github.com/muhammedhassanm/blockchain@v0.0.0-20200120143007-697261defd4d/sawtooth-core-master/validator/tests/test_permission_verifier/tests.py (about) 1 # Copyright 2017 Intel Corporation 2 # 3 # Licensed under the Apache License, Version 2.0 (the "License"); 4 # you may not use this file except in compliance with the License. 5 # You may obtain a copy of the License at 6 # 7 # http://www.apache.org/licenses/LICENSE-2.0 8 # 9 # Unless required by applicable law or agreed to in writing, software 10 # distributed under the License is distributed on an "AS IS" BASIS, 11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 # See the License for the specific language governing permissions and 13 # limitations under the License. 14 # ------------------------------------------------------------------------------ 15 16 # pylint: disable=invalid-name 17 18 import unittest 19 import hashlib 20 21 import cbor 22 23 from sawtooth_signing import create_context 24 from sawtooth_signing import CryptoFactory 25 from sawtooth_validator.protobuf.transaction_pb2 import TransactionHeader 26 from sawtooth_validator.protobuf.transaction_pb2 import Transaction 27 from sawtooth_validator.protobuf.batch_pb2 import BatchHeader 28 from sawtooth_validator.protobuf.batch_pb2 import Batch 29 from sawtooth_validator.protobuf.block_pb2 import BlockHeader 30 from sawtooth_validator.protobuf.block_pb2 import Block 31 from sawtooth_validator.protobuf.events_pb2 import Event 32 from sawtooth_validator.protobuf.transaction_receipt_pb2 import \ 33 TransactionReceipt 34 from sawtooth_validator.journal.block_wrapper import BlockWrapper 35 from sawtooth_validator.gossip.permission_verifier import PermissionVerifier 36 from sawtooth_validator.gossip.permission_verifier import IdentityCache 37 from sawtooth_validator.gossip.identity_observer import IdentityObserver 38 from test_permission_verifier.mocks import MockIdentityViewFactory 39 from test_permission_verifier.mocks import make_policy 40 41 42 class TestPermissionVerifier(unittest.TestCase): 43 def setUp(self): 44 context = create_context('secp256k1') 45 crypto_factory = CryptoFactory(context) 46 private_key = context.new_random_private_key() 47 self.signer = crypto_factory.new_signer(private_key) 48 self._identity_view_factory = MockIdentityViewFactory() 49 self.permissions = {} 50 self._identity_cache = IdentityCache( 51 self._identity_view_factory) 52 self.permission_verifier = \ 53 PermissionVerifier( 54 permissions=self.permissions, 55 current_root_func=self._current_root_func, 56 identity_cache=self._identity_cache) 57 58 @property 59 def public_key(self): 60 return self.signer.get_public_key().as_hex() 61 62 def _current_root_func(self): 63 return "0000000000000000000000" 64 65 def _create_transactions(self, count): 66 txn_list = [] 67 68 for _ in range(count): 69 payload = { 70 'Verb': 'set', 71 'Name': 'name', 72 'Value': 1, 73 } 74 75 intkey_prefix = \ 76 hashlib.sha512('intkey'.encode('utf-8')).hexdigest()[0:6] 77 78 addr = intkey_prefix + \ 79 hashlib.sha512(payload["Name"].encode('utf-8')).hexdigest() 80 81 payload_encode = hashlib.sha512(cbor.dumps(payload)).hexdigest() 82 83 header = TransactionHeader( 84 signer_public_key=self.public_key, 85 family_name='intkey', 86 family_version='1.0', 87 inputs=[addr], 88 outputs=[addr], 89 dependencies=[], 90 payload_sha512=payload_encode) 91 92 header.batcher_public_key = self.public_key 93 94 header_bytes = header.SerializeToString() 95 96 signature = self.signer.sign(header_bytes) 97 98 transaction = Transaction( 99 header=header_bytes, 100 payload=cbor.dumps(payload), 101 header_signature=signature) 102 103 txn_list.append(transaction) 104 105 return txn_list 106 107 def _create_batches(self, batch_count, txn_count): 108 109 batch_list = [] 110 111 for _ in range(batch_count): 112 txn_list = self._create_transactions(txn_count) 113 txn_sig_list = [txn.header_signature for txn in txn_list] 114 115 batch_header = BatchHeader( 116 signer_public_key=self.signer.get_public_key().as_hex()) 117 batch_header.transaction_ids.extend(txn_sig_list) 118 119 header_bytes = batch_header.SerializeToString() 120 121 signature = self.signer.sign(header_bytes) 122 123 batch = Batch( 124 header=header_bytes, 125 transactions=txn_list, 126 header_signature=signature) 127 128 batch_list.append(batch) 129 130 return batch_list 131 132 def test_permission(self): 133 """ 134 Test that if no roles are set and no default policy is set, 135 permit all is used. 136 """ 137 batch = self._create_batches(1, 1)[0] 138 allowed = self.permission_verifier.is_batch_signer_authorized(batch) 139 self.assertTrue(allowed) 140 141 def test_default_policy_permission(self): 142 """ 143 Test that if no roles are set, the default policy is used. 144 1. Set default policy to permit all. Batch should be allowed. 145 2. Set default policy to deny all. Batch should be rejected. 146 """ 147 self._identity_view_factory.add_policy("default", ["PERMIT_KEY *"]) 148 batch = self._create_batches(1, 1)[0] 149 allowed = self.permission_verifier.is_batch_signer_authorized(batch) 150 self.assertTrue(allowed) 151 152 self._identity_cache.forked() 153 self._identity_view_factory.add_policy("default", ["DENY_KEY *"]) 154 batch = self._create_batches(1, 1)[0] 155 allowed = self.permission_verifier.is_batch_signer_authorized(batch) 156 self.assertFalse(allowed) 157 158 def test_transactor_role(self): 159 """ 160 Test that role:"transactor" is checked properly. 161 1. Set policy to permit signing key. Batch should be allowed. 162 2. Set policy to permit some other key. Batch should be rejected. 163 """ 164 self._identity_view_factory.add_policy( 165 "policy1", ["PERMIT_KEY " + self.public_key]) 166 self._identity_view_factory.add_role("transactor", "policy1") 167 batch = self._create_batches(1, 1)[0] 168 allowed = self.permission_verifier.is_batch_signer_authorized(batch) 169 self.assertTrue(allowed) 170 171 self._identity_cache.forked() 172 self._identity_view_factory.add_policy("policy1", ["PERMIT_KEY other"]) 173 self._identity_view_factory.add_role("transactor", "policy1") 174 batch = self._create_batches(1, 1)[0] 175 allowed = self.permission_verifier.is_batch_signer_authorized(batch) 176 self.assertFalse(allowed) 177 178 def test_transactor_batch_signer(self): 179 """ 180 Test that role: "transactor.batch_signer" is checked properly. 181 1. Set policy to permit signing key. Batch should be allowed. 182 2. Set policy to permit some other key. Batch should be rejected. 183 """ 184 self._identity_view_factory.add_policy( 185 "policy1", ["PERMIT_KEY " + self.public_key]) 186 self._identity_view_factory.add_role("transactor.batch_signer", 187 "policy1") 188 batch = self._create_batches(1, 1)[0] 189 allowed = self.permission_verifier.is_batch_signer_authorized(batch) 190 self.assertTrue(allowed) 191 192 self._identity_cache.forked() 193 self._identity_view_factory.add_policy("policy1", ["PERMIT_KEY other"]) 194 self._identity_view_factory.add_role("transactor.batch_signer", 195 "policy1") 196 batch = self._create_batches(1, 1)[0] 197 allowed = self.permission_verifier.is_batch_signer_authorized(batch) 198 self.assertFalse(allowed) 199 200 def test_transactor_transaction_signer(self): 201 """ 202 Test that role: "transactor.transaction_signer" is checked properly. 203 1. Set policy to permit signing key. Batch should be allowed. 204 2. Set policy to permit some other key. Batch should be rejected. 205 """ 206 self._identity_view_factory.add_policy( 207 "policy1", ["PERMIT_KEY " + self.public_key]) 208 self._identity_view_factory.add_role("transactor.transaction_signer", 209 "policy1") 210 batch = self._create_batches(1, 1)[0] 211 allowed = self.permission_verifier.is_batch_signer_authorized(batch) 212 self.assertTrue(allowed) 213 214 self._identity_cache.forked() 215 self._identity_view_factory.add_policy("policy1", ["PERMIT_KEY other"]) 216 self._identity_view_factory.add_role("transactor.transaction_signer", 217 "policy1") 218 batch = self._create_batches(1, 1)[0] 219 allowed = self.permission_verifier.is_batch_signer_authorized(batch) 220 self.assertFalse(allowed) 221 222 def test_transactor_transaction_siger_transaction_family(self): 223 """ 224 Test that role: "transactor.transaction_signer.intkey" is checked 225 properly. 226 1. Set policy to permit signing key. Batch should be allowed. 227 2. Set policy to permit some other key. Batch should be rejected. 228 """ 229 self._identity_view_factory.add_policy( 230 "policy1", ["PERMIT_KEY " + self.public_key]) 231 self._identity_view_factory.add_role( 232 "transactor.transaction_signer.intkey", 233 "policy1") 234 batch = self._create_batches(1, 1)[0] 235 allowed = self.permission_verifier.is_batch_signer_authorized(batch) 236 self.assertTrue(allowed) 237 238 self._identity_cache.forked() 239 self._identity_view_factory.add_policy("policy1", ["PERMIT_KEY other"]) 240 self._identity_view_factory.add_role( 241 "transactor.transaction_signer.intkey", 242 "policy1") 243 batch = self._create_batches(1, 1)[0] 244 allowed = self.permission_verifier.is_batch_signer_authorized(batch) 245 self.assertFalse(allowed) 246 247 def test_off_chain_permissions(self): 248 """ 249 Test that if permissions are empty all signers are permitted. 250 """ 251 batch = self._create_batches(1, 1)[0] 252 allowed = self.permission_verifier.check_off_chain_batch_roles(batch) 253 self.assertTrue(allowed) 254 255 def test_off_chain_transactor(self): 256 """ 257 Test that role:"transactor" is checked properly if in permissions. 258 1. Set policy to permit signing key. Batch should be allowed. 259 2. Set policy to permit some other key. Batch should be rejected. 260 """ 261 policy = make_policy("policy1", ["PERMIT_KEY " + self.public_key]) 262 self.permissions["transactor"] = policy 263 batch = self._create_batches(1, 1)[0] 264 allowed = self.permission_verifier.check_off_chain_batch_roles(batch) 265 self.assertTrue(allowed) 266 267 policy = make_policy("policy1", ["PERMIT_KEY other"]) 268 self.permissions["transactor"] = policy 269 batch = self._create_batches(1, 1)[0] 270 allowed = self.permission_verifier.check_off_chain_batch_roles(batch) 271 self.assertFalse(allowed) 272 273 def test_off_chain_transactor_batch_signer(self): 274 """ 275 Test that role:"transactor.batch_signer" is checked properly if in 276 permissions. 277 1. Set policy to permit signing key. Batch should be allowed. 278 2. Set policy to permit some other key. Batch should be rejected. 279 """ 280 policy = make_policy("policy1", ["PERMIT_KEY " + self.public_key]) 281 self.permissions["transactor.batch_signer"] = policy 282 batch = self._create_batches(1, 1)[0] 283 allowed = self.permission_verifier.check_off_chain_batch_roles(batch) 284 self.assertTrue(allowed) 285 286 policy = make_policy("policy1", ["PERMIT_KEY other"]) 287 self.permissions["transactor.batch_signer"] = policy 288 batch = self._create_batches(1, 1)[0] 289 allowed = self.permission_verifier.check_off_chain_batch_roles(batch) 290 self.assertFalse(allowed) 291 292 def test_off_chain_transactor_transaction_signer(self): 293 """ 294 Test that role:"transactor.transaction_signer" is checked 295 properly if in permissions. 296 1. Set policy to permit signing key. Batch should be allowed. 297 2. Set policy to permit some other key. Batch should be rejected. 298 299 """ 300 policy = make_policy("policy1", ["PERMIT_KEY " + self.public_key]) 301 self.permissions["transactor.transaction_signer"] = policy 302 batch = self._create_batches(1, 1)[0] 303 allowed = self.permission_verifier.check_off_chain_batch_roles(batch) 304 self.assertTrue(allowed) 305 306 policy = make_policy("policy1", ["PERMIT_KEY other"]) 307 self.permissions["transactor.transaction_signer"] = policy 308 batch = self._create_batches(1, 1)[0] 309 allowed = self.permission_verifier.check_off_chain_batch_roles(batch) 310 self.assertFalse(allowed) 311 312 def test_off_chain_transactor_transaction_signer_family(self): 313 """ 314 Test that role:"transactor.transaction_signer.intkey" is checked 315 properly if in permissions. 316 1. Set policy to permit signing key. Batch should be allowed. 317 2. Set policy to permit some other key. Batch should be rejected. 318 """ 319 policy = make_policy("policy1", ["PERMIT_KEY " + self.public_key]) 320 self.permissions["transactor.transaction_signer.intkey"] = policy 321 batch = self._create_batches(1, 1)[0] 322 allowed = self.permission_verifier.check_off_chain_batch_roles(batch) 323 self.assertTrue(allowed) 324 325 policy = make_policy("policy1", ["PERMIT_KEY other"]) 326 self.permissions["transactor.transaction_signer.intkey"] = policy 327 batch = self._create_batches(1, 1)[0] 328 allowed = self.permission_verifier.check_off_chain_batch_roles(batch) 329 self.assertFalse(allowed) 330 331 def test_network(self): 332 """ 333 Test that if no roles are set and no default policy is set, 334 permit all is used. 335 """ 336 allowed = self.permission_verifier.check_network_role(self.public_key) 337 self.assertTrue(allowed) 338 339 def test_network_default(self): 340 """ 341 Test that if no roles are set, the default policy is used. 342 1. Set default policy to permit all. Public key should be allowed. 343 2. Set default policy to deny all. Public key should be rejected. 344 """ 345 self._identity_view_factory.add_policy("default", ["PERMIT_KEY *"]) 346 allowed = self.permission_verifier.check_network_role(self.public_key) 347 self.assertTrue(allowed) 348 349 self._identity_cache.forked() 350 self._identity_view_factory.add_policy("default", ["DENY_KEY *"]) 351 allowed = self.permission_verifier.check_network_role(self.public_key) 352 self.assertFalse(allowed) 353 354 def test_network_role(self): 355 """ 356 Test that role:"network" is checked properly. 357 1. Set policy to permit signing key. Public key should be allowed. 358 2. Set policy to permit some other key. Public key should be 359 rejected. 360 """ 361 self._identity_view_factory.add_policy( 362 "policy1", ["PERMIT_KEY " + self.public_key]) 363 364 self._identity_view_factory.add_role( 365 "network", 366 "policy1") 367 368 allowed = self.permission_verifier.check_network_role(self.public_key) 369 self.assertTrue(allowed) 370 371 self._identity_cache.forked() 372 self._identity_view_factory.add_policy("policy2", ["PERMIT_KEY other"]) 373 self._identity_view_factory.add_role( 374 "network", 375 "policy2") 376 allowed = self.permission_verifier.check_network_role(self.public_key) 377 self.assertFalse(allowed) 378 379 def test_network_consensus(self): 380 """ 381 Test that if no roles are set and no default policy is set, 382 permit all is used. 383 """ 384 allowed = self.permission_verifier.check_network_consensus_role( 385 self.public_key) 386 self.assertTrue(allowed) 387 388 def test_network_consensus_default(self): 389 """ 390 Test that if no roles are set, the default policy is used. 391 1. Set default policy to permit all. Public key should be allowed. 392 2. Set default policy to deny all. Public key should be rejected. 393 """ 394 self._identity_view_factory.add_policy("default", ["PERMIT_KEY *"]) 395 allowed = self.permission_verifier.check_network_consensus_role( 396 self.public_key) 397 self.assertTrue(allowed) 398 399 self._identity_cache.forked() 400 self._identity_view_factory.add_policy("default", ["DENY_KEY *"]) 401 allowed = self.permission_verifier.check_network_consensus_role( 402 self.public_key) 403 self.assertFalse(allowed) 404 405 def test_network_consensus_role(self): 406 """ 407 Test that role:"network.consensus" is checked properly. 408 1. Set policy to permit signing key. Public key should be allowed. 409 2. Set policy to permit some other key. Public key should be 410 rejected. 411 """ 412 self._identity_view_factory.add_policy( 413 "policy1", ["PERMIT_KEY " + self.public_key]) 414 415 self._identity_view_factory.add_role( 416 "network.consensus", 417 "policy1") 418 419 allowed = self.permission_verifier.check_network_consensus_role( 420 self.public_key) 421 self.assertTrue(allowed) 422 423 self._identity_cache.forked() 424 self._identity_view_factory.add_policy("policy2", ["PERMIT_KEY other"]) 425 self._identity_view_factory.add_role( 426 "network.consensus", 427 "policy2") 428 allowed = self.permission_verifier.check_network_consensus_role( 429 self.public_key) 430 self.assertFalse(allowed) 431 432 433 class TestIdentityObserver(unittest.TestCase): 434 def setUp(self): 435 self._identity_view_factory = MockIdentityViewFactory() 436 self._identity_cache = IdentityCache( 437 self._identity_view_factory) 438 self._identity_obsever = IdentityObserver( 439 to_update=self._identity_cache.invalidate, 440 forked=self._identity_cache.forked 441 ) 442 443 # Make sure IdentityCache has populated roles and policy 444 self._identity_view_factory.add_policy("policy1", ["PERMIT_KEY key"]) 445 self._identity_view_factory.add_role( 446 "network", 447 "policy1") 448 self._identity_cache.get_role("network", "state_root") 449 self._identity_cache.get_policy("policy1", "state_root") 450 451 def _current_root_func(self): 452 return "0000000000000000000000" 453 454 def create_block(self, previous_block_id="0000000000000000"): 455 block_header = BlockHeader( 456 block_num=85, 457 state_root_hash="0987654321fedcba", 458 previous_block_id=previous_block_id) 459 block = BlockWrapper( 460 Block( 461 header_signature="abcdef1234567890", 462 header=block_header.SerializeToString())) 463 return block 464 465 def test_chain_update(self): 466 """ 467 Test that if there is no fork and only one value is udpated, only 468 that value is in validated in the catch. 469 """ 470 # Set up cache so it does not fork 471 block1 = self.create_block() 472 self._identity_obsever.chain_update(block1, []) 473 self._identity_cache.get_role("network", "state_root") 474 self._identity_cache.get_policy("policy1", "state_root") 475 self.assertNotEqual(self._identity_cache["network"], None) 476 self.assertNotEqual(self._identity_cache["policy1"], None) 477 478 # Add next block and event that says network was updated. 479 block2 = self.create_block("abcdef1234567890") 480 event = Event( 481 event_type="identity/update", 482 attributes=[Event.Attribute(key="updated", value="network")]) 483 receipts = TransactionReceipt(events=[event]) 484 self._identity_obsever.chain_update(block2, [receipts]) 485 # Check that only "network" was invalidated 486 self.assertEqual(self._identity_cache["network"], None) 487 self.assertNotEqual(self._identity_cache["policy1"], None) 488 489 # check that the correct values can be fetched from state. 490 identity_view = \ 491 self._identity_view_factory.create_identity_view("state_root") 492 493 self.assertEqual( 494 self._identity_cache.get_role("network", "state_root"), 495 identity_view.get_role("network")) 496 497 self.assertEqual( 498 self._identity_cache.get_policy("policy1", "state_root"), 499 identity_view.get_policy("policy1")) 500 501 def test_fork(self): 502 """ 503 Test that if there is a fork, all values in the cache will be 504 invalidated and fetched from state. 505 """ 506 block = self.create_block() 507 self._identity_obsever.chain_update(block, []) 508 # Check that all items are invalid 509 for key in self._identity_cache: 510 self.assertEqual(self._identity_cache[key], None) 511 512 # Check that the items can be fetched from state. 513 identity_view = \ 514 self._identity_view_factory.create_identity_view("state_root") 515 516 self.assertEqual( 517 self._identity_cache.get_role("network", "state_root"), 518 identity_view.get_role("network")) 519 520 self.assertEqual( 521 self._identity_cache.get_policy("policy1", "state_root"), 522 identity_view.get_policy("policy1")) 523 524 525 class TestIdentityCache(unittest.TestCase): 526 def setUp(self): 527 self._identity_view_factory = MockIdentityViewFactory() 528 self._identity_cache = IdentityCache( 529 self._identity_view_factory) 530 531 def test_get_role(self): 532 """ 533 Test that a role can be fetched from the state. 534 """ 535 self._identity_view_factory.add_policy("policy1", ["PERMIT_KEY key"]) 536 self._identity_view_factory.add_role( 537 "network", 538 "policy1") 539 self.assertIsNone(self._identity_cache["network"]) 540 541 identity_view = \ 542 self._identity_view_factory.create_identity_view("state_root") 543 self.assertEqual( 544 self._identity_cache.get_role("network", "state_root"), 545 identity_view.get_role("network")) 546 547 def test_get_policy(self): 548 """ 549 Test that a policy can be fetched from the state. 550 """ 551 self._identity_view_factory.add_policy("policy1", ["PERMIT_KEY key"]) 552 self._identity_view_factory.add_role( 553 "network", 554 "policy1") 555 self.assertIsNone(self._identity_cache["policy1"]) 556 557 identity_view = \ 558 self._identity_view_factory.create_identity_view("state_root") 559 self.assertEqual( 560 self._identity_cache.get_policy("policy1", "state_root"), 561 identity_view.get_policy("policy1")) 562 563 def test_role_invalidate(self): 564 """ 565 Test that a role can be invalidated. 566 """ 567 self._identity_view_factory.add_policy("policy1", ["PERMIT_KEY key"]) 568 self._identity_view_factory.add_role( 569 "network", 570 "policy1") 571 self._identity_cache.invalidate("network") 572 self.assertEqual(self._identity_cache["network"], None) 573 574 identity_view = \ 575 self._identity_view_factory.create_identity_view("state_root") 576 self.assertEqual( 577 self._identity_cache.get_role("network", "state_root"), 578 identity_view.get_role("network")) 579 580 def test_policy_invalidate(self): 581 """ 582 Test that a policy can be invalidated. 583 """ 584 self._identity_view_factory.add_policy("policy1", ["PERMIT_KEY key"]) 585 self._identity_view_factory.add_role( 586 "network", 587 "policy1") 588 self._identity_cache.invalidate("policy1") 589 self.assertEqual(self._identity_cache["policy1"], None) 590 591 identity_view = \ 592 self._identity_view_factory.create_identity_view("state_root") 593 self.assertEqual( 594 self._identity_cache.get_policy("policy1", "state_root"), 595 identity_view.get_policy("policy1")) 596 597 def test_forked(self): 598 """ 599 Test that forked() invalidates all items in the cache, and they can 600 be fetched from state. 601 """ 602 self._identity_view_factory.add_policy("policy1", ["PERMIT_KEY key"]) 603 self._identity_view_factory.add_role( 604 "network", 605 "policy1") 606 607 identity_view = \ 608 self._identity_view_factory.create_identity_view("state_root") 609 610 self._identity_cache.get_policy("policy1", "state_root") 611 self._identity_cache.get_role("network", "state_root") 612 613 self.assertEqual(len(self._identity_cache), 2) 614 self._identity_cache.forked() 615 616 self.assertEqual(self._identity_cache["network"], None) 617 self.assertEqual(self._identity_cache["policy1"], None) 618 619 self.assertEqual( 620 self._identity_cache.get_policy("policy1", "state_root"), 621 identity_view.get_policy("policy1")) 622 623 self.assertEqual( 624 self._identity_cache.get_role("network", "state_root"), 625 identity_view.get_role("network"))