github.com/flashbots/go-ethereum@v1.9.7/signer/rules/rules_test.go (about)

     1  // Copyright 2018 The go-ethereum Authors
     2  // This file is part of the go-ethereum library.
     3  //
     4  // The go-ethereum library is free software: you can redistribute it and/or modify
     5  // it under the terms of the GNU Lesser General Public License as published by
     6  // the Free Software Foundation, either version 3 of the License, or
     7  // (at your option) any later version.
     8  //
     9  // The go-ethereum library is distributed in the hope that it will be useful,
    10  // but WITHOUT ANY WARRANTY; without even the implied warranty of
    11  // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    12  // GNU Lesser General Public License for more details.
    13  //
    14  // You should have received a copy of the GNU Lesser General Public License
    15  // along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
    16  
    17  package rules
    18  
    19  import (
    20  	"fmt"
    21  	"math/big"
    22  	"strings"
    23  	"testing"
    24  
    25  	"github.com/ethereum/go-ethereum/accounts"
    26  	"github.com/ethereum/go-ethereum/common"
    27  	"github.com/ethereum/go-ethereum/common/hexutil"
    28  	"github.com/ethereum/go-ethereum/core/types"
    29  	"github.com/ethereum/go-ethereum/internal/ethapi"
    30  	"github.com/ethereum/go-ethereum/signer/core"
    31  	"github.com/ethereum/go-ethereum/signer/storage"
    32  )
    33  
    34  const JS = `
    35  /**
    36  This is an example implementation of a Javascript rule file.
    37  
    38  When the signer receives a request over the external API, the corresponding method is evaluated.
    39  Three things can happen:
    40  
    41  1. The method returns "Approve". This means the operation is permitted.
    42  2. The method returns "Reject". This means the operation is rejected.
    43  3. Anything else; other return values [*], method not implemented or exception occurred during processing. This means
    44  that the operation will continue to manual processing, via the regular UI method chosen by the user.
    45  
    46  [*] Note: Future version of the ruleset may use more complex json-based returnvalues, making it possible to not
    47  only respond Approve/Reject/Manual, but also modify responses. For example, choose to list only one, but not all
    48  accounts in a list-request. The points above will continue to hold for non-json based responses ("Approve"/"Reject").
    49  
    50  **/
    51  
    52  function ApproveListing(request){
    53  	console.log("In js approve listing");
    54  	console.log(request.accounts[3].Address)
    55  	console.log(request.meta.Remote)
    56  	return "Approve"
    57  }
    58  
    59  function ApproveTx(request){
    60  	console.log("test");
    61  	console.log("from");
    62  	return "Reject";
    63  }
    64  
    65  function test(thing){
    66  	console.log(thing.String())
    67  }
    68  
    69  `
    70  
    71  func mixAddr(a string) (*common.MixedcaseAddress, error) {
    72  	return common.NewMixedcaseAddressFromString(a)
    73  }
    74  
    75  type alwaysDenyUI struct{}
    76  
    77  func (alwaysDenyUI) OnInputRequired(info core.UserInputRequest) (core.UserInputResponse, error) {
    78  	return core.UserInputResponse{}, nil
    79  }
    80  func (alwaysDenyUI) RegisterUIServer(api *core.UIServerAPI) {
    81  }
    82  
    83  func (alwaysDenyUI) OnSignerStartup(info core.StartupInfo) {
    84  }
    85  
    86  func (alwaysDenyUI) ApproveTx(request *core.SignTxRequest) (core.SignTxResponse, error) {
    87  	return core.SignTxResponse{Transaction: request.Transaction, Approved: false}, nil
    88  }
    89  
    90  func (alwaysDenyUI) ApproveSignData(request *core.SignDataRequest) (core.SignDataResponse, error) {
    91  	return core.SignDataResponse{Approved: false}, nil
    92  }
    93  
    94  func (alwaysDenyUI) ApproveListing(request *core.ListRequest) (core.ListResponse, error) {
    95  	return core.ListResponse{Accounts: nil}, nil
    96  }
    97  
    98  func (alwaysDenyUI) ApproveNewAccount(request *core.NewAccountRequest) (core.NewAccountResponse, error) {
    99  	return core.NewAccountResponse{Approved: false}, nil
   100  }
   101  
   102  func (alwaysDenyUI) ShowError(message string) {
   103  	panic("implement me")
   104  }
   105  
   106  func (alwaysDenyUI) ShowInfo(message string) {
   107  	panic("implement me")
   108  }
   109  
   110  func (alwaysDenyUI) OnApprovedTx(tx ethapi.SignTransactionResult) {
   111  	panic("implement me")
   112  }
   113  
   114  func initRuleEngine(js string) (*rulesetUI, error) {
   115  	r, err := NewRuleEvaluator(&alwaysDenyUI{}, storage.NewEphemeralStorage())
   116  	if err != nil {
   117  		return nil, fmt.Errorf("failed to create js engine: %v", err)
   118  	}
   119  	if err = r.Init(js); err != nil {
   120  		return nil, fmt.Errorf("failed to load bootstrap js: %v", err)
   121  	}
   122  	return r, nil
   123  }
   124  
   125  func TestListRequest(t *testing.T) {
   126  	accs := make([]accounts.Account, 5)
   127  
   128  	for i := range accs {
   129  		addr := fmt.Sprintf("000000000000000000000000000000000000000%x", i)
   130  		acc := accounts.Account{
   131  			Address: common.BytesToAddress(common.Hex2Bytes(addr)),
   132  			URL:     accounts.URL{Scheme: "test", Path: fmt.Sprintf("acc-%d", i)},
   133  		}
   134  		accs[i] = acc
   135  	}
   136  
   137  	js := `function ApproveListing(){ return "Approve" }`
   138  
   139  	r, err := initRuleEngine(js)
   140  	if err != nil {
   141  		t.Errorf("Couldn't create evaluator %v", err)
   142  		return
   143  	}
   144  	resp, _ := r.ApproveListing(&core.ListRequest{
   145  		Accounts: accs,
   146  		Meta:     core.Metadata{Remote: "remoteip", Local: "localip", Scheme: "inproc"},
   147  	})
   148  	if len(resp.Accounts) != len(accs) {
   149  		t.Errorf("Expected check to resolve to 'Approve'")
   150  	}
   151  }
   152  
   153  func TestSignTxRequest(t *testing.T) {
   154  
   155  	js := `
   156  	function ApproveTx(r){
   157  		console.log("transaction.from", r.transaction.from);
   158  		console.log("transaction.to", r.transaction.to);
   159  		console.log("transaction.value", r.transaction.value);
   160  		console.log("transaction.nonce", r.transaction.nonce);
   161  		if(r.transaction.from.toLowerCase()=="0x0000000000000000000000000000000000001337"){ return "Approve"}
   162  		if(r.transaction.from.toLowerCase()=="0x000000000000000000000000000000000000dead"){ return "Reject"}
   163  	}`
   164  
   165  	r, err := initRuleEngine(js)
   166  	if err != nil {
   167  		t.Errorf("Couldn't create evaluator %v", err)
   168  		return
   169  	}
   170  	to, err := mixAddr("000000000000000000000000000000000000dead")
   171  	if err != nil {
   172  		t.Error(err)
   173  		return
   174  	}
   175  	from, err := mixAddr("0000000000000000000000000000000000001337")
   176  
   177  	if err != nil {
   178  		t.Error(err)
   179  		return
   180  	}
   181  	t.Logf("to %v", to.Address().String())
   182  	resp, err := r.ApproveTx(&core.SignTxRequest{
   183  		Transaction: core.SendTxArgs{
   184  			From: *from,
   185  			To:   to},
   186  		Callinfo: nil,
   187  		Meta:     core.Metadata{Remote: "remoteip", Local: "localip", Scheme: "inproc"},
   188  	})
   189  	if err != nil {
   190  		t.Errorf("Unexpected error %v", err)
   191  	}
   192  	if !resp.Approved {
   193  		t.Errorf("Expected check to resolve to 'Approve'")
   194  	}
   195  }
   196  
   197  type dummyUI struct {
   198  	calls []string
   199  }
   200  
   201  func (d *dummyUI) RegisterUIServer(api *core.UIServerAPI) {
   202  	panic("implement me")
   203  }
   204  
   205  func (d *dummyUI) OnInputRequired(info core.UserInputRequest) (core.UserInputResponse, error) {
   206  	d.calls = append(d.calls, "OnInputRequired")
   207  	return core.UserInputResponse{}, nil
   208  }
   209  
   210  func (d *dummyUI) ApproveTx(request *core.SignTxRequest) (core.SignTxResponse, error) {
   211  	d.calls = append(d.calls, "ApproveTx")
   212  	return core.SignTxResponse{}, core.ErrRequestDenied
   213  }
   214  
   215  func (d *dummyUI) ApproveSignData(request *core.SignDataRequest) (core.SignDataResponse, error) {
   216  	d.calls = append(d.calls, "ApproveSignData")
   217  	return core.SignDataResponse{}, core.ErrRequestDenied
   218  }
   219  
   220  func (d *dummyUI) ApproveListing(request *core.ListRequest) (core.ListResponse, error) {
   221  	d.calls = append(d.calls, "ApproveListing")
   222  	return core.ListResponse{}, core.ErrRequestDenied
   223  }
   224  
   225  func (d *dummyUI) ApproveNewAccount(request *core.NewAccountRequest) (core.NewAccountResponse, error) {
   226  	d.calls = append(d.calls, "ApproveNewAccount")
   227  	return core.NewAccountResponse{}, core.ErrRequestDenied
   228  }
   229  
   230  func (d *dummyUI) ShowError(message string) {
   231  	d.calls = append(d.calls, "ShowError")
   232  }
   233  
   234  func (d *dummyUI) ShowInfo(message string) {
   235  	d.calls = append(d.calls, "ShowInfo")
   236  }
   237  
   238  func (d *dummyUI) OnApprovedTx(tx ethapi.SignTransactionResult) {
   239  	d.calls = append(d.calls, "OnApprovedTx")
   240  }
   241  
   242  func (d *dummyUI) OnSignerStartup(info core.StartupInfo) {
   243  }
   244  
   245  //TestForwarding tests that the rule-engine correctly dispatches requests to the next caller
   246  func TestForwarding(t *testing.T) {
   247  
   248  	js := ""
   249  	ui := &dummyUI{make([]string, 0)}
   250  	jsBackend := storage.NewEphemeralStorage()
   251  	r, err := NewRuleEvaluator(ui, jsBackend)
   252  	if err != nil {
   253  		t.Fatalf("Failed to create js engine: %v", err)
   254  	}
   255  	if err = r.Init(js); err != nil {
   256  		t.Fatalf("Failed to load bootstrap js: %v", err)
   257  	}
   258  	r.ApproveSignData(nil)
   259  	r.ApproveTx(nil)
   260  	r.ApproveNewAccount(nil)
   261  	r.ApproveListing(nil)
   262  	r.ShowError("test")
   263  	r.ShowInfo("test")
   264  
   265  	//This one is not forwarded
   266  	r.OnApprovedTx(ethapi.SignTransactionResult{})
   267  
   268  	expCalls := 6
   269  	if len(ui.calls) != expCalls {
   270  
   271  		t.Errorf("Expected %d forwarded calls, got %d: %s", expCalls, len(ui.calls), strings.Join(ui.calls, ","))
   272  
   273  	}
   274  
   275  }
   276  
   277  func TestMissingFunc(t *testing.T) {
   278  	r, err := initRuleEngine(JS)
   279  	if err != nil {
   280  		t.Errorf("Couldn't create evaluator %v", err)
   281  		return
   282  	}
   283  
   284  	_, err = r.execute("MissingMethod", "test")
   285  
   286  	if err == nil {
   287  		t.Error("Expected error")
   288  	}
   289  
   290  	approved, err := r.checkApproval("MissingMethod", nil, nil)
   291  	if err == nil {
   292  		t.Errorf("Expected missing method to yield error'")
   293  	}
   294  	if approved {
   295  		t.Errorf("Expected missing method to cause non-approval")
   296  	}
   297  	t.Logf("Err %v", err)
   298  
   299  }
   300  func TestStorage(t *testing.T) {
   301  
   302  	js := `
   303  	function testStorage(){
   304  		storage.put("mykey", "myvalue")
   305  		a = storage.get("mykey")
   306  
   307  		storage.put("mykey", ["a", "list"])  	// Should result in "a,list"
   308  		a += storage.get("mykey")
   309  
   310  
   311  		storage.put("mykey", {"an": "object"}) 	// Should result in "[object Object]"
   312  		a += storage.get("mykey")
   313  
   314  
   315  		storage.put("mykey", JSON.stringify({"an": "object"})) // Should result in '{"an":"object"}'
   316  		a += storage.get("mykey")
   317  
   318  		a += storage.get("missingkey")		//Missing keys should result in empty string
   319  		storage.put("","missing key==noop") // Can't store with 0-length key
   320  		a += storage.get("")				// Should result in ''
   321  
   322  		var b = new BigNumber(2)
   323  		var c = new BigNumber(16)//"0xf0",16)
   324  		var d = b.plus(c)
   325  		console.log(d)
   326  		return a
   327  	}
   328  `
   329  	r, err := initRuleEngine(js)
   330  	if err != nil {
   331  		t.Errorf("Couldn't create evaluator %v", err)
   332  		return
   333  	}
   334  
   335  	v, err := r.execute("testStorage", nil)
   336  
   337  	if err != nil {
   338  		t.Errorf("Unexpected error %v", err)
   339  	}
   340  	retval, err := v.ToString()
   341  
   342  	if err != nil {
   343  		t.Errorf("Unexpected error %v", err)
   344  	}
   345  	exp := `myvaluea,list[object Object]{"an":"object"}`
   346  	if retval != exp {
   347  		t.Errorf("Unexpected data, expected '%v', got '%v'", exp, retval)
   348  	}
   349  	t.Logf("Err %v", err)
   350  
   351  }
   352  
   353  const ExampleTxWindow = `
   354  	function big(str){
   355  		if(str.slice(0,2) == "0x"){ return new BigNumber(str.slice(2),16)}
   356  		return new BigNumber(str)
   357  	}
   358  
   359  	// Time window: 1 week
   360  	var window = 1000* 3600*24*7;
   361  
   362  	// Limit : 1 ether
   363  	var limit = new BigNumber("1e18");
   364  
   365  	function isLimitOk(transaction){
   366  		var value = big(transaction.value)
   367  		// Start of our window function
   368  		var windowstart = new Date().getTime() - window;
   369  
   370  		var txs = [];
   371  		var stored = storage.get('txs');
   372  
   373  		if(stored != ""){
   374  			txs = JSON.parse(stored)
   375  		}
   376  		// First, remove all that have passed out of the time-window
   377  		var newtxs = txs.filter(function(tx){return tx.tstamp > windowstart});
   378  		console.log(txs, newtxs.length);
   379  
   380  		// Secondly, aggregate the current sum
   381  		sum = new BigNumber(0)
   382  
   383  		sum = newtxs.reduce(function(agg, tx){ return big(tx.value).plus(agg)}, sum);
   384  		console.log("ApproveTx > Sum so far", sum);
   385  		console.log("ApproveTx > Requested", value.toNumber());
   386  
   387  		// Would we exceed weekly limit ?
   388  		return sum.plus(value).lt(limit)
   389  
   390  	}
   391  	function ApproveTx(r){
   392  		console.log(r)
   393  		console.log(typeof(r))
   394  		if (isLimitOk(r.transaction)){
   395  			return "Approve"
   396  		}
   397  		return "Nope"
   398  	}
   399  
   400  	/**
   401  	* OnApprovedTx(str) is called when a transaction has been approved and signed. The parameter
   402   	* 'response_str' contains the return value that will be sent to the external caller.
   403  	* The return value from this method is ignore - the reason for having this callback is to allow the
   404  	* ruleset to keep track of approved transactions.
   405  	*
   406  	* When implementing rate-limited rules, this callback should be used.
   407  	* If a rule responds with neither 'Approve' nor 'Reject' - the tx goes to manual processing. If the user
   408  	* then accepts the transaction, this method will be called.
   409  	*
   410  	* TLDR; Use this method to keep track of signed transactions, instead of using the data in ApproveTx.
   411  	*/
   412   	function OnApprovedTx(resp){
   413  		var value = big(resp.tx.value)
   414  		var txs = []
   415  		// Load stored transactions
   416  		var stored = storage.get('txs');
   417  		if(stored != ""){
   418  			txs = JSON.parse(stored)
   419  		}
   420  		// Add this to the storage
   421  		txs.push({tstamp: new Date().getTime(), value: value});
   422  		storage.put("txs", JSON.stringify(txs));
   423  	}
   424  
   425  `
   426  
   427  func dummyTx(value hexutil.Big) *core.SignTxRequest {
   428  	to, _ := mixAddr("000000000000000000000000000000000000dead")
   429  	from, _ := mixAddr("000000000000000000000000000000000000dead")
   430  	n := hexutil.Uint64(3)
   431  	gas := hexutil.Uint64(21000)
   432  	gasPrice := hexutil.Big(*big.NewInt(2000000))
   433  
   434  	return &core.SignTxRequest{
   435  		Transaction: core.SendTxArgs{
   436  			From:     *from,
   437  			To:       to,
   438  			Value:    value,
   439  			Nonce:    n,
   440  			GasPrice: gasPrice,
   441  			Gas:      gas,
   442  		},
   443  		Callinfo: []core.ValidationInfo{
   444  			{Typ: "Warning", Message: "All your base are bellong to us"},
   445  		},
   446  		Meta: core.Metadata{Remote: "remoteip", Local: "localip", Scheme: "inproc"},
   447  	}
   448  }
   449  
   450  func dummyTxWithV(value uint64) *core.SignTxRequest {
   451  	v := big.NewInt(0).SetUint64(value)
   452  	h := hexutil.Big(*v)
   453  	return dummyTx(h)
   454  }
   455  
   456  func dummySigned(value *big.Int) *types.Transaction {
   457  	to := common.HexToAddress("000000000000000000000000000000000000dead")
   458  	gas := uint64(21000)
   459  	gasPrice := big.NewInt(2000000)
   460  	data := make([]byte, 0)
   461  	return types.NewTransaction(3, to, value, gas, gasPrice, data)
   462  }
   463  
   464  func TestLimitWindow(t *testing.T) {
   465  	r, err := initRuleEngine(ExampleTxWindow)
   466  	if err != nil {
   467  		t.Errorf("Couldn't create evaluator %v", err)
   468  		return
   469  	}
   470  	// 0.3 ether: 429D069189E0000 wei
   471  	v := big.NewInt(0).SetBytes(common.Hex2Bytes("0429D069189E0000"))
   472  	h := hexutil.Big(*v)
   473  	// The first three should succeed
   474  	for i := 0; i < 3; i++ {
   475  		unsigned := dummyTx(h)
   476  		resp, err := r.ApproveTx(unsigned)
   477  		if err != nil {
   478  			t.Errorf("Unexpected error %v", err)
   479  		}
   480  		if !resp.Approved {
   481  			t.Errorf("Expected check to resolve to 'Approve'")
   482  		}
   483  		// Create a dummy signed transaction
   484  
   485  		response := ethapi.SignTransactionResult{
   486  			Tx:  dummySigned(v),
   487  			Raw: common.Hex2Bytes("deadbeef"),
   488  		}
   489  		r.OnApprovedTx(response)
   490  	}
   491  	// Fourth should fail
   492  	resp, _ := r.ApproveTx(dummyTx(h))
   493  	if resp.Approved {
   494  		t.Errorf("Expected check to resolve to 'Reject'")
   495  	}
   496  }
   497  
   498  // dontCallMe is used as a next-handler that does not want to be called - it invokes test failure
   499  type dontCallMe struct {
   500  	t *testing.T
   501  }
   502  
   503  func (d *dontCallMe) OnInputRequired(info core.UserInputRequest) (core.UserInputResponse, error) {
   504  	d.t.Fatalf("Did not expect next-handler to be called")
   505  	return core.UserInputResponse{}, nil
   506  }
   507  
   508  func (d *dontCallMe) RegisterUIServer(api *core.UIServerAPI) {
   509  }
   510  
   511  func (d *dontCallMe) OnSignerStartup(info core.StartupInfo) {
   512  }
   513  
   514  func (d *dontCallMe) ApproveTx(request *core.SignTxRequest) (core.SignTxResponse, error) {
   515  	d.t.Fatalf("Did not expect next-handler to be called")
   516  	return core.SignTxResponse{}, core.ErrRequestDenied
   517  }
   518  
   519  func (d *dontCallMe) ApproveSignData(request *core.SignDataRequest) (core.SignDataResponse, error) {
   520  	d.t.Fatalf("Did not expect next-handler to be called")
   521  	return core.SignDataResponse{}, core.ErrRequestDenied
   522  }
   523  
   524  func (d *dontCallMe) ApproveListing(request *core.ListRequest) (core.ListResponse, error) {
   525  	d.t.Fatalf("Did not expect next-handler to be called")
   526  	return core.ListResponse{}, core.ErrRequestDenied
   527  }
   528  
   529  func (d *dontCallMe) ApproveNewAccount(request *core.NewAccountRequest) (core.NewAccountResponse, error) {
   530  	d.t.Fatalf("Did not expect next-handler to be called")
   531  	return core.NewAccountResponse{}, core.ErrRequestDenied
   532  }
   533  
   534  func (d *dontCallMe) ShowError(message string) {
   535  	d.t.Fatalf("Did not expect next-handler to be called")
   536  }
   537  
   538  func (d *dontCallMe) ShowInfo(message string) {
   539  	d.t.Fatalf("Did not expect next-handler to be called")
   540  }
   541  
   542  func (d *dontCallMe) OnApprovedTx(tx ethapi.SignTransactionResult) {
   543  	d.t.Fatalf("Did not expect next-handler to be called")
   544  }
   545  
   546  //TestContextIsCleared tests that the rule-engine does not retain variables over several requests.
   547  // if it does, that would be bad since developers may rely on that to store data,
   548  // instead of using the disk-based data storage
   549  func TestContextIsCleared(t *testing.T) {
   550  
   551  	js := `
   552  	function ApproveTx(){
   553  		if (typeof foobar == 'undefined') {
   554  			foobar = "Approve"
   555   		}
   556  		console.log(foobar)
   557  		if (foobar == "Approve"){
   558  			foobar = "Reject"
   559  		}else{
   560  			foobar = "Approve"
   561  		}
   562  		return foobar
   563  	}
   564  	`
   565  	ui := &dontCallMe{t}
   566  	r, err := NewRuleEvaluator(ui, storage.NewEphemeralStorage())
   567  	if err != nil {
   568  		t.Fatalf("Failed to create js engine: %v", err)
   569  	}
   570  	if err = r.Init(js); err != nil {
   571  		t.Fatalf("Failed to load bootstrap js: %v", err)
   572  	}
   573  	tx := dummyTxWithV(0)
   574  	r1, _ := r.ApproveTx(tx)
   575  	r2, _ := r.ApproveTx(tx)
   576  	if r1.Approved != r2.Approved {
   577  		t.Errorf("Expected execution context to be cleared between executions")
   578  	}
   579  }
   580  
   581  func TestSignData(t *testing.T) {
   582  
   583  	js := `function ApproveListing(){
   584      return "Approve"
   585  }
   586  function ApproveSignData(r){
   587      if( r.address.toLowerCase() == "0x694267f14675d7e1b9494fd8d72fefe1755710fa")
   588      {
   589          if(r.messages[0].value.indexOf("bazonk") >= 0){
   590              return "Approve"
   591          }
   592          return "Reject"
   593      }
   594      // Otherwise goes to manual processing
   595  }`
   596  	r, err := initRuleEngine(js)
   597  	if err != nil {
   598  		t.Errorf("Couldn't create evaluator %v", err)
   599  		return
   600  	}
   601  	message := "baz bazonk foo"
   602  	hash, rawdata := accounts.TextAndHash([]byte(message))
   603  	addr, _ := mixAddr("0x694267f14675d7e1b9494fd8d72fefe1755710fa")
   604  
   605  	t.Logf("address %v %v\n", addr.String(), addr.Original())
   606  
   607  	nvt := []*core.NameValueType{
   608  		{
   609  			Name:  "message",
   610  			Typ:   "text/plain",
   611  			Value: message,
   612  		},
   613  	}
   614  	resp, err := r.ApproveSignData(&core.SignDataRequest{
   615  		Address:  *addr,
   616  		Messages: nvt,
   617  		Hash:     hash,
   618  		Meta:     core.Metadata{Remote: "remoteip", Local: "localip", Scheme: "inproc"},
   619  		Rawdata:  []byte(rawdata),
   620  	})
   621  	if err != nil {
   622  		t.Fatalf("Unexpected error %v", err)
   623  	}
   624  	if !resp.Approved {
   625  		t.Fatalf("Expected approved")
   626  	}
   627  }