Fix verify_zklogin_id and issuer functions (#14100)

jonas-lj · web-flow · commit 06f34cd62efb · 2023-10-04T22:56:33.000+02:00
## Description 

Fix `verify_zklogin_id` and `verify_zklogin_issuer` functions such that
they transfer the verified id or issuer objects to the sender.

## Test Plan 

Unit tests

### Type of Change (Check all that apply)

- [x] protocol change
- [x] user-visible impact
- [ ] breaking change for a client SDKs
- [x] breaking change for FNs (FN binary must upgrade)
- [x] breaking change for validators or node operators (must upgrade
binaries)
- [ ] breaking change for on-chain data layout
- [ ] necessitate either a data wipe or data migration

### Release notes
Fix bug in `verify_zklogin_id` and `verify_zklogin_issuer` functions.
diff --git a/crates/sui-framework/packages/sui-framework/sources/crypto/zklogin_verified_id.move b/crates/sui-framework/packages/sui-framework/sources/crypto/zklogin_verified_id.move
@@ -5,6 +5,7 @@ module sui::zklogin_verified_id {
     use std::string::String;
     use sui::object;
     use sui::object::UID;
+    use sui::transfer;
     use sui::tx_context::TxContext;
     use sui::tx_context;
 
@@ -69,9 +70,20 @@ module sui::zklogin_verified_id {
         audience: String,
         pin_hash: u256,
         ctx: &mut TxContext,
-    ): VerifiedID {
-        assert!(check_zklogin_id(tx_context::sender(ctx), &key_claim_name, &key_claim_value, &issuer, &audience, pin_hash), EInvalidProof);
-        VerifiedID { id: object::new(ctx), owner: tx_context::sender(ctx), key_claim_name, key_claim_value, issuer, audience}
+    ) {
+        let sender = tx_context::sender(ctx);
+        assert!(check_zklogin_id(sender, &key_claim_name, &key_claim_value, &issuer, &audience, pin_hash), EInvalidProof);
+        transfer::transfer(
+            VerifiedID {
+                id: object::new(ctx),
+                owner: sender,
+                key_claim_name,
+                key_claim_value,
+                issuer,
+                audience
+            },
+            sender
+        );
     }
 
     /// Returns true if `address` was created using zklogin and the given parameters.
diff --git a/crates/sui-framework/packages/sui-framework/sources/crypto/zklogin_verified_issuer.move b/crates/sui-framework/packages/sui-framework/sources/crypto/zklogin_verified_issuer.move
@@ -3,6 +3,7 @@
 
 module sui::zklogin_verified_issuer {
     use std::string::String;
+    use sui::transfer;
     use sui::object;
     use sui::object::UID;
     use sui::tx_context::TxContext;
@@ -43,9 +44,17 @@ module sui::zklogin_verified_issuer {
         address_seed: u256,
         issuer: String,
         ctx: &mut TxContext,
-    ): VerifiedIssuer {
-        assert!(check_zklogin_issuer(tx_context::sender(ctx), address_seed, &issuer), EInvalidProof);
-        VerifiedIssuer {id: object::new(ctx), owner: tx_context::sender(ctx), issuer}
+    ) {
+        let sender = tx_context::sender(ctx);
+        assert!(check_zklogin_issuer(sender, address_seed, &issuer), EInvalidProof);
+        transfer::transfer(
+            VerifiedIssuer {
+                id: object::new(ctx),
+                owner: sender,
+                issuer
+            },
+            sender
+        )
     }
 
     /// Returns true if `address` was created using zklogin with the given issuer and address seed.
diff --git a/crates/sui-framework/packages/sui-framework/tests/crypto/zklogin_verified_id_tests.move b/crates/sui-framework/packages/sui-framework/tests/crypto/zklogin_verified_id_tests.move
@@ -3,13 +3,15 @@
 
 #[test_only]
 module sui::zklogin_verified_id_tests {
-    use sui::zklogin_verified_id::check_zklogin_id;
+    use sui::zklogin_verified_id::{check_zklogin_id, verify_zklogin_id, VerifiedID};
     use sui::address;
     use std::string::utf8;
+    use sui::bag::add;
+    use sui::test_scenario;
 
     #[test]
     fun test_check_zklogin_id() {
-        let address = address::from_bytes(x"1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b");
+        let address = @0x1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b;
         let kc_name = utf8(b"sub");
         let kc_value = utf8(b"106294049240999307923");
         let aud = utf8(b"575519204237-msop9ep45u2uo98hapqmngv8d84qdc8k.apps.googleusercontent.com");
@@ -41,7 +43,7 @@ module sui::zklogin_verified_id_tests {
     fun test_check_zklogin_id_upper_bounds() {
         // Set kc_name, kc_value and aud to be as long as they can be (32, 115 and 145 bytes respectively) and verify
         // that the check function doesn't abort.
-        let address = address::from_bytes(x"1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b");
+        let address = @0x1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b;
         let kc_name = utf8(b"qvKbuwvu6LTnYocFPwz1EiIClFUAuMC3");
         let kc_value = utf8(b"BA7SREzYLKG5opithujfrU8SFaSpKI4zezu8Vb2GBPVpZsMUpYVeXl6oEAo84ryIlbHOqrMWpI7mlTfvr7HYxiF70jdyIY4rPOOpuJIYWwN3o1olTP2");
         let aud = utf8(b"munO2fnn2XnBNq5fXRmSmhC4GPL3yX4Rv9fGoECXTsmniR8dwkPTefbmLF08zh7BnVcaxriii4dEPNwzEF2puLIHmJoeuYbQxV84J9of4NRaL3IhwImVGubgPHWfMfCuGuedCdLn6KUdJsgG1");
@@ -53,7 +55,7 @@ module sui::zklogin_verified_id_tests {
     #[test]
     #[expected_failure(abort_code = sui::zklogin_verified_id::EInvalidInput)]
     fun test_check_zklogin_id_long_kc_name() {
-        let address = address::from_bytes(x"1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b");
+        let address = @0x1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b;
         // Should at most be 32 bytes
         let long_kc_name = utf8(b"qvKbuwvu6LTnYocFPwz1EiIClFUAuMC3G");
         let kc_value = utf8(b"106294049240999307923");
@@ -66,7 +68,7 @@ module sui::zklogin_verified_id_tests {
     #[test]
     #[expected_failure(abort_code = sui::zklogin_verified_id::EInvalidInput)]
     fun test_check_zklogin_id_long_aud() {
-        let address = address::from_bytes(x"1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b");
+        let address = @0x1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b;
         let kc_name = utf8(b"sub");
         // Should at most be 115 bytes
         let long_kc_value = utf8(b"BA7SREzYLKG5opithujfrU8SFaSpKI4zezu8Vb2GBPVpZsMUpYVeXl6oEAo84ryIlbHOqrMWpI7mlTfvr7HYxiF70jdyIY4rPOOpuJIYWwN3o1olTP2c");
@@ -79,7 +81,7 @@ module sui::zklogin_verified_id_tests {
     #[test]
     #[expected_failure(abort_code = sui::zklogin_verified_id::EInvalidInput)]
     fun test_check_zklogin_id_long_kc_value() {
-        let address = address::from_bytes(x"1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b");
+        let address = @0x1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b;
         let kc_name = utf8(b"sub");
         let kc_value = utf8(b"106294049240999307923");
         // Should be at most 145 bytes
@@ -88,4 +90,45 @@ module sui::zklogin_verified_id_tests {
         let salt_hash = 15232766888716517538274372547598053531354666056102343895255590477425668733026u256;
         check_zklogin_id(address, &kc_name, &kc_value, &iss, &long_aud, salt_hash);
     }
+
+    #[test]
+    fun test_verified_id() {
+        let address = @0x1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b;
+
+        let kc_name = utf8(b"sub");
+        let kc_value = utf8(b"106294049240999307923");
+        let aud = utf8(b"575519204237-msop9ep45u2uo98hapqmngv8d84qdc8k.apps.googleusercontent.com");
+        let iss = utf8(b"https://accounts.google.com");
+        let salt_hash = 15232766888716517538274372547598053531354666056102343895255590477425668733026u256;
+
+        let scenario_val = test_scenario::begin(address);
+        let scenario = &mut scenario_val;
+        {
+            verify_zklogin_id(kc_name, kc_value, iss, aud, salt_hash, test_scenario::ctx(scenario));
+        };
+        test_scenario::next_tx(scenario, address);
+        {
+            assert!(test_scenario::has_most_recent_for_sender<VerifiedID>(scenario), 0);
+        };
+        test_scenario::end(scenario_val);
+    }
+
+    #[test]
+    #[expected_failure(abort_code = sui::zklogin_verified_id::EInvalidProof)]
+    fun test_invalid_verified_issuer() {
+        let other_address = @0x1;
+
+        let kc_name = utf8(b"sub");
+        let kc_value = utf8(b"106294049240999307923");
+        let aud = utf8(b"575519204237-msop9ep45u2uo98hapqmngv8d84qdc8k.apps.googleusercontent.com");
+        let iss = utf8(b"https://accounts.google.com");
+        let salt_hash = 15232766888716517538274372547598053531354666056102343895255590477425668733026u256;
+
+        let scenario_val = test_scenario::begin(other_address);
+        let scenario = &mut scenario_val;
+        {
+            verify_zklogin_id(kc_name, kc_value, iss, aud, salt_hash, test_scenario::ctx(scenario));
+        };
+        test_scenario::end(scenario_val);
+    }
 }
diff --git a/crates/sui-framework/packages/sui-framework/tests/crypto/zklogin_verified_issuer_tests.move b/crates/sui-framework/packages/sui-framework/tests/crypto/zklogin_verified_issuer_tests.move
@@ -3,18 +3,18 @@
 
 #[test_only]
 module sui::zklogin_verified_issuer_tests {
-    use sui::zklogin_verified_issuer::check_zklogin_issuer;
-    use sui::address;
+    use sui::zklogin_verified_issuer::{check_zklogin_issuer, verify_zklogin_issuer, VerifiedIssuer};
     use std::string::utf8;
+    use sui::test_scenario;
 
     #[test]
     fun test_check_zklogin_issuer() {
-        let address = address::from_bytes(x"1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b");
+        let address = @0x1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b;
         let iss = utf8(b"https://accounts.google.com");
         let address_seed = 3006596378422062745101035755700472756930796952630484939867684134047976874601u256;
         assert!(check_zklogin_issuer(address,  address_seed, &iss,), 0);
 
-        let other_address = address::from_bytes(x"006b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b");
+        let other_address = @0x006b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b;
         assert!(!check_zklogin_issuer(other_address, address_seed, &iss), 1);
 
         let other_address_seed = 1234u256;
@@ -23,4 +23,38 @@ module sui::zklogin_verified_issuer_tests {
         let other_iss = utf8(b"https://other.issuer.com");
         assert!(!check_zklogin_issuer(address, address_seed, &other_iss), 3);
     }
+
+    #[test]
+    fun test_verified_issuer() {
+        let address = @0x1c6b623a2f2c91333df730c98d220f11484953b391a3818680f922c264cc0c6b;
+        let iss = utf8(b"https://accounts.google.com");
+        let address_seed = 3006596378422062745101035755700472756930796952630484939867684134047976874601u256;
+
+        assert!(check_zklogin_issuer(address,  address_seed, &iss), 0);
+
+        let scenario_val = test_scenario::begin(address);
+        let scenario = &mut scenario_val;
+        {
+            verify_zklogin_issuer(address_seed, iss, test_scenario::ctx(scenario));
+        };
+        test_scenario::next_tx(scenario, address);
+        {
+            assert!(test_scenario::has_most_recent_for_sender<VerifiedIssuer>(scenario), 1);
+        };
+        test_scenario::end(scenario_val);
+    }
+
+    #[test]
+    #[expected_failure(abort_code = sui::zklogin_verified_issuer::EInvalidProof)]
+    fun test_invalid_verified_issuer() {
+        let other_address = @0x1;
+        let iss = utf8(b"https://accounts.google.com");
+        let address_seed = 3006596378422062745101035755700472756930796952630484939867684134047976874601u256;
+        let scenario_val = test_scenario::begin(other_address);
+        let scenario = &mut scenario_val;
+        {
+            verify_zklogin_issuer(address_seed, iss, test_scenario::ctx(scenario));
+        };
+        test_scenario::end(scenario_val);
+    }
 }
