diff --git a/Makefile b/Makefile index e90d8992..81ed3bf2 100644 --- a/Makefile +++ b/Makefile @@ -9,6 +9,8 @@ GOLANG_CROSS_VERSION ?= v1.21.0 all: signatory signatory-cli +# build is controlled by Go build system, so mark phony to ignore file timestamps +.PHONY: signatory signatory-cli signatory: CGO_ENABLED=1 go build -ldflags "-X $(COLLECTOR_PKG).GitRevision=$(GIT_REVISION) -X $(COLLECTOR_PKG).GitBranch=$(GIT_BRANCH)" ./cmd/signatory signatory-cli: diff --git a/cmd/commands/list_ops.go b/cmd/commands/list_ops.go index ec2d28c4..409b77fe 100644 --- a/cmd/commands/list_ops.go +++ b/cmd/commands/list_ops.go @@ -51,9 +51,12 @@ func NewListOps(c *Context) *cobra.Command { Short: "Print possible operation types inside the `generic` request", RunE: func(cmd *cobra.Command, args []string) error { var ops []string - for _, k := range encoding.ListVariants[latest.OperationContents]() { + for _, k := range latest.ListOperations() { ops = append(ops, k.OperationKind()) } + for _, op := range latest.ListPseudoOperations() { + ops = append(ops, op.PseudoOperation()) + } sort.Strings(ops) return listOpsTpl.Execute(os.Stdout, ops) }, diff --git a/docs/aws_kms.md b/docs/aws_kms.md index ddb1dedb..bc878620 100644 --- a/docs/aws_kms.md +++ b/docs/aws_kms.md @@ -75,7 +75,6 @@ tezos: - block - endorsement allowed_kinds: - # List of [endorsement, ballot, reveal, transaction, origination, delegation, seed_nonce_revelation, activate_account] - transaction - endorsement - reveal diff --git a/go.mod b/go.mod index 5c0ef366..d2db0e23 100644 --- a/go.mod +++ b/go.mod @@ -16,7 +16,7 @@ require ( github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 github.com/ecadlabs/goblst v1.0.0 github.com/ecadlabs/gotez/v2 v2.1.3 - github.com/go-playground/validator/v10 v10.16.0 + github.com/go-playground/validator/v10 v10.22.0 github.com/google/tink/go v1.7.0 github.com/google/uuid v1.4.0 github.com/gorilla/mux v1.8.1 
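Review bot: The new `.PHONY` line names the two binaries but leaves `all` out, although `all` is just as much a non-file target and would be skipped if a file called `all` ever appeared in the tree. Unless it is already declared phony elsewhere in the Makefile, I would write `.PHONY: all signatory signatory-cli` so the three targets are treated consistently.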
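Review bot: The `RunE` body now merges two independently sourced name lists, `latest.ListOperations()` and `latest.ListPseudoOperations()`, and only sorts them, so if a pseudo-operation name ever coincides with an operation kind the command prints that name twice; whether such a collision exists today is not visible here. Since this output is what operators copy into `allowed_ops`, I would dedupe after sorting with `ops = slices.Compact(ops)` (the Makefile pins a Go 1.21 cross-build image, so `slices` is available) and add a short comment above the second loop, `// pseudo-operations (e.g. stake entrypoints) are policy names too, so list them alongside the wire kinds`. NewListOps starts and ends outside the hunk.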
@@ -54,7 +54,7 @@ require (
 github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 github.com/cespare/xxhash/v2 v2.2.0 // indirect
 github.com/ecadlabs/pretty v0.0.0-20230412124801-f948fc689a04 // indirect
-github.com/gabriel-vasile/mimetype v1.4.3 // indirect
+github.com/gabriel-vasile/mimetype v1.4.5 // indirect
 github.com/go-jose/go-jose/v3 v3.0.1 // indirect
 github.com/google/s2a-go v0.1.7 // indirect
 github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
@@ -93,14 +93,14 @@ require (
 github.com/golang/protobuf v1.5.3 // indirect
 github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
-github.com/leodido/go-urn v1.2.4 // indirect
+github.com/leodido/go-urn v1.4.0 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/prometheus/client_model v0.5.0 // indirect
 github.com/prometheus/common v0.45.0 // indirect
 github.com/prometheus/procfs v0.12.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 go.opencensus.io v0.24.0 // indirect
-golang.org/x/net v0.21.0 // indirect
+golang.org/x/net v0.27.0 // indirect
 golang.org/x/sys v0.26.0 // indirect
 golang.org/x/term v0.25.0
 golang.org/x/text v0.19.0 // indirect
diff --git a/go.sum b/go.sum
index f78daf3c..edb05038 100644
--- a/go.sum
+++ b/go.sum
@@ -81,8 +81,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
-github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
+github.com/gabriel-vasile/mimetype v1.4.5 h1:J7wGKdGu33ocBOhGy0z653k/lFKLFDPJMG8Gql0kxn4=
+github.com/gabriel-vasile/mimetype v1.4.5/go.mod h1:ibHel+/kbxn9x2407k1izTA1S81ku1z/DlgOW2QE0M4=
 github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
 github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
@@ -92,8 +92,8 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.16.0 h1:x+plE831WK4vaKHO/jpgUGsvLKIqRRkz6M78GuJAfGE=
-github.com/go-playground/validator/v10 v10.16.0/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
+github.com/go-playground/validator/v10 v10.22.0 h1:k6HsTZ0sTnROkhS//R0O+55JgM8C4Bx7ia+JlgcnOao=
+github.com/go-playground/validator/v10 v10.22.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
 github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw=
 github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
@@ -185,8 +185,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q=
-github.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4=
+github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
+github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.6 h1:6Su7aK7lXmJ/U79bYtBjLNaha4Fs1Rg9plHpcH+vvnE=
@@ -242,7 +242,6 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
@@ -274,8 +273,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4= -golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= +golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ= golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM= diff --git a/pkg/signatory/signatory.go b/pkg/signatory/signatory.go index e5abebac..d311ab87 100644 --- a/pkg/signatory/signatory.go +++ b/pkg/signatory/signatory.go @@ -193,7 +193,7 @@ func matchFilter(policy *PublicKeyPolicy, req *SignRequest, msg protocol.SignReq if ops, ok := msg.(*protocol.GenericOperationSignRequest); ok { for _, op := range ops.Contents { - kind := op.OperationKind() + kind := core.GetOperationKind(op) allowed = false for _, k := range policy.AllowedOps { if kind == k { @@ -399,7 +399,7 @@ func (s *Signatory) Sign(ctx context.Context, req *SignRequest) (crypt.Signature l.Error(err) return nil, err } - return p.vault.SignMessage(ctx, message, p.key) + return p.vault.SignMessage(ctx, message, key) } var sig crypt.Signature diff --git a/pkg/signatory/signatory_test.go b/pkg/signatory/signatory_test.go index f848c7ca..05232e50 100644 --- a/pkg/signatory/signatory_test.go +++ b/pkg/signatory/signatory_test.go 
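Review bot: Replacing `kind := op.OperationKind()` with `kind := core.GetOperationKind(op)` changes what `policy.AllowedOps` is compared against for manager operations that carry a pseudo-operation, so an existing policy that lists only `transaction` will start rejecting stake-style transactions if the helper reports `stake`, `unstake` or `finalize_unstake` for those entrypoints, as the new `Stake allowed` test case in signatory_test.go suggests; that is a tightening, but it is a silent behaviour change for deployed configs and deserves a note in the config docs and release notes. The hunk also adds no comment saying that the value matched here is the pseudo-operation name rather than the wire kind; I would put `// kind is the pseudo-operation name (e.g. stake) when the entrypoint defines one, so allowed_ops must list it explicitly` above the assignment. matchFilter starts and ends outside the hunk.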
@@ -3,12 +3,19 @@ package signatory_test import ( + "bytes" "context" "encoding/hex" "fmt" "testing" + tz "github.com/ecadlabs/gotez/v2" "github.com/ecadlabs/gotez/v2/crypt" + "github.com/ecadlabs/gotez/v2/encoding" + "github.com/ecadlabs/gotez/v2/protocol" + "github.com/ecadlabs/gotez/v2/protocol/core" + "github.com/ecadlabs/gotez/v2/protocol/core/expression" + "github.com/ecadlabs/gotez/v2/protocol/latest" "github.com/ecadlabs/signatory/pkg/config" "github.com/ecadlabs/signatory/pkg/hashmap" "github.com/ecadlabs/signatory/pkg/signatory" @@ -59,6 +66,7 @@ func TestPolicy(t *testing.T) { type testCase struct { title string msg []byte + req protocol.SignRequest policy signatory.PublicKeyPolicy expected string } @@ -301,6 +309,34 @@ func TestPolicy(t *testing.T) { }, expected: "operation `update_consensus_key' is not allowed", }, + { + title: "Stake allowed", + req: &protocol.GenericOperationSignRequest{ + Branch: &tz.BlockHash{}, + Contents: []latest.OperationContents{ + &latest.Transaction{ + ManagerOperation: latest.ManagerOperation{ + Source: &tz.Ed25519PublicKeyHash{1, 2, 3}, + Fee: tz.BigUint{0x00}, + Counter: tz.BigUint{0x00}, + GasLimit: tz.BigUint{0x00}, + StorageLimit: tz.BigUint{0x00}, + }, + Amount: tz.BigUint{0x00}, + Destination: core.ImplicitContract{PublicKeyHash: &tz.Ed25519PublicKeyHash{1, 2, 3}}, + Parameters: tz.Some(latest.Parameters{ + Entrypoint: latest.EpStake{}, + Value: expression.Prim00(expression.Prim_Unit), + }), + }, + }, + }, + policy: signatory.PublicKeyPolicy{ + AllowedRequests: []string{"generic"}, + AllowedOps: []string{"stake"}, + LogPayloads: true, + }, + }, } priv, err := crypt.ParsePrivateKey([]byte(privateKey)) 
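Review bot: The new `Stake allowed` case only exercises the permissive direction; nothing in the table asserts that the same request is rejected when `AllowedOps` contains `transaction` but not `stake`, which is the property the policy change is meant to enforce. I would add a sibling case that reuses the same `req`, sets `AllowedOps: []string{"transaction"}` and expects the "operation `stake' is not allowed" message in the same format as the `update_consensus_key` case above it (exact wording to be confirmed against the filter). Without that case a regression that maps the stake entrypoint back to `transaction` would still pass this table. TestPolicy starts and ends outside the hunk.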
@@ -322,7 +358,16 @@ func TestPolicy(t *testing.T) { require.NoError(t, err) require.NoError(t, s.Unlock(context.Background())) - _, err = s.Sign(context.Background(), &signatory.SignRequest{PublicKeyHash: pk.Hash(), Message: c.msg}) + var msg []byte + if c.req != nil { + var buf bytes.Buffer + require.NoError(t, encoding.Encode(&buf, &c.req)) + msg = buf.Bytes() + } else { + msg = c.msg + } + + _, err = s.Sign(context.Background(), &signatory.SignRequest{PublicKeyHash: pk.Hash(), Message: msg}) if c.expected != "" { require.EqualError(t, err, c.expected) } else { diff --git a/pkg/signatory/utils.go b/pkg/signatory/utils.go index eae2efed..77fd6b2d 100644 --- a/pkg/signatory/utils.go +++ b/pkg/signatory/utils.go @@ -5,6 +5,7 @@ import ( "github.com/ecadlabs/gotez/v2/encoding" "github.com/ecadlabs/gotez/v2/protocol" + "github.com/ecadlabs/gotez/v2/protocol/core" ) func AuthenticatedBytesToSign(req *SignRequest) ([]byte, error) { @@ -27,7 +28,7 @@ type operationsStat map[string]int func getOperationsStat(u *protocol.GenericOperationSignRequest) operationsStat { ops := make(operationsStat) for _, o := range u.Contents { - ops[o.OperationKind()]++ + ops[core.GetOperationKind(o)]++ } return ops } diff --git a/signatory.yaml b/signatory.yaml index 02ba5b4e..f60a5add 100644 --- a/signatory.yaml +++ b/signatory.yaml 
@@ -66,12 +66,14 @@ tezos: allow: # List of [block, endorsement, failing_noop, generic, preendorsement] generic: - # List of [activate_account, ballot, delegation, double_baking_evidence, double_endorsement_evidence, - # double_preendorsement_evidence, endorsement, failing_noop, origination, preendorsement, proposals, - # register_global_constant, reveal, sc_rollup_add_messages, sc_rollup_cement, sc_rollup_originate, - # sc_rollup_publish, seed_nonce_revelation, set_deposits_limit, transaction, transfer_ticket, - # tx_rollup_commit, tx_rollup_dispatch_tickets, tx_rollup_finalize_commitment, tx_rollup_origination, - # tx_rollup_rejection, tx_rollup_remove_commitment, tx_rollup_return_bond, tx_rollup_submit_batch] + # List of + # [activate_account, attestation, attestation_with_dal, ballot, dal_publish_commitment, delegation, double_attestation_evidence, + # double_baking_evidence, double_preattestation_evidence, drain_delegate, failing_noop, finalize_unstake, increase_paid_storage, + # origination, preattestation, proposals, register_global_constant, reveal, seed_nonce_revelation, set_delegate_parameters, + # set_deposits_limit, signature_prefix, smart_rollup_add_messages, smart_rollup_cement, smart_rollup_execute_outbox_message, + # smart_rollup_originate, smart_rollup_publish, smart_rollup_recover_bond, smart_rollup_refute, smart_rollup_timeout, stake, + # transaction, transfer_ticket, unstake, update_consensus_key, vdf_revelation, zk_rollup_origination, zk_rollup_publish, + # zk_rollup_update] - transaction - endorsement block:
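Review bot: The rewritten comment lists `attestation` and no longer mentions `endorsement`, yet the example entries right below it still read `- transaction` and `- endorsement`, so the sample no longer matches its own documented vocabulary. Either the example should switch to `- attestation`, or the comment should state that legacy names such as `endorsement` are still accepted; whether the validator rejects names outside the list is not visible in this hunk, so the safe fix is to keep the example within the documented set.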