Transactions should Explicitly Declare Required Authority Level

[bytemaster]

In BitShares and Steem the required authority is implicitly defined by the operation type and data contained within. Under EOS this is no longer the case, message types are dynamic and defined at run time.

The goal is to facilitate validating that a transaction has all required signatures for the declared authority without having to know how to read internals of messages.

struct transaction {
    ... header....
    vector<message> messages;
}

struct permission {
    account_id               account   
    permission_id_type permission; // owner, active, or custom...
}

struct signed_transaction : public transaction {
     vector<signature>   signatures;
     vector<permission> required_authority;
}

The blockchain can verify that the given signatures provide the required authority without having to execute scripts.

Before applying a message to a contract, the blockchain can look up the permission level required for the SENDER / TO pair and verify that the permission is in the required_authority set of the transaction.

[nathanielhourt]

Relevant commit: 4e59a50

[nathanielhourt]

Also TODO: create configuration option to disable all auth checking (for debugging)

[nathanielhourt]

@bytemaster and I just discussed this, and realized it was a mistake to move authorizations to Transaction rather than Messages. I was thinking this would work such that when the contract code executed and asserted that joe has authorized the transaction, the chain would look up what permission level joe must use to approve the message being evaluated, then check that the transaction declared an authority sufficient to confer that permission.

This approach has two major shortcomings, however:

• We can't look up what authority level joe is using until we're executing contracts, because we don't know until then which messages in the transaction joe is supposed to be authorizing
• We must look up authority information in the database after messages have begun processing, which means that one message in the block could update authorities in a way that changes the validity/behavior of a later message in the block

Instead, we have decided to move the authorizations back from Transaction to Message. In this model, we can do all authority checks in full prior to processing any transactions: we scan the declared authorities declared by all messages in all transactions in the block before processing any messages. During this scan, we first check what authority level the declared user requires to execute the message type, and check that the declared authority level is at least as high as the required authority level. Next, we check that the transaction bears signatures to access the declared authority.

Later, when we execute the messages, and the handlers emit their require_authorization calls, we simply check that the required username is in the message's declared authorities list. When we finish processing the message, we check that all of the declared authorities got used. These are both very fast checks.

This solves both of our problems: we do all the authority database lookups prior to processing transactions (which may have parallelization advantages, since no writes to the database are possible at this time), and we get all authority checking out of the way prior to evaluating any transactions, which eliminates the possibility of one message updating authorities in a way that affects another message in the same block.