fix #245

pallets/distance/src/mock.rs

@@ -243,6 +243,7 @@ impl pallet_identity::Config for Test {
     type IdtyNameValidator = IdtyNameValidatorTestImpl;
     type OnNewIdty = ();
     type OnRemoveIdty = ();
+    type OwnerKeyChangePermission = ();
     type RuntimeEvent = RuntimeEvent;
     type Signature = TestSignature;
     type Signer = UintAuthorityId;

pallets/duniter-wot/src/mock.rs

@@ -123,6 +123,7 @@ impl pallet_identity::Config for Test {
     type IdtyNameValidator = IdtyNameValidatorTestImpl;
     type OnNewIdty = DuniterWot;
     type OnRemoveIdty = DuniterWot;
+    type OwnerKeyChangePermission = ();
     type RuntimeEvent = RuntimeEvent;
     type Signature = TestSignature;
     type Signer = UintAuthorityId;

pallets/identity/src/lib.rs

@@ -132,6 +132,9 @@ pub mod pallet {
         /// The type used to check account worthiness.
         type CheckAccountWorthiness: CheckAccountWorthiness<Self>;
 
+        /// Handler that checks the necessary permissions for an identity's owner key change.
+        type OwnerKeyChangePermission: CheckKeyChangeAllowed<Self>;
+
         /// Custom data to store in each identity.
         type IdtyData: Clone
             + Codec
@@ -453,6 +456,12 @@ pub mod pallet {
                 Error::<T>::OwnerKeyAlreadyUsed
             );
 
+            // Ensure that the key is not currently as a validator
+            ensure!(
+                T::OwnerKeyChangePermission::check_allowed(&idty_index),
+                Error::<T>::OwnerKeyUsedAsValidator
+            );
+
             let block_number = frame_system::Pallet::<T>::block_number();
             let maybe_old_old_owner_key =
                 if let Some((old_owner_key, last_change)) = idty_value.old_owner_key {
@@ -690,6 +699,8 @@ pub mod pallet {
         AccountNotExist,
         /// Insufficient balance to create an identity.
         InsufficientBalance,
+        /// Owner key currently used as validator.
+        OwnerKeyUsedAsValidator,
     }
 
     // INTERNAL FUNCTIONS //

pallets/identity/src/mock.rs

@@ -116,6 +116,7 @@ impl pallet_identity::Config for Test {
     type IdtyNameValidator = IdtyNameValidatorTestImpl;
     type OnNewIdty = ();
     type OnRemoveIdty = ();
+    type OwnerKeyChangePermission = ();
     type RuntimeEvent = RuntimeEvent;
     type Signature = Signature;
     type Signer = AccountPublic;

pallets/identity/src/traits.rs

@@ -94,3 +94,15 @@ impl<AccountId, IdtyIndex> LinkIdty<AccountId, IdtyIndex> for () {
         Ok(())
     }
 }
+
+/// Trait for checking whether a key change is allowed for a given identity.
+pub trait CheckKeyChangeAllowed<T: Config> {
+    /// Determines if a key change is allowed for the given identity.
+    fn check_allowed(account_id: &T::IdtyIndex) -> bool;
+}
+
+impl<T: Config> CheckKeyChangeAllowed<T> for () {
+    fn check_allowed(_: &T::IdtyIndex) -> bool {
+        true
+    }
+}

pallets/quota/src/mock.rs

@@ -157,6 +157,7 @@ impl pallet_identity::Config for Test {
     type IdtyNameValidator = IdtyNameValidatorTestImpl;
     type OnNewIdty = ();
     type OnRemoveIdty = ();
+    type OwnerKeyChangePermission = ();
     type RuntimeEvent = RuntimeEvent;
     type Signature = Signature;
     type Signer = AccountPublic;

runtime/common/src/handlers.rs

@@ -165,3 +165,17 @@ where
         }
     }
 }
+
+/// Runtime handler OwnerKeyChangePermission.
+pub struct OwnerKeyChangePermissionHandler<Runtime>(core::marker::PhantomData<Runtime>);
+impl<
+        Runtime: frame_system::Config
+            + pallet_identity::Config<IdtyIndex = IdtyIndex>
+            + pallet_authority_members::Config<MemberId = IdtyIndex>,
+    > pallet_identity::traits::CheckKeyChangeAllowed<Runtime>
+    for OwnerKeyChangePermissionHandler<Runtime>
+{
+    fn check_allowed(idty_index: &IdtyIndex) -> bool {
+        !pallet_authority_members::Pallet::<Runtime>::online().contains(idty_index)
+    }
+}

runtime/common/src/pallets_config.rs

@@ -470,6 +470,7 @@ macro_rules! pallets_config {
             type IdtyNameValidator = IdtyNameValidatorImpl;
             type OnNewIdty = OnNewIdtyHandler<Runtime>;
             type OnRemoveIdty = OnRemoveIdtyHandler<Runtime>;
+            type OwnerKeyChangePermission = OwnerKeyChangePermissionHandler<Runtime>;
             type RuntimeEvent = RuntimeEvent;
             type Signature = Signature;
             type Signer = <Signature as sp_runtime::traits::Verify>::Signer;

runtime/gdev/tests/integration_tests.rs

@@ -1361,6 +1361,31 @@ fn test_link_account() {
         })
 }
 
+/// test change owner key
+#[test]
+fn test_change_owner_key_validator_online() {
+    ExtBuilder::new(1, 3, 4).build().execute_with(|| {
+        let genesis_hash = System::block_hash(0);
+        let alice = AccountKeyring::Alice.to_account_id();
+        let ferdie = AccountKeyring::Ferdie.to_account_id();
+        let payload = (b"icok", genesis_hash, 1u32, alice.clone()).encode();
+        let signature = AccountKeyring::Alice.sign(&payload);
+
+        // Alice is an online validator
+        assert!(pallet_authority_members::OnlineAuthorities::<Runtime>::get().contains(&1));
+
+        // As an online validator she cannot change key
+        assert_noop!(
+            Identity::change_owner_key(
+                frame_system::RawOrigin::Signed(alice.clone()).into(),
+                ferdie.clone(),
+                signature.into()
+            ),
+            pallet_identity::Error::<gdev_runtime::Runtime>::OwnerKeyUsedAsValidator
+        );
+    })
+}
+
 /// test change owner key
 #[test]
 fn test_change_owner_key() {