refactor(threatmodel): move ThreatModel from mockchain to testing-interface

bogdan-manole · bogdan-manole · commit da672c2dd852 · 2026-01-13T15:22:18.000+02:00
- Move ThreatModel modules from convex-mockchain to new namespace Convex.ThreatModel in testing-interface
  - Update convex-testing-interface.cabal with new modules and dependencies
  - Update test imports to use new namespace
diff --git a/src/coin-selection/test/Spec.hs b/src/coin-selection/test/Spec.hs
@@ -44,18 +44,21 @@ import Convex.Class (
   MonadDatumQuery (queryDatumFromHash),
   MonadMockchain,
   getTxById,
+  getTxs,
   getUtxo,
   setReward,
   setUtxo,
   singleUTxO,
  )
+import Convex.Class qualified
 import Convex.CoinSelection (
   BalanceTxError,
   ChangeOutputPosition (TrailingChange),
   keyWitnesses,
   publicKeyCredential,
  )
 import Convex.MockChain (
+  MockchainT,
   ValidationError (..),
   evalMockchain0IO,
   failedTransactions,
@@ -72,7 +75,7 @@ import Convex.MockChain.Defaults qualified as Defaults
 import Convex.MockChain.Gen qualified as Gen
 import Convex.MockChain.Staking (registerPool)
 import Convex.MockChain.Utils (
-  Options (coverageRef),
+  Options (Options, coverageRef, params),
   defaultOptions,
   mockchainFails,
   mockchainFailsWithOptions,
@@ -88,11 +91,21 @@ import Convex.NodeParams (
  )
 import Convex.Query (balancePaymentCredentials)
 import Convex.TestingInterface (
+  Actions (Actions),
   RunOptions (mcOptions),
   TestingInterface (..),
   defaultRunOptions,
   propRunActionsWithOptions,
  )
+import Convex.ThreatModel (
+  ThreatModel,
+  ThreatModelEnv (..),
+  counterexampleTM,
+  ensure,
+  getTxOutputs,
+  paragraph,
+  runThreatModel,
+ )
 import Convex.Utils (failOnError, inBabbage)
 import Convex.Utils.String (unsafeAssetName, unsafeTxId)
 import Convex.Utxos qualified as Utxos
@@ -120,6 +133,7 @@ import Scripts qualified
 import Scripts.PingPong qualified as PingPong
 import System.Exit (ExitCode)
 import Test.QuickCheck.Gen qualified as Gen
+import Test.QuickCheck.Monadic (monadicIO, monitor, run)
 import Test.Tasty (
   TestTree,
   defaultMain,
@@ -129,6 +143,7 @@ import Test.Tasty.HUnit (Assertion, testCase)
 import Test.Tasty.QuickCheck (
   Property,
   classify,
+  counterexample,
   testProperty,
  )
 import Test.Tasty.QuickCheck qualified as QC
@@ -291,6 +306,85 @@ instance TestingInterface PingPongModel where
 
   monitoring _state _action prop = prop
 
+{- | A simple threat model that demonstrates the integration pattern.
+
+This threat model checks basic transaction properties. It serves as an
+example of how to integrate ThreatModel with TestingInterface.
+
+NOTE: For proper threat model testing of output protection:
+1. The UTxO set should be captured at each transaction submission time
+   (not at the end of all transactions, as done here for simplicity)
+2. Only transactions with script inputs should be tested for output protection
+   (since only then does a validator run that could enforce the output)
+
+The DoubleSatisfaction threat model from the library is designed for more
+sophisticated scenarios where you need to test that scripts properly protect
+their outputs from being redirected.
+-}
+basicThreatModel :: ThreatModel ()
+basicThreatModel = do
+  -- Get transaction outputs to verify we can access transaction data
+  outputs <- getTxOutputs
+  -- Skip empty transactions (shouldn't happen, but be defensive)
+  ensure (not $ null outputs)
+  -- Log information about the transaction being tested
+  counterexampleTM $
+    paragraph
+      [ "Transaction has"
+      , show (length outputs)
+      , "outputs."
+      ]
+  -- This trivially passes - it demonstrates the integration pattern
+  -- For real threat models, you would use shouldValidate/shouldNotValidate
+  -- to check specific security properties
+  pure ()
+
+{- | Property test that runs PingPong actions and then checks a
+threat model against all submitted transactions.
+
+This demonstrates how to integrate threat models with TestingInterface.
+-}
+propPingPongWithThreatModel :: RunOptions -> Actions PingPongModel -> Property
+propPingPongWithThreatModel opts (Actions actions) = monadicIO $ do
+  let Options{params} = mcOptions opts
+
+  -- Run the mockchain and collect transactions
+  result <- run $ runMockchain0IOWith Wallet.initialUTxOs params $ do
+    -- Execute all actions
+    _ <- foldMActions (initialState @PingPongModel) actions
+    -- Collect submitted transactions
+    txs <- Convex.Class.getTxs
+    -- Get the current UTxO set
+    ledgerUtxo <- Convex.Class.getUtxo
+    pure (txs, ledgerUtxo)
+
+  case result of
+    ((txs, ledgerUtxo), _finalState) -> do
+      -- Convert ledger UTxO to cardano-api UTxO
+      let utxo = fromLedgerUTxO C.shelleyBasedEra ledgerUtxo
+          pparams' = params ^. ledgerProtocolParameters
+
+      -- Create ThreatModelEnv for each transaction
+      let envs =
+            [ ThreatModelEnv
+                { currentTx = tx
+                , currentUTxOs = utxo
+                , pparams = pparams'
+                }
+            | tx <- txs
+            ]
+
+      -- Run the basic threat model
+      -- This demonstrates the integration pattern
+      monitor (counterexample $ "Tested " ++ show (length txs) ++ " transactions")
+      pure $ runThreatModel basicThreatModel envs
+ where
+  foldMActions :: PingPongModel -> [Action PingPongModel] -> MockchainT C.ConwayEra IO PingPongModel
+  foldMActions s [] = pure s
+  foldMActions s (a : as) = do
+    perform s a
+    foldMActions (nextState s a) as
+
 main :: IO ()
 main = do
   ref <- newIORef mempty
@@ -409,6 +503,9 @@ tests ref =
             , testProperty
                 "Property-based test with TestingInterface"
                 (propRunActionsWithOptions @PingPongModel runOpts)
+            , testProperty
+                "Property-based test with ThreatModel integration"
+                (propPingPongWithThreatModel runOpts)
             ]
         ]
     , testGroup
diff --git a/src/mockchain/convex-mockchain.cabal b/src/mockchain/convex-mockchain.cabal
@@ -42,11 +42,6 @@ library
     Convex.MockChain.Coverage
     Convex.MockChain.Defaults
     Convex.MockChain.Gen
-    Convex.MockChain.ThreatModel
-    Convex.MockChain.ThreatModel.Cardano.Api
-    Convex.MockChain.ThreatModel.DoubleSatisfaction
-    Convex.MockChain.ThreatModel.Pretty
-    Convex.MockChain.ThreatModel.TxModifier
     Convex.MockChain.Utils
 
   hs-source-dirs:  lib
diff --git a/src/testing-interface/convex-testing-interface.cabal b/src/testing-interface/convex-testing-interface.cabal
@@ -39,14 +39,42 @@ common lang
 
 library
   import:          lang
-  exposed-modules: Convex.TestingInterface
+  exposed-modules:
+    Convex.TestingInterface
+    Convex.ThreatModel
+    Convex.ThreatModel.Cardano.Api
+    Convex.ThreatModel.DoubleSatisfaction
+    Convex.ThreatModel.Pretty
+    Convex.ThreatModel.TxModifier
+
   hs-source-dirs:  lib
   build-depends:
     , base              >=4.14.0
+    , bytestring
     , cardano-api
     , containers
     , convex-mockchain
     , convex-wallet
     , mtl
     , QuickCheck
     , transformers
+
+  -- cardano dependencies for ThreatModel
+  build-depends:
+    , cardano-ledger-allegra
+    , cardano-ledger-alonzo
+    , cardano-ledger-api
+    , cardano-ledger-babbage
+    , cardano-ledger-binary
+    , cardano-ledger-conway
+    , cardano-ledger-core
+    , cardano-slotting
+    , cardano-strict-containers
+    , ouroboros-consensus
+    , ouroboros-consensus-cardano
+    , plutus-ledger-api
+    , plutus-tx
+    , pretty
+    , sop-extras
+    , text
+    , time
diff --git a/src/testing-interface/lib/Convex/ThreatModel.hs b/src/testing-interface/lib/Convex/ThreatModel.hs
@@ -31,7 +31,7 @@
 
   For a more complex example see "Test.QuickCheck.ThreatModel.DoubleSatisfaction".
 -}
-module Convex.MockChain.ThreatModel (
+module Convex.ThreatModel (
   -- * Transaction modifiers
 
   -- ** Types
@@ -141,9 +141,9 @@ import Test.QuickCheck
 import Text.PrettyPrint hiding ((<>))
 import Text.Printf
 
-import Convex.MockChain.ThreatModel.Cardano.Api
-import Convex.MockChain.ThreatModel.Pretty
-import Convex.MockChain.ThreatModel.TxModifier
+import Convex.ThreatModel.Cardano.Api
+import Convex.ThreatModel.Pretty
+import Convex.ThreatModel.TxModifier
 
 {- $cardanoHelpers
 Some convenience functions making it easier to work with Cardano API.
diff --git a/src/testing-interface/lib/Convex/ThreatModel/Cardano/Api.hs b/src/testing-interface/lib/Convex/ThreatModel/Cardano/Api.hs
@@ -3,7 +3,7 @@
 {-# LANGUAGE LambdaCase #-}
 {-# LANGUAGE TypeApplications #-}
 
-module Convex.MockChain.ThreatModel.Cardano.Api where
+module Convex.ThreatModel.Cardano.Api where
 
 import Cardano.Api
 
@@ -12,7 +12,6 @@ import Cardano.Ledger.Alonzo.Scripts qualified as Ledger
 import Cardano.Ledger.Alonzo.TxBody qualified as Ledger
 import Cardano.Ledger.Alonzo.TxWits qualified as Ledger
 import Cardano.Ledger.Api.Tx.Body qualified as Ledger
-import Cardano.Ledger.Babbage.TxBody qualified as Ledger
 import Cardano.Ledger.Conway.Scripts qualified as Conway
 import Cardano.Ledger.Conway.TxBody qualified as Conway
 import Cardano.Ledger.Keys (WitVKey (..), coerceKeyRole, hashKey)
diff --git a/src/testing-interface/lib/Convex/ThreatModel/DoubleSatisfaction.hs b/src/testing-interface/lib/Convex/ThreatModel/DoubleSatisfaction.hs
@@ -1,13 +1,13 @@
 {-# LANGUAGE OverloadedStrings #-}
 
-module Convex.MockChain.ThreatModel.DoubleSatisfaction (
+module Convex.ThreatModel.DoubleSatisfaction (
   doubleSatisfaction,
 ) where
 
 import Data.ByteString (ByteString)
 import PlutusTx.Builtins (toBuiltin)
 
-import Convex.MockChain.ThreatModel
+import Convex.ThreatModel
 
 safeScript :: SimpleScript
 safeScript = RequireAllOf [] -- TODO: this is not the right script!
diff --git a/src/testing-interface/lib/Convex/ThreatModel/Pretty.hs b/src/testing-interface/lib/Convex/ThreatModel/Pretty.hs
@@ -1,7 +1,7 @@
 {-# LANGUAGE GADTs #-}
 {-# LANGUAGE RecordWildCards #-}
 
-module Convex.MockChain.ThreatModel.Pretty where
+module Convex.ThreatModel.Pretty where
 
 import Cardano.Api hiding (Doc, (<+>))
 
@@ -21,8 +21,8 @@ import GHC.Exts (toList)
 import Text.PrettyPrint.HughesPJClass hiding ((<>))
 import Text.Printf
 
-import Convex.MockChain.ThreatModel.Cardano.Api
-import Convex.MockChain.ThreatModel.TxModifier
+import Convex.ThreatModel.Cardano.Api
+import Convex.ThreatModel.TxModifier
 
 {- | Format a list of strings as a paragraph. The structure of the list is not considered other than
   inserting whitespace between consecutive elements. Use with
diff --git a/src/testing-interface/lib/Convex/ThreatModel/TxModifier.hs b/src/testing-interface/lib/Convex/ThreatModel/TxModifier.hs
@@ -5,13 +5,12 @@
 {-# LANGUAGE ViewPatterns #-}
 {-# OPTIONS_GHC -Wno-incomplete-uni-patterns #-}
 
-module Convex.MockChain.ThreatModel.TxModifier where
+module Convex.ThreatModel.TxModifier where
 
 import Cardano.Api
 import Cardano.Ledger.Alonzo.TxBody qualified as Ledger
 import Cardano.Ledger.Alonzo.TxWits qualified as Ledger
 import Cardano.Ledger.Api.Era qualified as Ledger
-import Cardano.Ledger.Babbage.TxBody qualified as Ledger
 import Cardano.Ledger.Binary qualified as CBOR
 import Cardano.Ledger.Conway.Scripts qualified as Conway
 import Cardano.Ledger.Conway.TxBody qualified as Conway
@@ -24,7 +23,7 @@ import Data.Maybe.Strict
 import Data.Sequence.Strict qualified as Seq
 import Data.Set qualified as Set
 
-import Convex.MockChain.ThreatModel.Cardano.Api
+import Convex.ThreatModel.Cardano.Api
 
 -- | A transaction output paired with its index in the transaction.
 data Output = Output
