
Commit fc4a05d

authored
fix(rbac-registration): empty role data wrong error report (#256)
Signed-off-by: bkioshn <[email protected]>
1 parent df9af47 commit fc4a05d


1 file changed

+40
-38
lines changed


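--- a/rust/rbac-registration/src/cardano/cip509/validation.rs
+++ b/rust/rbac-registration/src/cardano/cip509/validation.rs
@@ -167,46 +167,48 @@ fn extract_stake_addresses(uris: Option<&Cip0134UriSet>) -> Vec<VKeyHash> {
 pub fn validate_role_data(metadata: &Cip509RbacMetadata, report: &ProblemReport) -> Option<IdUri> {
 let context = "Role data validation";
 
-if metadata.role_data.contains_key(&RoleNumber::ROLE_0) {
-// For the role 0 there must be exactly once certificate and it must not have `deleted`,
-// `undefined` or `C509CertInMetadatumReference` values.
-if matches!(metadata.x509_certs.first(), Some(X509DerCert::X509Cert(_)))
-&& matches!(
-metadata.c509_certs.first(),
-Some(C509Cert::C509Certificate(_))
-)
-{
-report.other(
-"Only one certificate can be defined at index 0 for the role 0",
-context,
-);
-}
-if !matches!(metadata.x509_certs.first(), Some(X509DerCert::X509Cert(_)))
-&& !matches!(
-metadata.c509_certs.first(),
-Some(C509Cert::C509Certificate(_))
-)
-{
-report.other("The role 0 certificate must be present", context);
-}
-} else {
-// For other roles there still must be exactly one certificate at 0 index, but it must
-// have the `undefined` value.
-if matches!(metadata.x509_certs.first(), Some(X509DerCert::X509Cert(_)))
-|| matches!(
-metadata.c509_certs.first(),
-Some(C509Cert::C509Certificate(_))
-)
-{
-report.other("Only role 0 can contain a certificate at 0 index", context);
-}
-if matches!(metadata.x509_certs.first(), Some(X509DerCert::Deleted))
-|| matches!(metadata.c509_certs.first(), Some(C509Cert::Deleted))
-{
-report.other("Only role 0 can delete a certificate at 0 index", context);
+// There should be some role data
+if !metadata.role_data.is_empty() {
+if metadata.role_data.contains_key(&RoleNumber::ROLE_0) {
+// For the role 0 there must be exactly once certificate and it must not have `deleted`,
+// `undefined` or `C509CertInMetadatumReference` values.
+if matches!(metadata.x509_certs.first(), Some(X509DerCert::X509Cert(_)))
+&& matches!(
+metadata.c509_certs.first(),
+Some(C509Cert::C509Certificate(_))
+)
+{
+report.other(
+"Only one certificate can be defined at index 0 for the role 0",
+context,
+);
+}
+if !matches!(metadata.x509_certs.first(), Some(X509DerCert::X509Cert(_)))
+&& !matches!(
+metadata.c509_certs.first(),
+Some(C509Cert::C509Certificate(_))
+)
+{
+report.other("The role 0 certificate must be present", context);
+}
+} else {
+// For other roles there still must be exactly one certificate at 0 index, but it must
+// have the `undefined` value.
+if matches!(metadata.x509_certs.first(), Some(X509DerCert::X509Cert(_)))
+|| matches!(
+metadata.c509_certs.first(),
+Some(C509Cert::C509Certificate(_))
+)
+{
+report.other("Only role 0 can contain a certificate at 0 index", context);
+}
+if matches!(metadata.x509_certs.first(), Some(X509DerCert::Deleted))
+|| matches!(metadata.c509_certs.first(), Some(C509Cert::Deleted))
+{
+report.other("Only role 0 can delete a certificate at 0 index", context);
+}
 }
 }
-
 // It isn't allowed for any role to use a public key at 0 index.
 if !matches!(
 metadata.pub_keys.first(),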
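Review bot: With `role_data` empty the new outer guard skips every index-0 certificate rule, so a registration that carries an `X509Cert`, `C509Certificate` or `Deleted` entry at index 0 and no roles now produces no report from this block, while the added comment `// There should be some role data` reads as if emptiness were itself a problem. If empty role data is a valid registration, say so in the comment, e.g. `// Role data is optional; the index-0 certificate rules apply only when at least one role is present.`, and add a test pinning that no report is raised; if it is not valid, the empty case needs its own `report.other(...)` call. The same behaviour fits without re-indenting the branch bodies by writing the second arm as `} else if !metadata.role_data.is_empty() {`, since `contains_key(&RoleNumber::ROLE_0)` already implies a non-empty map. `validate_role_data` continues past the end of the hunk, so whether a later check covers the empty case is not visible here.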
