From 5c83ebc423b24a776fbe15d25c5ef7ab3d794d98 Mon Sep 17 00:00:00 2001 From: YuanXingqiang Date: Fri, 30 Dec 2022 16:32:34 +0800 Subject: [PATCH] Merge PR: nobody can upload wasm code by default (#2904) * nobody can upload wasm code by default * solve bug * add new case * fix ut * make unit test pass * disable vmbridge * fix ut * update to 1.6.8 and set EarthHeight * fix ut Co-authored-by: BananaLF <864685021@qq.com> --- Makefile | 3 ++- dev/wasm-allcases.sh | 35 ++++++++++++++++++++++++++++++- x/vmbridge/keeper/keeper_test.go | 2 +- x/wasm/keeper/genesis_test.go | 2 +- x/wasm/keeper/keeper_test.go | 4 +++- x/wasm/keeper/proposal_handler.go | 2 +- x/wasm/keeper/test_common.go | 2 +- x/wasm/types/params.go | 14 ++++++++++--- x/wasm/types/params_test.go | 4 ++-- x/wasm/types/proposal_custom.go | 10 +++++++++ 10 files changed, 66 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index 155a61ff21..4dde015db3 100644 --- a/Makefile +++ b/Makefile @@ -13,7 +13,7 @@ IGNORE_CHECK_GO=false install_rocksdb_version:=$(ROCKSDB_VERSION) -Version=v1.6.7.2 +Version=v1.6.8 CosmosSDK=v0.39.2 Tendermint=v0.33.9 Iavl=v0.14.3 @@ -59,6 +59,7 @@ else ifeq ($(MAKECMDGOALS),testnet) Venus1Height=12067000 Venus2Height=14781000 Venus3Height=15540000 + EarthHeight=17363500 WITH_ROCKSDB=true endif diff --git a/dev/wasm-allcases.sh b/dev/wasm-allcases.sh index c931fb966c..755f681a29 100755 --- a/dev/wasm-allcases.sh +++ b/dev/wasm-allcases.sh 
@@ -136,6 +136,24 @@ proposal_vote() { fi; } +res=$(exchaincli tx wasm store ./wasm/cw20-base/artifacts/cw20_base.wasm --instantiate-everybody=true --from captain $TX_EXTRA) +raw_log=$(echo "$res" | jq '.raw_log' | sed 's/\"//g') +failed_log="unauthorized: can not create code: failed to execute message; message index: 0" +if [[ "${raw_log}" != "${failed_log}" ]]; +then + echo "expect fail when update-wasm-deployment-whitelist is nobody" + exit 1 +fi; + +##################################################### +######## update deployment whitelist ######### +##################################################### +echo "## update wasm code deployment whitelist" +res=$(exchaincli tx gov submit-proposal update-wasm-deployment-whitelist "$captain,$admin18" --deposit 10okt --title "test title" --description "test description" --from captain $TX_EXTRA) +proposal_id=$(echo "$res" | jq '.logs[0].events[1].attributes[1].value' | sed 's/\"//g') +echo "proposal_id: $proposal_id" +proposal_vote "$proposal_id" + ##################################################### ############# store code ################ ##################################################### 
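Review bot: The denial check added at the top of this hunk is repeated verbatim in the hunk at -797,6, and both compare `raw_log` with the complete error string. Any change to the wrapped message text would then fail the test for a reason unrelated to authorization. A small helper that matches on the `unauthorized: can not create code` prefix keeps the deny-by-default assertion in one place, and `jq -r` replaces the `sed` quote stripping. Each call site then becomes a single `expect_store_denied` line.

```shell
# Asserts that storing wasm code is rejected while the deployment whitelist is "nobody".
expect_store_denied() {
  local res raw_log
  res=$(exchaincli tx wasm store ./wasm/cw20-base/artifacts/cw20_base.wasm --instantiate-everybody=true --from captain $TX_EXTRA)
  raw_log=$(echo "$res" | jq -r '.raw_log')
  if [[ "${raw_log}" != "unauthorized: can not create code"* ]]; then
    echo "expect fail when update-wasm-deployment-whitelist is nobody"
    exit 1
  fi
}
```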
@@ -797,6 +815,21 @@ echo "txhash: $tx_hash" burner_code_id=$(echo "$res" | jq '.logs[0].events[1].attributes[0].value' | sed 's/\"//g') echo "burner_code_id: $burner_code_id" +# update nobody whitelist +res=$(exchaincli tx gov submit-proposal update-wasm-deployment-whitelist nobody --deposit 10.1okt --title "test title" --description "test description" --from captain $TX_EXTRA) +proposal_id=$(echo "$res" | jq '.logs[0].events[1].attributes[1].value' | sed 's/\"//g') +echo "proposal_id: $proposal_id" +proposal_vote "$proposal_id" + +res=$(exchaincli tx wasm store ./wasm/cw20-base/artifacts/cw20_base.wasm --instantiate-everybody=true --from captain $TX_EXTRA) +raw_log=$(echo "$res" | jq '.raw_log' | sed 's/\"//g') +failed_log="unauthorized: can not create code: failed to execute message; message index: 0" +if [[ "${raw_log}" != "${failed_log}" ]]; +then + echo "expect fail when update-wasm-deployment-whitelist is nobody" + exit 1 +fi; + echo "all tests passed! congratulations~" #exchaincli query wasm list-code --limit=5 | jq @@ -879,4 +912,4 @@ then exit 1 fi; -echo "all query cases succeed~" \ No newline at end of file +echo "all query cases succeed~" diff --git a/x/vmbridge/keeper/keeper_test.go b/x/vmbridge/keeper/keeper_test.go index e46cadac4f..69e1f661ba 100644 --- a/x/vmbridge/keeper/keeper_test.go +++ b/x/vmbridge/keeper/keeper_test.go @@ -61,7 +61,7 @@ func (suite *KeeperTestSuite) SetupTest() { err := acc.SetCoins(sdk.NewCoins(sdk.NewInt64Coin(sdk.DefaultBondDenom, 10000))) suite.Require().NoError(err) - suite.app.WasmKeeper.SetParams(suite.ctx, wasmtypes.DefaultParams()) + suite.app.WasmKeeper.SetParams(suite.ctx, wasmtypes.TestParams()) evmParams := evmtypes.DefaultParams() evmParams.EnableCreate = true evmParams.EnableCall = true diff --git a/x/wasm/keeper/genesis_test.go b/x/wasm/keeper/genesis_test.go index 4cea3704ca..160a3c5c68 100644 --- a/x/wasm/keeper/genesis_test.go +++ b/x/wasm/keeper/genesis_test.go 
@@ -562,7 +562,7 @@ func TestSupportedGenMsgTypes(t *testing.T) { ) const denom = "stake" importState := types.GenesisState{ - Params: types.DefaultParams(), + Params: types.TestParams(), GenMsgs: []types.GenesisState_GenMsgs{ { Sum: &types.GenesisState_GenMsgs_StoreCode{ diff --git a/x/wasm/keeper/keeper_test.go b/x/wasm/keeper/keeper_test.go index b3ee8d1a0f..3e9ce5c0da 100644 --- a/x/wasm/keeper/keeper_test.go +++ b/x/wasm/keeper/keeper_test.go @@ -149,6 +149,7 @@ func TestCreateWithParamPermissions(t *testing.T) { }{ "default": { srcPermission: types.DefaultUploadAccess, + expError: sdkerrors.ErrUnauthorized, }, "everybody": { srcPermission: types.AllowEverybody, @@ -244,7 +245,7 @@ func TestEnforceValidPermissionsOnCreate(t *testing.T) { } for msg, spec := range specs { t.Run(msg, func(t *testing.T) { - params := types.DefaultParams() + params := types.TestParams() params.InstantiateDefaultPermission = spec.defaultPermssion keeper.SetParams(ctx, params) codeID, err := contractKeeper.Create(ctx, creator, hackatomWasm, spec.requestedPermission) @@ -504,6 +505,7 @@ func TestInstantiateWithPermissions(t *testing.T) { "default": { srcPermission: types.DefaultUploadAccess, srcActor: anyAddr, + expError: sdkerrors.ErrUnauthorized, }, "everybody": { srcPermission: types.AllowEverybody, diff --git a/x/wasm/keeper/proposal_handler.go b/x/wasm/keeper/proposal_handler.go index cda3d82a2b..ddf0d184cc 100644 --- a/x/wasm/keeper/proposal_handler.go +++ b/x/wasm/keeper/proposal_handler.go @@ -260,7 +260,7 @@ func handleUpdateDeploymentWhitelistProposal(ctx sdk.Context, k types.ContractOp } var config types.AccessConfig - if len(p.DistributorAddrs) == 0 { + if types.IsNobody(p.DistributorAddrs) { config.Permission = types.AccessTypeNobody } else if types.IsAllAddress(p.DistributorAddrs) { config.Permission = types.AccessTypeEverybody diff --git a/x/wasm/keeper/test_common.go b/x/wasm/keeper/test_common.go index d93a389a54..7f4897ba92 100644 --- a/x/wasm/keeper/test_common.go 
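Review bot: In the x/wasm/keeper/proposal_handler.go hunk, an empty `DistributorAddrs` no longer selects `AccessTypeNobody`. It now falls past both `IsNobody` and `IsAllAddress` into the final `else` branch, which lies outside the hunk. `validateDistributorAddrs` in x/wasm/types/proposal_custom.go (hunk at -44,6) does not appear to reject an empty slice either, though the part of its body between the two hunks is not visible, so this needs confirming. To keep the handler fail-closed, retain the old condition alongside the new one, `if len(p.DistributorAddrs) == 0 || types.IsNobody(p.DistributorAddrs) {`, or reject an empty list during validation.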
+++ b/x/wasm/keeper/test_common.go @@ -414,7 +414,7 @@ func createTestInput( supportedFeatures, opts..., ) - keeper.SetParams(ctx, types.DefaultParams()) + keeper.SetParams(ctx, types.TestParams()) // add wasm handler so we can loop-back (contracts calling contracts) contractKeeper := NewDefaultPermissionKeeper(&keeper) router.AddRoute(types.RouterKey, TestHandler(contractKeeper)) diff --git a/x/wasm/types/params.go b/x/wasm/types/params.go index 1b68e17839..7e7a6ab857 100644 --- a/x/wasm/types/params.go +++ b/x/wasm/types/params.go @@ -81,7 +81,7 @@ func (a AccessConfig) Equals(o AccessConfig) bool { } var ( - DefaultUploadAccess = AllowEverybody + DefaultUploadAccess = AllowNobody AllowEverybody = AccessConfig{Permission: AccessTypeEverybody} AllowNobody = AccessConfig{Permission: AccessTypeNobody} ) @@ -94,13 +94,21 @@ func ParamKeyTable() paramtypes.KeyTable { // DefaultParams returns default wasm parameters func DefaultParams() Params { return Params{ - CodeUploadAccess: AllowEverybody, + CodeUploadAccess: AllowNobody, InstantiateDefaultPermission: AccessTypeEverybody, UseContractBlockedList: true, - VmbridgeEnable: true, + VmbridgeEnable: false, } } +// TestParams returns default wasm parameters for unit tests +func TestParams() Params { + params := DefaultParams() + params.CodeUploadAccess = AllowEverybody + params.VmbridgeEnable = true + return params +} + func (p Params) String() string { out, err := yaml.Marshal(p) if err != nil { diff --git a/x/wasm/types/params_test.go b/x/wasm/types/params_test.go index 8a4c10747e..40164ccf5b 100644 --- a/x/wasm/types/params_test.go +++ b/x/wasm/types/params_test.go 
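Review bot: `TestParams` in the params.go hunk at -94,13 is an exported function in a non-test file, so the permissive configuration (`CodeUploadAccess = AllowEverybody`, `VmbridgeEnable = true`) can be called from production code as easily as `DefaultParams`. Its comment should say so explicitly, for example `// TestParams returns permissive parameters (upload open to everybody, vmbridge enabled) for unit tests only; production code must use DefaultParams.`. Moving it to a test-helper package would make accidental use harder. Separately, the new `DefaultParams` values only reach callers of `DefaultParams`. Whether chains that already store `CodeUploadAccess` pick up the nobody default depends on a migration or upgrade step that is not visible in this diff.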
@@ -149,10 +149,10 @@ func TestParamsUnmarshalJson(t *testing.T) { exp Params }{ "defaults": { - src: `{"code_upload_access": {"permission": "Everybody"}, + src: `{"code_upload_access": {"permission": "Nobody"}, "instantiate_default_permission": "Everybody", "use_contract_blocked_list":true, - "vmbridge_enable":true}`, + "vmbridge_enable":false}`, exp: DefaultParams(), }, } diff --git a/x/wasm/types/proposal_custom.go b/x/wasm/types/proposal_custom.go index 5ffc3fa29a..d33dc9ac67 100644 --- a/x/wasm/types/proposal_custom.go +++ b/x/wasm/types/proposal_custom.go @@ -44,6 +44,9 @@ func (p UpdateDeploymentWhitelistProposal) MarshalYAML() (interface{}, error) { } func validateDistributorAddrs(addrs []string) error { + if IsNobody(addrs) { + return nil + } if IsAllAddress(addrs) { return nil } @@ -55,6 +58,13 @@ func validateDistributorAddrs(addrs []string) error { return nil } +func IsNobody(addrs []string) bool { + if len(addrs) == 1 && addrs[0] == "nobody" { + return true + } + return false +} + func IsAllAddress(addrs []string) bool { return len(addrs) == 1 && addrs[0] == "all" }
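Review bot: `IsNobody` in the proposal_custom.go hunk at -55,6 is exported without a doc comment, and its `"nobody"` sentinel is an in-band magic string compared case-sensitively against entries in an address list. I would add `// IsNobody reports whether addrs is the single sentinel "nobody", which a whitelist proposal uses to disable code upload for every account.` and write the body as `return len(addrs) == 1 && addrs[0] == "nobody"`, matching `IsAllAddress` directly below. Defining the sentinel as a named constant next to the `"all"` one would stop the validator, the handler and the CLI test script from drifting apart. The enclosing `validateDistributorAddrs` starts outside this hunk.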