Skip to content

[VM2] Support authorization keys #5326

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Oct 6, 2025
Merged

[VM2] Support authorization keys #5326

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
6d69038
carry authorization keys to vm2
igor-casper Sep 24, 2025
a8110e0
fix compile error
igor-casper Sep 24, 2025
5920040
propagate keys to backend
igor-casper Sep 24, 2025
4671478
fmt
igor-casper Sep 24, 2025
783007e
fix tests
igor-casper Sep 25, 2025
d1776d3
fix regression test
igor-casper Sep 25, 2025
3a9bae8
Merge branch 'feat-2.1' into core-217
igor-casper Sep 29, 2025
5560807
address cr comments
igor-casper Sep 29, 2025
a812cba
fmt
igor-casper Sep 29, 2025
6b807ac
Merge branch 'feat-2.1' into core-217
igor-casper Sep 30, 2025
291446d
Merge branch 'feat-2.1' into core-217
igor-casper Oct 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion executor/wasm/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -379,6 +379,7 @@ impl ExecutorV2 {
.with_parent_block_hash(parent_block_hash)
.with_block_height(block_height)
.with_runtime_native_config(runtime_native_config)
.with_authorization_keys(BTreeSet::from_iter([initiator]))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should also support authorization keys in the installer

.build()
.map_err(InstallContractError::FailedBuildingExecuteRequest)?;

Expand Down Expand Up @@ -499,6 +500,7 @@ impl ExecutorV2 {
block_height,
sandboxed,
runtime_native_config,
authorization_keys,
} = execute_request;

let (entity_addr, source_purse) = get_purse_for_entity(&mut tracking_copy, caller_key)?;
Expand Down Expand Up @@ -577,6 +579,7 @@ impl ExecutorV2 {
block_info,
transaction_hash,
gas_limit,
authorization_keys.clone(),
);
}
EntityKind::SmartContract(ContractRuntimeTag::VmCasperV2) => {
Expand Down Expand Up @@ -686,6 +689,7 @@ impl ExecutorV2 {
block_info,
transaction_hash,
gas_limit,
authorization_keys,
);
}
Some(stored_value) => {
Expand Down Expand Up @@ -752,6 +756,7 @@ impl ExecutorV2 {
runtime_native_config,
parent_block_hash: parent_block_hash.inner().value(),
block_height,
authorization_keys,
};

// Check that the input argument size does not exceed the VM memory limit
Expand Down Expand Up @@ -887,11 +892,16 @@ impl ExecutorV2 {
block_info: BlockInfo,
transaction_hash: TransactionHash,
gas_limit: u64,
authorization_keys: BTreeSet<AccountHash>,
) -> Result<ExecuteResult, ExecuteError>
where
R: GlobalStateReader + 'static,
{
let authorization_keys = BTreeSet::from_iter([initiator]);
let authorization_keys = if authorization_keys.is_empty() {
BTreeSet::from_iter([initiator])
} else {
authorization_keys
};
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That seems unnecessary - wouldn't VM1 just take authorization keys, and handle the initiator case inside?

let initiator_addr = InitiatorAddr::AccountHash(initiator);
let executable_item =
ExecutableItem::Invocation(TransactionInvocationTarget::ByHash(entity_addr.value()));
Expand Down Expand Up @@ -1112,6 +1122,7 @@ impl Executor for ExecutorV2 {
.with_block_height(request.block_height)
.with_sandboxed(true) // Enable sandboxed mode
.with_runtime_native_config(runtime_native_config)
.with_authorization_keys(BTreeSet::from_iter([request.initiator]))
.build()
.map_err(|error| {
ExecuteError::InternalHost(InternalHostError::ExecuteRequestBuildFailure(error))
Expand Down
2 changes: 2 additions & 0 deletions executor/wasm/src/testing.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
use std::{
collections::BTreeSet,
env, fs,
path::{Path, PathBuf},
sync::Arc,
Expand Down Expand Up @@ -157,6 +158,7 @@ pub fn base_execute_builder(chainspec_config: &ChainspecConfig) -> ExecuteReques
.with_runtime_native_config(make_runtime_config(chainspec_config))
.with_parent_block_hash(BlockHash::new(Digest::hash(b"block1")))
.with_runtime_native_config(runtime_native_config)
.with_authorization_keys(BTreeSet::from_iter([*DEFAULT_ACCOUNT_HASH]))
}

pub fn make_runtime_config(chainspec_config: &ChainspecConfig) -> RuntimeNativeConfig {
Expand Down
11 changes: 10 additions & 1 deletion executor/wasm/tests/ee_966.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
use std::sync::Arc;
use std::{collections::BTreeSet, sync::Arc};

use bytes::Bytes;
use casper_execution_engine::engine_state::ExecutionEngineV1;
Expand Down Expand Up @@ -94,6 +94,7 @@ fn argument_size_exceeds_memory_limit() {
.with_block_height(1)
.with_parent_block_hash(BlockHash::new(Digest::hash(b"block1")))
.with_runtime_native_config(runtime_native_config)
.with_authorization_keys(BTreeSet::from_iter([*DEFAULT_ACCOUNT_HASH]))
.build()
.expect("should build");
let result = executor.execute_with_provider(state_root_hash, &global_state, execute_request);
Expand Down Expand Up @@ -135,6 +136,7 @@ fn should_run_ee_966_with_zero_min_and_zero_max_memory() {
.with_block_height(1)
.with_parent_block_hash(BlockHash::new(Digest::hash(b"block1")))
.with_runtime_native_config(runtime_native_config)
.with_authorization_keys(BTreeSet::from_iter([*DEFAULT_ACCOUNT_HASH]))
.build()
.expect("should build");

Expand Down Expand Up @@ -173,6 +175,7 @@ fn should_run_ee_966_cant_have_too_much_initial_memory() {
.with_block_height(1)
.with_parent_block_hash(BlockHash::new(Digest::hash(b"block1")))
.with_runtime_native_config(runtime_native_config)
.with_authorization_keys(BTreeSet::from_iter([*DEFAULT_ACCOUNT_HASH]))
.build()
.expect("should build");

Expand Down Expand Up @@ -217,6 +220,7 @@ fn should_run_ee_966_cant_have_too_much_max_memory() {
.with_block_height(1)
.with_parent_block_hash(BlockHash::new(Digest::hash(b"block1")))
.with_runtime_native_config(runtime_native_config)
.with_authorization_keys(BTreeSet::from_iter([*DEFAULT_ACCOUNT_HASH]))
.build()
.expect("should build");

Expand Down Expand Up @@ -261,6 +265,7 @@ fn should_run_ee_966_cant_have_way_too_much_max_memory() {
.with_block_height(1)
.with_parent_block_hash(BlockHash::new(Digest::hash(b"block1")))
.with_runtime_native_config(runtime_native_config)
.with_authorization_keys(BTreeSet::from_iter([*DEFAULT_ACCOUNT_HASH]))
.build()
.expect("should build");

Expand Down Expand Up @@ -305,6 +310,7 @@ fn should_run_ee_966_cant_have_larger_initial_than_max_memory() {
.with_block_height(1)
.with_parent_block_hash(BlockHash::new(Digest::hash(b"block1")))
.with_runtime_native_config(runtime_native_config)
.with_authorization_keys(BTreeSet::from_iter([*DEFAULT_ACCOUNT_HASH]))
.build()
.expect("should build");

Expand Down Expand Up @@ -354,6 +360,7 @@ fn should_run_ee_966_should_request_exactly_maximum_as_initial() {
.with_block_height(1)
.with_parent_block_hash(BlockHash::new(Digest::hash(b"block1")))
.with_runtime_native_config(runtime_native_config)
.with_authorization_keys(BTreeSet::from_iter([*DEFAULT_ACCOUNT_HASH]))
.build()
.expect("should build");

Expand Down Expand Up @@ -394,6 +401,7 @@ fn should_run_ee_966_should_request_exactly_maximum() {
.with_block_height(1)
.with_parent_block_hash(BlockHash::new(Digest::hash(b"block1")))
.with_runtime_native_config(runtime_native_config)
.with_authorization_keys(BTreeSet::from_iter([*DEFAULT_ACCOUNT_HASH]))
.build()
.expect("should build");

Expand Down Expand Up @@ -433,6 +441,7 @@ fn should_run_ee_966_regression_fail_when_growing_mem_past_max() {
.with_block_height(1)
.with_parent_block_hash(BlockHash::new(Digest::hash(b"block1")))
.with_runtime_native_config(runtime_native_config)
.with_authorization_keys(BTreeSet::from_iter([*DEFAULT_ACCOUNT_HASH]))
.build()
.expect("should build");

Expand Down
4 changes: 3 additions & 1 deletion executor/wasm_host/src/context.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
use std::sync::Arc;
use std::{collections::BTreeSet, sync::Arc};

use bytes::Bytes;
use casper_executor_wasm_interface::executor::Executor;
Expand Down Expand Up @@ -47,4 +47,6 @@ pub struct Context<S: GlobalStateReader, E: Executor> {
pub sandboxed: bool,
/// Runtime native config.
pub runtime_native_config: RuntimeNativeConfig,
/// Authorization keys for this execution.
pub authorization_keys: BTreeSet<AccountHash>,
}
4 changes: 4 additions & 0 deletions executor/wasm_host/src/host.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -934,6 +934,7 @@ pub fn casper_create<S: GlobalStateReader + 'static, E: Executor + 'static>(
.with_block_height(1) // TODO: Carry on block height
.with_parent_block_hash(BlockHash::new(Digest::from_raw([0; 32]))) // TODO: Carry on parent block hash
.with_runtime_native_config(caller.context().runtime_native_config.clone())
.with_authorization_keys(caller.context().authorization_keys.clone())
.build()
.map_err(InternalHostError::ExecuteRequestBuildFailure)?;

Expand Down Expand Up @@ -1084,6 +1085,7 @@ pub fn casper_system<S: GlobalStateReader + 'static, E: Executor + 'static>(
.with_block_height(1) // TODO: Carry on block height
.with_parent_block_hash(BlockHash::new(Digest::from_raw([0; 32]))) // TODO: Carry on parent block hash
.with_runtime_native_config(caller.context().runtime_native_config.clone())
.with_authorization_keys(caller.context().authorization_keys.clone())
.build()
.map_err(InternalHostError::ExecuteRequestBuildFailure)?;

Expand Down Expand Up @@ -1180,6 +1182,7 @@ pub fn casper_call<S: GlobalStateReader + 'static, E: Executor + 'static>(
.with_block_height(1) // TODO: Carry on block height
.with_parent_block_hash(BlockHash::new(Digest::from_raw([0; 32]))) // TODO: Carry on parent block hash
.with_runtime_native_config(caller.context().runtime_native_config.clone())
.with_authorization_keys(caller.context().authorization_keys.clone())
.build()
.map_err(InternalHostError::ExecuteRequestBuildFailure)?;

Expand Down Expand Up @@ -1568,6 +1571,7 @@ pub fn casper_upgrade<S: GlobalStateReader + 'static, E: Executor>(
.with_block_height(1) // TODO: Carry on block height
.with_parent_block_hash(BlockHash::new(Digest::from_raw([0; 32]))) // TODO: Carry on parent block hash
.with_runtime_native_config(caller.context().runtime_native_config.clone())
.with_authorization_keys(caller.context().authorization_keys.clone())
.build()
.map_err(InternalHostError::ExecuteRequestBuildFailure)?;

Expand Down
15 changes: 14 additions & 1 deletion executor/wasm_interface/src/executor.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
use std::sync::Arc;
use std::{collections::BTreeSet, sync::Arc};

use borsh::BorshSerialize;
use bytes::Bytes;
Expand Down Expand Up @@ -62,6 +62,8 @@ pub struct ExecuteRequest {
pub sandboxed: bool,
/// Runtime native config.
pub runtime_native_config: RuntimeNativeConfig,
/// Authorization keys for this execution.
pub authorization_keys: BTreeSet<AccountHash>,
}

/// Builder for `ExecuteRequest`.
Expand All @@ -82,6 +84,7 @@ pub struct ExecuteRequestBuilder {
block_height: Option<u64>,
sandboxed: Option<bool>,
runtime_native_config: Option<RuntimeNativeConfig>,
authorization_keys: Option<BTreeSet<AccountHash>>,
}

impl ExecuteRequestBuilder {
Expand Down Expand Up @@ -216,6 +219,12 @@ impl ExecuteRequestBuilder {
self
}

/// Set the authorization keys.
pub fn with_authorization_keys(mut self, authorization_keys: BTreeSet<AccountHash>) -> Self {
self.authorization_keys = Some(authorization_keys);
self
}

/// Build the `ExecuteRequest`.
pub fn build(self) -> Result<ExecuteRequest, &'static str> {
let initiator = self.initiator.ok_or("Initiator is not set")?;
Expand All @@ -239,6 +248,9 @@ impl ExecuteRequestBuilder {
let runtime_native_config = self
.runtime_native_config
.ok_or("Runtime native config not set")?;
let authorization_keys = self
.authorization_keys
.ok_or("Authorization keys are not set")?;
Ok(ExecuteRequest {
initiator,
caller_key,
Expand All @@ -255,6 +267,7 @@ impl ExecuteRequestBuilder {
block_height,
sandboxed,
runtime_native_config,
authorization_keys,
})
}
}
Expand Down
1 change: 1 addition & 0 deletions executor/wasmer_backend/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -519,6 +519,7 @@ where
runtime_native_config: data.context.runtime_native_config.clone(),
parent_block_hash: data.context.parent_block_hash,
block_height: data.context.block_height,
authorization_keys: data.context.authorization_keys.clone(),
}
}
}
Expand Down
7 changes: 6 additions & 1 deletion node/src/components/contract_runtime/operations/wasm_v2_request.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -306,7 +306,12 @@ impl WasmV2Request {

builder = builder.with_execution_kind(execution_kind);

let execute_request = builder.build().expect("should build");
let authorization_keys = transaction.signers();

let execute_request = builder
.with_authorization_keys(authorization_keys)
.build()
.expect("should build");

Ok(Self::Execute(execute_request))
}
Expand Down