Skip to content

Commit

Permalink
Merge branch 'main' into listen_timeouts
Browse files Browse the repository at this point in the history
  • Loading branch information
@aoyako
aoyako authored Nov 19, 2024
2 parents 1f0f7c4 + 6df8a84 commit ac02c69
Show file tree
Hide file tree
Showing 2 changed files with 47 additions and 89 deletions.
109 changes: 20 additions & 89 deletions crates/iroha_executor/src/default/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -166,7 +166,7 @@ pub mod domain {

use super::*;
use crate::permission::{
account::is_account_owner, accounts_permissions, domain::is_domain_owner, roles_permissions,
account::is_account_owner, domain::is_domain_owner, revoke_permissions,
};

pub fn visit_register_domain<V: Execute + Visit + ?Sized>(
Expand Down Expand Up @@ -202,30 +202,13 @@ pub mod domain {
.is_owned_by(&executor.context().authority, executor.host())
}
{
let mut err = None;
for (owner_id, permission) in accounts_permissions(executor.host()) {
if is_permission_domain_associated(&permission, domain_id) {
let isi = &Revoke::account_permission(permission, owner_id.clone());

if let Err(error) = executor.host().submit(isi) {
err = Some(error);
break;
}
}
}
if let Some(err) = err {
let err = revoke_permissions(executor, |permission| {
is_permission_domain_associated(permission, domain_id)
});
if let Err(err) = err {
deny!(executor, err);
}

for (role_id, permission) in roles_permissions(executor.host()) {
if is_permission_domain_associated(&permission, domain_id) {
let isi = &Revoke::role_permission(permission, role_id.clone());

if let Err(err) = executor.host().submit(isi) {
deny!(executor, err);
}
}
}
execute!(executor, isi);
}
deny!(executor, "Can't unregister domain");
Expand Down Expand Up @@ -389,7 +372,7 @@ pub mod account {
};

use super::*;
use crate::permission::{account::is_account_owner, accounts_permissions, roles_permissions};
use crate::permission::{account::is_account_owner, revoke_permissions};

pub fn visit_register_account<V: Execute + Visit + ?Sized>(
executor: &mut V,
Expand Down Expand Up @@ -441,30 +424,13 @@ pub mod account {
.is_owned_by(&executor.context().authority, executor.host())
}
{
let mut err = None;
for (owner_id, permission) in accounts_permissions(executor.host()) {
if is_permission_account_associated(&permission, account_id) {
let isi = &Revoke::account_permission(permission, owner_id.clone());

if let Err(error) = executor.host().submit(isi) {
err = Some(error);
break;
}
}
}
if let Some(err) = err {
let err = revoke_permissions(executor, |permission| {
is_permission_account_associated(permission, account_id)
});
if let Err(err) = err {
deny!(executor, err);
}

for (role_id, permission) in roles_permissions(executor.host()) {
if is_permission_account_associated(&permission, account_id) {
let isi = &Revoke::role_permission(permission, role_id.clone());

if let Err(err) = executor.host().submit(isi) {
deny!(executor, err);
}
}
}
execute!(executor, isi);
}
deny!(executor, "Can't unregister another account");
Expand Down Expand Up @@ -580,8 +546,7 @@ pub mod asset_definition {

use super::*;
use crate::permission::{
account::is_account_owner, accounts_permissions,
asset_definition::is_asset_definition_owner, roles_permissions,
account::is_account_owner, asset_definition::is_asset_definition_owner, revoke_permissions,
};

pub fn visit_register_asset_definition<V: Execute + Visit + ?Sized>(
Expand Down Expand Up @@ -638,30 +603,13 @@ pub mod asset_definition {
.is_owned_by(&executor.context().authority, executor.host())
}
{
let mut err = None;
for (owner_id, permission) in accounts_permissions(executor.host()) {
if is_permission_asset_definition_associated(&permission, asset_definition_id) {
let isi = &Revoke::account_permission(permission, owner_id.clone());

if let Err(error) = executor.host().submit(isi) {
err = Some(error);
break;
}
}
}
if let Some(err) = err {
let err = revoke_permissions(executor, |permission| {
is_permission_asset_definition_associated(permission, asset_definition_id)
});
if let Err(err) = err {
deny!(executor, err);
}

for (role_id, permission) in roles_permissions(executor.host()) {
if is_permission_asset_definition_associated(&permission, asset_definition_id) {
let isi = &Revoke::role_permission(permission, role_id.clone());

if let Err(err) = executor.host().submit(isi) {
deny!(executor, err);
}
}
}
execute!(executor, isi);
}
deny!(
Expand Down Expand Up @@ -1367,7 +1315,7 @@ pub mod trigger {

use super::*;
use crate::permission::{
accounts_permissions, domain::is_domain_owner, roles_permissions, trigger::is_trigger_owner,
domain::is_domain_owner, revoke_permissions, trigger::is_trigger_owner,
};

pub fn visit_register_trigger<V: Execute + Visit + ?Sized>(
Expand Down Expand Up @@ -1420,30 +1368,13 @@ pub mod trigger {
.is_owned_by(&executor.context().authority, executor.host())
}
{
let mut err = None;
for (owner_id, permission) in accounts_permissions(executor.host()) {
if is_permission_trigger_associated(&permission, trigger_id) {
let isi = &Revoke::account_permission(permission, owner_id.clone());

if let Err(error) = executor.host().submit(isi) {
err = Some(error);
break;
}
}
}
if let Some(err) = err {
let err = revoke_permissions(executor, |permission| {
is_permission_trigger_associated(permission, trigger_id)
});
if let Err(err) = err {
deny!(executor, err);
}

for (role_id, permission) in roles_permissions(executor.host()) {
if is_permission_trigger_associated(&permission, trigger_id) {
let isi = &Revoke::role_permission(permission, role_id.clone());
if let Err(err) = executor.host().submit(isi) {
deny!(executor, err);
}
}
}

execute!(executor, isi);
}
deny!(
Expand Down
27 changes: 27 additions & 0 deletions crates/iroha_executor/src/permission.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ use crate::{
data_model::{executor::Result, permission::Permission as PermissionObject, prelude::*},
prelude::*,
},
Execute,
};

/// Declare permission types of current module. Use it with a full path to the permission.
Expand Down Expand Up @@ -1084,3 +1085,29 @@ pub(crate) fn roles_permissions(host: &Iroha) -> impl Iterator<Item = (RoleId, P
.map(move |permission| (role.id().clone(), permission))
})
}

/// Revoked all permissions satisfied given [condition].
///
/// Note: you must manually call `deny!` if this function returns error.
pub(crate) fn revoke_permissions<V: Execute + ?Sized>(
executor: &mut V,
condition: impl Fn(&PermissionObject) -> bool,
) -> Result<(), ValidationFail> {
for (owner_id, permission) in accounts_permissions(executor.host()) {
if condition(&permission) {
let isi = Revoke::account_permission(permission, owner_id.clone());

executor.host().submit(&isi)?;
}
}

for (role_id, permission) in roles_permissions(executor.host()) {
if condition(&permission) {
let isi = Revoke::role_permission(permission, role_id.clone());

executor.host().submit(&isi)?;
}
}

Ok(())
}

0 comments on commit ac02c69

Please sign in to comment.