diff --git a/src/_zkapauthorizer/controller.py b/src/_zkapauthorizer/controller.py
index 69571ca2c03ab26d3389775df4849f1134b0e256..fa1cecda38348a93d0917ed40c68f4ae0a272901 100644
--- a/src/_zkapauthorizer/controller.py
+++ b/src/_zkapauthorizer/controller.py
@@ -705,6 +705,9 @@ class PaymentController(object):
redeeming a voucher, if no other count is given when the redemption is
started.
+ :ivar set[unicode] allowed_public_keys: The base64-encoded public keys for
+ which to accept tokens.
+
:ivar dict[unicode, Redeeming] _active: A mapping from voucher identifiers
which currently have redemption attempts in progress to a
``Redeeming`` state representing the attempt.
@@ -735,6 +738,8 @@ class PaymentController(object):
redeemer = attr.ib()
default_token_count = attr.ib()
+ allowed_public_keys = attr.ib(validator=attr.validators.instance_of(set))
+
num_redemption_groups = attr.ib(default=16)
_clock = attr.ib(default=None)
diff --git a/src/_zkapauthorizer/resource.py b/src/_zkapauthorizer/resource.py
index e5e31eae14212a1b9d9f9ad716e96ae27460d786..cc584940fd1cb44f329a43932d483bdb929e3508 100644
--- a/src/_zkapauthorizer/resource.py
+++ b/src/_zkapauthorizer/resource.py
@@ -64,6 +64,7 @@ from .storage_common import (
get_configured_shares_total,
get_configured_pass_value,
get_configured_lease_duration,
+ get_configured_allowed_public_keys,
)
from .pricecalculator import (
@@ -157,6 +158,7 @@ def from_configuration(
store,
redeemer,
default_token_count,
+ allowed_public_keys=get_configured_allowed_public_keys(node_config),
clock=clock,
)
diff --git a/src/_zkapauthorizer/storage_common.py b/src/_zkapauthorizer/storage_common.py
index 487c164aa7f5cce69a2e9a66d5cbbfaa475ecd4e..22fa76676d92cdd657bb995ccf95fa7928af7b03 100644
--- a/src/_zkapauthorizer/storage_common.py
+++ b/src/_zkapauthorizer/storage_common.py
@@ -132,6 +132,13 @@ def get_configured_lease_duration(node_config):
return 31 * 24 * 60 * 60
+def get_configured_allowed_public_keys(node_config):
+ """
+ Read the set of allowed issuer public keys from the given configuration.
+ """
+ return set()
+
+
def required_passes(bytes_per_pass, share_sizes):
"""
Calculate the number of passes that are required to store shares of the
diff --git a/src/_zkapauthorizer/tests/fixtures.py b/src/_zkapauthorizer/tests/fixtures.py
index 1b226500bc327358f4dfa3ee28b981b209ca9d88..39d111cb1b356ea90cb9be6f72f4c66f319b8959 100644
--- a/src/_zkapauthorizer/tests/fixtures.py
+++ b/src/_zkapauthorizer/tests/fixtures.py
@@ -136,6 +136,7 @@ class ConfiglessMemoryVoucherStore(Fixture):
# minimum token count requirement (can't have fewer tokens
# than groups).
num_redemption_groups=1,
+ allowed_public_keys={self._public_key},
clock=Clock(),
).redeem(
voucher,
diff --git a/src/_zkapauthorizer/tests/test_controller.py b/src/_zkapauthorizer/tests/test_controller.py
index 73398aabd9fcbdaecdb4e8b4ed4c0dcbb27b2ff8..e96aafbc0c999d13075f543dabc05703a6e838e4 100644
--- a/src/_zkapauthorizer/tests/test_controller.py
+++ b/src/_zkapauthorizer/tests/test_controller.py
@@ -231,6 +231,7 @@ class PaymentControllerTests(TestCase):
store,
DummyRedeemer(public_key),
default_token_count=100,
+ allowed_public_keys={public_key},
clock=Clock(),
)
@@ -267,6 +268,7 @@ class PaymentControllerTests(TestCase):
store,
NonRedeemer(),
default_token_count=100,
+ allowed_public_keys=set(),
clock=Clock(),
)
self.assertThat(
@@ -304,6 +306,7 @@ class PaymentControllerTests(TestCase):
# Require more success than we're going to get so it doesn't
# finish.
num_redemption_groups=counter,
+ allowed_public_keys={public_key},
clock=Clock(),
)
@@ -360,6 +363,7 @@ class PaymentControllerTests(TestCase):
),
default_token_count=num_tokens,
num_redemption_groups=num_redemption_groups,
+ allowed_public_keys={public_key},
clock=Clock(),
)
self.assertThat(
@@ -386,6 +390,7 @@ class PaymentControllerTests(TestCase):
# The number of redemption groups must not change for
# redemption of a particular voucher.
num_redemption_groups=num_redemption_groups,
+ allowed_public_keys={public_key},
clock=Clock(),
)
@@ -421,6 +426,7 @@ class PaymentControllerTests(TestCase):
redeemer,
default_token_count=num_tokens,
num_redemption_groups=num_redemption_groups,
+ allowed_public_keys=set(),
clock=Clock(),
)
self.assertThat(
@@ -445,6 +451,7 @@ class PaymentControllerTests(TestCase):
store,
DummyRedeemer(public_key),
default_token_count=100,
+ allowed_public_keys={public_key},
clock=Clock(),
)
self.assertThat(
@@ -473,6 +480,7 @@ class PaymentControllerTests(TestCase):
store,
DoubleSpendRedeemer(),
default_token_count=100,
+ allowed_public_keys=set(),
clock=Clock(),
)
self.assertThat(
@@ -503,6 +511,7 @@ class PaymentControllerTests(TestCase):
store,
UnpaidRedeemer(),
default_token_count=100,
+ allowed_public_keys=set(),
clock=Clock(),
)
self.assertThat(
@@ -523,6 +532,7 @@ class PaymentControllerTests(TestCase):
store,
DummyRedeemer(public_key),
default_token_count=100,
+ allowed_public_keys={public_key},
clock=Clock(),
)
@@ -553,6 +563,7 @@ class PaymentControllerTests(TestCase):
store,
UnpaidRedeemer(),
default_token_count=100,
+ allowed_public_keys=set(),
clock=clock,
)
self.assertThat(
diff --git a/src/_zkapauthorizer/tests/test_plugin.py b/src/_zkapauthorizer/tests/test_plugin.py
index 0db1a375d2ffe5c1c7143920909f4a346f6791c5..4975c048be3b1a476f1c39f7d812f8060bc82232 100644
--- a/src/_zkapauthorizer/tests/test_plugin.py
+++ b/src/_zkapauthorizer/tests/test_plugin.py
@@ -500,6 +500,7 @@ class ClientPluginTests(TestCase):
DummyRedeemer(public_key),
default_token_count=num_passes,
num_redemption_groups=1,
+ allowed_public_keys={public_key},
clock=Clock(),
)
# Get a token inserted into the store.