From 4a0f5cd9a6fe5f7c77d7b23df45bcafdb8c0b4d4 Mon Sep 17 00:00:00 2001
From: Dmitry Bilienko <bududomasidet@gmail.com>
Date: Wed, 12 Apr 2023 13:23:33 +0500
Subject: [PATCH] Check all payload validations on nodes

---
 commonspace/spacestorage/spacestorage.go      | 107 +++-
 commonspace/spacestorage/spacestorage_test.go | 472 ++++++++++++++++++
 2 files changed, 578 insertions(+), 1 deletion(-)
 create mode 100644 commonspace/spacestorage/spacestorage_test.go

diff --git a/commonspace/spacestorage/spacestorage.go b/commonspace/spacestorage/spacestorage.go
index 8d300a48..af4ab7e5 100644
--- a/commonspace/spacestorage/spacestorage.go
+++ b/commonspace/spacestorage/spacestorage.go
@@ -2,8 +2,10 @@
 package spacestorage
 
 import (
+	"bytes"
 	"context"
 	"errors"
+	"fmt"
 	"github.com/anytypeio/any-sync/app"
 	"github.com/anytypeio/any-sync/commonspace/object/acl/aclrecordproto"
 	"github.com/anytypeio/any-sync/commonspace/object/acl/liststorage"
@@ -14,6 +16,7 @@ import (
 	"github.com/anytypeio/any-sync/util/cidutil"
 	"github.com/anytypeio/any-sync/util/crypto"
 	"github.com/gogo/protobuf/proto"
+	"strconv"
 	"strings"
 )
 
@@ -66,10 +69,112 @@ type SpaceStorageProvider interface {
 }
 
 func ValidateSpaceStorageCreatePayload(payload SpaceStorageCreatePayload) (err error) {
-	// TODO: add proper validation
+	err = validateCreateSpaceHeaderPayload(payload.SpaceHeaderWithId)
+	if err != nil {
+		return
+	}
+	err = validateCreateSpaceAclPayload(payload.AclWithId)
+	if err != nil {
+		return
+	}
+	err = validateCreateSpaceSettingsPayload(payload.SpaceSettingsWithId)
+	if err != nil {
+		return
+	}
+
 	return nil
 }
 
+func validateCreateSpaceHeaderPayload(rawHeaderWithId *spacesyncproto.RawSpaceHeaderWithId) (err error) {
+	var rawSpaceHeader spacesyncproto.RawSpaceHeader
+	err = proto.Unmarshal(rawHeaderWithId.RawHeader, &rawSpaceHeader)
+	if err != nil {
+		return
+	}
+	var header spacesyncproto.SpaceHeader
+	err = proto.Unmarshal(rawSpaceHeader.SpaceHeader, &header)
+	if err != nil {
+		return
+	}
+
+	split := strings.Split(rawHeaderWithId.Id, ".")
+	if len(split) != 2 {
+		return ErrIncorrectSpaceHeader
+	}
+	if !cidutil.VerifyCid(rawSpaceHeader.SpaceHeader, split[0]) {
+		err = objecttree.ErrIncorrectCid
+		return
+	}
+	payloadIdentity, err := crypto.UnmarshalEd25519PublicKeyProto(header.Identity)
+	res, err := payloadIdentity.Verify(rawSpaceHeader.SpaceHeader, rawSpaceHeader.Signature)
+	if err != nil || !res {
+		err = ErrIncorrectSpaceHeader
+		return
+	}
+
+	id, err := cidutil.NewCidFromBytes(rawSpaceHeader.SpaceHeader)
+	requiredSpaceId := fmt.Sprintf("%s.%s", id, strconv.FormatUint(header.ReplicationKey, 36))
+	if requiredSpaceId != rawHeaderWithId.Id {
+		err = ErrIncorrectSpaceHeader
+		return
+	}
+
+	return
+}
+
+func validateCreateSpaceAclPayload(rawWithId *aclrecordproto.RawAclRecordWithId) (err error) {
+	if !cidutil.VerifyCid(rawWithId.Payload, rawWithId.Id) {
+		err = objecttree.ErrIncorrectCid
+		return
+	}
+	var rawAcl aclrecordproto.RawAclRecord
+	err = proto.Unmarshal(rawWithId.Payload, &rawAcl)
+	if err != nil {
+		return
+	}
+	var aclRoot aclrecordproto.AclRoot
+	err = proto.Unmarshal(rawAcl.Payload, &aclRoot)
+	payloadIdentity, err := crypto.UnmarshalEd25519PublicKeyProto(aclRoot.Identity)
+	res, err := payloadIdentity.Verify(rawAcl.Payload, rawAcl.Signature)
+	if err != nil || !res {
+		err = ErrIncorrectSpaceHeader
+		return
+	}
+	masterKey, err := crypto.UnmarshalEd25519PrivateKey(aclRoot.MasterKey)
+	identity, err := crypto.UnmarshalEd25519PublicKeyProto(aclRoot.Identity)
+	rawIdentity, err := identity.Raw()
+	signedIdentity, err := masterKey.Sign(rawIdentity)
+	if !bytes.Equal(signedIdentity, aclRoot.IdentitySignature) {
+		err = ErrIncorrectSpaceHeader
+		return
+	}
+	return
+}
+
+func validateCreateSpaceSettingsPayload(rawWithId *treechangeproto.RawTreeChangeWithId) (err error) {
+	var raw treechangeproto.RawTreeChange
+	err = proto.Unmarshal(rawWithId.RawChange, &raw)
+	if err != nil {
+		return
+	}
+	var rootChange treechangeproto.RootChange
+	err = proto.Unmarshal(raw.Payload, &rootChange)
+	payloadIdentity, err := crypto.UnmarshalEd25519PublicKeyProto(rootChange.Identity)
+	res, err := payloadIdentity.Verify(raw.Payload, raw.Signature)
+	if err != nil || !res {
+		err = ErrIncorrectSpaceHeader
+		return
+	}
+	id, err := cidutil.NewCidFromBytes(rawWithId.RawChange)
+	if id != rawWithId.Id {
+		err = ErrIncorrectSpaceHeader
+		return
+	}
+
+	return
+}
+
+// ValidateSpaceHeader Used in coordinator
 func ValidateSpaceHeader(spaceId string, header []byte, identity crypto.PubKey) (err error) {
 	split := strings.Split(spaceId, ".")
 	if len(split) != 2 {
diff --git a/commonspace/spacestorage/spacestorage_test.go b/commonspace/spacestorage/spacestorage_test.go
new file mode 100644
index 00000000..2eabb66f
--- /dev/null
+++ b/commonspace/spacestorage/spacestorage_test.go
@@ -0,0 +1,472 @@
+package spacestorage
+
+import (
+	"crypto/rand"
+	"fmt"
+	"github.com/anytypeio/any-sync/commonspace/object/accountdata"
+	"github.com/anytypeio/any-sync/commonspace/object/acl/aclrecordproto"
+	"github.com/anytypeio/any-sync/commonspace/object/tree/objecttree"
+	"github.com/anytypeio/any-sync/commonspace/object/tree/treechangeproto"
+	"github.com/anytypeio/any-sync/commonspace/spacesyncproto"
+	"github.com/anytypeio/any-sync/util/cidutil"
+	"github.com/anytypeio/any-sync/util/crypto"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	rand2 "golang.org/x/exp/rand"
+	"strconv"
+	"testing"
+	"time"
+)
+
+func TestSuccessHeaderPayloadForSpaceCreate(t *testing.T) {
+	accountKeys, err := accountdata.NewRandom()
+	require.NoError(t, err)
+	identity, err := accountKeys.SignKey.GetPublic().Marshall()
+	require.NoError(t, err)
+	spaceHeaderSeed := make([]byte, 32)
+	_, err = rand.Read(spaceHeaderSeed)
+	require.NoError(t, err)
+	spaceHeaderPayload := make([]byte, 32)
+	_, err = rand.Read(spaceHeaderPayload)
+	require.NoError(t, err)
+	replicationKey := rand2.Uint64()
+	header := &spacesyncproto.SpaceHeader{
+		Identity:           identity,
+		Timestamp:          time.Now().Unix(),
+		SpaceType:          "SpaceType",
+		ReplicationKey:     replicationKey,
+		Seed:               spaceHeaderSeed,
+		SpaceHeaderPayload: spaceHeaderPayload,
+	}
+	marhalled, err := header.Marshal()
+	require.NoError(t, err)
+	signature, err := accountKeys.SignKey.Sign(marhalled)
+	require.NoError(t, err)
+	rawHeader := &spacesyncproto.RawSpaceHeader{
+		SpaceHeader: marhalled,
+		Signature:   signature,
+	}
+	marhalledRawHeader, err := rawHeader.Marshal()
+	require.NoError(t, err)
+	id, err := cidutil.NewCidFromBytes(marhalled)
+	require.NoError(t, err)
+	spaceId := fmt.Sprintf("%s.%s", id, strconv.FormatUint(replicationKey, 36))
+	rawHeaderWithId := &spacesyncproto.RawSpaceHeaderWithId{
+		RawHeader: marhalledRawHeader,
+		Id:        spaceId,
+	}
+	err = validateCreateSpaceHeaderPayload(rawHeaderWithId)
+	require.NoError(t, err)
+}
+
+func TestFailedHeaderPayloadForSpaceCreate_InvalidFormatSpaceId(t *testing.T) {
+	accountKeys, err := accountdata.NewRandom()
+	require.NoError(t, err)
+	identity, err := accountKeys.SignKey.GetPublic().Marshall()
+	require.NoError(t, err)
+	spaceHeaderSeed := make([]byte, 32)
+	_, err = rand.Read(spaceHeaderSeed)
+	require.NoError(t, err)
+	spaceHeaderPayload := make([]byte, 32)
+	_, err = rand.Read(spaceHeaderPayload)
+	require.NoError(t, err)
+	replicationKey := rand2.Uint64()
+	header := &spacesyncproto.SpaceHeader{
+		Identity:           identity,
+		Timestamp:          time.Now().Unix(),
+		SpaceType:          "SpaceType",
+		ReplicationKey:     replicationKey,
+		Seed:               spaceHeaderSeed,
+		SpaceHeaderPayload: spaceHeaderPayload,
+	}
+	marhalled, err := header.Marshal()
+	require.NoError(t, err)
+	signature, err := accountKeys.SignKey.Sign(marhalled)
+	require.NoError(t, err)
+	rawHeader := &spacesyncproto.RawSpaceHeader{
+		SpaceHeader: marhalled,
+		Signature:   signature,
+	}
+	marhalledRawHeader, err := rawHeader.Marshal()
+	require.NoError(t, err)
+	id, err := cidutil.NewCidFromBytes(marhalled)
+	require.NoError(t, err)
+	spaceId := fmt.Sprintf("%s%s", id, strconv.FormatUint(replicationKey, 36))
+	rawHeaderWithId := &spacesyncproto.RawSpaceHeaderWithId{
+		RawHeader: marhalledRawHeader,
+		Id:        spaceId,
+	}
+	err = validateCreateSpaceHeaderPayload(rawHeaderWithId)
+	assert.EqualErrorf(t, err, ErrIncorrectSpaceHeader.Error(), "Error should be: %v, got: %v", objecttree.ErrIncorrectCid, err)
+}
+
+func TestFailedHeaderPayloadForSpaceCreate_CidIsWrong(t *testing.T) {
+	accountKeys, err := accountdata.NewRandom()
+	require.NoError(t, err)
+	identity, err := accountKeys.SignKey.GetPublic().Marshall()
+	require.NoError(t, err)
+	spaceHeaderSeed := make([]byte, 32)
+	_, err = rand.Read(spaceHeaderSeed)
+	require.NoError(t, err)
+	spaceHeaderPayload := make([]byte, 32)
+	_, err = rand.Read(spaceHeaderPayload)
+	require.NoError(t, err)
+	replicationKey := rand2.Uint64()
+	header := &spacesyncproto.SpaceHeader{
+		Identity:           identity,
+		Timestamp:          time.Now().Unix(),
+		SpaceType:          "SpaceType",
+		ReplicationKey:     replicationKey,
+		Seed:               spaceHeaderSeed,
+		SpaceHeaderPayload: spaceHeaderPayload,
+	}
+	marhalled, err := header.Marshal()
+	require.NoError(t, err)
+	signature, err := accountKeys.SignKey.Sign(marhalled)
+	require.NoError(t, err)
+	rawHeader := &spacesyncproto.RawSpaceHeader{
+		SpaceHeader: marhalled,
+		Signature:   signature,
+	}
+	marhalledRawHeader, err := rawHeader.Marshal()
+	require.NoError(t, err)
+	id := "faisdfjpiocpoakopkop34"
+	spaceId := fmt.Sprintf("%s.%s", id, strconv.FormatUint(replicationKey, 36))
+	rawHeaderWithId := &spacesyncproto.RawSpaceHeaderWithId{
+		RawHeader: marhalledRawHeader,
+		Id:        spaceId,
+	}
+	err = validateCreateSpaceHeaderPayload(rawHeaderWithId)
+	assert.EqualErrorf(t, err, objecttree.ErrIncorrectCid.Error(), "Error should be: %v, got: %v", objecttree.ErrIncorrectCid, err)
+}
+
+func TestFailedHeaderPayloadForSpaceCreate_SignedWithAnotherIdentity(t *testing.T) {
+	accountKeys, err := accountdata.NewRandom()
+	require.NoError(t, err)
+	identity, err := accountKeys.SignKey.GetPublic().Marshall()
+	require.NoError(t, err)
+	spaceHeaderSeed := make([]byte, 32)
+	_, err = rand.Read(spaceHeaderSeed)
+	require.NoError(t, err)
+	spaceHeaderPayload := make([]byte, 32)
+	_, err = rand.Read(spaceHeaderPayload)
+	require.NoError(t, err)
+	replicationKey := rand2.Uint64()
+	header := &spacesyncproto.SpaceHeader{
+		Identity:           identity,
+		Timestamp:          time.Now().Unix(),
+		SpaceType:          "SpaceType",
+		ReplicationKey:     replicationKey,
+		Seed:               spaceHeaderSeed,
+		SpaceHeaderPayload: spaceHeaderPayload,
+	}
+	marhalled, err := header.Marshal()
+	require.NoError(t, err)
+	anotherAccountKeys, err := accountdata.NewRandom()
+	signature, err := anotherAccountKeys.SignKey.Sign(marhalled)
+	require.NoError(t, err)
+	rawHeader := &spacesyncproto.RawSpaceHeader{
+		SpaceHeader: marhalled,
+		Signature:   signature,
+	}
+	marhalledRawHeader, err := rawHeader.Marshal()
+	require.NoError(t, err)
+	id := "faisdfjpiocpoakopkop34"
+	spaceId := fmt.Sprintf("%s.%s", id, strconv.FormatUint(replicationKey, 36))
+	rawHeaderWithId := &spacesyncproto.RawSpaceHeaderWithId{
+		RawHeader: marhalledRawHeader,
+		Id:        spaceId,
+	}
+	err = validateCreateSpaceHeaderPayload(rawHeaderWithId)
+	assert.EqualErrorf(t, err, objecttree.ErrIncorrectCid.Error(), "Error should be: %v, got: %v", objecttree.ErrIncorrectCid, err)
+}
+
+func TestSuccessAclPayloadSpace(t *testing.T) {
+	accountKeys, err := accountdata.NewRandom()
+	require.NoError(t, err)
+	identity, err := accountKeys.SignKey.GetPublic().Marshall()
+	require.NoError(t, err)
+	readKeyBytes := make([]byte, 32)
+	_, err = rand.Read(readKeyBytes)
+	require.NoError(t, err)
+	readKey, err := accountKeys.SignKey.GetPublic().Encrypt(readKeyBytes)
+	require.NoError(t, err)
+	masterKey, _, err := crypto.GenerateRandomEd25519KeyPair()
+	require.NoError(t, err)
+	rawIdentity, err := accountKeys.SignKey.GetPublic().Raw()
+	require.NoError(t, err)
+	identitySignature, err := masterKey.Sign(rawIdentity)
+	require.NoError(t, err)
+	rawMasterKey, err := masterKey.Raw()
+	require.NoError(t, err)
+	aclRoot := aclrecordproto.AclRoot{
+		Identity:          identity,
+		MasterKey:         rawMasterKey,
+		SpaceId:           "SpaceId",
+		EncryptedReadKey:  readKey,
+		Timestamp:         time.Now().Unix(),
+		IdentitySignature: identitySignature,
+	}
+	marshalled, err := aclRoot.Marshal()
+	require.NoError(t, err)
+	signature, err := accountKeys.SignKey.Sign(marshalled)
+	rawAclRecord := &aclrecordproto.RawAclRecord{
+		Payload:   marshalled,
+		Signature: signature,
+	}
+	marshalledRaw, err := rawAclRecord.Marshal()
+	require.NoError(t, err)
+	aclHeadId, err := cidutil.NewCidFromBytes(marshalledRaw)
+	require.NoError(t, err)
+	rawWithId := &aclrecordproto.RawAclRecordWithId{
+		Payload: marshalledRaw,
+		Id:      aclHeadId,
+	}
+	err = validateCreateSpaceAclPayload(rawWithId)
+	require.NoError(t, err)
+}
+
+func TestFailAclPayloadSpace_IncorrectCid(t *testing.T) {
+	accountKeys, err := accountdata.NewRandom()
+	require.NoError(t, err)
+	identity, err := accountKeys.SignKey.GetPublic().Marshall()
+	require.NoError(t, err)
+	readKeyBytes := make([]byte, 32)
+	_, err = rand.Read(readKeyBytes)
+	require.NoError(t, err)
+	readKey, err := accountKeys.SignKey.GetPublic().Encrypt(readKeyBytes)
+	require.NoError(t, err)
+	masterKey, _, err := crypto.GenerateRandomEd25519KeyPair()
+	require.NoError(t, err)
+	rawIdentity, err := accountKeys.SignKey.GetPublic().Raw()
+	require.NoError(t, err)
+	identitySignature, err := masterKey.Sign(rawIdentity)
+	require.NoError(t, err)
+	rawMasterKey, err := masterKey.Raw()
+	require.NoError(t, err)
+	aclRoot := aclrecordproto.AclRoot{
+		Identity:          identity,
+		MasterKey:         rawMasterKey,
+		SpaceId:           "SpaceId",
+		EncryptedReadKey:  readKey,
+		Timestamp:         time.Now().Unix(),
+		IdentitySignature: identitySignature,
+	}
+	marshalled, err := aclRoot.Marshal()
+	require.NoError(t, err)
+	signature, err := accountKeys.SignKey.Sign(marshalled)
+	rawAclRecord := &aclrecordproto.RawAclRecord{
+		Payload:   marshalled,
+		Signature: signature,
+	}
+	marshalledRaw, err := rawAclRecord.Marshal()
+	require.NoError(t, err)
+	aclHeadId := "rand"
+	rawWithId := &aclrecordproto.RawAclRecordWithId{
+		Payload: marshalledRaw,
+		Id:      aclHeadId,
+	}
+	err = validateCreateSpaceAclPayload(rawWithId)
+	assert.EqualErrorf(t, err, objecttree.ErrIncorrectCid.Error(), "Error should be: %v, got: %v", objecttree.ErrIncorrectCid, err)
+}
+
+func TestFailedAclPayloadSpace_IncorrectSignature(t *testing.T) {
+	accountKeys, err := accountdata.NewRandom()
+	require.NoError(t, err)
+	identity, err := accountKeys.SignKey.GetPublic().Marshall()
+	require.NoError(t, err)
+	readKeyBytes := make([]byte, 32)
+	_, err = rand.Read(readKeyBytes)
+	require.NoError(t, err)
+	readKey, err := accountKeys.SignKey.GetPublic().Encrypt(readKeyBytes)
+	require.NoError(t, err)
+	masterKey, _, err := crypto.GenerateRandomEd25519KeyPair()
+	require.NoError(t, err)
+	rawIdentity, err := accountKeys.SignKey.GetPublic().Raw()
+	require.NoError(t, err)
+	identitySignature, err := masterKey.Sign(rawIdentity)
+	require.NoError(t, err)
+	rawMasterKey, err := masterKey.Raw()
+	require.NoError(t, err)
+	aclRoot := aclrecordproto.AclRoot{
+		Identity:          identity,
+		MasterKey:         rawMasterKey,
+		SpaceId:           "SpaceId",
+		EncryptedReadKey:  readKey,
+		Timestamp:         time.Now().Unix(),
+		IdentitySignature: identitySignature,
+	}
+	marshalled, err := aclRoot.Marshal()
+	require.NoError(t, err)
+	rawAclRecord := &aclrecordproto.RawAclRecord{
+		Payload:   marshalled,
+		Signature: marshalled,
+	}
+	marshalledRaw, err := rawAclRecord.Marshal()
+	require.NoError(t, err)
+	aclHeadId, err := cidutil.NewCidFromBytes(marshalledRaw)
+	require.NoError(t, err)
+	rawWithId := &aclrecordproto.RawAclRecordWithId{
+		Payload: marshalledRaw,
+		Id:      aclHeadId,
+	}
+	err = validateCreateSpaceAclPayload(rawWithId)
+	assert.NotNil(t, err)
+	assert.EqualErrorf(t, err, ErrIncorrectSpaceHeader.Error(), "Error should be: %v, got: %v", ErrIncorrectSpaceHeader, err)
+}
+
+func TestFailedAclPayloadSpace_IncorrectIdentitySignature(t *testing.T) {
+	accountKeys, err := accountdata.NewRandom()
+	require.NoError(t, err)
+	identity, err := accountKeys.SignKey.GetPublic().Marshall()
+	require.NoError(t, err)
+	readKeyBytes := make([]byte, 32)
+	_, err = rand.Read(readKeyBytes)
+	require.NoError(t, err)
+	readKey, err := accountKeys.SignKey.GetPublic().Encrypt(readKeyBytes)
+	require.NoError(t, err)
+	masterKey, _, err := crypto.GenerateRandomEd25519KeyPair()
+	require.NoError(t, err)
+	rawMasterKey, err := masterKey.Raw()
+	require.NoError(t, err)
+	aclRoot := aclrecordproto.AclRoot{
+		Identity:          identity,
+		MasterKey:         rawMasterKey,
+		SpaceId:           "SpaceId",
+		EncryptedReadKey:  readKey,
+		Timestamp:         time.Now().Unix(),
+		IdentitySignature: identity,
+	}
+	marshalled, err := aclRoot.Marshal()
+	require.NoError(t, err)
+	signature, err := accountKeys.SignKey.Sign(marshalled)
+	rawAclRecord := &aclrecordproto.RawAclRecord{
+		Payload:   marshalled,
+		Signature: signature,
+	}
+	marshalledRaw, err := rawAclRecord.Marshal()
+	require.NoError(t, err)
+	aclHeadId, err := cidutil.NewCidFromBytes(marshalledRaw)
+	require.NoError(t, err)
+	rawWithId := &aclrecordproto.RawAclRecordWithId{
+		Payload: marshalledRaw,
+		Id:      aclHeadId,
+	}
+	err = validateCreateSpaceAclPayload(rawWithId)
+	assert.EqualErrorf(t, err, ErrIncorrectSpaceHeader.Error(), "Error should be: %v, got: %v", ErrIncorrectSpaceHeader, err)
+}
+
+func TestSuccessSettingsPayloadSpace(t *testing.T) {
+	accountKeys, err := accountdata.NewRandom()
+	require.NoError(t, err)
+	identity, err := accountKeys.SignKey.GetPublic().Marshall()
+	require.NoError(t, err)
+	spaceSettingsSeed := make([]byte, 32)
+	_, err = rand.Read(spaceSettingsSeed)
+	require.NoError(t, err)
+	changePayload := make([]byte, 32)
+	_, err = rand.Read(changePayload)
+	require.NoError(t, err)
+	rootChange := &treechangeproto.RootChange{
+		AclHeadId:     "AclHeadId",
+		SpaceId:       "SpaceId",
+		ChangeType:    "ChangeType",
+		Timestamp:     time.Now().Unix(),
+		Seed:          spaceSettingsSeed,
+		Identity:      identity,
+		ChangePayload: changePayload,
+	}
+	marshalledChange, err := rootChange.Marshal()
+	require.NoError(t, err)
+	signature, err := accountKeys.SignKey.Sign(marshalledChange)
+	require.NoError(t, err)
+	raw := &treechangeproto.RawTreeChange{
+		Payload:   marshalledChange,
+		Signature: signature,
+	}
+	marshalledRawChange, err := raw.Marshal()
+	id, err := cidutil.NewCidFromBytes(marshalledRawChange)
+	require.NoError(t, err)
+	rawIdChange := &treechangeproto.RawTreeChangeWithId{
+		RawChange: marshalledRawChange,
+		Id:        id,
+	}
+	err = validateCreateSpaceSettingsPayload(rawIdChange)
+	require.NoError(t, err)
+}
+
+func TestFailSettingsPayloadSpace_InvalidSignature(t *testing.T) {
+	accountKeys, err := accountdata.NewRandom()
+	require.NoError(t, err)
+	identity, err := accountKeys.SignKey.GetPublic().Marshall()
+	require.NoError(t, err)
+	spaceSettingsSeed := make([]byte, 32)
+	_, err = rand.Read(spaceSettingsSeed)
+	require.NoError(t, err)
+	changePayload := make([]byte, 32)
+	_, err = rand.Read(changePayload)
+	require.NoError(t, err)
+	rootChange := &treechangeproto.RootChange{
+		AclHeadId:     "AclHeadId",
+		SpaceId:       "SpaceId",
+		ChangeType:    "ChangeType",
+		Timestamp:     time.Now().Unix(),
+		Seed:          spaceSettingsSeed,
+		Identity:      identity,
+		ChangePayload: changePayload,
+	}
+	marshalledChange, err := rootChange.Marshal()
+	require.NoError(t, err)
+	raw := &treechangeproto.RawTreeChange{
+		Payload:   marshalledChange,
+		Signature: marshalledChange,
+	}
+	marshalledRawChange, err := raw.Marshal()
+	id, err := cidutil.NewCidFromBytes(marshalledRawChange)
+	require.NoError(t, err)
+	rawIdChange := &treechangeproto.RawTreeChangeWithId{
+		RawChange: marshalledRawChange,
+		Id:        id,
+	}
+	err = validateCreateSpaceSettingsPayload(rawIdChange)
+	assert.EqualErrorf(t, err, ErrIncorrectSpaceHeader.Error(), "Error should be: %v, got: %v", ErrIncorrectSpaceHeader, err)
+}
+
+func TestFailSettingsPayloadSpace_InvalidCid(t *testing.T) {
+	accountKeys, err := accountdata.NewRandom()
+	require.NoError(t, err)
+	identity, err := accountKeys.SignKey.GetPublic().Marshall()
+	require.NoError(t, err)
+	spaceSettingsSeed := make([]byte, 32)
+	_, err = rand.Read(spaceSettingsSeed)
+	require.NoError(t, err)
+	changePayload := make([]byte, 32)
+	_, err = rand.Read(changePayload)
+	require.NoError(t, err)
+	rootChange := &treechangeproto.RootChange{
+		AclHeadId:     "AclHeadId",
+		SpaceId:       "SpaceId",
+		ChangeType:    "ChangeType",
+		Timestamp:     time.Now().Unix(),
+		Seed:          spaceSettingsSeed,
+		Identity:      identity,
+		ChangePayload: changePayload,
+	}
+	marshalledChange, err := rootChange.Marshal()
+	require.NoError(t, err)
+	signature, err := accountKeys.SignKey.Sign(marshalledChange)
+	require.NoError(t, err)
+	raw := &treechangeproto.RawTreeChange{
+		Payload:   marshalledChange,
+		Signature: signature,
+	}
+	marshalledRawChange, err := raw.Marshal()
+	id := "id"
+	require.NoError(t, err)
+	rawIdChange := &treechangeproto.RawTreeChangeWithId{
+		RawChange: marshalledRawChange,
+		Id:        id,
+	}
+	err = validateCreateSpaceSettingsPayload(rawIdChange)
+	assert.EqualErrorf(t, err, ErrIncorrectSpaceHeader.Error(), "Error should be: %v, got: %v", ErrIncorrectSpaceHeader, err)
+}