feat: improve tests

Author: valeriyr

crates/iota-e2e-tests/tests/abstract_account_tests.rs

@@ -1426,6 +1426,19 @@ async fn test_sponsored_tx_sender_aa_fails_post_consensus_when_only_sponsor_runs
         "Expected a Move abort from the failed ED25519 authentication"
     );
 
+    // Even though the TX failed, the sponsor must have paid gas. Verify that
+    // computation was charged and that the correct gas object (the sponsor's coin)
+    // was debited.
+    assert!(
+        summary.gas_used.computation_cost > 0,
+        "Expected computation cost > 0: the sponsor must pay gas even for a post-consensus failure"
+    );
+    assert_eq!(
+        effects_cert.data().gas_object().0.object_id,
+        sponsor_gas.object_id,
+        "Expected the sponsor's gas coin to be used for the failed TX"
+    );
+
     Ok(())
 }
 

crates/iota-types/src/transaction.rs

@@ -2114,38 +2114,23 @@ impl SenderSignedData {
     }
 
     /// Computes the auth digest for the sender and, if sponsored, for the
-    /// sponsor.
-    ///
-    /// For [`MoveAuthenticator`] signatures this equals
-    /// [`MoveAuthenticator::digest()`]. For all other signature types it is the
-    /// Blake2b256 of the serialized (flag-prefixed) signature bytes.
+    /// sponsor. See [`auth_digest_for_sig`] for the per-signature logic.
     pub fn compute_auth_digests(&self) -> IotaResult<(Digest, Option<Digest>)> {
         let tx_data = self.transaction_data();
 
-        #[allow(deprecated)]
-        let compute_digest = |address: IotaAddress| {
+        let digest_for_address = |address: IotaAddress| {
             self.tx_signatures()
                 .iter()
                 .find(|sig| IotaAddress::try_from(*sig).ok() == Some(address))
-                .map(|sig| match sig {
-                    GenericSignature::MoveAuthenticator(authenticator) => authenticator.digest(),
-                    GenericSignature::MultiSig(_)
-                    | GenericSignature::Signature(_)
-                    | GenericSignature::ZkLoginAuthenticatorDeprecated(_)
-                    | GenericSignature::PasskeyAuthenticator(_) => {
-                        let mut hasher = DefaultHash::default();
-                        hasher.update(sig.as_ref());
-                        Digest::new(hasher.finalize().into())
-                    }
-                })
                 .ok_or_else(|| IotaError::InvalidSignature {
                     error: format!("no signature found for address {address}"),
                 })
+                .and_then(auth_digest_for_sig)
         };
 
-        let sender_auth_digest = compute_digest(tx_data.sender())?;
+        let sender_auth_digest = digest_for_address(tx_data.sender())?;
         let sponsor_auth_digest = if tx_data.is_sponsored_tx() {
-            Some(compute_digest(tx_data.gas_owner())?)
+            Some(digest_for_address(tx_data.gas_owner())?)
         } else {
             None
         };
@@ -3368,3 +3353,27 @@ impl TransactionKey {
         }
     }
 }
+
+/// Computes the auth digest for a single [`GenericSignature`].
+///
+/// For [`MoveAuthenticator`] signatures this equals
+/// [`MoveAuthenticator::digest()`]. For all other supported signature types it
+/// is the Blake2b256 of the serialized (flag-prefixed) signature bytes.
+/// Returns an error for [`GenericSignature::ZkLoginAuthenticatorDeprecated`]
+/// since zkLogin was never enabled on IOTA.
+#[allow(deprecated)]
+pub fn auth_digest_for_sig(sig: &GenericSignature) -> IotaResult<Digest> {
+    match sig {
+        GenericSignature::MoveAuthenticator(authenticator) => Ok(authenticator.digest()),
+        GenericSignature::ZkLoginAuthenticatorDeprecated(_) => Err(IotaError::UnsupportedFeature {
+            error: "zkLogin is not supported".to_string(),
+        }),
+        GenericSignature::MultiSig(_)
+        | GenericSignature::Signature(_)
+        | GenericSignature::PasskeyAuthenticator(_) => {
+            let mut hasher = DefaultHash::default();
+            hasher.update(sig.as_ref());
+            Ok(Digest::new(hasher.finalize().into()))
+        }
+    }
+}

crates/iota-types/src/unit_tests/messages_tests.rs

@@ -31,6 +31,12 @@ use crate::{
     execution_status::ExecutionStatus,
     gas::GasCostSummary,
     object::Owner,
+    signature::ZkLoginAuthenticatorDeprecated,
+    utils::{
+        blake2b256_of_sig, make_move_authenticator_sig, make_move_authenticator_tx,
+        make_passkey_authenticator_sig, make_sponsored_move_authenticator_tx,
+        make_sponsored_regular_sig_tx, make_transaction, make_upgraded_multisig_tx,
+    },
 };
 
 #[test]
@@ -1382,3 +1388,92 @@ fn check_approx_effects_components_size() {
         "Update APPROX_SIZE_OF_EXECUTION_STATUS constant"
     );
 }
+
+#[test]
+fn auth_digest_for_move_authenticator_equals_authenticator_digest() {
+    let (sender, _): (_, AccountKeyPair) = get_key_pair();
+    let (sig, authenticator) = make_move_authenticator_sig(sender);
+    assert_eq!(auth_digest_for_sig(&sig).unwrap(), authenticator.digest());
+}
+
+#[test]
+fn auth_digest_for_regular_signature_is_hash_of_sig_bytes() {
+    let (sender, kp): (_, AccountKeyPair) = get_key_pair();
+    let tx = make_transaction(sender, &IotaKeyPair::Ed25519(kp));
+    let sig = tx.tx_signatures().first().unwrap();
+    assert_eq!(auth_digest_for_sig(sig).unwrap(), blake2b256_of_sig(sig));
+}
+
+#[test]
+fn auth_digest_for_multisig_is_hash_of_sig_bytes() {
+    let tx = make_upgraded_multisig_tx();
+    let sig = tx.tx_signatures().first().unwrap();
+    assert_eq!(auth_digest_for_sig(sig).unwrap(), blake2b256_of_sig(sig));
+}
+
+#[test]
+fn auth_digest_for_passkey_is_hash_of_sig_bytes() {
+    let sig = make_passkey_authenticator_sig();
+    assert_eq!(auth_digest_for_sig(&sig).unwrap(), blake2b256_of_sig(&sig));
+}
+
+#[test]
+#[allow(deprecated)]
+fn auth_digest_for_zk_login_returns_unsupported_error() {
+    let sig = GenericSignature::ZkLoginAuthenticatorDeprecated(ZkLoginAuthenticatorDeprecated);
+    let err = auth_digest_for_sig(&sig).unwrap_err();
+    assert!(
+        matches!(err, IotaError::UnsupportedFeature { .. }),
+        "expected UnsupportedFeature, got {err:?}",
+    );
+}
+
+#[test]
+fn compute_auth_digests_non_sponsored_move_authenticator() {
+    let sender = IotaAddress::random();
+    let (_, authenticator) = make_move_authenticator_sig(sender);
+    let tx = make_move_authenticator_tx(sender);
+    let (sender_digest, sponsor_digest) = tx.data().compute_auth_digests().unwrap();
+    assert_eq!(sender_digest, authenticator.digest());
+    assert!(sponsor_digest.is_none());
+}
+
+#[test]
+fn compute_auth_digests_non_sponsored_regular_signature() {
+    let (sender, kp): (_, AccountKeyPair) = get_key_pair();
+    let tx = make_transaction(sender, &IotaKeyPair::Ed25519(kp));
+    let sig = tx.tx_signatures().first().unwrap();
+    let (sender_digest, sponsor_digest) = tx.data().compute_auth_digests().unwrap();
+    assert_eq!(sender_digest, blake2b256_of_sig(sig));
+    assert!(sponsor_digest.is_none());
+}
+
+#[test]
+fn compute_auth_digests_sponsored_both_move_authenticators() {
+    let (tx, sender_auth, sponsor_auth) =
+        make_sponsored_move_authenticator_tx(IotaAddress::random(), IotaAddress::random());
+    let (sender_digest, sponsor_digest) = tx.data().compute_auth_digests().unwrap();
+    assert_eq!(sender_digest, sender_auth.digest());
+    assert_eq!(sponsor_digest.unwrap(), sponsor_auth.digest());
+    assert_ne!(sender_digest, sponsor_digest.unwrap());
+}
+
+#[test]
+fn compute_auth_digests_sponsored_regular_signatures() {
+    let (tx, sender, sponsor) = make_sponsored_regular_sig_tx();
+
+    let sender_sig = tx
+        .tx_signatures()
+        .iter()
+        .find(|s| IotaAddress::try_from(*s).ok() == Some(sender))
+        .unwrap();
+    let sponsor_sig = tx
+        .tx_signatures()
+        .iter()
+        .find(|s| IotaAddress::try_from(*s).ok() == Some(sponsor))
+        .unwrap();
+
+    let (sender_digest, sponsor_digest) = tx.data().compute_auth_digests().unwrap();
+    assert_eq!(sender_digest, blake2b256_of_sig(sender_sig));
+    assert_eq!(sponsor_digest.unwrap(), blake2b256_of_sig(sponsor_sig));
+}

crates/iota-types/src/unit_tests/utils.rs

@@ -10,7 +10,7 @@ use rand::{SeedableRng, rngs::StdRng};
 
 use crate::{
     IotaAddress,
-    base_types::{ObjectID, dbg_addr},
+    base_types::{ObjectID, dbg_addr, random_object_ref},
     committee::Committee,
     crypto::{
         AccountKeyPair, AuthorityKeyPair, AuthorityPublicKeyBytes, IotaKeyPair, Signature, Signer,
@@ -22,7 +22,7 @@ use crate::{
     signature::GenericSignature,
     transaction::{
         SenderSignedData, TEST_ONLY_GAS_UNIT_FOR_TRANSFER, Transaction, TransactionData,
-        TransactionDataAPI,
+        TransactionDataAPI, TransactionKind,
     },
 };
 
@@ -94,6 +94,27 @@ pub fn make_transaction_data(sender: IotaAddress) -> TransactionData {
     )
 }
 
+/// Make sponsored [`TransactionData`] with a transfer-IOTA programmable
+/// transaction and a random gas object, for use in tests.
+pub fn make_sponsored_transaction_data(
+    sender: IotaAddress,
+    sponsor: IotaAddress,
+) -> TransactionData {
+    let pt = {
+        let mut builder = ProgrammableTransactionBuilder::new();
+        builder.transfer_iota(dbg_addr(2), None);
+        builder.finish()
+    };
+    TransactionData::new_with_gas_coins_allow_sponsor(
+        TransactionKind::new_programmable(pt),
+        sender,
+        vec![random_object_ref()],
+        TEST_ONLY_GAS_UNIT_FOR_TRANSFER, // gas price is 1
+        1,
+        sponsor,
+    )
+}
+
 /// Make a user signed transaction with the given sender and its keypair. This
 /// is not verified or signed by authority.
 pub fn make_transaction(sender: IotaAddress, kp: &IotaKeyPair) -> Transaction {
@@ -167,37 +188,123 @@ pub fn make_upgraded_multisig_tx() -> Transaction {
     ))
 }
 
+/// Make a sponsored transaction where both sender and sponsor sign with regular
+/// (Ed25519) signatures, for use in tests.
+///
+/// Returns the transaction together with the sender's and sponsor's addresses
+/// so callers can locate each signature within the transaction.
+pub fn make_sponsored_regular_sig_tx() -> (Transaction, IotaAddress, IotaAddress) {
+    let (sender, sender_kp): (_, AccountKeyPair) = get_key_pair();
+    let (sponsor, sponsor_kp): (_, AccountKeyPair) = get_key_pair();
+    let tx_data = make_sponsored_transaction_data(sender, sponsor);
+    let sender_sig: GenericSignature =
+        Transaction::signature_from_signer(tx_data.clone(), Intent::iota_transaction(), &sender_kp)
+            .into();
+    let tx =
+        to_sender_signed_transaction_with_optional_sponsor(tx_data, sender_sig, Some(&sponsor_kp));
+    (tx, sender, sponsor)
+}
+
 mod move_authenticator {
+    use fastcrypto::hash::HashFunction;
+    use iota_sdk_types::Digest;
+
     pub use crate::move_authenticator::MoveAuthenticator;
     use crate::{
         base_types::IotaAddress,
+        crypto::DefaultHash,
         object::OBJECT_START_VERSION,
         signature::GenericSignature,
         transaction::{CallArg, SenderSignedData, SharedObjectRef, Transaction},
-        utils::make_transaction_data,
+        utils::{make_sponsored_transaction_data, make_transaction_data},
     };
 
     /// Make a transaction signed with `MoveAuthenticator` for testing.
     pub fn make_move_authenticator_tx(address: IotaAddress) -> Transaction {
         let data = make_transaction_data(address);
+        let (authenticator, _) = make_move_authenticator_sig(address);
+        Transaction::new(SenderSignedData::new(data, vec![authenticator]))
+    }
 
-        // There is no a real Move account behind this address.
-        //
-        // TODO: if it is necessary, AA accounts need to be supported properly in the
-        // `AuthorityState` used for testing.
-        let self_call_arg = CallArg::Shared(SharedObjectRef {
-            object_id: address.into(),
-            initial_shared_version: OBJECT_START_VERSION,
-            mutable: false,
-        });
-        let authenticator = GenericSignature::MoveAuthenticator(MoveAuthenticator::new_v1(
+    /// Build a [`GenericSignature::MoveAuthenticator`] and the underlying
+    /// [`MoveAuthenticator`] for the given address, for use in tests.
+    ///
+    /// There is no real Move account behind this address.
+    ///
+    /// TODO: if it is necessary, AA accounts need to be supported properly in
+    /// the `AuthorityState` used for testing.
+    pub fn make_move_authenticator_sig(
+        address: IotaAddress,
+    ) -> (GenericSignature, MoveAuthenticator) {
+        let authenticator = MoveAuthenticator::new_v1(
             vec![],
             vec![],
-            self_call_arg,
+            CallArg::Shared(SharedObjectRef {
+                object_id: address.into(),
+                initial_shared_version: OBJECT_START_VERSION,
+                mutable: false,
+            }),
+        );
+        let sig = GenericSignature::MoveAuthenticator(authenticator.clone());
+        (sig, authenticator)
+    }
+
+    /// Make a sponsored transaction where both sender and sponsor sign with
+    /// [`MoveAuthenticator`], for use in tests.
+    ///
+    /// Returns the transaction together with the sender's and sponsor's
+    /// [`MoveAuthenticator`] so callers can independently verify the expected
+    /// auth digests.
+    pub fn make_sponsored_move_authenticator_tx(
+        sender_addr: IotaAddress,
+        sponsor_addr: IotaAddress,
+    ) -> (Transaction, MoveAuthenticator, MoveAuthenticator) {
+        let (sender_sig, sender_auth) = make_move_authenticator_sig(sender_addr);
+        let (sponsor_sig, sponsor_auth) = make_move_authenticator_sig(sponsor_addr);
+        let tx_data = make_sponsored_transaction_data(sender_addr, sponsor_addr);
+        let tx = Transaction::new(SenderSignedData::new(
+            tx_data,
+            vec![sender_sig, sponsor_sig],
         ));
+        (tx, sender_auth, sponsor_auth)
+    }
 
-        Transaction::new(SenderSignedData::new(data, vec![authenticator]))
+    /// Compute the Blake2b256 hash of the serialized (flag-prefixed) bytes of a
+    /// [`GenericSignature`], matching the digest used for
+    /// non-[`MoveAuthenticator`] signatures by [`auth_digest_for_sig`].
+    pub fn blake2b256_of_sig(sig: &GenericSignature) -> Digest {
+        let mut hasher = DefaultHash::default();
+        hasher.update(sig.as_ref());
+        Digest::new(hasher.finalize().into())
     }
 }
 
 pub use move_authenticator::*;
+
+mod passkey {
+    use fastcrypto::secp256r1::Secp256r1KeyPair;
+
+    use crate::{
+        crypto::{Signature, Signer, get_key_pair},
+        passkey_authenticator::PasskeyAuthenticator,
+        signature::GenericSignature,
+    };
+
+    /// Build a [`GenericSignature::PasskeyAuthenticator`] backed by a
+    /// freshly-generated Secp256r1 key pair, for use in tests.
+    ///
+    /// The challenge field is 32 zero-bytes encoded as base64url without
+    /// padding, satisfying the length requirement without needing a real
+    /// WebAuthn round-trip.
+    pub fn make_passkey_authenticator_sig() -> GenericSignature {
+        let (_, r1_kp): (_, Secp256r1KeyPair) = get_key_pair();
+        let user_sig: Signature = r1_kp.sign(&[0u8; 32]);
+        let client_data_json = r#"{"type":"webauthn.get","challenge":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","origin":"https://test.iota.org"}"#;
+        let passkey =
+            PasskeyAuthenticator::new_for_testing(vec![], client_data_json.to_string(), user_sig)
+                .unwrap();
+        GenericSignature::PasskeyAuthenticator(passkey)
+    }
+}
+
+pub use passkey::*;