feat: Witnesser dispatch call filter #4001
Only calls that are allowed by the filter will be dispatched.
PRO-478 Witnesser Safe Mode with advanced recovery
When we turn witnessing back on, it should be possible to filter against the calls we want to allow. Not totally sure how to achieve this. Substrate has the FilterStack trait that might help here… (Needs some research)
Codecov Report
@@ Coverage Diff @@
## main #4001 +/- ##
======================================
- Coverage 72% 72% -0%
======================================
Files 368 369 +1
Lines 58484 58591 +107
Branches 58484 58591 +107
======================================
+ Hits 42327 42376 +49
- Misses 14060 14112 +52
- Partials 2097 2103 +6
... and 4 files with indirect coverage changes
Thanks for getting started on this @syan095.
I think the general approach of a top-level call filter is a good one.
However we can be more specific and narrow the filter down to only the calls that can be witnessed. There are some pallets in this implementation that don't have any witness calls (for example system), and others that are missing (funding for example).
The pallets that have witness origin calls are:
Non-instantiable:
- Governance (1 Call)
- Funding (3 Calls)
- Swapping (2 Calls)
Instantiable:
- Broadcast (1 Call)
- Chain Tracking (1 Call)
- Ingress/Egress (3 Calls)
- Vaults (2 Calls)
Ideally I think we should be able to have as fine-grained control as possible.
For example, if we want to allow everything except bitcoin ingress, we should be able to configure this.
To start with, I think a per-pallet filter is enough.
Then we can add support for instantiable pallets.
Then we can add support for individual calls.
Cool - good to know. I didn't go into too much detail, I wanted to make sure the general approach was feasible at first.
Added a unit test for the call filter system.
LGTM - the only minor thing I'd like to change is to put all the ChainflipCodeFilter code in its own module. The chainflip.rs file is already pretty crowded.
Thanks.
@@ -352,7 +376,7 @@ pub mod pallet { | |||
if let Some(mut extra_data) = ExtraCallData::<T>::get(epoch_index, call_hash) { | |||
call.combine_and_inject(&mut extra_data) | |||
} | |||
if T::SafeMode::get().witness_calls_enabled { | |||
if T::CallDispatchFilter::should_dispatch(&call) { |
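Review bot: the final condition, `T::CallDispatchFilter::should_dispatch(&call)`, appears where `T::SafeMode::get().witness_calls_enabled` was checked, and nothing in this hunk shows the filter consulting safe mode. If the filter is meant to subsume the safe-mode flag, state that in a doc comment on `should_dispatch` and add a test that no call is dispatched while witnessing is disabled; otherwise keep both checks, e.g. `if T::SafeMode::get().witness_calls_enabled && T::CallDispatchFilter::should_dispatch(&call) {`.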
This doesn't seem right - it ignores the safe mode?
I think it makes sense to combine the WitnesserCallPermission and CallDispatchFilter.
If we change the trait definition to take &self, then we can impl CallDispatchFilter for WitnesserCallPermission, and we don't need to inject so many items via the witnesser config. I think this will make it a bit easier to follow.
Ahh good idea!
LGTM, thanks. I just added a small refactor, decoupling the WitnesserCallPermission from safe mode.
Co-authored-by: Daniel <daniel@chainflip.io> Co-authored-by: dandanlen <3168260+dandanlen@users.noreply.github.com>
Pull Request
Closes: PRO-478
Checklist
Please conduct a thorough self-review before opening the PR.
Summary
Add dispatch call filter for Witnesser pallet.
This is part of the Safe Mode for the witnessed pallet.
Only calls that pass the filter are dispatched. Others are kept in the Queue until full recovery.
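
The behaviour summarised above, combined with the review suggestion of a per-pallet filter whose trait method takes &self, as an added sketch in plain Rust (no Substrate); it is not the PR's code. Only the names CallDispatchFilter, WitnesserCallPermission and should_dispatch come from the thread; the Call and Chain enums, the permission fields and process_queue are assumptions made for illustration.

```rust
// Added illustration, not the PR's code. Call, Chain, the permission fields and
// process_queue are hypothetical; only the trait/struct/method names are from the PR.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Chain { Ethereum, Bitcoin }

#[derive(Debug, Clone, PartialEq)]
pub enum Call { Governance, Funding, Swapping, IngressEgress(Chain), Vaults(Chain) }

pub trait CallDispatchFilter {
    fn should_dispatch(&self, call: &Call) -> bool;
}

/// Per-pallet switches. `Default` is all-false, so an unset permission
/// fails closed and nothing is dispatched.
#[derive(Debug, Default, Clone)]
pub struct WitnesserCallPermission {
    pub governance: bool,
    pub funding: bool,
    pub swapping: bool,
    pub ethereum_ingress_egress: bool,
    pub bitcoin_ingress_egress: bool,
    pub vaults: bool,
}

impl CallDispatchFilter for WitnesserCallPermission {
    fn should_dispatch(&self, call: &Call) -> bool {
        match call {
            Call::Governance => self.governance,
            Call::Funding => self.funding,
            Call::Swapping => self.swapping,
            Call::IngressEgress(Chain::Ethereum) => self.ethereum_ingress_egress,
            Call::IngressEgress(Chain::Bitcoin) => self.bitcoin_ingress_egress,
            Call::Vaults(_) => self.vaults,
        }
    }
}

/// Returns the calls that pass the filter; the others stay queued, in order.
pub fn process_queue(filter: &impl CallDispatchFilter, queue: &mut Vec<Call>) -> Vec<Call> {
    let (dispatched, held): (Vec<Call>, Vec<Call>) =
        queue.drain(..).partition(|c| filter.should_dispatch(c));
    *queue = held;
    dispatched
}

fn main() {
    let permission = WitnesserCallPermission { funding: true, ..Default::default() };
    let mut queue = vec![Call::Funding, Call::IngressEgress(Chain::Bitcoin)]; // constructed sample
    let dispatched = process_queue(&permission, &mut queue);
    println!("dispatched {:?}, still queued {:?}", dispatched, queue);
}
```

Because the match is exhaustive, adding a new witnessable call variant fails to compile until a permission is assigned to it.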