Add signer/writable de/escalation tests (#14726)

2021-01-21 01:19:46 -08:00
parent 04ce33a04e
commit aa96ad042b
7 changed files with 342 additions and 341 deletions
--- a/programs/bpf/rust/invoke/src/lib.rs
+++ b/programs/bpf/rust/invoke/src/lib.rs
@ -27,6 +27,8 @@ const TEST_ALLOC_ACCESS_VIOLATION: u8 = 8;
 const TEST_INSTRUCTION_DATA_TOO_LARGE: u8 = 9;
 const TEST_INSTRUCTION_META_TOO_LARGE: u8 = 10;
 const TEST_RETURN_ERROR: u8 = 11;
+const TEST_PRIVILEGE_DEESCALATION_ESCALATION_SIGNER: u8 = 12;
+const TEST_PRIVILEGE_DEESCALATION_ESCALATION_WRITABLE: u8 = 13;

 // const MINT_INDEX: usize = 0;
 const ARGUMENT_INDEX: usize = 1;
@ -306,6 +308,18 @@ fn process_instruction(
                );
            }

+            msg!("Test privilege deescalation");
+            {
+                assert!(accounts[INVOKED_ARGUMENT_INDEX].is_signer);
+                assert!(accounts[INVOKED_ARGUMENT_INDEX].is_writable);
+                let invoked_instruction = create_instruction(
+                    *accounts[INVOKED_PROGRAM_INDEX].key,
+                    &[(accounts[INVOKED_ARGUMENT_INDEX].key, false, false)],
+                    vec![VERIFY_PRIVILEGE_DEESCALATION],
+                );
+                invoke(&invoked_instruction, accounts)?;
+            }
+
            msg!("Verify data values are retained and updated");
            {
                let data = accounts[ARGUMENT_INDEX].try_borrow_data()?;
@ -492,6 +506,34 @@ fn process_instruction(
            );
            let _ = invoke(&instruction, accounts);
        }
+        TEST_PRIVILEGE_DEESCALATION_ESCALATION_SIGNER => {
+            msg!("Test privilege deescalation escalation signer");
+            assert!(accounts[INVOKED_ARGUMENT_INDEX].is_signer);
+            assert!(accounts[INVOKED_ARGUMENT_INDEX].is_writable);
+            let invoked_instruction = create_instruction(
+                *accounts[INVOKED_PROGRAM_INDEX].key,
+                &[
+                    (accounts[INVOKED_PROGRAM_INDEX].key, false, false),
+                    (accounts[INVOKED_ARGUMENT_INDEX].key, false, false),
+                ],
+                vec![VERIFY_PRIVILEGE_DEESCALATION_ESCALATION_SIGNER],
+            );
+            invoke(&invoked_instruction, accounts)?;
+        }
+        TEST_PRIVILEGE_DEESCALATION_ESCALATION_WRITABLE => {
+            msg!("Test privilege deescalation escalation writable");
+            assert!(accounts[INVOKED_ARGUMENT_INDEX].is_signer);
+            assert!(accounts[INVOKED_ARGUMENT_INDEX].is_writable);
+            let invoked_instruction = create_instruction(
+                *accounts[INVOKED_PROGRAM_INDEX].key,
+                &[
+                    (accounts[INVOKED_PROGRAM_INDEX].key, false, false),
+                    (accounts[INVOKED_ARGUMENT_INDEX].key, false, false),
+                ],
+                vec![VERIFY_PRIVILEGE_DEESCALATION_ESCALATION_WRITABLE],
+            );
+            invoke(&invoked_instruction, accounts)?;
+        }
        _ => panic!(),
    }

--- a/programs/bpf/rust/invoked/src/instruction.rs
+++ b/programs/bpf/rust/invoked/src/instruction.rs
@ -13,6 +13,9 @@ pub const VERIFY_WRITER: u8 = 4;
 pub const VERIFY_PRIVILEGE_ESCALATION: u8 = 5;
 pub const NESTED_INVOKE: u8 = 6;
 pub const RETURN_OK: u8 = 7;
+pub const VERIFY_PRIVILEGE_DEESCALATION: u8 = 8;
+pub const VERIFY_PRIVILEGE_DEESCALATION_ESCALATION_SIGNER: u8 = 9;
+pub const VERIFY_PRIVILEGE_DEESCALATION_ESCALATION_WRITABLE: u8 = 10;

 pub fn create_instruction(
    program_id: Pubkey,
--- a/programs/bpf/rust/invoked/src/processor.rs
+++ b/programs/bpf/rust/invoked/src/processor.rs
@ -161,7 +161,41 @@ fn process_instruction(
            assert!(!accounts[ARGUMENT_INDEX].is_writable);
        }
        VERIFY_PRIVILEGE_ESCALATION => {
-            msg!("Success");
+            msg!("Should never get here!");
+        }
+        VERIFY_PRIVILEGE_DEESCALATION => {
+            msg!("verify privilege deescalation");
+            const INVOKED_ARGUMENT_INDEX: usize = 0;
+            assert!(!accounts[INVOKED_ARGUMENT_INDEX].is_signer);
+            assert!(!accounts[INVOKED_ARGUMENT_INDEX].is_writable);
+        }
+        VERIFY_PRIVILEGE_DEESCALATION_ESCALATION_SIGNER => {
+            msg!("verify privilege deescalation escalation signer");
+            const INVOKED_PROGRAM_INDEX: usize = 0;
+            const INVOKED_ARGUMENT_INDEX: usize = 1;
+
+            assert!(!accounts[INVOKED_ARGUMENT_INDEX].is_signer);
+            assert!(!accounts[INVOKED_ARGUMENT_INDEX].is_writable);
+            let invoked_instruction = create_instruction(
+                *accounts[INVOKED_PROGRAM_INDEX].key,
+                &[(accounts[INVOKED_ARGUMENT_INDEX].key, true, false)],
+                vec![VERIFY_PRIVILEGE_ESCALATION],
+            );
+            invoke(&invoked_instruction, accounts)?;
+        }
+        VERIFY_PRIVILEGE_DEESCALATION_ESCALATION_WRITABLE => {
+            msg!("verify privilege deescalation escalation writable");
+            const INVOKED_PROGRAM_INDEX: usize = 0;
+            const INVOKED_ARGUMENT_INDEX: usize = 1;
+
+            assert!(!accounts[INVOKED_ARGUMENT_INDEX].is_signer);
+            assert!(!accounts[INVOKED_ARGUMENT_INDEX].is_writable);
+            let invoked_instruction = create_instruction(
+                *accounts[INVOKED_PROGRAM_INDEX].key,
+                &[(accounts[INVOKED_ARGUMENT_INDEX].key, false, true)],
+                vec![VERIFY_PRIVILEGE_ESCALATION],
+            );
+            invoke(&invoked_instruction, accounts)?;
        }
        NESTED_INVOKE => {
            msg!("nested invoke");