feat(sequencer)!: refactor authorization checks for use in mempool logic #1713
Conversation
Lilyjjo
changed the title
Lilyjjo
force-pushed
the
lilyjjo/transaction_auth_checks
branch
2 times, most recently
from
b9c4815
to
47982cc
Compare
There was a problem hiding this comment.
I have pretty big reservations about this change because it breaks away from the reason we merged check & execute in the first place (namely TOCTOU).
It's also a very large conceptual change change from how we execute transactions. This change does not seem motivated by fixing issues in the execution flow, but is driven by requirements of another component.
Finally, this change moves the state reads in the mempool yet again closer to full execution.
At this point, is there even a lot of extra steps left in check_and_execute that the extra logic in the mempool?
|
Is TOCTOU a problem here? We're running the same checks for authorization in both the mempool and in the There is a large overlap between the work that is being done during execution and work done in the mempool checks, I'm not sure how to get around that without re-introducing the TOCTOU issue. |
I partially misunderstood the PR then (because I misread the diff), but that makes my reservations stronger: While the mempool had a very limited subset of checks run in its early days, the fact that it starts to run more and more parts of the full execution pipeline is worrisome. How do you propose to keep the checks that are being run in both cases in sync? |
|
The auth code is still ran during execution, I just refactored it to a different method on the |
| async fn check_and_execute<S: StateWrite>(&self, mut state: S) -> Result<()> { | ||
| // Add the current signed transaction into the ephemeral state in case | ||
| // downstream actions require access to it. | ||
| // XXX: This must be deleted at the end of `check_stateful`. | ||
| let mut transaction_context = state.put_transaction_context(self); | ||
|
|
||
| // check authorization | ||
| self.check_authorization(&state, self.address_bytes()) |
There was a problem hiding this comment.
The authorization checks are still being ran during execution here @SuperFluffy
There was a problem hiding this comment.
This is the wrong place to call it. The ActionHandler for Transaction trait delegates to its inner actions.
The idea is that checks and executions are atomic on a per-action level.
This is not atomic and on top of it surprising: why is authorization handled at the transaction but not the action level?
There was a problem hiding this comment.
Ah, ok I see what you mean by calling it in the wrong place. I'll refactor it
I commented on that code. This is a TOCTOU issue which was flagged in an audit and subsequently addressed. Instead of doing the checks atomically this patch is reverting the logic to the status quo ante. It is incompatible with the execution design. |
Lilyjjo
force-pushed
the
lilyjjo/transaction_auth_checks
branch
from
a94356d
to
d1fba2f
Compare
|
@SuperFluffy, is this refactor closer to something that is in line with our execution design? I still refactored out the authority checks but this time I wrote it as a new handler similar to the It now runs the checks per-action inside of |
Summary
We want to be able to reject transactions from the mempool which have incorrect signers for authority actions. In the old code the authentication checks were mixed in with the action execution logic. This PR refactors the authentication checks out of the
ActionHandler::check_and_execute()and into a new handlerAuthenticationHandler(), similar to the already existingFeeHandler.Background
We'd like a way to fail transactions in the mempool's
handle_check_tx()that will not pass authorization checks.Changes
AuthenticationHandler.Actionin a transaction.IBCandIcs20Withdrawactions.Testing
Metrics
check_tx_duration_seconds_check_authorization.Breaking Changelist
Changelog
Updated changelog.