feat(tempo): add TIP-1049 admin access keys to KeyAuthorization #262
Merged
Add paired `account` and `isAdmin` fields to `KeyAuthorization` and its RPC/tuple representations, matching tempo's TIP-1049 wire format. The two fields are modeled as a OneOf union — either both are specified or neither — since they pair together to declare an admin access key with an explicit account binding (replay protection).

- `isAdmin`: encodes as RLP integer `1` (`0x01`) at trailing position 7. Any other marker value is a hard decode error.
- `account`: 20-byte address at trailing position 8 (TIP-1049 cross-account replay protection).
- `InvalidAdminMarkerError` thrown by `fromTuple` when the marker is present but not `0x01`.
- `from`, `fromRpc`, `toRpc`, `fromTuple`, `toTuple` updated to carry both fields end-to-end. `fromTuple` drops orphan wire shapes (only one of the two present) since the public API requires the pair.
- Unit tests cover round-trips, paired encoding/decoding, marker validation, and orphan tolerance.
- E2E test registers an admin access key via auth+use keychain envelope and verifies `isAdmin` + `account` survive the round trip through the node.

Amp-Thread-ID: https://ampcode.com/threads/T-019e6fa7-78d6-70ef-b9de-0cba0eaffcb0
ab0f15c to
0a6b192
Implements TIP-1049 (admin access keys) ox-side, matching the wire format in tempoxyz/tempo.
Summary
Adds two paired fields to `KeyAuthorization` that together declare an admin access key with an explicit account binding:
- `isAdmin: boolean` — encodes as RLP integer `1` (`0x01`) at trailing position 7. Any other marker value is a hard decode error (`InvalidAdminMarkerError`).
- `account: addressType` — 20-byte address at trailing position 8, providing TIP-1049 cross-account replay protection.

The two fields are modeled as a `OneOf` union — either both are specified or neither — since they conceptually pair together.
Wire layout
Built on the extensible `optionals` table from #260, so this PR adds two entries to `toTuple` and destructures two more slots in `fromTuple` — no structural changes.
Behaviour
- `from`, `fromRpc`) requires `account` + `isAdmin` together or neither — the type-level `OneOf` enforces it.
- `toTuple` emits both fields when present, omits both when absent (byte-equivalent to pre-TIP-1049).
- `fromTuple` tolerates orphan wire shapes (only one of the two fields on the wire) by dropping the orphan, since the public API requires the pair.
- `account`/`isAdmin` are included in the signing hash, so admin authorizations cannot be replayed against a different account that shares the same root key.
Depends on
Tests
- `src/tempo/KeyAuthorization.test.ts`): 11 new tests covering `from`/`toTuple`/`fromTuple`/`serialize`/`hash`/`toRpc`/`fromRpc` round-trips, paired encoding/decoding, marker validation, orphan tolerance.
- `src/tempo/e2e.test.ts`): registers an admin access key via auth+use keychain envelope against the localnet T6 image and verifies `isAdmin` + `account` survive the round trip through the node. Also covers the byte-equivalence check for the no-admin-pair case.

89/89 tempo-unit tests pass, 2/2 TIP-1049 e2e tests pass, types clean.
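The decode and encode rules described above for the two trailing slots, as an added sketch that is not part of this PR and not ox's code. The function names `decodeAdminPair` and `encodeAdminPair`, the treatment of `undefined` or `0x` as an absent slot, the malformed-account error, and checking the marker before dropping orphans are assumptions; `InvalidAdminMarkerError` is a local stand-in for the error named in the PR.

```typescript
// Added sketch, not ox's implementation. Slots are hex strings as they would
// look after RLP decoding; undefined or '0x' means "absent" (assumption).
type Hex = `0x${string}`
// Mirrors the OneOf pairing: both fields or neither.
type AdminPair =
  | { account: Hex; isAdmin: true }
  | { account?: undefined; isAdmin?: undefined }

// Local stand-in sharing the name used in the PR description.
class InvalidAdminMarkerError extends Error {
  constructor(marker: string) {
    super(`Invalid admin marker "${marker}": expected 0x01.`)
    this.name = 'InvalidAdminMarkerError'
  }
}

function present(slot?: Hex): slot is Hex {
  return slot !== undefined && slot !== '0x'
}

// marker = trailing position 7, account = trailing position 8.
function decodeAdminPair(marker?: Hex, account?: Hex): AdminPair {
  // A present marker other than 0x01 is a hard error. This sketch checks it
  // before the orphan rule so a bad marker never passes silently.
  if (present(marker) && marker !== '0x01')
    throw new InvalidAdminMarkerError(marker)
  // Orphan shapes (only one slot present) are dropped, not rejected.
  if (!present(marker) || !present(account)) return {}
  // Assumption: a malformed account is rejected with a plain Error.
  if (!/^0x[0-9a-fA-F]{40}$/.test(account))
    throw new Error(`account must be a 20-byte address, got ${account}`)
  return { account, isAdmin: true }
}

function encodeAdminPair(pair: AdminPair): Hex[] {
  // Emit both slots or neither, so the no-admin case adds no bytes.
  return pair.isAdmin === true ? ['0x01', pair.account] : []
}
```

Binding `account` into the signed payload is what stops an admin authorization from being replayed on another account that shares the root key, so a decoder that accepted a marker without its account would weaken that guarantee.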