diff --git a/kms-connector/crates/kms-worker/src/core/event_processor/decryption.rs b/kms-connector/crates/kms-worker/src/core/event_processor/decryption.rs index 34038f40bd..e84bcf5d9a 100644 --- a/kms-connector/crates/kms-worker/src/core/event_processor/decryption.rs +++ b/kms-connector/crates/kms-worker/src/core/event_processor/decryption.rs @@ -208,21 +208,16 @@ where delegator_address: Address, ) -> Result<(), ProcessingError> { let handle_hex = hex::encode(handle); - let is_delegated_call = acl_contract.isHandleDelegatedForUserDecryption( - delegator_address, - user_address, - contract_address, - handle, - ); - let delegator_allowed_call = acl_contract.isAllowed(handle, delegator_address); - let contract_allowed_call = acl_contract.isAllowed(handle, contract_address); - - let (is_delegated, delegator_allowed, contract_allowed) = tokio::try_join!( - is_delegated_call.call(), - delegator_allowed_call.call(), - contract_allowed_call.call(), - ) - .map_err(|e| ProcessingError::Recoverable(anyhow::Error::from(e)))?; + let is_delegated = acl_contract + .isHandleDelegatedForUserDecryption( + delegator_address, + user_address, + contract_address, + handle, + ) + .call() + .await + .map_err(|e| ProcessingError::Recoverable(anyhow::Error::from(e)))?; if !is_delegated { return Err(ProcessingError::Recoverable(anyhow!( @@ -230,16 +225,6 @@ where {contract_address} and handle {handle_hex}!", ))); } - if !delegator_allowed { - return Err(ProcessingError::Recoverable(anyhow!( - "{delegator_address} is not allowed to decrypt {handle_hex}!", - ))); - } - if !contract_allowed { - return Err(ProcessingError::Recoverable(anyhow!( - "{contract_address} is not allowed to decrypt {handle_hex}!", - ))); - } Ok(()) } @@ -603,11 +588,7 @@ mod tests { enum DelegatedUserDecryptACLMock { Failure(&'static str), - Success { - is_delegated: bool, - delegator_allowed: bool, - contract_allowed: bool, - }, + Success { is_delegated: bool }, } #[rstest] 
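Review bot: After this change `isHandleDelegatedForUserDecryption` is the only authorization gate in this function, and nothing in the new code says why the two `isAllowed(handle, …)` lookups for the delegator and the contract are no longer needed. Presumably the ACL contract's delegation check already enforces both permissions, but that contract is not visible here; if it only records the delegation, a handle the delegator is not allowed on would now pass this check. A comment above the call would record the dependency, e.g. `// Sole authorization check: relies on ACL.isHandleDelegatedForUserDecryption also enforcing isAllowed for delegator and contract.` The matching rejection branches go in the next hunk, and the `delegator_allowed_contract_not_allowed` and `delegator_not_allowed_contract_allowed` test cases are removed further down, so this crate no longer tests the delegated-but-not-allowed case. The function's signature starts outside the hunk.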
@@ -617,22 +598,12 @@ mod tests { None )] #[case::allowed( - DelegatedUserDecryptACLMock::Success { is_delegated: true, delegator_allowed: true, contract_allowed: true }, + DelegatedUserDecryptACLMock::Success { is_delegated: true }, ExpectedOutcome::Ok, None )] - #[case::delegator_allowed_contract_not_allowed( - DelegatedUserDecryptACLMock::Success { is_delegated: true, delegator_allowed: true, contract_allowed: false }, - ExpectedOutcome::Recoverable, - Some("is not allowed to decrypt") - )] - #[case::delegator_not_allowed_contract_allowed( - DelegatedUserDecryptACLMock::Success { is_delegated: true, delegator_allowed: false, contract_allowed: true }, - ExpectedOutcome::Recoverable, - Some("is not allowed to decrypt") - )] #[case::not_delegated( - DelegatedUserDecryptACLMock::Success { is_delegated: false, delegator_allowed: true, contract_allowed: true }, + DelegatedUserDecryptACLMock::Success { is_delegated: false }, ExpectedOutcome::Recoverable, Some("is not a delegate of") )] @@ -670,14 +641,8 @@ mod tests { match mock_response { DelegatedUserDecryptACLMock::Failure(msg) => asserter.push_failure_msg(msg), - DelegatedUserDecryptACLMock::Success { - is_delegated, - delegator_allowed, - contract_allowed, - } => { + DelegatedUserDecryptACLMock::Success { is_delegated } => { asserter.push_success(&is_delegated.abi_encode()); - asserter.push_success(&delegator_allowed.abi_encode()); - asserter.push_success(&contract_allowed.abi_encode()); } }