Skip to content

Commit

Permalink
fix: correct validation for trust relationship request
Browse files Browse the repository at this point in the history
  • Loading branch information
@pranavkparti
pranavkparti committed Jul 30, 2024
1 parent f87c84a commit c8fd5e8
Show file tree
Hide file tree
Showing 2 changed files with 64 additions and 8 deletions.
29 changes: 21 additions & 8 deletions server/models/Trust.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -120,19 +120,19 @@ class Trust {
// targetWallet = requesterWallet;
// }

// check if the orginator can control the actor
const hasControlOverActor = await walletModel.hasControlOver(
// check if the originator can control the actor
const origHasControlOverActor = await walletModel.hasControlOver(
originatorWallet.id,
actorWallet.id,
);

// originating wallet has no permission to send request from actor wallet
if (!hasControlOverActor) {
if (!origHasControlOverActor) {
throw new HttpError(403, 'Have no permission to deal with this actor');
}

// check if originator can control the target
const hasControlOverTarget = await walletModel.hasControlOver(
// check if the originator can control the target
const origHasControlOverTarget = await walletModel.hasControlOver(
originatorWallet.id,
targetWallet.id,
);
Expand All @@ -141,23 +141,36 @@ class Trust {
if (
originatorWallet.id !== actorWallet.id &&
originatorWallet.id !== targetWallet.id &&
hasControlOverActor &&
hasControlOverTarget
origHasControlOverActor &&
origHasControlOverTarget
) {
throw new HttpError(
409,
'Cannot send trust relationship request to a sub wallet with the same parent',
);
}

// check if actor can control the target
const actorHasControlOverTarget = await walletModel.hasControlOver(
actorWallet.id,
targetWallet.id,
);

// originating wallet doesn't need to send requests to a sub wallet it manages
if (hasControlOverTarget) {
if (actorHasControlOverTarget) {
throw new HttpError(
409,
'The requesting wallet already manages the target wallet',
);
}

if (originatorWallet.id === targetWallet.id && origHasControlOverActor) {
throw new HttpError(
409,
'The requesting wallet is managed by the target wallet',
);
}

// check if the target wallet can accept the request
// function below currently empty
// await walletModel.checkTrustRequestSentToMe(
Expand Down
43 changes: 43 additions & 0 deletions server/models/Trust.spec.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -226,6 +226,10 @@ describe('Trust Model', () => {
originatorActorWallet.id,
requesteeWallet.id,
);
expect(hasControlStub.getCall(2)).calledWithExactly(
requesterWallet.id,
requesteeWallet.id,
);
expect(checkDuplicateStub).not.called;
expect(trustRepositoryStub.create).not.called;
});
Expand Down Expand Up @@ -261,6 +265,45 @@ describe('Trust Model', () => {
expect(trustRepositoryStub.create).not.called;
});

it('should error out -- The requesting wallet is managed by the target wallet', async () => {
// originator has control over both actor and target
hasControlStub.onCall(0).resolves(true);
hasControlStub.onCall(1).resolves(true);
// actor does not have control over target
hasControlStub.onCall(2).resolves(false);

let error;
try {
await trustModel.requestTrustFromAWallet({
trustRequestType,
requesteeWallet: originatorWallet,
requesterWallet,
originatorWallet,
});
} catch (e) {
error = e;
}

expect(error.code).eql(409);
expect(error.message).eql(
'The requesting wallet is managed by the target wallet',
);
expect(hasControlStub.getCall(0)).calledWithExactly(
originatorWallet.id,
requesterWallet.id,
);
expect(hasControlStub.getCall(1)).calledWithExactly(
originatorWallet.id,
originatorWallet.id,
);
expect(hasControlStub.getCall(2)).calledWithExactly(
requesterWallet.id,
originatorWallet.id,
);
expect(checkDuplicateStub).not.called;
expect(trustRepositoryStub.create).not.called;
});

it('should request trust', async () => {
// originator has control over actor
hasControlStub.onCall(0).resolves(true);
Expand Down

0 comments on commit c8fd5e8

Please sign in to comment.