Skip to content

Commit

Permalink
Restrict execution of transactions exclusively to users with specific…
Browse files Browse the repository at this point in the history 
… roles

Signed-off-by: artem.ivanov <[email protected]>
  • Loading branch information
@Artemkaaas
Artemkaaas committed Feb 16, 2024
1 parent dbc05c2 commit 6cd66e6
Show file tree
Hide file tree
Showing 44 changed files with 509 additions and 248 deletions.
3 changes: 3 additions & 0 deletions .gitignore
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,11 @@ logs
.idea
vdr/out
vdr/target
network/config/nodes/validator5/key

# Blockscout
blockscout-db-data
redis-data
stats-db-data


87 changes: 63 additions & 24 deletions docs/design/auth.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -178,16 +178,21 @@ Contract name: **transactionAllowed**

### Account role management

| Contract | Method | Value | Required Role | Action Description |
|-------------|------------|------------|---------------|------------------------------------------|
| RoleControl | hasRole | - | any | Check if an account has a requested role |
| RoleControl | getRole | - | any | Get account role |
| RoleControl | assignRole | Trustee | Trustee | Assign Trustee role to an account |
| RoleControl | assignRole | Endorser | Trustee | Assign Endorser role to an account |
| RoleControl | assignRole | Steward | Trustee | Assign Steward role to an account |
| RoleControl | revokeRole | Trustee | Trustee | Revoke Trustee role from an account |
| RoleControl | revokeRole | Endorser | Trustee | Assign Endorser role to an account |
| RoleControl | revokeRole | Steward | Trustee | Assign Steward role to an account |
| Contract | Method | Value | Required Role | Action Description |
|-------------|-------------------------------|------------|---------------|----------------------------------------------------------------------------|
| RoleControl | hasRole | - | any | Check if an account has a requested role |
| RoleControl | getRole | - | any | Get account role |
| RoleControl | isTrustee | - | any | Ensure that account has a Trustee role assigned |
| RoleControl | isEndorser | - | any | Ensure that account has a Endorser role assigned |
| RoleControl | isSteward | - | any | Ensure that account has a Steward role assigned |
| RoleControl | isTrusteeOrEndorser | - | any | Ensure that account has either Trustee or Endorse role assigned |
| RoleControl | isTrusteeOrEndorserOrSteward | - | any | Ensure that account has either Trustee or Endorse or Steward role assigned |
| RoleControl | assignRole | Trustee | Trustee | Assign Trustee role to an account |
| RoleControl | assignRole | Endorser | Trustee | Assign Endorser role to an account |
| RoleControl | assignRole | Steward | Trustee | Assign Steward role to an account |
| RoleControl | revokeRole | Trustee | Trustee | Revoke Trustee role from an account |
| RoleControl | revokeRole | Endorser | Trustee | Assign Endorser role to an account |
| RoleControl | revokeRole | Steward | Trustee | Assign Steward role to an account |

### Validator nodes management

Expand All @@ -197,23 +202,46 @@ Contract name: **transactionAllowed**
| ValidatorControl | addValidator | Steward | Add new validator node |
| ValidatorControl | removeValidator | Steward | Remove validator node |

### DID Document management

| Contract | Method | Required Role | Action Description |
|-------------------|--------------------------------|-----------------------------|---------------------------------|
| IndyDidRegistry | createDid | Trustee, Endorser, Steward | Create a new DID Document |
| IndyDidRegistry | updateDid | DID owner | Update DID an existing Document |
| IndyDidRegistry | deactivateDid | DID owner | Deactivate an existing DID |
| IndyDidRegistry | resolveDid | any | Resolve DID Document for a DID |
### DID `indybesu` Registry management

| Contract | Method | Required Role | Action Description |
|-------------------|---------------------|----------------------------|---------------------------------------------|
| IndyDidRegistry | createDid | Trustee, Endorser, Steward | Create a new DID Document |
| IndyDidRegistry | createDidSigned | Trustee, Endorser, Steward | Endorse creation of a new DID Document |
| IndyDidRegistry | updateDid | DID owner, Trustee | Update DID an existing Document |
| IndyDidRegistry | updateDidSigned | Trustee | Endorse update of an existing DID Document |
| IndyDidRegistry | deactivateDid | DID owner, Trustee | Deactivate an existing DID |
| IndyDidRegistry | deactivateDidSigned | Trustee | Endorse deactivation of an existing DID |
| IndyDidRegistry | resolveDid | any | Resolve DID Document for a DID |

### DID `ethr` Registry management

| Contract | Method | Required Role | Action Description |
|------------------------|-----------------------|---------------|---------------------------------------|
| EthereumExtDidRegistry | changeOwner | DID owner | Change DID owner |
| EthereumExtDidRegistry | changeOwnerSigned | DID owner | Endorse changing of a DID owner |
| EthereumExtDidRegistry | addDelegate | DID owner | Add a delegate key |
| EthereumExtDidRegistry | addDelegateSigned | DID owner | Endorse adding of a delegate key |
| EthereumExtDidRegistry | revokeDelegate | DID owner | Revoke a delegate key |
| EthereumExtDidRegistry | revokeDelegateSigned | DID owner | Endorse revoking of a delegate key |
| EthereumExtDidRegistry | setAttribute | DID owner | Add a DID attribute |
| EthereumExtDidRegistry | setAttributeSigned | DID owner | Endorse adding of a DID attribute |
| EthereumExtDidRegistry | revokeAttribute | DID owner | Revoke a DID attribute |
| EthereumExtDidRegistry | revokeAttributeSigned | DID owner | Endorse revoking of a DID attribute |
| EthereumExtDidRegistry | identityOwner | any | Get DID owner |
| EthereumExtDidRegistry | changed | any | Get block number of latest DID change |
| EthereumExtDidRegistry | nonce | any | Get nonce to signe for endorsing |

### CL Registry management

| Contract | Method | Required Role | Action Description |
|------------------------------|-----------------------------|-----------------------------|------------------------------------------|
| SchemaRegistry | createSchema | Trustee, Endorser, Steward | Create a new Schema |
| SchemaRegistry | resolveSchema | any | Resolve Schema by id |
| CredentialDefinitionRegistry | createCredentialDefinition | Trustee, Endorser, Steward | Create a new Credential Definition |
| CredentialDefinitionRegistry | resolveCredentialDefinition | any | Resolve Credential Definition by id |
| Contract | Method | Required Role | Action Description |
|------------------------------|----------------------------------|-----------------------------|-------------------------------------------------|
| SchemaRegistry | createSchema | Trustee, Endorser, Steward | Create a new Schema |
| SchemaRegistry | createSchemaSigned | Trustee, Endorser, Steward | Endorse creation of a new Schema |
| SchemaRegistry | resolveSchema | any | Resolve Schema by id |
| CredentialDefinitionRegistry | createCredentialDefinition | Trustee, Endorser, Steward | Create a new Credential Definition |
| CredentialDefinitionRegistry | createCredentialDefinitionSigned | Trustee, Endorser, Steward | Endorse creation of a new Credential Definition |
| CredentialDefinitionRegistry | resolveCredentialDefinition | any | Resolve Credential Definition by id |

### Contract upgrade management

Expand All @@ -223,6 +251,17 @@ Contract name: **transactionAllowed**
| UpgradeControl | approve | Trustee | Approve the upgrade of a specefic contract implementation |
| UpgradeControl | ensureSufficientApprovals | any | Ensures that an implementation upgrade has received sufficient approvals |

### Legacy identifiers mapping

| Contract | Method | Required Role | Action Description |
|--------------------------|-----------------------------|----------------------------|---------------------------------------------------------------------------------------------|
| LegacyMappingRegistry | createDidMapping | Trustee, Endorser, Steward | Create a new mapping of legacy indy/sov DID identifier to account address |
| LegacyMappingRegistry | createDidMappingSigned | Trustee, Endorser, Steward | Endorse creation a new mapping of legacy indy/sov DID identifier to account address |
| LegacyMappingRegistry | createResourceMapping | Trustee, Endorser, Steward | Create a new mapping of legacy schema/credential definition identifier to new one |
| LegacyMappingRegistry | createResourceMappingSigned | Trustee, Endorser, Steward | Endorse creation a new mapping of legacy schema/credential definition identifier to new one |
| LegacyMappingRegistry | didMapping | any | Resolve mapping account address for legacy DID identifier |
| LegacyMappingRegistry | resourceMapping | any | Resolve resource mapping for legacy idetifier |

### General transactions management

| Transaction | Required Role | Action Description |
Expand Down
8 changes: 6 additions & 2 deletions docs/design/cl-registry.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,9 @@ Contract name: **SchemaRegistry**
* `schema` - AnonCreds schema JSON as bytes.
* Restrictions:
* Schema id must be unique.
* Corresponding issuer DID must exist, be active, and owned by sender.
* Sender is equal to identity.
* Corresponding issuer DID must exist, be active, and owned by identity.
* Sender must have either TRUSTEE or ENDORSER or STEWARD role assigned.
* Format:
```
SchemaRegistry.createSchema(
Expand Down Expand Up @@ -190,8 +192,10 @@ Contract name: **CredentialDefinitionRegistry**
* `credDef` - AnonCreds Credential Definition JSON as bytes
* Restrictions:
* Credential Definition must be unique.
* Corresponding issuer DID must exist, be active, and owned by sender.
* Sender mus tbe equal to identity.
* Corresponding issuer DID must exist, be active, and owned by identity.
* Corresponding schema must exist.
* Sender must have either TRUSTEE or ENDORSER or STEWARD role assigned.
* Format:
```
CredentialDefinitionRegistry.createCredentialDefinition(
Expand Down
Binary file modified docs/design/conmponents.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
1 change: 1 addition & 0 deletions docs/design/conmponents.puml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ package "Ethereum Network" {
component [Universal Did Resolver]
component [Schema Registry]
component [Credential Definition Registry]
component [Legacy Mapping Registry]
}
}
}
Expand Down
8 changes: 8 additions & 0 deletions docs/design/contracts.puml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,13 @@ package "Smart Contracts" {
Store CL Credential Definitions
end note
}

package "Migration" {
component [Legacy Mapping Registry]
note bottom of [Legacy Mapping Registry]
Store Mapping for legacy DID/Schema/CredentialDefinition identifiers
end note
}
}

[Identity] --> [Role Control]
Expand All @@ -86,6 +93,7 @@ package "Smart Contracts" {
[Universal Did Resolver] --> [Ethereum Did Registry]
[Schema Registry] --> [Universal Did Resolver]
[Credential Definition Registry] --> [Universal Did Resolver]
[Legacy Mapping Registry] --> [Universal Did Resolver]
}

@enduml
13 changes: 7 additions & 6 deletions docs/design/indybesu-did-registry.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@
struct DidMetadata {
address owner;
address sender;
uint256 created;
uint256 updated;
uint256 versionId;
Expand Down Expand Up @@ -44,7 +43,6 @@
"),
metadata: {
owner: 0x93917cadbace5dfce132b991732c6cda9bcc5b8a,
sender: 0x93917cadbace5dfce132b991732c6cda9bcc5b8a,
created: 1234,
updated: 1234,
versionId: 1234,
Expand All @@ -66,7 +64,6 @@ DID Document must match to the [specification](https://www.w3.org/TR/did-core/).
Each DID Document MUST have a metadata section when a representation is produced. It can have the following properties:

* owner (address): An address of DID owner
* sender (address): An address of DID Document sender
* created (timestamp): Time of a block ordered a transaction for DID Doc creation
* updated (timestamp): The updated field is null if an Update operation has never been performed on the DID document
Time of a block ordered a transaction changed a DID Doc last time
Expand All @@ -88,6 +85,8 @@ Contract name: **IndyDidRegistry**
* Restrictions:
* DID must not exist
* Valid DID must be provided
* Sender must be equal to identity
* Sender must have either TRUSTEE or ENDORSER or STEWARD role assigned
* Format:
```
IndyDidRegistry.createDid(
Expand Down Expand Up @@ -115,7 +114,8 @@ Contract name: **IndyDidRegistry**
* Restrictions:
* DID must exist
* DID must be active
* Sender must be authorized to perform update (owner or sender)
* Sender must be equal to identity
* Sender must be either identity owner or have a TRUSTEE role assigned
* Format:
```
IndyDidRegistry.updateDid(
Expand All @@ -138,11 +138,12 @@ Contract name: **IndyDidRegistry**
* Method: `deactivateDid`
* Description: Transaction to deactivate an existing DID
* Parameters:
* `did` - Address of DID owner
* `identity` - Address of DID owner
* Restrictions:
* DID must exist
* DID must be active
* Sender must be authorized to perform deactivation (owner or sender)
* Sender must be equal to identity
* Sender must be either identity owner or have a TRUSTEE role assigned
* Format:
```
IndyDidRegistry.deactivateDid(
Expand Down
Loading

0 comments on commit 6cd66e6

Please sign in to comment.