Transaction permissioning (#6441)

This commit is contained in:
Arkadiy Paronyan 2017-09-05 11:39:50 +02:00 committed by Gav Wood
parent 2df61d0a8c
commit eed0e8b03a
15 changed files with 307 additions and 3 deletions

View File

@ -29,6 +29,7 @@ const SECRETSTORE_ACL_STORAGE_ABI: &'static str = include_str!("res/secretstore_
const VALIDATOR_SET_ABI: &'static str = include_str!("res/validator_set.json"); const VALIDATOR_SET_ABI: &'static str = include_str!("res/validator_set.json");
const VALIDATOR_REPORT_ABI: &'static str = include_str!("res/validator_report.json"); const VALIDATOR_REPORT_ABI: &'static str = include_str!("res/validator_report.json");
const PEER_SET_ABI: &'static str = include_str!("res/peer_set.json"); const PEER_SET_ABI: &'static str = include_str!("res/peer_set.json");
const TX_ACL_ABI: &'static str = include_str!("res/tx_acl.json");
const TEST_VALIDATOR_SET_ABI: &'static str = include_str!("res/test_validator_set.json"); const TEST_VALIDATOR_SET_ABI: &'static str = include_str!("res/test_validator_set.json");
@ -55,6 +56,7 @@ fn main() {
build_file("ValidatorSet", VALIDATOR_SET_ABI, "validator_set.rs"); build_file("ValidatorSet", VALIDATOR_SET_ABI, "validator_set.rs");
build_file("ValidatorReport", VALIDATOR_REPORT_ABI, "validator_report.rs"); build_file("ValidatorReport", VALIDATOR_REPORT_ABI, "validator_report.rs");
build_file("PeerSet", PEER_SET_ABI, "peer_set.rs"); build_file("PeerSet", PEER_SET_ABI, "peer_set.rs");
build_file("TransactAcl", TX_ACL_ABI, "tx_acl.rs");
build_test_contracts(); build_test_contracts();
} }

View File

@ -302,7 +302,8 @@ fn detokenize(name: &str, output_type: ParamType) -> String {
} }
ParamType::Uint(width) => { ParamType::Uint(width) => {
let read_uint = match width { let read_uint = match width {
8 | 16 | 32 | 64 => format!("bigint::prelude::U256(u).low_u64() as u{}", width), 8 => "u[31] as u8".into(),
16 | 32 | 64 => format!("BigEndian::read_u{}(&u[{}..])", width, 32 - (width / 8)),
_ => format!("bigint::prelude::U{}::from(&u[..])", width), _ => format!("bigint::prelude::U{}::from(&u[..])", width),
}; };

View File

@ -0,0 +1 @@
[{"constant":false,"inputs":[{"name":"sender","type":"address"}],"name":"allowedTxTypes","outputs":[{"name":"","type":"uint32"}],"payable":false,"stateMutability":"nonpayable","type":"function"}]

View File

@ -31,6 +31,7 @@ mod secretstore_acl_storage;
mod validator_set; mod validator_set;
mod validator_report; mod validator_report;
mod peer_set; mod peer_set;
mod tx_acl;
pub mod test_contracts; pub mod test_contracts;
@ -42,3 +43,4 @@ pub use self::secretstore_acl_storage::SecretStoreAclStorage;
pub use self::validator_set::ValidatorSet; pub use self::validator_set::ValidatorSet;
pub use self::validator_report::ValidatorReport; pub use self::validator_report::ValidatorReport;
pub use self::peer_set::PeerSet; pub use self::peer_set::PeerSet;
pub use self::tx_acl::TransactAcl;

View File

@ -0,0 +1,21 @@
// Copyright 2015-2017 Parity Technologies (UK) Ltd.
// This file is part of Parity.
// Parity is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// Parity is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with Parity. If not, see <http://www.gnu.org/licenses/>.
#![allow(unused_mut, unused_variables, unused_imports)]
//! Transact permissions contract.
include!(concat!(env!("OUT_DIR"), "/tx_acl.rs"));

View File

@ -1443,6 +1443,10 @@ impl BlockChainClient for Client {
self.state_at(id).and_then(|s| s.code(address).ok()).map(|c| c.map(|c| (&*c).clone())) self.state_at(id).and_then(|s| s.code(address).ok()).map(|c| c.map(|c| (&*c).clone()))
} }
fn code_hash(&self, address: &Address, id: BlockId) -> Option<H256> {
self.state_at(id).and_then(|s| s.code_hash(address).ok())
}
fn balance(&self, address: &Address, id: BlockId) -> Option<U256> { fn balance(&self, address: &Address, id: BlockId) -> Option<U256> {
self.state_at(id).and_then(|s| s.balance(address).ok()) self.state_at(id).and_then(|s| s.balance(address).ok())
} }

View File

@ -454,6 +454,13 @@ impl BlockChainClient for TestBlockChainClient {
} }
} }
fn code_hash(&self, address: &Address, id: BlockId) -> Option<H256> {
match id {
BlockId::Latest | BlockId::Pending => self.code.read().get(address).map(|c| keccak(&c)),
_ => None,
}
}
fn balance(&self, address: &Address, id: BlockId) -> Option<U256> { fn balance(&self, address: &Address, id: BlockId) -> Option<U256> {
match id { match id {
BlockId::Latest | BlockId::Pending => Some(self.balances.read().get(address).cloned().unwrap_or_else(U256::zero)), BlockId::Latest | BlockId::Pending => Some(self.balances.read().get(address).cloned().unwrap_or_else(U256::zero)),

View File

@ -96,6 +96,9 @@ pub trait BlockChainClient : Sync + Send {
.expect("code will return Some if given BlockId::Latest; qed") .expect("code will return Some if given BlockId::Latest; qed")
} }
/// Get address code hash at given block's state.
fn code_hash(&self, address: &Address, id: BlockId) -> Option<H256>;
/// Get address balance at the given block's state. /// Get address balance at the given block's state.
/// ///
/// May not return None if given BlockId::Latest. /// May not return None if given BlockId::Latest.

View File

@ -80,6 +80,8 @@ pub enum TransactionError {
CodeBanned, CodeBanned,
/// Invalid chain ID given. /// Invalid chain ID given.
InvalidChainId, InvalidChainId,
/// Not enough permissions given by permission contract.
NotAllowed,
} }
impl fmt::Display for TransactionError { impl fmt::Display for TransactionError {
@ -104,6 +106,7 @@ impl fmt::Display for TransactionError {
RecipientBanned => "Recipient is temporarily banned.".into(), RecipientBanned => "Recipient is temporarily banned.".into(),
CodeBanned => "Contract code is temporarily banned.".into(), CodeBanned => "Contract code is temporarily banned.".into(),
InvalidChainId => "Transaction of this chain ID is not allowed on this chain.".into(), InvalidChainId => "Transaction of this chain ID is not allowed on this chain.".into(),
NotAllowed => "Sender does not have permissions to execute this type of transction".into(),
}; };
f.write_fmt(format_args!("Transaction error ({})", msg)) f.write_fmt(format_args!("Transaction error ({})", msg))

View File

@ -17,7 +17,7 @@
use std::path::Path; use std::path::Path;
use std::cmp; use std::cmp;
use std::collections::{BTreeMap, HashMap}; use std::collections::{BTreeMap, HashMap};
use std::sync::Arc; use std::sync::{Arc, Weak};
use hash::{KECCAK_EMPTY_LIST_RLP}; use hash::{KECCAK_EMPTY_LIST_RLP};
use ethash::{quick_get_difficulty, slow_get_seedhash, EthashManager}; use ethash::{quick_get_difficulty, slow_get_seedhash, EthashManager};
use util::*; use util::*;
@ -29,13 +29,15 @@ use trace::{Tracer, ExecutiveTracer, RewardType};
use header::{Header, BlockNumber}; use header::{Header, BlockNumber};
use state::CleanupMode; use state::CleanupMode;
use spec::CommonParams; use spec::CommonParams;
use transaction::UnverifiedTransaction; use transaction::{UnverifiedTransaction, SignedTransaction};
use engines::{self, Engine}; use engines::{self, Engine};
use evm::Schedule; use evm::Schedule;
use ethjson; use ethjson;
use rlp::{self, UntrustedRlp}; use rlp::{self, UntrustedRlp};
use vm::LastHashes; use vm::LastHashes;
use semantic_version::SemanticVersion; use semantic_version::SemanticVersion;
use tx_filter::{TransactionFilter};
use client::{Client, BlockChainClient};
/// Parity tries to round block.gas_limit to multiple of this constant /// Parity tries to round block.gas_limit to multiple of this constant
pub const PARITY_GAS_LIMIT_DETERMINANT: U256 = U256([37, 0, 0, 0]); pub const PARITY_GAS_LIMIT_DETERMINANT: U256 = U256([37, 0, 0, 0]);
@ -141,6 +143,7 @@ pub struct Ethash {
ethash_params: EthashParams, ethash_params: EthashParams,
builtins: BTreeMap<Address, Builtin>, builtins: BTreeMap<Address, Builtin>,
pow: EthashManager, pow: EthashManager,
tx_filter: Option<TransactionFilter>,
} }
impl Ethash { impl Ethash {
@ -152,6 +155,7 @@ impl Ethash {
builtins: BTreeMap<Address, Builtin>, builtins: BTreeMap<Address, Builtin>,
) -> Arc<Self> { ) -> Arc<Self> {
Arc::new(Ethash { Arc::new(Ethash {
tx_filter: TransactionFilter::from_params(&params),
params, params,
ethash_params, ethash_params,
builtins, builtins,
@ -437,6 +441,14 @@ impl Engine for Arc<Ethash> {
Ok(()) Ok(())
} }
fn verify_transaction(&self, t: UnverifiedTransaction, header: &Header) -> Result<SignedTransaction, Error> {
let signed = SignedTransaction::new(t)?;
if !self.tx_filter.as_ref().map_or(true, |filter| filter.transaction_allowed(header.parent_hash(), &signed)) {
return Err(From::from(TransactionError::NotAllowed));
}
Ok(signed)
}
fn epoch_verifier<'a>(&self, _header: &Header, _proof: &'a [u8]) -> engines::ConstructedVerifier<'a> { fn epoch_verifier<'a>(&self, _header: &Header, _proof: &'a [u8]) -> engines::ConstructedVerifier<'a> {
engines::ConstructedVerifier::Trusted(Box::new(self.clone())) engines::ConstructedVerifier::Trusted(Box::new(self.clone()))
} }
@ -444,6 +456,13 @@ impl Engine for Arc<Ethash> {
fn snapshot_components(&self) -> Option<Box<::snapshot::SnapshotComponents>> { fn snapshot_components(&self) -> Option<Box<::snapshot::SnapshotComponents>> {
Some(Box::new(::snapshot::PowSnapshot::new(SNAPSHOT_BLOCKS, MAX_SNAPSHOT_BLOCKS))) Some(Box::new(::snapshot::PowSnapshot::new(SNAPSHOT_BLOCKS, MAX_SNAPSHOT_BLOCKS)))
} }
fn register_client(&self, client: Weak<Client>) {
if let Some(ref filter) = self.tx_filter {
filter.register_client(client as Weak<BlockChainClient>);
}
}
} }
// Try to round gas_limit a bit so that: // Try to round gas_limit a bit so that:

View File

@ -171,6 +171,7 @@ mod executive;
mod externalities; mod externalities;
mod blockchain; mod blockchain;
mod factory; mod factory;
mod tx_filter;
#[cfg(test)] #[cfg(test)]
mod tests; mod tests;

View File

@ -103,6 +103,8 @@ pub struct CommonParams {
pub registrar: Address, pub registrar: Address,
/// Node permission managing contract address. /// Node permission managing contract address.
pub node_permission_contract: Option<Address>, pub node_permission_contract: Option<Address>,
/// Transaction permission managing contract address.
pub transaction_permission_contract: Option<Address>,
} }
impl CommonParams { impl CommonParams {
@ -175,6 +177,7 @@ impl From<ethjson::spec::Params> for CommonParams {
block_reward: p.block_reward.map_or_else(U256::zero, Into::into), block_reward: p.block_reward.map_or_else(U256::zero, Into::into),
registrar: p.registrar.map_or_else(Address::new, Into::into), registrar: p.registrar.map_or_else(Address::new, Into::into),
node_permission_contract: p.node_permission_contract.map(Into::into), node_permission_contract: p.node_permission_contract.map(Into::into),
transaction_permission_contract: p.transaction_permission_contract.map(Into::into),
} }
} }
} }

233
ethcore/src/tx_filter.rs Normal file
View File

@ -0,0 +1,233 @@
// Copyright 2015-2017 Parity Technologies (UK) Ltd.
// This file is part of Parity.
// Parity is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// Parity is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with Parity. If not, see <http://www.gnu.org/licenses/>.
//! Smart contract based transaction filter.
use std::sync::Weak;
use std::collections::HashMap;
use std::collections::hash_map::Entry;
use native_contracts::TransactAcl as Contract;
use client::{BlockChainClient, BlockId, ChainNotify};
use util::{Address, H256, Bytes};
use parking_lot::{Mutex, RwLock};
use futures::{self, Future};
use spec::CommonParams;
use transaction::{Action, SignedTransaction};
use hash::KECCAK_EMPTY;
const MAX_CACHE_SIZE: usize = 4096;
mod tx_permissions {
pub const _ALL: u32 = 0xffffffff;
pub const NONE: u32 = 0x0;
pub const BASIC: u32 = 0b00000001;
pub const CALL: u32 = 0b00000010;
pub const CREATE: u32 = 0b00000100;
pub const _PRIVATE: u32 = 0b00001000;
}
/// Connection filter that uses a contract to manage permissions.
pub struct TransactionFilter {
contract: Mutex<Option<Contract>>,
client: RwLock<Option<Weak<BlockChainClient>>>,
contract_address: Address,
permission_cache: Mutex<HashMap<(H256, Address), u32>>,
}
impl TransactionFilter {
/// Create a new instance if address is specified in params.
pub fn from_params(params: &CommonParams) -> Option<TransactionFilter> {
params.transaction_permission_contract.map(|address|
TransactionFilter {
contract: Mutex::new(None),
client: RwLock::new(None),
contract_address: address,
permission_cache: Mutex::new(HashMap::new()),
}
)
}
/// Clear cached permissions.
pub fn clear_cache(&self) {
self.permission_cache.lock().clear();
}
/// Set client reference to be used for contract call.
pub fn register_client(&self, client: Weak<BlockChainClient>) {
*self.client.write() = Some(client);
}
/// Check if transaction is allowed at given block.
pub fn transaction_allowed(&self, parent_hash: &H256, transaction: &SignedTransaction) -> bool {
self.client.read().as_ref().map_or(false, |client| {
let mut cache = self.permission_cache.lock(); let len = cache.len();
let client = match client.upgrade() {
Some(client) => client,
_ => return false,
};
let tx_type = match transaction.action {
Action::Create => tx_permissions::CREATE,
Action::Call(address) => if client.code_hash(&address, BlockId::Hash(*parent_hash)).map_or(false, |c| c != KECCAK_EMPTY) {
tx_permissions::CALL
} else {
tx_permissions::BASIC
}
};
let sender = transaction.sender();
match cache.entry((*parent_hash, sender)) {
Entry::Occupied(entry) => *entry.get() & tx_type != 0,
Entry::Vacant(entry) => {
let mut contract = self.contract.lock();
if contract.is_none() {
*contract = Some(Contract::new(self.contract_address));
}
let permissions = match &*contract {
&Some(ref contract) => {
contract.allowed_tx_types(
|addr, data| futures::done(client.call_contract(BlockId::Hash(*parent_hash), addr, data)),
sender,
).wait().unwrap_or_else(|e| {
debug!("Error callling tx permissions contract: {:?}", e);
tx_permissions::NONE
})
}
_ => tx_permissions::NONE,
};
if len < MAX_CACHE_SIZE {
entry.insert(permissions);
}
trace!("Permissions required: {}, got: {}", tx_type, permissions);
permissions & tx_type != 0
}
}
})
}
}
impl ChainNotify for TransactionFilter {
fn new_blocks(&self, imported: Vec<H256>, _invalid: Vec<H256>, _enacted: Vec<H256>, _retracted: Vec<H256>, _sealed: Vec<H256>, _proposed: Vec<Bytes>, _duration: u64) {
if !imported.is_empty() {
self.clear_cache();
}
}
}
#[cfg(test)]
mod test {
use std::sync::{Arc, Weak};
use spec::Spec;
use client::{BlockChainClient, Client, ClientConfig, BlockId};
use miner::Miner;
use util::{Address};
use io::IoChannel;
use ethkey::{Secret, KeyPair};
use super::TransactionFilter;
use transaction::{Transaction, Action};
/// Contract code: https://gist.github.com/arkpar/38a87cb50165b7e683585eec71acb05a
#[test]
fn transaction_filter() {
let spec_data = r#"
{
"name": "TestNodeFilterContract",
"engine": {
"authorityRound": {
"params": {
"stepDuration": 1,
"startStep": 2,
"validators": {
"contract": "0x0000000000000000000000000000000000000000"
}
}
}
},
"params": {
"accountStartNonce": "0x0",
"maximumExtraDataSize": "0x20",
"minGasLimit": "0x1388",
"networkID" : "0x69",
"gasLimitBoundDivisor": "0x0400",
"transactionPermissionContract": "0x0000000000000000000000000000000000000005"
},
"genesis": {
"seal": {
"generic": "0xc180"
},
"difficulty": "0x20000",
"author": "0x0000000000000000000000000000000000000000",
"timestamp": "0x00",
"parentHash": "0x0000000000000000000000000000000000000000000000000000000000000000",
"extraData": "0x",
"gasLimit": "0x222222"
},
"accounts": {
"0000000000000000000000000000000000000001": { "balance": "1", "builtin": { "name": "ecrecover", "pricing": { "linear": { "base": 3000, "word": 0 } } } },
"0000000000000000000000000000000000000002": { "balance": "1", "builtin": { "name": "sha256", "pricing": { "linear": { "base": 60, "word": 12 } } } },
"0000000000000000000000000000000000000003": { "balance": "1", "builtin": { "name": "ripemd160", "pricing": { "linear": { "base": 600, "word": 120 } } } },
"0000000000000000000000000000000000000004": { "balance": "1", "builtin": { "name": "identity", "pricing": { "linear": { "base": 15, "word": 3 } } } },
"0000000000000000000000000000000000000005": {
"balance": "1",
"constructor": "6060604052341561000f57600080fd5b5b6101868061001f6000396000f30060606040526000357c0100000000000000000000000000000000000000000000000000000000900463ffffffff168063e17512211461003e575b600080fd5b341561004957600080fd5b610075600480803573ffffffffffffffffffffffffffffffffffffffff16906020019091905050610097565b604051808263ffffffff1663ffffffff16815260200191505060405180910390f35b6000737e5f4552091a69125d5dfcb7b8c2659029395bdf8273ffffffffffffffffffffffffffffffffffffffff1614156100d75763ffffffff9050610155565b732b5ad5c4795c026514f8317c7a215e218dccd6cf8273ffffffffffffffffffffffffffffffffffffffff1614156101155760026001179050610155565b736813eb9362372eef6200f3b1dbc3f819671cba698273ffffffffffffffffffffffffffffffffffffffff1614156101505760019050610155565b600090505b9190505600a165627a7a72305820f1f21cb978925a8a92c6e30c8c81adf598adff6d1ef941cf5ed6c0ec7ad1ae3d0029"
}
}
}
"#;
let spec = Spec::load(::std::env::temp_dir(), spec_data.as_bytes()).unwrap();
let client_db = Arc::new(::util::kvdb::in_memory(::db::NUM_COLUMNS.unwrap_or(0)));
let client = Client::new(
ClientConfig::default(),
&spec,
client_db,
Arc::new(Miner::with_spec(&spec)),
IoChannel::disconnected(),
).unwrap();
let key1 = KeyPair::from_secret(Secret::from("0000000000000000000000000000000000000000000000000000000000000001")).unwrap();
let key2 = KeyPair::from_secret(Secret::from("0000000000000000000000000000000000000000000000000000000000000002")).unwrap();
let key3 = KeyPair::from_secret(Secret::from("0000000000000000000000000000000000000000000000000000000000000003")).unwrap();
let key4 = KeyPair::from_secret(Secret::from("0000000000000000000000000000000000000000000000000000000000000004")).unwrap();
let filter = TransactionFilter::from_params(spec.params()).unwrap();
filter.register_client(Arc::downgrade(&client) as Weak<BlockChainClient>);
let mut basic_tx = Transaction::default();
basic_tx.action = Action::Call(Address::from("000000000000000000000000000000000000032"));
let create_tx = Transaction::default();
let mut call_tx = Transaction::default();
call_tx.action = Action::Call(Address::from("0000000000000000000000000000000000000005"));
let genesis = client.block_hash(BlockId::Latest).unwrap();
assert!(filter.transaction_allowed(&genesis, &basic_tx.clone().sign(key1.secret(), None)));
assert!(filter.transaction_allowed(&genesis, &create_tx.clone().sign(key1.secret(), None)));
assert!(filter.transaction_allowed(&genesis, &call_tx.clone().sign(key1.secret(), None)));
assert!(filter.transaction_allowed(&genesis, &basic_tx.clone().sign(key2.secret(), None)));
assert!(!filter.transaction_allowed(&genesis, &create_tx.clone().sign(key2.secret(), None)));
assert!(filter.transaction_allowed(&genesis, &call_tx.clone().sign(key2.secret(), None)));
assert!(filter.transaction_allowed(&genesis, &basic_tx.clone().sign(key3.secret(), None)));
assert!(!filter.transaction_allowed(&genesis, &create_tx.clone().sign(key3.secret(), None)));
assert!(!filter.transaction_allowed(&genesis, &call_tx.clone().sign(key3.secret(), None)));
assert!(!filter.transaction_allowed(&genesis, &basic_tx.clone().sign(key4.secret(), None)));
assert!(!filter.transaction_allowed(&genesis, &create_tx.clone().sign(key4.secret(), None)));
assert!(!filter.transaction_allowed(&genesis, &call_tx.clone().sign(key4.secret(), None)));
}
}

View File

@ -108,6 +108,9 @@ pub struct Params {
/// Node permission contract address. /// Node permission contract address.
#[serde(rename="nodePermissionContract")] #[serde(rename="nodePermissionContract")]
pub node_permission_contract: Option<Address>, pub node_permission_contract: Option<Address>,
/// Transaction permission contract address.
#[serde(rename="transactionPermissionContract")]
pub transaction_permission_contract: Option<Address>,
} }
#[cfg(test)] #[cfg(test)]

View File

@ -315,6 +315,7 @@ pub fn transaction_message(error: TransactionError) -> String {
SenderBanned => "Sender is banned in local queue.".into(), SenderBanned => "Sender is banned in local queue.".into(),
RecipientBanned => "Recipient is banned in local queue.".into(), RecipientBanned => "Recipient is banned in local queue.".into(),
CodeBanned => "Code is banned in local queue.".into(), CodeBanned => "Code is banned in local queue.".into(),
NotAllowed => "Transaction is not permitted.".into(),
} }
} }