Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor(multisig)!: move from triggers to custom instructions #5217

Open
wants to merge 20 commits into
base: main
Choose a base branch
from

Conversation

s8sato
Copy link
Contributor

@s8sato s8sato commented Nov 2, 2024

Context

  1. Calling a trigger with args as a multisig operation was not a clear interface
  2. The multisig implementation as triggers introduced validation exceptions for registering and executing triggers to bridge the authority gap between the caller and the executor: feat: improve multisig utility and usability #5027

Solution

  1. Assign dedicated custom instructions to the multisig operations
  2. Switch to the executor context and package validation and execution logics as the custom instructions
  • As a side benefit of removing triggers i.e. no event pools, recursive approvals immediately propagate without ticking time

Migration Guide

  • Introduces MultisigRegister MultisigPropose MultisigApprove custom instructions that replace MultisigAccountArgs MultisigTransactionsArgs
  • Removes CanRegisterAnyTrigger CanUnregisterAnyTrigger permissions that become useless and are unlikely to be used
  • Though it becomes useless for multisig, retains the capability to register wasm triggers in genesis

Future Work


Checklist

  • I've read CONTRIBUTING.md.
  • All review comments have been resolved.
  • All CI checks pass.

@github-actions github-actions bot added api-changes Changes in the API for client libraries config-changes Changes in configuration and start up of the Iroha labels Nov 2, 2024
Copy link

github-actions bot commented Nov 2, 2024

@BAStos525

@s8sato s8sato force-pushed the refactor/4930/custom_instructions branch from e8e1316 to a6b0dce Compare November 2, 2024 21:39
wasm/libs/default_executor/src/lib.rs Outdated Show resolved Hide resolved
wasm/libs/default_executor/src/multisig/account.rs Outdated Show resolved Hide resolved
@s8sato s8sato self-assigned this Nov 2, 2024
@s8sato s8sato marked this pull request as ready for review November 2, 2024 22:11
@s8sato s8sato enabled auto-merge (squash) November 2, 2024 22:13
Comment on lines 77 to 79
let mut executor = executor.clone();
executor.context_mut().authority = target_account.clone();
propose_to_approve_me.execute(&executor)?;
Copy link
Contributor Author

@s8sato s8sato Nov 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

context_mut here is only to indicate what authority is executing the instruction:

I've realized that host.submit() goes through no validation, which seems to me to be rather a correct behavior. That's why context mutations whose purpose is to pass permission validation are removed at 2e2dcd1

Copy link
Contributor

@mversic mversic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

amazing stuff, so much better

crates/iroha_executor/src/default.rs Outdated Show resolved Hide resolved
crates/iroha_executor/src/lib.rs Outdated Show resolved Hide resolved
crates/iroha_multisig_data_model/src/lib.rs Outdated Show resolved Hide resolved
crates/iroha_multisig_data_model/src/lib.rs Outdated Show resolved Hide resolved
crates/iroha_multisig_data_model/src/lib.rs Outdated Show resolved Hide resolved
crates/iroha_telemetry_derive/Cargo.toml Outdated Show resolved Hide resolved
defaults/genesis.json Outdated Show resolved Hide resolved
crates/iroha_multisig_data_model/src/lib.rs Outdated Show resolved Hide resolved
crates/iroha/tests/multisig.rs Outdated Show resolved Hide resolved
crates/iroha_multisig_data_model/src/lib.rs Outdated Show resolved Hide resolved
@s8sato s8sato force-pushed the refactor/4930/custom_instructions branch from 5b0dbeb to 4e4a6b9 Compare November 4, 2024 07:14
@s8sato
Copy link
Contributor Author

s8sato commented Nov 4, 2024

Self-reviewed and made fixes 4e4a6b9 0e4fc3a for now. I'm going to address your comments tomorrow @mversic

@s8sato s8sato force-pushed the refactor/4930/custom_instructions branch 2 times, most recently from 48753cb to 0e4fc3a Compare November 4, 2024 10:42
BREAKING CHANGES:

- (api-changes) `MultisigRegister` `MultisigPropose` `MultisigApprove` custom instructions

Signed-off-by: Shunkichi Sato <[email protected]>
Signed-off-by: Shunkichi Sato <[email protected]>
Signed-off-by: Shunkichi Sato <[email protected]>
@s8sato s8sato requested a review from DCNick3 as a code owner November 6, 2024 16:25
Copy link
Contributor Author

@s8sato s8sato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updates:

Notes:

  • Something happened on merging main branch and @outoftardis involved, but no effect on changed files. Never mind

pub signatories: BTreeMap<AccountId, Weight>,
/// Threshold of total weight at which the multisig is considered authenticated
/// Threshold of total weight at which the multisig account is considered authenticated
pub quorum: u16,
/// Multisig transaction time-to-live in milliseconds based on block timestamps. Defaults to [`DEFAULT_MULTISIG_TTL_MS`]
pub transaction_ttl_ms: u64,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we prohibited 0ms, why not also prohibit 1ms?

pub signatories: BTreeMap<AccountId, Weight>,
/// Threshold of total weight at which the multisig is considered authenticated
/// Threshold of total weight at which the multisig account is considered authenticated
pub quorum: u16,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What good is this type safety, since 0 doesn't lead to errors and there's no incentive for users to set quorum 0?

crates/iroha_multisig_data_model/src/lib.rs Outdated Show resolved Hide resolved
crates/iroha_multisig_data_model/src/lib.rs Outdated Show resolved Hide resolved
Comment on lines 76 to 77
// Temporarily grant a multisig role to the registrant to delegate the role to the signatories
Role::new(multisig_role.clone(), registrant.clone()),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The main topic here should be why Grant::account_role has passed but hasn't taken the expected effect, but okay,

authenticate intrinsics?

My understanding is that authentication by signature is required on facing extrinsic transactions and queries. Imo intrinsics should not be signed in cryptographic sense, especially in the case of multisig, proposals and approvals are extrinsic while automatically deployed multisig transactions themselves are intrinsic, and collecting sufficient signatures will be the authentication

Btw the concept of "keys of a multisig account" or "sign as a multisig account" will be removed by #5022 because keys should represent a personal identity

authorize intrinsics?

The only instructions that should be validated would be extrinsics which hasn't yet experienced authorization i.e. the contains of proposal. Other auxiliary instructions that compose the multisig logic itself should be infallible

Comment on lines 76 to 77
// Temporarily grant a multisig role to the registrant to delegate the role to the signatories
Role::new(multisig_role.clone(), registrant.clone()),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Previously it was the design that the registrant of a multisig account got equivalent to the domain owner, so as to register and configure a multisig account in the domain. Now that host.submit() from executor goes through no validation, there's no need to elevate the authority. There should be essentially no difference between assigning any desired authority and bypassing any validation

wasm/libs/default_executor/src/multisig/transaction.rs Outdated Show resolved Hide resolved
wasm/libs/default_executor/src/multisig/account.rs Outdated Show resolved Hide resolved
crates/iroha/src/lib.rs Show resolved Hide resolved
crates/iroha_executor/src/default/custom/mod.rs Outdated Show resolved Hide resolved
Cargo.toml Show resolved Hide resolved
crates/iroha_data_model/src/isi.rs Outdated Show resolved Hide resolved
crates/iroha_executor/src/default/custom/mod.rs Outdated Show resolved Hide resolved
crates/iroha_data_model/src/visit.rs Outdated Show resolved Hide resolved
wasm/libs/default_executor/src/multisig/account.rs Outdated Show resolved Hide resolved
@@ -16,5 +16,7 @@ iroha_executor_data_model_derive = { path = "../iroha_executor_data_model_derive
iroha_data_model.workspace = true
iroha_schema.workspace = true

derive_more = { workspace = true, features = ["constructor", "from"] }
parity-scale-codec.workspace = true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
parity-scale-codec.workspace = true

why is it needed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because multisig data models need to impl either Encode Decode or WrapperTypeEncode WrapperTypeDecode for IntoSchema

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a bit confused because none of the default permissions in executor_data_model/src/permission.rs implement Decode/Encode

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's probably because the permissions are not listed in types!

@s8sato
Copy link
Contributor Author

s8sato commented Nov 8, 2024

@s8sato s8sato force-pushed the refactor/4930/custom_instructions branch from 9d5c74f to 70d51d0 Compare November 8, 2024 06:24
@s8sato s8sato changed the title refactor!: move multisig logics to custom instructions refactor(multisig)!: move from triggers to custom instructions Nov 8, 2024
@s8sato s8sato disabled auto-merge November 8, 2024 07:39
@s8sato s8sato enabled auto-merge (squash) November 8, 2024 07:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
api-changes Changes in the API for client libraries config-changes Changes in configuration and start up of the Iroha
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants