Skip to content

Commit

Permalink
refactor: Simplify revoking permission in default executor
Browse files Browse the repository at this point in the history
Signed-off-by: Dmitry Murzin <[email protected]>
  • Loading branch information
dima74 committed Nov 18, 2024
1 parent 8c80c83 commit cad6402
Show file tree
Hide file tree
Showing 2 changed files with 60 additions and 93 deletions.
117 changes: 24 additions & 93 deletions crates/iroha_executor/src/default/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -166,7 +166,7 @@ pub mod domain {

use super::*;
use crate::permission::{
account::is_account_owner, accounts_permissions, domain::is_domain_owner, roles_permissions,
account::is_account_owner, domain::is_domain_owner, revoke_permissions,
};

pub fn visit_register_domain<V: Execute + Visit + ?Sized>(
Expand Down Expand Up @@ -202,30 +202,13 @@ pub mod domain {
.is_owned_by(&executor.context().authority, executor.host())
}
{
let mut err = None;
for (owner_id, permission) in accounts_permissions(executor.host()) {
if is_permission_domain_associated(&permission, domain_id) {
let isi = &Revoke::account_permission(permission, owner_id.clone());

if let Err(error) = executor.host().submit(isi) {
err = Some(error);
break;
}
}
}
if let Some(err) = err {
deny!(executor, err);
revoke_permissions(executor, |permission| {
is_permission_domain_associated(permission, domain_id)
});
if executor.verdict().is_err() {
return;
}

for (role_id, permission) in roles_permissions(executor.host()) {
if is_permission_domain_associated(&permission, domain_id) {
let isi = &Revoke::role_permission(permission, role_id.clone());

if let Err(err) = executor.host().submit(isi) {
deny!(executor, err);
}
}
}
execute!(executor, isi);
}
deny!(executor, "Can't unregister domain");
Expand Down Expand Up @@ -389,7 +372,7 @@ pub mod account {
};

use super::*;
use crate::permission::{account::is_account_owner, accounts_permissions, roles_permissions};
use crate::permission::{account::is_account_owner, revoke_permissions};

pub fn visit_register_account<V: Execute + Visit + ?Sized>(
executor: &mut V,
Expand Down Expand Up @@ -441,30 +424,13 @@ pub mod account {
.is_owned_by(&executor.context().authority, executor.host())
}
{
let mut err = None;
for (owner_id, permission) in accounts_permissions(executor.host()) {
if is_permission_account_associated(&permission, account_id) {
let isi = &Revoke::account_permission(permission, owner_id.clone());

if let Err(error) = executor.host().submit(isi) {
err = Some(error);
break;
}
}
}
if let Some(err) = err {
deny!(executor, err);
revoke_permissions(executor, |permission| {
is_permission_account_associated(permission, account_id)
});
if executor.verdict().is_err() {
return;
}

for (role_id, permission) in roles_permissions(executor.host()) {
if is_permission_account_associated(&permission, account_id) {
let isi = &Revoke::role_permission(permission, role_id.clone());

if let Err(err) = executor.host().submit(isi) {
deny!(executor, err);
}
}
}
execute!(executor, isi);
}
deny!(executor, "Can't unregister another account");
Expand Down Expand Up @@ -580,8 +546,7 @@ pub mod asset_definition {

use super::*;
use crate::permission::{
account::is_account_owner, accounts_permissions,
asset_definition::is_asset_definition_owner, roles_permissions,
account::is_account_owner, asset_definition::is_asset_definition_owner, revoke_permissions,
};

pub fn visit_register_asset_definition<V: Execute + Visit + ?Sized>(
Expand Down Expand Up @@ -638,30 +603,13 @@ pub mod asset_definition {
.is_owned_by(&executor.context().authority, executor.host())
}
{
let mut err = None;
for (owner_id, permission) in accounts_permissions(executor.host()) {
if is_permission_asset_definition_associated(&permission, asset_definition_id) {
let isi = &Revoke::account_permission(permission, owner_id.clone());

if let Err(error) = executor.host().submit(isi) {
err = Some(error);
break;
}
}
}
if let Some(err) = err {
deny!(executor, err);
revoke_permissions(executor, |permission| {
is_permission_asset_definition_associated(permission, asset_definition_id)
});
if executor.verdict().is_err() {
return;
}

for (role_id, permission) in roles_permissions(executor.host()) {
if is_permission_asset_definition_associated(&permission, asset_definition_id) {
let isi = &Revoke::role_permission(permission, role_id.clone());

if let Err(err) = executor.host().submit(isi) {
deny!(executor, err);
}
}
}
execute!(executor, isi);
}
deny!(
Expand Down Expand Up @@ -1367,7 +1315,7 @@ pub mod trigger {

use super::*;
use crate::permission::{
accounts_permissions, domain::is_domain_owner, roles_permissions, trigger::is_trigger_owner,
domain::is_domain_owner, revoke_permissions, trigger::is_trigger_owner,
};

pub fn visit_register_trigger<V: Execute + Visit + ?Sized>(
Expand Down Expand Up @@ -1420,28 +1368,11 @@ pub mod trigger {
.is_owned_by(&executor.context().authority, executor.host())
}
{
let mut err = None;
for (owner_id, permission) in accounts_permissions(executor.host()) {
if is_permission_trigger_associated(&permission, trigger_id) {
let isi = &Revoke::account_permission(permission, owner_id.clone());

if let Err(error) = executor.host().submit(isi) {
err = Some(error);
break;
}
}
}
if let Some(err) = err {
deny!(executor, err);
}

for (role_id, permission) in roles_permissions(executor.host()) {
if is_permission_trigger_associated(&permission, trigger_id) {
let isi = &Revoke::role_permission(permission, role_id.clone());
if let Err(err) = executor.host().submit(isi) {
deny!(executor, err);
}
}
revoke_permissions(executor, |permission| {
is_permission_trigger_associated(permission, trigger_id)
});
if executor.verdict().is_err() {
return;
}

execute!(executor, isi);
Expand Down
36 changes: 36 additions & 0 deletions crates/iroha_executor/src/permission.rs
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,13 @@ use alloc::{borrow::ToOwned as _, vec::Vec};
use iroha_executor_data_model::permission::Permission;

use crate::{
deny,
prelude::Context,
smart_contract::{
data_model::{executor::Result, permission::Permission as PermissionObject, prelude::*},
prelude::*,
},
Execute,
};

/// Declare permission types of current module. Use it with a full path to the permission.
Expand Down Expand Up @@ -1084,3 +1086,37 @@ pub(crate) fn roles_permissions(host: &Iroha) -> impl Iterator<Item = (RoleId, P
.map(move |permission| (role.id().clone(), permission))
})
}

/// Revoked all permissions satisfied given [condition].
///
/// Note: you must manually check after this function:
/// `if executor.verdict().is_err() { return; }`
pub(crate) fn revoke_permissions<V: Execute + ?Sized>(
executor: &mut V,
condition: impl Fn(&PermissionObject) -> bool,
) {
let mut err = None;
for (owner_id, permission) in accounts_permissions(executor.host()) {
if condition(&permission) {
let isi = Revoke::account_permission(permission, owner_id.clone());

if let Err(error) = executor.host().submit(&isi) {
err = Some(error);
break;
}
}
}
if let Some(err) = err {
deny!(executor, err);
}

for (role_id, permission) in roles_permissions(executor.host()) {
if condition(&permission) {
let isi = Revoke::role_permission(permission, role_id.clone());

if let Err(err) = executor.host().submit(&isi) {
deny!(executor, err);
}
}
}
}

0 comments on commit cad6402

Please sign in to comment.