Merge PR: nobody can upload wasm code by default (#2904)

* nobody can upload wasm code by default * solve bug * add new case * fix ut * make unit test pass * disable vmbridge * fix ut * update to 1.6.8 and set EarthHeight * fix ut Co-authored-by: BananaLF <[email protected]>
okx · Dec 30, 2022 · 5c83ebc · 5c83ebc
1 parent da54c47
commit 5c83ebc
Show file tree

Hide file tree

Showing 10 changed files with 66 additions and 12 deletions.
diff --git a/Makefile b/Makefile
@@ -13,7 +13,7 @@ IGNORE_CHECK_GO=false
 install_rocksdb_version:=$(ROCKSDB_VERSION)
 
 
-Version=v1.6.7.2
+Version=v1.6.8
 CosmosSDK=v0.39.2
 Tendermint=v0.33.9
 Iavl=v0.14.3
@@ -59,6 +59,7 @@ else ifeq ($(MAKECMDGOALS),testnet)
    Venus1Height=12067000
    Venus2Height=14781000
    Venus3Height=15540000
+   EarthHeight=17363500
 
    WITH_ROCKSDB=true
 endif

diff --git a/dev/wasm-allcases.sh b/dev/wasm-allcases.sh
@@ -136,6 +136,24 @@ proposal_vote() {
   fi;
 }
 
+res=$(exchaincli tx wasm store ./wasm/cw20-base/artifacts/cw20_base.wasm --instantiate-everybody=true --from captain $TX_EXTRA)
+raw_log=$(echo "$res" | jq '.raw_log' | sed 's/\"//g')
+failed_log="unauthorized: can not create code: failed to execute message; message index: 0"
+if [[ "${raw_log}" != "${failed_log}" ]];
+then
+  echo "expect fail when update-wasm-deployment-whitelist is nobody"
+  exit 1
+fi;
+
+#####################################################
+########    update deployment whitelist     #########
+#####################################################
+echo "## update wasm code deployment whitelist"
+res=$(exchaincli tx gov submit-proposal update-wasm-deployment-whitelist "$captain,$admin18" --deposit 10okt --title "test title" --description "test description" --from captain $TX_EXTRA)
+proposal_id=$(echo "$res" | jq '.logs[0].events[1].attributes[1].value' | sed 's/\"//g')
+echo "proposal_id: $proposal_id"
+proposal_vote "$proposal_id"
+
 #####################################################
 #############       store code       ################
 #####################################################
@@ -797,6 +815,21 @@ echo "txhash: $tx_hash"
 burner_code_id=$(echo "$res" | jq '.logs[0].events[1].attributes[0].value' | sed 's/\"//g')
 echo "burner_code_id: $burner_code_id"
 
+# update nobody whitelist
+res=$(exchaincli tx gov submit-proposal update-wasm-deployment-whitelist nobody --deposit 10.1okt --title "test title" --description "test description" --from captain $TX_EXTRA)
+proposal_id=$(echo "$res" | jq '.logs[0].events[1].attributes[1].value' | sed 's/\"//g')
+echo "proposal_id: $proposal_id"
+proposal_vote "$proposal_id"
+
+res=$(exchaincli tx wasm store ./wasm/cw20-base/artifacts/cw20_base.wasm --instantiate-everybody=true --from captain $TX_EXTRA)
+raw_log=$(echo "$res" | jq '.raw_log' | sed 's/\"//g')
+failed_log="unauthorized: can not create code: failed to execute message; message index: 0"
+if [[ "${raw_log}" != "${failed_log}" ]];
+then
+  echo "expect fail when update-wasm-deployment-whitelist is nobody"
+  exit 1
+fi;
+
 echo "all tests passed! congratulations~"
 
 #exchaincli query wasm list-code --limit=5 | jq
@@ -879,4 +912,4 @@ then
   exit 1
 fi;
 
-echo "all query cases succeed~"
+echo "all query cases succeed~"
diff --git a/x/vmbridge/keeper/keeper_test.go b/x/vmbridge/keeper/keeper_test.go
@@ -61,7 +61,7 @@ func (suite *KeeperTestSuite) SetupTest() {
 	err := acc.SetCoins(sdk.NewCoins(sdk.NewInt64Coin(sdk.DefaultBondDenom, 10000)))
 	suite.Require().NoError(err)
 
-	suite.app.WasmKeeper.SetParams(suite.ctx, wasmtypes.DefaultParams())
+	suite.app.WasmKeeper.SetParams(suite.ctx, wasmtypes.TestParams())
 	evmParams := evmtypes.DefaultParams()
 	evmParams.EnableCreate = true
 	evmParams.EnableCall = true

diff --git a/x/wasm/keeper/genesis_test.go b/x/wasm/keeper/genesis_test.go
@@ -562,7 +562,7 @@ func TestSupportedGenMsgTypes(t *testing.T) {
 	)
 	const denom = "stake"
 	importState := types.GenesisState{
-		Params: types.DefaultParams(),
+		Params: types.TestParams(),
 		GenMsgs: []types.GenesisState_GenMsgs{
 			{
 				Sum: &types.GenesisState_GenMsgs_StoreCode{

diff --git a/x/wasm/keeper/keeper_test.go b/x/wasm/keeper/keeper_test.go
@@ -149,6 +149,7 @@ func TestCreateWithParamPermissions(t *testing.T) {
 	}{
 		"default": {
 			srcPermission: types.DefaultUploadAccess,
+			expError:      sdkerrors.ErrUnauthorized,
 		},
 		"everybody": {
 			srcPermission: types.AllowEverybody,
@@ -244,7 +245,7 @@ func TestEnforceValidPermissionsOnCreate(t *testing.T) {
 	}
 	for msg, spec := range specs {
 		t.Run(msg, func(t *testing.T) {
-			params := types.DefaultParams()
+			params := types.TestParams()
 			params.InstantiateDefaultPermission = spec.defaultPermssion
 			keeper.SetParams(ctx, params)
 			codeID, err := contractKeeper.Create(ctx, creator, hackatomWasm, spec.requestedPermission)
@@ -504,6 +505,7 @@ func TestInstantiateWithPermissions(t *testing.T) {
 		"default": {
 			srcPermission: types.DefaultUploadAccess,
 			srcActor:      anyAddr,
+			expError:      sdkerrors.ErrUnauthorized,
 		},
 		"everybody": {
 			srcPermission: types.AllowEverybody,

diff --git a/x/wasm/keeper/proposal_handler.go b/x/wasm/keeper/proposal_handler.go
@@ -260,7 +260,7 @@ func handleUpdateDeploymentWhitelistProposal(ctx sdk.Context, k types.ContractOp
 	}
 
 	var config types.AccessConfig
-	if len(p.DistributorAddrs) == 0 {
+	if types.IsNobody(p.DistributorAddrs) {
 		config.Permission = types.AccessTypeNobody
 	} else if types.IsAllAddress(p.DistributorAddrs) {
 		config.Permission = types.AccessTypeEverybody

diff --git a/x/wasm/keeper/test_common.go b/x/wasm/keeper/test_common.go
@@ -414,7 +414,7 @@ func createTestInput(
 		supportedFeatures,
 		opts...,
 	)
-	keeper.SetParams(ctx, types.DefaultParams())
+	keeper.SetParams(ctx, types.TestParams())
 	// add wasm handler so we can loop-back (contracts calling contracts)
 	contractKeeper := NewDefaultPermissionKeeper(&keeper)
 	router.AddRoute(types.RouterKey, TestHandler(contractKeeper))

diff --git a/x/wasm/types/params.go b/x/wasm/types/params.go
@@ -81,7 +81,7 @@ func (a AccessConfig) Equals(o AccessConfig) bool {
 }
 
 var (
-	DefaultUploadAccess = AllowEverybody
+	DefaultUploadAccess = AllowNobody
 	AllowEverybody      = AccessConfig{Permission: AccessTypeEverybody}
 	AllowNobody         = AccessConfig{Permission: AccessTypeNobody}
 )
@@ -94,13 +94,21 @@ func ParamKeyTable() paramtypes.KeyTable {
 // DefaultParams returns default wasm parameters
 func DefaultParams() Params {
 	return Params{
-		CodeUploadAccess:             AllowEverybody,
+		CodeUploadAccess:             AllowNobody,
 		InstantiateDefaultPermission: AccessTypeEverybody,
 		UseContractBlockedList:       true,
-		VmbridgeEnable:               true,
+		VmbridgeEnable:               false,
 	}
 }
 
+// TestParams returns default wasm parameters for unit tests
+func TestParams() Params {
+	params := DefaultParams()
+	params.CodeUploadAccess = AllowEverybody
+	params.VmbridgeEnable = true
+	return params
+}
+
 func (p Params) String() string {
 	out, err := yaml.Marshal(p)
 	if err != nil {

diff --git a/x/wasm/types/params_test.go b/x/wasm/types/params_test.go
@@ -149,10 +149,10 @@ func TestParamsUnmarshalJson(t *testing.T) {
 		exp Params
 	}{
 		"defaults": {
-			src: `{"code_upload_access": {"permission": "Everybody"},
+			src: `{"code_upload_access": {"permission": "Nobody"},
 				"instantiate_default_permission": "Everybody",
 				"use_contract_blocked_list":true,
-				"vmbridge_enable":true}`,
+				"vmbridge_enable":false}`,
 			exp: DefaultParams(),
 		},
 	}

diff --git a/x/wasm/types/proposal_custom.go b/x/wasm/types/proposal_custom.go
@@ -44,6 +44,9 @@ func (p UpdateDeploymentWhitelistProposal) MarshalYAML() (interface{}, error) {
 }
 
 func validateDistributorAddrs(addrs []string) error {
+	if IsNobody(addrs) {
+		return nil
+	}
 	if IsAllAddress(addrs) {
 		return nil
 	}
@@ -55,6 +58,13 @@ func validateDistributorAddrs(addrs []string) error {
 	return nil
 }
 
+func IsNobody(addrs []string) bool {
+	if len(addrs) == 1 && addrs[0] == "nobody" {
+		return true
+	}
+	return false
+}
+
 func IsAllAddress(addrs []string) bool {
 	return len(addrs) == 1 && addrs[0] == "all"
 }