Revised test cases for authorization and added security annotations. (#15759)

CHANGELOG_BEGIN
CHANGELOG_END

daml-lf/engine/BUILD.bazel

@@ -64,6 +64,7 @@ da_scala_test_suite(
         "@maven//:org_scalatest_scalatest_shouldmatchers",
         "@maven//:org_scalatest_scalatest_wordspec",
         "@maven//:org_scalaz_scalaz_core",
+        "@maven//:com_lihaoyi_sourcecode",
     ],
     scalacopts = lf_scalacopts,
     deps = [
@@ -79,6 +80,8 @@ da_scala_test_suite(
         "//daml-lf/transaction-test-lib",
         "//libs-scala/contextualized-logging",
         "//libs-scala/logging-entries",
+        "//libs-scala/test-evidence/scalatest:test-evidence-scalatest",
+        "//libs-scala/test-evidence/tag:test-evidence-tag",
         "@maven//:com_google_protobuf_protobuf_java",
         "@maven//:org_scalatest_scalatest_compatible",
     ],

daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/EngineTest.scala

@@ -36,6 +36,14 @@ import com.daml.lf.engine.Error.Interpretation.DamlException
 import com.daml.lf.language.{LanguageVersion, PackageInterface, StablePackage}
 import com.daml.lf.transaction.test.TransactionBuilder.assertAsVersionedContract
 import com.daml.logging.LoggingContext
+import com.daml.test.evidence.scalatest.ScalaTestSupport.Implicits.tagToContainer
+import com.daml.test.evidence.tag.Security.SecurityTest.Property.Authorization
+import com.daml.test.evidence.tag.Security.{
+  Attack,
+  SecurityTest,
+  SecurityTestLayer,
+  SecurityTestSuite,
+}
 import org.scalactic.Equality
 import org.scalatest.prop.TableDrivenPropertyChecks
 import org.scalatest.{Assertion, EitherValues}
@@ -58,10 +66,13 @@ class EngineTest
     extends AnyWordSpec
     with Matchers
     with TableDrivenPropertyChecks
-    with EitherValues {
+    with EitherValues
+    with SecurityTestSuite {
 
   import EngineTest._
 
+  override def securityTestLayer = SecurityTestLayer.LedgerModel
+
   "minimal create command" should {
     val id = Identifier(basicTestsPkgId, "BasicTests:Simple")
     val let = Time.Timestamp.now()
@@ -1194,6 +1205,13 @@ class EngineTest
       (Some[Name]("fetcher"), ValueParty(clara)),
     )
 
+    val fetcher3Cid = toContractId("4")
+    val fetcher3TArgs = ImmArray(
+      (Some[Name]("sig"), ValueParty(clara)),
+      (Some[Name]("obs"), ValueParty(alice)),
+      (Some[Name]("fetcher"), ValueParty(party)),
+    )
+
     def makeContract(
         tid: Ref.QualifiedName,
         targs: ImmArray[(Option[Name], Value)],
@@ -1211,6 +1229,7 @@ class EngineTest
         case `fetchedCid` => Some(makeContract(fetchedStrTid, fetchedTArgs))
         case `fetcher1Cid` => Some(makeContract(fetcherStrTid, fetcher1TArgs))
         case `fetcher2Cid` => Some(makeContract(fetcherStrTid, fetcher2TArgs))
+        case `fetcher3Cid` => Some(makeContract(fetcherStrTid, fetcher3TArgs))
         case _ => None
       }
     }
@@ -1265,16 +1284,49 @@ class EngineTest
 
     }
 
-    "propagate the parent's signatories and actors (but not observers) when stakeholders" in {
+    "propagate the parent's signatories and actors (but not observers) when stakeholders" taggedAs SecurityTest(
+      Authorization,
+      "ledger",
+      Attack(
+        "ledger api user",
+        "try to authorize an action through exercise observers", // i.e. bob
+        "only record signatories and actors as fetch actors",
+      ),
+    ) in {
+
+      // fetch stakeholders: alice, bob, clara
+
+      // alice: parent signatory
+      // bob: parent observer
+      // clara: parent actor
 
       val Right((tx, _)) = runExample(fetcher1Cid, clara)
       txFetchActors(tx.transaction) shouldBe Set(alice, clara)
     }
 
-    "not propagate the parent's signatories nor actors when not stakeholders" in {
+    "not propagate the parent's signatories nor actors when not stakeholders" taggedAs SecurityTest(
+      Authorization,
+      "ledger",
+      Attack(
+        "ledger api user",
+        "try to fetch a contract without authorization from a stakeholder of the fetched contract",
+        "only record stakeholders of the fetched contract as fetch actors", // i.e., clara
+      ),
+    ) in {
 
-      val Right((tx, _)) = runExample(fetcher2Cid, clara)
-      txFetchActors(tx.transaction) shouldBe Set(clara)
+      // fetch stakeholders: alice, bob, clara
+
+      // party: parent signatory
+      // alice: parent observer
+      // clara: parent actor
+      val Right((tx1, _)) = runExample(fetcher2Cid, clara)
+      txFetchActors(tx1.transaction) shouldBe Set(clara)
+
+      // clara: parent signatory
+      // alice: parent observer
+      // party: parent actor
+      val Right((tx2, _)) = runExample(fetcher3Cid, party)
+      txFetchActors(tx2.transaction) shouldBe Set(clara)
     }
 
     "be retained when reinterpreting single fetch nodes" in {

daml-lf/tests/BasicTests.daml

@@ -415,7 +415,7 @@ template Fetcher
     fetcher : Party
   where
     signatory sig
-    observer fetcher
+    observer obs
     choice DoFetch : Fetched
       with cid : ContractId Fetched
       controller fetcher

security-evidence.md

@@ -149,7 +149,7 @@
 - Evaluation order of successful lookup_by_key of a local contract: [EvaluationOrderTest.scala](daml-lf/interpreter/src/test/scala/com/digitalasset/daml/lf/speedy/EvaluationOrderTest.scala#L2925)
 - Evaluation order of successful lookup_by_key of a non-cached global contract: [EvaluationOrderTest.scala](daml-lf/interpreter/src/test/scala/com/digitalasset/daml/lf/speedy/EvaluationOrderTest.scala#L2773)
 - Exceptions, throw/catch.: [ExceptionTest.scala](daml-lf/interpreter/src/test/scala/com/digitalasset/daml/lf/speedy/ExceptionTest.scala#L26)
-- Rollback creates cannot be exercise: [EngineTest.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/EngineTest.scala#L2080)
+- Rollback creates cannot be exercise: [EngineTest.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/EngineTest.scala#L2132)
 - This checks that type checking in exercise_interface is done after checking activeness.: [EvaluationOrderTest.scala](daml-lf/interpreter/src/test/scala/com/digitalasset/daml/lf/speedy/EvaluationOrderTest.scala#L1860)
 - This checks that type checking is done after checking activeness.: [EvaluationOrderTest.scala](daml-lf/interpreter/src/test/scala/com/digitalasset/daml/lf/speedy/EvaluationOrderTest.scala#L1750)
 - This checks that type checking is done after checking activeness.: [EvaluationOrderTest.scala](daml-lf/interpreter/src/test/scala/com/digitalasset/daml/lf/speedy/EvaluationOrderTest.scala#L2717)