diff --git a/crates/iroha/tests/integration/transfer_domain.rs b/crates/iroha/tests/integration/transfer_domain.rs index 4f006b2081..41a5b4185d 100644 --- a/crates/iroha/tests/integration/transfer_domain.rs +++ b/crates/iroha/tests/integration/transfer_domain.rs @@ -8,8 +8,8 @@ use iroha::{ use iroha_executor_data_model::permission::{ account::CanUnregisterAccount, asset::CanUnregisterUserAsset, - asset_definition::CanUnregisterAssetDefinition, - domain::{CanRegisterAssetDefinitionInDomain, CanUnregisterDomain}, + asset_definition::{CanRegisterAssetDefinition, CanUnregisterAssetDefinition}, + domain::CanUnregisterDomain, trigger::CanUnregisterUserTrigger, }; use iroha_genesis::GenesisBlock; @@ -59,7 +59,7 @@ fn domain_owner_domain_permissions() -> Result<()> { test_client.submit_blocking(Unregister::asset_definition(coin_id))?; // Granting a respective permission also allows "bob@kingdom" to do so - let permission = CanRegisterAssetDefinitionInDomain { + let permission = CanRegisterAssetDefinition { domain: kingdom_id.clone(), }; test_client.submit_blocking(Grant::account_permission( @@ -158,7 +158,7 @@ fn domain_owner_asset_definition_permissions() -> Result<()> { test_client.submit_blocking(Register::account(rabbit))?; // Grant permission to register asset definitions to "bob@kingdom" - let permission = CanRegisterAssetDefinitionInDomain { domain: kingdom_id }; + let permission = CanRegisterAssetDefinition { domain: kingdom_id }; test_client.submit_blocking(Grant::account_permission(permission, bob_id.clone()))?; // register asset definitions by "bob@kingdom" so he is owner of it @@ -222,7 +222,7 @@ fn domain_owner_asset_permissions() -> Result<()> { test_client.submit_blocking(Register::account(bob))?; // Grant permission to register asset definitions to "bob@kingdom" - let permission = CanRegisterAssetDefinitionInDomain { domain: kingdom_id }; + let permission = CanRegisterAssetDefinition { domain: kingdom_id }; test_client.submit_blocking(Grant::account_permission(permission, bob_id.clone()))?; // register asset definitions by "bob@kingdom" so he is owner of it diff --git a/crates/iroha_executor/src/default.rs b/crates/iroha_executor/src/default.rs index 56a8d5f3a4..e671d059d2 100644 --- a/crates/iroha_executor/src/default.rs +++ b/crates/iroha_executor/src/default.rs @@ -129,19 +129,25 @@ pub fn visit_instruction( } pub mod peer { - use iroha_executor_data_model::permission::peer::CanUnregisterAnyPeer; + use iroha_executor_data_model::permission::peer::CanManagePeers; use super::*; pub fn visit_register_peer( executor: &mut V, - _authority: &AccountId, + authority: &AccountId, isi: &Register, ) { - execute!(executor, isi) + if is_genesis(executor) { + execute!(executor, isi); + } + if CanManagePeers.is_owned_by(authority) { + execute!(executor, isi); + } + + deny!(executor, "Can't unregister peer"); } - #[allow(clippy::needless_pass_by_value)] pub fn visit_unregister_peer( executor: &mut V, authority: &AccountId, @@ -150,7 +156,7 @@ pub mod peer { if is_genesis(executor) { execute!(executor, isi); } - if CanUnregisterAnyPeer.is_owned_by(authority) { + if CanManagePeers.is_owned_by(authority) { execute!(executor, isi); } @@ -160,7 +166,7 @@ pub mod peer { pub mod domain { use iroha_executor_data_model::permission::domain::{ - CanRemoveKeyValueInDomain, CanSetKeyValueInDomain, CanUnregisterDomain, + CanRegisterDomain, CanRemoveKeyValueInDomain, CanSetKeyValueInDomain, CanUnregisterDomain, }; use iroha_smart_contract::data_model::domain::DomainId; @@ -171,10 +177,17 @@ pub mod domain { pub fn visit_register_domain( executor: &mut V, - _authority: &AccountId, + authority: &AccountId, isi: &Register, ) { - execute!(executor, isi) + if is_genesis(executor) { + execute!(executor, isi); + } + if CanRegisterDomain.is_owned_by(authority) { + execute!(executor, isi); + } + + deny!(executor, "Can't unregister peer"); } pub fn visit_unregister_domain( @@ -303,10 +316,8 @@ pub mod domain { AnyPermission::CanUnregisterDomain(permission) => &permission.domain == domain_id, AnyPermission::CanSetKeyValueInDomain(permission) => &permission.domain == domain_id, AnyPermission::CanRemoveKeyValueInDomain(permission) => &permission.domain == domain_id, - AnyPermission::CanRegisterAccountInDomain(permission) => { - &permission.domain == domain_id - } - AnyPermission::CanRegisterAssetDefinitionInDomain(permission) => { + AnyPermission::CanRegisterAccount(permission) => &permission.domain == domain_id, + AnyPermission::CanRegisterAssetDefinition(permission) => { &permission.domain == domain_id } AnyPermission::CanUnregisterAssetDefinition(permission) => { @@ -377,18 +388,19 @@ pub mod domain { | AnyPermission::CanMintUserTrigger(_) | AnyPermission::CanSetKeyValueInTrigger(_) | AnyPermission::CanRemoveKeyValueInTrigger(_) - | AnyPermission::CanUnregisterAnyPeer(_) + | AnyPermission::CanManagePeers(_) + | AnyPermission::CanRegisterDomain(_) | AnyPermission::CanSetParameters(_) - | AnyPermission::CanUnregisterAnyRole(_) + | AnyPermission::CanManageRoles(_) | AnyPermission::CanUpgradeExecutor(_) => false, } } } pub mod account { - use iroha_executor_data_model::permission::{ - account::{CanRemoveKeyValueInAccount, CanSetKeyValueInAccount, CanUnregisterAccount}, - domain::CanRegisterAccountInDomain, + use iroha_executor_data_model::permission::account::{ + CanRegisterAccount, CanRemoveKeyValueInAccount, CanSetKeyValueInAccount, + CanUnregisterAccount, }; use super::*; @@ -407,7 +419,7 @@ pub mod account { Ok(false) => {} } - let can_register_account_in_domain = CanRegisterAccountInDomain { + let can_register_account_in_domain = CanRegisterAccount { domain: domain_id.clone(), }; if can_register_account_in_domain.is_owned_by(authority) { @@ -551,12 +563,13 @@ pub mod account { | AnyPermission::CanMintUserTrigger(_) | AnyPermission::CanSetKeyValueInTrigger(_) | AnyPermission::CanRemoveKeyValueInTrigger(_) - | AnyPermission::CanUnregisterAnyPeer(_) + | AnyPermission::CanManagePeers(_) + | AnyPermission::CanRegisterDomain(_) | AnyPermission::CanUnregisterDomain(_) | AnyPermission::CanSetKeyValueInDomain(_) | AnyPermission::CanRemoveKeyValueInDomain(_) - | AnyPermission::CanRegisterAccountInDomain(_) - | AnyPermission::CanRegisterAssetDefinitionInDomain(_) + | AnyPermission::CanRegisterAccount(_) + | AnyPermission::CanRegisterAssetDefinition(_) | AnyPermission::CanUnregisterAssetDefinition(_) | AnyPermission::CanSetKeyValueInAssetDefinition(_) | AnyPermission::CanRemoveKeyValueInAssetDefinition(_) @@ -566,19 +579,16 @@ pub mod account { | AnyPermission::CanMintAssetWithDefinition(_) | AnyPermission::CanTransferAssetWithDefinition(_) | AnyPermission::CanSetParameters(_) - | AnyPermission::CanUnregisterAnyRole(_) + | AnyPermission::CanManageRoles(_) | AnyPermission::CanUpgradeExecutor(_) => false, } } } pub mod asset_definition { - use iroha_executor_data_model::permission::{ - asset_definition::{ - CanRemoveKeyValueInAssetDefinition, CanSetKeyValueInAssetDefinition, - CanUnregisterAssetDefinition, - }, - domain::CanRegisterAssetDefinitionInDomain, + use iroha_executor_data_model::permission::asset_definition::{ + CanRegisterAssetDefinition, CanRemoveKeyValueInAssetDefinition, + CanSetKeyValueInAssetDefinition, CanUnregisterAssetDefinition, }; use iroha_smart_contract::data_model::asset::AssetDefinitionId; @@ -601,7 +611,7 @@ pub mod asset_definition { Ok(false) => {} } - let can_register_asset_definition_in_domain_token = CanRegisterAssetDefinitionInDomain { + let can_register_asset_definition_in_domain_token = CanRegisterAssetDefinition { domain: domain_id.clone(), }; if can_register_asset_definition_in_domain_token.is_owned_by(authority) { @@ -803,14 +813,15 @@ pub mod asset_definition { | AnyPermission::CanMintUserTrigger(_) | AnyPermission::CanSetKeyValueInTrigger(_) | AnyPermission::CanRemoveKeyValueInTrigger(_) - | AnyPermission::CanUnregisterAnyPeer(_) + | AnyPermission::CanManagePeers(_) + | AnyPermission::CanRegisterDomain(_) | AnyPermission::CanUnregisterDomain(_) | AnyPermission::CanSetKeyValueInDomain(_) | AnyPermission::CanRemoveKeyValueInDomain(_) - | AnyPermission::CanRegisterAccountInDomain(_) - | AnyPermission::CanRegisterAssetDefinitionInDomain(_) + | AnyPermission::CanRegisterAccount(_) + | AnyPermission::CanRegisterAssetDefinition(_) | AnyPermission::CanSetParameters(_) - | AnyPermission::CanUnregisterAnyRole(_) + | AnyPermission::CanManageRoles(_) | AnyPermission::CanUpgradeExecutor(_) => false, } } @@ -1099,7 +1110,6 @@ pub mod parameter { use super::*; - #[allow(clippy::needless_pass_by_value)] pub fn visit_set_parameter( executor: &mut V, authority: &AccountId, @@ -1120,7 +1130,7 @@ pub mod parameter { } pub mod role { - use iroha_executor_data_model::permission::role::CanUnregisterAnyRole; + use iroha_executor_data_model::permission::role::CanManageRoles; use iroha_smart_contract::data_model::role::Role; use super::*; @@ -1129,55 +1139,47 @@ pub mod role { ($executor:ident, $isi:ident, $authority:ident, $method:ident) => { let role_id = $isi.object(); - let find_role_query_res = - match crate::data_model::query::builder::QueryBuilderExt::execute_single( - iroha_smart_contract::query(FindRoles) - .filter_with(|role| role.id.eq(role_id.clone())), - ) { - Ok(res) => res, - Err(crate::data_model::query::builder::SingleQueryError::QueryError(error)) => { - deny!($executor, error); - } - Err( - crate::data_model::query::builder::SingleQueryError::ExpectedOneGotNone, - ) => { - // assuming that only a "not found" case is possible here - $executor.deny($crate::data_model::ValidationFail::QueryFailed( - $crate::data_model::query::error::QueryExecutionFail::Find( - $crate::data_model::query::error::FindError::Role(role_id.clone()), - ), - )); - return; - } - Err(_) => { - unreachable!(); - } - }; - let role = Role::try_from(find_role_query_res).unwrap(); - - let mut unknown_tokens = alloc::vec::Vec::new(); - for permission in role.permissions() { - if let Ok(permission) = AnyPermission::try_from(permission) { - if !is_genesis($executor) { - if let Err(error) = crate::permission::ValidateGrantRevoke::$method( - &permission, - $authority, - $executor.block_height(), - ) { - deny!($executor, error); - } - } + let role = match crate::data_model::query::builder::QueryBuilderExt::execute_single( + iroha_smart_contract::query(FindRoles) + .filter_with(|role| role.id.eq(role_id.clone())), + ) { + Ok(res) => res, + Err(crate::data_model::query::builder::SingleQueryError::QueryError(error)) => { + deny!($executor, error); + } + Err(crate::data_model::query::builder::SingleQueryError::ExpectedOneGotNone) => { + // assuming that only a "not found" case is possible here + $executor.deny($crate::data_model::ValidationFail::QueryFailed( + $crate::data_model::query::error::QueryExecutionFail::Find( + $crate::data_model::query::error::FindError::Role(role_id.clone()), + ), + )); + return; + } + Err(_) => { + unreachable!(); + } + }; - continue; + if !is_genesis($executor) { + if !CanManageRoles.is_owned_by($authority) { + deny!($executor, "Can't modify role"); } - unknown_tokens.push(permission); + for permission in role.permissions() { + let permission = AnyPermission::try_from(permission) + .expect("INTERNAL ERROR: Unknown permission"); + + if let Err(error) = crate::permission::ValidateGrantRevoke::$method( + &permission, + $authority, + $executor.block_height(), + ) { + deny!($executor, error); + } + } } - assert!( - unknown_tokens.is_empty(), - "Role contains unknown permission tokens: {unknown_tokens:?}" - ); execute!($executor, $isi) }; } @@ -1189,6 +1191,10 @@ pub mod role { if let Ok(any_permission) = AnyPermission::try_from(permission) { if !is_genesis($executor) { + if !CanManageRoles.is_owned_by($authority) { + deny!($executor, "Can't modify role"); + } + if let Err(error) = crate::permission::ValidateGrantRevoke::$method( &any_permission, $authority, @@ -1204,17 +1210,14 @@ pub mod role { deny!( $executor, - ValidationFail::NotPermitted(format!( - "{permission:?}: Unknown permission permission" - )) + ValidationFail::NotPermitted(format!("{permission:?}: Unknown permission")) ); }; } - #[allow(clippy::needless_pass_by_value)] pub fn visit_register_role( executor: &mut V, - _authority: &AccountId, + authority: &AccountId, isi: &Register, ) { let role = isi.object().inner(); @@ -1243,10 +1246,17 @@ pub mod role { } let isi = Register::role(new_role); - execute!(executor, isi); + + if is_genesis(executor) { + execute!(executor, isi); + } + if CanManageRoles.is_owned_by(authority) { + execute!(executor, isi); + } + + deny!(executor, "Can't unregister role"); } - #[allow(clippy::needless_pass_by_value)] pub fn visit_unregister_role( executor: &mut V, authority: &AccountId, @@ -1255,7 +1265,7 @@ pub mod role { if is_genesis(executor) { execute!(executor, isi); } - if CanUnregisterAnyRole.is_owned_by(authority) { + if CanManageRoles.is_owned_by(authority) { execute!(executor, isi); } @@ -1536,12 +1546,13 @@ pub mod trigger { } AnyPermission::CanRegisterUserTrigger(_) | AnyPermission::CanUnregisterUserTrigger(_) - | AnyPermission::CanUnregisterAnyPeer(_) + | AnyPermission::CanManagePeers(_) + | AnyPermission::CanRegisterDomain(_) | AnyPermission::CanUnregisterDomain(_) | AnyPermission::CanSetKeyValueInDomain(_) | AnyPermission::CanRemoveKeyValueInDomain(_) - | AnyPermission::CanRegisterAccountInDomain(_) - | AnyPermission::CanRegisterAssetDefinitionInDomain(_) + | AnyPermission::CanRegisterAccount(_) + | AnyPermission::CanRegisterAssetDefinition(_) | AnyPermission::CanUnregisterAccount(_) | AnyPermission::CanSetKeyValueInAccount(_) | AnyPermission::CanRemoveKeyValueInAccount(_) @@ -1560,7 +1571,7 @@ pub mod trigger { | AnyPermission::CanRemoveKeyValueInUserAsset(_) | AnyPermission::CanMintUserAsset(_) | AnyPermission::CanSetParameters(_) - | AnyPermission::CanUnregisterAnyRole(_) + | AnyPermission::CanManageRoles(_) | AnyPermission::CanUpgradeExecutor(_) => false, } } @@ -1630,7 +1641,6 @@ pub mod executor { use super::*; - #[allow(clippy::needless_pass_by_value)] pub fn visit_upgrade( executor: &mut V, authority: &AccountId, diff --git a/crates/iroha_executor/src/permission.rs b/crates/iroha_executor/src/permission.rs index 64f663bcb5..2f92985eb6 100644 --- a/crates/iroha_executor/src/permission.rs +++ b/crates/iroha_executor/src/permission.rs @@ -84,18 +84,19 @@ macro_rules! declare_permissions { } declare_permissions! { - iroha_executor_data_model::permission::peer::{CanUnregisterAnyPeer}, + iroha_executor_data_model::permission::peer::{CanManagePeers}, + iroha_executor_data_model::permission::domain::{CanRegisterDomain}, iroha_executor_data_model::permission::domain::{CanUnregisterDomain}, iroha_executor_data_model::permission::domain::{CanSetKeyValueInDomain}, iroha_executor_data_model::permission::domain::{CanRemoveKeyValueInDomain}, - iroha_executor_data_model::permission::domain::{CanRegisterAccountInDomain}, - iroha_executor_data_model::permission::domain::{CanRegisterAssetDefinitionInDomain}, + iroha_executor_data_model::permission::account::{CanRegisterAccount}, iroha_executor_data_model::permission::account::{CanUnregisterAccount}, iroha_executor_data_model::permission::account::{CanSetKeyValueInAccount}, iroha_executor_data_model::permission::account::{CanRemoveKeyValueInAccount}, + iroha_executor_data_model::permission::asset_definition::{CanRegisterAssetDefinition}, iroha_executor_data_model::permission::asset_definition::{CanUnregisterAssetDefinition}, iroha_executor_data_model::permission::asset_definition::{CanSetKeyValueInAssetDefinition}, iroha_executor_data_model::permission::asset_definition::{CanRemoveKeyValueInAssetDefinition}, @@ -113,7 +114,7 @@ declare_permissions! { iroha_executor_data_model::permission::asset::{CanRemoveKeyValueInUserAsset}, iroha_executor_data_model::permission::parameter::{CanSetParameters}, - iroha_executor_data_model::permission::role::{CanUnregisterAnyRole}, + iroha_executor_data_model::permission::role::{CanManageRoles}, iroha_executor_data_model::permission::trigger::{CanRegisterUserTrigger}, iroha_executor_data_model::permission::trigger::{CanExecuteUserTrigger}, @@ -177,11 +178,11 @@ mod executor { } mod peer { - use iroha_executor_data_model::permission::peer::CanUnregisterAnyPeer; + use iroha_executor_data_model::permission::peer::CanManagePeers; use super::*; - impl ValidateGrantRevoke for CanUnregisterAnyPeer { + impl ValidateGrantRevoke for CanManagePeers { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { OnlyGenesis::from(self).validate(authority, block_height) } @@ -192,11 +193,11 @@ mod peer { } mod role { - use iroha_executor_data_model::permission::role::CanUnregisterAnyRole; + use iroha_executor_data_model::permission::role::CanManageRoles; use super::*; - impl ValidateGrantRevoke for CanUnregisterAnyRole { + impl ValidateGrantRevoke for CanManageRoles { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { OnlyGenesis::from(self).validate(authority, block_height) } @@ -403,8 +404,8 @@ pub mod asset_definition { //! Module with pass conditions for asset definition related tokens use iroha_executor_data_model::permission::asset_definition::{ - CanRemoveKeyValueInAssetDefinition, CanSetKeyValueInAssetDefinition, - CanUnregisterAssetDefinition, + CanRegisterAssetDefinition, CanRemoveKeyValueInAssetDefinition, + CanSetKeyValueInAssetDefinition, CanUnregisterAssetDefinition, }; use iroha_smart_contract::data_model::{ isi::error::InstructionExecutionError, @@ -468,6 +469,15 @@ pub mod asset_definition { } } + impl ValidateGrantRevoke for CanRegisterAssetDefinition { + fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { + super::domain::Owner::from(self).validate(authority, block_height) + } + fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { + super::domain::Owner::from(self).validate(authority, block_height) + } + } + impl ValidateGrantRevoke for CanUnregisterAssetDefinition { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) @@ -521,7 +531,8 @@ pub mod account { //! Module with pass conditions for asset related tokens use iroha_executor_data_model::permission::account::{ - CanRemoveKeyValueInAccount, CanSetKeyValueInAccount, CanUnregisterAccount, + CanRegisterAccount, CanRemoveKeyValueInAccount, CanSetKeyValueInAccount, + CanUnregisterAccount, }; use super::*; @@ -562,6 +573,15 @@ pub mod account { } } + impl ValidateGrantRevoke for CanRegisterAccount { + fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { + super::domain::Owner::from(self).validate(authority, block_height) + } + fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { + super::domain::Owner::from(self).validate(authority, block_height) + } + } + impl ValidateGrantRevoke for CanUnregisterAccount { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) @@ -756,8 +776,7 @@ pub mod trigger { pub mod domain { //! Module with pass conditions for domain related tokens use iroha_executor_data_model::permission::domain::{ - CanRegisterAccountInDomain, CanRegisterAssetDefinitionInDomain, CanRemoveKeyValueInDomain, - CanSetKeyValueInDomain, CanUnregisterDomain, + CanRegisterDomain, CanRemoveKeyValueInDomain, CanSetKeyValueInDomain, CanUnregisterDomain, }; use iroha_smart_contract::data_model::{ isi::error::InstructionExecutionError, @@ -809,25 +828,16 @@ pub mod domain { } } - impl ValidateGrantRevoke for CanUnregisterDomain { - fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) - } - fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) - } - } - - impl ValidateGrantRevoke for CanSetKeyValueInDomain { + impl ValidateGrantRevoke for CanRegisterDomain { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) + OnlyGenesis::from(self).validate(authority, block_height) } fn validate_revoke(&self, authority: &AccountId, block_height: u64) -> Result { - Owner::from(self).validate(authority, block_height) + OnlyGenesis::from(self).validate(authority, block_height) } } - impl ValidateGrantRevoke for CanRemoveKeyValueInDomain { + impl ValidateGrantRevoke for CanUnregisterDomain { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } @@ -836,7 +846,7 @@ pub mod domain { } } - impl ValidateGrantRevoke for CanRegisterAccountInDomain { + impl ValidateGrantRevoke for CanSetKeyValueInDomain { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } @@ -845,7 +855,7 @@ pub mod domain { } } - impl ValidateGrantRevoke for CanRegisterAssetDefinitionInDomain { + impl ValidateGrantRevoke for CanRemoveKeyValueInDomain { fn validate_grant(&self, authority: &AccountId, block_height: u64) -> Result { Owner::from(self).validate(authority, block_height) } @@ -868,8 +878,8 @@ pub mod domain { CanUnregisterDomain, CanSetKeyValueInDomain, CanRemoveKeyValueInDomain, - CanRegisterAccountInDomain, - CanRegisterAssetDefinitionInDomain, + iroha_executor_data_model::permission::account::CanRegisterAccount, + iroha_executor_data_model::permission::asset_definition::CanRegisterAssetDefinition, ); } diff --git a/crates/iroha_executor_data_model/src/permission.rs b/crates/iroha_executor_data_model/src/permission.rs index 64b2f97dde..9c9f35998e 100644 --- a/crates/iroha_executor_data_model/src/permission.rs +++ b/crates/iroha_executor_data_model/src/permission.rs @@ -36,14 +36,20 @@ pub mod peer { use super::*; permission! { + /// Allows register/unregister of a peer #[derive(Copy)] - pub struct CanUnregisterAnyPeer; + pub struct CanManagePeers; } } pub mod domain { use super::*; + permission! { + #[derive(Copy)] + pub struct CanRegisterDomain; + } + permission! { pub struct CanUnregisterDomain { pub domain: DomainId, @@ -61,22 +67,16 @@ pub mod domain { pub domain: DomainId, } } +} - permission! { - pub struct CanRegisterAccountInDomain { - pub domain: DomainId, - } - } +pub mod asset_definition { + use super::*; permission! { - pub struct CanRegisterAssetDefinitionInDomain { + pub struct CanRegisterAssetDefinition { pub domain: DomainId, } } -} - -pub mod asset_definition { - use super::*; permission! { pub struct CanUnregisterAssetDefinition { @@ -100,6 +100,12 @@ pub mod asset_definition { pub mod account { use super::*; + permission! { + pub struct CanRegisterAccount { + pub domain: DomainId, + } + } + permission! { pub struct CanUnregisterAccount { pub account: AccountId, @@ -201,7 +207,7 @@ pub mod role { permission! { #[derive(Copy)] - pub struct CanUnregisterAnyRole; + pub struct CanManageRoles; } } diff --git a/crates/iroha_schema_gen/src/lib.rs b/crates/iroha_schema_gen/src/lib.rs index 91b450e131..b33c1ab1bd 100644 --- a/crates/iroha_schema_gen/src/lib.rs +++ b/crates/iroha_schema_gen/src/lib.rs @@ -64,15 +64,15 @@ pub fn build_schemas() -> MetaMap { MerkleTree, // Default permissions - permission::peer::CanUnregisterAnyPeer, + permission::peer::CanManagePeers, permission::domain::CanUnregisterDomain, permission::domain::CanSetKeyValueInDomain, permission::domain::CanRemoveKeyValueInDomain, - permission::domain::CanRegisterAccountInDomain, - permission::domain::CanRegisterAssetDefinitionInDomain, + permission::account::CanRegisterAccount, permission::account::CanUnregisterAccount, permission::account::CanSetKeyValueInAccount, permission::account::CanRemoveKeyValueInAccount, + permission::asset_definition::CanRegisterAssetDefinition, permission::asset_definition::CanUnregisterAssetDefinition, permission::asset_definition::CanSetKeyValueInAssetDefinition, permission::asset_definition::CanRemoveKeyValueInAssetDefinition, @@ -88,7 +88,7 @@ pub fn build_schemas() -> MetaMap { permission::asset::CanSetKeyValueInUserAsset, permission::asset::CanRemoveKeyValueInUserAsset, permission::parameter::CanSetParameters, - permission::role::CanUnregisterAnyRole, + permission::role::CanManageRoles, permission::trigger::CanRegisterUserTrigger, permission::trigger::CanExecuteUserTrigger, permission::trigger::CanUnregisterUserTrigger, @@ -594,7 +594,7 @@ mod tests { insert_into_test_map!(Compact); insert_into_test_map!(Compact); - insert_into_test_map!(iroha_executor_data_model::permission::peer::CanUnregisterAnyPeer); + insert_into_test_map!(iroha_executor_data_model::permission::peer::CanManagePeers); insert_into_test_map!(iroha_executor_data_model::permission::domain::CanUnregisterDomain); insert_into_test_map!( iroha_executor_data_model::permission::domain::CanSetKeyValueInDomain @@ -602,12 +602,7 @@ mod tests { insert_into_test_map!( iroha_executor_data_model::permission::domain::CanRemoveKeyValueInDomain ); - insert_into_test_map!( - iroha_executor_data_model::permission::domain::CanRegisterAccountInDomain - ); - insert_into_test_map!( - iroha_executor_data_model::permission::domain::CanRegisterAssetDefinitionInDomain - ); + insert_into_test_map!(iroha_executor_data_model::permission::account::CanRegisterAccount); insert_into_test_map!(iroha_executor_data_model::permission::account::CanUnregisterAccount); insert_into_test_map!( iroha_executor_data_model::permission::account::CanSetKeyValueInAccount @@ -615,6 +610,9 @@ mod tests { insert_into_test_map!( iroha_executor_data_model::permission::account::CanRemoveKeyValueInAccount ); + insert_into_test_map!( + iroha_executor_data_model::permission::asset_definition::CanRegisterAssetDefinition + ); insert_into_test_map!( iroha_executor_data_model::permission::asset_definition::CanUnregisterAssetDefinition ); @@ -646,7 +644,7 @@ mod tests { iroha_executor_data_model::permission::asset::CanRemoveKeyValueInUserAsset ); insert_into_test_map!(iroha_executor_data_model::permission::parameter::CanSetParameters); - insert_into_test_map!(iroha_executor_data_model::permission::role::CanUnregisterAnyRole); + insert_into_test_map!(iroha_executor_data_model::permission::role::CanManageRoles); insert_into_test_map!( iroha_executor_data_model::permission::trigger::CanRegisterUserTrigger ); diff --git a/crates/iroha_test_network/src/lib.rs b/crates/iroha_test_network/src/lib.rs index 3720fbc621..1136953c75 100644 --- a/crates/iroha_test_network/src/lib.rs +++ b/crates/iroha_test_network/src/lib.rs @@ -17,8 +17,8 @@ use iroha_executor_data_model::permission::{ asset::{CanBurnAssetWithDefinition, CanMintAssetWithDefinition}, domain::CanUnregisterDomain, executor::CanUpgradeExecutor, - peer::CanUnregisterAnyPeer, - role::CanUnregisterAnyRole, + peer::CanManagePeers, + role::CanManageRoles, }; use iroha_futures::supervisor::ShutdownSignal; use iroha_genesis::{GenesisBlock, RawGenesisTransaction}; @@ -112,9 +112,9 @@ impl TestGenesis for GenesisBlock { ALICE_ID.clone(), ); let grant_unregister_any_peer_permission = - Grant::account_permission(CanUnregisterAnyPeer, ALICE_ID.clone()); + Grant::account_permission(CanManagePeers, ALICE_ID.clone()); let grant_unregister_any_role_permission = - Grant::account_permission(CanUnregisterAnyRole, ALICE_ID.clone()); + Grant::account_permission(CanManageRoles, ALICE_ID.clone()); let grant_unregister_wonderland_domain = Grant::account_permission( CanUnregisterDomain { domain: "wonderland".parse().unwrap(),