From cd94357a39f74e51fdaa0bfc4627af6da99c80bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marin=20Ver=C5=A1i=C4=87?= Date: Fri, 13 Sep 2024 15:46:06 +0900 Subject: [PATCH] refactor(permissions): define default permission set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marin Veršić --- crates/iroha/tests/integration/asset.rs | 4 +- crates/iroha/tests/integration/events/data.rs | 19 +- crates/iroha/tests/integration/permissions.rs | 26 +- .../iroha/tests/integration/queries/role.rs | 4 +- crates/iroha/tests/integration/roles.rs | 29 +- .../tests/integration/transfer_domain.rs | 20 +- .../integration/triggers/by_call_trigger.rs | 9 +- crates/iroha_core/src/kura.rs | 2 +- crates/iroha_executor/src/default.rs | 504 +++++++----------- crates/iroha_executor/src/permission.rs | 242 +++------ .../src/permission.rs | 126 ++--- crates/iroha_kagami/src/genesis/generate.rs | 25 +- crates/iroha_schema_gen/src/lib.rs | 108 ++-- crates/iroha_test_network/src/lib.rs | 32 +- defaults/genesis.json | 24 +- docs/source/references/schema.json | 146 ++--- wasm_samples/multisig_register/src/lib.rs | 4 +- 17 files changed, 478 insertions(+), 846 deletions(-) diff --git a/crates/iroha/tests/integration/asset.rs b/crates/iroha/tests/integration/asset.rs index 41c3216b51f..23e73d71748 100644 --- a/crates/iroha/tests/integration/asset.rs +++ b/crates/iroha/tests/integration/asset.rs @@ -12,7 +12,7 @@ use iroha::{ }, }; use iroha_config::parameters::actual::Root as Config; -use iroha_executor_data_model::permission::asset::CanTransferUserAsset; +use iroha_executor_data_model::permission::asset::CanModifyAsset; use iroha_test_network::*; use iroha_test_samples::{gen_account_in, ALICE_ID, BOB_ID}; 
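Review bot: The added `println!("KIT");` after `client.submit_all_blocking(instructions)?;` in `produce_multiple_events` looks like a leftover debug print and should be dropped before merge. It adds nothing to the assertions and only puts noise in the test output. The body of `produce_multiple_events` continues outside this hunk.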
@@ -328,7 +328,7 @@ fn find_rate_and_make_exchange_isi_should_succeed() { let alice_id = ALICE_ID.clone(); let alice_can_transfer_asset = |asset_id: AssetId, owner_key_pair: KeyPair| { - let permission = CanTransferUserAsset { + let permission = CanModifyAsset { asset: asset_id.clone(), }; let instruction = Grant::account_permission(permission, alice_id.clone()); diff --git a/crates/iroha/tests/integration/events/data.rs b/crates/iroha/tests/integration/events/data.rs index e42e119518a..cea42c49edd 100644 --- a/crates/iroha/tests/integration/events/data.rs +++ b/crates/iroha/tests/integration/events/data.rs @@ -2,8 +2,8 @@ use std::{fmt::Write as _, sync::mpsc, thread}; use eyre::Result; use iroha::data_model::{prelude::*, transaction::WasmSmartContract}; -use iroha_executor_data_model::permission::account::{ - CanRemoveKeyValueInAccount, CanSetKeyValueInAccount, +use iroha_executor_data_model::permission::{ + account::CanModifyAccountMetadata, domain::CanModifyDomainMetadata, }; use iroha_test_network::*; use iroha_test_samples::{ALICE_ID, BOB_ID}; @@ -201,15 +201,18 @@ fn produce_multiple_events() -> Result<()> { // Registering role let alice_id = ALICE_ID.clone(); let role_id = "TEST_ROLE".parse::()?; - let permission_1 = CanRemoveKeyValueInAccount { + let permission_1 = CanModifyAccountMetadata { account: alice_id.clone(), }; - let permission_2 = CanSetKeyValueInAccount { account: alice_id }; + let permission_2 = CanModifyDomainMetadata { + domain: alice_id.domain().clone(), + }; let role = iroha::data_model::role::Role::new(role_id.clone()) .add_permission(permission_1.clone()) .add_permission(permission_2.clone()); let instructions = [Register::role(role.clone())]; client.submit_all_blocking(instructions)?; + println!("KIT"); // Grants role to Bob let bob_id = BOB_ID.clone(); 
@@ -241,7 +244,7 @@ fn produce_multiple_events() -> Result<()> { { assert_eq!(*event.account(), bob_id); assert_eq!( - CanRemoveKeyValueInAccount::try_from(event.permission()).unwrap(), + CanModifyAccountMetadata::try_from(event.permission()).unwrap(), permission_1 ); } else { @@ -252,7 +255,7 @@ fn produce_multiple_events() -> Result<()> { { assert_eq!(*event.account(), bob_id); assert_eq!( - CanSetKeyValueInAccount::try_from(event.permission()).unwrap(), + CanModifyDomainMetadata::try_from(event.permission()).unwrap(), permission_2 ); } else { @@ -272,7 +275,7 @@ fn produce_multiple_events() -> Result<()> { { assert_eq!(*event.account(), bob_id); assert_eq!( - CanRemoveKeyValueInAccount::try_from(event.permission()).unwrap(), + CanModifyAccountMetadata::try_from(event.permission()).unwrap(), permission_1 ); } else { @@ -283,7 +286,7 @@ fn produce_multiple_events() -> Result<()> { { assert_eq!(*event.account(), bob_id); assert_eq!( - CanSetKeyValueInAccount::try_from(event.permission()).unwrap(), + CanModifyDomainMetadata::try_from(event.permission()).unwrap(), permission_2 ); } else { diff --git a/crates/iroha/tests/integration/permissions.rs b/crates/iroha/tests/integration/permissions.rs index 66c79041a0b..706453fa491 100644 --- a/crates/iroha/tests/integration/permissions.rs +++ b/crates/iroha/tests/integration/permissions.rs @@ -10,8 +10,8 @@ use iroha::{ }, }; use iroha_executor_data_model::permission::{ - asset::{CanSetKeyValueInUserAsset, CanTransferUserAsset}, - domain::CanSetKeyValueInDomain, + asset::{CanModifyAsset, CanModifyAssetMetadata}, + domain::CanModifyDomainMetadata, }; use iroha_genesis::GenesisBlock; use iroha_test_network::{PeerBuilder, *}; 
@@ -243,7 +243,7 @@ fn permissions_differ_not_only_by_names() { // Granting permission to Alice to modify metadata in Mouse's hats let mouse_hat_id = AssetId::new(hat_definition_id, mouse_id.clone()); - let mouse_hat_permission = CanSetKeyValueInUserAsset { + let mouse_hat_permission = CanModifyAssetMetadata { asset: mouse_hat_id.clone(), }; let allow_alice_to_set_key_value_in_hats = @@ -276,7 +276,7 @@ fn permissions_differ_not_only_by_names() { .submit_blocking(set_shoes_color.clone()) .expect_err("Expected Alice to fail to modify Mouse's shoes"); - let mouse_shoes_permission = CanSetKeyValueInUserAsset { + let mouse_shoes_permission = CanModifyAssetMetadata { asset: mouse_shoes_id, }; let allow_alice_to_set_key_value_in_shoes = @@ -326,7 +326,7 @@ fn stored_vs_granted_permission_payload() -> Result<()> { let mouse_asset = AssetId::new(asset_definition_id, mouse_id.clone()); let allow_alice_to_set_key_value_in_mouse_asset = Grant::account_permission( - Permission::new("CanSetKeyValueInUserAsset".parse().unwrap(), value_json), + Permission::new("CanModifyAssetMetadata".parse().unwrap(), value_json), alice_id, ); @@ -359,12 +359,12 @@ fn permissions_are_unified() { // Given let alice_id = ALICE_ID.clone(); - let permission1 = CanTransferUserAsset { + let permission1 = CanModifyAsset { asset: format!("rose#wonderland#{alice_id}").parse().unwrap(), }; let allow_alice_to_transfer_rose_1 = Grant::account_permission(permission1, alice_id.clone()); - let permission2 = CanTransferUserAsset { + let permission2 = CanModifyAsset { asset: format!("rose##{alice_id}").parse().unwrap(), }; let allow_alice_to_transfer_rose_2 = Grant::account_permission(permission2, alice_id); 
@@ -389,7 +389,7 @@ fn associated_permissions_removed_on_unregister() { // register kingdom and give bob permissions in this domain let register_domain = Register::domain(kingdom); - let bob_to_set_kv_in_domain = CanSetKeyValueInDomain { + let bob_to_set_kv_in_domain = CanModifyDomainMetadata { domain: kingdom_id.clone(), }; let allow_bob_to_set_kv_in_domain = @@ -409,7 +409,7 @@ fn associated_permissions_removed_on_unregister() { .expect("failed to get permissions for bob") .into_iter() .any(|permission| { - CanSetKeyValueInDomain::try_from(&permission) + CanModifyDomainMetadata::try_from(&permission) .is_ok_and(|permission| permission == bob_to_set_kv_in_domain) })); @@ -425,7 +425,7 @@ fn associated_permissions_removed_on_unregister() { .expect("failed to get permissions for bob") .into_iter() .any(|permission| { - CanSetKeyValueInDomain::try_from(&permission) + CanModifyDomainMetadata::try_from(&permission) .is_ok_and(|permission| permission == bob_to_set_kv_in_domain) })); } @@ -441,7 +441,7 @@ fn associated_permissions_removed_from_role_on_unregister() { // register kingdom and give bob permissions in this domain let register_domain = Register::domain(kingdom); - let set_kv_in_domain = CanSetKeyValueInDomain { + let set_kv_in_domain = CanModifyDomainMetadata { domain: kingdom_id.clone(), }; let role = Role::new(role_id.clone()).add_permission(set_kv_in_domain.clone()); @@ -459,7 +459,7 @@ fn associated_permissions_removed_from_role_on_unregister() { .expect("failed to get role") .permissions() .any(|permission| { - CanSetKeyValueInDomain::try_from(permission) + CanModifyDomainMetadata::try_from(permission) .is_ok_and(|permission| permission == set_kv_in_domain) })); 
@@ -476,7 +476,7 @@ fn associated_permissions_removed_from_role_on_unregister() { .expect("failed to get role") .permissions() .any(|permission| { - CanSetKeyValueInDomain::try_from(permission) + CanModifyDomainMetadata::try_from(permission) .is_ok_and(|permission| permission == set_kv_in_domain) })); } diff --git a/crates/iroha/tests/integration/queries/role.rs b/crates/iroha/tests/integration/queries/role.rs index bd88e982302..33b74d8fc3f 100644 --- a/crates/iroha/tests/integration/queries/role.rs +++ b/crates/iroha/tests/integration/queries/role.rs @@ -5,7 +5,7 @@ use iroha::{ client, data_model::{prelude::*, query::builder::SingleQueryError}, }; -use iroha_executor_data_model::permission::account::CanSetKeyValueInAccount; +use iroha_executor_data_model::permission::account::CanModifyAccountMetadata; use iroha_test_network::*; use iroha_test_samples::ALICE_ID; @@ -133,7 +133,7 @@ fn find_roles_by_account_id() -> Result<()> { .iter() .cloned() .map(|role_id| { - Register::role(Role::new(role_id).add_permission(CanSetKeyValueInAccount { + Register::role(Role::new(role_id).add_permission(CanModifyAccountMetadata { account: alice_id.clone(), })) }) diff --git a/crates/iroha/tests/integration/roles.rs b/crates/iroha/tests/integration/roles.rs index 1430c8a6a4e..14768733dd1 100644 --- a/crates/iroha/tests/integration/roles.rs +++ b/crates/iroha/tests/integration/roles.rs @@ -4,9 +4,7 @@ use iroha::{ client, data_model::{prelude::*, transaction::error::TransactionRejectionReason}, }; -use iroha_executor_data_model::permission::account::{ - CanRemoveKeyValueInAccount, CanSetKeyValueInAccount, -}; +use iroha_executor_data_model::permission::account::CanModifyAccountMetadata; use iroha_test_network::*; use iroha_test_samples::{gen_account_in, ALICE_ID}; use serde_json::json; 
@@ -49,13 +47,9 @@ fn register_and_grant_role_for_metadata_access() -> Result<()> { // Registering role let role_id = "ACCESS_TO_MOUSE_METADATA".parse::()?; - let role = Role::new(role_id.clone()) - .add_permission(CanSetKeyValueInAccount { - account: mouse_id.clone(), - }) - .add_permission(CanRemoveKeyValueInAccount { - account: mouse_id.clone(), - }); + let role = Role::new(role_id.clone()).add_permission(CanModifyAccountMetadata { + account: mouse_id.clone(), + }); let register_role = Register::role(role); test_client.submit_blocking(register_role)?; @@ -98,7 +92,7 @@ fn unregistered_role_removed_from_account() -> Result<()> { // Register root role let register_role = Register::role( - Role::new(role_id.clone()).add_permission(CanSetKeyValueInAccount { account: alice_id }), + Role::new(role_id.clone()).add_permission(CanModifyAccountMetadata { account: alice_id }), ); test_client.submit_blocking(register_role)?; @@ -150,7 +144,6 @@ fn role_with_invalid_permissions_is_not_accepted() -> Result<()> { } #[test] -#[allow(deprecated)] // NOTE: Permissions in this test are created explicitly as json strings // so that they don't get deduplicated eagerly but rather in the executor // This way, if the executor compares permissions just as JSON strings, the test will fail @@ -159,13 +152,13 @@ fn role_permissions_are_deduplicated() { wait_for_genesis_committed(&vec![test_client.clone()], 0); let allow_alice_to_transfer_rose_1 = Permission::new( - "CanTransferUserAsset".parse().unwrap(), + "CanModifyAsset".parse().unwrap(), json!({ "asset": "rose#wonderland#ed0120CE7FA46C9DCE7EA4B125E2E36BDB63EA33073E7590AC92816AE1E861B7048B03@wonderland" }), ); // Different content, but same meaning let allow_alice_to_transfer_rose_2 = Permission::new( - "CanTransferUserAsset".parse().unwrap(), + "CanTModifysset".parse().unwrap(), json!({ "asset": "rose##ed0120CE7FA46C9DCE7EA4B125E2E36BDB63EA33073E7590AC92816AE1E861B7048B03@wonderland" }), ); 
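Review bot: In `role_permissions_are_deduplicated` the second permission is built with the name `"CanTModifysset"`, which looks like a typo for `"CanModifyAsset"`. The test comment says the two JSON payloads should be the same permission written differently, so that deduplication happens in the executor. With different names the two values are no longer the same permission, and the test may fail or pass for an unrelated reason, depending on how the executor treats an unknown permission name. The line should read `"CanModifyAsset".parse().unwrap(),`. The bindings `allow_alice_to_transfer_rose_1` and `allow_alice_to_transfer_rose_2` also still say "transfer" although the permission is now `CanModifyAsset`.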
@@ -229,7 +222,7 @@ fn grant_revoke_role_permissions() -> Result<()> { "key".parse()?, "value".parse::()?, ); - let can_set_key_value_in_mouse = CanSetKeyValueInAccount { + let can_set_key_value_in_mouse = CanModifyAccountMetadata { account: mouse_id.clone(), }; let grant_role_permission = @@ -243,7 +236,7 @@ fn grant_revoke_role_permissions() -> Result<()> { .execute_all()? .iter() .any(|permission| { - CanSetKeyValueInAccount::try_from(permission) + CanModifyAccountMetadata::try_from(permission) .is_ok_and(|permission| permission == can_set_key_value_in_mouse) })); let _ = test_client @@ -260,7 +253,7 @@ fn grant_revoke_role_permissions() -> Result<()> { .execute_all()? .iter() .any(|permission| { - CanSetKeyValueInAccount::try_from(permission) + CanModifyAccountMetadata::try_from(permission) .is_ok_and(|permission| permission == can_set_key_value_in_mouse) })); test_client.submit_blocking(set_key_value.clone())?; @@ -275,7 +268,7 @@ fn grant_revoke_role_permissions() -> Result<()> { .execute_all()? .iter() .any(|permission| { - CanSetKeyValueInAccount::try_from(permission) + CanModifyAccountMetadata::try_from(permission) .is_ok_and(|permission| permission == can_set_key_value_in_mouse) })); let _ = test_client diff --git a/crates/iroha/tests/integration/transfer_domain.rs b/crates/iroha/tests/integration/transfer_domain.rs index 4f006b20818..8854b6a627b 100644 --- a/crates/iroha/tests/integration/transfer_domain.rs +++ b/crates/iroha/tests/integration/transfer_domain.rs 
@@ -7,10 +7,10 @@ use iroha::{ }; use iroha_executor_data_model::permission::{ account::CanUnregisterAccount, - asset::CanUnregisterUserAsset, - asset_definition::CanUnregisterAssetDefinition, - domain::{CanRegisterAssetDefinitionInDomain, CanUnregisterDomain}, - trigger::CanUnregisterUserTrigger, + asset::CanUnregisterAsset, + asset_definition::{CanRegisterAssetDefinition, CanUnregisterAssetDefinition}, + domain::CanUnregisterDomain, + trigger::CanUnregisterTrigger, }; use iroha_genesis::GenesisBlock; use iroha_primitives::json::JsonString; @@ -59,7 +59,7 @@ fn domain_owner_domain_permissions() -> Result<()> { test_client.submit_blocking(Unregister::asset_definition(coin_id))?; // Granting a respective permission also allows "bob@kingdom" to do so - let permission = CanRegisterAssetDefinitionInDomain { + let permission = CanRegisterAssetDefinition { domain: kingdom_id.clone(), }; test_client.submit_blocking(Grant::account_permission( @@ -158,7 +158,7 @@ fn domain_owner_asset_definition_permissions() -> Result<()> { test_client.submit_blocking(Register::account(rabbit))?; // Grant permission to register asset definitions to "bob@kingdom" - let permission = CanRegisterAssetDefinitionInDomain { domain: kingdom_id }; + let permission = CanRegisterAssetDefinition { domain: kingdom_id }; test_client.submit_blocking(Grant::account_permission(permission, bob_id.clone()))?; // register asset definitions by "bob@kingdom" so he is owner of it @@ -222,7 +222,7 @@ fn domain_owner_asset_permissions() -> Result<()> { test_client.submit_blocking(Register::account(bob))?; // Grant permission to register asset definitions to "bob@kingdom" - let permission = CanRegisterAssetDefinitionInDomain { domain: kingdom_id }; + let permission = CanRegisterAssetDefinition { domain: kingdom_id }; test_client.submit_blocking(Grant::account_permission(permission, bob_id.clone()))?; // register asset definitions by "bob@kingdom" so he is owner of it 
@@ -255,7 +255,7 @@ fn domain_owner_asset_permissions() -> Result<()> { test_client.submit_blocking(RemoveKeyValue::asset(bob_store_id.clone(), key))?; // check that "alice@wonderland" as owner of domain can grant and revoke asset related permissions in her domain - let permission = CanUnregisterUserAsset { + let permission = CanUnregisterAsset { asset: bob_store_id, }; test_client.submit_blocking(Grant::account_permission( @@ -308,8 +308,8 @@ fn domain_owner_trigger_permissions() -> Result<()> { let _result = test_client.submit_blocking(execute_trigger)?; // check that "alice@wonderland" as owner of domain can grant and revoke trigger related permissions in her domain - let permission = CanUnregisterUserTrigger { - account: bob_id.clone(), + let permission = CanUnregisterTrigger { + trigger: trigger_id.clone(), }; test_client.submit_blocking(Grant::account_permission( permission.clone(), diff --git a/crates/iroha/tests/integration/triggers/by_call_trigger.rs b/crates/iroha/tests/integration/triggers/by_call_trigger.rs index eb11b0c9b3f..063a96e05eb 100644 --- a/crates/iroha/tests/integration/triggers/by_call_trigger.rs +++ b/crates/iroha/tests/integration/triggers/by_call_trigger.rs @@ -12,7 +12,7 @@ use iroha::{ }, }; use iroha_data_model::query::{builder::SingleQueryError, trigger::FindTriggers}; -use iroha_executor_data_model::permission::trigger::CanRegisterUserTrigger; +use iroha_executor_data_model::permission::trigger::CanRegisterTrigger; use iroha_genesis::GenesisBlock; use iroha_logger::info; use iroha_test_network::{Peer as TestPeer, *}; @@ -217,8 +217,7 @@ fn trigger_should_not_be_executed_with_zero_repeats_count() -> Result<()> { downcasted_error, Some(FindError::Trigger(id)) if *id == trigger_id ), - "Unexpected error received: {:?}", - error + "Unexpected error received: {error:?}", ); // Checking results 
@@ -295,8 +294,8 @@ fn only_account_with_permission_can_register_trigger() -> Result<()> { rabbit_client.key_pair = rabbit_keys; // Permission for the trigger registration on behalf of alice - let permission_on_registration = CanRegisterUserTrigger { - account: ALICE_ID.clone(), + let permission_on_registration = CanRegisterTrigger { + authority: ALICE_ID.clone(), }; // Trigger with 'alice' as authority diff --git a/crates/iroha_core/src/kura.rs b/crates/iroha_core/src/kura.rs index d4c8761e6c2..a5656b2fd62 100644 --- a/crates/iroha_core/src/kura.rs +++ b/crates/iroha_core/src/kura.rs @@ -1030,6 +1030,7 @@ mod tests { #[allow(clippy::too_many_lines)] fn create_blocks(rt: &tokio::runtime::Runtime, temp_dir: &TempDir) -> Vec { + const BLOCK_FLUSH_TIMEOUT: Duration = Duration::from_secs(1); let mut blocks = Vec::new(); let (leader_public_key, leader_private_key) = KeyPair::random().into_parts(); @@ -1136,7 +1137,6 @@ mod tests { blocks.push(block.clone()); kura.store_block(block); } - const BLOCK_FLUSH_TIMEOUT: Duration = Duration::from_secs(1); thread::sleep(BLOCK_FLUSH_TIMEOUT); { diff --git a/crates/iroha_executor/src/default.rs b/crates/iroha_executor/src/default.rs index 56a8d5f3a41..1a6e0818760 100644 --- a/crates/iroha_executor/src/default.rs +++ b/crates/iroha_executor/src/default.rs @@ -129,19 +129,25 @@ pub fn visit_instruction( } pub mod peer { - use iroha_executor_data_model::permission::peer::CanUnregisterAnyPeer; + use iroha_executor_data_model::permission::peer::CanManagePeers; use super::*; pub fn visit_register_peer( executor: &mut V, - _authority: &AccountId, + authority: &AccountId, isi: &Register, ) { - execute!(executor, isi) + if is_genesis(executor) { + execute!(executor, isi); + } + if CanManagePeers.is_owned_by(authority) { + execute!(executor, isi); + } + + deny!(executor, "Can't register peer"); } - #[allow(clippy::needless_pass_by_value)] pub fn visit_unregister_peer( executor: &mut V, authority: &AccountId, 
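Review bot: `visit_register_peer` changes from an unconditional `execute!` to deny-by-default, but nothing at the function documents the new authorization rule. A doc comment such as `/// Allowed only in genesis or for an authority that owns `CanManagePeers`; every other caller is denied.` would make the policy explicit. The body is only correct if `execute!` returns from the function, since otherwise control falls through to `deny!`; that macro is defined outside this hunk, so a one-line comment stating it would help readers. The same applies to `visit_register_domain` in the `@@ -171,10 +177,17 @@` hunk. No test in the visible part of the patch exercises the deny path for an account without `CanManagePeers` or `CanRegisterDomain`, and one would guard against a regression to the old open behaviour.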
@@ -150,7 +156,7 @@ pub mod peer { if is_genesis(executor) { execute!(executor, isi); } - if CanUnregisterAnyPeer.is_owned_by(authority) { + if CanManagePeers.is_owned_by(authority) { execute!(executor, isi); } @@ -160,7 +166,7 @@ pub mod peer { pub mod domain { use iroha_executor_data_model::permission::domain::{ - CanRemoveKeyValueInDomain, CanSetKeyValueInDomain, CanUnregisterDomain, + CanModifyDomainMetadata, CanRegisterDomain, CanUnregisterDomain, }; use iroha_smart_contract::data_model::domain::DomainId; @@ -171,10 +177,17 @@ pub mod domain { pub fn visit_register_domain( executor: &mut V, - _authority: &AccountId, + authority: &AccountId, isi: &Register, ) { - execute!(executor, isi) + if is_genesis(executor) { + execute!(executor, isi); + } + if CanRegisterDomain.is_owned_by(authority) { + execute!(executor, isi); + } + + deny!(executor, "Can't register domaon"); } pub fn visit_unregister_domain( @@ -199,7 +212,7 @@ pub mod domain { use iroha_smart_contract::ExecuteOnHost as _; for (owner_id, permission) in accounts_permissions() { - if is_token_domain_associated(&permission, domain_id) { + if is_permission_domain_associated(&permission, domain_id) { let isi = Revoke::account_permission(permission, owner_id.clone()); if let Err(_err) = isi.execute() { deny!(executor, "Can't revoke associated permission"); @@ -207,7 +220,7 @@ pub mod domain { } } for (role_id, permission) in roles_permissions() { - if is_token_domain_associated(&permission, domain_id) { + if is_permission_domain_associated(&permission, domain_id) { let isi = Revoke::role_permission(permission, role_id.clone()); if let Err(_err) = isi.execute() { deny!(executor, "Can't revoke associated permission"); 
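Review bot: The rejection message added to `visit_register_domain` has a typo, `deny!(executor, "Can't register domaon");`, and should read `deny!(executor, "Can't register domain");`. This string is what a client sees when an authorization check fails, and it is likely to be matched in logs and tests, so it is worth fixing before it ships.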
@@ -259,7 +272,7 @@ pub mod domain { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_set_key_value_in_domain_token = CanSetKeyValueInDomain { + let can_set_key_value_in_domain_token = CanModifyDomainMetadata { domain: domain_id.clone(), }; if can_set_key_value_in_domain_token.is_owned_by(authority) { @@ -284,7 +297,7 @@ pub mod domain { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_remove_key_value_in_domain_token = CanRemoveKeyValueInDomain { + let can_remove_key_value_in_domain_token = CanModifyDomainMetadata { domain: domain_id.clone(), }; if can_remove_key_value_in_domain_token.is_owned_by(authority) { 
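Review bot: The set and remove visitors for domain metadata now both construct `CanModifyDomainMetadata`, but the bindings are still named `can_set_key_value_in_domain_token` and `can_remove_key_value_in_domain_token`. The old names suggest two separate permissions and hide the fact that one grant now authorizes both operations. Renaming both to something like `can_modify_domain_metadata` would match the new model. The same leftover naming appears in the account hunks (`can_set_key_value_in_user_account_token`, `can_remove_key_value_in_user_account_token`) and the asset-definition hunks (`can_set_key_value_in_asset_definition_token`, `can_remove_key_value_in_asset_definition_token`).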
@@ -295,27 +308,21 @@ pub mod domain { } #[allow(clippy::too_many_lines)] - fn is_token_domain_associated(permission: &Permission, domain_id: &DomainId) -> bool { + fn is_permission_domain_associated(permission: &Permission, domain_id: &DomainId) -> bool { let Ok(permission) = AnyPermission::try_from(permission) else { return false; }; match permission { AnyPermission::CanUnregisterDomain(permission) => &permission.domain == domain_id, - AnyPermission::CanSetKeyValueInDomain(permission) => &permission.domain == domain_id, - AnyPermission::CanRemoveKeyValueInDomain(permission) => &permission.domain == domain_id, - AnyPermission::CanRegisterAccountInDomain(permission) => { - &permission.domain == domain_id - } - AnyPermission::CanRegisterAssetDefinitionInDomain(permission) => { + AnyPermission::CanModifyDomainMetadata(permission) => &permission.domain == domain_id, + AnyPermission::CanRegisterAccount(permission) => &permission.domain == domain_id, + AnyPermission::CanRegisterAssetDefinition(permission) => { &permission.domain == domain_id } AnyPermission::CanUnregisterAssetDefinition(permission) => { permission.asset_definition.domain() == domain_id } - AnyPermission::CanSetKeyValueInAssetDefinition(permission) => { - permission.asset_definition.domain() == domain_id - } - AnyPermission::CanRemoveKeyValueInAssetDefinition(permission) => { + AnyPermission::CanModifyAssetDefinitionMetadata(permission) => { permission.asset_definition.domain() == domain_id } AnyPermission::CanRegisterAssetWithDefinition(permission) => { 
@@ -324,71 +331,47 @@ pub mod domain { AnyPermission::CanUnregisterAssetWithDefinition(permission) => { permission.asset_definition.domain() == domain_id } - AnyPermission::CanBurnAssetWithDefinition(permission) => { - permission.asset_definition.domain() == domain_id - } - AnyPermission::CanMintAssetWithDefinition(permission) => { - permission.asset_definition.domain() == domain_id - } - AnyPermission::CanTransferAssetWithDefinition(permission) => { + AnyPermission::CanModifyAssetsWithDefinition(permission) => { permission.asset_definition.domain() == domain_id } - AnyPermission::CanBurnUserAsset(permission) => { - permission.asset.definition().domain() == domain_id - || permission.asset.account().domain() == domain_id - } - AnyPermission::CanTransferUserAsset(permission) => { - permission.asset.definition().domain() == domain_id - || permission.asset.account().domain() == domain_id - } - AnyPermission::CanUnregisterUserAsset(permission) => { + AnyPermission::CanRegisterAsset(permission) => permission.owner.domain() == domain_id, + AnyPermission::CanUnregisterAsset(permission) => { permission.asset.definition().domain() == domain_id || permission.asset.account().domain() == domain_id } - AnyPermission::CanSetKeyValueInUserAsset(permission) => { + AnyPermission::CanModifyAssetMetadata(permission) => { permission.asset.definition().domain() == domain_id || permission.asset.account().domain() == domain_id } - AnyPermission::CanRemoveKeyValueInUserAsset(permission) => { - permission.asset.definition().domain() == domain_id - || permission.asset.account().domain() == domain_id - } - AnyPermission::CanMintUserAsset(permission) => { + AnyPermission::CanModifyAsset(permission) => { permission.asset.definition().domain() == domain_id || permission.asset.account().domain() == domain_id } AnyPermission::CanUnregisterAccount(permission) => { permission.account.domain() == domain_id } - AnyPermission::CanSetKeyValueInAccount(permission) => { + 
AnyPermission::CanModifyAccountMetadata(permission) => { permission.account.domain() == domain_id } - AnyPermission::CanRemoveKeyValueInAccount(permission) => { - permission.account.domain() == domain_id - } - AnyPermission::CanRegisterUserTrigger(permission) => { - permission.account.domain() == domain_id + AnyPermission::CanRegisterTrigger(permission) => { + permission.authority.domain() == domain_id } - AnyPermission::CanUnregisterUserTrigger(permission) => { - permission.account.domain() == domain_id - } - AnyPermission::CanExecuteUserTrigger(_) - | AnyPermission::CanBurnUserTrigger(_) - | AnyPermission::CanMintUserTrigger(_) - | AnyPermission::CanSetKeyValueInTrigger(_) - | AnyPermission::CanRemoveKeyValueInTrigger(_) - | AnyPermission::CanUnregisterAnyPeer(_) + AnyPermission::CanUnregisterTrigger(_) + | AnyPermission::CanExecuteTrigger(_) + | AnyPermission::CanModifyTrigger(_) + | AnyPermission::CanModifyTriggerMetadata(_) + | AnyPermission::CanManagePeers(_) + | AnyPermission::CanRegisterDomain(_) | AnyPermission::CanSetParameters(_) - | AnyPermission::CanUnregisterAnyRole(_) + | AnyPermission::CanManageRoles(_) | AnyPermission::CanUpgradeExecutor(_) => false, } } } pub mod account { - use iroha_executor_data_model::permission::{ - account::{CanRemoveKeyValueInAccount, CanSetKeyValueInAccount, CanUnregisterAccount}, - domain::CanRegisterAccountInDomain, + use iroha_executor_data_model::permission::account::{ + CanModifyAccountMetadata, CanRegisterAccount, CanUnregisterAccount, }; use super::*; @@ -407,7 +390,7 @@ pub mod account { Ok(false) => {} } - let can_register_account_in_domain = CanRegisterAccountInDomain { + let can_register_account_in_domain = CanRegisterAccount { domain: domain_id.clone(), }; if can_register_account_in_domain.is_owned_by(authority) { 
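Review bot: In `is_permission_domain_associated`, `AnyPermission::CanUnregisterTrigger(_)` now sits in the catch-all `=> false` arm, where the old `CanUnregisterUserTrigger(permission)` compared `permission.account.domain()` with `domain_id`. Because the permission is now keyed by a trigger id, such grants are no longer revoked when the domain is unregistered. The same holds for account unregistration in `is_permission_account_associated` (hunk `@@ -518,67 +501,49 @@`). Whether another path cleans up trigger-scoped permissions is not visible in this patch. If leaving them is intentional, a comment on the arm would record that, for example `// Trigger-scoped permissions are not tied to a domain or account and are intentionally not revoked here`; otherwise the trigger's authority needs to be resolved and compared. The function starts in the preceding hunk.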
@@ -442,7 +425,7 @@ pub mod account { use iroha_smart_contract::ExecuteOnHost as _; for (owner_id, permission) in accounts_permissions() { - if is_token_account_associated(&permission, account_id) { + if is_permission_account_associated(&permission, account_id) { let isi = Revoke::account_permission(permission, owner_id.clone()); if let Err(_err) = isi.execute() { deny!(executor, "Can't revoke associated permission"); @@ -450,7 +433,7 @@ pub mod account { } } for (role_id, permission) in roles_permissions() { - if is_token_account_associated(&permission, account_id) { + if is_permission_account_associated(&permission, account_id) { let isi = Revoke::role_permission(permission, role_id.clone()); if let Err(_err) = isi.execute() { deny!(executor, "Can't revoke associated permission"); @@ -477,7 +460,7 @@ pub mod account { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_set_key_value_in_user_account_token = CanSetKeyValueInAccount { + let can_set_key_value_in_user_account_token = CanModifyAccountMetadata { account: account_id.clone(), }; if can_set_key_value_in_user_account_token.is_owned_by(authority) { @@ -505,7 +488,7 @@ pub mod account { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_remove_key_value_in_user_account_token = CanRemoveKeyValueInAccount { + let can_remove_key_value_in_user_account_token = CanModifyAccountMetadata { account: account_id.clone(), }; if can_remove_key_value_in_user_account_token.is_owned_by(authority) { 
@@ -518,67 +501,49 @@ pub mod account { ); } - fn is_token_account_associated(permission: &Permission, account_id: &AccountId) -> bool { + fn is_permission_account_associated(permission: &Permission, account_id: &AccountId) -> bool { let Ok(permission) = AnyPermission::try_from(permission) else { return false; }; match permission { - AnyPermission::CanUnregisterAccount(permission) => &permission.account == account_id, - AnyPermission::CanSetKeyValueInAccount(permission) => &permission.account == account_id, - AnyPermission::CanRemoveKeyValueInAccount(permission) => { - &permission.account == account_id - } - AnyPermission::CanBurnUserAsset(permission) => permission.asset.account() == account_id, - AnyPermission::CanTransferUserAsset(permission) => { - permission.asset.account() == account_id - } - AnyPermission::CanUnregisterUserAsset(permission) => { - permission.asset.account() == account_id + AnyPermission::CanUnregisterAccount(permission) => permission.account == *account_id, + AnyPermission::CanModifyAccountMetadata(permission) => { + permission.account == *account_id } - AnyPermission::CanSetKeyValueInUserAsset(permission) => { + AnyPermission::CanRegisterAsset(permission) => permission.owner == *account_id, + AnyPermission::CanUnregisterAsset(permission) => { permission.asset.account() == account_id } - AnyPermission::CanRemoveKeyValueInUserAsset(permission) => { + AnyPermission::CanModifyAssetMetadata(permission) => { permission.asset.account() == account_id } - AnyPermission::CanMintUserAsset(permission) => permission.asset.account() == account_id, - AnyPermission::CanRegisterUserTrigger(permission) => &permission.account == account_id, - AnyPermission::CanUnregisterUserTrigger(permission) => { - &permission.account == account_id - } - AnyPermission::CanExecuteUserTrigger(_) - | AnyPermission::CanBurnUserTrigger(_) - | AnyPermission::CanMintUserTrigger(_) - | AnyPermission::CanSetKeyValueInTrigger(_) - | AnyPermission::CanRemoveKeyValueInTrigger(_) - | 
AnyPermission::CanUnregisterAnyPeer(_) + AnyPermission::CanModifyAsset(permission) => permission.asset.account() == account_id, + AnyPermission::CanRegisterTrigger(permission) => permission.authority == *account_id, + AnyPermission::CanUnregisterTrigger(_) + | AnyPermission::CanExecuteTrigger(_) + | AnyPermission::CanModifyTrigger(_) + | AnyPermission::CanModifyTriggerMetadata(_) + | AnyPermission::CanManagePeers(_) + | AnyPermission::CanRegisterDomain(_) | AnyPermission::CanUnregisterDomain(_) - | AnyPermission::CanSetKeyValueInDomain(_) - | AnyPermission::CanRemoveKeyValueInDomain(_) - | AnyPermission::CanRegisterAccountInDomain(_) - | AnyPermission::CanRegisterAssetDefinitionInDomain(_) + | AnyPermission::CanModifyDomainMetadata(_) + | AnyPermission::CanRegisterAccount(_) + | AnyPermission::CanRegisterAssetDefinition(_) | AnyPermission::CanUnregisterAssetDefinition(_) - | AnyPermission::CanSetKeyValueInAssetDefinition(_) - | AnyPermission::CanRemoveKeyValueInAssetDefinition(_) + | AnyPermission::CanModifyAssetDefinitionMetadata(_) | AnyPermission::CanRegisterAssetWithDefinition(_) | AnyPermission::CanUnregisterAssetWithDefinition(_) - | AnyPermission::CanBurnAssetWithDefinition(_) - | AnyPermission::CanMintAssetWithDefinition(_) - | AnyPermission::CanTransferAssetWithDefinition(_) + | AnyPermission::CanModifyAssetsWithDefinition(_) | AnyPermission::CanSetParameters(_) - | AnyPermission::CanUnregisterAnyRole(_) + | AnyPermission::CanManageRoles(_) | AnyPermission::CanUpgradeExecutor(_) => false, } } } pub mod asset_definition { - use iroha_executor_data_model::permission::{ - asset_definition::{ - CanRemoveKeyValueInAssetDefinition, CanSetKeyValueInAssetDefinition, - CanUnregisterAssetDefinition, - }, - domain::CanRegisterAssetDefinitionInDomain, + use iroha_executor_data_model::permission::asset_definition::{ + CanModifyAssetDefinitionMetadata, CanRegisterAssetDefinition, CanUnregisterAssetDefinition, }; use 
iroha_smart_contract::data_model::asset::AssetDefinitionId; @@ -601,7 +566,7 @@ pub mod asset_definition { Ok(false) => {} } - let can_register_asset_definition_in_domain_token = CanRegisterAssetDefinitionInDomain { + let can_register_asset_definition_in_domain_token = CanRegisterAssetDefinition { domain: domain_id.clone(), }; if can_register_asset_definition_in_domain_token.is_owned_by(authority) { @@ -636,7 +601,7 @@ pub mod asset_definition { use iroha_smart_contract::ExecuteOnHost as _; for (owner_id, permission) in accounts_permissions() { - if is_token_asset_definition_associated(&permission, asset_definition_id) { + if is_permission_asset_definition_associated(&permission, asset_definition_id) { let isi = Revoke::account_permission(permission, owner_id.clone()); if let Err(_err) = isi.execute() { deny!(executor, "Can't revoke associated permission"); @@ -644,7 +609,7 @@ pub mod asset_definition { } } for (role_id, permission) in roles_permissions() { - if is_token_asset_definition_associated(&permission, asset_definition_id) { + if is_permission_asset_definition_associated(&permission, asset_definition_id) { let isi = Revoke::role_permission(permission, role_id.clone()); if let Err(_err) = isi.execute() { deny!(executor, "Can't revoke associated permission"); @@ -702,7 +667,7 @@ pub mod asset_definition { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_set_key_value_in_asset_definition_token = CanSetKeyValueInAssetDefinition { + let can_set_key_value_in_asset_definition_token = CanModifyAssetDefinitionMetadata { asset_definition: asset_definition_id.clone(), }; if can_set_key_value_in_asset_definition_token.is_owned_by(authority) { 
@@ -730,7 +695,7 @@ pub mod asset_definition { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_remove_key_value_in_asset_definition_token = CanRemoveKeyValueInAssetDefinition { + let can_remove_key_value_in_asset_definition_token = CanModifyAssetDefinitionMetadata { asset_definition: asset_definition_id.clone(), }; if can_remove_key_value_in_asset_definition_token.is_owned_by(authority) { @@ -743,7 +708,7 @@ pub mod asset_definition { ); } - fn is_token_asset_definition_associated( + fn is_permission_asset_definition_associated( permission: &Permission, asset_definition_id: &AssetDefinitionId, ) -> bool { @@ -754,10 +719,7 @@ pub mod asset_definition { AnyPermission::CanUnregisterAssetDefinition(permission) => { &permission.asset_definition == asset_definition_id } - AnyPermission::CanSetKeyValueInAssetDefinition(permission) => { - &permission.asset_definition == asset_definition_id - } - AnyPermission::CanRemoveKeyValueInAssetDefinition(permission) => { + AnyPermission::CanModifyAssetDefinitionMetadata(permission) => { &permission.asset_definition == asset_definition_id } AnyPermission::CanRegisterAssetWithDefinition(permission) => { 
@@ -766,51 +728,34 @@ pub mod asset_definition { AnyPermission::CanUnregisterAssetWithDefinition(permission) => { &permission.asset_definition == asset_definition_id } - AnyPermission::CanBurnAssetWithDefinition(permission) => { + AnyPermission::CanModifyAssetsWithDefinition(permission) => { &permission.asset_definition == asset_definition_id } - AnyPermission::CanMintAssetWithDefinition(permission) => { - &permission.asset_definition == asset_definition_id - } - AnyPermission::CanTransferAssetWithDefinition(permission) => { - &permission.asset_definition == asset_definition_id - } - AnyPermission::CanBurnUserAsset(permission) => { - permission.asset.definition() == asset_definition_id - } - AnyPermission::CanTransferUserAsset(permission) => { - permission.asset.definition() == asset_definition_id - } - AnyPermission::CanUnregisterUserAsset(permission) => { - permission.asset.definition() == asset_definition_id - } - AnyPermission::CanSetKeyValueInUserAsset(permission) => { + AnyPermission::CanUnregisterAsset(permission) => { permission.asset.definition() == asset_definition_id } - AnyPermission::CanRemoveKeyValueInUserAsset(permission) => { + AnyPermission::CanModifyAssetMetadata(permission) => { permission.asset.definition() == asset_definition_id } - AnyPermission::CanMintUserAsset(permission) => { + AnyPermission::CanModifyAsset(permission) => { permission.asset.definition() == asset_definition_id } AnyPermission::CanUnregisterAccount(_) - | AnyPermission::CanSetKeyValueInAccount(_) - | AnyPermission::CanRemoveKeyValueInAccount(_) - | AnyPermission::CanRegisterUserTrigger(_) - | AnyPermission::CanUnregisterUserTrigger(_) - | AnyPermission::CanExecuteUserTrigger(_) - | AnyPermission::CanBurnUserTrigger(_) - | AnyPermission::CanMintUserTrigger(_) - | AnyPermission::CanSetKeyValueInTrigger(_) - | AnyPermission::CanRemoveKeyValueInTrigger(_) - | AnyPermission::CanUnregisterAnyPeer(_) + | AnyPermission::CanRegisterAsset(_) + | 
AnyPermission::CanModifyAccountMetadata(_) + | AnyPermission::CanRegisterTrigger(_) + | AnyPermission::CanUnregisterTrigger(_) + | AnyPermission::CanExecuteTrigger(_) + | AnyPermission::CanModifyTrigger(_) + | AnyPermission::CanModifyTriggerMetadata(_) + | AnyPermission::CanManagePeers(_) + | AnyPermission::CanRegisterDomain(_) | AnyPermission::CanUnregisterDomain(_) - | AnyPermission::CanSetKeyValueInDomain(_) - | AnyPermission::CanRemoveKeyValueInDomain(_) - | AnyPermission::CanRegisterAccountInDomain(_) - | AnyPermission::CanRegisterAssetDefinitionInDomain(_) + | AnyPermission::CanModifyDomainMetadata(_) + | AnyPermission::CanRegisterAccount(_) + | AnyPermission::CanRegisterAssetDefinition(_) | AnyPermission::CanSetParameters(_) - | AnyPermission::CanUnregisterAnyRole(_) + | AnyPermission::CanManageRoles(_) | AnyPermission::CanUpgradeExecutor(_) => false, } } @@ -818,10 +763,8 @@ pub mod asset_definition { pub mod asset { use iroha_executor_data_model::permission::asset::{ - CanBurnAssetWithDefinition, CanBurnUserAsset, CanMintAssetWithDefinition, CanMintUserAsset, - CanRegisterAssetWithDefinition, CanRemoveKeyValueInUserAsset, CanSetKeyValueInUserAsset, - CanTransferAssetWithDefinition, CanTransferUserAsset, CanUnregisterAssetWithDefinition, - CanUnregisterUserAsset, + CanModifyAsset, CanModifyAssetMetadata, CanModifyAssetsWithDefinition, CanRegisterAsset, + CanRegisterAssetWithDefinition, CanUnregisterAsset, CanUnregisterAssetWithDefinition, }; use iroha_smart_contract::data_model::{ asset::AssetValue, isi::BuiltInInstruction, metadata::Metadata, @@ -852,6 +795,12 @@ pub mod asset { if can_register_assets_with_definition_token.is_owned_by(authority) { execute!(executor, isi); } + let can_register_user_asset_token = CanRegisterAsset { + owner: asset.id().account().clone(), + }; + if can_register_user_asset_token.is_owned_by(authority) { + execute!(executor, isi); + } deny!( executor, 
@@ -885,7 +834,7 @@ pub mod asset { if can_unregister_assets_with_definition_token.is_owned_by(authority) { execute!(executor, isi); } - let can_unregister_user_asset_token = CanUnregisterUserAsset { + let can_unregister_user_asset_token = CanUnregisterAsset { asset: asset_id.clone(), }; if can_unregister_user_asset_token.is_owned_by(authority) { @@ -910,13 +859,13 @@ pub mod asset { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_mint_assets_with_definition_token = CanMintAssetWithDefinition { + let can_mint_assets_with_definition_token = CanModifyAssetsWithDefinition { asset_definition: asset_id.definition().clone(), }; if can_mint_assets_with_definition_token.is_owned_by(authority) { execute!(executor, isi); } - let can_mint_user_asset_token = CanMintUserAsset { + let can_mint_user_asset_token = CanModifyAsset { asset: asset_id.clone(), }; if can_mint_user_asset_token.is_owned_by(authority) { @@ -947,23 +896,18 @@ pub mod asset { if is_genesis(executor) { execute!(executor, isi); } - match is_asset_owner(asset_id, authority) { - Err(err) => deny!(executor, err), - Ok(true) => execute!(executor, isi), - Ok(false) => {} - } match is_asset_definition_owner(asset_id.definition(), authority) { Err(err) => deny!(executor, err), Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_burn_assets_with_definition_token = CanBurnAssetWithDefinition { + let can_burn_assets_with_definition_token = CanModifyAssetsWithDefinition { asset_definition: asset_id.definition().clone(), }; if can_burn_assets_with_definition_token.is_owned_by(authority) { execute!(executor, isi); } - let can_burn_user_asset_token = CanBurnUserAsset { + let can_burn_user_asset_token = CanModifyAsset { asset: asset_id.clone(), }; if can_burn_user_asset_token.is_owned_by(authority) { 
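Review bot: In the mint visitor (`@@ -910`), and again in the burn (`@@ -947`) and transfer (`@@ -1004`) hunks, the single `CanModifyAsset` / `CanModifyAssetsWithDefinition` pair replaces three separate permissions, so a grantee that only needs to transfer an asset now also passes the mint and burn checks. That widening is not stated anywhere in the changed code; I would add a comment at each check, e.g. `// CanModifyAsset covers mint, burn and transfer of this asset`, and the same wording in the permission type's docs (not visible here). The local bindings still carry the old names (`can_mint_user_asset_token`), which now misdescribe what is checked; `can_modify_asset_token` would match. The visitors' bodies start and end outside these hunks.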
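Review bot: The burn visitor (`@@ -947`) loses its `is_asset_owner` branch, so as far as the hunk shows an account can no longer burn an asset it holds unless it owns the definition or has `CanModifyAsset` / `CanModifyAssetsWithDefinition`. The commit is titled a refactor, so this change in who is authorised should be stated where it happens, e.g. `// Holding the asset is not enough to burn it; CanModifyAsset is required`, and pinned by a test that an unprivileged holder is denied. If the removal was not intended, the `match is_asset_owner(asset_id, authority)` block should stay. The visitor's signature and final `deny!` are outside the hunk.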
@@ -1004,13 +948,13 @@ pub mod asset { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_transfer_assets_with_definition_token = CanTransferAssetWithDefinition { + let can_transfer_assets_with_definition_token = CanModifyAssetsWithDefinition { asset_definition: asset_id.definition().clone(), }; if can_transfer_assets_with_definition_token.is_owned_by(authority) { execute!(executor, isi); } - let can_transfer_user_asset_token = CanTransferUserAsset { + let can_transfer_user_asset_token = CanModifyAsset { asset: asset_id.clone(), }; if can_transfer_user_asset_token.is_owned_by(authority) { @@ -1052,7 +996,7 @@ pub mod asset { Ok(false) => {} } - let can_set_key_value_in_user_asset_token = CanSetKeyValueInUserAsset { + let can_set_key_value_in_user_asset_token = CanModifyAssetMetadata { asset: asset_id.clone(), }; if can_set_key_value_in_user_asset_token.is_owned_by(authority) { @@ -1080,7 +1024,7 @@ pub mod asset { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_remove_key_value_in_user_asset_token = CanRemoveKeyValueInUserAsset { + let can_remove_key_value_in_user_asset_token = CanModifyAssetMetadata { asset: asset_id.clone(), }; if can_remove_key_value_in_user_asset_token.is_owned_by(authority) { @@ -1099,7 +1043,6 @@ pub mod parameter { use super::*; - #[allow(clippy::needless_pass_by_value)] pub fn visit_set_parameter( executor: &mut V, authority: &AccountId, @@ -1120,7 +1063,7 @@ pub mod parameter { } pub mod role { - use iroha_executor_data_model::permission::role::CanUnregisterAnyRole; + use iroha_executor_data_model::permission::role::CanManageRoles; use iroha_smart_contract::data_model::role::Role; use super::*; 
@@ -1129,56 +1072,15 @@ pub mod role { ($executor:ident, $isi:ident, $authority:ident, $method:ident) => { let role_id = $isi.object(); - let find_role_query_res = - match crate::data_model::query::builder::QueryBuilderExt::execute_single( - iroha_smart_contract::query(FindRoles) - .filter_with(|role| role.id.eq(role_id.clone())), - ) { - Ok(res) => res, - Err(crate::data_model::query::builder::SingleQueryError::QueryError(error)) => { - deny!($executor, error); - } - Err( - crate::data_model::query::builder::SingleQueryError::ExpectedOneGotNone, - ) => { - // assuming that only a "not found" case is possible here - $executor.deny($crate::data_model::ValidationFail::QueryFailed( - $crate::data_model::query::error::QueryExecutionFail::Find( - $crate::data_model::query::error::FindError::Role(role_id.clone()), - ), - )); - return; - } - Err(_) => { - unreachable!(); - } - }; - let role = Role::try_from(find_role_query_res).unwrap(); - - let mut unknown_tokens = alloc::vec::Vec::new(); - for permission in role.permissions() { - if let Ok(permission) = AnyPermission::try_from(permission) { - if !is_genesis($executor) { - if let Err(error) = crate::permission::ValidateGrantRevoke::$method( - &permission, - $authority, - $executor.block_height(), - ) { - deny!($executor, error); - } - } - - continue; - } - - unknown_tokens.push(permission); + if is_genesis($executor) + || CanManageRoles.is_owned_by($authority) + || find_account_roles($authority.clone()) + .any(|authority_role_id| authority_role_id == *role_id) + { + execute!($executor, $isi) } - assert!( - unknown_tokens.is_empty(), - "Role contains unknown permission tokens: {unknown_tokens:?}" - ); - execute!($executor, $isi) + deny!($executor, "Can't grant or revoke role to another account"); }; } 
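Review bot: The new condition in the role grant/revoke macro lets any account that already holds `role_id` both grant it to and revoke it from other accounts, and the per-permission `ValidateGrantRevoke::$method` check that used to run over the role's permissions is gone. If that delegation is intended it should be documented on the macro, e.g. `// Holding a role delegates the right to grant and revoke it; the role's permissions are not re-validated here`. If only granting was meant to be delegated, revoke needs its own stricter condition, since one holder can now strip the role from another. `$method` is unused in the visible body, and the deny text would be more accurate as `"Can't grant or revoke role"`. The macro's name line and its invocations are outside the hunk.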
@@ -1204,49 +1106,73 @@ pub mod role { deny!( $executor, - ValidationFail::NotPermitted(format!( - "{permission:?}: Unknown permission permission" - )) + ValidationFail::NotPermitted(format!("{permission:?}: Unknown permission")) ); }; } - #[allow(clippy::needless_pass_by_value)] + /// Returns the trigger. + fn find_account_roles(account_id: AccountId) -> impl Iterator { + use iroha_smart_contract_utils::debug::DebugExpectExt as _; + + iroha_smart_contract::query(FindRolesByAccountId::new(account_id)) + .execute() + .dbg_expect("INTERNAL BUG: `FindRolesByAccountId` must never fail") + .map(|role| role.dbg_expect("Failed to get role from cursor")) + } pub fn visit_register_role( executor: &mut V, - _authority: &AccountId, + authority: &AccountId, isi: &Register, ) { - let role = isi.object().inner(); + /// Unify permissions inside a role and deduplicate them + /// + /// # Errors + /// + /// - if the role contains unknown permissions + fn validate(role: &Role) -> Result, alloc::vec::Vec<&Permission>> { + let mut new_role = Role::new(role.id().clone()); + let mut unknown_tokens = alloc::vec::Vec::new(); - // Unify permission tokens inside role and deduplicate them - let mut new_role = Role::new(role.id().clone()); - let mut unknown_tokens = alloc::vec::Vec::new(); - for permission in role.permissions() { - iroha_smart_contract::debug!(&format!("Checking `{permission:?}`")); + for permission in role.permissions() { + iroha_smart_contract::debug!(&format!("Checking `{permission:?}`")); - if let Ok(any_permission) = AnyPermission::try_from(permission) { - new_role = new_role.add_permission(any_permission); - continue; + if let Ok(any_permission) = AnyPermission::try_from(permission) { + new_role = new_role.add_permission(any_permission); + } else { + unknown_tokens.push(permission); + } } - unknown_tokens.push(permission); + if !unknown_tokens.is_empty() { + return Err(unknown_tokens); + } + + Ok(Register::role(new_role)) } - if !unknown_tokens.is_empty() { - deny!( - 
executor, - ValidationFail::NotPermitted(format!( - "{unknown_tokens:?}: Unrecognised permission tokens" - )) - ); + let isi = match validate(isi.object().inner()) { + Ok(isi) => isi, + Err(unknown_permissions) => { + deny!( + executor, + ValidationFail::NotPermitted(format!( + "{unknown_permissions:?}: Unrecognised permissions" + )) + ); + } + }; + + if is_genesis(executor) { + execute!(executor, isi); + } + if CanManageRoles.is_owned_by(authority) { + execute!(executor, isi); } - let isi = Register::role(new_role); - execute!(executor, isi); + deny!(executor, "Can't unregister role"); } - #[allow(clippy::needless_pass_by_value)] pub fn visit_unregister_role( executor: &mut V, authority: &AccountId, @@ -1255,7 +1181,7 @@ pub mod role { if is_genesis(executor) { execute!(executor, isi); } - if CanUnregisterAnyRole.is_owned_by(authority) { + if CanManageRoles.is_owned_by(authority) { execute!(executor, isi); } @@ -1297,17 +1223,14 @@ pub mod role { pub mod trigger { use iroha_executor_data_model::permission::trigger::{ - CanBurnUserTrigger, CanExecuteUserTrigger, CanMintUserTrigger, CanRegisterUserTrigger, - CanRemoveKeyValueInTrigger, CanSetKeyValueInTrigger, CanUnregisterUserTrigger, + CanExecuteTrigger, CanModifyTrigger, CanModifyTriggerMetadata, CanRegisterTrigger, + CanUnregisterTrigger, }; use iroha_smart_contract::data_model::trigger::Trigger; use super::*; use crate::permission::{ - accounts_permissions, - domain::is_domain_owner, - roles_permissions, - trigger::{find_trigger, is_trigger_owner}, + accounts_permissions, domain::is_domain_owner, roles_permissions, trigger::is_trigger_owner, }; pub fn visit_register_trigger( 
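Review bot: `visit_register_role` ends with `deny!(executor, "Can't unregister role");`, so a rejected registration reports the wrong operation; it should read `deny!(executor, "Can't register role");`. The doc comment on `find_account_roles` is `/// Returns the trigger.`, which does not describe it; `/// Returns the ids of the roles granted to the account.` matches the `FindRolesByAccountId` query it runs. That helper also handles a failed query with `dbg_expect`, which presumably panics, while the code removed in the `@@ -1129` hunk turned query errors into `deny!`; worth confirming that a panic is acceptable on the grant/revoke path.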
@@ -1325,8 +1248,8 @@ pub mod trigger { } } || { - let can_register_user_trigger_token = CanRegisterUserTrigger { - account: isi.object().action().authority().clone(), + let can_register_user_trigger_token = CanRegisterTrigger { + authority: isi.object().action().authority().clone(), }; can_register_user_trigger_token.is_owned_by(authority) } @@ -1349,12 +1272,8 @@ pub mod trigger { Ok(is_trigger_owner) => is_trigger_owner, } || { - let can_unregister_user_trigger_token = CanUnregisterUserTrigger { - account: find_trigger(trigger_id) - .unwrap() - .action() - .authority() - .clone(), + let can_unregister_user_trigger_token = CanUnregisterTrigger { + trigger: trigger_id.clone(), }; can_unregister_user_trigger_token.is_owned_by(authority) } @@ -1362,7 +1281,7 @@ pub mod trigger { use iroha_smart_contract::ExecuteOnHost as _; for (owner_id, permission) in accounts_permissions() { - if is_token_trigger_associated(&permission, trigger_id) { + if is_permission_trigger_associated(&permission, trigger_id) { let isi = Revoke::account_permission(permission, owner_id.clone()); if let Err(_err) = isi.execute() { deny!(executor, "Can't revoke associated permission"); @@ -1370,7 +1289,7 @@ pub mod trigger { } } for (role_id, permission) in roles_permissions() { - if is_token_trigger_associated(&permission, trigger_id) { + if is_permission_trigger_associated(&permission, trigger_id) { let isi = Revoke::role_permission(permission, role_id.clone()); if let Err(_err) = isi.execute() { deny!(executor, "Can't revoke associated permission"); @@ -1400,7 +1319,7 @@ pub mod trigger { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_mint_user_trigger_token = CanMintUserTrigger { + let can_mint_user_trigger_token = CanModifyTrigger { trigger: trigger_id.clone(), }; if can_mint_user_trigger_token.is_owned_by(authority) { 
@@ -1428,7 +1347,7 @@ pub mod trigger { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_mint_user_trigger_token = CanBurnUserTrigger { + let can_mint_user_trigger_token = CanModifyTrigger { trigger: trigger_id.clone(), }; if can_mint_user_trigger_token.is_owned_by(authority) { @@ -1456,7 +1375,7 @@ pub mod trigger { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_execute_trigger_token = CanExecuteUserTrigger { + let can_execute_trigger_token = CanExecuteTrigger { trigger: trigger_id.clone(), }; if can_execute_trigger_token.is_owned_by(authority) { @@ -1481,7 +1400,7 @@ pub mod trigger { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_set_key_value_in_user_trigger_token = CanSetKeyValueInTrigger { + let can_set_key_value_in_user_trigger_token = CanModifyTriggerMetadata { trigger: trigger_id.clone(), }; if can_set_key_value_in_user_trigger_token.is_owned_by(authority) { @@ -1509,7 +1428,7 @@ pub mod trigger { Ok(true) => execute!(executor, isi), Ok(false) => {} } - let can_remove_key_value_in_trigger_token = CanRemoveKeyValueInTrigger { + let can_remove_key_value_in_trigger_token = CanModifyTriggerMetadata { trigger: trigger_id.clone(), }; if can_remove_key_value_in_trigger_token.is_owned_by(authority) { 
@@ -1522,45 +1441,37 @@ pub mod trigger { ); } - fn is_token_trigger_associated(permission: &Permission, trigger_id: &TriggerId) -> bool { + fn is_permission_trigger_associated(permission: &Permission, trigger_id: &TriggerId) -> bool { let Ok(permission) = AnyPermission::try_from(permission) else { return false; }; match permission { - AnyPermission::CanExecuteUserTrigger(permission) => &permission.trigger == trigger_id, - AnyPermission::CanBurnUserTrigger(permission) => &permission.trigger == trigger_id, - AnyPermission::CanMintUserTrigger(permission) => &permission.trigger == trigger_id, - AnyPermission::CanSetKeyValueInTrigger(permission) => &permission.trigger == trigger_id, - AnyPermission::CanRemoveKeyValueInTrigger(permission) => { + AnyPermission::CanUnregisterTrigger(permission) => &permission.trigger == trigger_id, + AnyPermission::CanExecuteTrigger(permission) => &permission.trigger == trigger_id, + AnyPermission::CanModifyTrigger(permission) => &permission.trigger == trigger_id, + AnyPermission::CanModifyTriggerMetadata(permission) => { &permission.trigger == trigger_id } - AnyPermission::CanRegisterUserTrigger(_) - | AnyPermission::CanUnregisterUserTrigger(_) - | AnyPermission::CanUnregisterAnyPeer(_) + AnyPermission::CanRegisterTrigger(_) + | AnyPermission::CanManagePeers(_) + | AnyPermission::CanRegisterDomain(_) | AnyPermission::CanUnregisterDomain(_) - | AnyPermission::CanSetKeyValueInDomain(_) - | AnyPermission::CanRemoveKeyValueInDomain(_) - | AnyPermission::CanRegisterAccountInDomain(_) - | AnyPermission::CanRegisterAssetDefinitionInDomain(_) + | AnyPermission::CanModifyDomainMetadata(_) + | AnyPermission::CanRegisterAccount(_) + | AnyPermission::CanRegisterAssetDefinition(_) | AnyPermission::CanUnregisterAccount(_) - | AnyPermission::CanSetKeyValueInAccount(_) - | AnyPermission::CanRemoveKeyValueInAccount(_) + | AnyPermission::CanModifyAccountMetadata(_) | AnyPermission::CanUnregisterAssetDefinition(_) - | 
AnyPermission::CanSetKeyValueInAssetDefinition(_) - | AnyPermission::CanRemoveKeyValueInAssetDefinition(_) + | AnyPermission::CanModifyAssetDefinitionMetadata(_) | AnyPermission::CanRegisterAssetWithDefinition(_) | AnyPermission::CanUnregisterAssetWithDefinition(_) - | AnyPermission::CanUnregisterUserAsset(_) - | AnyPermission::CanBurnAssetWithDefinition(_) - | AnyPermission::CanBurnUserAsset(_) - | AnyPermission::CanMintAssetWithDefinition(_) - | AnyPermission::CanTransferAssetWithDefinition(_) - | AnyPermission::CanTransferUserAsset(_) - | AnyPermission::CanSetKeyValueInUserAsset(_) - | AnyPermission::CanRemoveKeyValueInUserAsset(_) - | AnyPermission::CanMintUserAsset(_) + | AnyPermission::CanRegisterAsset(_) + | AnyPermission::CanUnregisterAsset(_) + | AnyPermission::CanModifyAssetsWithDefinition(_) + | AnyPermission::CanModifyAssetMetadata(_) + | AnyPermission::CanModifyAsset(_) | AnyPermission::CanSetParameters(_) - | AnyPermission::CanUnregisterAnyRole(_) + | AnyPermission::CanManageRoles(_) | AnyPermission::CanUpgradeExecutor(_) => false, } } @@ -1630,7 +1541,6 @@ pub mod executor { use super::*; - #[allow(clippy::needless_pass_by_value)] pub fn visit_upgrade( executor: &mut V, authority: &AccountId, diff --git a/crates/iroha_executor/src/permission.rs b/crates/iroha_executor/src/permission.rs index 64f663bcb57..b6371f27ed0 100644 --- a/crates/iroha_executor/src/permission.rs +++ b/crates/iroha_executor/src/permission.rs 
@@ -84,44 +84,36 @@ macro_rules! declare_permissions { } declare_permissions! { - iroha_executor_data_model::permission::peer::{CanUnregisterAnyPeer}, + iroha_executor_data_model::permission::peer::{CanManagePeers}, + iroha_executor_data_model::permission::domain::{CanRegisterDomain}, iroha_executor_data_model::permission::domain::{CanUnregisterDomain}, - iroha_executor_data_model::permission::domain::{CanSetKeyValueInDomain}, - iroha_executor_data_model::permission::domain::{CanRemoveKeyValueInDomain}, - iroha_executor_data_model::permission::domain::{CanRegisterAccountInDomain}, - iroha_executor_data_model::permission::domain::{CanRegisterAssetDefinitionInDomain}, + iroha_executor_data_model::permission::domain::{CanModifyDomainMetadata}, + iroha_executor_data_model::permission::account::{CanRegisterAccount}, iroha_executor_data_model::permission::account::{CanUnregisterAccount}, - iroha_executor_data_model::permission::account::{CanSetKeyValueInAccount}, - iroha_executor_data_model::permission::account::{CanRemoveKeyValueInAccount}, + iroha_executor_data_model::permission::account::{CanModifyAccountMetadata}, + iroha_executor_data_model::permission::asset_definition::{CanRegisterAssetDefinition}, iroha_executor_data_model::permission::asset_definition::{CanUnregisterAssetDefinition}, - iroha_executor_data_model::permission::asset_definition::{CanSetKeyValueInAssetDefinition}, - iroha_executor_data_model::permission::asset_definition::{CanRemoveKeyValueInAssetDefinition}, + iroha_executor_data_model::permission::asset_definition::{CanModifyAssetDefinitionMetadata}, iroha_executor_data_model::permission::asset::{CanRegisterAssetWithDefinition}, iroha_executor_data_model::permission::asset::{CanUnregisterAssetWithDefinition}, - iroha_executor_data_model::permission::asset::{CanUnregisterUserAsset}, - iroha_executor_data_model::permission::asset::{CanBurnAssetWithDefinition}, - iroha_executor_data_model::permission::asset::{CanMintAssetWithDefinition}, - 
iroha_executor_data_model::permission::asset::{CanMintUserAsset}, - iroha_executor_data_model::permission::asset::{CanBurnUserAsset}, - iroha_executor_data_model::permission::asset::{CanTransferAssetWithDefinition}, - iroha_executor_data_model::permission::asset::{CanTransferUserAsset}, - iroha_executor_data_model::permission::asset::{CanSetKeyValueInUserAsset}, - iroha_executor_data_model::permission::asset::{CanRemoveKeyValueInUserAsset}, + iroha_executor_data_model::permission::asset::{CanModifyAssetsWithDefinition}, + iroha_executor_data_model::permission::asset::{CanRegisterAsset}, + iroha_executor_data_model::permission::asset::{CanUnregisterAsset}, + iroha_executor_data_model::permission::asset::{CanModifyAsset}, + iroha_executor_data_model::permission::asset::{CanModifyAssetMetadata}, iroha_executor_data_model::permission::parameter::{CanSetParameters}, - iroha_executor_data_model::permission::role::{CanUnregisterAnyRole}, + iroha_executor_data_model::permission::role::{CanManageRoles}, - iroha_executor_data_model::permission::trigger::{CanRegisterUserTrigger}, - iroha_executor_data_model::permission::trigger::{CanExecuteUserTrigger}, - iroha_executor_data_model::permission::trigger::{CanUnregisterUserTrigger}, - iroha_executor_data_model::permission::trigger::{CanMintUserTrigger}, - iroha_executor_data_model::permission::trigger::{CanBurnUserTrigger}, - iroha_executor_data_model::permission::trigger::{CanSetKeyValueInTrigger}, - iroha_executor_data_model::permission::trigger::{CanRemoveKeyValueInTrigger}, + iroha_executor_data_model::permission::trigger::{CanRegisterTrigger}, + iroha_executor_data_model::permission::trigger::{CanUnregisterTrigger}, + iroha_executor_data_model::permission::trigger::{CanModifyTrigger}, + iroha_executor_data_model::permission::trigger::{CanExecuteTrigger}, + iroha_executor_data_model::permission::trigger::{CanModifyTriggerMetadata}, iroha_executor_data_model::permission::executor::{CanUpgradeExecutor}, } 
@@ -177,11 +169,11 @@ mod executor { } mod peer { - use iroha_executor_data_model::permission::peer::CanUnregisterAnyPeer; + use iroha_executor_data_model::permission::peer::CanManagePeers; use super::*; - impl ValidateGrantRevoke for CanUnregisterAnyPeer { + impl ValidateGrantRevoke for CanManagePeers { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { OnlyGenesis::from(self).validate(authority, block_height) } @@ -192,11 +184,11 @@ mod peer { } mod role { - use iroha_executor_data_model::permission::role::CanUnregisterAnyRole; + use iroha_executor_data_model::permission::role::CanManageRoles; use super::*; - impl ValidateGrantRevoke for CanUnregisterAnyRole { + impl ValidateGrantRevoke for CanManageRoles { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { OnlyGenesis::from(self).validate(authority, block_height) } @@ -241,10 +233,8 @@ pub mod asset { //! Module with pass conditions for asset related tokens use iroha_executor_data_model::permission::asset::{ - CanBurnAssetWithDefinition, CanBurnUserAsset, CanMintAssetWithDefinition, CanMintUserAsset, - CanRegisterAssetWithDefinition, CanRemoveKeyValueInUserAsset, CanSetKeyValueInUserAsset, - CanTransferAssetWithDefinition, CanTransferUserAsset, CanUnregisterAssetWithDefinition, - CanUnregisterUserAsset, + CanModifyAsset, CanModifyAssetMetadata, CanModifyAssetsWithDefinition, CanRegisterAsset, + CanRegisterAssetWithDefinition, CanUnregisterAsset, CanUnregisterAssetWithDefinition, }; use super::*; @@ -299,7 +289,7 @@ pub mod asset { } } - impl ValidateGrantRevoke for CanBurnAssetWithDefinition { + impl ValidateGrantRevoke for CanModifyAssetsWithDefinition { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { super::asset_definition::Owner::from(self).validate(authority, block_height) } 
@@ -308,34 +298,16 @@ pub mod asset { } } - impl ValidateGrantRevoke for CanMintAssetWithDefinition { + impl ValidateGrantRevoke for CanRegisterAsset { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - super::asset_definition::Owner::from(self).validate(authority, block_height) - } - fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - super::asset_definition::Owner::from(self).validate(authority, block_height) - } - } - - impl ValidateGrantRevoke for CanTransferAssetWithDefinition { - fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - super::asset_definition::Owner::from(self).validate(authority, block_height) - } - fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - super::asset_definition::Owner::from(self).validate(authority, block_height) - } - } - - impl ValidateGrantRevoke for CanUnregisterUserAsset { - fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) + super::account::Owner::from(self).validate(authority, block_height) } fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) + super::account::Owner::from(self).validate(authority, block_height) } } - impl ValidateGrantRevoke for CanMintUserAsset { + impl ValidateGrantRevoke for CanUnregisterAsset { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } @@ -344,7 +316,7 @@ pub mod asset { } } - impl ValidateGrantRevoke for CanBurnUserAsset { + impl ValidateGrantRevoke for CanModifyAsset { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } 
@@ -353,7 +325,7 @@ pub mod asset { } } - impl ValidateGrantRevoke for CanTransferUserAsset { + impl ValidateGrantRevoke for CanModifyAssetMetadata { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } @@ -362,20 +334,11 @@ pub mod asset { } } - impl ValidateGrantRevoke for CanSetKeyValueInUserAsset { - fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) - } - fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) - } - } - impl ValidateGrantRevoke for CanRemoveKeyValueInUserAsset { - fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) - } - fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) + impl<'t> From<&'t CanRegisterAsset> for super::account::Owner<'t> { + fn from(value: &'t CanRegisterAsset) -> Self { + Self { + account: &value.owner, + } } } @@ -389,22 +352,14 @@ pub mod asset { }; } - impl_froms!( - CanUnregisterUserAsset, - CanMintUserAsset, - CanBurnUserAsset, - CanTransferUserAsset, - CanSetKeyValueInUserAsset, - CanRemoveKeyValueInUserAsset, - ); + impl_froms!(CanUnregisterAsset, CanModifyAsset, CanModifyAssetMetadata,); } pub mod asset_definition { //! Module with pass conditions for asset definition related tokens use iroha_executor_data_model::permission::asset_definition::{ - CanRemoveKeyValueInAssetDefinition, CanSetKeyValueInAssetDefinition, - CanUnregisterAssetDefinition, + CanModifyAssetDefinitionMetadata, CanRegisterAssetDefinition, CanUnregisterAssetDefinition, }; use iroha_smart_contract::data_model::{ isi::error::InstructionExecutionError, 
@@ -468,16 +423,16 @@ pub mod asset_definition { } } - impl ValidateGrantRevoke for CanUnregisterAssetDefinition { + impl ValidateGrantRevoke for CanRegisterAssetDefinition { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) + super::domain::Owner::from(self).validate(authority, block_height) } fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) + super::domain::Owner::from(self).validate(authority, block_height) } } - impl ValidateGrantRevoke for CanSetKeyValueInAssetDefinition { + impl ValidateGrantRevoke for CanUnregisterAssetDefinition { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } @@ -486,7 +441,7 @@ pub mod asset_definition { } } - impl ValidateGrantRevoke for CanRemoveKeyValueInAssetDefinition { + impl ValidateGrantRevoke for CanModifyAssetDefinitionMetadata { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } @@ -507,13 +462,10 @@ pub mod asset_definition { impl_froms!( CanUnregisterAssetDefinition, - CanSetKeyValueInAssetDefinition, - CanRemoveKeyValueInAssetDefinition, + CanModifyAssetDefinitionMetadata, iroha_executor_data_model::permission::asset::CanRegisterAssetWithDefinition, iroha_executor_data_model::permission::asset::CanUnregisterAssetWithDefinition, - iroha_executor_data_model::permission::asset::CanBurnAssetWithDefinition, - iroha_executor_data_model::permission::asset::CanMintAssetWithDefinition, - iroha_executor_data_model::permission::asset::CanTransferAssetWithDefinition, + iroha_executor_data_model::permission::asset::CanModifyAssetsWithDefinition, ); } 
@@ -521,7 +473,7 @@ pub mod account { //! Module with pass conditions for asset related tokens use iroha_executor_data_model::permission::account::{ - CanRemoveKeyValueInAccount, CanSetKeyValueInAccount, CanUnregisterAccount, + CanModifyAccountMetadata, CanRegisterAccount, CanUnregisterAccount, }; use super::*; @@ -562,16 +514,16 @@ pub mod account { } } - impl ValidateGrantRevoke for CanUnregisterAccount { + impl ValidateGrantRevoke for CanRegisterAccount { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) + super::domain::Owner::from(self).validate(authority, block_height) } fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) + super::domain::Owner::from(self).validate(authority, block_height) } } - impl ValidateGrantRevoke for CanSetKeyValueInAccount { + impl ValidateGrantRevoke for CanUnregisterAccount { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } @@ -580,7 +532,7 @@ pub mod account { } } - impl ValidateGrantRevoke for CanRemoveKeyValueInAccount { + impl ValidateGrantRevoke for CanModifyAccountMetadata { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } 
@@ -599,20 +551,14 @@ pub mod account { }; } - impl_froms!( - CanUnregisterAccount, - CanSetKeyValueInAccount, - CanRemoveKeyValueInAccount, - iroha_executor_data_model::permission::trigger::CanRegisterUserTrigger, - iroha_executor_data_model::permission::trigger::CanUnregisterUserTrigger, - ); + impl_froms!(CanUnregisterAccount, CanModifyAccountMetadata,); } pub mod trigger { //! Module with pass conditions for trigger related tokens use iroha_executor_data_model::permission::trigger::{ - CanBurnUserTrigger, CanExecuteUserTrigger, CanMintUserTrigger, CanRegisterUserTrigger, - CanRemoveKeyValueInTrigger, CanSetKeyValueInTrigger, CanUnregisterUserTrigger, + CanExecuteTrigger, CanModifyTrigger, CanModifyTriggerMetadata, CanRegisterTrigger, + CanUnregisterTrigger, }; use super::*; @@ -640,7 +586,7 @@ pub mod trigger { || is_domain_owner(trigger.action().authority().domain(), authority)?) } /// Returns the trigger. - pub(crate) fn find_trigger(trigger_id: &TriggerId) -> Result { + fn find_trigger(trigger_id: &TriggerId) -> Result { query(FindTriggers::new()) .filter_with(|trigger| trigger.id.eq(trigger_id.clone())) .execute_single() @@ -672,7 +618,7 @@ pub mod trigger { } } - impl ValidateGrantRevoke for CanRegisterUserTrigger { + impl ValidateGrantRevoke for CanRegisterTrigger { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { super::account::Owner::from(self).validate(authority, block_height) } @@ -681,7 +627,7 @@ pub mod trigger { } } - impl ValidateGrantRevoke for CanExecuteUserTrigger { + impl ValidateGrantRevoke for CanExecuteTrigger { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } 
@@ -690,16 +636,7 @@ pub mod trigger { } } - impl ValidateGrantRevoke for CanUnregisterUserTrigger { - fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - super::account::Owner::from(self).validate(authority, block_height) - } - fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - super::account::Owner::from(self).validate(authority, block_height) - } - } - - impl ValidateGrantRevoke for CanMintUserTrigger { + impl ValidateGrantRevoke for CanUnregisterTrigger { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } @@ -708,7 +645,7 @@ pub mod trigger { } } - impl ValidateGrantRevoke for CanBurnUserTrigger { + impl ValidateGrantRevoke for CanModifyTrigger { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } @@ -716,7 +653,8 @@ pub mod trigger { Owner::from(self).validate(authority, block_height) } } - impl ValidateGrantRevoke for CanSetKeyValueInTrigger { + + impl ValidateGrantRevoke for CanModifyTriggerMetadata { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } @@ -725,12 +663,11 @@ pub mod trigger { } } - impl ValidateGrantRevoke for CanRemoveKeyValueInTrigger { - fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) - } - fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) + impl<'t> From<&'t CanRegisterTrigger> for super::account::Owner<'t> { + fn from(value: &'t CanRegisterTrigger) -> Self { + Self { + account: &value.authority, + } } } 
@@ -745,19 +682,17 @@ pub mod trigger { } impl_froms!( - CanMintUserTrigger, - CanBurnUserTrigger, - CanExecuteUserTrigger, - CanSetKeyValueInTrigger, - CanRemoveKeyValueInTrigger, + CanUnregisterTrigger, + CanModifyTrigger, + CanExecuteTrigger, + CanModifyTriggerMetadata, ); } pub mod domain { //! Module with pass conditions for domain related tokens use iroha_executor_data_model::permission::domain::{ - CanRegisterAccountInDomain, CanRegisterAssetDefinitionInDomain, CanRemoveKeyValueInDomain, - CanSetKeyValueInDomain, CanUnregisterDomain, + CanModifyDomainMetadata, CanRegisterDomain, CanUnregisterDomain, }; use iroha_smart_contract::data_model::{ isi::error::InstructionExecutionError, 
@@ -809,34 +744,16 @@ pub mod domain { } } - impl ValidateGrantRevoke for CanUnregisterDomain { + impl ValidateGrantRevoke for CanRegisterDomain { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) - } - fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) - } - } - - impl ValidateGrantRevoke for CanSetKeyValueInDomain { - fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) - } - fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) - } - } - - impl ValidateGrantRevoke for CanRemoveKeyValueInDomain { - fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) + OnlyGenesis::from(self).validate(authority, block_height) } fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) + OnlyGenesis::from(self).validate(authority, block_height) } } - impl ValidateGrantRevoke for CanRegisterAccountInDomain { + impl ValidateGrantRevoke for CanUnregisterDomain { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } @@ -845,7 +762,7 @@ pub mod domain { } } - impl ValidateGrantRevoke for CanRegisterAssetDefinitionInDomain { + impl ValidateGrantRevoke for CanModifyDomainMetadata { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } 
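Review bot: `validate_revoke` for `CanRegisterDomain` in the first hunk on this line is gated on `OnlyGenesis`, the same condition as `validate_grant`. `OnlyGenesis` is defined outside this hunk; if it passes only while the genesis block is being applied, a grant made in genesis cannot be withdrawn through this path afterwards, for example when the holder's key is compromised. If that is intended, say so above the impl, e.g. `// Grant and revoke are genesis-only; there is no post-genesis revocation path for this permission.`; otherwise revoke needs a condition that can hold after genesis. The enclosing `mod domain` starts and ends outside the hunk.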
@@ -866,10 +783,9 @@ pub mod domain { impl_froms!( CanUnregisterDomain, - CanSetKeyValueInDomain, - CanRemoveKeyValueInDomain, - CanRegisterAccountInDomain, - CanRegisterAssetDefinitionInDomain, + CanModifyDomainMetadata, + iroha_executor_data_model::permission::account::CanRegisterAccount, + iroha_executor_data_model::permission::asset_definition::CanRegisterAssetDefinition, ); } diff --git a/crates/iroha_executor_data_model/src/permission.rs b/crates/iroha_executor_data_model/src/permission.rs index 64b2f97dde9..7c100eb9824 100644 --- a/crates/iroha_executor_data_model/src/permission.rs +++ b/crates/iroha_executor_data_model/src/permission.rs @@ -37,7 +37,7 @@ pub mod peer { permission! { #[derive(Copy)] - pub struct CanUnregisterAnyPeer; + pub struct CanManagePeers; } } @@ -45,31 +45,18 @@ pub mod domain { use super::*; permission! { - pub struct CanUnregisterDomain { - pub domain: DomainId, - } - } - - permission! { - pub struct CanSetKeyValueInDomain { - pub domain: DomainId, - } - } - - permission! { - pub struct CanRemoveKeyValueInDomain { - pub domain: DomainId, - } + #[derive(Copy)] + pub struct CanRegisterDomain; } permission! { - pub struct CanRegisterAccountInDomain { + pub struct CanUnregisterDomain { pub domain: DomainId, } } permission! { - pub struct CanRegisterAssetDefinitionInDomain { + pub struct CanModifyDomainMetadata { pub domain: DomainId, } } @@ -79,19 +66,19 @@ pub mod asset_definition { use super::*; permission! { - pub struct CanUnregisterAssetDefinition { - pub asset_definition: AssetDefinitionId, + pub struct CanRegisterAssetDefinition { + pub domain: DomainId, } } permission! { - pub struct CanSetKeyValueInAssetDefinition { + pub struct CanUnregisterAssetDefinition { pub asset_definition: AssetDefinitionId, } } permission! { - pub struct CanRemoveKeyValueInAssetDefinition { + pub struct CanModifyAssetDefinitionMetadata { pub asset_definition: AssetDefinitionId, } } 
@@ -101,17 +88,18 @@ pub mod account { use super::*; permission! { - pub struct CanUnregisterAccount { - pub account: AccountId, + pub struct CanRegisterAccount { + pub domain: DomainId, } } + permission! { - pub struct CanSetKeyValueInAccount { + pub struct CanUnregisterAccount { pub account: AccountId, } } permission! { - pub struct CanRemoveKeyValueInAccount { + pub struct CanModifyAccountMetadata { pub account: AccountId, } } 
@@ -133,121 +121,85 @@ pub mod asset { } permission! { - pub struct CanUnregisterUserAsset { - pub asset: AssetId, - } - } - - permission! { - pub struct CanBurnAssetWithDefinition { - pub asset_definition: AssetDefinitionId, - } - } - - permission! { - pub struct CanBurnUserAsset { - pub asset: AssetId, - } - } - - permission! { - pub struct CanMintAssetWithDefinition { + pub struct CanModifyAssetsWithDefinition { pub asset_definition: AssetDefinitionId, } } permission! { - pub struct CanMintUserAsset { - pub asset: AssetId, - } - } - - permission! { - pub struct CanTransferAssetWithDefinition { - pub asset_definition: AssetDefinitionId, + pub struct CanRegisterAsset { + pub owner: AccountId, } } permission! { - pub struct CanTransferUserAsset { + pub struct CanUnregisterAsset { pub asset: AssetId, } } permission! { - pub struct CanSetKeyValueInUserAsset { + pub struct CanModifyAsset { pub asset: AssetId, } } permission! { - pub struct CanRemoveKeyValueInUserAsset { + pub struct CanModifyAssetMetadata { pub asset: AssetId, } } } -pub mod parameter { - use super::*; - - permission! { - #[derive(Copy)] - pub struct CanSetParameters; - } -} - -pub mod role { - use super::*; - - permission! { - #[derive(Copy)] - pub struct CanUnregisterAnyRole; - } -} - pub mod trigger { use super::*; permission! { - pub struct CanRegisterUserTrigger { - pub account: AccountId, + pub struct CanRegisterTrigger { + pub authority: AccountId, } } permission! { - pub struct CanExecuteUserTrigger { + pub struct CanUnregisterTrigger { pub trigger: TriggerId, } } permission! { - pub struct CanUnregisterUserTrigger { - pub account: AccountId, + pub struct CanModifyTrigger { + pub trigger: TriggerId, } } permission! { - pub struct CanMintUserTrigger { + pub struct CanExecuteTrigger { pub trigger: TriggerId, } } permission! { - pub struct CanBurnUserTrigger { + pub struct CanModifyTriggerMetadata { pub trigger: TriggerId, } } +} + +pub mod parameter { + use super::*; permission! 
{ - pub struct CanSetKeyValueInTrigger { - pub trigger: TriggerId, - } + #[derive(Copy)] + pub struct CanSetParameters; } +} + +pub mod role { + use super::*; permission! { - pub struct CanRemoveKeyValueInTrigger { - pub trigger: TriggerId, - } + #[derive(Copy)] + pub struct CanManageRoles; } } diff --git a/crates/iroha_kagami/src/genesis/generate.rs b/crates/iroha_kagami/src/genesis/generate.rs index 3bc572f78b7..54edb6e4a7b 100644 --- a/crates/iroha_kagami/src/genesis/generate.rs +++ b/crates/iroha_kagami/src/genesis/generate.rs @@ -7,8 +7,7 @@ use clap::{Parser, Subcommand}; use color_eyre::eyre::WrapErr as _; use iroha_data_model::{isi::InstructionBox, parameter::Parameters, prelude::*}; use iroha_executor_data_model::permission::{ - account::{CanRemoveKeyValueInAccount, CanSetKeyValueInAccount}, - parameter::CanSetParameters, + domain::CanRegisterDomain, parameter::CanSetParameters, }; use iroha_genesis::{GenesisBuilder, RawGenesisTransaction, GENESIS_DOMAIN_ID}; use iroha_test_samples::{gen_account_in, ALICE_ID, BOB_ID, CARPENTER_ID}; @@ -117,6 +116,8 @@ pub fn generate_default( ); let grant_permission_to_set_parameters = Grant::account_permission(CanSetParameters, ALICE_ID.clone()); + let grant_permission_to_register_domains = + Grant::account_permission(CanRegisterDomain, ALICE_ID.clone()); let transfer_rose_ownership = Transfer::asset_definition( genesis_account_id.clone(), "rose#wonderland".parse()?, @@ -127,16 +128,6 @@ pub fn generate_default( "wonderland".parse()?, ALICE_ID.clone(), ); - let register_user_metadata_access: InstructionBox = Register::role( - Role::new("ALICE_METADATA_ACCESS".parse()?) - .add_permission(CanSetKeyValueInAccount { - account: ALICE_ID.clone(), - }) - .add_permission(CanRemoveKeyValueInAccount { - account: ALICE_ID.clone(), - }), - ) - .into(); let parameters = Parameters::default(); let parameters = parameters.parameters(); 
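Review bot: The permission types in the `permission.rs` hunk that ends on this line change both their names and, for `CanRegisterTrigger`, the payload field (`account` becomes `authority`), and nothing in the visible hunks converts grants recorded under the old identifiers. The `defaults/genesis.json` hunk shows permissions serialized as a `name` plus `payload` pair, so a grant stored as, say, `CanRegisterUserTrigger` would presumably stop matching any known type after an in-place executor upgrade. Whether a grant that no longer decodes is rejected or silently ignored is decided outside this diff and is worth checking. A migration step, or a line in the commit description saying that existing grants must be reissued, would make the upgrade behaviour explicit.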
@@ -145,16 +136,16 @@ pub fn generate_default( builder = builder.append_parameter(parameter); } - for isi in [ + let instructions: [InstructionBox; 6] = [ mint.into(), mint_cabbage.into(), transfer_rose_ownership.into(), transfer_wonderland_ownership.into(), grant_permission_to_set_parameters.into(), - ] - .into_iter() - .chain(std::iter::once(register_user_metadata_access)) - { + grant_permission_to_register_domains.into(), + ]; + + for isi in instructions { builder = builder.append_instruction(isi); } diff --git a/crates/iroha_schema_gen/src/lib.rs b/crates/iroha_schema_gen/src/lib.rs index 91b450e1316..1be226e3132 100644 --- a/crates/iroha_schema_gen/src/lib.rs +++ b/crates/iroha_schema_gen/src/lib.rs 
@@ -64,38 +64,29 @@ pub fn build_schemas() -> MetaMap { MerkleTree, // Default permissions - permission::peer::CanUnregisterAnyPeer, + permission::peer::CanManagePeers, permission::domain::CanUnregisterDomain, - permission::domain::CanSetKeyValueInDomain, - permission::domain::CanRemoveKeyValueInDomain, - permission::domain::CanRegisterAccountInDomain, - permission::domain::CanRegisterAssetDefinitionInDomain, + permission::domain::CanModifyDomainMetadata, + permission::account::CanRegisterAccount, permission::account::CanUnregisterAccount, - permission::account::CanSetKeyValueInAccount, - permission::account::CanRemoveKeyValueInAccount, + permission::account::CanModifyAccountMetadata, + permission::asset_definition::CanRegisterAssetDefinition, permission::asset_definition::CanUnregisterAssetDefinition, - permission::asset_definition::CanSetKeyValueInAssetDefinition, - permission::asset_definition::CanRemoveKeyValueInAssetDefinition, + permission::asset_definition::CanModifyAssetDefinitionMetadata, permission::asset::CanRegisterAssetWithDefinition, permission::asset::CanUnregisterAssetWithDefinition, - permission::asset::CanUnregisterUserAsset, - permission::asset::CanBurnAssetWithDefinition, - permission::asset::CanMintAssetWithDefinition, - permission::asset::CanMintUserAsset, - permission::asset::CanBurnUserAsset, - permission::asset::CanTransferAssetWithDefinition, - permission::asset::CanTransferUserAsset, - permission::asset::CanSetKeyValueInUserAsset, - permission::asset::CanRemoveKeyValueInUserAsset, + permission::asset::CanModifyAssetsWithDefinition, + permission::asset::CanRegisterAsset, + permission::asset::CanUnregisterAsset, + permission::asset::CanModifyAsset, + permission::asset::CanModifyAssetMetadata, permission::parameter::CanSetParameters, - permission::role::CanUnregisterAnyRole, - permission::trigger::CanRegisterUserTrigger, - permission::trigger::CanExecuteUserTrigger, - permission::trigger::CanUnregisterUserTrigger, - 
permission::trigger::CanMintUserTrigger, - permission::trigger::CanBurnUserTrigger, - permission::trigger::CanSetKeyValueInTrigger, - permission::trigger::CanRemoveKeyValueInTrigger, + permission::role::CanManageRoles, + permission::trigger::CanRegisterTrigger, + permission::trigger::CanExecuteTrigger, + permission::trigger::CanUnregisterTrigger, + permission::trigger::CanModifyTrigger, + permission::trigger::CanModifyTriggerMetadata, permission::executor::CanUpgradeExecutor, // Genesis file - used by SDKs to generate the genesis block 
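Review bot: `permission::domain::CanRegisterDomain` is missing from the default-permissions list in this hunk, although the same commit defines it in `iroha_executor_data_model` and grants it in `defaults/genesis.json`. The `insert_into_test_map!` list in the `mod tests` hunk of this file and the `schema.json` hunks omit it as well, so SDKs generated from the schema would presumably have no type for a permission the default genesis uses. Unless the omission is deliberate, add `permission::domain::CanRegisterDomain,` next to `permission::domain::CanUnregisterDomain,`, add the matching `insert_into_test_map!` line, and regenerate the schema.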
@@ -594,75 +585,44 @@ mod tests { insert_into_test_map!(Compact); insert_into_test_map!(Compact); - insert_into_test_map!(iroha_executor_data_model::permission::peer::CanUnregisterAnyPeer); + insert_into_test_map!(iroha_executor_data_model::permission::peer::CanManagePeers); insert_into_test_map!(iroha_executor_data_model::permission::domain::CanUnregisterDomain); insert_into_test_map!( - iroha_executor_data_model::permission::domain::CanSetKeyValueInDomain - ); - insert_into_test_map!( - iroha_executor_data_model::permission::domain::CanRemoveKeyValueInDomain - ); - insert_into_test_map!( - iroha_executor_data_model::permission::domain::CanRegisterAccountInDomain - ); - insert_into_test_map!( - iroha_executor_data_model::permission::domain::CanRegisterAssetDefinitionInDomain + iroha_executor_data_model::permission::domain::CanModifyDomainMetadata ); + insert_into_test_map!(iroha_executor_data_model::permission::account::CanRegisterAccount); insert_into_test_map!(iroha_executor_data_model::permission::account::CanUnregisterAccount); insert_into_test_map!( - iroha_executor_data_model::permission::account::CanSetKeyValueInAccount + iroha_executor_data_model::permission::account::CanModifyAccountMetadata ); insert_into_test_map!( - iroha_executor_data_model::permission::account::CanRemoveKeyValueInAccount + iroha_executor_data_model::permission::asset_definition::CanRegisterAssetDefinition ); insert_into_test_map!( iroha_executor_data_model::permission::asset_definition::CanUnregisterAssetDefinition ); - insert_into_test_map!(iroha_executor_data_model::permission::asset_definition::CanSetKeyValueInAssetDefinition); - insert_into_test_map!(iroha_executor_data_model::permission::asset_definition::CanRemoveKeyValueInAssetDefinition); + insert_into_test_map!(iroha_executor_data_model::permission::asset_definition::CanModifyAssetDefinitionMetadata); insert_into_test_map!( iroha_executor_data_model::permission::asset::CanRegisterAssetWithDefinition ); insert_into_test_map!( 
iroha_executor_data_model::permission::asset::CanUnregisterAssetWithDefinition ); - insert_into_test_map!(iroha_executor_data_model::permission::asset::CanUnregisterUserAsset); - insert_into_test_map!( - iroha_executor_data_model::permission::asset::CanBurnAssetWithDefinition - ); - insert_into_test_map!( - iroha_executor_data_model::permission::asset::CanMintAssetWithDefinition - ); - insert_into_test_map!(iroha_executor_data_model::permission::asset::CanMintUserAsset); - insert_into_test_map!(iroha_executor_data_model::permission::asset::CanBurnUserAsset); - insert_into_test_map!( - iroha_executor_data_model::permission::asset::CanTransferAssetWithDefinition - ); - insert_into_test_map!(iroha_executor_data_model::permission::asset::CanTransferUserAsset); - insert_into_test_map!( - iroha_executor_data_model::permission::asset::CanSetKeyValueInUserAsset - ); insert_into_test_map!( - iroha_executor_data_model::permission::asset::CanRemoveKeyValueInUserAsset + iroha_executor_data_model::permission::asset::CanModifyAssetsWithDefinition ); + insert_into_test_map!(iroha_executor_data_model::permission::asset::CanRegisterAsset); + insert_into_test_map!(iroha_executor_data_model::permission::asset::CanUnregisterAsset); + insert_into_test_map!(iroha_executor_data_model::permission::asset::CanModifyAsset); + insert_into_test_map!(iroha_executor_data_model::permission::asset::CanModifyAssetMetadata); insert_into_test_map!(iroha_executor_data_model::permission::parameter::CanSetParameters); - insert_into_test_map!(iroha_executor_data_model::permission::role::CanUnregisterAnyRole); - insert_into_test_map!( - iroha_executor_data_model::permission::trigger::CanRegisterUserTrigger - ); - insert_into_test_map!( - iroha_executor_data_model::permission::trigger::CanExecuteUserTrigger - ); - insert_into_test_map!( - iroha_executor_data_model::permission::trigger::CanUnregisterUserTrigger - ); - insert_into_test_map!(iroha_executor_data_model::permission::trigger::CanMintUserTrigger); 
- insert_into_test_map!(iroha_executor_data_model::permission::trigger::CanBurnUserTrigger); - insert_into_test_map!( - iroha_executor_data_model::permission::trigger::CanSetKeyValueInTrigger - ); + insert_into_test_map!(iroha_executor_data_model::permission::role::CanManageRoles); + insert_into_test_map!(iroha_executor_data_model::permission::trigger::CanRegisterTrigger); + insert_into_test_map!(iroha_executor_data_model::permission::trigger::CanExecuteTrigger); + insert_into_test_map!(iroha_executor_data_model::permission::trigger::CanUnregisterTrigger); + insert_into_test_map!(iroha_executor_data_model::permission::trigger::CanModifyTrigger); insert_into_test_map!( - iroha_executor_data_model::permission::trigger::CanRemoveKeyValueInTrigger + iroha_executor_data_model::permission::trigger::CanModifyTriggerMetadata ); insert_into_test_map!(iroha_executor_data_model::permission::executor::CanUpgradeExecutor); diff --git a/crates/iroha_test_network/src/lib.rs b/crates/iroha_test_network/src/lib.rs index 3720fbc621b..8c435a49d7f 100644 --- a/crates/iroha_test_network/src/lib.rs +++ b/crates/iroha_test_network/src/lib.rs @@ -14,11 +14,8 @@ pub use iroha_core::state::StateReadOnly; use iroha_crypto::{ExposedPrivateKey, KeyPair}; use iroha_data_model::{asset::AssetDefinitionId, isi::InstructionBox, ChainId}; use iroha_executor_data_model::permission::{ - asset::{CanBurnAssetWithDefinition, CanMintAssetWithDefinition}, - domain::CanUnregisterDomain, - executor::CanUpgradeExecutor, - peer::CanUnregisterAnyPeer, - role::CanUnregisterAnyRole, + asset::CanModifyAssetsWithDefinition, domain::CanUnregisterDomain, + executor::CanUpgradeExecutor, peer::CanManagePeers, role::CanManageRoles, }; use iroha_futures::supervisor::ShutdownSignal; use iroha_genesis::{GenesisBlock, RawGenesisTransaction}; 
@@ -99,22 +96,16 @@ impl TestGenesis for GenesisBlock { let rose_definition_id = "rose#wonderland".parse::().unwrap(); - let grant_mint_rose_permission = Grant::account_permission( - CanMintAssetWithDefinition { + let grant_modify_rose_permission = Grant::account_permission( + CanModifyAssetsWithDefinition { asset_definition: rose_definition_id.clone(), }, ALICE_ID.clone(), ); - let grant_burn_rose_permission = Grant::account_permission( - CanBurnAssetWithDefinition { - asset_definition: rose_definition_id, - }, - ALICE_ID.clone(), - ); - let grant_unregister_any_peer_permission = - Grant::account_permission(CanUnregisterAnyPeer, ALICE_ID.clone()); - let grant_unregister_any_role_permission = - Grant::account_permission(CanUnregisterAnyRole, ALICE_ID.clone()); + let grant_manage_peers_permission = + Grant::account_permission(CanManagePeers, ALICE_ID.clone()); + let grant_manage_roles_permission = + Grant::account_permission(CanManageRoles, ALICE_ID.clone()); let grant_unregister_wonderland_domain = Grant::account_permission( CanUnregisterDomain { domain: "wonderland".parse().unwrap(), @@ -124,10 +115,9 @@ impl TestGenesis for GenesisBlock { let grant_upgrade_executor_permission = Grant::account_permission(CanUpgradeExecutor, ALICE_ID.clone()); for isi in [ - grant_mint_rose_permission, - grant_burn_rose_permission, - grant_unregister_any_peer_permission, - grant_unregister_any_role_permission, + grant_modify_rose_permission, + grant_manage_peers_permission, + grant_manage_roles_permission, grant_unregister_wonderland_domain, grant_upgrade_executor_permission, ] { diff --git a/defaults/genesis.json b/defaults/genesis.json index 0144f0eea7e..ad3aff497fe 100644 --- a/defaults/genesis.json +++ b/defaults/genesis.json 
@@ -140,23 +140,13 @@ } }, { - "Register": { - "Role": { - "id": "ALICE_METADATA_ACCESS", - "permissions": [ - { - "name": "CanRemoveKeyValueInAccount", - "payload": { - "account": "ed0120CE7FA46C9DCE7EA4B125E2E36BDB63EA33073E7590AC92816AE1E861B7048B03@wonderland" - } - }, - { - "name": "CanSetKeyValueInAccount", - "payload": { - "account": "ed0120CE7FA46C9DCE7EA4B125E2E36BDB63EA33073E7590AC92816AE1E861B7048B03@wonderland" - } - } - ] + "Grant": { + "Permission": { + "object": { + "name": "CanRegisterDomain", + "payload": null + }, + "destination": "ed0120CE7FA46C9DCE7EA4B125E2E36BDB63EA33073E7590AC92816AE1E861B7048B03@wonderland" } } } diff --git a/docs/source/references/schema.json b/docs/source/references/schema.json index 6088c45dd7d..3d0e65817c6 100644 --- a/docs/source/references/schema.json +++ b/docs/source/references/schema.json @@ -802,23 +802,7 @@ } ] }, - "CanBurnAssetWithDefinition": { - "Struct": [ - { - "name": "asset_definition", - "type": "AssetDefinitionId" - } - ] - }, - "CanBurnUserAsset": { - "Struct": [ - { - "name": "asset", - "type": "AssetId" - } - ] - }, - "CanBurnUserTrigger": { + "CanExecuteTrigger": { "Struct": [ { "name": "trigger", @@ -826,23 +810,17 @@ } ] }, - "CanExecuteUserTrigger": { + "CanManagePeers": null, + "CanManageRoles": null, + "CanModifyAccountMetadata": { "Struct": [ { - "name": "trigger", - "type": "TriggerId" - } - ] - }, - "CanMintAssetWithDefinition": { - "Struct": [ - { - "name": "asset_definition", - "type": "AssetDefinitionId" + "name": "account", + "type": "AccountId" } ] }, - "CanMintUserAsset": { + "CanModifyAsset": { "Struct": [ { "name": "asset", 
@@ -850,31 +828,7 @@ } ] }, - "CanMintUserTrigger": { - "Struct": [ - { - "name": "trigger", - "type": "TriggerId" - } - ] - }, - "CanRegisterAccountInDomain": { - "Struct": [ - { - "name": "domain", - "type": "DomainId" - } - ] - }, - "CanRegisterAssetDefinitionInDomain": { - "Struct": [ - { - "name": "domain", - "type": "DomainId" - } - ] - }, - "CanRegisterAssetWithDefinition": { + "CanModifyAssetDefinitionMetadata": { "Struct": [ { "name": "asset_definition", @@ -882,23 +836,15 @@ } ] }, - "CanRegisterUserTrigger": { - "Struct": [ - { - "name": "account", - "type": "AccountId" - } - ] - }, - "CanRemoveKeyValueInAccount": { + "CanModifyAssetMetadata": { "Struct": [ { - "name": "account", - "type": "AccountId" + "name": "asset", + "type": "AssetId" } ] }, - "CanRemoveKeyValueInAssetDefinition": { + "CanModifyAssetsWithDefinition": { "Struct": [ { "name": "asset_definition", @@ -906,7 +852,7 @@ } ] }, - "CanRemoveKeyValueInDomain": { + "CanModifyDomainMetadata": { "Struct": [ { "name": "domain", @@ -914,7 +860,7 @@ } ] }, - "CanRemoveKeyValueInTrigger": { + "CanModifyTrigger": { "Struct": [ { "name": "trigger", @@ -922,31 +868,31 @@ } ] }, - "CanRemoveKeyValueInUserAsset": { + "CanModifyTriggerMetadata": { "Struct": [ { - "name": "asset", - "type": "AssetId" + "name": "trigger", + "type": "TriggerId" } ] }, - "CanSetKeyValueInAccount": { + "CanRegisterAccount": { "Struct": [ { - "name": "account", - "type": "AccountId" + "name": "domain", + "type": "DomainId" } ] }, - "CanSetKeyValueInAssetDefinition": { + "CanRegisterAsset": { "Struct": [ { - "name": "asset_definition", - "type": "AssetDefinitionId" + "name": "owner", + "type": "AccountId" } ] }, - "CanSetKeyValueInDomain": { + "CanRegisterAssetDefinition": { "Struct": [ { "name": "domain", 
@@ -954,32 +900,32 @@ } ] }, - "CanSetKeyValueInTrigger": { + "CanRegisterAssetWithDefinition": { "Struct": [ { - "name": "trigger", - "type": "TriggerId" + "name": "asset_definition", + "type": "AssetDefinitionId" } ] }, - "CanSetKeyValueInUserAsset": { + "CanRegisterTrigger": { "Struct": [ { - "name": "asset", - "type": "AssetId" + "name": "authority", + "type": "AccountId" } ] }, "CanSetParameters": null, - "CanTransferAssetWithDefinition": { + "CanUnregisterAccount": { "Struct": [ { - "name": "asset_definition", - "type": "AssetDefinitionId" + "name": "account", + "type": "AccountId" } ] }, - "CanTransferUserAsset": { + "CanUnregisterAsset": { "Struct": [ { "name": "asset", @@ -987,16 +933,6 @@ } ] }, - "CanUnregisterAccount": { - "Struct": [ - { - "name": "account", - "type": "AccountId" - } - ] - }, - "CanUnregisterAnyPeer": null, - "CanUnregisterAnyRole": null, "CanUnregisterAssetDefinition": { "Struct": [ { @@ -1021,19 +957,11 @@ } ] }, - "CanUnregisterUserAsset": { - "Struct": [ - { - "name": "asset", - "type": "AssetId" - } - ] - }, - "CanUnregisterUserTrigger": { + "CanUnregisterTrigger": { "Struct": [ { - "name": "account", - "type": "AccountId" + "name": "trigger", + "type": "TriggerId" } ] }, diff --git a/wasm_samples/multisig_register/src/lib.rs b/wasm_samples/multisig_register/src/lib.rs index e1f1a7c0488..5cd4c50bd4a 100644 --- a/wasm_samples/multisig_register/src/lib.rs +++ b/wasm_samples/multisig_register/src/lib.rs @@ -10,7 +10,7 @@ use alloc::format; use dlmalloc::GlobalDlmalloc; use executor_custom_data_model::multisig::MultisigRegisterArgs; -use iroha_executor_data_model::permission::trigger::CanExecuteUserTrigger; +use iroha_executor_data_model::permission::trigger::CanExecuteTrigger; use iroha_trigger::{debug::dbg_panic, prelude::*}; #[global_allocator] 
@@ -69,7 +69,7 @@ fn main(_id: TriggerId, _owner: AccountId, event: EventBox) { .parse() .dbg_expect("failed to parse role"); - let can_execute_multisig_trigger = CanExecuteUserTrigger { + let can_execute_multisig_trigger = CanExecuteTrigger { trigger: trigger_id.clone(), }; let role = Role::new(role_id.clone()).add_permission(can_execute_multisig_trigger);