,41 @@ def testTransactionEnumEncoded(): assert IndyTransactions.POOL_UPGRADE.value == "109" assert IndyTransactions.NODE_UPGRADE.value == "110" assert IndyTransactions.POOL_CONFIG.value == "111" + assert IndyTransactions.CHANGE_KEY.value == "112" + assert IndyTransactions.REVOC_REG_DEF.value == "113" + assert IndyTransactions.REVOC_REG_ENTRY.value == "114" + assert IndyTransactions.GET_REVOC_REG_DEF.value == "115" + assert IndyTransactions.GET_REVOC_REG.value == "116" + assert IndyTransactions.GET_REVOC_REG_DELTA.value == "117" assert IndyTransactions.POOL_RESTART.value == "118" + assert IndyTransactions.VALIDATOR_INFO.value == "119" + + +def test_get_name_from_code(): + assert IndyTransactions.get_name_from_code(IndyTransactions.NODE.value) == "NODE" + assert IndyTransactions.get_name_from_code(IndyTransactions.NYM.value) == "NYM" + + assert IndyTransactions.get_name_from_code(IndyTransactions.ATTRIB.value) == "ATTRIB" + assert IndyTransactions.get_name_from_code(IndyTransactions.SCHEMA.value) == "SCHEMA" + assert IndyTransactions.get_name_from_code(IndyTransactions.CLAIM_DEF.value) == "CLAIM_DEF" + + assert IndyTransactions.get_name_from_code(IndyTransactions.DISCLO.value) == "DISCLO" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_ATTR.value) == "GET_ATTR" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_NYM.value) == "GET_NYM" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_TXNS.value) == "GET_TXNS" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_SCHEMA.value) == "GET_SCHEMA" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_CLAIM_DEF.value) == "GET_CLAIM_DEF" + assert IndyTransactions.get_name_from_code(IndyTransactions.POOL_UPGRADE.value) == "POOL_UPGRADE" + assert IndyTransactions.get_name_from_code(IndyTransactions.NODE_UPGRADE.value) == "NODE_UPGRADE" + assert IndyTransactions.get_name_from_code(IndyTransactions.POOL_CONFIG.value) == "POOL_CONFIG" + assert 
IndyTransactions.get_name_from_code(IndyTransactions.POOL_RESTART.value) == "POOL_RESTART" + + assert IndyTransactions.get_name_from_code(IndyTransactions.CHANGE_KEY.value) == "CHANGE_KEY" + assert IndyTransactions.get_name_from_code(IndyTransactions.REVOC_REG_DEF.value) == "REVOC_REG_DEF" + assert IndyTransactions.get_name_from_code(IndyTransactions.REVOC_REG_ENTRY.value) == "REVOC_REG_ENTRY" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_REVOC_REG_DEF.value) == "GET_REVOC_REG_DEF" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_REVOC_REG.value) == "GET_REVOC_REG" + assert IndyTransactions.get_name_from_code(IndyTransactions.GET_REVOC_REG_DELTA.value) == "GET_REVOC_REG_DELTA" + assert IndyTransactions.get_name_from_code(IndyTransactions.VALIDATOR_INFO.value) == "VALIDATOR_INFO" + + assert IndyTransactions.get_name_from_code("some_unexpected_code") == "Unknown_transaction_type" diff --git a/indy_common/transactions.py b/indy_common/transactions.py index 6b893c555..2982192de 100644 --- a/indy_common/transactions.py +++ b/indy_common/transactions.py @@ -33,3 +33,10 @@ class IndyTransactions(Transactions): POOL_RESTART = "118" VALIDATOR_INFO = "119" + + @staticmethod + def get_name_from_code(code: str): + try: + return IndyTransactions(code).name + except ValueError: + return "Unknown_transaction_type" From 2d030fdb2fc2c31eb563fbb43117e0518f1e4eb4 Mon Sep 17 00:00:00 2001 From: Andrew Nikitin Date: Fri, 1 Feb 2019 15:47:08 +0300 Subject: [PATCH 34/34] [INDY-1963] add field into error string Signed-off-by: Andrew Nikitin --- indy_common/authorize/authorizer.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/indy_common/authorize/authorizer.py b/indy_common/authorize/authorizer.py index ad216bcb4..684f238c2 100644 --- a/indy_common/authorize/authorizer.py +++ b/indy_common/authorize/authorizer.py 
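Review bot: `get_name_from_code` in transactions.py has no docstring or return annotation, and its fallback `"Unknown_transaction_type"` is what authorizer.py now prints in a denial message when the code is not a member. Suggest `def get_name_from_code(code: str) -> str:` with a docstring such as `"""Return the member name for a txn type code, or "Unknown_transaction_type" if it is not a known code."""`. As a `@staticmethod` it names `IndyTransactions` explicitly; a `@classmethod` using `cls(code).name` would read the same and follow subclasses. The class body starts outside the hunk.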
@@ -83,9 +83,10 @@ def authorize(self,
 if not self.is_sig_count_accepted(request, auth_constraint):
 return False, "Not enough signatures"
 if not self.is_owner_accepted(auth_constraint, auth_action):
- if auth_action.txn_type == NYM:
- return False, "{} can not touch verkey field since only the owner can modify it".\
- format(self.get_named_role_from_req(request))
+ if auth_action.field != '*':
+ return False, "{} can not touch {} field since only the owner can modify it".\
+ format(self.get_named_role_from_req(request),
+ auth_action.field)
 else:
 return False, "{} can not edit {} txn since only owner can modify it".\
 format(self.get_named_role_from_req(request),
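Review bot: With the `auth_action.txn_type == NYM` test replaced here, and the `CLAIM_DEF` comparison already dropped in patch 33/34, the line `from indy_common.constants import NYM, CLAIM_DEF` added in patch 32/34 looks unused, unless other parts of authorizer.py outside these hunks reference the names. If nothing else does, delete that import line so the module does not suggest a per-transaction-type rule that no longer exists. The body of `authorize` starts and ends outside the hunk.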