From cd328a0ca53705bf8c76fee19c5e063e0e4d3b2a Mon Sep 17 00:00:00 2001
From: Adel El-Beik
Date: Tue, 5 Nov 2024 17:35:01 +0000
Subject: [PATCH] ENT-12373: Dont output constraint warnings if they fail when we retry with rotated keys.
---
 .../corda/core/contracts/AttachmentConstraint.kt | 14 ++++++++++++--
 .../corda/core/internal/verification/Verifier.kt | 3 ++-
 .../corda/core/transactions/TransactionBuilder.kt | 2 +-
 3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/core/src/main/kotlin/net/corda/core/contracts/AttachmentConstraint.kt b/core/src/main/kotlin/net/corda/core/contracts/AttachmentConstraint.kt
index 1e3593d28d..561879f76b 100644
--- a/core/src/main/kotlin/net/corda/core/contracts/AttachmentConstraint.kt
+++ b/core/src/main/kotlin/net/corda/core/contracts/AttachmentConstraint.kt
@@ -115,10 +115,12 @@ object AutomaticPlaceholderConstraint : AttachmentConstraint {
 * @property key A [PublicKey] that must be fulfilled by the owning keys of the attachment's signing parties.
 */
 data class SignatureAttachmentConstraint(val key: PublicKey) : AttachmentConstraint {
- override fun isSatisfiedBy(attachment: Attachment): Boolean {
+ override fun isSatisfiedBy(attachment: Attachment) = isSatisfiedBy(attachment, disableWarnings = false)
+
+ fun isSatisfiedBy(attachment: Attachment, disableWarnings: Boolean): Boolean {
 log.debug { "Checking signature constraints: verifying $key in contract attachment signer keys: ${attachment.signerKeys}" }
 return if (!key.isFulfilledBy(attachment.signerKeys)) {
- log.warn("Untrusted signing key: expected $key. but contract attachment contains ${attachment.signerKeys}")
+ if (!disableWarnings) log.warn("Untrusted signing key: expected $key. but contract attachment contains ${attachment.signerKeys}")
 false
 } else true
 }
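Review bot: When `disableWarnings` is true, a mismatch between `key` and `attachment.signerKeys` leaves no log record of the outcome, because the only remaining statement is the pre-check `log.debug` that runs before the result is known. Recording the failed result at debug level would keep an investigation trail without the warning noise, for example `if (disableWarnings) log.debug { "Signing key $key not fulfilled by ${attachment.signerKeys}" }` with the existing `log.warn` in the `else` branch. The new two-argument `isSatisfiedBy` is also a public member of a public data class and has no KDoc. A short comment stating that the flag affects logging only, never the returned result, would help anyone reviewing future callers.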
@@ -135,3 +137,11 @@ data class SignatureAttachmentConstraint(val key: PublicKey) : AttachmentConstra fun create(key: PublicKey) = interner.intern(SignatureAttachmentConstraint(key)) } } + +fun isSatisfiedByWithNoWarnForSigConstraint(constraint: AttachmentConstraint, attachment: Attachment): Boolean { + return if (constraint is SignatureAttachmentConstraint) { + constraint.isSatisfiedBy(attachment, true) + } else { + constraint.isSatisfiedBy(attachment) + } +} diff --git a/core/src/main/kotlin/net/corda/core/internal/verification/Verifier.kt b/core/src/main/kotlin/net/corda/core/internal/verification/Verifier.kt index f6c82b23c9..4cc6123bfb 100644 --- a/core/src/main/kotlin/net/corda/core/internal/verification/Verifier.kt +++ b/core/src/main/kotlin/net/corda/core/internal/verification/Verifier.kt @@ -28,6 +28,7 @@ import net.corda.core.contracts.TransactionVerificationException.TransactionMiss import net.corda.core.contracts.TransactionVerificationException.TransactionNonMatchingEncumbranceException import net.corda.core.contracts.TransactionVerificationException.TransactionNotaryMismatchEncumbranceException import net.corda.core.contracts.TransactionVerificationException.TransactionRequiredContractUnspecifiedException +import net.corda.core.contracts.isSatisfiedByWithNoWarnForSigConstraint import net.corda.core.crypto.CompositeKey import net.corda.core.crypto.SecureHash import net.corda.core.internal.AttachmentWithContext @@ -432,7 +433,7 @@ private class Validator(private val ltx: LedgerTransaction, private val transact if (HashAttachmentConstraint.disableHashConstraints && constraint is HashAttachmentConstraint) logger.warnOnce("Skipping hash constraints verification.") - else if (!constraint.isSatisfiedBy(constraintAttachment)) { + else if (!isSatisfiedByWithNoWarnForSigConstraint(constraint, constraintAttachment)) { verifyConstraintUsingRotatedKeys(constraint, constraintAttachment, contract) } } 
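Review bot: `isSatisfiedByWithNoWarnForSigConstraint` is declared as a public top-level function in `net.corda.core.contracts`, which widens the public API for what looks like an internal helper. If both callers in this patch sit in the same module, as their paths suggest, `internal fun isSatisfiedByWithNoWarnForSigConstraint(...)` would keep the warning-suppressing path out of reach of application code. The positional boolean in `constraint.isSatisfiedBy(attachment, true)` reads more clearly as `constraint.isSatisfiedBy(attachment, disableWarnings = true)`, matching the named argument used in the override. A KDoc line is also missing, saying that the function returns the same result as `isSatisfiedBy` and only silences the signature-constraint warning.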
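Review bot: With the warning suppressed on the first attempt in `else if (!isSatisfiedByWithNoWarnForSigConstraint(constraint, constraintAttachment))`, a signature constraint that also fails the rotated-key retry is reported only if `verifyConstraintUsingRotatedKeys` logs or throws with the key details itself. Its body is outside this hunk, so that needs confirming. The same applies to the `defaultOutputConstraint` check in TransactionBuilder.kt, where the path taken when `canBeTransitioned` returns false is not shown. A test asserting that a genuinely untrusted signer key still produces a log entry or exception naming the expected key and the attachment's signer keys would pin this behaviour down.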
diff --git a/core/src/main/kotlin/net/corda/core/transactions/TransactionBuilder.kt b/core/src/main/kotlin/net/corda/core/transactions/TransactionBuilder.kt index 2874590104..35aac052e0 100644 --- a/core/src/main/kotlin/net/corda/core/transactions/TransactionBuilder.kt +++ b/core/src/main/kotlin/net/corda/core/transactions/TransactionBuilder.kt @@ -571,7 +571,7 @@ open class TransactionBuilder( // Sanity check that the selected attachment actually passes. - if (!defaultOutputConstraint.isSatisfiedBy(constraintAttachment)) { + if (!isSatisfiedByWithNoWarnForSigConstraint(defaultOutputConstraint, constraintAttachment)) { // The defaultOutputConstraint is the input constraint by the attachment in use currently may have a rotated key if (defaultOutputConstraint is SignatureAttachmentConstraint && services.toVerifyingServiceHub().rotatedKeys.canBeTransitioned(defaultOutputConstraint.key, constraintAttachment.signerKeys)) { return Pair(makeSignatureAttachmentConstraint(attachmentToUse.signerKeys), constraintAttachment)