[refactor] #3526: Allow only a fixed set of signature verification conditions

Signed-off-by: Nikita Strygin <dcnick3@users.noreply.github.com>

Author: DCNick3

client/tests/integration/multisignature_transaction.rs

@@ -7,10 +7,8 @@ use iroha_client::client::{self, Client, QueryResult};
 use iroha_config::client::Configuration as ClientConfiguration;
 use iroha_crypto::KeyPair;
 use iroha_data_model::{
-    account::TRANSACTION_SIGNATORIES_VALUE,
     parameter::{default::MAX_TRANSACTIONS_IN_BLOCK, ParametersBuilder},
     prelude::*,
-    val_vec,
 };
 use test_network::*;
 
@@ -35,15 +33,9 @@ fn multisignature_transactions_should_wait_for_all_signatures() -> Result<()> {
     let asset_definition_id = AssetDefinitionId::from_str("camomile#wonderland")?;
     let create_asset = RegisterBox::new(AssetDefinition::quantity(asset_definition_id.clone()));
     let set_signature_condition = MintBox::new(
-        SignatureCheckCondition::new(EvaluatesTo::new_unchecked(ContainsAll::new(
-            EvaluatesTo::new_unchecked(ContextValue::new(Name::from_str(
-                TRANSACTION_SIGNATORIES_VALUE,
-            )?)),
-            val_vec![
-                alice_key_pair.public_key().clone(),
-                key_pair_2.public_key().clone(),
-            ],
-        ))),
+        SignatureCheckCondition::AllAccountSignaturesAnd(
+            vec![key_pair_2.public_key().clone()].into(),
+        ),
         IdBox::AccountId(alice_id.clone()),
     );
 
@@ -84,7 +76,8 @@ fn multisignature_transactions_should_wait_for_all_signatures() -> Result<()> {
         .collect::<QueryResult<Vec<_>>>()?;
     assert_eq!(
         assets.len(),
-        2 // Alice has roses and cabbage from Genesis
+        2, // Alice has roses and cabbage from Genesis, but doesn't yet have camomile
+        "Multisignature transaction was committed before all required signatures were added"
     );
     let (public_key2, private_key2) = key_pair_2.into();
     client_configuration.public_key = public_key2;

client_cli/src/main.rs

@@ -519,8 +519,9 @@ mod account {
             let deser_err_msg =
                 format!("Failed to deserialize signature condition from file {}", &s);
             let content = fs::read_to_string(s).wrap_err(err_msg)?;
-            let condition: EvaluatesTo<bool> = json5::from_str(&content).wrap_err(deser_err_msg)?;
-            Ok(Self(SignatureCheckCondition::new(condition)))
+            let condition: SignatureCheckCondition =
+                json5::from_str(&content).wrap_err(deser_err_msg)?;
+            Ok(Self(condition))
         }
     }
 

configs/peer/validator.wasm

@@ -14,12 +14,7 @@ use dashmap::{mapref::entry::Entry, DashMap};
 use eyre::{Report, Result};
 use iroha_config::queue::Configuration;
 use iroha_crypto::HashOf;
-use iroha_data_model::{
-    account::{Account, AccountId},
-    evaluate::ExpressionEvaluator as _,
-    expression::{EvaluatesTo, Where},
-    transaction::prelude::*,
-};
+use iroha_data_model::{account::AccountId, transaction::prelude::*};
 use iroha_logger::{debug, info, trace, warn};
 use iroha_primitives::must_use::MustUse;
 use rand::seq::IteratorRandom;
@@ -32,16 +27,17 @@ impl AcceptedTransaction {
     fn check_signature_condition(&self, wsv: &WorldStateView) -> Result<MustUse<bool>> {
         let authority = &self.payload().authority;
 
-        let signatories = self
+        let transaction_signatories = self
             .signatures()
             .iter()
             .map(|signature| signature.public_key())
-            .cloned();
+            .cloned()
+            .collect();
 
         wsv.map_account(authority, |account| {
-            wsv.evaluate(&check_signature_condition(account, signatories))
-                .map(MustUse::new)
-                .map_err(Into::into)
+            Ok(account
+                .signature_check_condition
+                .check(&account.signatories, &transaction_signatories))
         })?
     }
 
@@ -51,29 +47,6 @@ impl AcceptedTransaction {
     }
 }
 
-fn check_signature_condition(
-    account: &Account,
-    signatories: impl IntoIterator<Item = PublicKey>,
-) -> EvaluatesTo<bool> {
-    let where_expr = Where::new(EvaluatesTo::new_evaluates_to_value(
-        *account.signature_check_condition.0.expression.clone(),
-    ))
-    .with_value(
-        iroha_data_model::account::ACCOUNT_SIGNATORIES_VALUE
-            .parse()
-            .expect("ACCOUNT_SIGNATORIES_VALUE should be valid."),
-        account.signatories.iter().cloned().collect::<Vec<_>>(),
-    )
-    .with_value(
-        iroha_data_model::account::TRANSACTION_SIGNATORIES_VALUE
-            .parse()
-            .expect("TRANSACTION_SIGNATORIES_VALUE should be valid."),
-        signatories.into_iter().collect::<Vec<_>>(),
-    );
-
-    EvaluatesTo::new_unchecked(where_expr)
-}
-
 /// Lockfree queue for transactions
 ///
 /// Multiple producers, single consumer
@@ -414,11 +387,7 @@ mod tests {
     use std::{str::FromStr, sync::Arc, thread, time::Duration};
 
     use iroha_config::{base::proxy::Builder, queue::ConfigurationProxy};
-    use iroha_data_model::{
-        account::{ACCOUNT_SIGNATORIES_VALUE, TRANSACTION_SIGNATORIES_VALUE},
-        prelude::*,
-        transaction::TransactionLimits,
-    };
+    use iroha_data_model::{prelude::*, transaction::TransactionLimits};
     use iroha_primitives::must_use::MustUse;
     use rand::Rng as _;
 
@@ -509,46 +478,6 @@ mod tests {
         ));
     }
 
-    #[test]
-    fn push_tx_signature_condition_failure() {
-        let max_txs_in_queue = 10;
-        let key_pair = KeyPair::generate().unwrap();
-
-        let wsv = {
-            let domain_id = DomainId::from_str("wonderland").expect("Valid");
-            let account_id = AccountId::from_str("alice@wonderland").expect("Valid");
-            let mut domain = Domain::new(domain_id.clone()).build(&account_id);
-            let mut account = Account::new(account_id.clone(), [key_pair.public_key().clone()])
-                .build(&account_id);
-            // Cause `check_siganture_condition` failure by trying to convert `u32` to `bool`
-            account.signature_check_condition =
-                SignatureCheckCondition(EvaluatesTo::new_unchecked(0u32));
-            assert!(domain.add_account(account).is_none());
-
-            let kura = Kura::blank_kura_for_testing();
-            Arc::new(WorldStateView::new(
-                World::with([domain], PeersIds::new()),
-                kura.clone(),
-            ))
-        };
-
-        let queue = Queue::from_configuration(&Configuration {
-            transaction_time_to_live_ms: 100_000,
-            max_transactions_in_queue: max_txs_in_queue,
-            ..ConfigurationProxy::default()
-                .build()
-                .expect("Default queue config should always build")
-        });
-
-        assert!(matches!(
-            queue.push(accepted_tx("alice@wonderland", key_pair), &wsv),
-            Err(Failure {
-                err: Error::SignatureCondition { .. },
-                ..
-            })
-        ));
-    }
-
     #[test]
     fn push_multisignature_tx() {
         let max_txs_in_block = 2;
@@ -563,19 +492,7 @@ mod tests {
                 key_pairs.iter().map(KeyPair::public_key).cloned(),
             )
             .build(&account_id);
-            account.signature_check_condition = SignatureCheckCondition(
-                ContainsAll::new(
-                    EvaluatesTo::new_unchecked(ContextValue::new(
-                        Name::from_str(TRANSACTION_SIGNATORIES_VALUE)
-                            .expect("TRANSACTION_SIGNATORIES_VALUE should be valid."),
-                    )),
-                    EvaluatesTo::new_unchecked(ContextValue::new(
-                        Name::from_str(ACCOUNT_SIGNATORIES_VALUE)
-                            .expect("ACCOUNT_SIGNATORIES_VALUE should be valid."),
-                    )),
-                )
-                .into(),
-            );
+            account.signature_check_condition = SignatureCheckCondition::all_account_signatures();
             assert!(domain.add_account(account).is_none());
             Arc::new(WorldStateView::new(
                 World::with([domain], PeersIds::new()),

core/src/queue.rs

@@ -15,6 +15,7 @@ use std::collections::{btree_map, btree_set};
 use derive_more::{Constructor, DebugCustom, Display};
 use getset::Getters;
 use iroha_data_model_derive::{model, IdEqOrdHash};
+use iroha_primitives::{const_vec::ConstVec, must_use::MustUse};
 use iroha_schema::IntoSchema;
 use parity_scale_codec::{Decode, Encode};
 use serde::{Deserialize, Serialize};
@@ -27,7 +28,6 @@ use crate::{
         AssetsMap,
     },
     domain::prelude::*,
-    expression::{ContainsAny, ContextValue, EvaluatesTo},
     metadata::Metadata,
     role::{prelude::RoleId, RoleIds},
     HasMetadata, Identifiable, Name, ParseError, PublicKey, Registered,
@@ -44,18 +44,6 @@ pub type AccountsMap = btree_map::BTreeMap<AccountId, Account>;
 // of space, over `Vec`.
 type Signatories = btree_set::BTreeSet<PublicKey>;
 
-/// The context value name for transaction signatories.
-#[cfg(feature = "transparent_api")]
-pub const TRANSACTION_SIGNATORIES_VALUE: &str = "transaction_signatories";
-#[cfg(not(feature = "transparent_api"))]
-const TRANSACTION_SIGNATORIES_VALUE: &str = "transaction_signatories";
-
-/// The context value name for account signatories.
-#[cfg(feature = "transparent_api")]
-pub const ACCOUNT_SIGNATORIES_VALUE: &str = "account_signatories";
-#[cfg(not(feature = "transparent_api"))]
-const ACCOUNT_SIGNATORIES_VALUE: &str = "account_signatories";
-
 #[model]
 pub mod model {
     use super::*;
@@ -154,18 +142,20 @@ pub mod model {
         Eq,
         PartialOrd,
         Ord,
-        Constructor,
         Decode,
         Encode,
         Deserialize,
         Serialize,
         IntoSchema,
     )]
-    #[serde(transparent)]
-    #[repr(transparent)]
-    // SAFETY: `SignatureCheckCondition` has no trap representation in `EvalueatesTo<bool>`
-    #[ffi_type(unsafe {robust})]
-    pub struct SignatureCheckCondition(pub EvaluatesTo<bool>);
+    #[ffi_type(opaque)]
+    #[allow(clippy::enum_variant_names)]
+    pub enum SignatureCheckCondition {
+        #[display(fmt = "AnyAccountSignatureOr({_0:?})")]
+        AnyAccountSignatureOr(ConstVec<PublicKey>),
+        #[display(fmt = "AllAccountSignaturesAnd({_0:?})")]
+        AllAccountSignaturesAnd(ConstVec<PublicKey>),
+    }
 }
 
 impl Account {
@@ -278,27 +268,6 @@ impl NewAccount {
     }
 }
 
-/// Default signature condition check for accounts.
-/// Returns true if any of the signatories have signed the transaction.
-impl Default for SignatureCheckCondition {
-    #[inline]
-    fn default() -> Self {
-        Self(
-            ContainsAny::new(
-                EvaluatesTo::new_unchecked(ContextValue::new(
-                    Name::from_str(TRANSACTION_SIGNATORIES_VALUE)
-                        .expect("TRANSACTION_SIGNATORIES_VALUE should be valid."),
-                )),
-                EvaluatesTo::new_unchecked(ContextValue::new(
-                    Name::from_str(ACCOUNT_SIGNATORIES_VALUE)
-                        .expect("ACCOUNT_SIGNATORIES_VALUE should be valid."),
-                )),
-            )
-            .into(),
-        )
-    }
-}
-
 impl HasMetadata for NewAccount {
     fn metadata(&self) -> &Metadata {
         &self.metadata
@@ -345,6 +314,50 @@ impl FromStr for AccountId {
     }
 }
 
+impl Default for SignatureCheckCondition {
+    fn default() -> Self {
+        Self::AnyAccountSignatureOr(ConstVec::new_empty())
+    }
+}
+
+impl SignatureCheckCondition {
+    /// Shorthand to create a [`SignatureCheckCondition::AnyAccountSignatureOr`] variant without additional allowed signatures.
+    #[inline]
+    pub fn any_account_signature() -> Self {
+        Self::AnyAccountSignatureOr(ConstVec::new_empty())
+    }
+
+    /// Shorthand to create a [`SignatureCheckCondition::AllAccountSignaturesAnd`] variant without additional required signatures.
+    #[inline]
+    pub fn all_account_signatures() -> Self {
+        Self::AllAccountSignaturesAnd(ConstVec::new_empty())
+    }
+
+    /// Checks whether the transaction contains all the signatures required by the `SignatureCheckCondition`.
+    pub fn check(
+        &self,
+        account_signatories: &btree_set::BTreeSet<PublicKey>,
+        transaction_signatories: &btree_set::BTreeSet<PublicKey>,
+    ) -> MustUse<bool> {
+        let result = match &self {
+            SignatureCheckCondition::AnyAccountSignatureOr(additional_allowed_signatures) => {
+                account_signatories
+                    .iter()
+                    .chain(additional_allowed_signatures.as_ref())
+                    .any(|allowed| transaction_signatories.contains(allowed))
+            }
+            SignatureCheckCondition::AllAccountSignaturesAnd(additional_required_signatures) => {
+                account_signatories
+                    .iter()
+                    .chain(additional_required_signatures.as_ref())
+                    .all(|required_signature| transaction_signatories.contains(required_signature))
+            }
+        };
+
+        MustUse::new(result)
+    }
+}
+
 /// The prelude re-exports most commonly used traits, structs and macros from this crate.
 pub mod prelude {
     pub use super::{Account, AccountId, SignatureCheckCondition};

data_model/src/account.rs

@@ -34,7 +34,6 @@ use block::VersionedCommittedBlock;
 #[cfg(not(target_arch = "aarch64"))]
 use derive_more::Into;
 use derive_more::{AsRef, DebugCustom, Deref, Display, From, FromStr};
-use evaluate::Evaluate;
 use events::TriggeringFilterBox;
 use getset::Getters;
 use iroha_crypto::{HashOf, PublicKey};
@@ -1126,10 +1125,10 @@ impl Value {
             | LengthLimits(_)
             | Numeric(_)
             | Validator(_)
-            | LogLevel(_) => 1_usize,
+            | LogLevel(_)
+            | SignatureCheckCondition(_) => 1_usize,
             Vec(v) => v.iter().map(Self::len).sum::<usize>() + 1_usize,
             LimitedMetadata(data) => data.nested_len() + 1_usize,
-            SignatureCheckCondition(s) => Evaluate::len(&s.0),
         }
     }
 }

data_model/src/lib.rs

@@ -3940,7 +3940,20 @@
       }
     ]
   },
-  "SignatureCheckCondition": "EvaluatesTo<bool>",
+  "SignatureCheckCondition": {
+    "Enum": [
+      {
+        "tag": "AnyAccountSignatureOr",
+        "discriminant": 0,
+        "type": "Vec<PublicKey>"
+      },
+      {
+        "tag": "AllAccountSignaturesAnd",
+        "discriminant": 1,
+        "type": "Vec<PublicKey>"
+      }
+    ]
+  },
   "SignatureOf<CommittedBlock>": "Signature",
   "SignatureOf<QueryPayload>": "Signature",
   "SignatureOf<TransactionPayload>": "Signature",
@@ -4771,6 +4784,9 @@
   "Vec<PeerId>": {
     "Vec": "PeerId"
   },
+  "Vec<PublicKey>": {
+    "Vec": "PublicKey"
+  },
   "Vec<TransactionValue>": {
     "Vec": "TransactionValue"
   },