refactor(multisig)!: move from triggers to custom instructions #5217
Conversation
github-actions
bot
added
api-changes
s8sato
force-pushed
the
refactor/4930/custom_instructions
branch
from
e8e1316
to
a6b0dce
Compare
s8sato
requested review from
mversic,
SamHSmith,
outoftardis,
0x009922 and
dima74
as code owners
| let mut executor = executor.clone(); | ||
| executor.context_mut().authority = target_account.clone(); | ||
| propose_to_approve_me.execute(&executor)?; |
There was a problem hiding this comment.
context_mut here is only to indicate what authority is executing the instruction:
I've realized that host.submit() goes through no validation, which seems to me to be rather a correct behavior. That's why context mutations whose purpose is to pass permission validation are removed at 2e2dcd1
s8sato
force-pushed
the
refactor/4930/custom_instructions
branch
from
5b0dbeb
to
4e4a6b9
Compare
s8sato
force-pushed
the
refactor/4930/custom_instructions
branch
2 times, most recently
from
48753cb
to
0e4fc3a
Compare
BREAKING CHANGES: - (api-changes) `MultisigRegister` `MultisigPropose` `MultisigApprove` custom instructions Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
…ssions Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
…ions Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
Signed-off-by: Ekaterina Mekhnetsova <mekkatya@gmail.com>
Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
…::custom::multisig` Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
This reverts commit 255782e. Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
There was a problem hiding this comment.
Updates:
- rename to
visit_custom_instructions - move to
{iroha_executor::default, iroha_executor_data_model}::custom::multisig - minor updates since refactor(multisig)!: move from triggers to custom instructions #5217 (review)
Notes:
- Something happened on merging main branch and @outoftardis involved, but no effect on changed files. Never mind
| pub signatories: BTreeMap<AccountId, Weight>, | ||
| /// Threshold of total weight at which the multisig is considered authenticated | ||
| /// Threshold of total weight at which the multisig account is considered authenticated | ||
| pub quorum: u16, | ||
| /// Multisig transaction time-to-live in milliseconds based on block timestamps. Defaults to [`DEFAULT_MULTISIG_TTL_MS`] | ||
| pub transaction_ttl_ms: u64, |
There was a problem hiding this comment.
If we prohibited 0ms, why not also prohibit 1ms?
| pub signatories: BTreeMap<AccountId, Weight>, | ||
| /// Threshold of total weight at which the multisig is considered authenticated | ||
| /// Threshold of total weight at which the multisig account is considered authenticated | ||
| pub quorum: u16, |
There was a problem hiding this comment.
What good is this type safety, since 0 doesn't lead to errors and there's no incentive for users to set quorum 0?
| // Temporarily grant a multisig role to the registrant to delegate the role to the signatories | ||
| Role::new(multisig_role.clone(), registrant.clone()), |
There was a problem hiding this comment.
The main topic here should be why Grant::account_role has passed but hasn't taken the expected effect, but okay,
authenticate intrinsics?
My understanding is that authentication by signature is required on facing extrinsic transactions and queries. Imo intrinsics should not be signed in cryptographic sense, especially in the case of multisig, proposals and approvals are extrinsic while automatically deployed multisig transactions themselves are intrinsic, and collecting sufficient signatures will be the authentication
Btw the concept of "keys of a multisig account" or "sign as a multisig account" will be removed by #5022 because keys should represent a personal identity
authorize intrinsics?
The only instructions that should be validated would be extrinsics which hasn't yet experienced authorization i.e. the contains of proposal. Other auxiliary instructions that compose the multisig logic itself should be infallible
| // Temporarily grant a multisig role to the registrant to delegate the role to the signatories | ||
| Role::new(multisig_role.clone(), registrant.clone()), |
There was a problem hiding this comment.
Previously it was the design that the registrant of a multisig account got equivalent to the domain owner, so as to register and configure a multisig account in the domain. Now that host.submit() from executor goes through no validation, there's no need to elevate the authority. There should be essentially no difference between assigning any desired authority and bypassing any validation
Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
s8sato
force-pushed
the
refactor/4930/custom_instructions
branch
from
7b437ec
to
45b24d9
Compare
crates/iroha_executor/src/default/custom/multisig/transaction.rs
Outdated
Show resolved
Hide resolved
| @@ -16,5 +16,7 @@ iroha_executor_data_model_derive = { path = "../iroha_executor_data_model_derive | |||
| iroha_data_model.workspace = true | |||
| iroha_schema.workspace = true | |||
|
|
|||
| derive_more = { workspace = true, features = ["constructor", "from"] } | |||
| parity-scale-codec.workspace = true | |||
There was a problem hiding this comment.
| parity-scale-codec.workspace = true |
why is it needed?
There was a problem hiding this comment.
Because multisig data models need to impl either Encode Decode or WrapperTypeEncode WrapperTypeDecode for IntoSchema
There was a problem hiding this comment.
I'm a bit confused because none of the default permissions in executor_data_model/src/permission.rs implement Decode/Encode
There was a problem hiding this comment.
That's probably because the permissions are not listed in types!
Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
|
Updates:
|
Signed-off-by: Shunkichi Sato <49983831+s8sato@users.noreply.github.com>
s8sato
force-pushed
the
refactor/4930/custom_instructions
branch
from
9d5c74f
to
70d51d0
Compare
s8sato
changed the title
| macro_rules! visit_seq { | ||
| ($executor:ident.$visit:ident($instruction:expr)) => { | ||
| $executor.$visit($instruction); | ||
| if $executor.verdict().is_err() { | ||
| return $executor.verdict().clone(); | ||
| } | ||
| }; | ||
| } |
There was a problem hiding this comment.
| macro_rules! visit_seq { | |
| ($executor:ident.$visit:ident($instruction:expr)) => { | |
| $executor.$visit($instruction); | |
| if $executor.verdict().is_err() { | |
| return $executor.verdict().clone(); | |
| } | |
| }; | |
| } | |
| /// Validate and execute instructions in sequence without returning back to the visit root, | |
| /// checking the sanity of the executor verdict | |
| macro_rules! visit_seq { | |
| ($executor:ident.$visit:ident($instruction:expr)) => { | |
| $executor.$visit($instruction); | |
| if $executor.verdict().is_err() { | |
| return $executor.verdict().clone(); | |
| } | |
| }; | |
| } |
Context
Solution
Migration Guide
MultisigRegisterMultisigProposeMultisigApprovecustom instructions that replaceMultisigAccountArgsMultisigTransactionsArgsCanRegisterAnyTriggerCanUnregisterAnyTriggerpermissions that become useless and are unlikely to be usedFuture Work
#[derive(CustomInstruction)]or something for custom instructions #5221Grant::account_rolebehavior in custom instructions #5222 infers potential bug/cratesand/samples#5225Checklist
CONTRIBUTING.md.