From a3a40289dfbc7004d72801ee1cbb0f57da029f39 Mon Sep 17 00:00:00 2001 From: kbhat1 Date: Tue, 26 Mar 2024 09:07:02 -0400 Subject: [PATCH 1/2] Authz Nested Evm Messages --- app/ante.go | 1 + app/antedecorators/authz_nested_message.go | 63 +++++++++++++++++++ .../authz_nested_message_test.go | 58 +++++++++++++++++ 3 files changed, 122 insertions(+) create mode 100644 app/antedecorators/authz_nested_message.go create mode 100644 app/antedecorators/authz_nested_message_test.go diff --git a/app/ante.go b/app/ante.go index 0ccb6cd3c4..905420a683 100644 --- a/app/ante.go +++ b/app/ante.go @@ -104,6 +104,7 @@ func NewAnteHandlerAndDepGenerator(options HandlerOptions) (sdk.AnteHandler, sdk sdk.CustomDepWrappedAnteDecorator(sequentialVerifyDecorator, depdecorators.SignerDepDecorator{ReadOnly: true}), sdk.CustomDepWrappedAnteDecorator(ante.NewIncrementSequenceDecorator(options.AccountKeeper), depdecorators.SignerDepDecorator{ReadOnly: false}), sdk.DefaultWrappedAnteDecorator(evmante.NewEVMAddressDecorator(options.EVMKeeper, options.EVMKeeper.AccountKeeper())), + sdk.DefaultWrappedAnteDecorator(antedecorators.NewAuthzNestedMessageDecorator()), sdk.DefaultWrappedAnteDecorator(ibcante.NewAnteDecorator(options.IBCKeeper)), sdk.DefaultWrappedAnteDecorator(dex.NewTickSizeMultipleDecorator(*options.DexKeeper)), dex.NewCheckDexGasDecorator(*options.DexKeeper, options.CheckTxMemState), diff --git a/app/antedecorators/authz_nested_message.go b/app/antedecorators/authz_nested_message.go new file mode 100644 index 0000000000..762db6679c --- /dev/null +++ b/app/antedecorators/authz_nested_message.go @@ -0,0 +1,63 @@ +package antedecorators + +import ( + "errors" + + sdk "github.com/cosmos/cosmos-sdk/types" + "github.com/cosmos/cosmos-sdk/x/authz" + evmtypes "github.com/sei-protocol/sei-chain/x/evm/types" +) + +type AuthzNestedMessageDecorator struct{} + +func NewAuthzNestedMessageDecorator() AuthzNestedMessageDecorator { + return AuthzNestedMessageDecorator{} +} + +func (ad AuthzNestedMessageDecorator) AnteHandle(ctx sdk.Context, tx sdk.Tx, simulate bool, next sdk.AnteHandler) (newCtx sdk.Context, err error) { + for _, msg := range tx.GetMsgs() { + switch m := msg.(type) { + case *authz.MsgExec: + // find nested evm messages + containsEvm, err := ad.CheckAuthzContainsEvm(ctx, m) + if err != nil { + return ctx, err + } + if containsEvm { + return ctx, errors.New("permission denied, authz tx contains evm message") + } + default: + continue + } + } + + return next(ctx, tx, simulate) +} + +func (ad AuthzNestedMessageDecorator) CheckAuthzContainsEvm(ctx sdk.Context, authzMsg *authz.MsgExec) (bool, error) { + msgs, err := authzMsg.GetMessages() + if err != nil { + return false, err + } + for _, msg := range msgs { + // check if message type is authz exec OR registerWasmDependency + switch m := msg.(type) { + case *evmtypes.MsgEVMTransaction: + return true, nil + case *authz.MsgExec: + // find nested to check for wasm registration + valid, err := ad.CheckAuthzContainsEvm(ctx, m) + + if err != nil { + return false, err + } + + if valid { + return true, nil + } + default: + continue + } + } + return false, nil +} diff --git a/app/antedecorators/authz_nested_message_test.go b/app/antedecorators/authz_nested_message_test.go new file mode 100644 index 0000000000..a1da2ea600 --- /dev/null +++ b/app/antedecorators/authz_nested_message_test.go @@ -0,0 +1,58 @@ +package antedecorators_test + +import ( + "testing" + + sdk "github.com/cosmos/cosmos-sdk/types" + "github.com/cosmos/cosmos-sdk/x/authz" + banktypes "github.com/cosmos/cosmos-sdk/x/bank/types" + "github.com/sei-protocol/sei-chain/app/antedecorators" + evmtypes "github.com/sei-protocol/sei-chain/x/evm/types" + "github.com/stretchr/testify/require" + "github.com/tendermint/tendermint/crypto/secp256k1" + tmproto "github.com/tendermint/tendermint/proto/tendermint/types" +) + +func TestAuthzNestedEvmMessage(t *testing.T) { + priv1 := secp256k1.GenPrivKey() + addr1 := sdk.AccAddress(priv1.PubKey().Address()) + output = "" + anteDecorators := []sdk.AnteFullDecorator{ + sdk.DefaultWrappedAnteDecorator(antedecorators.NewAuthzNestedMessageDecorator()), + } + ctx := sdk.NewContext(nil, tmproto.Header{}, false, nil) + chainedHandler, _ := sdk.ChainAnteDecorators(anteDecorators...) + + nestedEvmMessage := authz.NewMsgExec(addr1, []sdk.Msg{&evmtypes.MsgEVMTransaction{}}) + // test with nested evm message + _, err := chainedHandler( + ctx.WithPriority(0), + FakeTx{ + FakeMsgs: []sdk.Msg{&nestedEvmMessage}, + }, + false, + ) + require.NotNil(t, err) + + // Multiple nested layers to evm message + doubleNestedEvmMessage := authz.NewMsgExec(addr1, []sdk.Msg{&nestedEvmMessage}) + _, err = chainedHandler( + ctx.WithPriority(0), + FakeTx{ + FakeMsgs: []sdk.Msg{&doubleNestedEvmMessage}, + }, + false, + ) + require.NotNil(t, err) + + // No error + nestedMessage := authz.NewMsgExec(addr1, []sdk.Msg{&banktypes.MsgSend{}}) + _, err = chainedHandler( + ctx.WithPriority(0), + FakeTx{ + FakeMsgs: []sdk.Msg{&nestedMessage}, + }, + false, + ) + require.Nil(t, err) +} From 69c0cbb08d64b4663597d2353826948c10e93a72 Mon Sep 17 00:00:00 2001 From: kbhat1 Date: Wed, 27 Mar 2024 11:27:19 -0400 Subject: [PATCH 2/2] Update comments --- app/antedecorators/authz_nested_message.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/antedecorators/authz_nested_message.go b/app/antedecorators/authz_nested_message.go index 762db6679c..a7d4957e96 100644 --- a/app/antedecorators/authz_nested_message.go +++ b/app/antedecorators/authz_nested_message.go @@ -40,12 +40,12 @@ func (ad AuthzNestedMessageDecorator) CheckAuthzContainsEvm(ctx sdk.Context, aut return false, err } for _, msg := range msgs { - // check if message type is authz exec OR registerWasmDependency + // check if message type is authz exec or evm switch m := msg.(type) { case *evmtypes.MsgEVMTransaction: return true, nil case *authz.MsgExec: - // find nested to check for wasm registration + // find nested to check for evm valid, err := ad.CheckAuthzContainsEvm(ctx, m) if err != nil {