R4R: Dynamic Capabilities with Routing

[AdityaSripal]

Closes: #5542

Description

Start routing implementation in new PR since it may require changes to design. Currently router from portID => module callbacks is in portkeeper

All routing gets handled within the IBC handler itself

---

For contributor use:

• Targeted PR against correct branch (see CONTRIBUTING.md)
• Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
• Code follows the module structure standards.
• Wrote unit and integration tests
• Updated relevant documentation (docs/) or specification (x/<module>/spec/)
• Added relevant godoc comments.
• Added a relevant changelog entry to the Unreleased section in CHANGELOG.md
• Re-reviewed Files changed in the Github PR explorer

---

For admin use:

• Added appropriate labels to PR (ex. WIP, R4R, docs, etc)
• Reviewers assigned
• Squashed all commits, uses message "Merge pull request #XYZ: [title]" (coding standards)

[AdityaSripal]

Put Get/Claim capability callbacks as well so that ibc can request a module to provide the right capability or pass a module a capability that it can claim

[cwgoes]

Hmm, I'm a bit confused by these - why would IBC need to request a capability from a module or vice-versa? Generally in an object-capability system it is very dangerous for a module to expose an API that allows other modules to just fetch capabilities.

[AdityaSripal]

No longer handled in 20-transfer's Handler

[AdityaSripal]

Currently Acknowledgement callback doesn't exist, so i have a no-op. Will implement spec later

[AdityaSripal]

Get port capability from module using callback

[cwgoes]

Why do we need to look this up? The module should already have the port capability.

[AdityaSripal]

Call user defined OnChanOpenInit callback

[cwgoes]

Hmm, should this happen before or after HandleMsgChannelOpenInit?

Both are safe as long as the transaction is atomic. If it's after then it can expect the channel state to be there.

[AdityaSripal]

Module claims created channel capability using callback

[cwgoes]

Instead of doing it this way, how about passing the channel capability to OnChanOpenInit ? I think that's cleaner.

[AdityaSripal]

Rather than assuming portID == moduleName and using baseapp Router, we lookup module here in IBC handler and call appropriate callback

[cwgoes]

This actually needs to be based on the channel capability, not the port capability

[cwgoes]

Unfortunately I don't think we can safely use a map in this way - the routing table needs to be persisted in an analogous way to how dynamic capabilities are - perhaps the moduleName on scoped capability keepers can be used to help us out here? When an incoming packet comes in, for example, we should look up (in the capability ownership table) which module owns the channel capability associated with that packet, then call the callback on that module. Since the module set is fixed in app.go in all SDK apps, it's fine to have a static map of moduleName to callbacks.

[cwgoes]

The problem is that BindPort will not be re-called when e.g. gaiad is stopped & re-started

[cwgoes]

Can we delete this now?

[cwgoes]

Hmm, I'm a bit confused by these - why would IBC need to request a capability from a module or vice-versa? Generally in an object-capability system it is very dangerous for a module to expose an API that allows other modules to just fetch capabilities.

[cwgoes]

In principle, token transfer channels can safely be unordered. I think we should test the relayer with both.

[cwgoes]

Not necessarily, it's not "safety-critical", just convention. I think it's useful convention for now though.

[cwgoes]

Why do we need to look this up? The module should already have the port capability.

[cwgoes]

Hmm, should this happen before or after HandleMsgChannelOpenInit?

Both are safe as long as the transaction is atomic. If it's after then it can expect the channel state to be there.

[cwgoes]

Instead of doing it this way, how about passing the channel capability to OnChanOpenInit ? I think that's cleaner.

[cwgoes]

This actually needs to be based on the channel capability, not the port capability

[cwgoes]

Basic pattern

• Static map based on module name from scoped capability keeper to callbacks
• When a message comes in for ConnOpenInit (analogously for ConnOpenTry)
  • Message has a port
  • Look up which module owns that port (for now: first module)
    • Needs new function on ScopedCapabilityKeeper to look up first other owning module
  • Find (in the capability mapping) the moduleName for that module
  • Use the static map to look up the callbacks
  • Call onConnOpenInit and pass the new channel capability as an argument (module must store)
• For last two steps of handshake & packets, route based on channel capability instead

Notes

• Routing has to exclude the IBC module's moduleName

[cwgoes]

Almost there! A few minor concerns / cleanup remaining.

[cwgoes]

Are we sure that the ordering will always be this way? Isn't it dependent on the module name?

[fedekunze]

yeah this needs a test case for sure

[cwgoes]

Can we delete this now?

[cwgoes]

Are we sure that the ordering will always be this way? Isn't it dependent on the module name?

[fedekunze]

ditto test case

[cwgoes]

We shouldn't need to pass the port capability to the module

[cwgoes]

(we do need to pass the channel capability)

[AdityaSripal]

whoops misnamed

[fedekunze]

good work @AdityaSripal! Thanks for tackling this

[fedekunze]

yeah this needs a test case for sure

[fedekunze]

ditto test case

[fedekunze]

Suggested change

	return nil, sdkerrors.Wrap(porttypes.ErrInvalidPort, "could not retrieve module from portID")
	return nil, sdkerrors.Wrapf(porttypes.ErrInvalidPort, "could not retrieve module from portID %s" msg.PortID)

[fedekunze]

Suggested change

	return nil, sdkerrors.Wrap(porttypes.ErrInvalidPort, "could not retrieve module from portID")
	return nil, sdkerrors.Wrapf(porttypes.ErrInvalidPort, "could not retrieve module from portID %s" msg.PortID)

[lgtm-com]

This pull request fixes 2 alerts when merging 8086e42 into 06e7b80 - view on LGTM.com

fixed alerts:

• 2 for Useless assignment to local variable

[fedekunze]

LGTM. minor suggestion

[fedekunze]

nit, you can avoid duplication by abstracting this part and passing the path:

func (k ScopedKeeper) LookupModule(ctx sdk.Context, path string) (string, capability.Capability, bool) {
	capOwners, ok := k.GetOwners(ctx, path)
	if !ok {
		return "", nil, false
	}
	// For now, we enforce that only IBC and the module bound to port can own the capability
	// while future implementations may allow multiple modules to bind to a port, currently we
	// only allow one module to be bound to a port at any given time
	if len(capOwners.Owners) != 2 {
		panic("more than one module has bound to this port; currently not supported")
	}
	// the module that owns the port, for now, is the only module owner that isn't "ibc"
	var module string
	if capOwners.Owners[0].Module == "ibc" {
		module = capOwners.Owners[1].Module
	} else {
		module = capOwners.Owners[0].Module
	}
	cap, found := k.GetCapability(ctx, path)
	if !found {
		return "", nil, false
	}
	return module, cap, true
}

and then:

// LookupModuleByChannel will return the IBCModule along with the capability associated with a given channel defined by its portID and channelID
func (k Keeper) LookupModuleByChannel(ctx sdk.Context, portID, channelID string) (string, capability.Capability, bool) {
	return k.scopedKeeper.LookupModule(ctx, ibctypes.ChannelCapabilityPath(portID, channelID))
}

[AdityaSripal]

Hmm yea doesn't make sense to have the ibc special case in the scopedKeeper code, but I can just return string of modules from scoped keeper and then have a util function in ibc to enforce length-2 and pick non-ibc module

[lgtm-com]

This pull request fixes 3 alerts when merging b282f99 into 06e7b80 - view on LGTM.com

fixed alerts:

• 3 for Useless assignment to local variable

[golangcibot]

string foobar has 3 occurrences, but such constant foobar already exists (from goconst)

[golangcibot]

string 1234 has 5 occurrences, but such constant nums already exists (from goconst)

[golangcibot]

composites: github.com/cosmos/cosmos-sdk/x/ibc/03-connection/types.IdentifiedConnectionEnd composite literal uses unkeyed fields (from govet)

[lgtm-com]

This pull request fixes 3 alerts when merging 9b1aeda into 06e7b80 - view on LGTM.com

fixed alerts:

• 3 for Useless assignment to local variable

[AdityaSripal]

Seems like some test files got committed accidentally. Is there a command to clean these files up or should i manually delete them?

@alexanderbez

[alexanderbez]

errr, not sure how this happened. These files exist on master due to @alessio's changes to the keybase. But I branched off of ibc-alpha, so not sure how these got in here. They also were not in my PR diff.

[AdityaSripal]

Seems like some test files got committed accidentally. Is there a command to clean these files up or should i manually delete them?

@alexanderbez

[alexanderbez]

See above.

[cwgoes]

Logic looks solid, seems like a few test-cases can be uncommented, a few nits.

[cwgoes]

This seems potentially dangerous? What if a packet has a port/channel that isn't routed?

[cwgoes]

Here is where we want to create the escrow address

[AdityaSripal]

Looks like the current implementation just calculates the escrow address from portID, and channelID and uses the bank keeper to send and receive money. This seems like it should work?

Should I make these escrow addresses module accounts instead?

https://github.com/cosmos/cosmos-sdk/blob/ibc-alpha/x/ibc/20-transfer/keeper/relay.go#L97

https://github.com/cosmos/cosmos-sdk/blob/ibc-alpha/x/ibc/20-transfer/keeper/relay.go#L186

[cwgoes]

This is OK for now, I suppose, maybe they should be module accounts but that can be a follow-up.

[cwgoes]

Here is where we want to create the escrow address

[cwgoes]

utACK modulo question on ClaimCapability safety / permissions

[fedekunze]

NOTE: Capability is no longer an interface but a concrete type

[fedekunze]

nit, can we move each of the cases to a private function to avoid bloating the switch and for ease of reading?