[BACKPORT] #3962: Revoke associated tokens on entity unregistration (#…

…4334) * [refactor] #3640: place permission tokens in a separate module (#3940) Signed-off-by: Marin Veršić <[email protected]> * [fix] #3962: Revoke associated tokens on entity unregistretration Signed-off-by: Shanin Roman <[email protected]>
hyperledger-iroha · Mar 1, 2024 · 2ffcd00 · 2ffcd00
1 parent 1192347
commit 2ffcd00
Show file tree

Hide file tree

Showing 7 changed files with 1,010 additions and 612 deletions.
diff --git a/client/tests/integration/permissions.rs b/client/tests/integration/permissions.rs
@@ -337,3 +337,50 @@ fn stored_vs_granted_token_payload() -> Result<()> {
 
     Ok(())
 }
+
+#[test]
+fn associated_permission_tokens_removed_on_unregister() {
+    let (_rt, _peer, iroha_client) = <PeerBuilder>::new().with_port(11_240).start_with_runtime();
+    wait_for_genesis_committed(&[iroha_client.clone()], 0);
+
+    let bob_id: AccountId = "bob@wonderland".parse().expect("Valid");
+    let kingdom_id: DomainId = "kingdom".parse().expect("Valid");
+    let kingdom = Domain::new(kingdom_id.clone());
+
+    // register kingdom and give bob permissions in this domain
+    let register_domain = RegisterExpr::new(kingdom);
+    let bob_to_set_kv_in_domain_token = PermissionToken::new(
+        "CanSetKeyValueInDomain".parse().unwrap(),
+        &json!({ "domain_id": kingdom_id }),
+    );
+    let allow_bob_to_set_kv_in_domain =
+        GrantExpr::new(bob_to_set_kv_in_domain_token.clone(), bob_id.clone());
+
+    iroha_client
+        .submit_all_blocking([
+            InstructionExpr::from(register_domain),
+            allow_bob_to_set_kv_in_domain.into(),
+        ])
+        .expect("failed to register domain and grant permission");
+
+    // check that bob indeed have granted permission
+    assert!(iroha_client
+        .request(client::permission::by_account_id(bob_id.clone()))
+        .and_then(std::iter::Iterator::collect::<QueryResult<Vec<PermissionToken>>>)
+        .expect("failed to get permissions for bob")
+        .into_iter()
+        .any(|token| { token == bob_to_set_kv_in_domain_token }));
+
+    // unregister kingdom
+    iroha_client
+        .submit_blocking(UnregisterExpr::new(kingdom_id))
+        .expect("failed to unregister domain");
+
+    // check that permission is removed from bob
+    assert!(iroha_client
+        .request(client::permission::by_account_id(bob_id))
+        .and_then(std::iter::Iterator::collect::<QueryResult<Vec<PermissionToken>>>)
+        .expect("failed to get permissions for bob")
+        .into_iter()
+        .all(|token| { token != bob_to_set_kv_in_domain_token }));
+}
diff --git a/client/tests/integration/smartcontracts/executor_with_custom_token/src/lib.rs b/client/tests/integration/smartcontracts/executor_with_custom_token/src/lib.rs
@@ -3,9 +3,9 @@
 //!
 //! This executor should be applied on top of the blockchain with default validation.
 //!
-//! It also doesn't have [`iroha_executor::default::domain::tokens::CanUnregisterDomain`].
+//! It also doesn't have [`iroha_executor::default::tokens::domain::CanUnregisterDomain`].
 //!
-//! In migration it replaces [`iroha_executor::default::domain::tokens::CanUnregisterDomain`]
+//! In migration it replaces [`iroha_executor::default::tokens::domain::CanUnregisterDomain`]
 //! with [`token::CanControlDomainLives`] for all accounts.
 //! So it doesn't matter which domain user was able to unregister before migration, they will
 //! get access to control all domains. Remember that this is just a test example.
@@ -86,7 +86,7 @@ impl Executor {
 
             for token in permission_tokens {
                 if let Ok(can_unregister_domain_token) =
-                    iroha_executor::default::domain::tokens::CanUnregisterDomain::try_from(token)
+                    iroha_executor::default::tokens::domain::CanUnregisterDomain::try_from(token)
                 {
                     found_accounts.push((account, can_unregister_domain_token.domain_id));
                     break;
@@ -99,7 +99,7 @@ impl Executor {
 
     fn replace_token(accounts: &[(Account, DomainId)]) -> MigrationResult {
         let can_unregister_domain_definition_id = PermissionTokenId::try_from(
-            iroha_executor::default::domain::tokens::CanUnregisterDomain::type_name(),
+            iroha_executor::default::tokens::domain::CanUnregisterDomain::type_name(),
         )
         .unwrap();
 
@@ -194,7 +194,7 @@ pub fn migrate(_block_height: u64) -> MigrationResult {
     let accounts = Executor::get_all_accounts_with_can_unregister_domain_permission()?;
 
     let mut schema = default_permission_token_schema();
-    schema.remove::<iroha_executor::default::domain::tokens::CanUnregisterDomain>();
+    schema.remove::<iroha_executor::default::tokens::domain::CanUnregisterDomain>();
     schema.insert::<token::CanControlDomainLives>();
 
     let (token_ids, schema_str) = schema.serialize();

diff --git a/configs/peer/executor.wasm b/configs/peer/executor.wasm