consensus: integrate state root computation and validation with state transition system

- Add _compute_state_root helper function to compute Merkle Patricia Trie state root from account state - Replace direct balance/nonce updates with state_transition.apply_transaction in block proposal - Compute and set state_root for both regular blocks and genesis block - Add state root verification in sync.py after importing blocks - Add application-layer database validation with DatabaseOperationValidator class
2026-04-13 19:16:54 +02:00
parent b3bec1041c
commit b74dfd76e3
12 changed files with 1065 additions and 24 deletions
--- a/apps/blockchain-node/tests/security/test_database_security.py
+++ b/apps/blockchain-node/tests/security/test_database_security.py
@@ -0,0 +1,64 @@
+"""
+Security tests for database access restrictions.
+
+Tests that database manipulation is not possible without detection.
+"""
+
+import os
+import stat
+import pytest
+from pathlib import Path
+
+from aitbc_chain.database import DatabaseOperationValidator, init_db
+from aitbc_chain.config import settings
+
+
+class TestDatabaseSecurity:
+    """Test database security measures."""
+    
+    def test_database_file_permissions(self):
+        """Test that database file has restrictive permissions."""
+        # Initialize database
+        init_db()
+        
+        # Check file permissions
+        db_path = settings.db_path
+        if db_path.exists():
+            file_stat = os.stat(db_path)
+            mode = file_stat.st_mode
+            
+            # Check that file is readable/writable only by owner (600)
+            assert mode & stat.S_IRUSR  # Owner can read
+            assert mode & stat.S_IWUSR  # Owner can write
+            assert not (mode & stat.S_IRGRP)  # Group cannot read
+            assert not (mode & stat.S_IWGRP)  # Group cannot write
+            assert not (mode & stat.S_IROTH)  # Others cannot read
+            assert not (mode & stat.S_IWOTH)  # Others cannot write
+    
+    def test_operation_validator_allowed_operations(self):
+        """Test that operation validator allows valid operations."""
+        validator = DatabaseOperationValidator()
+        
+        assert validator.validate_operation('select')
+        assert validator.validate_operation('insert')
+        assert validator.validate_operation('update')
+        assert validator.validate_operation('delete')
+        assert not validator.validate_operation('drop')
+        assert not validator.validate_operation('truncate')
+    
+    def test_operation_validator_dangerous_queries(self):
+        """Test that operation validator blocks dangerous queries."""
+        validator = DatabaseOperationValidator()
+        
+        # Dangerous patterns should be blocked
+        assert not validator.validate_query('DROP TABLE account')
+        assert not validator.validate_query('DROP DATABASE')
+        assert not validator.validate_query('TRUNCATE account')
+        assert not validator.validate_query('ALTER TABLE account')
+        assert not validator.validate_query('DELETE FROM account')
+        assert not validator.validate_query('UPDATE account SET balance')
+        
+        # Safe queries should pass
+        assert validator.validate_query('SELECT * FROM account')
+        assert validator.validate_query('INSERT INTO transaction VALUES')
+        assert validator.validate_query('UPDATE block SET height = 1')