Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor(permissions): define default permission set #5075

Merged
merged 1 commit into from
Sep 27, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions crates/iroha/tests/integration/asset.rs
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ use iroha::{
},
};
use iroha_config::parameters::actual::Root as Config;
use iroha_executor_data_model::permission::asset::CanTransferUserAsset;
use iroha_executor_data_model::permission::asset::CanTransferAsset;
use iroha_test_network::*;
use iroha_test_samples::{gen_account_in, ALICE_ID, BOB_ID};

Expand Down Expand Up @@ -328,7 +328,7 @@ fn find_rate_and_make_exchange_isi_should_succeed() {

let alice_id = ALICE_ID.clone();
let alice_can_transfer_asset = |asset_id: AssetId, owner_key_pair: KeyPair| {
let permission = CanTransferUserAsset {
let permission = CanTransferAsset {
asset: asset_id.clone(),
};
let instruction = Grant::account_permission(permission, alice_id.clone());
Expand Down
61 changes: 18 additions & 43 deletions crates/iroha/tests/integration/events/data.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@ use std::{fmt::Write as _, sync::mpsc, thread};

use eyre::Result;
use iroha::data_model::{prelude::*, transaction::WasmSmartContract};
use iroha_executor_data_model::permission::account::{
CanRemoveKeyValueInAccount, CanSetKeyValueInAccount,
use iroha_executor_data_model::permission::{
account::CanModifyAccountMetadata, domain::CanModifyDomainMetadata,
};
use iroha_test_network::*;
use iroha_test_samples::{ALICE_ID, BOB_ID};
Expand Down Expand Up @@ -176,7 +176,6 @@ fn transaction_execution_should_produce_events(
}

#[test]
#[allow(clippy::too_many_lines)]
fn produce_multiple_events() -> Result<()> {
let (_rt, _peer, client) = <PeerBuilder>::new().with_port(10_645).start_with_runtime();
wait_for_genesis_committed(&[client.clone()], 0);
Expand All @@ -201,19 +200,21 @@ fn produce_multiple_events() -> Result<()> {
// Registering role
let alice_id = ALICE_ID.clone();
let role_id = "TEST_ROLE".parse::<RoleId>()?;
let permission_1 = CanRemoveKeyValueInAccount {
let permission_1 = CanModifyAccountMetadata {
account: alice_id.clone(),
};
let permission_2 = CanSetKeyValueInAccount { account: alice_id };
let role = iroha::data_model::role::Role::new(role_id.clone())
let permission_2 = CanModifyDomainMetadata {
domain: alice_id.domain().clone(),
};
let role = iroha::data_model::role::Role::new(role_id.clone(), alice_id.clone())
.add_permission(permission_1.clone())
.add_permission(permission_2.clone());
let instructions = [Register::role(role.clone())];
client.submit_all_blocking(instructions)?;

// Grants role to Bob
let bob_id = BOB_ID.clone();
let grant_role = Grant::role(role_id.clone(), bob_id.clone());
let grant_role = Grant::account_role(role_id.clone(), bob_id.clone());
client.submit_blocking(grant_role)?;

// Unregister role
Expand All @@ -236,63 +237,37 @@ fn produce_multiple_events() -> Result<()> {
}
}

if let DataEvent::Domain(DomainEvent::Account(AccountEvent::PermissionAdded(event))) =
event_receiver.recv()??.try_into()?
{
assert_eq!(*event.account(), bob_id);
assert_eq!(
CanRemoveKeyValueInAccount::try_from(event.permission()).unwrap(),
permission_1
);
} else {
panic!("Expected event is not an AccountEvent::PermissionAdded")
}
if let DataEvent::Domain(DomainEvent::Account(AccountEvent::PermissionAdded(event))) =
event_receiver.recv()??.try_into()?
{
assert_eq!(*event.account(), bob_id);
assert_eq!(
CanSetKeyValueInAccount::try_from(event.permission()).unwrap(),
permission_2
);
} else {
panic!("Expected event is not an AccountEvent::PermissionAdded")
}
if let DataEvent::Domain(DomainEvent::Account(AccountEvent::RoleGranted(event))) =
event_receiver.recv()??.try_into()?
{
assert_eq!(*event.account(), bob_id);
assert_eq!(*event.account(), alice_id);
assert_eq!(*event.role(), role_id);
} else {
panic!("Expected event is not an AccountEvent::RoleGranted")
}

if let DataEvent::Domain(DomainEvent::Account(AccountEvent::PermissionRemoved(event))) =
if let DataEvent::Domain(DomainEvent::Account(AccountEvent::RoleGranted(event))) =
event_receiver.recv()??.try_into()?
{
assert_eq!(*event.account(), bob_id);
assert_eq!(
CanRemoveKeyValueInAccount::try_from(event.permission()).unwrap(),
permission_1
);
assert_eq!(*event.role(), role_id);
} else {
panic!("Expected event is not an AccountEvent::PermissionRemoved")
panic!("Expected event is not an AccountEvent::RoleGranted")
}
if let DataEvent::Domain(DomainEvent::Account(AccountEvent::PermissionRemoved(event))) =

if let DataEvent::Domain(DomainEvent::Account(AccountEvent::RoleRevoked(event))) =
event_receiver.recv()??.try_into()?
{
assert_eq!(*event.account(), bob_id);
assert_eq!(
CanSetKeyValueInAccount::try_from(event.permission()).unwrap(),
permission_2
);
assert_eq!(*event.role(), role_id);
} else {
panic!("Expected event is not an AccountEvent::PermissionRemoved")
panic!("Expected event is not an AccountEvent::RoleRevoked")
}

if let DataEvent::Domain(DomainEvent::Account(AccountEvent::RoleRevoked(event))) =
event_receiver.recv()??.try_into()?
{
assert_eq!(*event.account(), bob_id);
assert_eq!(*event.account(), alice_id);
assert_eq!(*event.role(), role_id);
} else {
panic!("Expected event is not an AccountEvent::RoleRevoked")
Expand Down
46 changes: 28 additions & 18 deletions crates/iroha/tests/integration/multisig.rs
Original file line number Diff line number Diff line change
Expand Up @@ -12,11 +12,14 @@ use iroha::{
transaction::{TransactionBuilder, WasmSmartContract},
},
};
use iroha_data_model::asset::{AssetDefinition, AssetDefinitionId};
use iroha_executor_data_model::permission::asset_definition::CanRegisterAssetDefinition;
use iroha_test_network::*;
use iroha_test_samples::{gen_account_in, ALICE_ID};
use nonzero_ext::nonzero;

#[test]
#[expect(clippy::too_many_lines)]
fn mutlisig() -> Result<()> {
let (_rt, _peer, test_client) = <PeerBuilder>::new().with_port(11_400).start_with_runtime();
wait_for_genesis_committed(&vec![test_client.clone()], 0);
Expand Down Expand Up @@ -85,14 +88,15 @@ fn mutlisig() -> Result<()> {
test_client.submit_blocking(call_trigger)?;

// Check that multisig account exist
let account = test_client
.query(client::account::all())
.filter_with(|account| account.id.eq(multisig_account_id.clone()))
.execute_single()
test_client
.submit_blocking(Grant::account_permission(
CanRegisterAssetDefinition {
domain: "wonderland".parse().unwrap(),
},
multisig_account_id.clone(),
))
.expect("multisig account should be created after the call to register multisig trigger");

assert_eq!(account.id(), &multisig_account_id);

// Check that multisig trigger exist
let trigger = test_client
.query(FindTriggers::new())
Expand All @@ -102,8 +106,14 @@ fn mutlisig() -> Result<()> {

assert_eq!(trigger.id(), &multisig_trigger_id);

let domain_id: DomainId = "domain_controlled_by_multisig".parse().unwrap();
let isi = vec![Register::domain(Domain::new(domain_id.clone())).into()];
let asset_definition_id = "asset_definition_controlled_by_multisig#wonderland"
.parse::<AssetDefinitionId>()
.unwrap();
let isi =
vec![
Register::asset_definition(AssetDefinition::numeric(asset_definition_id.clone()))
.into(),
];
let isi_hash = HashOf::new(&isi);

let mut signatories_iter = signatories.into_iter();
Expand All @@ -118,12 +128,12 @@ fn mutlisig() -> Result<()> {
)?;
}

// Check that domain isn't created yet
// Check that asset definition isn't created yet
let err = test_client
.query(client::domain::all())
.filter_with(|domain| domain.id.eq(domain_id.clone()))
.query(client::asset::all_definitions())
.filter_with(|asset_definition| asset_definition.id.eq(asset_definition_id.clone()))
.execute_single()
.expect_err("domain shouldn't be created before enough votes are collected");
.expect_err("asset definition shouldn't be created before enough votes are collected");
assert!(matches!(err, SingleQueryError::ExpectedOneGotNone));

for (signatory, key_pair) in signatories_iter {
Expand All @@ -136,14 +146,14 @@ fn mutlisig() -> Result<()> {
)?;
}

// Check that new domain was created and multisig account is owner
let domain = test_client
.query(client::domain::all())
.filter_with(|domain| domain.id.eq(domain_id.clone()))
// Check that new asset definition was created and multisig account is owner
let asset_definition = test_client
.query(client::asset::all_definitions())
.filter_with(|asset_definition| asset_definition.id.eq(asset_definition_id.clone()))
.execute_single()
.expect("domain should be created after enough votes are collected");
.expect("asset definition should be created after enough votes are collected");

assert_eq!(domain.owned_by(), &multisig_account_id);
assert_eq!(asset_definition.owned_by(), &multisig_account_id);

Ok(())
}
31 changes: 16 additions & 15 deletions crates/iroha/tests/integration/permissions.rs
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,8 @@ use iroha::{
},
};
use iroha_executor_data_model::permission::{
asset::{CanSetKeyValueInUserAsset, CanTransferUserAsset},
domain::CanSetKeyValueInDomain,
asset::{CanModifyAssetMetadata, CanTransferAsset},
domain::CanModifyDomainMetadata,
};
use iroha_genesis::GenesisBlock;
use iroha_test_network::{PeerBuilder, *};
Expand Down Expand Up @@ -243,7 +243,7 @@ fn permissions_differ_not_only_by_names() {

// Granting permission to Alice to modify metadata in Mouse's hats
let mouse_hat_id = AssetId::new(hat_definition_id, mouse_id.clone());
let mouse_hat_permission = CanSetKeyValueInUserAsset {
let mouse_hat_permission = CanModifyAssetMetadata {
asset: mouse_hat_id.clone(),
};
let allow_alice_to_set_key_value_in_hats =
Expand Down Expand Up @@ -276,7 +276,7 @@ fn permissions_differ_not_only_by_names() {
.submit_blocking(set_shoes_color.clone())
.expect_err("Expected Alice to fail to modify Mouse's shoes");

let mouse_shoes_permission = CanSetKeyValueInUserAsset {
let mouse_shoes_permission = CanModifyAssetMetadata {
asset: mouse_shoes_id,
};
let allow_alice_to_set_key_value_in_shoes =
Expand Down Expand Up @@ -326,7 +326,7 @@ fn stored_vs_granted_permission_payload() -> Result<()> {

let mouse_asset = AssetId::new(asset_definition_id, mouse_id.clone());
let allow_alice_to_set_key_value_in_mouse_asset = Grant::account_permission(
Permission::new("CanSetKeyValueInUserAsset".parse().unwrap(), value_json),
Permission::new("CanModifyAssetMetadata".parse().unwrap(), value_json),
alice_id,
);

Expand Down Expand Up @@ -359,12 +359,12 @@ fn permissions_are_unified() {
// Given
let alice_id = ALICE_ID.clone();

let permission1 = CanTransferUserAsset {
let permission1 = CanTransferAsset {
asset: format!("rose#wonderland#{alice_id}").parse().unwrap(),
};
let allow_alice_to_transfer_rose_1 = Grant::account_permission(permission1, alice_id.clone());

let permission2 = CanTransferUserAsset {
let permission2 = CanTransferAsset {
asset: format!("rose##{alice_id}").parse().unwrap(),
};
let allow_alice_to_transfer_rose_2 = Grant::account_permission(permission2, alice_id);
Expand All @@ -389,7 +389,7 @@ fn associated_permissions_removed_on_unregister() {

// register kingdom and give bob permissions in this domain
let register_domain = Register::domain(kingdom);
let bob_to_set_kv_in_domain = CanSetKeyValueInDomain {
let bob_to_set_kv_in_domain = CanModifyDomainMetadata {
domain: kingdom_id.clone(),
};
let allow_bob_to_set_kv_in_domain =
Expand All @@ -409,7 +409,7 @@ fn associated_permissions_removed_on_unregister() {
.expect("failed to get permissions for bob")
.into_iter()
.any(|permission| {
CanSetKeyValueInDomain::try_from(&permission)
CanModifyDomainMetadata::try_from(&permission)
.is_ok_and(|permission| permission == bob_to_set_kv_in_domain)
}));

Expand All @@ -425,7 +425,7 @@ fn associated_permissions_removed_on_unregister() {
.expect("failed to get permissions for bob")
.into_iter()
.any(|permission| {
CanSetKeyValueInDomain::try_from(&permission)
CanModifyDomainMetadata::try_from(&permission)
.is_ok_and(|permission| permission == bob_to_set_kv_in_domain)
}));
}
Expand All @@ -441,11 +441,12 @@ fn associated_permissions_removed_from_role_on_unregister() {

// register kingdom and give bob permissions in this domain
let register_domain = Register::domain(kingdom);
let set_kv_in_domain = CanSetKeyValueInDomain {
let set_kv_in_domain = CanModifyDomainMetadata {
domain: kingdom_id.clone(),
};
let role = Role::new(role_id.clone()).add_permission(set_kv_in_domain.clone());
let register_role = Register::role(role);
let register_role = Register::role(
Role::new(role_id.clone(), ALICE_ID.clone()).add_permission(set_kv_in_domain.clone()),
);

iroha
.submit_all_blocking::<InstructionBox>([register_domain.into(), register_role.into()])
Expand All @@ -459,7 +460,7 @@ fn associated_permissions_removed_from_role_on_unregister() {
.expect("failed to get role")
.permissions()
.any(|permission| {
CanSetKeyValueInDomain::try_from(permission)
CanModifyDomainMetadata::try_from(permission)
.is_ok_and(|permission| permission == set_kv_in_domain)
}));

Expand All @@ -476,7 +477,7 @@ fn associated_permissions_removed_from_role_on_unregister() {
.expect("failed to get role")
.permissions()
.any(|permission| {
CanSetKeyValueInDomain::try_from(permission)
CanModifyDomainMetadata::try_from(permission)
.is_ok_and(|permission| permission == set_kv_in_domain)
}));
}
Loading
Loading