Skip to content

Commit

Permalink
refactor(permissions): define default permission set
Browse files Browse the repository at this point in the history 
Signed-off-by: Marin Veršić <[email protected]>
  • Loading branch information
@mversic
mversic committed Sep 16, 2024
1 parent cdf7dd7 commit 45edafa
Show file tree
Hide file tree
Showing 26 changed files with 666 additions and 1,048 deletions.
4 changes: 2 additions & 2 deletions crates/iroha/tests/integration/asset.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ use iroha::{
},
};
use iroha_config::parameters::actual::Root as Config;
use iroha_executor_data_model::permission::asset::CanTransferUserAsset;
use iroha_executor_data_model::permission::asset::CanModifyAsset;
use iroha_test_network::*;
use iroha_test_samples::{gen_account_in, ALICE_ID, BOB_ID};

Expand Down Expand Up @@ -328,7 +328,7 @@ fn find_rate_and_make_exchange_isi_should_succeed() {

let alice_id = ALICE_ID.clone();
let alice_can_transfer_asset = |asset_id: AssetId, owner_key_pair: KeyPair| {
let permission = CanTransferUserAsset {
let permission = CanModifyAsset {
asset: asset_id.clone(),
};
let instruction = Grant::account_permission(permission, alice_id.clone());
Expand Down
61 changes: 18 additions & 43 deletions crates/iroha/tests/integration/events/data.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@ use std::{fmt::Write as _, sync::mpsc, thread};

use eyre::Result;
use iroha::data_model::{prelude::*, transaction::WasmSmartContract};
use iroha_executor_data_model::permission::account::{
CanRemoveKeyValueInAccount, CanSetKeyValueInAccount,
use iroha_executor_data_model::permission::{
account::CanModifyAccountMetadata, domain::CanModifyDomainMetadata,
};
use iroha_test_network::*;
use iroha_test_samples::{ALICE_ID, BOB_ID};
Expand Down Expand Up @@ -176,7 +176,6 @@ fn transaction_execution_should_produce_events(
}

#[test]
#[allow(clippy::too_many_lines)]
fn produce_multiple_events() -> Result<()> {
let (_rt, _peer, client) = <PeerBuilder>::new().with_port(10_645).start_with_runtime();
wait_for_genesis_committed(&[client.clone()], 0);
Expand All @@ -201,19 +200,21 @@ fn produce_multiple_events() -> Result<()> {
// Registering role
let alice_id = ALICE_ID.clone();
let role_id = "TEST_ROLE".parse::<RoleId>()?;
let permission_1 = CanRemoveKeyValueInAccount {
let permission_1 = CanModifyAccountMetadata {
account: alice_id.clone(),
};
let permission_2 = CanSetKeyValueInAccount { account: alice_id };
let role = iroha::data_model::role::Role::new(role_id.clone())
let permission_2 = CanModifyDomainMetadata {
domain: alice_id.domain().clone(),
};
let role = iroha::data_model::role::Role::new(role_id.clone(), alice_id.clone())
.add_permission(permission_1.clone())
.add_permission(permission_2.clone());
let instructions = [Register::role(role.clone())];
client.submit_all_blocking(instructions)?;

// Grants role to Bob
let bob_id = BOB_ID.clone();
let grant_role = Grant::role(role_id.clone(), bob_id.clone());
let grant_role = Grant::account_role(role_id.clone(), bob_id.clone());
client.submit_blocking(grant_role)?;

// Unregister role
Expand All @@ -236,63 +237,37 @@ fn produce_multiple_events() -> Result<()> {
}
}

if let DataEvent::Domain(DomainEvent::Account(AccountEvent::PermissionAdded(event))) =
event_receiver.recv()??.try_into()?
{
assert_eq!(*event.account(), bob_id);
assert_eq!(
CanRemoveKeyValueInAccount::try_from(event.permission()).unwrap(),
permission_1
);
} else {
panic!("Expected event is not an AccountEvent::PermissionAdded")
}
if let DataEvent::Domain(DomainEvent::Account(AccountEvent::PermissionAdded(event))) =
event_receiver.recv()??.try_into()?
{
assert_eq!(*event.account(), bob_id);
assert_eq!(
CanSetKeyValueInAccount::try_from(event.permission()).unwrap(),
permission_2
);
} else {
panic!("Expected event is not an AccountEvent::PermissionAdded")
}
if let DataEvent::Domain(DomainEvent::Account(AccountEvent::RoleGranted(event))) =
event_receiver.recv()??.try_into()?
{
assert_eq!(*event.account(), bob_id);
assert_eq!(*event.account(), alice_id);
assert_eq!(*event.role(), role_id);
} else {
panic!("Expected event is not an AccountEvent::RoleGranted")
}

if let DataEvent::Domain(DomainEvent::Account(AccountEvent::PermissionRemoved(event))) =
if let DataEvent::Domain(DomainEvent::Account(AccountEvent::RoleGranted(event))) =
event_receiver.recv()??.try_into()?
{
assert_eq!(*event.account(), bob_id);
assert_eq!(
CanRemoveKeyValueInAccount::try_from(event.permission()).unwrap(),
permission_1
);
assert_eq!(*event.role(), role_id);
} else {
panic!("Expected event is not an AccountEvent::PermissionRemoved")
panic!("Expected event is not an AccountEvent::RoleGranted")
}
if let DataEvent::Domain(DomainEvent::Account(AccountEvent::PermissionRemoved(event))) =

if let DataEvent::Domain(DomainEvent::Account(AccountEvent::RoleRevoked(event))) =
event_receiver.recv()??.try_into()?
{
assert_eq!(*event.account(), bob_id);
assert_eq!(
CanSetKeyValueInAccount::try_from(event.permission()).unwrap(),
permission_2
);
assert_eq!(*event.role(), role_id);
} else {
panic!("Expected event is not an AccountEvent::PermissionRemoved")
panic!("Expected event is not an AccountEvent::RoleRevoked")
}

if let DataEvent::Domain(DomainEvent::Account(AccountEvent::RoleRevoked(event))) =
event_receiver.recv()??.try_into()?
{
assert_eq!(*event.account(), bob_id);
assert_eq!(*event.account(), alice_id);
assert_eq!(*event.role(), role_id);
} else {
panic!("Expected event is not an AccountEvent::RoleRevoked")
Expand Down
46 changes: 28 additions & 18 deletions crates/iroha/tests/integration/multisig.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,11 +12,14 @@ use iroha::{
transaction::{TransactionBuilder, WasmSmartContract},
},
};
use iroha_data_model::asset::{AssetDefinition, AssetDefinitionId};
use iroha_executor_data_model::permission::asset_definition::CanRegisterAssetDefinition;
use iroha_test_network::*;
use iroha_test_samples::{gen_account_in, ALICE_ID};
use nonzero_ext::nonzero;

#[test]
#[expect(clippy::too_many_lines)]
fn mutlisig() -> Result<()> {
let (_rt, _peer, test_client) = <PeerBuilder>::new().with_port(11_400).start_with_runtime();
wait_for_genesis_committed(&vec![test_client.clone()], 0);
Expand Down Expand Up @@ -85,14 +88,15 @@ fn mutlisig() -> Result<()> {
test_client.submit_blocking(call_trigger)?;

// Check that multisig account exist
let account = test_client
.query(client::account::all())
.filter_with(|account| account.id.eq(multisig_account_id.clone()))
.execute_single()
test_client
.submit_blocking(Grant::account_permission(
CanRegisterAssetDefinition {
domain: "wonderland".parse().unwrap(),
},
multisig_account_id.clone(),
))
.expect("multisig account should be created after the call to register multisig trigger");

assert_eq!(account.id(), &multisig_account_id);

// Check that multisig trigger exist
let trigger = test_client
.query(FindTriggers::new())
Expand All @@ -102,8 +106,14 @@ fn mutlisig() -> Result<()> {

assert_eq!(trigger.id(), &multisig_trigger_id);

let domain_id: DomainId = "domain_controlled_by_multisig".parse().unwrap();
let isi = vec![Register::domain(Domain::new(domain_id.clone())).into()];
let asset_definition_id = "asset_definition_controlled_by_multisig#wonderland"
.parse::<AssetDefinitionId>()
.unwrap();
let isi =
vec![
Register::asset_definition(AssetDefinition::numeric(asset_definition_id.clone()))
.into(),
];
let isi_hash = HashOf::new(&isi);

let mut signatories_iter = signatories.into_iter();
Expand All @@ -118,12 +128,12 @@ fn mutlisig() -> Result<()> {
)?;
}

// Check that domain isn't created yet
// Check that asset definition isn't created yet
let err = test_client
.query(client::domain::all())
.filter_with(|domain| domain.id.eq(domain_id.clone()))
.query(client::asset::all_definitions())
.filter_with(|asset_definition| asset_definition.id.eq(asset_definition_id.clone()))
.execute_single()
.expect_err("domain shouldn't be created before enough votes are collected");
.expect_err("asset definition shouldn't be created before enough votes are collected");
assert!(matches!(err, SingleQueryError::ExpectedOneGotNone));

for (signatory, key_pair) in signatories_iter {
Expand All @@ -136,14 +146,14 @@ fn mutlisig() -> Result<()> {
)?;
}

// Check that new domain was created and multisig account is owner
let domain = test_client
.query(client::domain::all())
.filter_with(|domain| domain.id.eq(domain_id.clone()))
// Check that new asset definition was created and multisig account is owner
let asset_definition = test_client
.query(client::asset::all_definitions())
.filter_with(|asset_definition| asset_definition.id.eq(asset_definition_id.clone()))
.execute_single()
.expect("domain should be created after enough votes are collected");
.expect("asset definition should be created after enough votes are collected");

assert_eq!(domain.owned_by(), &multisig_account_id);
assert_eq!(asset_definition.owned_by(), &multisig_account_id);

Ok(())
}
31 changes: 16 additions & 15 deletions crates/iroha/tests/integration/permissions.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,8 @@ use iroha::{
},
};
use iroha_executor_data_model::permission::{
asset::{CanSetKeyValueInUserAsset, CanTransferUserAsset},
domain::CanSetKeyValueInDomain,
asset::{CanModifyAsset, CanModifyAssetMetadata},
domain::CanModifyDomainMetadata,
};
use iroha_genesis::GenesisBlock;
use iroha_test_network::{PeerBuilder, *};
Expand Down Expand Up @@ -243,7 +243,7 @@ fn permissions_differ_not_only_by_names() {

// Granting permission to Alice to modify metadata in Mouse's hats
let mouse_hat_id = AssetId::new(hat_definition_id, mouse_id.clone());
let mouse_hat_permission = CanSetKeyValueInUserAsset {
let mouse_hat_permission = CanModifyAssetMetadata {
asset: mouse_hat_id.clone(),
};
let allow_alice_to_set_key_value_in_hats =
Expand Down Expand Up @@ -276,7 +276,7 @@ fn permissions_differ_not_only_by_names() {
.submit_blocking(set_shoes_color.clone())
.expect_err("Expected Alice to fail to modify Mouse's shoes");

let mouse_shoes_permission = CanSetKeyValueInUserAsset {
let mouse_shoes_permission = CanModifyAssetMetadata {
asset: mouse_shoes_id,
};
let allow_alice_to_set_key_value_in_shoes =
Expand Down Expand Up @@ -326,7 +326,7 @@ fn stored_vs_granted_permission_payload() -> Result<()> {

let mouse_asset = AssetId::new(asset_definition_id, mouse_id.clone());
let allow_alice_to_set_key_value_in_mouse_asset = Grant::account_permission(
Permission::new("CanSetKeyValueInUserAsset".parse().unwrap(), value_json),
Permission::new("CanModifyAssetMetadata".parse().unwrap(), value_json),
alice_id,
);

Expand Down Expand Up @@ -359,12 +359,12 @@ fn permissions_are_unified() {
// Given
let alice_id = ALICE_ID.clone();

let permission1 = CanTransferUserAsset {
let permission1 = CanModifyAsset {
asset: format!("rose#wonderland#{alice_id}").parse().unwrap(),
};
let allow_alice_to_transfer_rose_1 = Grant::account_permission(permission1, alice_id.clone());

let permission2 = CanTransferUserAsset {
let permission2 = CanModifyAsset {
asset: format!("rose##{alice_id}").parse().unwrap(),
};
let allow_alice_to_transfer_rose_2 = Grant::account_permission(permission2, alice_id);
Expand All @@ -389,7 +389,7 @@ fn associated_permissions_removed_on_unregister() {

// register kingdom and give bob permissions in this domain
let register_domain = Register::domain(kingdom);
let bob_to_set_kv_in_domain = CanSetKeyValueInDomain {
let bob_to_set_kv_in_domain = CanModifyDomainMetadata {
domain: kingdom_id.clone(),
};
let allow_bob_to_set_kv_in_domain =
Expand All @@ -409,7 +409,7 @@ fn associated_permissions_removed_on_unregister() {
.expect("failed to get permissions for bob")
.into_iter()
.any(|permission| {
CanSetKeyValueInDomain::try_from(&permission)
CanModifyDomainMetadata::try_from(&permission)
.is_ok_and(|permission| permission == bob_to_set_kv_in_domain)
}));

Expand All @@ -425,7 +425,7 @@ fn associated_permissions_removed_on_unregister() {
.expect("failed to get permissions for bob")
.into_iter()
.any(|permission| {
CanSetKeyValueInDomain::try_from(&permission)
CanModifyDomainMetadata::try_from(&permission)
.is_ok_and(|permission| permission == bob_to_set_kv_in_domain)
}));
}
Expand All @@ -441,11 +441,12 @@ fn associated_permissions_removed_from_role_on_unregister() {

// register kingdom and give bob permissions in this domain
let register_domain = Register::domain(kingdom);
let set_kv_in_domain = CanSetKeyValueInDomain {
let set_kv_in_domain = CanModifyDomainMetadata {
domain: kingdom_id.clone(),
};
let role = Role::new(role_id.clone()).add_permission(set_kv_in_domain.clone());
let register_role = Register::role(role);
let register_role = Register::role(
Role::new(role_id.clone(), ALICE_ID.clone()).add_permission(set_kv_in_domain.clone()),
);

iroha
.submit_all_blocking::<InstructionBox>([register_domain.into(), register_role.into()])
Expand All @@ -459,7 +460,7 @@ fn associated_permissions_removed_from_role_on_unregister() {
.expect("failed to get role")
.permissions()
.any(|permission| {
CanSetKeyValueInDomain::try_from(permission)
CanModifyDomainMetadata::try_from(permission)
.is_ok_and(|permission| permission == set_kv_in_domain)
}));

Expand All @@ -476,7 +477,7 @@ fn associated_permissions_removed_from_role_on_unregister() {
.expect("failed to get role")
.permissions()
.any(|permission| {
CanSetKeyValueInDomain::try_from(permission)
CanModifyDomainMetadata::try_from(permission)
.is_ok_and(|permission| permission == set_kv_in_domain)
}));
}
Loading

0 comments on commit 45edafa

Please sign in to comment.