feat: improve multisig utility and usability

s8sato commented 1 month ago

BREAKING CHANGES:

(api-changes) CanRegisterAnyTrigger CanUnregisterAnyTrigger permissions for internal operations only
(api-changes) GenesisWasmTrigger under RawGenesisTransaction for genesis.json readability
(api-changes) Multisig*Args attached to multi-signature operations
(config-changes) defaults/genesis.json assumes wasm_triggers[*].action.executable is prebuilt under wasm/target/prebuilt/libs/

Major commits:

feat: support multisig recursion
feat: introduce multisig quorum and weights
feat: add multisig subcommand to client CLI
feat: introduce multisig transaction time-to-live
feat: predefine multisig world-level trigger in genesis
feat: allow accounts in domain to register multisig accounts

Context

Partially resolves #4930

Opens:

5022: essential to security
5185: essential to true utility
5160
5178

Solution

Each commit is explained below, starting with the most recent. You can see the commit history here

feat: support multisig recursion

Allows multisig to function hierarchically, expected to be useful for e.g. automating organizational approval flows.

When a multisig transaction proposed, every subordinate node (multisig account and corresponding transactions registry) automatically get ready to accept approvals that will be coming up from individual signatories
Using CLI, individual signatories can query all pending multisig transactions they are involved in, not only those proposed to their direct multisig account

Tests:

cargo test -p iroha integration::multisig::multisig_recursion
bash scripts/tests/multisig.recursion.sh

feat: introduce multisig quorum and weights

Inspired by Sui's multisig. Allows for flexible, if not completely free, authentication policies beyond "m of n". For example, weight equivalent to quorum represents administrative privileges

feat: add multisig subcommand to client CLI

$ cargo build
$ ./target/debug/iroha multisig

The subcommand related to multisig accounts and transactions

Usage: iroha multisig <COMMAND>

Commands:
  register  Register a multisig account
  propose   Propose a multisig transaction
  approve   Approve a multisig transaction
  list      List pending multisig transactions relevant to you
  help      Print this message or the help of the given subcommand(s)

Options:
  -h, --help  Print help

You can see more usage in the testing script

feat: introduce multisig transaction time-to-live

Considers the latest block timestamp as the current time and determines timeout, when the transactions registry is called

feat: predefine multisig world-level trigger in genesis

Defines a global trigger in genesis that exercises authority over all domains. There will be three types of triggers on the system side related to multisig:

Domains initializer has world-level authority and in response to a domain creation event, registers an accounts registry handled by the domain owner authority
Accounts registry has domain-level authority and when called by a domain resident, registers a multisig account along with a transactions registry
Transactions registry has account-level authority and when called by a multisig signatory, accepts proposals or approvals for multisig transactions, and is responsible for executing them

feat: allow accounts in domain to register multisig accounts

Accounts registry has authority of the domain owner, so access was previously restricted. This commit allows anyone to organize any multisig account within the domain.

This may be too lenient. Discussion

Review notes

To get an overview,

cargo test -p iroha integration::multisig::multisig
bash scripts/tests/multisig.sh

sequenceDiagram
    autonumber
    participant oo as etc.
    participant DI as Domains Initializer
    Note over DI: /world
    oo-->>DI: domain created
    create participant AR as Accounts Registry
    DI-->>AR: register
    Note over AR: /world/domain
    create actor s0 as signatory 0
    oo->>s0: register
    create actor s1 as signatory 1
    oo->>s1: register
    s0->>AR: request new ms account
    create actor 01 as ms account 01
    AR-->>01: register
    create participant TR as Transactions Registry
    AR-->>TR: register
    AR-->>s0: grant ms role
    AR-->>s1: grant ms role
    Note over 01,TR: /world/domain/account
    s1->>TR: propose instructions
    create participant tx as pending ms transaction
    TR-->>tx: deploy ms transaction
    s0->>TR: approve instructions
    destroy tx
    TR-->>tx: execute instructions

The dotted line indicates an automatic process

Checklist

[x] I've read CONTRIBUTING.md.
[x] I've written integration tests for the code changes.
[ ] All review comments have been resolved.

github-actions[bot] commented 1 month ago

@BAStos525

nxsaken commented 1 month ago

Genesis needs to be updated

s8sato commented 3 weeks ago

Updates:

review doc: add a reference to multisig recursion diagram
review fix: signatories and weights must be equal in length
review fix: condition to rebuild multisig subordinate triggers
review fix: genesis.json includes not wasm blobs but hashes
review fix: autofill multisig account domains
review fix: avoid name collisions of multisig role and triggers
review fix: perpetuate multisig domain-level authority
review fix: add a domain for domain-free system accounts

commit history

Notes:

Currently script tests (scripts/tests/multisig.*) are failing after rebase for some reason

s8sato commented 2 weeks ago

Updates:

review fix: exception for multisig role registration
review fix: give genesis.json a special field to register wasm triggers
DROP: review fix: genesis.json includes not wasm blobs but hashes
EDIT: review fix: avoid name collisions of multisig role and triggers

commit history

Notes:

Currently script tests (scripts/tests/multisig.*) are failing after rebase for some reason

This was because only integration tests passed due to my overlook of privileged Alice in TestGenesis. Fixed
Stopped pursuing the cause of the failing integration::extra_functional::restart_peer::restarted_peer_should_have_the_same_asset_amount

s8sato commented 4 days ago

Major updates:

accept transaction_ttl as humantime::Duration and convert to milliseconds
hide system entities configuration from kagami::genesis::generate
reorganize wasm_samples, remove multisig_*/build.rs
create dedicated iroha_multisig_data_model crate

Minor updates are fixed up with existing commits.

commit history

Notes:

genesis_block_builder_example is failing to compile for some reason. Left to another PR

I'd address further feedbacks in another PR of #4930. This PR is already enough hard to maintain

s8sato commented 14 hours ago

Updates:

fix CI to build, upload and download wasm libraries
- may become a cost on CI @BAStos525
FIXUP: make a wasm trigger executable path relative to genesis.json directory
FIXUP: hide system entity configurations from kagami::genesis::generate
EDIT: review fix: give genesis.json a special field to register wasm triggers

commit history

Notes:

Does this have something to do with the repository change?

When an outside contributor submits a pull request to a public repository, a maintainer with write access may need to approve some workflow runs.

EDIT: resolved by joining the organization

hyperledger-iroha / iroha