diff --git a/indy_common/authorize/auth_map.py b/indy_common/authorize/auth_map.py index 1506d3945..67594f022 100644 --- a/indy_common/authorize/auth_map.py +++ b/indy_common/authorize/auth_map.py @@ -62,6 +62,11 @@ old_value=TRUST_ANCHOR, new_value=TRUST_ANCHOR) +sameRoleNetworkMonitor = AuthActionEdit(txn_type=NYM, + field=ROLE, + old_value=NETWORK_MONITOR, + new_value=NETWORK_MONITOR) + sameRoleNone = AuthActionEdit(txn_type=NYM, field=ROLE, old_value='', @@ -206,6 +211,9 @@ sameRoleNone.get_action_id(): AuthConstraint(role='*', sig_count=1, need_to_be_owner=True), + sameRoleNetworkMonitor.get_action_id(): AuthConstraint(role="*", + sig_count=1, + need_to_be_owner=True), keyRotation.get_action_id(): AuthConstraint(role='*', sig_count=1, need_to_be_owner=True), diff --git a/indy_common/test/auth/test_auth_nym_with_new_auth_map.py b/indy_common/test/auth/test_auth_nym_with_new_auth_map.py index 65b970769..f77383df6 100644 --- a/indy_common/test/auth/test_auth_nym_with_new_auth_map.py +++ b/indy_common/test/auth/test_auth_nym_with_new_auth_map.py 
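Review bot: The new `sameRoleNetworkMonitor.get_action_id()` entry in the constraint map is the rule that decides who may edit a NETWORK_MONITOR NYM without changing its role, and neither hunk says why it is owner-only. A one-line comment above the entry, such as `# NETWORK_MONITOR -> NETWORK_MONITOR (role unchanged): only the NYM's owner may edit, any role`, would make the intent reviewable. The entry also writes `role="*"` where the neighbouring entries use `role='*'`; matching the surrounding quoting keeps the map uniform. Both the list of `AuthActionEdit` definitions and the map itself continue outside the hunks.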
@@ -94,3 +94,43 @@ def test_change_verkey(write_request_validation, req, is_owner): old_value="_verkey".format(req.identifier), new_value='new_value', is_owner=is_owner)]) + + +def test_same_role_trustee(write_request_validation, req, is_owner): + authorized = is_owner + assert authorized == write_request_validation(req, + [AuthActionEdit(txn_type=NYM, + field=ROLE, + old_value=TRUSTEE, + new_value=TRUSTEE, + is_owner=is_owner)]) + + +def test_same_role_steward(write_request_validation, req, is_owner): + authorized = is_owner + assert authorized == write_request_validation(req, + [AuthActionEdit(txn_type=NYM, + field=ROLE, + old_value=STEWARD, + new_value=STEWARD, + is_owner=is_owner)]) + + +def test_same_role_trust_acnhor(write_request_validation, req, is_owner): + authorized = is_owner + assert authorized == write_request_validation(req, + [AuthActionEdit(txn_type=NYM, + field=ROLE, + old_value=TRUST_ANCHOR, + new_value=TRUST_ANCHOR, + is_owner=is_owner)]) + + +def test_same_role_network_monitor(write_request_validation, req, is_owner): + authorized = is_owner + assert authorized == write_request_validation(req, + [AuthActionEdit(txn_type=NYM, + field=ROLE, + old_value=NETWORK_MONITOR, + new_value=NETWORK_MONITOR, + is_owner=is_owner)]) diff --git a/indy_node/test/conftest.py b/indy_node/test/conftest.py index 33bde3a0e..55fd594ea 100644 --- a/indy_node/test/conftest.py +++ b/indy_node/test/conftest.py @@ -35,7 +35,7 @@ from plenum.test.conftest import sdk_pool_handle as plenum_pool_handle, sdk_pool_data, sdk_wallet_steward, \ sdk_wallet_handle, sdk_wallet_data, sdk_steward_seed, sdk_wallet_client, sdk_wallet_trustee, \ sdk_trustee_seed, trustee_data, sdk_client_seed, poolTxnClientData, poolTxnClientNames, \ - sdk_wallet_stewards, create_node_and_not_start + sdk_wallet_stewards, create_node_and_not_start, sdk_wallet_handle Logger.setLogLevel(logging.NOTSET) 
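Review bot: `test_same_role_trust_acnhor` misspells "anchor", so selecting tests with `-k trust_anchor` silently skips it; rename it to `test_same_role_trust_anchor`. The four added tests differ only in the role constant, so a single test parametrized over `TRUSTEE`, `STEWARD`, `TRUST_ANCHOR` and `NETWORK_MONITOR` would state the owner-only rule once and make it harder for a future role to be left without a same-role check. None of the new tests has a docstring saying that authorization is expected to equal `is_owner`.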
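Review bot: `sdk_wallet_handle` is appended to an import list that already names it earlier in the same `from plenum.test.conftest import …` statement (visible in this hunk's context lines), so the added name is a duplicate. The last line can stay `sdk_wallet_stewards, create_node_and_not_start`. The import statement starts above the hunk.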
diff --git a/indy_node/test/nym_txn/conftest.py b/indy_node/test/nym_txn/conftest.py
new file mode 100644
index 000000000..549a54307
--- /dev/null
+++ b/indy_node/test/nym_txn/conftest.py
@@ -0,0 +1,6 @@
+import pytest
+
+
+@pytest.fixture(scope="function", params=[False, True])
+def with_verkey(request):
+ return request.param
diff --git a/indy_node/test/nym_txn/test_demote_network_monitor.py b/indy_node/test/nym_txn/test_demote_network_monitor.py
new file mode 100644
index 000000000..19e2c6018
--- /dev/null
+++ b/indy_node/test/nym_txn/test_demote_network_monitor.py
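Review bot: The `with_verkey` fixture in indy_node/test/nym_txn/conftest.py has no docstring, and its two cases appear in test reports as `False`/`True`, which does not say what is being toggled. A docstring such as `"""Whether the demotion NYM request also carries the target's verkey."""` and `ids=["without_verkey", "with_verkey"]` on the decorator would make a failing authorization case identifiable from the report alone. The meaning given here is read from how the tests in this commit use the fixture.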
@@ -0,0 +1,78 @@
+import pytest
+from indy import did
+
+from indy_common.constants import NETWORK_MONITOR
+from indy_node.test.validator_info.helper import sdk_get_validator_info
+from plenum.common.constants import STEWARD_STRING
+from plenum.common.exceptions import RequestRejectedException
+from plenum.test.helper import sdk_sign_and_submit_op, sdk_get_and_check_replies
+from plenum.test.pool_transactions.helper import sdk_add_new_nym
+
+
+def test_network_monitor_suspension_by_another_steward(looper,
+ sdk_pool_handle,
+ sdk_wallet_steward,
+ sdk_wallet_trustee,
+ sdk_wallet_handle,
+ with_verkey):
+ new_steward_did, new_steward_verkey = looper.loop.run_until_complete(
+ did.create_and_store_my_did(sdk_wallet_trustee[0], "{}"))
+ new_network_monitor_did, new_network_monitor_verkey = looper.loop.run_until_complete(
+ did.create_and_store_my_did(sdk_wallet_steward[0], "{}"))
+
+ """Adding new steward"""
+ sdk_add_new_nym(looper, sdk_pool_handle,
+ sdk_wallet_trustee, 'newSteward', STEWARD_STRING, verkey=new_steward_verkey, dest=new_steward_did)
+
+ """Adding NETWORK_MONITOR role by first steward"""
+ op = {'type': '1',
+ 'dest': new_network_monitor_did,
+ 'role': NETWORK_MONITOR,
+ 'verkey': new_network_monitor_verkey}
+ req = sdk_sign_and_submit_op(looper, sdk_pool_handle, (sdk_wallet_handle, new_steward_did), op)
+ sdk_get_and_check_replies(looper, [req])
+
+ """Check that get_validator_info command works for NETWORK_MONITOR role"""
+ sdk_get_validator_info(looper, (sdk_wallet_handle, new_network_monitor_did), sdk_pool_handle)
+
+ """Blacklisting network_monitor by new steward"""
+ op = {'type': '1',
+ 'dest': new_network_monitor_did,
+ 'role': None}
+ if with_verkey:
+ op['verkey'] = new_network_monitor_verkey
+ req = sdk_sign_and_submit_op(looper, sdk_pool_handle, (sdk_wallet_handle, new_steward_did), op)
+ if with_verkey:
+ with pytest.raises(RequestRejectedException):
+ sdk_get_and_check_replies(looper, [req])
+ else:
+ sdk_get_and_check_replies(looper, [req])
+ with pytest.raises(RequestRejectedException):
+ sdk_get_validator_info(looper, (sdk_wallet_handle, new_network_monitor_did), sdk_pool_handle)
+
+
+def test_network_monitor_suspension_by_itself(looper,
+ sdk_pool_handle,
+ sdk_wallet_steward,
+ sdk_wallet_handle,
+ with_verkey):
+ new_network_monitor_did, new_network_monitor_verkey = looper.loop.run_until_complete(
+ did.create_and_store_my_did(sdk_wallet_steward[0], "{}"))
+
+ """Adding NETWORK_MONITOR role by steward"""
+ op = {'type': '1',
+ 'dest': new_network_monitor_did,
+ 'role': NETWORK_MONITOR,
+ 'verkey': new_network_monitor_verkey}
+ req = sdk_sign_and_submit_op(looper, sdk_pool_handle, (sdk_wallet_handle, sdk_wallet_steward[1]), op)
+ sdk_get_and_check_replies(looper, [req])
+
+ """Blacklisting network_monitor by itself"""
+ op = {'type': '1',
+ 'dest': new_network_monitor_did,
+ 'role': None}
+ if with_verkey:
+ op['verkey'] = new_network_monitor_verkey
+ req = sdk_sign_and_submit_op(looper, sdk_pool_handle, (sdk_wallet_handle, new_network_monitor_did), op)
+ with pytest.raises(RequestRejectedException):
+ sdk_get_and_check_replies(looper, [req])
\ No newline at end of file
diff --git a/indy_node/test/nym_txn/test_nym_blacklisting.py b/indy_node/test/nym_txn/test_nym_blacklisting.py
new file mode 100644
index 000000000..3491112a6
--- /dev/null
+++ b/indy_node/test/nym_txn/test_nym_blacklisting.py
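Review bot: Every negative case in test_demote_network_monitor.py passes on any `RequestRejectedException`, so a request refused for an unrelated reason would satisfy the same assertion as an authorization failure. The `pytest.raises` blocks in test_nym_blacklisting.py have the same gap. Passing `match=` with the rejection reason the node returns for an authorization failure would make these tests prove the permission rule rather than just a rejection. As far as the flattened indentation shows, `test_network_monitor_suspension_by_another_steward` also has no positive check that the monitor still passes `sdk_get_validator_info` after the refused demotion when `with_verkey` is true. In both files the bare string literals used as step labels are no-op expressions that would normally be `#` comments, and `'type': '1'` would read better as the NYM transaction-type constant.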
@@ -0,0 +1,82 @@
+import pytest
+from indy import did
+
+from indy_common.constants import TRUST_ANCHOR_STRING
+from plenum.common.constants import TRUSTEE_STRING, STEWARD_STRING
+from plenum.common.exceptions import RequestRejectedException
+from plenum.test.helper import sdk_get_and_check_replies, sdk_sign_and_submit_op
+from plenum.test.pool_transactions.helper import sdk_add_new_nym
+
+
+def test_steward_suspension_by_another_trustee(looper,
+ sdk_pool_handle,
+ sdk_wallet_trustee,
+ sdk_wallet_handle,
+ with_verkey):
+ new_trustee_did, new_trustee_verkey = looper.loop.run_until_complete(
+ did.create_and_store_my_did(sdk_wallet_trustee[0], "{}"))
+ new_steward_did, new_steward_verkey = looper.loop.run_until_complete(
+ did.create_and_store_my_did(sdk_wallet_trustee[0], "{}"))
+
+ """Adding new steward"""
+ sdk_add_new_nym(looper, sdk_pool_handle,
+ sdk_wallet_trustee, 'newSteward', STEWARD_STRING, verkey=new_steward_verkey, dest=new_steward_did)
+
+ """Adding new trustee"""
+ sdk_add_new_nym(looper, sdk_pool_handle,
+ sdk_wallet_trustee, 'newTrustee', TRUSTEE_STRING, verkey=new_trustee_verkey, dest=new_trustee_did)
+
+ """Blacklisting new steward by new trustee"""
+ op = {'type': '1',
+ 'dest': new_steward_did,
+ 'role': None}
+ if with_verkey:
+ op['verkey'] = new_steward_verkey
+ req = sdk_sign_and_submit_op(looper, sdk_pool_handle, (sdk_wallet_handle, new_trustee_did), op)
+ if with_verkey:
+ with pytest.raises(RequestRejectedException):
+ sdk_get_and_check_replies(looper, [req])
+ else:
+ sdk_get_and_check_replies(looper, [req])
+
+
+def test_steward_cannot_create_trust_anchors_after_demote (looper,
+ sdk_pool_handle,
+ sdk_wallet_trustee,
+ sdk_wallet_handle):
+ new_steward_did, new_steward_verkey = looper.loop.run_until_complete(
+ did.create_and_store_my_did(sdk_wallet_trustee[0], "{}"))
+ new_ta_did, new_ta_verkey = looper.loop.run_until_complete(
+ did.create_and_store_my_did(sdk_wallet_trustee[0], "{}"))
+ new_ta_2_did, new_ta_2_verkey = looper.loop.run_until_complete(
+ did.create_and_store_my_did(sdk_wallet_trustee[0], "{}"))
+
+ """Adding new steward"""
+ sdk_add_new_nym(looper, sdk_pool_handle,
+ sdk_wallet_trustee,
+ 'newSteward',
+ STEWARD_STRING,
+ verkey=new_steward_verkey, dest=new_steward_did)
+
+ """Adding new TA"""
+ sdk_add_new_nym(looper, sdk_pool_handle,
+ (sdk_wallet_handle, new_steward_did),
+ 'newSteward',
+ TRUST_ANCHOR_STRING,
+ verkey=new_ta_verkey, dest=new_ta_did)
+
+ """Blacklisting new steward by trustee"""
+ op = {'type': '1',
+ 'dest': new_steward_did,
+ 'role': None}
+ req = sdk_sign_and_submit_op(looper, sdk_pool_handle, sdk_wallet_trustee, op)
+ sdk_get_and_check_replies(looper, [req])
+
+ """Try to add new TA by previous demoted steward"""
+ with pytest.raises(RequestRejectedException):
+ sdk_add_new_nym(looper, sdk_pool_handle,
+ (sdk_wallet_handle, new_steward_did),
+ 'newSteward',
+ TRUST_ANCHOR_STRING,
+ verkey=new_ta_2_verkey, dest=new_ta_2_did)
+
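Review bot: In `test_steward_cannot_create_trust_anchors_after_demote` both trust-anchor NYMs are submitted with the alias `'newSteward'`, which looks copied from the steward call above it. A distinct alias per identity (for example `'newTA'` and `'newTA2'`, names constructed here) would keep failure output readable and would avoid any dependence on how the helper treats repeated aliases. The signature also has a stray space before the parenthesis, `..._after_demote (looper,`, which PEP 8 tooling flags. Neither test in this file has a docstring stating which role is expected to be allowed or refused, and the expectation that a trustee's demotion is rejected when `with_verkey` is true is not obvious from the test name `test_steward_suspension_by_another_trustee`.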