add limited key

near · Apr 27, 2023 · 6e44925 · 6e44925
1 parent b935bcc
commit 6e44925
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 0 deletions.
diff --git a/integration-tests/tests/mpc/negative.rs b/integration-tests/tests/mpc/negative.rs
@@ -15,6 +15,7 @@ async fn test_invalid_token() -> anyhow::Result<()> {
                 .leader_node
                 .new_account(NewAccountRequest {
                     near_account_id: account_id.to_string(),
+                    limited_public_key: None,
                     oidc_token: token::invalid(),
                     public_key: user_public_key.clone(),
                 })
@@ -27,6 +28,7 @@ async fn test_invalid_token() -> anyhow::Result<()> {
                 .leader_node
                 .new_account(NewAccountRequest {
                     near_account_id: account_id.to_string(),
+                    limited_public_key: None,
                     oidc_token: oidc_token.clone(),
                     public_key: user_public_key.clone(),
                 })
@@ -97,6 +99,7 @@ async fn test_malformed_account_id() -> anyhow::Result<()> {
                 .leader_node
                 .new_account(NewAccountRequest {
                     near_account_id: malformed_account_id.to_string(),
+                    limited_public_key: None,
                     oidc_token: oidc_token.clone(),
                     public_key: user_public_key.clone(),
                 })
@@ -111,6 +114,7 @@ async fn test_malformed_account_id() -> anyhow::Result<()> {
                 .leader_node
                 .new_account(NewAccountRequest {
                     near_account_id: account_id.to_string(),
+                    limited_public_key: None,
                     oidc_token: oidc_token.clone(),
                     public_key: user_public_key.clone(),
                 })
@@ -180,6 +184,7 @@ async fn test_malformed_public_key() -> anyhow::Result<()> {
                 .leader_node
                 .new_account(NewAccountRequest {
                     near_account_id: account_id.to_string(),
+                    limited_public_key: None,
                     oidc_token: oidc_token.clone(),
                     public_key: malformed_public_key.clone(),
                 })
@@ -194,6 +199,7 @@ async fn test_malformed_public_key() -> anyhow::Result<()> {
                 .leader_node
                 .new_account(NewAccountRequest {
                     near_account_id: account_id.to_string(),
+                    limited_public_key: None,
                     oidc_token: oidc_token.clone(),
                     public_key: user_public_key.clone(),
                 })

diff --git a/integration-tests/tests/mpc/positive.rs b/integration-tests/tests/mpc/positive.rs
@@ -61,6 +61,7 @@ async fn test_basic_action() -> anyhow::Result<()> {
                 .leader_node
                 .new_account(NewAccountRequest {
                     near_account_id: account_id.to_string(),
+                    limited_public_key: None,
                     oidc_token: oidc_token.clone(),
                     public_key: user_public_key.clone(),
                 })
@@ -133,6 +134,7 @@ async fn test_random_recovery_keys() -> anyhow::Result<()> {
                 .leader_node
                 .new_account(NewAccountRequest {
                     near_account_id: account_id.to_string(),
+                    limited_public_key: None,
                     oidc_token: token::valid_random(),
                     public_key: user_public_key.clone(),
                 })
@@ -155,6 +157,7 @@ async fn test_random_recovery_keys() -> anyhow::Result<()> {
                 .leader_node
                 .new_account(NewAccountRequest {
                     near_account_id: account_id.to_string(),
+                    limited_public_key: None,
                     oidc_token: token::valid_random(),
                     public_key: user_public_key.clone(),
                 })

diff --git a/mpc-recovery/src/leader_node/mod.rs b/mpc-recovery/src/leader_node/mod.rs
@@ -156,6 +156,14 @@ async fn process_new_account<T: OAuthTokenVerifier>(
         .public_key
         .parse()
         .map_err(|e| NewAccountError::MalformedPublicKey(request.public_key, e))?;
+    let limited_user_account_pk: Option<PublicKey> = request
+        .limited_public_key
+        .clone()
+        .map(|k| k.parse())
+        .transpose()
+        .map_err(|e| {
+            NewAccountError::MalformedPublicKey(request.limited_public_key.unwrap_or_default(), e)
+        })?;
     let new_user_account_id: AccountId = request
         .near_account_id
         .parse()
@@ -198,6 +206,7 @@ async fn process_new_account<T: OAuthTokenVerifier>(
             new_user_account_id.clone(),
             mpc_user_recovery_pk.clone(),
             new_user_account_pk.clone(),
+            limited_user_account_pk.clone(),
             state.near_root_account.clone(),
             nonce,
             block_height + 100,

diff --git a/mpc-recovery/src/msg.rs b/mpc-recovery/src/msg.rs
@@ -5,6 +5,7 @@ use serde::{Deserialize, Serialize};
 #[derive(Serialize, Deserialize, Debug)]
 pub struct NewAccountRequest {
     pub public_key: String,
+    pub limited_public_key: Option<String>,
     pub near_account_id: String,
     pub oidc_token: String,
 }

diff --git a/mpc-recovery/src/transaction.rs b/mpc-recovery/src/transaction.rs
@@ -21,10 +21,24 @@ use serde_json::json;
 use crate::msg::SigShareRequest;
 use crate::sign_node::aggregate_signer::{Reveal, SignedCommitment};
 
+#[derive(Serialize, Deserialize)]
+/// Information about any limited access keys that are being added to the account as part of `create_account_advanced`.
+pub struct LimitedAccessKey {
+    /// The public key of the limited access key.
+    pub public_key: PublicKey,
+    /// The amount of yoctoNEAR$ that can be spent on Gas by this key.
+    pub allowance: String,
+    /// Which contract should this key be allowed to call.
+    pub receiver_id: AccountId,
+    /// Which methods should this key be allowed to call.
+    pub method_names: String,
+}
+
 #[derive(Serialize, Deserialize)]
 pub struct CreateAccountOptions {
     // Note: original structure contains other unrelated fields
     pub full_access_keys: Option<Vec<PublicKey>>,
+    pub limited_access_keys: Option<Vec<LimitedAccessKey>>,
 }
 
 #[allow(clippy::too_many_arguments)]
@@ -34,12 +48,20 @@ pub fn get_create_account_delegate_action(
     new_account_id: AccountId,
     new_account_recovery_pk: PublicKey,
     new_account_user_pk: PublicKey,
+    limited_user_account_pk: Option<PublicKey>,
     near_root_account: AccountId,
     nonce: Nonce,
     max_block_height: u64,
 ) -> anyhow::Result<DelegateAction> {
+    let limited_user_account_pk = limited_user_account_pk.map(|pk| LimitedAccessKey {
+        public_key: pk,
+        allowance: "0".to_string(), // Unlimited
+        receiver_id: AccountId::try_from("".to_string()).unwrap(), // TODO: replace with an actual account
+        method_names: "".to_string(),                              // Any method can called
+    });
     let create_acc_options = CreateAccountOptions {
         full_access_keys: Some(vec![new_account_user_pk, new_account_recovery_pk]),
+        limited_access_keys: limited_user_account_pk.map(|pk| vec![pk]),
     };
     let create_acc_action = Action::FunctionCall(FunctionCallAction {
         method_name: "create_account_advanced".to_string(),