
Merge pull request #525 from energywebfoundation/task/ICL-253_authori…
…ze_issuer

task/ICL-253 authorize issuer
JGiter committed Apr 20, 2022
2 parents ee0bfe4 + b55c86b commit d3d1a67
Showing 6 changed files with 72 additions and 0 deletions.
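--- a/docs/api/classes/NotAuthorizedIssuer.md
+++ b/docs/api/classes/NotAuthorizedIssuer.md
@@ -0,0 +1,30 @@
+# Class: NotAuthorizedIssuer
+
+## Hierarchy
+
+- `Error`
+
+**`NotAuthorizedIssuer`**
+
+## Table of contents
+
+### Constructors
+
+- [constructor](NotAuthorizedIssuer.md#constructor)
+
+## Constructors
+
+### constructor
+
+**new NotAuthorizedIssuer**(`issuer`, `role`)
+
+#### Parameters
+
+| Name | Type |
+| :------ | :------ |
+| `issuer` | `string` |
+| `role` | `string` |
+
+#### Overrides
+
+Error.constructor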
1 change: 1 addition & 0 deletions docs/api/modules.md
Expand Up @@ -32,6 +32,7 @@
- [MalformedDIDError](classes/MalformedDIDError.md)
- [MessagingService](classes/MessagingService.md)
- [MethodNotAvailableInNodeEnvError](classes/MethodNotAvailableInNodeEnvError.md)
- [NotAuthorizedIssuer](classes/NotAuthorizedIssuer.md)
- [SignerService](classes/SignerService.md)
- [StakingFactoryService](classes/StakingFactoryService.md)
- [StakingPoolService](classes/StakingPoolService.md)
22 changes: 22 additions & 0 deletions e2e/claims.service.e2e.ts
Expand Up @@ -91,6 +91,7 @@ const mockGetClaimsBySubject = jest.fn();
const mockRequestClaim = jest.fn();
const mockIssueClaim = jest.fn();
const mockRejectClaim = jest.fn();
const mockGetAllowedRoles = jest.fn();
jest.mock('../src/modules/cache-client/cache-client.service', () => {
return {
CacheClient: jest.fn().mockImplementation(() => {
Expand All @@ -105,6 +106,7 @@ jest.mock('../src/modules/cache-client/cache-client.service', () => {
requestClaim: mockRequestClaim,
issueClaim: mockIssueClaim,
rejectClaim: mockRejectClaim,
getAllowedRolesByIssuer: mockGetAllowedRoles,
};
}),
};
Expand Down Expand Up @@ -162,6 +164,26 @@ describe('Enrollment claim tests', () => {
returnSteps: false,
});
({ didRegistry, claimsService } = await connectToDidRegistry());
mockGetAllowedRoles.mockImplementation(async (issuer) => {
const roleDefs = Object.values(roles);
const isRoleIssuerOfRole = await Promise.all(
roleDefs.map(
(r) =>
r.issuer.roleName &&
claimsService.hasOnChainRole(issuer, r.issuer.roleName, version)
)
);
const allowedRoles = roleDefs
.filter((r, i) => {
return (
(r.issuer.issuerType === 'DID' && r.issuer.did?.includes(issuer)) ||
(r.issuer.issuerType === 'ROLE' && isRoleIssuerOfRole[i])
);
})
.map((r) => ({ ...r, namespace: `${r.roleName}.${root}` }));

return allowedRoles;
});
Reflect.set(didRegistry, '_cacheClient', undefined);
setLogger(new ConsoleLogger(LogLevel.warn));
});
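Review bot: The additions in this file only wire `mockGetAllowedRoles` to answer for an authorized signer; nothing in this diff asserts that `issueClaimRequest` or `issueClaim` rejects with `NotAuthorizedIssuer` when the signer is not in the allowed-issuer list, so the negative path of the new guard is untested unless a case exists outside the shown hunks. A minimal case would switch the signer (or return `[]` from the mock) and `await expect(claimsService.issueClaim({...})).rejects.toThrow(NotAuthorizedIssuer)`. In the mock, `r.issuer.did?.includes(issuer)` is an exact-element match if `did` is an array of DIDs but a substring match if it is a string; the role-definition type is not visible here, so confirm it is the former. `version` is referenced inside the mock but declared outside the hunk.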
1 change: 1 addition & 0 deletions src/errors/index.ts
Expand Up @@ -5,3 +5,4 @@ export { DeletingNamespaceNotPossibleError } from './deleting-namespace-not-poss
export { ENSOwnerNotValidAddressError } from './ens-owner-not-valid-address.error';
export { ERROR_MESSAGES } from './error-messages';
export { MalformedDIDError } from './malformed-did.error';
export { NotAuthorizedIssuer } from './not-authorized-issuer';
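--- a/src/errors/not-authorized-issuer.ts
+++ b/src/errors/not-authorized-issuer.ts
@@ -0,0 +1,5 @@
+export class NotAuthorizedIssuer extends Error {
+constructor(issuer: string, role: string) {
+super(`${issuer} is not authorized to issue ${role}`);
+}
+}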
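Review bot: The new error class never sets `name`, so logs and `String(err)` show it as `Error: <did> is not authorized to issue <role>` and callers cannot tell it apart from a generic `Error` without `instanceof`; add `this.name = 'NotAuthorizedIssuer';` after the `super(...)` call. If the project compiles to an ES5 target, subclasses of `Error` also need `Object.setPrototypeOf(this, NotAuthorizedIssuer.prototype);` for `instanceof` to work, which cannot be determined from this page, so check the other error classes in `src/errors` and match their pattern. A short TSDoc header, `/** Thrown when the signer is not an allowed issuer of the requested role. */`, would also bring it in line with the generated API docs added in this commit.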
13 changes: 13 additions & 0 deletions src/modules/claims/claims.service.ts
Expand Up @@ -40,6 +40,7 @@ import { JWT } from '@ew-did-registry/jwt';
import { privToPem, KeyType } from '@ew-did-registry/keys';
import { readyToBeRegisteredOnchain } from './claims.types';
import { VerifiableCredentialsServiceBase } from '../verifiable-credentials';
import { NotAuthorizedIssuer } from '../../errors/not-authorized-issuer';

const {
id,
Expand Down Expand Up @@ -257,6 +258,7 @@ export class ClaimsService {
claimData: { claimType: string; claimTypeVersion: number };
sub: string;
};
await this.verifyIssuer(claimData.claimType);

await this.verifyEnrolmentPrerequisites({
subject: sub,
Expand Down Expand Up @@ -447,6 +449,7 @@ export class ClaimsService {
issuerFields: { key: string; value: string | number }[];
};
}) {
await this.verifyIssuer(claim.claimType);
await this.verifyEnrolmentPrerequisites({ subject, role: claim.claimType });

const message: IClaimIssuance = {
Expand Down Expand Up @@ -697,6 +700,16 @@ export class ClaimsService {
}
}

private async verifyIssuer(role: string) {
if (
!(
await this._cacheClient.getAllowedRolesByIssuer(this._signerService.did)
).some((r) => r.namespace === role)
) {
throw new NotAuthorizedIssuer(this._signerService.did, role);
}
}

private async createOnChainProof(
role: string,
version: number,
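Review bot: In `verifyIssuer`, `.some` is called directly on the awaited result of `getAllowedRolesByIssuer`, so if the cache client resolves to `null`/`undefined` for an issuer it does not know, the caller gets a `TypeError` rather than the intended `NotAuthorizedIssuer`; defaulting keeps the failure mode explicit: `const allowed = (await this._cacheClient.getAllowedRolesByIssuer(this._signerService.did)) ?? [];` followed by `if (!allowed.some((r) => r.namespace === role)) throw new NotAuthorizedIssuer(this._signerService.did, role);`. Whether the cache client can return a nullish value is not visible here, so confirm against its implementation. The comparison `r.namespace === role` is exact, so the `claimType` passed from the two call sites must already be the fully-qualified namespace the cache server returns (the e2e mock builds `${roleName}.${root}`), otherwise a legitimate issuer is rejected. Since the decision rests on the cache server's answer and runs in the SDK before the claim is signed, it is a client-side pre-check rather than verifier-side enforcement; a TSDoc comment such as `/** Rejects issuance when the cache server does not list the signer as an allowed issuer of `role`. @throws NotAuthorizedIssuer */` would make that scope clear to maintainers. The enclosing class continues outside the hunk.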
