smartcontract: enforce Permission flags on multicast allowlist and subscribe/create-user handlers#3966
Open
bgm-malbeclabs wants to merge 1 commit into
…bscribe/create-user handlers

Continues the Permission-account authorization migration to the remaining access-pass/multicast/user handlers the feed oracle calls, so the oracle can operate on an ACCESS_PASS_ADMIN | USER_ADMIN Permission account instead of foundation_allowlist membership (least privilege for a hot, always-online key).

- AddMulticastGroupSubAllowlist / RemoveMulticastGroupSubAllowlist honor an ACCESS_PASS_ADMIN Permission account, OR'd around the existing multicast-group-owner check. Add uses split_trailing_permission to disambiguate the optional user_payer account from the trailing Permission account.
- UpdateMulticastGroupRoles: granting roles on another owner's pass is now an ACCESS_PASS_ADMIN operation; removal-only cleanup stays USER_ADMIN. The historical NotAllowed/Unauthorized error variants are preserved.
- CreateSubscribeUser owner-override now accepts a USER_ADMIN Permission holder in addition to the sentinel and foundation.
- PERMISSION.md: document domain-instruction enforcement for the access-pass / multicast / user surface, and correct legacy-mapping rows that were stale after the activator retirement.

The Permission path carries no owns-it restriction, so a flag holder acts across owners, which the oracle needs for validator-owned users and passes. The change is additive: every existing caller keeps its current authority.

Refs: RFC-2 (malbeclabs/infra#1764), malbeclabs/doublezero-shreds#517
Summary of Changes
`ACCESS_PASS_ADMIN | USER_ADMIN` Permission account instead of `foundation_allowlist` membership. This is the serviceability half (Unit 1) of RFC-2 — least privilege for a hot, always-online key.

- `AddMulticastGroupSubAllowlist` / `RemoveMulticastGroupSubAllowlist` now honor an `ACCESS_PASS_ADMIN` Permission account, OR'd around the existing multicast-group-owner check. `Add` switches to `split_trailing_permission` so the optional `user_payer` (connect-credit funding) account and the optional trailing Permission account are disambiguated by PDA match rather than a colliding length check.
- `UpdateMulticastGroupRoles`: granting roles on another owner's pass is now an `ACCESS_PASS_ADMIN` operation, while removal-only cleanup stays `USER_ADMIN` (unchanged from [New Permission 3/5] smartcontract: enforce Permission-based authorization in existing instructions #3206). Splitting by operation preserves the deliberate "USER_ADMIN is removal-only here" contract and its tests, and keeps the historical `NotAllowed` / `Unauthorized` error variants exact.
- `CreateSubscribeUser` owner-override now accepts a `USER_ADMIN` Permission holder in addition to the sentinel and foundation. The Permission account is threaded through `CreateUserCoreAccounts` (`None` for `CreateUser`, which never overrides the owner).
- `PERMISSION.md`: documents domain-instruction enforcement for the access-pass / multicast / user surface, and corrects legacy-mapping rows (`USER_ADMIN`, `ACCESS_PASS_ADMIN`, `NETWORK_ADMIN`, `MULTICAST_ADMIN`) that were stale after the activator retirement.

Context: RFC-2 (malbeclabs/infra#1764), malbeclabs/doublezero-shreds#517.
`SetAccessPass`, `CloseAccessPass`, `DeleteUser`, and the `UpdateMulticastGroupRoles` removal branch were already Permission-wired by #3206, so this PR completes the set with no new authorization helper — it follows the established `authorize()` pattern.

Testing Verification
- `test_multicast_subscriber_allowlist_access_pass_admin_permission` — an `ACCESS_PASS_ADMIN` holder (not owner/foundation/sentinel/feed) adds then removes a subscriber allowlist entry on a pass it does not own.
- `test_subscribe_access_pass_admin_permission_allowed` — an `ACCESS_PASS_ADMIN` holder subscribes a user cross-owner.
- `test_create_subscribe_user_user_admin_owner_override` — a `USER_ADMIN` holder creates a subscribe-user with `owner != payer`.
- `test_subscribe_user_admin_permission_rejected` (USER_ADMIN still cannot add roles) and `test_unsubscribe_user_admin_permission_allowed` (USER_ADMIN removal cleanup) both still pass.
- `doublezero-serviceability` suite green under the host toolchain (`cargo test -p doublezero-serviceability`); `cargo fmt --check` and `cargo clippy --all-targets` clean; `cargo build-sbf` succeeds.
- `test_set_accesspass_refills_depleted_user_payer` is a pre-existing flake on `main` (airdrop-refill balance assertion, unrelated to authorization) — confirmed it fails intermittently on a clean checkout without these changes.
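An added, self-contained illustration (not code from the doublezero repository) of the two mechanisms the description leans on: recognising an optional trailing Permission account by PDA match instead of by account count, and OR'ing the `ACCESS_PASS_ADMIN` flag around the multicast-group-owner check. `Pubkey`, `Account`, `permission_pda`, `AuthError` and the flag bit layout are stand-ins assumed for this example, and the PDA derivation is a plain hash rather than Solana's.

```rust
// Added illustration of the authorization shape this PR describes. All names
// here are stand-ins for the example, not doublezero-serviceability code.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

pub type Pubkey = [u8; 32];
// Permission flag bits (assumed layout; only the two this PR touches).
pub const ACCESS_PASS_ADMIN: u8 = 1 << 0;
pub const USER_ADMIN: u8 = 1 << 1;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Account { pub key: Pubkey, pub flags: u8 } // flags: Permission only
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum AuthError { NotAllowed }

/// Stand-in PDA derivation: the Permission account key for `holder` is a
/// deterministic function of (program, holder), so a handler can recognise
/// it by key rather than by its position in the account list.
pub fn permission_pda(program: &Pubkey, holder: &Pubkey) -> Pubkey {
    let mut out = [0u8; 32];
    for (i, chunk) in out.chunks_mut(8).enumerate() {
        let mut h = DefaultHasher::new();
        (b"permission", program, holder, i as u8).hash(&mut h);
        chunk.copy_from_slice(&h.finish().to_le_bytes());
    }
    out
}

/// Peel an optional trailing Permission account off `accounts` by PDA match.
/// A length check cannot do this once another optional account (the
/// `user_payer` in AddMulticastGroupSubAllowlist) may also be present.
pub fn split_trailing_permission<'a>(
    program: &Pubkey, signer: &Pubkey, accounts: &'a [Account],
) -> (&'a [Account], Option<&'a Account>) {
    match accounts.split_last() {
        Some((last, rest)) if last.key == permission_pda(program, signer) => (rest, Some(last)),
        _ => (accounts, None),
    }
}

/// Group-owner check OR'd with the ACCESS_PASS_ADMIN flag; a flag holder is
/// not limited to groups it owns. `signer` is assumed already verified as a
/// transaction signer by the caller.
pub fn authorize_sub_allowlist(
    signer: &Pubkey, group_owner: &Pubkey, permission: Option<&Account>,
) -> Result<(), AuthError> {
    if signer == group_owner { return Ok(()); }
    match permission {
        Some(p) if p.flags & ACCESS_PASS_ADMIN != 0 => Ok(()),
        _ => Err(AuthError::NotAllowed),
    }
}
```

A real handler would additionally check that the matched account is program-owned and carries the Permission discriminator before trusting its flags.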