[Snowbridge]: Ensure source always from AH for exported message

bridges/snowbridge/primitives/router/Cargo.toml

@@ -23,6 +23,7 @@ sp-runtime = { workspace = true }
 sp-std = { workspace = true }
 
 xcm = { workspace = true }
+xcm-builder = { workspace = true }
 xcm-executor = { workspace = true }
 
 snowbridge-core = { workspace = true }
@@ -43,13 +44,15 @@ std = [
 	"sp-io/std",
 	"sp-runtime/std",
 	"sp-std/std",
+	"xcm-builder/std",
 	"xcm-executor/std",
 	"xcm/std",
 ]
 runtime-benchmarks = [
 	"frame-support/runtime-benchmarks",
 	"snowbridge-core/runtime-benchmarks",
 	"sp-runtime/runtime-benchmarks",
+	"xcm-builder/runtime-benchmarks",
 	"xcm-executor/runtime-benchmarks",
 	"xcm/runtime-benchmarks",
 ]

bridges/snowbridge/primitives/router/src/outbound/barriers.rs

@@ -0,0 +1,126 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023 Snowfork <[email protected]>
+
+use core::{marker::PhantomData, ops::ControlFlow};
+use frame_support::traits::{Contains, ProcessMessageError};
+use xcm::prelude::{ExportMessage, Instruction, Location, NetworkId, Weight};
+use xcm_builder::{CreateMatcher, MatchXcm};
+use xcm_executor::traits::{Properties, ShouldExecute};
+
+pub struct DenyFirstExportMessageFrom<FromOrigin, ToGlobalConsensus>(
+	PhantomData<(FromOrigin, ToGlobalConsensus)>,
+);
+
+impl<FromOrigin, ToGlobalConsensus> ShouldExecute
+	for DenyFirstExportMessageFrom<FromOrigin, ToGlobalConsensus>
+where
+	FromOrigin: Contains<Location>,
+	ToGlobalConsensus: Contains<NetworkId>,
+{
+	fn should_execute<RuntimeCall>(
+		origin: &Location,
+		message: &mut [Instruction<RuntimeCall>],
+		_max_weight: Weight,
+		_properties: &mut Properties,
+	) -> Result<(), ProcessMessageError> {
+		message.matcher().match_next_inst_while(
+			|_| true,
+			|inst| match inst {
+				ExportMessage { network, .. } =>
+					if ToGlobalConsensus::contains(network) && FromOrigin::contains(origin) {
+						return Err(ProcessMessageError::Unsupported)
+					} else {
+						Ok(ControlFlow::Continue(()))
+					},
+				_ => Ok(ControlFlow::Continue(())),
+			},
+		)?;
+		Ok(())
+	}
+}
+
+#[cfg(test)]
+mod tests {
+	use super::*;
+	use frame_support::{
+		assert_err, parameter_types,
+		traits::{Equals, Everything, EverythingBut},
+	};
+	use xcm::prelude::*;
+	use xcm_builder::{DenyReserveTransferToRelayChain, DenyThenTry, TakeWeightCredit};
+
+	parameter_types! {
+		pub AssetHubLocation: Location = Location::new(1, Parachain(1000));
+		pub EthereumNetwork: NetworkId = Ethereum { chain_id: 1 };
+	}
+
+	#[test]
+	fn deny_export_message_from_source() {
+		let mut xcm: Vec<Instruction<()>> =
+			vec![ExportMessage { network: Polkadot, destination: Here, xcm: Default::default() }];
+
+		let result = DenyFirstExportMessageFrom::<
+			EverythingBut<Equals<AssetHubLocation>>,
+			Everything,
+		>::should_execute(
+			&Location::parent(),
+			&mut xcm,
+			Weight::zero(),
+			&mut Properties { weight_credit: Weight::zero(), message_id: None },
+		);
+		assert_err!(result, ProcessMessageError::Unsupported);
+	}
+
+	#[test]
+	fn allow_export_message_from_source() {
+		let mut xcm: Vec<Instruction<()>> =
+			vec![ExportMessage { network: Polkadot, destination: Here, xcm: Default::default() }];
+
+		let result = DenyFirstExportMessageFrom::<
+			EverythingBut<Equals<AssetHubLocation>>,
+			Everything,
+		>::should_execute(
+			&AssetHubLocation::get(),
+			&mut xcm,
+			Weight::zero(),
+			&mut Properties { weight_credit: Weight::zero(), message_id: None },
+		);
+		assert!(result.is_ok());
+	}
+
+	#[test]
+	fn allow_xcm_without_export_message() {
+		let mut xcm: Vec<Instruction<()>> = vec![ClearOrigin];
+
+		let result = DenyFirstExportMessageFrom::<Everything, Everything>::should_execute(
+			&Location::parent(),
+			&mut xcm,
+			Weight::zero(),
+			&mut Properties { weight_credit: Weight::zero(), message_id: None },
+		);
+		assert!(result.is_ok());
+	}
+
+	#[test]
+	fn deny_with_reserve_transfer_to_relay_chain() {
+		let mut xcm: Vec<Instruction<()>> = vec![DepositReserveAsset {
+			assets: Wild(All),
+			dest: Location { parents: 1, interior: Here },
+			xcm: Default::default(),
+		}];
+
+		let result = DenyThenTry::<
+			DenyFirstExportMessageFrom<
+				EverythingBut<Equals<AssetHubLocation>>,
+				Equals<EthereumNetwork>,
+			>,
+			DenyThenTry<DenyReserveTransferToRelayChain, TakeWeightCredit>,
+		>::should_execute(
+			&AssetHubLocation::get(),
+			&mut xcm,
+			Weight::zero(),
+			&mut Properties { weight_credit: Weight::zero(), message_id: None },
+		);
+		assert_err!(result, ProcessMessageError::Unsupported);
+	}
+}

bridges/snowbridge/primitives/router/src/outbound/mod.rs

@@ -20,6 +20,8 @@ use sp_std::{iter::Peekable, marker::PhantomData, prelude::*};
 use xcm::prelude::*;
 use xcm_executor::traits::{ConvertLocation, ExportXcm};
 
+pub mod barriers;
+
 pub struct EthereumBlobExporter<
 	UniversalLocation,
 	EthereumNetwork,

cumulus/parachains/integration-tests/emulated/tests/bridges/bridge-hub-westend/src/tests/mod.rs

@@ -20,6 +20,7 @@ mod claim_assets;
 mod register_bridged_assets;
 mod send_xcm;
 mod snowbridge;
+mod snowbridge_edge_case;
 mod teleport;
 mod transact;
 

cumulus/parachains/integration-tests/emulated/tests/bridges/bridge-hub-westend/src/tests/snowbridge.rs

@@ -31,7 +31,7 @@ use xcm_executor::traits::ConvertLocation;
 const INITIAL_FUND: u128 = 5_000_000_000_000;
 pub const CHAIN_ID: u64 = 11155111;
 pub const WETH: [u8; 20] = hex!("87d1f7fdfEe7f651FaBc8bFCB6E086C278b77A7d");
-const ETHEREUM_DESTINATION_ADDRESS: [u8; 20] = hex!("44a57ee2f2FCcb85FDa2B0B18EBD0D8D2333700e");
+pub const ETHEREUM_DESTINATION_ADDRESS: [u8; 20] = hex!("44a57ee2f2FCcb85FDa2B0B18EBD0D8D2333700e");
 const XCM_FEE: u128 = 100_000_000_000;
 const TOKEN_AMOUNT: u128 = 100_000_000_000;