#310 - added protocolPath validation

thehenrytsai · web-flow · commit f6eb76ceedc2 · 2023-04-24T17:26:30.000-07:00
diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@
 # Decentralized Web Node (DWN) SDK
 
 Code Coverage
-![Statements](https://img.shields.io/badge/statements-93.95%25-brightgreen.svg?style=flat) ![Branches](https://img.shields.io/badge/branches-93.46%25-brightgreen.svg?style=flat) ![Functions](https://img.shields.io/badge/functions-91.69%25-brightgreen.svg?style=flat) ![Lines](https://img.shields.io/badge/lines-93.95%25-brightgreen.svg?style=flat)
+![Statements](https://img.shields.io/badge/statements-93.99%25-brightgreen.svg?style=flat) ![Branches](https://img.shields.io/badge/branches-93.5%25-brightgreen.svg?style=flat) ![Functions](https://img.shields.io/badge/functions-91.72%25-brightgreen.svg?style=flat) ![Lines](https://img.shields.io/badge/lines-93.99%25-brightgreen.svg?style=flat)
 
 ## Introduction
 
diff --git a/json-schemas/records/records-write.json b/json-schemas/records/records-write.json
@@ -105,7 +105,8 @@
           "type": "string"
         },
         "protocolPath": {
-          "type": "string"
+          "type": "string",
+          "pattern": "^[a-zA-Z]+(\/[a-zA-Z]+)*$"
         },
         "schema": {
           "type": "string"
@@ -208,7 +209,9 @@
         "descriptor": {
           "type": "object",
           "required": [
-            "protocol"
+            "protocol",
+            "protocolPath",
+            "schema"
           ]
         }
       },
@@ -236,6 +239,18 @@
               }
             }
           }
+        },
+        {
+          "properties": {
+            "descriptor": {
+              "type": "object",
+              "not": {
+                "required": [
+                  "protocolPath"
+                ]
+              }
+            }
+          }
         }
       ]
     }
diff --git a/src/core/dwn-error.ts b/src/core/dwn-error.ts
@@ -20,6 +20,8 @@ export enum DwnErrorCode {
   MessageStoreDataCidMismatch = 'MessageStoreDataCidMismatch',
   MessageStoreDataNotFound = 'MessageStoreDataNotFound',
   MessageStoreDataSizeMismatch = 'MessageStoreDataSizeMismatch',
+  ProtocolAuthorizationIncorrectProtocolPath = 'ProtocolAuthorizationIncorrectProtocolPath',
+  ProtocolAuthorizationInvalidSchema = 'ProtocolAuthorizationInvalidSchema',
   RecordsDecryptNoMatchingKeyDerivationScheme = 'RecordsDecryptNoMatchingKeyDerivationScheme',
   RecordsDeriveLeafPrivateKeyUnSupportedCurve = 'RecordsDeriveLeafPrivateKeyUnSupportedCurve',
   RecordsDeriveLeafPublicKeyUnSupportedCurve = 'RecordsDeriveLeafPublicKeyUnSupportedCurve',
diff --git a/src/core/protocol-authorization.ts b/src/core/protocol-authorization.ts
@@ -5,6 +5,7 @@ import type { ProtocolDefinition, ProtocolRuleSet, ProtocolsConfigureMessage } f
 import type { RecordsReadMessage, RecordsWriteMessage } from '../interfaces/records/types.js';
 
 import { RecordsWrite } from '../interfaces/records/messages/records-write.js';
+import { DwnError, DwnErrorCode } from './dwn-error.js';
 import { DwnInterfaceName, DwnMethodName, Message } from './message.js';
 
 const methodToAllowedActionMap: Record<string, string> = {
@@ -43,6 +44,9 @@ export class ProtocolAuthorization {
       recordSchemaToLabelMap.set(schema, schemaLabel);
     }
 
+    // validate `protocolPath`
+    ProtocolAuthorization.verifyProtocolPath(incomingMessage, ancestorMessageChain, recordSchemaToLabelMap);
+
     // get the rule set for the inbound message
     const inboundMessageRuleSet = ProtocolAuthorization.getRuleSet(
       incomingMessage.message,
@@ -176,12 +180,8 @@ export class ProtocolAuthorization {
     let allowedRecordsAtCurrentLevel: { [key: string]: ProtocolRuleSet} | undefined = protocolDefinition.records;
     let currentMessageIndex = 0;
     while (true) {
-      const currentRecordSchema = messageChain[currentMessageIndex].descriptor.schema;
-      const currentRecordType = recordSchemaToLabelMap.get(currentRecordSchema!);
-
-      if (currentRecordType === undefined) {
-        throw new Error(`record with schema '${currentRecordSchema}' not allowed in protocol`);
-      }
+      const currentRecordSchema = messageChain[currentMessageIndex].descriptor.schema!;
+      const currentRecordType = recordSchemaToLabelMap.get(currentRecordSchema)!;
 
       if (allowedRecordsAtCurrentLevel === undefined || !(currentRecordType in allowedRecordsAtCurrentLevel)) {
         throw new Error(`record with schema: '${currentRecordSchema}' not allowed in structure level ${currentMessageIndex}`);
@@ -199,6 +199,43 @@ export class ProtocolAuthorization {
     }
   }
 
+  /**
+   * Verifies the `protocolPath` declared in the given message (if it is a RecordsWrite) matches the path of actual ancestor chain.
+   * @throws {DwnError} if fails verification.
+   */
+  private static verifyProtocolPath(
+    inboundMessage: RecordsRead | RecordsWrite,
+    ancestorMessageChain: RecordsWriteMessage[],
+    recordSchemaToLabelMap: Map<string, string>
+  ): void {
+    // skip verification if this is not a RecordsWrite
+    if (inboundMessage.message.descriptor.method !== DwnMethodName.Write) {
+      return;
+    }
+
+    const currentRecordSchema = inboundMessage.message.descriptor.schema!;
+    const currentRecordSchemaLabel = recordSchemaToLabelMap.get(currentRecordSchema);
+    if (currentRecordSchemaLabel === undefined) {
+      throw new DwnError(DwnErrorCode.ProtocolAuthorizationInvalidSchema, `record with schema '${currentRecordSchema}' not allowed in protocol`);
+    }
+
+    const declaredProtocolPath = (inboundMessage as RecordsWrite).message.descriptor.protocolPath!;
+    let ancestorProtocolPath: string = '';
+    for (const ancestor of ancestorMessageChain) {
+      const ancestorSchemaLabel = recordSchemaToLabelMap.get(ancestor.descriptor.schema!);
+      ancestorProtocolPath += `${ancestorSchemaLabel}/`; // e.g. `foo/bar/`, notice the trailing slash
+    }
+
+    const actualProtocolPath = ancestorProtocolPath + currentRecordSchemaLabel; // e.g. `foo/bar/baz`
+
+    if (declaredProtocolPath !== actualProtocolPath) {
+      throw new DwnError(
+        DwnErrorCode.ProtocolAuthorizationIncorrectProtocolPath,
+        `Declared protocol path '${declaredProtocolPath}' is not the same as actual protocol path '${actualProtocolPath}'.`
+      );
+    }
+  }
+
   /**
    * Verifies the actions specified in the given message matches the allowed actions in the rule set.
    * @throws {Error} if action not allowed.
diff --git a/tests/interfaces/records/handlers/records-write.spec.ts b/tests/interfaces/records/handlers/records-write.spec.ts
@@ -998,7 +998,35 @@ describe('RecordsWriteHandler.handle()', () => {
 
         const reply = await dwn.processMessage(alice.did, credentialApplication.message, credentialApplication.dataStream);
         expect(reply.status.code).to.equal(401);
-        expect(reply.status.detail).to.equal('record with schema \'unexpectedSchema\' not allowed in protocol');
+        expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationInvalidSchema);
+      });
+
+      it('should fail authorization if given `protocolPath` is mismatching with actual path', async () => {
+        const alice = await DidKeyResolver.generate();
+
+        const protocol = 'https://identity.foundation/decentralized-web-node/protocols/credential-issuance';
+        const protocolConfig = await TestDataGenerator.generateProtocolsConfigure({
+          requester          : alice,
+          protocol,
+          protocolDefinition : credentialIssuanceProtocolDefinition
+        });
+
+        const protocolConfigureReply = await dwn.processMessage(alice.did, protocolConfig.message, protocolConfig.dataStream);
+        expect(protocolConfigureReply.status.code).to.equal(202);
+
+        const data = Encoder.stringToBytes('any data');
+        const credentialApplication = await TestDataGenerator.generateRecordsWrite({
+          requester    : alice,
+          recipientDid : alice.did,
+          protocol,
+          protocolPath : 'incorrect/protocol/path',
+          schema       : credentialIssuanceProtocolDefinition.labels.credentialApplication.schema,
+          data
+        });
+
+        const reply = await dwn.processMessage(alice.did, credentialApplication.message, credentialApplication.dataStream);
+        expect(reply.status.code).to.equal(401);
+        expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationIncorrectProtocolPath);
       });
 
       it('should fail authorization if record schema is not allowed at the hierarchical level attempted for the RecordsWrite', async () => {
diff --git a/tests/interfaces/records/messages/records-write.spec.ts b/tests/interfaces/records/messages/records-write.spec.ts
@@ -133,7 +133,8 @@ describe('RecordsWrite', () => {
         dataFormat                  : 'application/json',
         authorizationSignatureInput : Jws.createSignatureInput(alice),
         protocol                    : 'example.com/',
-        protocolPath                : 'example'
+        protocolPath                : 'example',
+        schema                      : 'http://foo.bar/schema'
       };
       const recordsWrite = await RecordsWrite.create(options);
 
diff --git a/tests/validation/json-schemas/records/records-write.spec.ts b/tests/validation/json-schemas/records/records-write.spec.ts
@@ -123,14 +123,44 @@ describe('RecordsWrite schema definition', () => {
     }).throws('must NOT have additional properties');
   });
 
-  it('should pass if `contextId` and `protocol` are both present', () => {
+  it('should pass if `protocol` exists and its related properties are all present', () => {
+    const validMessage = {
+      recordId   : 'anyRecordId',
+      contextId  : 'someContext', // must exist because `protocol` exists
+      descriptor : {
+        interface    : 'Records',
+        method       : 'Write',
+        protocol     : 'someProtocolId',
+        protocolPath : 'foo/bar', // must exist because `protocol` exists
+        schema       : 'http://foo.bar/schema', // must exist because `protocol` exists
+        dataCid      : 'anyCid',
+        dataFormat   : 'application/json',
+        dataSize     : 123,
+        dateCreated  : '2022-12-19T10:20:30.123456',
+        dateModified : '2022-12-19T10:20:30.123456'
+      },
+      authorization: {
+        payload    : 'anyPayload',
+        signatures : [{
+          protected : 'anyProtectedHeader',
+          signature : 'anySignature'
+        }]
+      }
+    };
+
+    Message.validateJsonSchema(validMessage);
+  });
+
+  it('should throw if `protocolPath` contains invalid characters', () => {
     const invalidMessage = {
       recordId   : 'anyRecordId',
-      contextId  : 'someContext', // protocol must exist
+      contextId  : 'someContext',
       descriptor : {
         interface    : 'Records',
         method       : 'Write',
-        protocol     : 'someProtocolId', // contextId must exist
+        protocol     : 'http://foo.bar',
+        protocolPath : 'invalid:path', // `:` is not a valid char in `protocolPath`
+        schema       : 'http://foo.bar/schema',
         dataCid      : 'anyCid',
         dataFormat   : 'application/json',
         dataSize     : 123,
@@ -146,10 +176,12 @@ describe('RecordsWrite schema definition', () => {
       }
     };
 
-    Message.validateJsonSchema(invalidMessage);
+    expect(() => {
+      Message.validateJsonSchema(invalidMessage);
+    }).throws('protocolPath: must match pattern "^[a-zA-Z]+(/[a-zA-Z]+)*$');
   });
 
-  it('should pass if `contextId` and `protocol` are both not present', () => {
+  it('should pass if none of `protocol` related properties are present', () => {
     const invalidMessage = {
       recordId   : 'anyRecordId',
       descriptor : {
@@ -227,6 +259,94 @@ describe('RecordsWrite schema definition', () => {
     }).throws('must have required property \'contextId\'');
   });
 
+  it('should throw if `protocol` is set but `protocolPath` is missing', () => {
+    const invalidMessage = {
+      recordId   : 'anyRecordId',
+      contextId  : 'anyContextId', // required by protocol-based message
+      descriptor : {
+        interface    : 'Records',
+        method       : 'Write',
+        protocol     : 'http://foo.bar',
+        // protocolPath : 'foo/bar', // intentionally missing
+        dataCid      : 'anyCid',
+        dataFormat   : 'application/json',
+        dataSize     : 123,
+        dateCreated  : '2022-12-19T10:20:30.123456',
+        dateModified : '2022-12-19T10:20:30.123456'
+      },
+      authorization: {
+        payload    : 'anyPayload',
+        signatures : [{
+          protected : 'anyProtectedHeader',
+          signature : 'anySignature'
+        }]
+      }
+    };
+
+    expect(() => {
+      Message.validateJsonSchema(invalidMessage);
+    }).throws('descriptor: must have required property \'protocolPath\'');
+  });
+
+  it('should throw if `protocolPath` is set but `protocol` is missing', () => {
+    const invalidMessage = {
+      recordId   : 'anyRecordId',
+      contextId  : 'anyContextId',
+      descriptor : {
+        interface    : 'Records',
+        method       : 'Write',
+        // protocol     : 'http://foo.bar', // intentionally missing
+        protocolPath : 'foo/bar',
+        dataCid      : 'anyCid',
+        dataFormat   : 'application/json',
+        dataSize     : 123,
+        dateCreated  : '2022-12-19T10:20:30.123456',
+        dateModified : '2022-12-19T10:20:30.123456'
+      },
+      authorization: {
+        payload    : 'anyPayload',
+        signatures : [{
+          protected : 'anyProtectedHeader',
+          signature : 'anySignature'
+        }]
+      }
+    };
+
+    expect(() => {
+      Message.validateJsonSchema(invalidMessage);
+    }).throws('descriptor: must have required property \'protocol\'');
+  });
+
+  it('should throw if `protocol` is set but `schema` is missing', () => {
+    const invalidMessage = {
+      recordId   : 'anyRecordId',
+      contextId  : 'anyContextId', // required by protocol-based message
+      descriptor : {
+        interface    : 'Records',
+        method       : 'Write',
+        protocol     : 'http://foo.bar',
+        protocolPath : 'foo/bar',
+        // schema       : 'http://foo.bar/schema', // intentionally missing
+        dataCid      : 'anyCid',
+        dataFormat   : 'application/json',
+        dataSize     : 123,
+        dateCreated  : '2022-12-19T10:20:30.123456',
+        dateModified : '2022-12-19T10:20:30.123456'
+      },
+      authorization: {
+        payload    : 'anyPayload',
+        signatures : [{
+          protected : 'anyProtectedHeader',
+          signature : 'anySignature'
+        }]
+      }
+    };
+
+    expect(() => {
+      Message.validateJsonSchema(invalidMessage);
+    }).throws('descriptor: must have required property \'schema\'');
+  });
+
   it('should throw if published is false but datePublished is present', () => {
     const invalidMessage = {
       recordId   : 'anyRecordId',

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,8 @@`
`105`	`105`	`"type": "string"`
`106`	`106`	`},`
`107`	`107`	`"protocolPath": {`
`108`		`- "type": "string"`
	`108`	`+ "type": "string",`
	`109`	`+ "pattern": "^[a-zA-Z]+(\/[a-zA-Z]+)*$"`
`109`	`110`	`},`
`110`	`111`	`"schema": {`
`111`	`112`	`"type": "string"`
`@@ -208,7 +209,9 @@`
`208`	`209`	`"descriptor": {`
`209`	`210`	`"type": "object",`
`210`	`211`	`"required": [`
`211`		`- "protocol"`
	`212`	`+ "protocol",`
	`213`	`+ "protocolPath",`
	`214`	`+ "schema"`
`212`	`215`	`]`
`213`	`216`	`}`
`214`	`217`	`},`
`@@ -236,6 +239,18 @@`
`236`	`239`	`}`
`237`	`240`	`}`
`238`	`241`	`}`
	`242`	`+ },`
	`243`	`+ {`
	`244`	`+ "properties": {`
	`245`	`+ "descriptor": {`
	`246`	`+ "type": "object",`
	`247`	`+ "not": {`
	`248`	`+ "required": [`
	`249`	`+ "protocolPath"`
	`250`	`+ ]`
	`251`	`+ }`
	`252`	`+ }`
	`253`	`+ }`
`239`	`254`	`}`
`240`	`255`	`]`
`241`	`256`	`}`