Introduce more strongly typed SNatives and contract templates

[silasdavis]

This PR aims to address the issue of having many versions of the permissions contract in different places. Since eris-db is responsible for interpreting SNative calls it seems sensible that eris-db holds the defintion for SNatives. This PR:

• Introduces a more strongly typed (the functions themselves are still not strongly typed) SNative and contract definition
• Allows you to generate a permissions contract with comments that compiles and can be exported to other projects like smart contract bundles
• Adds a test for the permissions contract

It doesn't change the fundamentals of how SNatives work.

The permissions contract structure is built from the libraries' team's version: https://github.com/eris-ltd/eris-contract-bundles/blob/master/src/commons-auth/contracts/SecureNativeAuthorizations.sol which Jason linked me too which is nicely commented.

Outstanding for this is:

• Finalise what types we are going to use for the permissions function
• Possibly take opportunity to change the naming conventions as in Update keys in sNatives PermsMap to permit/improve sNatives access from Solidity #417
• Add a couple more unit tests

Once that is done then we can mechanical generate the solidity interface that we are advertising to clients and we can do this for any future SNatives (which is why I thought it was worth doing). By running:

vm.SNativeContracts()["permissions_contract"].Solidity()

Also note that the current version of snative.go on release-0.16 is missing a bracket in the signature.

fixes #498
fixes #418
fixes #417

[VoR0220]

Am in favor of changing the names. So yea...lets make this happen.

[silasdavis]

@VoR0220 Can we get some consensus on what the type signatures should actually be also?

[VoR0220]

@silasdavis i think i know what you mean but youre going to need to clarify. I think you mean solidity types. In which case there should be changes. For one, all ints should be uint64s to better align with golang. We should also contemplate switching from bytes32 to string as it could enable longer strings and dynamic ones at that.

[silasdavis]

What I need is a decision on:

• int or uint64 (sounds like uint64)
• bytes32 or string (sounds like bytes32)
• function name casing (sounds like camel case)
• The name of contract (and therefore its address)

These will be breaking changes, but seeing as it was already not working properly I think we are at liberty to make them if they improve the situation.

Here is the contract as currently defined in snatives.go:

/**
* Interface for managing Secure Native authorizations.
* @dev This Solidity interface describes the functions exposed by the SNative permissions layer in the Monax blockchain (ErisDB).
*/
contract permissions_contract {

/**
* @notice Removes a role from an account
* @param _account account
* @param _role role
* @return result whether role was removed
*/
function rm_role(address _account, bytes32 _role) constant returns (bool result);

/**
* @notice Sets a base authorization for an account
* @param _account account
* @param _authorization base authorization
* @param _value value of base authorization
* @return result value passed in
*/
function set_base(address _account, uint64 _authorization, uint64 _value) constant returns (bool result);

/**
* @notice Indicates whether an account has a base authorization
* @param _account account
* @param _authorization base authorization
* @return result whether account has base authorization set
*/
function has_base(address _account, uint64 _authorization) constant returns (bool result);

/**
* @notice Sets a base authorization for an account to the global (default) value of the base authorization
* @param _account account
* @param _authorization base authorization
* @return authorization base authorization passed in
*/
function unset_base(address _account, uint64 _authorization) constant returns (uint64 authorization);

/**
* @notice Sets global (default) value for a base authorization
* @param _account account
* @param _authorization base authorization
* @param _value value of base authorization
* @return authorization base authorization passed in
*/
function set_global(uint64 _authorization, uint64 _value) constant returns (uint64 authorization);

/**
* @notice Adds a role to an account
* @param _account account
* @param _role role
* @return result whether role was added
*/
function add_role(address _account, bytes32 _role) constant returns (bool result);

/**
* @notice Indicates whether an account has a role
* @param _account account
* @param _role role
* @return result whether account has role
*/
function has_role(address _account, bytes32 _role) constant returns (bool result);

}

[VoR0220]

let me play with turning it to string and get back to you later today. It may very well be worth it to send in a string instead of a bytes32 simply because a string can be longer than 32 bytes (why you would ever make a string like that, IDK, but the liberty is nice).

[VoR0220]

Thought we said camelCase?

[silasdavis]

Ah right yeah, I can do that, but it will involve a few more changes. Obviously just a search and replace job in Eris db so I can do it, but it got me to question the wisdom, will do it if you and Jason and Ben think it's good idea

[benjaminbollen]

Overall very nice work. I do want to raise the concern that the SNative should be (possible) without being Solidity specific. We can come back to this at a later point.

The idea with be to define the Args as LanguageUint64 etc rather than SolidityUint64; the templates should be solidity specific only imo

[benjaminbollen]

nice :)

[benjaminbollen]

Strictly speaking, should this not be an interface for which we have a Solidity implementation? The argument is that Solidity is not the only language that can access our Ethereum compatible secure native functions

[benjaminbollen]

Second thought / correction: SNativeFuncDescription should not become an interface as suggested above. Rather the SNative definition should be defined with LanguageTypes and the templating should be a package on itself, that produces the solidity code based on the mapping of LanguageType to SolidityType. We can raise this as an issue and proceed as is for now; the net gain in readability is sufficient for me.

[benjaminbollen]

Make that ProtoType rather than LanguageType

[benjaminbollen]

This should not panic, even if it would only be called on initialization;

[benjaminbollen]

Good on returning Zero256

[benjaminbollen]

Internally we treat roles as strings, but I agree that it is better and sufficient to type it strictly as bytes32; alternatively we should change our impl to treat it as Word256

[benjaminbollen]

LGTM. I have raised comments on the unpleasantness of infection of solidity into the evm/snatives; Talked with Silas and he will examine further; although he does not like to call it ProtoTypes :)

[silasdavis]

The latest commit:

• Refactors Solidity-specific code into a util package and introduces a templating wrapper, and some formatting improvements (like proper indenting)
• Introduces an abi package under evm to decouple Solidity types and calling conventions from those defined by Ethereum by way of the ABI (this can be one path to future expansion to support an ABI-aware chain more generally)
• Improves documentation and naming of variables on contract
• Changes the 'value' argument on set_* functions to be a bool as it should be
• Changes the return value of *set_* functions to be the resultant permission after the permission operation has applied (rather than echoing back the argument the caller passed in). This retains the primary purpose of the return value as a truthy call success flag.
• Reverts the returning of Zero256.Bytes() from Dispatch since error return values should be and are handled by the called (vm.go) here: https://github.com/eris-ltd/eris-db/blob/master/manager/eris-mint/evm/vm.go#L857. If there is an error return then zero is pushed to the stack by the vm so it can't have been the cause of some invalid jump dests observed. Since the existing snatives return nil I think it is confusing to break with go convention and return zero to the stack without clear semantics on what should be done in this error case.

[VoR0220]

Tried this out, works like a charm. Good work.

[VoR0220]

Reason for this?

[silasdavis]

I had a CI failure, timing here was a little tight anyway, also ugly, but pre-existing and we'll get around to that.

[VoR0220]

Should clarify in the notes below that this is an ABI for our SNative contracts. That it creates a binding from our native Go Code to Solidity and vice versa, and could further be extended to Java and whatever language the enterprise institutions want.

[VoR0220]

++

[VoR0220]

++

[VoR0220]

Needs Godoc documentation of what each of the parameters that are exported do.

[VoR0220]

Same here.

[VoR0220]

much better name ++

[VoR0220]

very nice.

[VoR0220]

Need to decide if we're going CamelCase Here...or mixedCase (as is Solidity convention).

[VoR0220]

permissions_contract or are we doing PermissionsContract? Either way I'm fine. Just clarifying.

[VoR0220]

Needs a couple of documentation changes and then its GTM.

[VoR0220]

Very approved. Merge away.

[silasdavis]

In for a penny, in for pound. Have changed case convention of permissions functions to camelCase. Also renamed permission contract to Permissions so the canonical address for it will have changed. Also automated testing a bit more.

The generated solidity for the permissions contract now looks like this:

/**
* Interface for managing Secure Native authorizations.
* @dev This interface describes the functions exposed by the SNative permissions layer in the Monax blockchain (ErisDB).
* @dev These functions can be accessed as if this contract were deployed at the address 0x0000000000000000005065726d697373696f6e73
*/
contract Permissions {
    /**
    * @notice Adds a role to an account
    * @param _account account address
    * @param _role role name
    * @return result whether role was added
    */
    function addRole(address _account, bytes32 _role) constant returns (bool result);

    /**
    * @notice Removes a role from an account
    * @param _account account address
    * @param _role role name
    * @return result whether role was removed
    */
    function removeRole(address _account, bytes32 _role) constant returns (bool result);

    /**
    * @notice Indicates whether an account has a role
    * @param _account account address
    * @param _role role name
    * @return result whether account has role
    */
    function hasRole(address _account, bytes32 _role) constant returns (bool result);

    /**
    * @notice Sets the permission flags for an account. Makes them explicitly set (on or off).
    * @param _account account address
    * @param _permission the base permissions flags to set for the account
    * @param _set whether to set or unset the permissions flags at the account level
    * @return result the resultant permissions flags on the account after the call
    */
    function setBase(address _account, uint64 _permission, bool _set) constant returns (uint64 result);

    /**
    * @notice Unsets the permissions flags for an account. Causes permissions being unset to fall through to global permissions.
    * @param _account account address
    * @param _permission the permissions flags to unset for the account
    * @return result the resultant permissions flags on the account after the call
    */
    function unsetBase(address _account, uint64 _permission) constant returns (uint64 result);

    /**
    * @notice Indicates whether an account has a subset of permissions set
    * @param _account account address
    * @param _permission the permissions flags (mask) to check whether enabled against base permissions for the account
    * @return result whether account has the passed permissions flags set
    */
    function hasBase(address _account, uint64 _permission) constant returns (uint64 result);

    /**
    * @notice Sets the global (default) permissions flags for the entire chain
    * @param _permission the permissions flags to set
    * @param _set whether to set (or unset) the permissions flags
    * @return result the resultant permissions flags on the account after the call
    */
    function setGlobal(uint64 _permission, bool _set) constant returns (uint64 result);
}

[benjaminbollen]

I would want a response on the Resultant Permissions and why we need it; other than than; let s ping products team on the change to the function names; needs to be updated in tooling too then

[benjaminbollen]

A comment is not unwelcome; but great! thx for adding this line

[silasdavis]

"TxCache implements vm.AppState", what sort of comment were you after?

[benjaminbollen]

optionally yes, it s not entirely obvious otherwise

[benjaminbollen]

this is not ok as a public function; It can encourage usage of it and it should be clear that effective permissions are those of the global permissions + delta of base permissions for that account. Why would we have this function?

[silasdavis]

If you want to see what permissions are set at the account level. Knowing effective permissions is also useful I agree.

[silasdavis]

Given that BasePermissions.Perms and BasePermissions.SetBit are both public fields I'd say this was arguably less obscure in meaning than those. Callers are allowed to interrogate account level permissions and global permissions separately.

[benjaminbollen]

Nice ! I like that you moved them to util; even better than having them in evm

[VoR0220]

If we're going to harden these, now would be the time to add a test for every permission. This way we can effectively gauge what parts are on the jobs failing and what parts are on e-db failing, atleast more easily...currently I'm having trouble deciphering this.

[benjaminbollen]

There are extensive unit tests in /manager/eris-mint/state/permissions_test.go that have been passing without failure

[VoR0220]

That's fine, but working directly on the EVM/SNative is not the same as going through the RPC (as we've seen with #477). I would recommend that there is atleast one of every RPC permission call type included in here and to ensure that they are passing.

[benjaminbollen]

BasePermissions.Set actually sets many bits at the same time; the comment is misleading and I thought wrong about it; this is good

[benjaminbollen]

LGTM