[Work in Progress] add AccountPermission

[yinyiqian1]

spec:
XRPLF/XRPL-Standards#217
XRPLF/XRPL-Standards#218

This PR includes the following changes:

1. Added AccountPermissionSet transaction.
   to enable an account(delegating account) delegate some permissions to another account(delegated account), so that the delegated account can send transactions on behalf of the delegating account.
2. Added Account_Permission ledger object
   The AccountPermissionSet transaction will create AccountPermission ledger object, with keylet(delegating account, delegated account)
3. Added Onbehalf of common field.
4. Permission has two types:
   a. transaction level permission
   b. granular permission which will be part of a transaction

more details:

1. introduced account and isDelegated in PreflightContext, PreclaimContext and ApplyContext. The account is the account which is the transaction being operated on.
2. transactor's member account_ is updated to the account which is the transaction being operated on.
3. a set of Granular Permissions gpSet is added to ApplyContext. It contains the granular permissions enabled for that transaction. But if the transaction is fully delegated, then even there are granular permissions related to that transaction, the gpSet will be cleared up. To be more specific:
   a. isDelegated=true && gpSet not empty: only granular permissions delegated to the transaction
   b. isDelegated=true && gpSet is empty: the transaction is fully delegated
4. only the granular permissions listed in Permissions.cpp are supported, so the unauthorized granular operations and the other parts under these transactions are prohibited under granular permission mode.

High Level Overview of Change

Context of Change

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Refactor (non-breaking change that only restructures code)
• Performance (increase or change in throughput and/or latency)
• Tests (you added tests for code that already exists, or your new feature included in this PR)
• Documentation update
• Chore (no impact to binary, e.g. .gitignore, formatting, dropping support for older tooling)
• Release

API Impact

• Public API: New feature (new methods and/or new fields)
• Public API: Breaking change (in general, breaking changes should only impact the next api_version)
• libxrpl change (any change that may affect libxrpl or dependents of libxrpl)
• Peer protocol change (must be backward compatible or bump the peer protocol version)

[codecov]

Codecov Report

Attention: Patch coverage is 47.22892% with 219 lines in your changes missing coverage. Please review.

Project coverage is 77.7%. Comparing base (838978b) to head (7a7fa0c).
Report is 4 commits behind head on develop.

Files with missing lines	Patch %	Lines
src/xrpld/app/tx/detail/AccountPermissionSet.cpp	0.0%	56 Missing ⚠️
src/libxrpl/protocol/Permissions.cpp	0.0%	34 Missing ⚠️
src/xrpld/app/tx/detail/Transactor.cpp	13.9%	31 Missing ⚠️
src/xrpld/rpc/handlers/LedgerEntry.cpp	5.0%	19 Missing ⚠️
src/xrpld/app/tx/detail/SetTrust.cpp	26.3%	14 Missing ⚠️
src/libxrpl/protocol/STParsedJSON.cpp	23.5%	13 Missing ⚠️
src/xrpld/app/tx/detail/SetAccount.cpp	50.0%	13 Missing ⚠️
src/xrpld/app/tx/detail/Payment.cpp	33.3%	12 Missing ⚠️
src/libxrpl/protocol/Indexes.cpp	0.0%	5 Missing ⚠️
src/xrpld/app/tx/detail/DeleteAccount.cpp	28.6%	5 Missing ⚠️
... and 8 more

Additional details and impacted files

@@            Coverage Diff            @@
##           develop   #5164     +/-   ##
=========================================
- Coverage     77.9%   77.7%   -0.2%     
=========================================
  Files          782     787      +5     
  Lines        66621   66927    +306     
  Branches      8161    8270    +109     
=========================================
+ Hits         51902   51975     +73     
- Misses       14719   14952    +233     

Files with missing lines	Coverage Δ
include/xrpl/protocol/Feature.h	100.0% <ø> (ø)
include/xrpl/protocol/Indexes.h	100.0% <ø> (ø)
include/xrpl/protocol/detail/ledger_entries.macro	100.0% <100.0%> (ø)
include/xrpl/protocol/detail/transactions.macro	100.0% <100.0%> (ø)
src/libxrpl/protocol/InnerObjectFormats.cpp	100.0% <100.0%> (ø)
src/libxrpl/protocol/TxFormats.cpp	100.0% <ø> (ø)
src/xrpld/app/tx/applySteps.h	100.0% <100.0%> (ø)
src/xrpld/app/tx/detail/AMMBid.cpp	90.4% <100.0%> (ø)
src/xrpld/app/tx/detail/AMMClawback.cpp	100.0% <100.0%> (ø)
src/xrpld/app/tx/detail/AMMCreate.cpp	90.5% <100.0%> (ø)
... and 50 more

... and 14 files with indirect coverage changes

[shawnxie999]

should probably delete copy and copy assignment constructors

[shawnxie999]

does this still needs to be done?

[yinyiqian1]

just added

[gregtatcam]

PR description should be added with a link to technical specifications if applicable.

[yinyiqian1]

PR description should be added with a link to technical specifications if applicable.

just added

[yinyiqian1]

FYI: unit test failures are transient, which have passed locally. "ERR:Env Env::close() failed: no response from server"

[gregtatcam]

I took a pass and left a few comments.
My big concern is how sfAccount is obfuscated by sfOnBehalfOf. sfAccount pretty much should never be used in the transactors with some exceptions. It's easy to miss these kind of errors where sfAccount is used instead of the account included in the context.

[gregtatcam]

Does it make sense to make this optional since it could be empty?

[yinyiqian1]

Since being empty means deleting all the permissions, can we keep it as required? So that the user won't delete the permissions by accident when they mistakenly leave out the Permissions field. Giving an empty field is more clear that they want to delete all the permissions.

[gregtatcam]

This is an on-ledger object, not the transaction. It's empty if there is no permissions so it could be optional. Can save a bit of space this way, right?

[yinyiqian1]

yes. make sense.

[gregtatcam]

Does it make sense to make it optional since it could be empty?

[gregtatcam]

Is gp prefix necessary? Can we just have TrustlineAuthorize, etc?

[yinyiqian1]

gp is to indicate it is a granular permission set's member. I'm ok with either way.

[yinyiqian1]

just deleted gp

[gregtatcam]

This value is already used by DEPOSIT_PREAUTH_CREDENTIALS

[gregtatcam]

Is this needed? If the array is invalid it should fail in the array parsing. And if the name is not Permission then it should fail also before it gets to the transactor. Should have a unit-test fo this.

[gregtatcam]

Should be const&. Please check everywhere where an alias variable is used for ctx.account. It should be AccountID const&.

[gregtatcam]

Can simplify here and below.

if (bLock && !ctx.gpSet.contains(gpMPTokenIssuanceLock))

[gregtatcam]

Can simplify here and below:

if (amountIssue.account == account_ &&
        ctx_.gpSet.contains(gpPaymentMint))

[gregtatcam]

Can simplify here and below:

if (bSetAuth &&
        !ctx_.gpSet.contains(gpTrustlineAuthorize))

[gregtatcam]

I can't leave a comment on unchanged lines so commenting here for ValidClawback::finalize:924, which is this line:

 AccountID const issuer = tx.getAccountID(sfAccount);

The issuer in this case could be either sfAccount or sfOnBehalfOf, right?

[yinyiqian1]

This is missed out. I'll also check all the other similar places which is missed out.

[yinyiqian1]

@gregtatcam
I also need to make change to AcceptedLedgerTx.cpp, LedgerToJson.cpp, and NetworkOPs.cpp, because they also check the account id when the transaction type is ttOFFER_CREATE. I'm working on this as well

[gregtatcam]

Should be STTx const&

[gregtatcam]

Should use require instead here and below.

[gregtatcam]

They should be also static. There should be only one instance of those maps.

[gregtatcam]

I think it also makes sense to add implicit conversion operator to STTx const&. Then don't need to call tx.getTx() in many cases. Can just pass tx.

[gregtatcam]

And perhaps change getTx() to something else, maybe getSTTx? tx.getTx() doesn't look right.

[gregtatcam]

The unit-tests are missing for AccountPermissionSet, all delegated transactions, and all granular permissions.

[gregtatcam]

How about renaming to STTxDelegated?

[gregtatcam]

This and next include are not used.

[gregtatcam]

What do you about adding getDelegatingAccountID() to STTx?

[yinyiqian1]

can we give it a more precise name like getDelegatingOrOriginalAccountID() or getEffectiveAccountID()?

[gregtatcam]

getEffectiveAccountID() sounds good.

[gregtatcam]

What do you think if STTxWr is hidden even further? I.e. it can be created on a fly in *Context and *Result types and those type will have STTxWr const data member instead of STTWr const&. STTxWr is a lightweight class and it's not a problem instantiating a few instances. preflight, preclaim, *Context, and *Result signatures don't change then.

[gregtatcam]

Should use exists instead and simplify:

if (!ctx.view.exists(keylet::account(ctx.tx[sfAccount]))

[gregtatcam]

This is already checked at the beginning of the function.

[gregtatcam]

Should be exists instead.

Should we check if sfOnBehalfOf is included in tx? checkPermissions is so far only called in delegated but still might make sense to check.

[gregtatcam]

Change the error code?

[yinyiqian1]

how about tecNO_PERMISSION because the permission does not exist?

[gregtatcam]

Why is this needed? We always need the account sender to update the balance. I.e. it's always sfAccount. And if it's not delegated then account_ is sfAccount.

[yinyiqian1]

I removed the check here. But I still need to add
if (!ctx_.tx.isDelegated()) mSourceBalance -= feePaid;
to keep mSourceBalance value precise.

[gregtatcam]

This is not amm, is it?

[yinyiqian1]

forgot to change when copying :(