add runtime check

app/upgrade.go

@@ -19,6 +19,7 @@ func (app *App) RegisterUpgradeHandlers(chainID string, serverCfg *serverconfig.
 
 	// Register the upgrade handlers here
 	app.registerNagquUpgradeHandler()
+	app.registerXxxxxUpgradeHandler()
 	// app.register...()
 	// ...
 	return nil
@@ -61,6 +62,21 @@ func (app *App) registerNagquUpgradeHandler() {
 			}
 			mm.SetConsensusVersion(2)
 			return nil
+		})
+}
 
+func (app *App) registerXxxxxUpgradeHandler() {
+	// Register the upgrade handler
+	app.UpgradeKeeper.SetUpgradeHandler(upgradetypes.Xxxxx,
+		func(ctx sdk.Context, plan upgradetypes.Plan, fromVM module.VersionMap) (module.VersionMap, error) {
+			app.Logger().Info("upgrade to ", plan.Name)
+			return app.mm.RunMigrations(ctx, app.configurator, fromVM)
+		})
+
+	// Register the upgrade initializer
+	app.UpgradeKeeper.SetUpgradeInitializer(upgradetypes.Xxxxx,
+		func() error {
+			app.Logger().Info("Init Xxxxx upgrade")
+			return nil
 		})
 }

deployment/localup/localup.sh

@@ -171,6 +171,7 @@ function generate_genesis() {
         #sed -i -e "s/\"community_tax\": \"0.020000000000000000\"/\"community_tax\": \"0\"/g" ${workspace}/.local/validator${i}/config/genesis.json
         sed -i -e "s/log_level = \"info\"/\log_level= \"debug\"/g" ${workspace}/.local/validator${i}/config/config.toml
         echo -e '[[upgrade]]\nname = "Nagqu"\nheight = 20\ninfo = ""' >> ${workspace}/.local/validator${i}/config/app.toml
+        echo -e '[[upgrade]]\nname = "Xxxxx"\nheight = 20\ninfo = ""' >> ${workspace}/.local/validator${i}/config/app.toml
     done
 
     # enable swagger API for validator0

e2e/tests/permission_test.go

@@ -251,14 +251,18 @@ func (s *StorageTestSuite) TestCreateObjectByOthers() {
 	s.Require().Equal(verifyPermResp.Effect, types.EFFECT_DENY)
 	s.T().Logf("resp: %s, rep %s", verifyPermReq.String(), verifyPermResp.String())
 
-	// Put bucket policy
-	statement := &types.Statement{
+	// Put object policy
+	statement1 := &types.Statement{
 		Actions: []types.ActionType{types.ACTION_CREATE_OBJECT},
 		Effect:  types.EFFECT_ALLOW,
 	}
+	statement2 := &types.Statement{
+		Actions: []types.ActionType{types.ACTION_UPDATE_OBJECT_INFO},
+		Effect:  types.EFFECT_ALLOW,
+	}
 	principal := types.NewPrincipalWithAccount(user[1].GetAddr())
 	msgPutPolicy := storagetypes.NewMsgPutPolicy(user[0].GetAddr(), types2.NewBucketGRN(bucketName).String(),
-		principal, []*types.Statement{statement}, nil)
+		principal, []*types.Statement{statement1, statement2}, nil)
 	s.SendTxBlock(user[0], msgPutPolicy)
 
 	// verify permission

go.mod

@@ -178,7 +178,7 @@ replace (
 	github.com/cometbft/cometbft => github.com/bnb-chain/greenfield-cometbft v0.0.3
 	github.com/cometbft/cometbft-db => github.com/bnb-chain/greenfield-cometbft-db v0.8.1-alpha.1
 	github.com/confio/ics23/go => github.com/cosmos/cosmos-sdk/ics23/go v0.8.0
-	github.com/cosmos/cosmos-sdk => github.com/bnb-chain/greenfield-cosmos-sdk v0.2.6-alpha.1
+	github.com/cosmos/cosmos-sdk => github.com/forcodedancing/greenfield-cosmos-sdk v0.2.1-0.20230918062228-f66797bea5a1
 	github.com/cosmos/iavl => github.com/bnb-chain/greenfield-iavl v0.20.1
 	github.com/syndtr/goleveldb => github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7
 )

go.sum

@@ -163,8 +163,6 @@ github.com/bnb-chain/greenfield-cometbft v0.0.3 h1:tv8NMy3bzX/1urqXGQIIAZSLy83lo
 github.com/bnb-chain/greenfield-cometbft v0.0.3/go.mod h1:f35mk/r5ab6yvzlqEWZt68LfUje68sYgMpVlt2CUYMk=
 github.com/bnb-chain/greenfield-cometbft-db v0.8.1-alpha.1 h1:XcWulGacHVRiSCx90Q8Y//ajOrLNBQWR/KDB89dy3cU=
 github.com/bnb-chain/greenfield-cometbft-db v0.8.1-alpha.1/go.mod h1:ey1CiK4bYo1RBNJLRiVbYr5CMdSxci9S/AZRINLtppI=
-github.com/bnb-chain/greenfield-cosmos-sdk v0.2.6-alpha.1 h1:45vvOMYn2e9OXPoKlJeaJVLjgBaWbZfOZLFt0wIKnDY=
-github.com/bnb-chain/greenfield-cosmos-sdk v0.2.6-alpha.1/go.mod h1:y3hDhQhil5hMIhwBTpu07RZBF30ZITkoE+GHhVZChtY=
 github.com/bnb-chain/greenfield-cosmos-sdk/api v0.0.0-20230816082903-b48770f5e210 h1:GHPbV2bC+gmuO6/sG0Tm8oGal3KKSRlyE+zPscDjlA8=
 github.com/bnb-chain/greenfield-cosmos-sdk/api v0.0.0-20230816082903-b48770f5e210/go.mod h1:vhsZxXE9tYJeYB5JR4hPhd6Pc/uPf7j1T8IJ7p9FdeM=
 github.com/bnb-chain/greenfield-cosmos-sdk/math v0.0.0-20230816082903-b48770f5e210 h1:FLVOn4+OVbsKi2+YJX5kmD27/4dRu4FW7xCXFhzDO5s=
@@ -370,6 +368,8 @@ github.com/fjl/memsize v0.0.0-20190710130421-bcb5799ab5e5/go.mod h1:VvhXpOYNQvB+
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/flynn/noise v1.0.0/go.mod h1:xbMo+0i6+IGbYdJhF31t2eR1BIU0CYc12+BNAKwUTag=
 github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
+github.com/forcodedancing/greenfield-cosmos-sdk v0.2.1-0.20230918062228-f66797bea5a1 h1:UHVhaT7PI9wXgzrzlK+gl7YxuSFokYMyqWWHOut/104=
+github.com/forcodedancing/greenfield-cosmos-sdk v0.2.1-0.20230918062228-f66797bea5a1/go.mod h1:y3hDhQhil5hMIhwBTpu07RZBF30ZITkoE+GHhVZChtY=
 github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/francoispqt/gojay v1.2.13/go.mod h1:ehT5mTG4ua4581f1++1WLG0vPdaA9HaiDsoyrBGkyDY=

x/permission/types/types.go

@@ -5,6 +5,8 @@ import (
 	"time"
 
 	"cosmossdk.io/math"
+	sdk "github.com/cosmos/cosmos-sdk/types"
+	upgradetypes "github.com/cosmos/cosmos-sdk/x/upgrade/types"
 
 	gnfd "github.com/bnb-chain/greenfield/types"
 	"github.com/bnb-chain/greenfield/types/common"
@@ -26,6 +28,19 @@ var (
 		ACTION_UPDATE_BUCKET_INFO: true,
 		ACTION_DELETE_BUCKET:      true,
 
+		ACTION_CREATE_OBJECT:  true,
+		ACTION_DELETE_OBJECT:  true,
+		ACTION_GET_OBJECT:     true,
+		ACTION_COPY_OBJECT:    true,
+		ACTION_EXECUTE_OBJECT: true,
+		ACTION_LIST_OBJECT:    true,
+
+		ACTION_TYPE_ALL: true,
+	}
+	BucketAllowedActionsAfterXxxxx = map[ActionType]bool{
+		ACTION_UPDATE_BUCKET_INFO: true,
+		ACTION_DELETE_BUCKET:      true,
+
 		ACTION_CREATE_OBJECT:      true,
 		ACTION_DELETE_OBJECT:      true,
 		ACTION_GET_OBJECT:         true,
@@ -168,26 +183,25 @@ func (s *Statement) ValidateBasic(resType resource.ResourceType) error {
 	case resource.RESOURCE_TYPE_UNSPECIFIED:
 		return ErrInvalidStatement.Wrap("Please specify the ResourceType explicitly. Not allowed set RESOURCE_TYPE_UNSPECIFIED")
 	case resource.RESOURCE_TYPE_BUCKET:
-		containsCreateObject := false
-		for _, a := range s.Actions {
-			if !BucketAllowedActions[a] {
-				return ErrInvalidStatement.Wrapf("%s not allowed to be used on bucket.", a.String())
-			}
-			if a == ACTION_CREATE_OBJECT {
-				containsCreateObject = true
-			}
-		}
+		//containsCreateObject := false
+		//for _, a := range s.Actions {
+		//	if !BucketAllowedActions[a] {
+		//		return ErrInvalidStatement.Wrapf("%s not allowed to be used on bucket.", a.String())
+		//	}
+		//	if a == ACTION_CREATE_OBJECT {
+		//		containsCreateObject = true
+		//	}
+		//}
+		//if !containsCreateObject && s.LimitSize != nil {
+		//	return ErrInvalidStatement.Wrap("The LimitSize option can only be used with CreateObject actions at the bucket level. .")
+		//}
 		for _, r := range s.Resources {
 			var grn gnfd.GRN
 			err := grn.ParseFromString(r, true)
 			if err != nil {
 				return ErrInvalidStatement.Wrapf("GRN parse from string failed, err: %s", err)
 			}
 		}
-
-		if !containsCreateObject && s.LimitSize != nil {
-			return ErrInvalidStatement.Wrap("The LimitSize option can only be used with CreateObject actions at the bucket level. .")
-		}
 	case resource.RESOURCE_TYPE_OBJECT:
 		for _, a := range s.Actions {
 			if !ObjectAllowedActions[a] {
@@ -239,3 +253,27 @@ func (s *Statement) ValidateAfterNagqu(resType resource.ResourceType) error {
 	}
 	return nil
 }
+
+func (s *Statement) ValidateRuntime(ctx sdk.Context, resType resource.ResourceType) error {
+	var bucketAllowedActions map[ActionType]bool
+	if ctx.IsUpgraded(upgradetypes.Xxxxx) {
+		bucketAllowedActions = BucketAllowedActionsAfterXxxxx
+	} else {
+		bucketAllowedActions = BucketAllowedActions
+	}
+	if resType == resource.RESOURCE_TYPE_BUCKET {
+		containsCreateObject := false
+		for _, a := range s.Actions {
+			if !bucketAllowedActions[a] {
+				return ErrInvalidStatement.Wrapf("%s not allowed to be used on bucket.", a.String())
+			}
+			if a == ACTION_CREATE_OBJECT {
+				containsCreateObject = true
+			}
+		}
+		if !containsCreateObject && s.LimitSize != nil {
+			return ErrInvalidStatement.Wrap("The LimitSize option can only be used with CreateObject actions at the bucket level. .")
+		}
+	}
+	return nil
+}

x/storage/types/message.go

@@ -8,6 +8,7 @@ import (
 	"cosmossdk.io/errors"
 	sdk "github.com/cosmos/cosmos-sdk/types"
 	sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
+	upgradetypes "github.com/cosmos/cosmos-sdk/x/upgrade/types"
 	"github.com/cosmos/gogoproto/proto"
 
 	grn2 "github.com/bnb-chain/greenfield/types"
@@ -1186,6 +1187,19 @@ func (msg *MsgPutPolicy) ValidateBasic() error {
 	return nil
 }
 
+func (msg *MsgPutPolicy) ValidateRuntime(ctx sdk.Context) error {
+	var grn grn2.GRN
+	_ = grn.ParseFromString(msg.Resource, true) // no error after ValidateBasic
+	for _, s := range msg.Statements {
+		err := s.ValidateRuntime(ctx, grn.ResourceType())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func NewMsgDeletePolicy(operator sdk.AccAddress, resource string, principal *permtypes.Principal) *MsgDeletePolicy {
 	return &MsgDeletePolicy{
 		Operator:  operator.String(),
@@ -1235,11 +1249,15 @@ func (msg *MsgDeletePolicy) ValidateBasic() error {
 		return gnfderrors.ErrInvalidPrincipal.Wrapf("Not allow grant group's permission to another group")
 	}
 
-	err = msg.Principal.ValidateBasic()
-	if err != nil {
-		return err
-	}
+	return nil
+}
 
+func (msg *MsgDeletePolicy) ValidateRuntime(ctx sdk.Context) error {
+	if ctx.IsUpgraded(upgradetypes.Xxxxx) {
+		if err := msg.Principal.ValidateBasic(); err != nil {
+			return err
+		}
+	}
 	return nil
 }