Permissionless Authorized Dispatch for pallet-whitelist#12452
Permissionless Authorized Dispatch for pallet-whitelist#12452PSYKYODAI wants to merge 9 commits into
pallet-whitelist#12452Conversation
|
@PSYKYODAI marge master please. there is some major changes merged to the pallet #11336 |
|
/cmd label T2-pallets |
|
Master has been merged @muharem |
Co-authored-by: Branislav Kontur <bkontur@gmail.com>
| } | ||
|
|
||
| #[pallet::authorize(Self::authorize_dispatch_whitelisted_call)] | ||
| #[pallet::weight_of_authorize(T::DbWeight::get().reads(1))] |
There was a problem hiding this comment.
I am not sure about this hard-coded weights, should have proper benchmarking
There was a problem hiding this comment.
Both callbacks now use benchmarked weights (authorize_dispatch_whitelisted_call and authorize_dispatch_whitelisted_call_with_preimage(n)), measured via the Authorize trait as in pallet-im-online.
| _call_encoded_len: &u32, | ||
| _call_weight_witness: &Weight, | ||
| ) -> TransactionValidityWithRefund { | ||
| Self::authorize_whitelisted_dispatch(*call_hash) |
There was a problem hiding this comment.
when we go this branch (expected Call is stored T::Preimages), shouldn't we also check T::Preimages::fetch(&call_hash, Some(call_encoded_len)) here? (Maybe just T::Preimages::len or something efficient)
Just thinking, if we whitelist_call_hash and expecting authorize_dispatch_whitelisted_call_with_preimage, then we basically allow anybody/unsigned to spam the chain for free with dispatch_whitelisted_call -> because it will pass unsigned/Authorized validation, but the extrinsic itself will fail on UnavailablePreImage and nobody will be charged for failed ones.
Also relates to my previous comment about hard-coded weight_of_authorize
There was a problem hiding this comment.
authorize_dispatch_whitelisted_call now rejects at the pool unless T::Preimages::len(call_hash) == Some(call_encoded_len), so a missing preimage or wrong length witness can't be relayed for free. Used len over fetch to keep it to one read.
The call_weight_witness can't be checked without decoding, so it stays in the dispatch body. The inline with_preimage variant already derives the hash from the call, so it's unaffected. New test coverage in authorize_dispatch_whitelisted_call_uses_hash_argument.
|
/cmd bench --pallet pallet_whitelist |
|
Command "bench --pallet pallet_whitelist" has started 🚀 See logs here |
|
Command "bench --pallet pallet_whitelist" has finished ✅ See logs here DetailsSubweight results:
Command output:❌ Failed benchmarks of runtimes/pallets: |
|
/cmd fmt |
closes #12224
Adds
#[pallet::authorize]callbacks todispatch_whitelisted_callanddispatch_whitelisted_call_with_preimage: an unsigned submission is admitted at the pool only ifDispatchWhitelistedOrigin::try_origin(Authorized)passes and the call hash is inWhitelistedCall.Adds
frame_system::EnsureAuthorizedfor runtimes to opt in: