Description
Summary
VDR storage operations (CreateStorageEntry, UpdateStorageEntry, DeactivateStorageEntry) that contain unknown protobuf fields should be marked as invalid and rejected during parsing.
This is the mirror of hyperledger-identus/neoprism#60 which was fixed in hyperledger-identus/neoprism#237.
Background
Protocol Buffers preserves bytes for unrecognised field numbers ("unknown fields") to support forward-compatibility — a receiving node with an older schema can still round-trip a message written by a newer sender without corruption.
For SSI operations (CreateDID, UpdateDID, DeactivateDID) this lenient behaviour is correct: unknown fields should be tolerated so that future protocol extensions remain backward-compatible.
For VDR operations the semantics are different. The VDR is a strict storage layer; an operation that contains unknown fields indicates either a schema mismatch or a malformed/tampered message. Such an operation must be rejected rather than silently accepted, otherwise a future schema extension could cause two nodes running different versions to diverge on what is stored.
Current behaviour
StorageOperations.parseCreate, parseUpdate, and parseDeactivate do not check for unknown fields on:
- the outer AtalaOperation wrapper, nor
- the inner storage operation message itself
An operation carrying unknown protobuf fields is therefore accepted and stored as valid.
Expected behaviour
If either the outer AtalaOperation wrapper or the inner storage operation message contains unknown fields, parsing must return a ValidationError and the operation must be rejected. The containing PRISM operation (the DID chain) must remain valid.
ScalaPB API
ScalaPB (used in this project, v0.11.6) exposes unknown fields via:
message.unknownFields != scalapb.UnknownFieldSet.empty
This check should be added as a guard inside each of the three StorageOperations.parse* methods.
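As an added illustration (not code from the project, which is Scala and uses ScalaPB), the Go program below hand-decodes the protobuf wire format so the two behaviours described above can be seen side by side: ScanFields keeps every well-formed field, known or not, which is what a protobuf library does before stashing unrecognised numbers in an unknown-field set; ValidateStorageOperation is the strict guard the issue asks for, rejecting an operation when either the outer wrapper or the inner storage message carries a field number outside the schema. The field numbers (1 for the wrapped storage operation; 1 and 2 for key and value inside it) and the sample byte strings are constructed for the example and do not reflect the real AtalaOperation or storage operation definitions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Protobuf wire types handled here (fixed32/fixed64 and deprecated groups are treated as unsupported).
const wireVarint, wireBytes = 0, 2

// ErrUnknownField marks a field number the schema does not define.
var ErrUnknownField = errors.New("unknown protobuf field")

// Field is one tag/value pair from the wire; Payload holds the raw value bytes.
type Field struct {
	Num, WT int
	Payload []byte
}

// ScanFields decodes leniently: every well-formed field is returned whether or not a schema knows it.
// This is the point where a library such as ScalaPB keeps unrecognised numbers in unknownFields.
func ScanFields(buf []byte) ([]Field, error) {
	var out []Field
	for len(buf) > 0 {
		tag, n := binary.Uvarint(buf)
		if n <= 0 || tag>>3 == 0 {
			return nil, errors.New("malformed tag")
		}
		buf = buf[n:]
		f := Field{Num: int(tag >> 3), WT: int(tag & 7)}
		size := -1 // value length in bytes; -1 means malformed or unsupported wire type
		switch f.WT {
		case wireVarint:
			if _, m := binary.Uvarint(buf); m > 0 {
				size = m
			}
		case wireBytes:
			if l, m := binary.Uvarint(buf); m > 0 && l <= uint64(len(buf)-m) {
				buf, size = buf[m:], int(l)
			}
		}
		if size < 0 || size > len(buf) {
			return nil, fmt.Errorf("malformed value or unsupported wire type for field %d", f.Num)
		}
		f.Payload, buf = buf[:size], buf[size:]
		out = append(out, f)
	}
	return out, nil
}

// strictParse is the VDR-style guard: a field number outside the schema, or a known number with the
// wrong wire type, invalidates the whole message. Known fields are returned by number.
func strictParse(buf []byte, schema map[int]int) (map[int]Field, error) {
	fields, err := ScanFields(buf)
	if err != nil {
		return nil, err
	}
	known := make(map[int]Field)
	for _, f := range fields {
		if wt, ok := schema[f.Num]; !ok {
			return nil, fmt.Errorf("%w: number %d", ErrUnknownField, f.Num)
		} else if wt != f.WT {
			return nil, fmt.Errorf("field %d: wire type %d, schema expects %d", f.Num, f.WT, wt)
		}
		known[f.Num] = f
	}
	return known, nil
}

// Constructed schemas standing in for the outer wrapper (field 1 = storage operation) and the inner
// storage operation (field 1 = key, field 2 = value); not the project's real .proto numbering.
var (
	outerSchema = map[int]int{1: wireBytes}
	innerSchema = map[int]int{1: wireBytes, 2: wireBytes}
)

// ValidateStorageOperation checks both layers, as the issue requires: unknown fields on either the
// outer wrapper or the inner storage operation reject it. (Required-field presence is out of scope.)
func ValidateStorageOperation(wrapper []byte) error {
	outer, err := strictParse(wrapper, outerSchema)
	if err != nil {
		return fmt.Errorf("outer wrapper: %w", err)
	}
	if _, err := strictParse(outer[1].Payload, innerSchema); err != nil {
		return fmt.Errorf("inner storage operation: %w", err)
	}
	return nil
}

// Constructed sample messages, written out as raw wire bytes.
var (
	inner        = []byte("\x0a\x07entry-1\x12\x07payload")                       // field 1 = "entry-1", field 2 = "payload"
	Clean        = append([]byte("\x0a\x12"), inner...)                            // wrapper field 1 = the 18-byte inner message
	OuterUnknown = append(append([]byte{}, Clean...), 0x98, 0x06, 0x07)           // Clean + field 99 (varint 7) on the wrapper
	InnerUnknown = append(append([]byte("\x0a\x15"), inner...), 0x98, 0x06, 0x07) // field 99 inside the 21-byte inner message
)

func main() {
	for _, m := range [][]byte{Clean, OuterUnknown, InnerUnknown} {
		fields, _ := ScanFields(m)
		fmt.Printf("lenient scan: %d outer field(s); strict: %v\n", len(fields), ValidateStorageOperation(m))
	}
}
```

Running it prints one line per sample: the clean message validates, and the other two are rejected with an error that wraps ErrUnknownField and names the layer (outer wrapper or inner storage operation) where the stray field 99 was found, even though the lenient scan decodes all three without complaint. In the real code path the lenient step is ScalaPB's generated parser, and the guard reduces to comparing message.unknownFields against scalapb.UnknownFieldSet.empty on both the AtalaOperation wrapper and the storage operation it contains; the wire-type check in strictParse is extra strictness the issue does not ask for, kept here to show that the same structure can carry other schema checks.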