From c8fd5e89b201ed73210f5c2e6c8c1a680f781126 Mon Sep 17 00:00:00 2001
From: Pranav Kakaraparti <pranavkakaraparti@greenstand.org>
Date: Tue, 30 Jul 2024 00:50:36 -0400
Subject: [PATCH] fix:  correct validation for trust relationship request

---
 server/models/Trust.js      | 29 ++++++++++++++++++-------
 server/models/Trust.spec.js | 43 +++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 8 deletions(-)

diff --git a/server/models/Trust.js b/server/models/Trust.js
index 95cbf59e..e7d90df9 100644
--- a/server/models/Trust.js
+++ b/server/models/Trust.js
@@ -120,19 +120,19 @@ class Trust {
     //      targetWallet = requesterWallet;
     //    }
 
-    // check if the orginator can control the actor
-    const hasControlOverActor = await walletModel.hasControlOver(
+    // check if the originator can control the actor
+    const origHasControlOverActor = await walletModel.hasControlOver(
       originatorWallet.id,
       actorWallet.id,
     );
 
     // originating wallet has no permission to send request from actor wallet
-    if (!hasControlOverActor) {
+    if (!origHasControlOverActor) {
       throw new HttpError(403, 'Have no permission to deal with this actor');
     }
 
-    // check if originator can control the target
-    const hasControlOverTarget = await walletModel.hasControlOver(
+    // check if the originator can control the target
+    const origHasControlOverTarget = await walletModel.hasControlOver(
       originatorWallet.id,
       targetWallet.id,
     );
@@ -141,8 +141,8 @@ class Trust {
     if (
       originatorWallet.id !== actorWallet.id &&
       originatorWallet.id !== targetWallet.id &&
-      hasControlOverActor &&
-      hasControlOverTarget
+      origHasControlOverActor &&
+      origHasControlOverTarget
     ) {
       throw new HttpError(
         409,
@@ -150,14 +150,27 @@ class Trust {
       );
     }
 
+    // check if actor can control the target
+    const actorHasControlOverTarget = await walletModel.hasControlOver(
+      actorWallet.id,
+      targetWallet.id,
+    );
+
     // originating wallet doesn't need to send requests to a sub wallet it manages
-    if (hasControlOverTarget) {
+    if (actorHasControlOverTarget) {
       throw new HttpError(
         409,
         'The requesting wallet already manages the target wallet',
       );
     }
 
+    if (originatorWallet.id === targetWallet.id && origHasControlOverActor) {
+      throw new HttpError(
+        409,
+        'The requesting wallet is managed by the target wallet',
+      );
+    }
+
     // check if the target wallet can accept the request
     // function below currently empty
     // await walletModel.checkTrustRequestSentToMe(
diff --git a/server/models/Trust.spec.js b/server/models/Trust.spec.js
index 11853566..45676fc7 100644
--- a/server/models/Trust.spec.js
+++ b/server/models/Trust.spec.js
@@ -226,6 +226,10 @@ describe('Trust Model', () => {
         originatorActorWallet.id,
         requesteeWallet.id,
       );
+      expect(hasControlStub.getCall(2)).calledWithExactly(
+        requesterWallet.id,
+        requesteeWallet.id,
+      );
       expect(checkDuplicateStub).not.called;
       expect(trustRepositoryStub.create).not.called;
     });
@@ -261,6 +265,45 @@ describe('Trust Model', () => {
       expect(trustRepositoryStub.create).not.called;
     });
 
+    it('should error out -- The requesting wallet is managed by the target wallet', async () => {
+      // originator has control over both actor and target
+      hasControlStub.onCall(0).resolves(true);
+      hasControlStub.onCall(1).resolves(true);
+      // actor does not have control over target
+      hasControlStub.onCall(2).resolves(false);
+
+      let error;
+      try {
+        await trustModel.requestTrustFromAWallet({
+          trustRequestType,
+          requesteeWallet: originatorWallet,
+          requesterWallet,
+          originatorWallet,
+        });
+      } catch (e) {
+        error = e;
+      }
+
+      expect(error.code).eql(409);
+      expect(error.message).eql(
+        'The requesting wallet is managed by the target wallet',
+      );
+      expect(hasControlStub.getCall(0)).calledWithExactly(
+        originatorWallet.id,
+        requesterWallet.id,
+      );
+      expect(hasControlStub.getCall(1)).calledWithExactly(
+        originatorWallet.id,
+        originatorWallet.id,
+      );
+      expect(hasControlStub.getCall(2)).calledWithExactly(
+        requesterWallet.id,
+        originatorWallet.id,
+      );
+      expect(checkDuplicateStub).not.called;
+      expect(trustRepositoryStub.create).not.called;
+    });
+
     it('should request trust', async () => {
       // originator has control over actor
       hasControlStub.onCall(0).resolves(true);