fix: Check if the requested_subnet is enabled to sign with given ECDS…

…A key in route_ecdsa_message
dfinity · Apr 4, 2023 · ba03fd1 · ba03fd1
1 parent 02a1ffa
commit ba03fd1
Showing 1 changed file with 53 additions and 1 deletion.
diff --git a/rs/system_api/src/routing.rs b/rs/system_api/src/routing.rs
@@ -228,7 +228,22 @@ fn route_ecdsa_message(
             ))),
             Some(subnet_topology) => {
                 if subnet_topology.ecdsa_keys_held.contains(key_id) {
-                    Ok((*subnet_id).get())
+                    match signing_must_be_enabled {
+                        EcdsaSubnetKind::HoldsAndSignWithKey => {
+                            if network_topology
+                                .ecdsa_signing_subnets(key_id)
+                                .contains(subnet_id)
+                            {
+                                Ok((*subnet_id).get())
+                            } else {
+                                Err(ResolveDestinationError::EcdsaKeyError(format!(
+                                    "Subnet {} is not enabled to sign with ECDSA key {}",
+                                    subnet_id, key_id,
+                                )))
+                            }
+                        }
+                        EcdsaSubnetKind::OnlyHoldsKey => Ok((*subnet_id).get()),
+                    }
                 } else {
                     Err(ResolveDestinationError::EcdsaKeyError(format!(
                         "Requested ECDSA key {} on subnet {}, subnet has keys: {}",
@@ -530,4 +545,41 @@ mod tests {
             PrincipalId::new_subnet_test_id(0)
         )
     }
+
+    #[test]
+    fn route_ecdsa_message_subnet_can_sign() {
+        // subnet_test_id(0) is enabled to sign with key_id1()
+        assert_eq!(
+            route_ecdsa_message(
+                &key_id1(),
+                &network_with_ecdsa_subnets(),
+                &Some(subnet_test_id(0)),
+                EcdsaSubnetKind::HoldsAndSignWithKey
+            )
+            .unwrap(),
+            subnet_test_id(0).get()
+        );
+    }
+
+    #[test]
+    fn route_ecdsa_message_subnet_cannot_sign() {
+        // subnet_test_id(1) is not enabled to sign with key_id1()
+        let key_id = key_id1();
+        let subnet_id = subnet_test_id(1);
+        match route_ecdsa_message(
+            &key_id,
+            &network_with_ecdsa_subnets(),
+            &Some(subnet_id),
+            EcdsaSubnetKind::HoldsAndSignWithKey,
+        ) {
+            Err(ResolveDestinationError::EcdsaKeyError(msg)) => assert_eq!(
+                msg,
+                format!(
+                    "Subnet {} is not enabled to sign with ECDSA key {}",
+                    subnet_id, key_id,
+                )
+            ),
+            _ => panic!("Unexpected result."),
+        };
+    }
 }