From 9b91fb6691e99ca0eadeadf876c28e5c51398402 Mon Sep 17 00:00:00 2001 From: echevrier Date: Tue, 24 May 2022 17:16:22 +0200 Subject: [PATCH 1/6] Improve XCM Config: - Remove ParentAsSuperuser from XCM origin converter - Disallow generic XCM execution, do not allow teleport and allow transfer --- .../integritee-runtime/src/xcm_config.rs | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/polkadot-parachains/integritee-runtime/src/xcm_config.rs b/polkadot-parachains/integritee-runtime/src/xcm_config.rs index 1d05dcf2..c52733fa 100644 --- a/polkadot-parachains/integritee-runtime/src/xcm_config.rs +++ b/polkadot-parachains/integritee-runtime/src/xcm_config.rs @@ -28,7 +28,7 @@ use core::marker::PhantomData; use frame_support::{ pallet_prelude::Get, parameter_types, - traits::Everything, + traits::{Everything, Nothing}, weights::{IdentityFee, Weight}, RuntimeDebug, }; @@ -49,9 +49,9 @@ use xcm::latest::prelude::*; use xcm_builder::{ AccountId32Aliases, AllowKnownQueryResponses, AllowSubscriptionsFrom, AllowTopLevelPaidExecutionFrom, CurrencyAdapter, EnsureXcmOrigin, FixedWeightBounds, - LocationInverter, ParentAsSuperuser, ParentIsPreset, RelayChainAsNative, - SiblingParachainAsNative, SiblingParachainConvertsVia, SignedAccountId32AsNative, - SignedToAccountId32, SovereignSignedViaLocation, TakeWeightCredit, UsingComponents, + LocationInverter, ParentIsPreset, RelayChainAsNative, SiblingParachainAsNative, + SiblingParachainConvertsVia, SignedAccountId32AsNative, SignedToAccountId32, + SovereignSignedViaLocation, TakeWeightCredit, UsingComponents, }; use xcm_executor::{Config, XcmExecutor}; @@ -187,9 +187,6 @@ pub type XcmOriginToTransactDispatchOrigin = ( // Native converter for sibling Parachains; will convert to a `SiblingPara` origin when // recognised. SiblingParachainAsNative, - // Superuser converter for the Relay-chain (Parent) location. This will allow it to issue a - // transaction from the Root origin. - ParentAsSuperuser, // Native signed account converter; this just converts an `AccountId32` origin into a normal // `Origin::Signed` origin of the same 32-byte value. SignedAccountId32AsNative, @@ -266,11 +263,11 @@ impl pallet_xcm::Config for Runtime { type Event = Event; type SendXcmOrigin = EnsureXcmOrigin; type XcmRouter = XcmRouter; - type ExecuteXcmOrigin = EnsureXcmOrigin; - type XcmExecuteFilter = Everything; + type ExecuteXcmOrigin = EnsureXcmOrigin; // Anyone can execute XCM messages locally... + type XcmExecuteFilter = Nothing; // but disallow generic XCM execution. As a result only teleports and reserve transfers can be allowed. type XcmExecutor = XcmExecutor; - type XcmTeleportFilter = Everything; - type XcmReserveTransferFilter = Everything; + type XcmTeleportFilter = Nothing; // Do not allow teleports + type XcmReserveTransferFilter = Everything; // Transfer are allowed type Weigher = FixedWeightBounds; type LocationInverter = LocationInverter; type Origin = Origin; From be2b9c60344c39f2b6a6e0f516c9af74a0e3c029 Mon Sep 17 00:00:00 2001 From: echevrier Date: Thu, 25 Aug 2022 18:03:04 +0200 Subject: [PATCH 2/6] Test xcm config changes --- .../integritee-runtime/src/xcm_config.rs | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/polkadot-parachains/integritee-runtime/src/xcm_config.rs b/polkadot-parachains/integritee-runtime/src/xcm_config.rs index c52733fa..acf2ef49 100644 --- a/polkadot-parachains/integritee-runtime/src/xcm_config.rs +++ b/polkadot-parachains/integritee-runtime/src/xcm_config.rs @@ -49,9 +49,9 @@ use xcm::latest::prelude::*; use xcm_builder::{ AccountId32Aliases, AllowKnownQueryResponses, AllowSubscriptionsFrom, AllowTopLevelPaidExecutionFrom, CurrencyAdapter, EnsureXcmOrigin, FixedWeightBounds, - LocationInverter, ParentIsPreset, RelayChainAsNative, SiblingParachainAsNative, - SiblingParachainConvertsVia, SignedAccountId32AsNative, SignedToAccountId32, - SovereignSignedViaLocation, TakeWeightCredit, UsingComponents, + LocationInverter, ParentAsSuperuser, ParentIsPreset, RelayChainAsNative, + SiblingParachainAsNative, SiblingParachainConvertsVia, SignedAccountId32AsNative, + SignedToAccountId32, SovereignSignedViaLocation, TakeWeightCredit, UsingComponents, }; use xcm_executor::{Config, XcmExecutor}; @@ -187,6 +187,9 @@ pub type XcmOriginToTransactDispatchOrigin = ( // Native converter for sibling Parachains; will convert to a `SiblingPara` origin when // recognised. SiblingParachainAsNative, + // Superuser converter for the Relay-chain (Parent) location. This will allow it to issue a + // transaction from the Root origin. + ParentAsSuperuser, // Native signed account converter; this just converts an `AccountId32` origin into a normal // `Origin::Signed` origin of the same 32-byte value. SignedAccountId32AsNative, @@ -261,7 +264,7 @@ pub type LocalOriginToLocation = SignedToAccountId32; + type SendXcmOrigin = EnsureXcmOrigin; //We want to disallow users sending (arbitrary) XCMs from this chain type XcmRouter = XcmRouter; type ExecuteXcmOrigin = EnsureXcmOrigin; // Anyone can execute XCM messages locally... type XcmExecuteFilter = Nothing; // but disallow generic XCM execution. As a result only teleports and reserve transfers can be allowed. From 462c684d4bdddce7c78d46c12a8a8320552d6f02 Mon Sep 17 00:00:00 2001 From: echevrier <84318241+echevrier@users.noreply.github.com> Date: Mon, 29 Aug 2022 12:49:08 +0200 Subject: [PATCH 3/6] Update polkadot-parachains/integritee-runtime/src/xcm_config.rs Co-authored-by: haerdib <73821294+haerdib@users.noreply.github.com> --- polkadot-parachains/integritee-runtime/src/xcm_config.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/polkadot-parachains/integritee-runtime/src/xcm_config.rs b/polkadot-parachains/integritee-runtime/src/xcm_config.rs index acf2ef49..f25698d4 100644 --- a/polkadot-parachains/integritee-runtime/src/xcm_config.rs +++ b/polkadot-parachains/integritee-runtime/src/xcm_config.rs @@ -266,7 +266,7 @@ impl pallet_xcm::Config for Runtime { type Event = Event; type SendXcmOrigin = EnsureXcmOrigin; //We want to disallow users sending (arbitrary) XCMs from this chain type XcmRouter = XcmRouter; - type ExecuteXcmOrigin = EnsureXcmOrigin; // Anyone can execute XCM messages locally... + type ExecuteXcmOrigin = EnsureXcmOrigin; // Allow any local origin in XCM execution. type XcmExecuteFilter = Nothing; // but disallow generic XCM execution. As a result only teleports and reserve transfers can be allowed. type XcmExecutor = XcmExecutor; type XcmTeleportFilter = Nothing; // Do not allow teleports From 8f9b8ce6ca997120c0dfaa6fbb32f0cdc3e0e8bb Mon Sep 17 00:00:00 2001 From: echevrier <84318241+echevrier@users.noreply.github.com> Date: Mon, 29 Aug 2022 12:49:29 +0200 Subject: [PATCH 4/6] Update polkadot-parachains/integritee-runtime/src/xcm_config.rs Co-authored-by: haerdib <73821294+haerdib@users.noreply.github.com> --- polkadot-parachains/integritee-runtime/src/xcm_config.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/polkadot-parachains/integritee-runtime/src/xcm_config.rs b/polkadot-parachains/integritee-runtime/src/xcm_config.rs index f25698d4..1fb6e884 100644 --- a/polkadot-parachains/integritee-runtime/src/xcm_config.rs +++ b/polkadot-parachains/integritee-runtime/src/xcm_config.rs @@ -267,7 +267,7 @@ impl pallet_xcm::Config for Runtime { type SendXcmOrigin = EnsureXcmOrigin; //We want to disallow users sending (arbitrary) XCMs from this chain type XcmRouter = XcmRouter; type ExecuteXcmOrigin = EnsureXcmOrigin; // Allow any local origin in XCM execution. - type XcmExecuteFilter = Nothing; // but disallow generic XCM execution. As a result only teleports and reserve transfers can be allowed. + type XcmExecuteFilter = Nothing; // Disable generic XCM execution. This does not affect Teleport or Reserve Transfer. type XcmExecutor = XcmExecutor; type XcmTeleportFilter = Nothing; // Do not allow teleports type XcmReserveTransferFilter = Everything; // Transfer are allowed From 3f5b32a60eae28c4c917dc84b3bbe00a711fa680 Mon Sep 17 00:00:00 2001 From: echevrier <84318241+echevrier@users.noreply.github.com> Date: Mon, 29 Aug 2022 12:50:14 +0200 Subject: [PATCH 5/6] Update polkadot-parachains/integritee-runtime/src/xcm_config.rs Co-authored-by: haerdib <73821294+haerdib@users.noreply.github.com> --- polkadot-parachains/integritee-runtime/src/xcm_config.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/polkadot-parachains/integritee-runtime/src/xcm_config.rs b/polkadot-parachains/integritee-runtime/src/xcm_config.rs index 1fb6e884..d84bd60b 100644 --- a/polkadot-parachains/integritee-runtime/src/xcm_config.rs +++ b/polkadot-parachains/integritee-runtime/src/xcm_config.rs @@ -264,7 +264,7 @@ pub type LocalOriginToLocation = SignedToAccountId32; //We want to disallow users sending (arbitrary) XCMs from this chain + type SendXcmOrigin = EnsureXcmOrigin; // Prohibit sending arbitrary XCMs from users of this chain type XcmRouter = XcmRouter; type ExecuteXcmOrigin = EnsureXcmOrigin; // Allow any local origin in XCM execution. type XcmExecuteFilter = Nothing; // Disable generic XCM execution. This does not affect Teleport or Reserve Transfer. From 416bba77f3a272e5fea2a34310cbbd47dd3d5ab3 Mon Sep 17 00:00:00 2001 From: echevrier Date: Mon, 29 Aug 2022 14:46:47 +0200 Subject: [PATCH 6/6] Increase version numbers --- Cargo.lock | 4 ++-- polkadot-parachains/Cargo.toml | 2 +- polkadot-parachains/integritee-runtime/Cargo.toml | 2 +- polkadot-parachains/integritee-runtime/src/lib.rs | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 1c1c7b93..0c8197d6 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3261,7 +3261,7 @@ dependencies = [ [[package]] name = "integritee-collator" -version = "1.5.29" +version = "1.5.30" dependencies = [ "assert_cmd", "async-trait", @@ -3337,7 +3337,7 @@ dependencies = [ [[package]] name = "integritee-runtime" -version = "1.5.25" +version = "1.5.26" dependencies = [ "common", "cumulus-pallet-aura-ext", diff --git a/polkadot-parachains/Cargo.toml b/polkadot-parachains/Cargo.toml index f42b5918..f4dae26b 100644 --- a/polkadot-parachains/Cargo.toml +++ b/polkadot-parachains/Cargo.toml @@ -2,7 +2,7 @@ name = "integritee-collator" description = "The Integritee parachain collator binary" # align major.minor revision with the runtimes. bump patch revision ad lib. make this the github release tag -version = "1.5.29" +version = "1.5.30" authors = ["Integritee AG "] homepage = "https://integritee.network/" repository = "https://github.com/integritee-network/parachain" diff --git a/polkadot-parachains/integritee-runtime/Cargo.toml b/polkadot-parachains/integritee-runtime/Cargo.toml index 756c35fd..0fc8cef1 100644 --- a/polkadot-parachains/integritee-runtime/Cargo.toml +++ b/polkadot-parachains/integritee-runtime/Cargo.toml @@ -2,7 +2,7 @@ name = 'integritee-runtime' description = "The Integritee parachain runtime" # patch revision must match runtime spec_version -version = '1.5.25' +version = '1.5.26' authors = ["Integritee AG "] homepage = "https://integritee.network/" repository = "https://github.com/integritee-network/parachain" diff --git a/polkadot-parachains/integritee-runtime/src/lib.rs b/polkadot-parachains/integritee-runtime/src/lib.rs index d6a2c6ff..19d6f4a7 100644 --- a/polkadot-parachains/integritee-runtime/src/lib.rs +++ b/polkadot-parachains/integritee-runtime/src/lib.rs @@ -107,7 +107,7 @@ pub const VERSION: RuntimeVersion = RuntimeVersion { spec_name: create_runtime_str!("integritee-parachain"), impl_name: create_runtime_str!("integritee-full"), authoring_version: 2, - spec_version: 25, + spec_version: 26, impl_version: 1, apis: RUNTIME_API_VERSIONS, transaction_version: 3,