-
Notifications
You must be signed in to change notification settings - Fork 279
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor(multisig)!: move from triggers to custom instructions #5217
base: main
Are you sure you want to change the base?
refactor(multisig)!: move from triggers to custom instructions #5217
Conversation
e8e1316
to
a6b0dce
Compare
let mut executor = executor.clone(); | ||
executor.context_mut().authority = target_account.clone(); | ||
propose_to_approve_me.execute(&executor)?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
context_mut
here is only to indicate what authority is executing the instruction:
I've realized that host.submit()
goes through no validation, which seems to me to be rather a correct behavior. That's why context mutations whose purpose is to pass permission validation are removed at 2e2dcd1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
amazing stuff, so much better
5b0dbeb
to
4e4a6b9
Compare
48753cb
to
0e4fc3a
Compare
BREAKING CHANGES: - (api-changes) `MultisigRegister` `MultisigPropose` `MultisigApprove` custom instructions Signed-off-by: Shunkichi Sato <[email protected]>
Signed-off-by: Shunkichi Sato <[email protected]>
Signed-off-by: Shunkichi Sato <[email protected]>
…ssions Signed-off-by: Shunkichi Sato <[email protected]>
…ions Signed-off-by: Shunkichi Sato <[email protected]>
Signed-off-by: Shunkichi Sato <[email protected]>
Signed-off-by: Shunkichi Sato <[email protected]>
Signed-off-by: Shunkichi Sato <[email protected]>
Signed-off-by: Ekaterina Mekhnetsova <[email protected]>
Signed-off-by: Shunkichi Sato <[email protected]>
…::custom::multisig` Signed-off-by: Shunkichi Sato <[email protected]>
Signed-off-by: Shunkichi Sato <[email protected]>
Signed-off-by: Shunkichi Sato <[email protected]>
This reverts commit 255782e. Signed-off-by: Shunkichi Sato <[email protected]>
Signed-off-by: Shunkichi Sato <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updates:
- rename to
visit_custom_instructions
- move to
{iroha_executor::default, iroha_executor_data_model}::custom::multisig
- minor updates since refactor(multisig)!: move from triggers to custom instructions #5217 (review)
Notes:
- Something happened on merging main branch and @outoftardis involved, but no effect on changed files. Never mind
pub signatories: BTreeMap<AccountId, Weight>, | ||
/// Threshold of total weight at which the multisig is considered authenticated | ||
/// Threshold of total weight at which the multisig account is considered authenticated | ||
pub quorum: u16, | ||
/// Multisig transaction time-to-live in milliseconds based on block timestamps. Defaults to [`DEFAULT_MULTISIG_TTL_MS`] | ||
pub transaction_ttl_ms: u64, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we prohibited 0ms, why not also prohibit 1ms?
pub signatories: BTreeMap<AccountId, Weight>, | ||
/// Threshold of total weight at which the multisig is considered authenticated | ||
/// Threshold of total weight at which the multisig account is considered authenticated | ||
pub quorum: u16, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What good is this type safety, since 0 doesn't lead to errors and there's no incentive for users to set quorum 0?
// Temporarily grant a multisig role to the registrant to delegate the role to the signatories | ||
Role::new(multisig_role.clone(), registrant.clone()), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The main topic here should be why Grant::account_role
has passed but hasn't taken the expected effect, but okay,
authenticate intrinsics?
My understanding is that authentication by signature is required on facing extrinsic transactions and queries. Imo intrinsics should not be signed in cryptographic sense, especially in the case of multisig, proposals and approvals are extrinsic while automatically deployed multisig transactions themselves are intrinsic, and collecting sufficient signatures will be the authentication
Btw the concept of "keys of a multisig account" or "sign as a multisig account" will be removed by #5022 because keys should represent a personal identity
authorize intrinsics?
The only instructions that should be validated would be extrinsics which hasn't yet experienced authorization i.e. the contains of proposal. Other auxiliary instructions that compose the multisig logic itself should be infallible
// Temporarily grant a multisig role to the registrant to delegate the role to the signatories | ||
Role::new(multisig_role.clone(), registrant.clone()), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Previously it was the design that the registrant of a multisig account got equivalent to the domain owner, so as to register and configure a multisig account in the domain. Now that host.submit()
from executor goes through no validation, there's no need to elevate the authority. There should be essentially no difference between assigning any desired authority and bypassing any validation
Signed-off-by: Shunkichi Sato <[email protected]>
7b437ec
to
45b24d9
Compare
crates/iroha_executor/src/default/custom/multisig/transaction.rs
Outdated
Show resolved
Hide resolved
@@ -16,5 +16,7 @@ iroha_executor_data_model_derive = { path = "../iroha_executor_data_model_derive | |||
iroha_data_model.workspace = true | |||
iroha_schema.workspace = true | |||
|
|||
derive_more = { workspace = true, features = ["constructor", "from"] } | |||
parity-scale-codec.workspace = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
parity-scale-codec.workspace = true |
why is it needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because multisig data models need to impl either Encode
Decode
or WrapperTypeEncode
WrapperTypeDecode
for IntoSchema
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a bit confused because none of the default permissions in executor_data_model/src/permission.rs
implement Decode
/Encode
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's probably because the permissions are not listed in types!
Signed-off-by: Shunkichi Sato <[email protected]>
Signed-off-by: Shunkichi Sato <[email protected]>
Updates:
|
Signed-off-by: Shunkichi Sato <[email protected]>
9d5c74f
to
70d51d0
Compare
Context
Solution
Migration Guide
MultisigRegister
MultisigPropose
MultisigApprove
custom instructions that replaceMultisigAccountArgs
MultisigTransactionsArgs
CanRegisterAnyTrigger
CanUnregisterAnyTrigger
permissions that become useless and are unlikely to be usedFuture Work
#[derive(CustomInstruction)]
or something for custom instructions #5221Grant::account_role
behavior in custom instructions #5222 infers potential bug/crates
and/samples
#5225Checklist
CONTRIBUTING.md
.