Update Adapter Access Control Logic #458

Merged
Changes from 1 commit
40 commits
03c4a6b
Added local Action on account
Kayanski Sep 16, 2024
e1e3663
Make sure the state is erased
Kayanski Sep 16, 2024
92fc1f2
Change to actual impl
Kayanski Sep 16, 2024
0acd9ea
Merge
Kayanski Sep 16, 2024
348a2f4
formatting [skip ci]
Kayanski Sep 16, 2024
6433389
Renamed local to account action
Kayanski Sep 16, 2024
3bfc41f
Renamed
Kayanski Sep 16, 2024
27d86c1
Added sdk method for admin checks
Kayanski Sep 17, 2024
387334b
Merge
Kayanski Sep 17, 2024
3c98507
Rename
Kayanski Sep 17, 2024
2a2dad7
Nits
Kayanski Sep 17, 2024
ddc778a
is_admin now takes the call_to context into account
Kayanski Sep 18, 2024
e570ad9
admin_addr instead of env in nestedadmin
Kayanski Sep 23, 2024
e218ffd
Apply github suggestions
Kayanski Sep 23, 2024
9cb93e6
Merge with develop/v2
Kayanski Sep 23, 2024
03576b5
re-order execute messages in account
CyberHoward Sep 23, 2024
95829f6
add doc-comments
CyberHoward Sep 23, 2024
c96e5a8
formatting [skip ci]
CyberHoward Sep 23, 2024
b7279b8
fix missing permission check and nits
CyberHoward Sep 23, 2024
2ba5280
formatting [skip ci]
CyberHoward Sep 23, 2024
24b6346
undo added authentication
CyberHoward Sep 23, 2024
68f3854
update state assertion fn name to `assert_account_calling_to_as_admin…
CyberHoward Sep 23, 2024
c8ddfed
formatting [skip ci]
CyberHoward Sep 23, 2024
9efd64a
nit renames
CyberHoward Sep 23, 2024
37baf29
formatting [skip ci]
CyberHoward Sep 23, 2024
93754b4
move abstract specific function to abstract trait
CyberHoward Sep 23, 2024
d7069b8
rename
CyberHoward Sep 23, 2024
4f08116
readme
Kayanski Sep 23, 2024
508042e
Moved to env instead of self_addr inside assert_admin
Kayanski Sep 24, 2024
314b22a
Doing so inside modules
Kayanski Sep 24, 2024
9ffb16c
Merge with base
Kayanski Oct 1, 2024
eff33bc
readme nit
CyberHoward Oct 1, 2024
3d659e8
fix manager usage
CyberHoward Oct 1, 2024
4528609
fix test compilation
CyberHoward Oct 1, 2024
6b5326d
fix cargo hack
CyberHoward Oct 1, 2024
9484a89
remove unused dep
CyberHoward Oct 1, 2024
e3a7334
rm ignored dep
CyberHoward Oct 1, 2024
4d0e906
fix module tests
CyberHoward Oct 2, 2024
bdcf977
free disk space on framework test
CyberHoward Oct 2, 2024
74064d3
lower deposit amount
Buckram123 Oct 2, 2024
90 changes: 85 additions & 5 deletions framework/packages/abstract-std/src/objects/ownership/README.md
@@ -1,8 +1,12 @@
# CW Ownable
# Abstract Ownership

Abstract uses multiple ownership capabilities for different use cases.

## CW Ownable

Utility for controlling ownership of [CosmWasm](https://github.com/CosmWasm/cosmwasm) smart contracts.

## How to use
### How to use

Initialize the owner during instantiation using the `initialize_owner` method provided by this crate:

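Review bot: The new intro line under `# Abstract Ownership` says Abstract uses "multiple ownership capabilities for different use cases" but never names them or says which use case each one serves. Suggest following it with a short list of the sections this README goes on to cover (CW Ownable, NFT governance type, Abstract Account Controlled Module) and one line on when each applies, so a reader choosing an access-control model can find the right section without reading the whole file.
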
@@ -92,11 +96,87 @@ pub fn query(deps: Deps, env: Env, msg: QueryMsg) -> StdResult<Binary> {
}
```

## Edge cases
### Edge cases

## NFT governance type

Utility for querying the owner of a specific NFT. In case NFT contract does not return owner of `owner_of`, ownership will act as renounced. For example NFT got burned or something happened with NFT contract.

## Abstract Account Controlled Module

For modules and contracts controlled by Abstract Accounts, we present a mechanism that allows those contracts to make sure that an in-coming message from the Account was originally called by an admin and not another module. This prevents any module to call admin functions on other modules and thus makes the module system more resistent to malicious modules.

### Mechanism

Modules and Account Owners can execute actions through the Account using the `account::ExecuteMsg::Execute` message variant. In order to execute an admin call, owners need to call `account::ExecuteMsg::AdminExecute`. This function will in order:

- Set the `CALLING_TO_AS_ADMIN` storage item to the target of the admin call.
- Call the specified function on the target module or contract.
- Remove the `CALLING_TO_AS_ADMIN` storage item.

In order to check that the call is an admin call, the target module or contract needs to check that the `CALLING_TO_AS_ADMIN` storage item is set on the account contract. If it's not set, it should error, as the call is not an authorized admin call.

### Usage inside a module

To use this functionality, Abstract provides helpers in form of the `NestedAdmin` structure. This structure should be used to handle `Abstract Accounts` as admin of a contract.

### NFT governance type
The `NestedAdmin::assert_admin` function will only return an `Result::Ok` if any of those conditions is true:

In case NFT contract does not return owner of `owner_of`, ownership will act as renounced. For example NFT got burned or something happened with NFT contract.
- The caller is the saved Account AND the `CALLING_TO_AS_ADMIN` variable is set on the account to either:
- The contract account address (`env.contract.address` is supposed to be fed to the self_addr variable)
- The `CALLING_TO_AS_ADMIN_WILD_CARD`, that is used for contract migrations to avoid re-setting the flag during migration events.
- The caller is the top-level owner of the saved Account

So inside `Abstract Apps` for instance, one should write the following lines to flag admin actions:

```rust
app.admin.assert_admin(deps.as_ref(), &env.contract.address, info.sender)?;
```

### Graphical sequences

#### Successful admin call

```mermaid
sequenceDiagram
User ->> Account: ExecuteMsg::ConfigureModule<br/>{ module_id: Module, msg: ...}
Account ->> Account: Store Module address as <br/>`CALLING_TO_AS_ADMIN`
Account ->> Module: ExecuteMsg
alt query
Module ->> Account: Query `CALLING_TO_AS_ADMIN`
Account ->> Module:
end
Module ->> Module: Make sure `CALLING_TO_AS_ADMIN` == Module
Module ->> Module: Execute Admin Message
Account ->> Account: Remove `CALLING_TO_AS_ADMIN`
```

#### Error, not admin call

```mermaid
sequenceDiagram
Bad Module ->> Account: ExecuteMsg::ExecuteOnModule <br/>{ module_id: Module, msg: ...}
Account ->> Module: ExecuteMsg
alt query
Module -x Account: Query `CALLING_TO_AS_ADMIN`
Account -x Module: Not set
end
```

#### Malicious Module can’t execute Admin function of other Module

```mermaid
sequenceDiagram
User ->> Account: ExecuteMsg::ConfigureModule<br/>{ module_id: Module, msg: ...}
Account ->> Account: Store Bad Module address as <br/>`CALLING_TO_AS_ADMIN`
Account ->> Bad Module: ExecuteMsg
Bad Module ->> Module: ChangeConfig
alt query
Module ->> Account: Query `CALLING_TO_AS_ADMIN`
Account ->> Module:
end
Module ->> Module: `CALLING_TO_AS_ADMIN` != Module --> Error
```

## License

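Review bot: The Mechanism section names `account::ExecuteMsg::AdminExecute` as the admin entry point, but the sequence diagrams further down label the same step `ExecuteMsg::ConfigureModule` and the non-admin path `ExecuteMsg::ExecuteOnModule` rather than `account::ExecuteMsg::Execute`. Please use one set of message names throughout, since a module author will implement the check from whichever one they read first. In the third diagram the user's message is labelled `{ module_id: Module, msg: ...}` while the next line stores the Bad Module address as `CALLING_TO_AS_ADMIN`; for the flag to point at Bad Module the user's call has to target Bad Module, so the label should say so. The `CALLING_TO_AS_ADMIN_WILD_CARD` bullet also deserves a sentence in Mechanism on when the account sets it, because it relaxes the "flag == this contract" comparison that the rest of the section relies on. Smaller points in the added text: "in-coming" should be "incoming", "resistent" should be "resistant", and "an `Result::Ok`" should be "a `Result::Ok`".
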