From 509f1741da7b4e3da0d1ab3e34ecbc6131ae12e1 Mon Sep 17 00:00:00 2001
From: Daniil Polyakov
Date: Tue, 31 Jan 2023 16:30:29 +0300
Subject: [PATCH] [fix] #3210: Fix authority validation
Signed-off-by: Daniil Polyakov
---
 cli/src/torii/routing.rs | 6 +++++-
 core/src/smartcontracts/isi/permissions.rs | 8 ++++----
 core/src/tx.rs | 15 +++++++++------
 core/src/validator.rs | 17 +++++++++++++----
 4 files changed, 31 insertions(+), 15 deletions(-)
diff --git a/cli/src/torii/routing.rs b/cli/src/torii/routing.rs
index e6839e4a6bc..354bcda418f 100644
--- a/cli/src/torii/routing.rs
+++ b/cli/src/torii/routing.rs
@@ -67,7 +67,11 @@ impl VerifiedQueryRequest {
 )));
 }
 wsv.validators_view()
- .validate(wsv, self.payload.query.clone())
+ .validate(
+ wsv,
+ self.payload.account_id.clone(),
+ self.payload.query.clone(),
+ )
 .map_err(|err| QueryError::Permission(err.to_string()))?;
 Ok((
 ValidQueryRequest::new(self.payload.query),
diff --git a/core/src/smartcontracts/isi/permissions.rs b/core/src/smartcontracts/isi/permissions.rs
index 96dd112360a..18a04ad1cb0 100644
--- a/core/src/smartcontracts/isi/permissions.rs
+++ b/core/src/smartcontracts/isi/permissions.rs
@@ -74,12 +74,12 @@ fn check_permission_recursively(
 ///
 /// If given query is not permitted to execute
 pub fn check_query_permissions(
- _account_id: &AccountId,
+ account_id: &AccountId,
 query: &QueryBox,
 wsv: &WorldStateView,
 ) -> std::result::Result<(), TransactionRejectionReason> {
 wsv.validators_view()
- .validate(wsv, query.clone())
+ .validate(wsv, account_id.clone(), query.clone())
 .map_err(|error| NotPermittedFail {
 reason: error.to_string(),
 })
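Review bot: The authority passed to `validate` in cli/src/torii/routing.rs is `self.payload.account_id`, the account named in the request payload, so the validators' verdict is only as trustworthy as whatever binds the request signature to that account before this call. That check is not visible in the hunk, which shows only the tail of an earlier early return. If the preceding block is indeed the signature check, a comment above the call such as `// authority is the payload's account; the signature was verified against it above` would keep a later refactor from moving permission validation ahead of authentication. The same holds for `let account_id = signed_tx.payload.account_id.clone();` in the core/src/tx.rs hunk at -157. The enclosing function starts and ends outside the hunk.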
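Review bot: `account_id` in `check_query_permissions` (and in `check_permissions_directly`, hunk at -87) was an ignored `_account_id` until this change, so existing callers could pass any account without effect; now the value decides the permission verdict. The call sites are outside this patch, so it is worth confirming that each one passes the account that actually originated the query or instructions rather than a placeholder. The doc comment, which currently only describes the error case, should state this too, e.g. `/// account_id: the authority the validators judge the query against`.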
@@ -87,13 +87,13 @@ pub fn check_query_permissions(
 }
 fn check_permissions_directly(
- _account_id: &AccountId,
+ account_id: &AccountId,
 instructions: &[Instruction],
 wsv: &WorldStateView,
 ) -> std::result::Result<(), TransactionRejectionReason> {
 for isi in instructions {
 wsv.validators_view()
- .validate(wsv, isi.clone())
+ .validate(wsv, account_id.clone(), isi.clone())
 .map_err(|error| NotPermittedFail {
 reason: error.to_string(),
 })
diff --git a/core/src/tx.rs b/core/src/tx.rs
index d1a2cc63064..4d86368e8eb 100644
--- a/core/src/tx.rs
+++ b/core/src/tx.rs
@@ -157,10 +157,11 @@ impl TransactionValidator {
 signatures,
 };
+ let account_id = signed_tx.payload.account_id.clone();
 debug!(?signed_tx, "Validating transaction");
 // Validating the transaction it-self
 wsv.validators_view()
- .validate(wsv, signed_tx.clone())
+ .validate(wsv, account_id.clone(), signed_tx.clone())
 .map_err(|err| {
 TransactionRejectionReason::NotPermitted(NotPermittedFail {
 reason: err.to_string(),
@@ -171,11 +172,13 @@ impl TransactionValidator {
 // Validating the transaction instructions
 if let Executable::Instructions(instructions) = signed_tx.payload.instructions {
 for isi in instructions {
- wsv.validators_view().validate(wsv, isi).map_err(|err| {
- TransactionRejectionReason::NotPermitted(NotPermittedFail {
- reason: err.to_string(),
- })
- })?;
+ wsv.validators_view()
+ .validate(wsv, account_id.clone(), isi)
+ .map_err(|err| {
+ TransactionRejectionReason::NotPermitted(NotPermittedFail {
+ reason: err.to_string(),
+ })
+ })?;
 }
 }
diff --git a/core/src/validator.rs b/core/src/validator.rs
index 72def5179b5..709c3c7e3d6 100644
--- a/core/src/validator.rs
+++ b/core/src/validator.rs
@@ -7,6 +7,7 @@ use iroha_data_model::{
 permission::validator::{
 DenialReason, Id, NeedsPermission as _, NeedsPermissionBox, Type, Validator,
 },
+ prelude::Account,
 Identifiable,
 };
 use iroha_logger::trace;
@@ -167,6 +168,7 @@ impl Chain {
 pub fn validate(
 &self,
 wsv: &WorldStateView,
+ authority: ::Id,
 operation: impl Into,
 ) -> Result<()> {
 let operation = operation.into();
@@ -188,8 +190,13 @@ impl Chain {
 "Validator chain internal collections inconsistency error \
 when validating an operation. This is a bug",
 );
- let res =
- Self::execute_validator(&runtime, loaded_validator.value(), wsv, operation.clone());
+ let res = Self::execute_validator(
+ &runtime,
+ loaded_validator.value(),
+ wsv,
+ authority.clone(),
+ operation.clone(),
+ );
 trace!(%validator_id, "Validator Executed");
 res?;
 }
@@ -206,13 +213,14 @@ impl Chain {
 runtime: &wasm::Runtime,
 loaded_validator: &LoadedValidator,
 wsv: &WorldStateView,
+ authority: ::Id,
 operation: NeedsPermissionBox,
 ) -> Result<()> {
 let validator_id = loaded_validator.validator.id();
 let verdict = runtime.execute_permission_validator_module(
 wsv,
- validator_id.account_id.clone(),
+ authority,
 &loaded_validator.module,
 operation.clone(),
 )?;
@@ -240,8 +248,9 @@ impl ChainView<'_> {
 pub fn validate(
 self,
 wsv: &WorldStateView,
+ authority: ::Id,
 operation: impl Into,
 ) -> Result<()> {
- self.chain.validate(wsv, operation)
+ self.chain.validate(wsv, authority, operation)
 }
 }
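Review bot: The new `authority` parameter of `Chain::validate` is undocumented, although its meaning is the whole point of this fix. A doc-comment line such as `/// authority: the account on whose behalf operation is performed; handed to each validator that is executed` would make the contract explicit, and the same applies to `ChainView::validate` in the hunk at -240. As a style point, the parameter is taken by value, which is why the callers in permissions.rs and tx.rs clone the account id once per instruction; taking it by reference and cloning only at the `execute_validator` call would keep that cost in one place. The body of `validate` continues outside the hunk.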
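Review bot: No test in this patch pins the behaviour changed in `execute_validator` (hunk at -206), where `authority` replaces `validator_id.account_id.clone()` as the account given to `execute_permission_validator_module`; the diffstat lists four source files and no test file. The old code appears to have run every validator with the validator's own account as the authority. A regression test that registers a validator under one account, validates an operation attributed to a different account, and asserts which account the validator module receives would guard against a silent return to that behaviour. It is also worth checking whether `validator_id` is still needed after this change; the rest of the function is outside the hunk.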