TransationManifest::securify_unsecurified_entity & ProvisionalSecurifiedConfig

[CyonAlexRDX]

Preface

This should have been two PRs, sorry about that. It could have made sense for all the changes to be part of the same PR if I also implemented the SecurifyEntitiesManager - which I started doing because I'm bad at not-scope-creeping, but I did not wanna create yet another 6k LOC PR.

So two (somewhat distinct) changes this PR brings is:

1. TransactionManifest::securify_unsecurified_entity
2. Adds a provisional: Option<ProvisionalSecurifiedConfig> on UnsecurifiedEntityControl and SecurifiedEntityControl

Additional changes:

• Removed authentication_signing: Option<HierarchicalDeterministicFactorInstance> field on UnsecurifiedEntityControl
• Added authentication_signing_factor_instance: HierarchicalDeterministicFactorInstance field to SecurifiedEntityControl SecurityStructureOfFactorInstances

TransactionManifest::securify_unsecurified_entity

Resurrected impl From<Role> for ScryptoAccessRole (implemented by @0xOmarA ) from before #286 was merged (which temporarily removed this).

ProvisionalSecurifiedConfig

Once a user has selected some accounts and/or personas to securify with a new shield, those accounts should now retain the information that user wants to use some shield with them.

But the FactorInstancesProvider might not contain enough factors to securify all those accounts now. And user can always cancel derivation even if we try to derive more factors. **This means we cannot directly save SecurityStructureOfFactorInstances per account. **

So we start with saving the unique shield ID - SecurityStructureID associated with the accounts (or personas). This is the variant ShieldSelected(SecurityStructureID) of the new type ProvisionalSecurifiedConfig.

Then later when we were able to use the FactorInstanceProvider to provide factor instances for the SecurityStructureOfFactorSourceIds - identified by SecurityStructureID of ProvisionalSecurifiedConfig::ShieldSelected - we update the provisional state of all relevant entities in Profile
from: ProvisionalSecurifiedConfig::ShieldSelected
to: ProvisionalSecurifiedConfig::FactorInstancesDerived(SecurityStructureOfFactorInstances).

Later we might ask user to sign a batch of transaction. User might cancel, so we must support reminding user to batch sign these transaction later.

Later, once signed we update the provisional state of all relevant entities in Profile
from: ProvisionalSecurifiedConfig::FactorInstancesDerived
to: ProvisionalSecurifiedConfig::TransactionQueued(SecurityStructureOfFactorInstances, TXID).

I've put assertions on what is destructive / unsupported transitions:
FactorInstancesDerived(SecurityStructureOfFactorInstances) -> ShieldSelected is invalid for now, since those FactorInstance already have been deleted from the FactorInstancesCache so those factor instances would be lost, and we would have "gaps" in the derivation entity index - not the woooorst thing which can happen, but it makes Account Recovery Scan tricker in the future, since we would need to scan a broader range. So we should try to avoid creating such gaps. By "invalid for now" I mean this PR does not support it. But we can probably quite easily support this as a feature, by allowing us to "put instance back into the cache"!

Furthermore transitions from TransactionQueued to FactorInstancesDerived is not directly supported by set_provisional, I've exposed a dedicated method for it called cancel_queued_transaction, making it clear that we should first actually cancel the transaction and removed it from the queue, and then call account.entity_security_state.cancel_queued_transaction(..).

[codecov]

Codecov Report

Attention: Patch coverage is 95.68106% with 13 lines in your changes missing coverage. Please review.

Project coverage is 93.3%. Comparing base (0c5278b) to head (3ba71d3).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...a/secured_entity_control/secured_entity_control.rs	90.0%	4 Missing ⚠️
..._structures/matrices/matrix_of_factor_instances.rs	94.8%	2 Missing ⚠️
.../sargon/src/system/sargon_os/sargon_os_accounts.rs	0.0%	2 Missing ⚠️
crates/sargon/src/types/samples/persona_samples.rs	95.5%	2 Missing ⚠️
...100/entity_security_state/entity_security_state.rs	94.7%	1 Missing ⚠️
...l/manifest_building/manifests_access_controller.rs	93.7%	1 Missing ⚠️
...low_level/transaction_hashes/transaction_hashes.rs	0.0%	1 Missing ⚠️

Additional details and impacted files

@@          Coverage Diff           @@
##            main    #293    +/-   ##
======================================
  Coverage   93.2%   93.3%            
======================================
  Files       1104    1109     +5     
  Lines      23303   23528   +225     
  Branches      79      79            
======================================
+ Hits       21735   21955   +220     
- Misses      1553    1558     +5     
  Partials      15      15            

Flag	Coverage Δ
kotlin	97.1% <ø> (ø)
rust	92.8% <95.6%> (+<0.1%)	⬆️
swift	94.8% <100.0%> (-0.1%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...pple/Sources/Sargon/Protocols/EntityProtocol.swift	100.0% <100.0%> (ø)
crates/sargon/src/core/error/common_error.rs	93.3% <ø> (ø)
...ates/sargon/src/core/types/signatures/signature.rs	88.5% <100.0%> (+1.4%)	⬆️
...e/logic/profile_network/profile_network_details.rs	98.7% <100.0%> (+1.4%)	⬆️
...or_instance_level/role_into_scrypto_access_rule.rs	100.0% <100.0%> (ø)
..._factors/security_structure_of_factor_instances.rs	100.0% <100.0%> (ø)
...factors/security_structure_of_factor_source_ids.rs	100.0% <ø> (+13.3%)	⬆️
.../sargon/src/profile/v100/entity/account/account.rs	96.5% <100.0%> (+1.7%)	⬆️
...rgon/src/profile/v100/entity/has_security_state.rs	100.0% <100.0%> (ø)
.../sargon/src/profile/v100/entity/persona/persona.rs	99.3% <100.0%> (+<0.1%)	⬆️
... and 24 more

... and 1 file with indirect coverage changes

[CyonAlexRDX]

Alternatives to provisional:

• draft - discarded since it sounds like it is not "saved" or otherwise incomplete.
• pending - make it sound like it has been submitted to the network and waiting for a tx complete
• user_intention - some version of this might be ok.

Definition of provisional: "arranged or existing for the present, possibly to be changed later."

[giannis-rdx]

Temporal?

[Sajjon]

You mean temporary I think? Hmm temporary relates more to time, whereas I'm going for a term which relates more to step in a sequence of steps, which I feel is a little bit more precise. And "temporary" also has a meaning that after some time it is no longer relevant, whereas what is actually happening here is that it holds the state which will be the future state, so not at all temporary, just that we are note quite there yet.

[Sajjon]

I asked ChatGPT about the nuances of "temporal" vs "temporary"

[CyonAlexRDX]

Moved, and added authentication_signing_factor_instance: HierarchicalDeterministicFactorInstance,

[CyonAlexRDX]

also added new ctor with validation!

[micbakos-rdx]

Thank you

[CyonAlexRDX]

was not throwing, is now!

[CyonAlexRDX]

this 2 is threshold

[CyonAlexRDX]

@0xOmarA the RuleSet uses position (index) to determine which AccessRule is primary, recovery and confirmation? Because The values of the Enum seems to be the same?

        Enum<2u8>(
            Enum<1u8>(
                Array<Enum>(

for all three?

[0xOmarA]

It does indeed use the position to determine that since these are just arguments to the function.

[CyonAlexRDX]

we now have stricter validation so that we do not accidentally use Account factorinstances for Persona or vice versa.

[CyonAlexRDX]

small upgrade of impl we got from @0xOmarA some months ago.

[CyonAlexRDX]

this PR does not make use of this From for ScryptoRecoveryProposal

[GhenadieVP]

Nice work! Left some minor-ish comments.

[GhenadieVP]

Need to update the docs for the SecurityStructureOfFactorInstances as it is no more accurate.
@micbakos-rdx FYI, this will be used for ROLA signing.

[GhenadieVP]

maybe provisional_securified_configu

[Sajjon]

sure!

[GhenadieVP]

what does has_auth_signing_key mean? That it literally as a dedicated signing key or that there is some key for signing?

[Sajjon]

AuthorizedPersonaDetailed struct contains that field. Not sure we use it anywhere in hosts, but I did not wanna change that. And the assignment let has_auth_signing_key = persona.is_securified(); is correct. ALL Securified Entties has an auth signing factor. No Unsecurified has one.

[micbakos-rdx]

@CyonAlexRDX We discussed using transaction_signing factor instance when an entity is not securified. Doesn't that mean that has_auth_signing_key will always be true? Or does has_auth_signing_key mean like a true ROLA key?

[Sajjon]

does has_auth_signing_key mean like a true ROLA key?

YES. auth signing KeyKind/Instance == true ROLA

so rather has_auth_signing_key will always be false for unsecurified entities. But unsecurified entities can ofc proof-ownership (which it does using transaction_signing.)

I'm not sure this field is at all relevant. I think it might have been used by iOS behind DEBUG flag. So we should not put too much importance on this field.

[micbakos-rdx]

Thanks Alex, indeed it was used to disable the button that created the rola key for unsecurified entities (under debug ofc). Indeed unneeded.

[GhenadieVP]

This can happen quite easily if user updates a shield a second time before applying it. So most likely we will need to handle this, let's discuss in design session how to do it.

[GhenadieVP]

We do have a constants file

[Sajjon]

constants which have a "natural home" - should be put in a natural home I think. That is most Rusty I think. The constants file seems to contain mostly constants relating to GW?

[GhenadieVP]

well I agree, at the same time MINUTES_PER_DAY is very generic. Anyway, this is minor, we'll migrate in case there will be other components using this.

[Sajjon]

right, ok agreed, this should be moved, since it is common relating to time!

[GhenadieVP]

Why not all instances including authentication_signing?

[Sajjon]

good catch, this should have been unique_all_factor_instances, thx, will change

[micbakos-rdx]

Typo in will user

[micbakos-rdx]

@CyonAlexRDX We discussed using transaction_signing factor instance when an entity is not securified. Doesn't that mean that has_auth_signing_key will always be true? Or does has_auth_signing_key mean like a true ROLA key?