From 3b5b648c8f823f8d1361536b295e68d12d4da9df Mon Sep 17 00:00:00 2001 From: toktar Date: Thu, 24 May 2018 11:36:36 +0300 Subject: [PATCH 1/2] INDY-1363: change permission to validator_info command Changes: - added check to client role - added tests for auth check role - added test for request with incorrect role - update documentation Signed-off-by: toktar --- design/validator_info.md | 2 +- indy_common/auth.py | 7 +++++-- .../test/auth/test_auth_validator_info.py | 10 ++++++++++ indy_node/server/action_req_handler.py | 17 ++++++++++------ .../pool_restart/test_fail_pool_restart.py | 5 ++--- .../test_validator_info_command.py | 20 +++++++++++++++++-- 6 files changed, 47 insertions(+), 14 deletions(-) create mode 100644 indy_common/test/auth/test_auth_validator_info.py diff --git a/design/validator_info.md b/design/validator_info.md index 8e78e875c..fde14b572 100644 --- a/design/validator_info.md +++ b/design/validator_info.md @@ -65,7 +65,7 @@ This file is updated by node once a minute and contains following information: ``` ## Modification - New Read Command -Validator_info accessible as read command, available for all clients. New command VALIDATOR_INFO provide info from +Validator_info accessible as read command, available for Steward and Trustee. New command VALIDATOR_INFO provide info from all the connected nodes without need of consensus (similar to force=True flag in upgrade cmd). Command allow requesting all parameters or some subset of parameters. diff --git a/indy_common/auth.py b/indy_common/auth.py index 362c865c2..1a3b3b7c8 100644 --- a/indy_common/auth.py +++ b/indy_common/auth.py 
@@ -1,8 +1,9 @@ from plenum.common.constants import TRUSTEE, STEWARD, NODE from stp_core.common.log import getlogger -from indy_common.constants import OWNER, POOL_UPGRADE, TGB, TRUST_ANCHOR, NYM, POOL_CONFIG, SCHEMA, CLAIM_DEF, \ - POOL_RESTART +from indy_common.constants import OWNER, POOL_UPGRADE, TGB, TRUST_ANCHOR, NYM, \ + POOL_CONFIG, SCHEMA, CLAIM_DEF, \ + POOL_RESTART, VALIDATOR_INFO from indy_common.roles import Roles logger = getlogger() @@ -64,6 +65,8 @@ class Authoriser: {TRUSTEE: []}, '{}_action__'.format(POOL_CONFIG): {TRUSTEE: [], TGB: []}, + '{}___'.format(VALIDATOR_INFO): + {TRUSTEE: [], STEWARD: []}, } @staticmethod diff --git a/indy_common/test/auth/test_auth_validator_info.py b/indy_common/test/auth/test_auth_validator_info.py new file mode 100644 index 000000000..6e2be97bc --- /dev/null +++ b/indy_common/test/auth/test_auth_validator_info.py @@ -0,0 +1,10 @@ +from plenum.common.constants import TRUSTEE, STEWARD + +from indy_common.auth import Authoriser +from indy_common.constants import VALIDATOR_INFO + + +def test_permission_for_validator_info(role): + authorized = role in (TRUSTEE, STEWARD) + assert authorized == Authoriser.authorised(typ=VALIDATOR_INFO, + actorRole=role)[0] diff --git a/indy_node/server/action_req_handler.py b/indy_node/server/action_req_handler.py index eed981d4a..c46fcc25f 100644 --- a/indy_node/server/action_req_handler.py +++ b/indy_node/server/action_req_handler.py @@ -40,7 +40,7 @@ def validate(self, req: Request): status = None operation = req.operation typ = operation.get(TXN_TYPE) - if typ not in [POOL_RESTART]: + if typ not in self.operation_types: return origin = req.identifier try: 
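Review bot: The new rule entry in `class Authoriser` encodes "no field, no old value, no new value" as three bare underscores in `'{}___'.format(VALIDATOR_INFO)`, and nothing on the line says so. A miscounted separator would leave a key that no lookup ever matches. Judging by the neighbouring `'{}_action__'.format(POOL_CONFIG)` key the layout looks like type_field_old_new, but the code that builds the lookup key is outside this hunk, so that is worth confirming. I would add `# VALIDATOR_INFO is authorised on type alone: field, oldVal and newVal are empty` above the entry.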
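Review bot: `test_permission_for_validator_info(role)` in the new `indy_common/test/auth/test_auth_validator_info.py` depends on a `role` fixture that the file neither defines nor imports, so the set of roles actually checked cannot be read from this test. It presumably comes from a shared conftest. Confirm that it includes the role-less client (`None`) as well as the other non-privileged roles, because denying those is the purpose of the commit. A one-line docstring would make the intent explicit: `"""VALIDATOR_INFO must be authorised for TRUSTEE and STEWARD and for no other role."""`.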
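Review bot: In `validate()` the early `return` for `typ not in self.operation_types` skips the role check entirely, and this diff never shows `operation_types`, so it cannot be confirmed from here that VALIDATOR_INFO is in it. If it is missing, the STEWARD/TRUSTEE restriction added further down is never reached and the request leaves `validate()` unchecked. Confirm this against the class definition and mark the exit with a comment such as `# not an action type of this handler: no role check is done here`. The body of `validate()` starts before this hunk and continues after it.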
@@ -50,15 +50,20 @@ def validate(self, req: Request): req.identifier, req.reqId, "Nym {} not added to the ledger yet".format(origin)) - action = "" + r = False if typ == POOL_RESTART: action = operation.get(ACTION) - r, msg = Authoriser.authorised( - typ, origin_role, field=ACTION, oldVal=status, newVal=action) + r, msg = Authoriser.authorised(typ, origin_role, + field=ACTION, + oldVal=status, + newVal=action) + elif typ == VALIDATOR_INFO: + r, msg = Authoriser.authorised(typ, origin_role) if not r: raise UnauthorizedClientRequest( - req.identifier, req.reqId, "{} cannot do restart".format( - Roles.nameFromValue(origin_role))) + req.identifier, req.reqId, "{} cannot do action with type = {}" + .format(Roles.nameFromValue(origin_role), + typ)) def apply(self, req: Request, cons_time: int = None): logger.debug("Transaction {} with type {} started" diff --git a/indy_node/test/pool_restart/test_fail_pool_restart.py b/indy_node/test/pool_restart/test_fail_pool_restart.py index 1e84fa011..1a44a4e81 100644 --- a/indy_node/test/pool_restart/test_fail_pool_restart.py +++ b/indy_node/test/pool_restart/test_fail_pool_restart.py @@ -7,8 +7,6 @@ from plenum.common.constants import TXN_TYPE from plenum.test.helper import sdk_gen_request, sdk_sign_and_submit_req_obj, \ sdk_get_reply, sdk_get_and_check_replies -from indy_node.test.upgrade.helper import NodeControlToolExecutor as NCT, \ - nodeControlGeneralMonkeypatching def test_fail_pool_restart_with_steward_role( @@ -24,7 +22,8 @@ def test_fail_pool_restart_with_steward_role( req_obj) with pytest.raises(RequestRejectedException) as excinfo: sdk_get_and_check_replies(looper, [req], 100) - assert excinfo.match("STEWARD cannot do restart") + assert excinfo.match("STEWARD cannot do action with type = " + + POOL_RESTART) def test_fail_pool_restart_with_invalid_datetime( 
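Review bot: In the second `validate()` hunk the `msg` returned by `Authoriser.authorised` is assigned in both branches and then dropped, so the authoriser's own reason for a denial is never recorded. Either log it before raising `UnauthorizedClientRequest` or unpack as `r, _ = Authoriser.authorised(typ, origin_role)`. The `r = False` initialisation is what makes a type that passes the `operation_types` gate but has no branch here end in a rejection. That is the right default for an authorisation check and deserves a comment, for example `# deny by default: only an explicit Authoriser verdict can set r`. `validate()` starts above this hunk, so how `origin_role` is obtained is not visible here.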
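Review bot: `excinfo.match(...)` in `test_fail_pool_restart_with_steward_role` treats its argument as a regular expression, and the expected text is now built by concatenating the raw `POOL_RESTART` constant. Wrapping it as `excinfo.match(re.escape("STEWARD cannot do action with type = " + POOL_RESTART))` keeps the assertion exact if the constant ever contains regex metacharacters. The same pattern appears in `test_fail_validator_info_command` with `VALIDATOR_INFO`. Whether `POOL_RESTART` and `re` are already imported in this test module is not visible in the hunk.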
diff --git a/indy_node/test/validator_info/test_validator_info_command.py b/indy_node/test/validator_info/test_validator_info_command.py index 1a9f223cc..c5fc74b92 100644 --- a/indy_node/test/validator_info/test_validator_info_command.py +++ b/indy_node/test/validator_info/test_validator_info_command.py @@ -11,7 +11,7 @@ from plenum.common.constants import REPLY, TXN_TYPE, DATA from plenum.common.types import f from plenum.test.helper import sdk_gen_request, sdk_sign_and_submit_req_obj, \ - sdk_get_reply + sdk_get_reply, sdk_send_signed_requests, sdk_get_and_check_replies def test_validator_info_command( @@ -24,10 +24,26 @@ def test_validator_info_command( sdk_pool_handle, sdk_wallet_trustee, req_obj) - # req_json, resp = sdk_get_reply(looper, req, 100) + #req_json, resp = sdk_get_reply(looper, req, 100) # _comparison_reply(resp, req_obj) +def test_fail_validator_info_command( + sdk_pool_handle, sdk_wallet_client, looper): + op = { + TXN_TYPE: VALIDATOR_INFO + } + req_obj = sdk_gen_request(op, identifier=sdk_wallet_client[1]) + req = sdk_sign_and_submit_req_obj(looper, + sdk_pool_handle, + sdk_wallet_client, + req_obj) + with pytest.raises(RequestRejectedException) as excinfo: + sdk_get_and_check_replies(looper, [req], 100) + assert excinfo.match("None role cannot do action with type = " + + VALIDATOR_INFO) + + def _comparison_reply(resp, req_obj): assert resp["op"] == REPLY assert resp[f.RESULT.nm][f.IDENTIFIER.nm] == req_obj.identifier From 14b4b240a212835522878dcfbf54a8d6998b530f Mon Sep 17 00:00:00 2001 From: toktar Date: Thu, 24 May 2018 11:40:16 +0300 Subject: [PATCH 2/2] INDY-1363: code style Signed-off-by: toktar --- indy_node/server/action_req_handler.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/indy_node/server/action_req_handler.py b/indy_node/server/action_req_handler.py index c46fcc25f..f8d40ebba 100644 --- a/indy_node/server/action_req_handler.py +++ b/indy_node/server/action_req_handler.py 
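Review bot: The positive path is still unchecked: in `test_validator_info_command` the reply check stays commented out (`#req_json, resp = sdk_get_reply(looper, req, 100)` and `# _comparison_reply(resp, req_obj)`). The only end-to-end assertion these hunks leave active is the rejection of a role-less client in `test_fail_validator_info_command`. A permission change should be pinned from both sides, otherwise a rule that rejects every role would still pass these tests. Re-enable the reply check for the trustee wallet and send the same request from a steward wallet. If the check is disabled for a known reason, replace the dead lines with a comment naming it.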
@@ -61,9 +61,10 @@ def validate(self, req: Request): r, msg = Authoriser.authorised(typ, origin_role) if not r: raise UnauthorizedClientRequest( - req.identifier, req.reqId, "{} cannot do action with type = {}" - .format(Roles.nameFromValue(origin_role), - typ)) + req.identifier, req.reqId, + "{} cannot do action with type = {}".format( + Roles.nameFromValue(origin_role), + typ)) def apply(self, req: Request, cons_time: int = None): logger.debug("Transaction {} with type {} started"