CORDA-2514 Constraints checking failures do not provide indication of cause (#4638)

* Add logging to constraints checking to indicate reason of failure. * Additional debug logging message.
2025-02-11 21:26:23 +00:00 · 2019-01-30 15:53:32 +00:00 · 2019-01-30 15:53:32 +00:00 · c7a77fda91
commit c7a77fda91
parent 384a7c37b9
1 changed files with 21 additions and 3 deletions
--- a/core/src/main/kotlin/net/corda/core/contracts/AttachmentConstraint.kt
+++ b/core/src/main/kotlin/net/corda/core/contracts/AttachmentConstraint.kt
@ -9,9 +9,12 @@ import net.corda.core.internal.AttachmentWithContext
 import net.corda.core.internal.isUploaderTrusted
 import net.corda.core.serialization.CordaSerializable
 import net.corda.core.transactions.TransactionBuilder
+import net.corda.core.utilities.loggerFor
 import java.lang.annotation.Inherited
 import java.security.PublicKey

+private val log = loggerFor<AttachmentConstraint>()
+
 /**
 * This annotation should only be added to [Contract] classes.
 * If the annotation is present, then we assume that [Contract.verify] will ensure that the output states have an acceptable constraint.
@ -46,8 +49,12 @@ object AlwaysAcceptAttachmentConstraint : AttachmentConstraint {
 data class HashAttachmentConstraint(val attachmentId: SecureHash) : AttachmentConstraint {
    override fun isSatisfiedBy(attachment: Attachment): Boolean {
        return if (attachment is AttachmentWithContext) {
+            log.debug("Checking attachment uploader ${attachment.contractAttachment.uploader} is trusted")
            attachment.id == attachmentId && isUploaderTrusted(attachment.contractAttachment.uploader)
-        } else false
+        } else {
+            log.warn("Hash constraint check failed: $attachmentId does not match contract attachment JAR ${attachment.id} or contract attachment JAR is untrusted")
+            false
+        }
    }
 }

@ -61,8 +68,12 @@ object WhitelistedByZoneAttachmentConstraint : AttachmentConstraint {
    override fun isSatisfiedBy(attachment: Attachment): Boolean {
        return if (attachment is AttachmentWithContext) {
            val whitelist = attachment.networkParameters.whitelistedContractImplementations
+            log.debug("Checking ${attachment.contract} is in CZ whitelist $whitelist")
            attachment.id in (whitelist[attachment.contract] ?: emptyList())
-        } else false
+        } else {
+            log.warn("CZ whitelisted constraint check failed: ${attachment.id} not in CZ whitelist")
+            false
+        }
    }
 }

@ -100,5 +111,12 @@ object AutomaticPlaceholderConstraint : AttachmentConstraint {
 */
@KeepForDJVM
 data class SignatureAttachmentConstraint(val key: PublicKey) : AttachmentConstraint {
-    override fun isSatisfiedBy(attachment: Attachment): Boolean = key.isFulfilledBy(attachment.signerKeys.map { it })
+    override fun isSatisfiedBy(attachment: Attachment): Boolean {
+        log.debug("Checking signature constraints: verifying $key in contract attachment signer keys: ${attachment.signerKeys}")
+        return if (!key.isFulfilledBy(attachment.signerKeys.map { it })) {
+            log.warn("Untrusted signing key: expected $key. but contract attachment contains ${attachment.signerKeys}")
+            false
+        }
+        else true
+    }
 }