Allow list with cohort and auth admin roles #341
Conversation
vzotova
force-pushed
the
new-allow-list
branch
from
2c3f202 to
8cb5b5b
Compare
vzotova
changed the title
vzotova
requested review from
KPrasch,
arjunhassard,
cygnusv,
theref,
derekpierre and
manumonti
There was a problem hiding this comment.
So based on @cygnusv 's comment in Discord:
Maybe we can just add a flag to disallow setting auth admins, so with the flag off the contract simply behaves as a normal global allows list. The point would be to have a single type of contract
The "flag" at the moment, is really just either using the GlobalAllowList or the ManagedAllowList as the accessController for a Ritual. Correct?
| } | ||
| function grantAuthAdminRole(uint32 ritualId, address account) external { | ||
| initializeCohortAdminRole(ritualId); | ||
| grantRole(ritualRole(ritualId, AUTH_ADMIN_BASE), account); |
There was a problem hiding this comment.
So just to confirm, if the ritual authority calls grantRole() directly without having first called initializeCohortAdminRole(), the call will fail.
But, if the ritual authority either:
- makes the two separate calls in here themselves directly
OR - calls
grantAuthAdminRole()
then granting the role will work correctly.
vzotova
force-pushed
the
new-allow-list
branch
2 times, most recently
from
a2bf89c to
86c48c3
Compare
| require(address(_subscription) != address(0), "Subscription cannot be the zero address"); | ||
| subscription = _subscription; | ||
| constructor(Coordinator _coordinator) GlobalAllowList(_coordinator) { | ||
| _disableInitializers(); |
There was a problem hiding this comment.
GlobalAllowList constructor already _disableInitializers(), but I guess we do it just in case this dependence is removed, right? In any case, calling it twice doesn't do any harm. Just double-checking on this.
There was a problem hiding this comment.
just a habit, I'll remove it
| _grantRole(cohortAdminRole, authority); | ||
| } | ||
|
|
||
| function grantAuthAdminRole(uint32 ritualId, address account) external { |
There was a problem hiding this comment.
We need some docstrings here saying that this can only be called by the cohort admin
There was a problem hiding this comment.
Just to be sure: this contract is removed because it was only used in the old ManagedAllowList and we already have AbstractSubscription.sol, correct?
There was a problem hiding this comment.
Yep, Old Subscription contract was there just as reference (and mostly to compile old ManagedAllowList)
| import "./GlobalAllowList.sol"; | ||
| import "./Coordinator.sol"; | ||
| import {UpfrontSubscriptionWithEncryptorsCap} from "./subscription/Subscription.sol"; | ||
|
|
||
| /** | ||
| * @title ManagedAllowList | ||
| * @notice Manages a list of addresses that are authorized to decrypt ciphertexts, with additional management features. |
There was a problem hiding this comment.
| * @notice Manages a list of addresses that are authorized to decrypt ciphertexts, with additional management features. | |
| * @notice Manages a list of addresses that are authorized to encrypt ciphertexts, with additional management features. |
| subscription.authorizationActionsCap(ritualId, addresses[i]), | ||
| "Authorization cap exceeded" | ||
| ); | ||
| function initializeCohortAdminRole(uint32 ritualId) public { |
There was a problem hiding this comment.
When it is expected this function to be called? The way I see it, we could do it in the coordinator when the ritual is initiated. This shouldn't matter in the case of ritual failing, but if ritual succeeds, then this is already done from day 1.
There was a problem hiding this comment.
I'd avoid any changes in Coordinator to call it
This function included in grantAuthAdminRole function, so it will be called anyway during first granting
| managed_allow_list.addAdministrators(RITUAL_ID, [admin.address], ADMIN_CAP, sender=admin) | ||
| managed_allow_list.grantRole(auth_admin_role, initiator, sender=initiator) | ||
| with ape.reverts("Encryptor must be authorized by the sender first"): | ||
| managed_allow_list.deauthorize(ritual_id, [deployer.address], sender=initiator) |
There was a problem hiding this comment.
Here's some food for thought for a new test:
- Cohort admin authorizes auth admin A
- Cohort admin authorizes auth admin B
- A authorizes encryptor E
- B authorizes encryptor E
- A deauthorizes encryptor E
What should happen with E? Is E still authorized or not?
There was a problem hiding this comment.
Interesting scenario. Given that E is used by both A and B, what scenario could yield that? 🤔 . An encryption service of some sort? But it would be using the same signer for both A and B? Maybe the user encrypting for themselves on two different apps (A and B) using the same ritual...?
At first blush, it seems that E should still be authorized for B. It's unclear the relationship between A and B, and feels like without that knowledge the safest philosophy is that A's actions should not affect B's.
Did you have existing thoughts here?
There was a problem hiding this comment.
'B authorizes encryptor E' - that will fail with the current code, encryptor can be authorized only by one auth admin
There was a problem hiding this comment.
Right, if B can't authorize E becasue it's already authorized by A, then the problem disappears. We need to think carefully if this is acceptable, but if so, then I don't have further comments.
There was a problem hiding this comment.
Would the following scenario be a possibility? Two apps, A and B, each being authAdmins for the same ritual (use as part of using the same broader service) and wanting to control their own set of encryptors. The encryptor could be the user and the user utilizes the same wallet across the two apps?
There was a problem hiding this comment.
could you elaborate a bit more
so we have two auth admins? and same ritual? each of them can have own set of encryptors within paid subscription
There was a problem hiding this comment.
Yes. Effectively, two auth admins for the same ritual. e.g. Ceramic pays for a ritual, r, for their developers, and then assigns two separate developers/application owners, A and B, as auth admins as part of their respective applications.
Both applications allow their individual users to be encryptors. User, U, uses both apps and wants to use their EOA wallet as an encryptor...?
There was a problem hiding this comment.
I see, now it's not allowed, but point that we don't have separation for two apps using same ritual, so for contract it will be that any admin authorizes User and this User can authorize for the ritual which effectively means both apps
vzotova
force-pushed
the
new-allow-list
branch
from
86c48c3 to
b077c1b
Compare
Co-authored-by: derekpierre <[email protected]> Co-authored-by: David Núñez <[email protected]>
vzotova
force-pushed
the
new-allow-list
branch
from
b077c1b to
813227e
Compare
Type of PR:
Required reviews:
What this does:
Issues fixed/closed:
Why it's needed:
Notes for reviewers: