From 748dddcc3246092869f55ecea80152c079af0308 Mon Sep 17 00:00:00 2001 From: catbref Date: Mon, 20 May 2019 14:35:05 +0100 Subject: [PATCH] Add checks to API call POST /admin/forgingaccounts. Now only accepts private keys for accounts with minting rights or derives to known proxy forging public key. --- src/main/java/org/qora/api/resource/AdminResource.java | 8 +++++++- src/main/java/org/qora/repository/AccountRepository.java | 2 ++ .../qora/repository/hsqldb/HSQLDBAccountRepository.java | 9 +++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/src/main/java/org/qora/api/resource/AdminResource.java b/src/main/java/org/qora/api/resource/AdminResource.java index fc1f9c1a..65e1c912 100644 --- a/src/main/java/org/qora/api/resource/AdminResource.java +++ b/src/main/java/org/qora/api/resource/AdminResource.java @@ -32,6 +32,7 @@ import javax.ws.rs.core.MediaType; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.core.LoggerContext; import org.apache.logging.log4j.core.appender.RollingFileAppender; +import org.qora.account.Forging; import org.qora.account.PrivateKeyAccount; import org.qora.api.ApiError; import org.qora.api.ApiErrors; @@ -238,8 +239,13 @@ public class AdminResource { public String addForgingAccount(String seed58) { try (final Repository repository = RepositoryManager.getRepository()) { byte[] seed = Base58.decode(seed58.trim()); + // Check seed is valid - new PrivateKeyAccount(null, seed); + PrivateKeyAccount forgingAccount = new PrivateKeyAccount(repository, seed); + + // Account must derive to known proxy forging public key or have minting flag set + if (!Forging.canForge(forgingAccount) && !repository.getAccountRepository().isProxyPublicKey(forgingAccount.getPublicKey())) + throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.INVALID_PRIVATE_KEY); ForgingAccountData forgingAccountData = new ForgingAccountData(seed); diff --git a/src/main/java/org/qora/repository/AccountRepository.java b/src/main/java/org/qora/repository/AccountRepository.java index a1533b2d..fda28639 100644 --- a/src/main/java/org/qora/repository/AccountRepository.java +++ b/src/main/java/org/qora/repository/AccountRepository.java @@ -89,6 +89,8 @@ public interface AccountRepository { public ProxyForgerData getProxyForgeData(byte[] proxyPublicKey) throws DataException; + public boolean isProxyPublicKey(byte[] publicKey) throws DataException; + public List findProxyAccounts(List recipients, List forgers, Integer limit, Integer offset, Boolean reverse) throws DataException; public void save(ProxyForgerData proxyForgerData) throws DataException; diff --git a/src/main/java/org/qora/repository/hsqldb/HSQLDBAccountRepository.java b/src/main/java/org/qora/repository/hsqldb/HSQLDBAccountRepository.java index 943fb79f..a626882d 100644 --- a/src/main/java/org/qora/repository/hsqldb/HSQLDBAccountRepository.java +++ b/src/main/java/org/qora/repository/hsqldb/HSQLDBAccountRepository.java @@ -352,6 +352,15 @@ public class HSQLDBAccountRepository implements AccountRepository { } } + @Override + public boolean isProxyPublicKey(byte[] publicKey) throws DataException { + try { + return this.repository.exists("ProxyForgers", "proxy_public_key = ?", publicKey); + } catch (SQLException e) { + throw new DataException("Unable to check for proxy public key in repository", e); + } + } + @Override public List findProxyAccounts(List recipients, List forgers, Integer limit, Integer offset, Boolean reverse) throws DataException { String sql = "SELECT forger, recipient, share, proxy_public_key FROM ProxyForgers ";