dkirillov/frostfs-contract
1
0
Fork 0
forked from TrueCloudLab/frostfs-contract
Code Pull requests Activity

[#150] container: allow only alphabet calls in SetEACL

Browse source 
Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
This commit is contained in:
Evgenii Stratonikov 2021-10-19 11:23:35 +03:00 committed by Alex Vanin
parent 0ef906fb03
commit 7fe7188e7d
2 changed files with 65 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
container/container_contract.go
View file

@ -392,24 +392,28 @@ func SetEACL(eACL []byte, signature interop.Signature, publicKey interop.PublicK
panic("container does not exist") panic("container does not exist")
} }
var ( // for invocation collection without notary
alphabet []common.IRNode
nodeKey []byte
alphabetCall bool
)
if notaryDisabled { if notaryDisabled {
alphabet = common.AlphabetNodes() alphabet := common.AlphabetNodes()
nodeKey = common.InnerRingInvoker(alphabet) nodeKey := common.InnerRingInvoker(alphabet)
alphabetCall = len(nodeKey) != 0 if len(nodeKey) == 0 {
runtime.Notify("setEACL", eACL, signature, publicKey, token)
return
}
threshold := len(alphabet)*2/3 + 1
id := common.InvokeID([]interface{}{eACL}, []byte("setEACL"))
n := common.Vote(ctx, id, nodeKey)
if n < threshold {
return
}
common.RemoveVotes(ctx, id)
} else { } else {
multiaddr := common.AlphabetAddress() multiaddr := common.AlphabetAddress()
alphabetCall = runtime.CheckWitness(multiaddr) if !runtime.CheckWitness(multiaddr) {
} panic("setEACL: alphabet witness check failed")
}
if !alphabetCall {
runtime.Notify("setEACL", eACL, signature, publicKey, token)
return
} }
rule := ExtendedACL{ rule := ExtendedACL{
@ -421,18 +425,6 @@ func SetEACL(eACL []byte, signature interop.Signature, publicKey interop.PublicK
key := append(eACLPrefix, containerID...) key := append(eACLPrefix, containerID...)
if notaryDisabled {
threshold := len(alphabet)*2/3 + 1
id := common.InvokeID([]interface{}{eACL}, []byte("setEACL"))
n := common.Vote(ctx, id, nodeKey)
if n < threshold {
return
}
common.RemoveVotes(ctx, id)
}
common.SetSerialized(ctx, key, rule) common.SetSerialized(ctx, key, rule)
runtime.Log("setEACL: success") runtime.Log("setEACL: success")

46
tests/container_test.go
View file

@ -172,3 +172,49 @@ func TestContainerDelete(t *testing.T) {
stackitem.NewBuffer([]byte{}), stackitem.NewBuffer([]byte{}),
})) }))
} }
type eacl struct {
value []byte
sig []byte
pub []byte
token []byte
}
func dummyEACL(containerID [32]byte) eacl {
e := make([]byte, 50)
copy(e[6:], containerID[:])
return eacl{
value: e,
sig: randomBytes(64),
pub: randomBytes(33),
token: randomBytes(42),
}
}
func TestContainerSetEACL(t *testing.T) {
bc := NewChain(t)
h, balanceHash := prepareContainerContract(t, bc)
acc := NewAccount(t, bc)
balanceMint(t, bc, acc, balanceHash, containerFee*1, []byte{})
c := dummyContainer(acc)
tx := PrepareInvoke(t, bc, CommitteeAcc, h, "put", c.value, c.sig, c.pub, c.token)
AddBlockCheckHalt(t, bc, tx)
e := dummyEACL(c.id)
tx = PrepareInvoke(t, bc, acc, h, "setEACL", e.value, e.sig, e.pub, e.token)
AddBlock(t, bc, tx)
CheckFault(t, bc, tx.Hash(), "setEACL: alphabet witness check failed")
tx = PrepareInvoke(t, bc, CommitteeAcc, h, "setEACL", e.value, e.sig, e.pub, e.token)
AddBlockCheckHalt(t, bc, tx)
tx = PrepareInvoke(t, bc, CommitteeAcc, h, "eACL", c.id[:])
CheckTestInvoke(t, bc, tx, stackitem.NewStruct([]stackitem.Item{
stackitem.NewByteArray(e.value),
stackitem.NewByteArray(e.sig),
stackitem.NewByteArray(e.pub),
stackitem.NewByteArray(e.token),
}))
}