feat: improve multisig utility and usability

[s8sato]

BREAKING CHANGES:

• (api-changes) CanRegisterAnyTrigger CanUnregisterAnyTrigger permission
• (config-changes) defaults/genesis.json assumes wasm_triggers[*].action.executable is prebuilt under wasm_samples/target/prebuilt/

Major commits:

• feat: support multisig recursion
• feat: introduce multisig quorum and weights
• feat: add multisig subcommand to client CLI
• feat: introduce multisig transaction time-to-live
• feat: predefine multisig world-level trigger in genesis
• feat: allow accounts in domain to register multisig accounts

Context

• Partially resolves Ergonomic MST #4930

Solution

Each commit is explained below, starting with the most recent. You can see the commit history here

feat: support multisig recursion

Allows multisig to function hierarchically, expected to be useful for e.g. automating organizational approval flows.

• When a multisig transaction proposed, every subordinate node (multisig account and corresponding transactions registry) automatically get ready to accept approvals that will be coming up from individual signatories
• Using CLI, individual signatories can query all pending multisig transactions they are involved in, not only those proposed to their direct multisig account

Tests:

cargo test -p iroha integration::multisig::multisig_recursion
bash scripts/tests/multisig.recursion.sh

feat: introduce multisig quorum and weights

Inspired by Sui's multisig. Allows for flexible, if not completely free, authentication policies beyond "m of n". For example, weight equivalent to quorum represents administrative privileges

feat: add multisig subcommand to client CLI

$ cargo build
$ ./target/debug/iroha multisig

The subcommand related to multisig accounts and transactions

Usage: iroha multisig <COMMAND>

Commands:
  register  Register a multisig account
  propose   Propose a multisig transaction
  approve   Approve a multisig transaction
  list      List pending multisig transactions relevant to you
  help      Print this message or the help of the given subcommand(s)

Options:
  -h, --help  Print help

You can see more usage in the testing script

feat: introduce multisig transaction time-to-live

Considers the latest block timestamp as the current time and determines timeout, when the transactions registry is called

feat: predefine multisig world-level trigger in genesis

Defines a global trigger in genesis that exercises authority over all domains. There will be three types of triggers on the system side related to multisig:

• Domains initializer has world-level authority and in response to a domain creation event, registers an accounts registry handled by the domain owner authority
• Accounts registry has domain-level authority and when called by a domain resident, registers a multisig account along with a transactions registry
• Transactions registry has account-level authority and when called by a multisig signatory, accepts proposals or approvals for multisig transactions, and is responsible for executing them

feat: allow accounts in domain to register multisig accounts

Accounts registry has authority of the domain owner, so access was previously restricted. This commit allows anyone to organize any multisig account within the domain.

This may be too lenient. Discussion

---

Review notes

To get an overview,

cargo test -p iroha integration::multisig::multisig
bash scripts/tests/multisig.sh

sequenceDiagram
    autonumber
    participant oo as etc.
    participant DI as Domains Initializer
    Note over DI: /world
    oo-->>DI: domain created
    create participant AR as Accounts Registry
    DI-->>AR: register
    Note over AR: /world/domain
    create actor s0 as signatory 0
    oo->>s0: register
    create actor s1 as signatory 1
    oo->>s1: register
    s0->>AR: request new ms account
    create actor 01 as ms account 01
    AR-->>01: register
    create participant TR as Transactions Registry
    AR-->>TR: register
    AR-->>s0: grant ms role
    AR-->>s1: grant ms role
    Note over 01,TR: /world/domain/account
    s1->>TR: propose instructions
    create participant tx as pending ms transaction
    TR-->>tx: deploy ms transaction
    s0->>TR: approve instructions
    destroy tx
    TR-->>tx: execute instructions

Loading

The dotted line indicates an automatic process

Checklist

• I've read CONTRIBUTING.md.
• I've written integration tests for the code changes.
• All review comments have been resolved.

[github-actions]

@BAStos525

[nxsaken]

Genesis needs to be updated

[Erigara]

I think this change is great improvement to usability of multisigs.

[s8sato]

Updates:

• review doc: add a reference to multisig recursion diagram
• review fix: signatories and weights must be equal in length
• review fix: condition to rebuild multisig subordinate triggers
• review fix: genesis.json includes not wasm blobs but hashes
• review fix: autofill multisig account domains
• review fix: avoid name collisions of multisig role and triggers
• review fix: perpetuate multisig domain-level authority
• review fix: add a domain for domain-free system accounts

commit history

Notes:

• Currently script tests (scripts/tests/multisig.*) are failing after rebase for some reason

[s8sato]

Updates:

• review fix: exception for multisig role registration
• review fix: give genesis.json a special field to register wasm triggers
• DROP: review fix: genesis.json includes not wasm blobs but hashes
• EDIT: review fix: avoid name collisions of multisig role and triggers

commit history

Notes:

• Currently script tests (scripts/tests/multisig.*) are failing after rebase for some reason

  This was because only integration tests passed due to my overlook of privileged Alice in TestGenesis. Fixed

• Stopped pursuing the cause of the failing integration::extra_functional::restart_peer::restarted_peer_should_have_the_same_asset_amount

[mversic]

it doesn't make sense that this is a dependency of CLI because executor_custom_data_model is intended to only be used in tests

[mversic]

you should create a separate crate for MST data model

[s8sato]

This is a temporary workaround. I'm planning to move those *Args for ExecuteTrigger to somewhere under the regular iroha_data_model when iroha introduces custom instructions, then CLI will only depend on iroha.

Or should we pack everything relevant to multisig to one crate for more clear modularity? Related to this, it might be better to move wasm_samples/multisig_* to somewhere as they are not just samples

[mversic]

Suggested change

	pub transaction_ttl_secs: Option<u32>,
	pub transaction_ttl: Duration,

why is it optional? and why not use Duration?

[s8sato]

Yeah, instead of being optional, its default value can be explicitly specified in the arg attribute.

u32 because it needs to be parsed from stdin

[mversic]

so the trigger has to already exist before executing this. Who should register it? Shouldn't it first be registered here?

[s8sato]

The domains initializer should register the accounts registry on the domain creation. See diagram in review notes

[mversic]

I assume this trigger is registered by the trigger from the Register CLI subcommand

[s8sato]

No, the accounts registry should register the transactions registry on the multisig account registration. See diagram in review notes

[mversic]

Suggested change

	pub instructions_hash: iroha::crypto::Hash,
	pub instructions: iroha::crypto::HashOf<Vec<Instruction>>,

[s8sato]

Just utilized iroha::crypto::Hash: FromStr. It is immediately converted to HashOf<Vec<InstructionBox>>

[mversic]

this field should be last as it was before

[s8sato]

The idea is no gap with the actual execution order.

Reviewed discussions around #4739 and didn't find reason for the position in RawGenesisTransaction. Is it because topology is supposed to be edited at genesis.json?

[mversic]

Suggested change

	wasm_triggers: Vec<GenesisWasmTrigger>,
	triggers: Vec<GenesisWasmTrigger>,

[mversic]

I'd also prefer to put it after instructions so that they can execute triggers but it's just not possible atm because triggers depend on some instructions executing before them

[s8sato]

wasm_ prefix implies the executable is supposed to be Wasm, not Instructions.

Yes, ideally it would be in a free position as one of ordinary instructions as before, which would require WasmSmartContract to serialize to a short string and deserialize to a full blob

[mversic]

Suggested change

	executable: String,
	executable: PathBuf,

like ExecutorPath

[mversic]

if you want to have hardcoded system domain and account, then they shouldn't be defined in the genesis.json. Rather they should be always implicitly created

[s8sato]

Like genesis domain and account, right?

[mversic]

Suggested change

	pub transaction_ttl_secs: Option<u32>,
	#[serde(default = DEFAULT_MULTISIG_TTL_SECS)]
	pub transaction_ttl_ms: u32,

1. can we do it like this?
2. we use ms in transaction.rs as unix timestamp

I think there should always be a TTL defined. User an just put a huge number

[s8sato]

Ok, we can accept seconds as an user input and convert it to milliseconds here