keetanetwork-block 0.2.0

Block structure and operations for Keetanetwork blockchain
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192

//! MODIFY_PERMISSIONS operation: adjust permissions for a principal.

use alloc::collections::BTreeMap;
use alloc::format;
use alloc::string::{String, ToString};

use crate::error::BlockError;
use crate::permissions::{BaseFlag, GroupKind, Permissions};
use crate::signer::AccountRef;

use super::{AdjustMethod, BlockOperation, OperationContext, OperationType};

/// The principal of a MODIFY_PERMISSIONS operation.
#[derive(Debug, Clone)]
pub enum ModifyPermissionsPrincipal {
	/// A direct account principal
	Account(AccountRef),
	/// A certificate-based principal
	Certificate {
		/// Hash of the certificate
		hash: [u8; 32],
		/// Account the certificate was issued to
		account: AccountRef,
	},
}

impl ModifyPermissionsPrincipal {
	fn dedup_key(&self) -> String {
		match self {
			ModifyPermissionsPrincipal::Account(account) => account.to_string(),
			ModifyPermissionsPrincipal::Certificate { hash, account } => {
				format!("cert:{}:{}", hex::encode_upper(hash), account)
			}
		}
	}
}

impl From<AccountRef> for ModifyPermissionsPrincipal {
	fn from(account: AccountRef) -> Self {
		ModifyPermissionsPrincipal::Account(account)
	}
}

/// MODIFY_PERMISSIONS: adjust permissions for a principal.
#[derive(Debug, Clone)]
pub struct ModifyPermissions {
	/// Who receives the permission change
	pub principal: ModifyPermissionsPrincipal,
	/// How the permissions are applied
	pub method: AdjustMethod,
	/// The permissions to apply (`None` clears, requiring SET)
	pub permissions: Option<Permissions>,
	/// Optional target account the permissions are scoped to
	pub target: Option<AccountRef>,
}

impl ModifyPermissions {
	/// Validate a non-empty permission payload against the issuing account,
	/// principal, and target.
	fn validate_payload(&self, ctx: &OperationContext<'_>, permissions: &Permissions) -> Result<(), BlockError> {
		permissions.validate(ctx.config()?.max_external_offset)?;

		if !ctx.account.to_keypair_type().is_identifier() && permissions.has(&[BaseFlag::Owner], &[]) {
			return Err(BlockError::IdentifierAccountRequired);
		}

		let base = permissions.base();

		match &self.principal {
			ModifyPermissionsPrincipal::Account(principal) => {
				if !base.check_account_matches_group(GroupKind::Principal, Some(principal)) {
					return Err(BlockError::PermissionsInvalidPrincipal);
				}
			}
			ModifyPermissionsPrincipal::Certificate { .. } => {
				if !base.is_valid_for_default() {
					return Err(BlockError::PermissionsInvalidDefault);
				}
			}
		}

		if let Some(target) = &self.target {
			if !base.check_account_matches_group(GroupKind::Target, Some(target)) {
				return Err(BlockError::PermissionsInvalidTarget);
			}
		}

		if !base.check_account_matches_group(GroupKind::Entity, Some(ctx.account)) {
			return Err(BlockError::PermissionsInvalidEntity);
		}

		if self.target.is_some() && permissions.has(&[BaseFlag::Admin], &[]) {
			return Err(BlockError::AdminWithTarget);
		}
		if self.method != AdjustMethod::Set && !permissions.can_use_delegation() {
			return Err(BlockError::DelegationForbidden);
		}

		Ok(())
	}

	/// Reject a SET that follows an earlier modification for the same
	/// principal/target pair within the same block.
	fn reject_duplicate_set(&self, ctx: &OperationContext<'_>) -> Result<(), BlockError> {
		let mut found: BTreeMap<String, BTreeMap<String, AdjustMethod>> = BTreeMap::new();
		for other in ctx.iter_type::<ModifyPermissions>() {
			let principal_key = other.principal.dedup_key();
			let target_key = match &other.target {
				Some(target) => target.to_string(),
				None => ctx.account.to_string(),
			};

			let targets = found.entry(principal_key).or_default();
			let previous = targets.insert(target_key, other.method);

			if previous.is_some() && other.method == AdjustMethod::Set {
				return Err(BlockError::DuplicatePermissionModification);
			}
		}

		Ok(())
	}
}

impl BlockOperation for ModifyPermissions {
	const TYPE: OperationType = OperationType::ModifyPermissions;

	fn validate(&self, ctx: &OperationContext<'_>) -> Result<(), BlockError> {
		match &self.permissions {
			None if self.method != AdjustMethod::Set => return Err(BlockError::PermissionsRequireSet),
			None => {}
			Some(permissions) => self.validate_payload(ctx, permissions)?,
		}

		self.reject_duplicate_set(ctx)
	}
}

#[cfg(test)]
mod tests {
	use alloc::vec;

	use super::*;
	use crate::operation::harness::{assert_validation, modify_permissions, permissions, token, Harness};
	use crate::operation::Operation;
	use crate::testing::generate_ed25519_ref;

	#[test]
	fn test_principal_from_account() {
		let principal = ModifyPermissionsPrincipal::from(generate_ed25519_ref(1));
		assert!(matches!(principal, ModifyPermissionsPrincipal::Account(_)));
	}

	#[test]
	fn test_modify_permissions_validation() {
		assert_validation! {
			"clear_requires_set": {
				let mut operation = modify_permissions(None);
				operation.method = AdjustMethod::Add;
				(Harness::new(generate_ed25519_ref(1)), operation.into())
			} => Err(BlockError::PermissionsRequireSet),
			"rejects_target_for_targetless_flags": {
				let mut operation =
					modify_permissions(Some(permissions(&[BaseFlag::Admin], &[])));
				operation.target = Some(token(0));
				(Harness::new(generate_ed25519_ref(1)), operation.into())
			} => Err(BlockError::PermissionsInvalidTarget),
			"rejects_delegated_adjust": {
				let mut operation = modify_permissions(Some(permissions(
					&[BaseFlag::PermissionDelegateAdd],
					&[],
				)));
				operation.method = AdjustMethod::Add;
				(Harness::new(generate_ed25519_ref(1)), operation.into())
			} => Err(BlockError::DelegationForbidden),
			"rejects_duplicate_set": {
				let mut harness = Harness::new(generate_ed25519_ref(1));
				let operation: Operation =
					modify_permissions(Some(permissions(&[BaseFlag::Access], &[]))).into();
				harness.operations = vec![operation.clone(), operation.clone()];
				(harness, operation)
			} => Err(BlockError::DuplicatePermissionModification),
			"accepts_valid_set": {
				let operation = modify_permissions(Some(permissions(
					&[BaseFlag::Access, BaseFlag::UpdateInfo],
					&[],
				)));
				(Harness::new(generate_ed25519_ref(1)), operation.into())
			} => Ok(()),
		}
	}
}