Add checks to API call POST /admin/forgingaccounts.

Now only accepts private keys for accounts with minting rights or derives to known proxy forging public key.
2019-05-20 14:35:05 +01:00 · 2019-05-20 14:35:05 +01:00 · 748dddcc32
commit 748dddcc32
parent 7409c024f6
3 changed files with 18 additions and 1 deletions
--- a/src/main/java/org/qora/api/resource/AdminResource.java
+++ b/src/main/java/org/qora/api/resource/AdminResource.java
@ -32,6 +32,7 @@ import javax.ws.rs.core.MediaType;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.core.LoggerContext;
 import org.apache.logging.log4j.core.appender.RollingFileAppender;
+import org.qora.account.Forging;
 import org.qora.account.PrivateKeyAccount;
 import org.qora.api.ApiError;
 import org.qora.api.ApiErrors;
@ -238,8 +239,13 @@ public class AdminResource {
 	public String addForgingAccount(String seed58) {
 		try (final Repository repository = RepositoryManager.getRepository()) {
 			byte[] seed = Base58.decode(seed58.trim());
+
 			// Check seed is valid
-			new PrivateKeyAccount(null, seed);
+			PrivateKeyAccount forgingAccount = new PrivateKeyAccount(repository, seed);
+
+			// Account must derive to known proxy forging public key or have minting flag set
+			if (!Forging.canForge(forgingAccount) && !repository.getAccountRepository().isProxyPublicKey(forgingAccount.getPublicKey()))
+				throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.INVALID_PRIVATE_KEY);

 			ForgingAccountData forgingAccountData = new ForgingAccountData(seed);

--- a/src/main/java/org/qora/repository/AccountRepository.java
+++ b/src/main/java/org/qora/repository/AccountRepository.java
@ -89,6 +89,8 @@ public interface AccountRepository {

 	public ProxyForgerData getProxyForgeData(byte[] proxyPublicKey) throws DataException;

+	public boolean isProxyPublicKey(byte[] publicKey) throws DataException;
+
 	public List<ProxyForgerData> findProxyAccounts(List<String> recipients, List<String> forgers, Integer limit, Integer offset, Boolean reverse) throws DataException;

 	public void save(ProxyForgerData proxyForgerData) throws DataException;
--- a/src/main/java/org/qora/repository/hsqldb/HSQLDBAccountRepository.java
+++ b/src/main/java/org/qora/repository/hsqldb/HSQLDBAccountRepository.java
@ -352,6 +352,15 @@ public class HSQLDBAccountRepository implements AccountRepository {
 		}
 	}

+	@Override
+	public boolean isProxyPublicKey(byte[] publicKey) throws DataException {
+		try {
+			return this.repository.exists("ProxyForgers", "proxy_public_key = ?", publicKey);
+		} catch (SQLException e) {
+			throw new DataException("Unable to check for proxy public key in repository", e);
+		}
+	}
+
 	@Override
 	public List<ProxyForgerData> findProxyAccounts(List<String> recipients, List<String> forgers, Integer limit, Integer offset, Boolean reverse) throws DataException {
 		String sql = "SELECT forger, recipient, share, proxy_public_key FROM ProxyForgers ";