Verifier plugin interface #1324
Conversation
edmundnoble
requested review from
sirlensalot,
jwiegley,
emilypi and
jmcardon
as code owners
src/Pact/Native/Internal.hs
Outdated
| where | ||
| enforceVerifier :: RNativeFun e | ||
| enforceVerifier i as = case as of | ||
| [TLitString verifierName, TList {_tList = (traverse (preview _TLitString) -> Just args) }] -> do |
There was a problem hiding this comment.
spurious do (but personally i'd not cram everything into views and >>= and just add some let bindings)
edmundnoble
force-pushed
the
edmund/spi
branch
from
afae6f9 to
c84272a
Compare
edmundnoble
force-pushed
the
edmund/spi
branch
from
c84272a to
3f1a7fd
Compare
edmundnoble
force-pushed
the
edmund/spi
branch
from
0371f46 to
de72bbc
Compare
There was a problem hiding this comment.
EDIT I think I understand the change better, so my main concern is not with how this is implemented but future semantic consistency with keysets, where we can't put the cat back in the bag -- keyset enforces will be allowed outside of defcaps, so should we be similarly lenient for this enforce?
Main comment is, please consider not adding the boolean csEvaluating and just doing a callstack check to restrict native application.
It's arguably worse to allow verifier enforces outside of defcaps because while a signer has presumably at least seen the code of the transaction, a verifier has no way to do so. Regardless, to me, a keyset enforce outside of a defcap is a definite, unambiguous bug. I would support looking at a possible migration in the future so that newly deployed modules make it illegal. There exist historical examples and I think that's because capabilities are newer than keysets and guards, but that's not something any new code should do. |
Old code didn't properly detect when a composed capability was managed. Co-authored-by: Jose Cardona <jose@kadena.io>
edmundnoble
force-pushed
the
edmund/spi
branch
from
dce2eef to
fd4f52e
Compare
|
I'm re-requesting review from @sirlensalot specifically for the last two commits in here; @jmcardon spotted an issue where managed caps that are being composed don't actually show up as Specifically I chose to push and pop from this stack in the with-capability and compose-capability native functions and not in the cap runtime (specifically |
This PR provides a prototype of an interface designed to provide generalized verification of Pact transactions using proofs included in the transaction. A KIP will be forthcoming with more details and a higher level view.
The idea is to make it easy to integrate new types of proofs of a transaction's validity, whether they're some new type of signatures, ZK proofs, SPV proofs, or anything else similar. Pact can effectively treat them all the same, as an opaque piece of data and a set of capabilities that it purports to provide. The Pact container layer, usually chainweb, is responsible for actually verifying that the contents of these proofs provide the capabilities they purport to; Pact code only knows that they are scoped to the capabilities they provide.
PR checklist:
cabal run tests. If they pass locally, docs are generated.pact -t), make sure pact-lsp is in sync.Additionally, please justify why you should or should not do the following:
enforce-verifiernative is guarded behind a flag. It's up to the container layer to ensure that verifiers are not accepted before a fork point, and to set the flag.