accoun
public entry fun revoke_signer_capability(account: &signer, to_be_revoked_address: address) acquires Account {
assert!(exists_at(to_be_revoked_address), error::not_found(EACCOUNT_DOES_NOT_EXIST));
+ permissioned_signer::assert_master_signer(account);
let addr = signer::address_of(account);
let account_resource = borrow_global<Account>(addr);
assert!(
@@ -1777,6 +1786,7 @@ Revoke any signer capability offer in the specified account.
public entry fun revoke_any_signer_capability(account: &signer) acquires Account {
+ permissioned_signer::assert_master_signer(account);
let account_resource = borrow_global_mut<Account>(signer::address_of(account));
option::extract(&mut account_resource.signer_capability_offer.for);
}
@@ -1804,9 +1814,10 @@ at the offerer's address.
public fun create_authorized_signer(account: &signer, offerer_address: address): signer acquires Account {
+ permissioned_signer::assert_master_signer(account);
assert!(exists_at(offerer_address), error::not_found(EOFFERER_ADDRESS_DOES_NOT_EXIST));
- // Check if there's an existing signer capability offer from the offerer.
+ // Check if there's an existing signer capability offer from the offerer.
let account_resource = borrow_global<Account>(offerer_address);
let addr = signer::address_of(account);
assert!(
@@ -2174,7 +2185,7 @@ Coin management methods.
Capability based functions for efficient use.
-public fun create_signer_with_capability(capability: &account::SignerCapability): signer
+public fun create_signer_with_capability(capability: &account::SignerCapability): signer
@@ -2183,8 +2194,8 @@ Capability based functions for efficient use.
Implementation
-public fun create_signer_with_capability(capability: &SignerCapability): signer {
- let addr = &capability.account;
+public fun create_signer_with_capability(capability: &SignerCapability): signer {
+ let addr = &capability.account;
create_signer(*addr)
}
@@ -2199,7 +2210,7 @@ Capability based functions for efficient use.
-public fun get_signer_capability_address(capability: &account::SignerCapability): address
+public fun get_signer_capability_address(capability: &account::SignerCapability): address
@@ -2208,8 +2219,8 @@ Capability based functions for efficient use.
Implementation
-public fun get_signer_capability_address(capability: &SignerCapability): address {
- capability.account
+public fun get_signer_capability_address(capability: &SignerCapability): address {
+ capability.account
}
@@ -2622,6 +2633,7 @@ The length of new_auth_key is 32.
let post account_resource = global<Account>(addr);
aborts_if !exists<Account>(addr);
aborts_if vector::length(new_auth_key) != 32;
+aborts_if permissioned_signer::spec_is_permissioned_signer(account);
modifies global<Account>(addr);
ensures account_resource.authentication_key == new_auth_key;
@@ -2644,6 +2656,7 @@ The length of new_auth_key is 32.
let post account_resource = global<Account>(addr);
aborts_if !exists<Account>(addr);
aborts_if vector::length(new_auth_key) != 32;
+aborts_if permissioned_signer::spec_is_permissioned_signer(account);
modifies global<Account>(addr);
ensures account_resource.authentication_key == new_auth_key;
@@ -2675,6 +2688,7 @@ The authentication scheme is ED25519_SCHEME and MULTI_ED25519_SCHEME
let addr = signer::address_of(account);
let account_resource = global<Account>(addr);
aborts_if !exists<Account>(addr);
+aborts_if permissioned_signer::spec_is_permissioned_signer(account);
// This enforces high-level requirement 6:
include from_scheme == ED25519_SCHEME ==> ed25519::NewUnvalidatedPublicKeyFromBytesAbortsIf { bytes: from_public_key_bytes };
aborts_if from_scheme == ED25519_SCHEME && ({
@@ -2739,7 +2753,8 @@ The authentication scheme is ED25519_SCHEME and MULTI_ED25519_SCHEME
-aborts_if !exists<Account>(rotation_cap_offerer_address);
+aborts_if permissioned_signer::spec_is_permissioned_signer(delegate_signer);
+aborts_if !exists<Account>(rotation_cap_offerer_address);
let delegate_address = signer::address_of(delegate_signer);
let offerer_account_resource = global<Account>(rotation_cap_offerer_address);
aborts_if !from_bcs::deserializable<address>(offerer_account_resource.authentication_key);
@@ -2798,6 +2813,7 @@ The authentication scheme is ED25519_SCHEME and MULTI_ED25519_SCHEME
source_address,
recipient_address,
};
+aborts_if permissioned_signer::spec_is_permissioned_signer(account);
aborts_if !exists<chain_id::ChainId>(@aptos_framework);
aborts_if !exists<Account>(recipient_address);
aborts_if !exists<Account>(source_address);
@@ -2880,7 +2896,8 @@ The authentication scheme is ED25519_SCHEME and MULTI_ED25519_SCHEME
-aborts_if !exists<Account>(to_be_revoked_address);
+aborts_if permissioned_signer::spec_is_permissioned_signer(account);
+aborts_if !exists<Account>(to_be_revoked_address);
let addr = signer::address_of(account);
let account_resource = global<Account>(addr);
aborts_if !exists<Account>(addr);
@@ -2904,7 +2921,8 @@ The authentication scheme is ED25519_SCHEME and MULTI_ED25519_SCHEME
-let addr = signer::address_of(account);
+aborts_if permissioned_signer::spec_is_permissioned_signer(account);
+let addr = signer::address_of(account);
modifies global<Account>(addr);
aborts_if !exists<Account>(addr);
let account_resource = global<Account>(addr);
@@ -2936,6 +2954,7 @@ The authentication scheme is ED25519_SCHEME and MULTI_ED25519_SCHEME.
source_address,
recipient_address,
};
+aborts_if permissioned_signer::spec_is_permissioned_signer(account);
aborts_if !exists<Account>(recipient_address);
aborts_if !exists<Account>(source_address);
include account_scheme == ED25519_SCHEME ==> ed25519::NewUnvalidatedPublicKeyFromBytesAbortsIf { bytes: account_public_key_bytes };
@@ -3019,7 +3038,8 @@ The Account existed under the signer.
The value of signer_capability_offer.for of Account resource under the signer is to_be_revoked_address.
-aborts_if !exists<Account>(to_be_revoked_address);
+aborts_if permissioned_signer::spec_is_permissioned_signer(account);
+aborts_if !exists<Account>(to_be_revoked_address);
let addr = signer::address_of(account);
let account_resource = global<Account>(addr);
aborts_if !exists<Account>(addr);
@@ -3042,6 +3062,7 @@ The value of signer_capability_offer.for of Account resource under the signer is
modifies global<Account>(signer::address_of(account));
+aborts_if permissioned_signer::spec_is_permissioned_signer(account);
// This enforces high-level requirement 7:
aborts_if !exists<Account>(signer::address_of(account));
let account_resource = global<Account>(signer::address_of(account));
@@ -3063,7 +3084,8 @@ The Account existed under the signer.
The value of signer_capability_offer.for of Account resource under the signer is offerer_address.
-// This enforces high-level requirement 8:
+aborts_if permissioned_signer::spec_is_permissioned_signer(account);
+// This enforces high-level requirement 8:
include AccountContainsAddr{
account,
address: offerer_address,
@@ -3223,6 +3245,8 @@ The value of signer_capability_offer.for of Account resource under the signer is
let source_addr = signer::address_of(source);
let resource_addr = spec_create_resource_address(source_addr, seed);
+let resource = create_signer::spec_create_signer(resource_addr);
+aborts_if permissioned_signer::spec_is_permissioned_signer(resource);
aborts_if len(ZERO_AUTH_KEY) != 32;
include exists_at(resource_addr) ==> CreateResourceAccountAbortsIf;
include !exists_at(resource_addr) ==> CreateAccountAbortsIf {addr: resource_addr};
@@ -3357,13 +3381,13 @@ The guid_creation_num of the Account is up to MAX_U64.
### Function `create_signer_with_capability`
-public fun create_signer_with_capability(capability: &account::SignerCapability): signer
+public fun create_signer_with_capability(capability: &account::SignerCapability): signer
-let addr = capability.account;
+let addr = capability.account;
ensures signer::address_of(result) == addr;
diff --git a/aptos-move/framework/aptos-framework/sources/account.move b/aptos-move/framework/aptos-framework/sources/account.move
index f0737306a67c6b..6f2c25e844d13b 100644
--- a/aptos-move/framework/aptos-framework/sources/account.move
+++ b/aptos-move/framework/aptos-framework/sources/account.move
@@ -9,6 +9,7 @@ module aptos_framework::account {
use aptos_framework::create_signer::create_signer;
use aptos_framework::event::{Self, EventHandle};
use aptos_framework::guid;
+ use aptos_framework::permissioned_signer;
use aptos_framework::system_addresses;
use aptos_std::ed25519;
use aptos_std::from_bcs;
@@ -288,6 +289,7 @@ module aptos_framework::account {
vector::length(&new_auth_key) == 32,
error::invalid_argument(EMALFORMED_AUTHENTICATION_KEY)
);
+ permissioned_signer::assert_master_signer(account);
let account_resource = borrow_global_mut(addr);
account_resource.authentication_key = new_auth_key;
}
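Review bot: `permissioned_signer::assert_master_signer(account);` is placed after the `new_auth_key` length assert here, while the offer_* hunks later in this file make it the first statement and the revoke_* hunks (`revoke_rotation_capability`, `revoke_signer_capability`) put it after the `exists_at` check. Consider hoisting the authorization check to the top of each of these functions so a non-master signer is rejected before any argument validation or global-state read, and so the abort callers observe for an unauthorized signer does not depend on the other inputs. The placement does not change which signers are ultimately rejected, only which abort surfaces first, assuming `assert_master_signer` aborts unconditionally for a permissioned signer as its name suggests. The enclosing function starts outside this hunk.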
@@ -340,6 +342,7 @@ module aptos_framework::account {
) acquires Account, OriginatingAddress {
let addr = signer::address_of(account);
assert!(exists_at(addr), error::not_found(EACCOUNT_DOES_NOT_EXIST));
+ permissioned_signer::assert_master_signer(account);
let account_resource = borrow_global_mut(addr);
// Verify the given `from_public_key_bytes` matches this account's current authentication key.
@@ -395,6 +398,7 @@ module aptos_framework::account {
new_public_key_bytes: vector,
cap_update_table: vector
) acquires Account, OriginatingAddress {
+ permissioned_signer::assert_master_signer(delegate_signer);
assert!(exists_at(rotation_cap_offerer_address), error::not_found(EOFFERER_ADDRESS_DOES_NOT_EXIST));
// Check that there exists a rotation capability offer at the offerer's account resource for the delegate.
@@ -454,6 +458,7 @@ module aptos_framework::account {
account_public_key_bytes: vector,
recipient_address: address,
) acquires Account {
+ permissioned_signer::assert_master_signer(account);
let addr = signer::address_of(account);
assert!(exists_at(recipient_address), error::not_found(EACCOUNT_DOES_NOT_EXIST));
@@ -522,6 +527,7 @@ module aptos_framework::account {
/// Revoke the rotation capability offer given to `to_be_revoked_recipient_address` from `account`
public entry fun revoke_rotation_capability(account: &signer, to_be_revoked_address: address) acquires Account {
assert!(exists_at(to_be_revoked_address), error::not_found(EACCOUNT_DOES_NOT_EXIST));
+ permissioned_signer::assert_master_signer(account);
let addr = signer::address_of(account);
let account_resource = borrow_global(addr);
assert!(
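Review bot: The doc comment on `revoke_rotation_capability` (`/// Revoke the rotation capability offer given to ...`) is not updated for the abort condition introduced by the new `permissioned_signer::assert_master_signer(account);` line; the same applies to the doc comments of `revoke_any_rotation_capability`, `revoke_signer_capability`, `revoke_any_signer_capability` and `create_authorized_signer` in this file. These are public entry points whose doc comments are rendered into the framework reference, so the new precondition should be visible there. A line such as `/// Aborts if the signer is a permissioned signer; only the account's master signer may revoke the offer.` beneath each existing description would do, with the "master signer" wording hedged to whatever `assert_master_signer` actually enforces. The enclosing function continues past the end of this hunk.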
@@ -533,6 +539,7 @@ module aptos_framework::account {
/// Revoke any rotation capability offer in the specified account.
public entry fun revoke_any_rotation_capability(account: &signer) acquires Account {
+ permissioned_signer::assert_master_signer(account);
let account_resource = borrow_global_mut(signer::address_of(account));
option::extract(&mut account_resource.rotation_capability_offer.for);
}
@@ -553,6 +560,7 @@ module aptos_framework::account {
account_public_key_bytes: vector,
recipient_address: address
) acquires Account {
+ permissioned_signer::assert_master_signer(account);
let source_address = signer::address_of(account);
assert!(exists_at(recipient_address), error::not_found(EACCOUNT_DOES_NOT_EXIST));
@@ -592,6 +600,7 @@ module aptos_framework::account {
/// has a signer capability offer from `account` but will be revoked in this function).
public entry fun revoke_signer_capability(account: &signer, to_be_revoked_address: address) acquires Account {
assert!(exists_at(to_be_revoked_address), error::not_found(EACCOUNT_DOES_NOT_EXIST));
+ permissioned_signer::assert_master_signer(account);
let addr = signer::address_of(account);
let account_resource = borrow_global(addr);
assert!(
@@ -603,6 +612,7 @@ module aptos_framework::account {
/// Revoke any signer capability offer in the specified account.
public entry fun revoke_any_signer_capability(account: &signer) acquires Account {
+ permissioned_signer::assert_master_signer(account);
let account_resource = borrow_global_mut(signer::address_of(account));
option::extract(&mut account_resource.signer_capability_offer.for);
}
@@ -610,6 +620,7 @@ module aptos_framework::account {
/// Return an authorized signer of the offerer, if there's an existing signer capability offer for `account`
/// at the offerer's address.
public fun create_authorized_signer(account: &signer, offerer_address: address): signer acquires Account {
+ permissioned_signer::assert_master_signer(account);
assert!(exists_at(offerer_address), error::not_found(EOFFERER_ADDRESS_DOES_NOT_EXIST));
// Check if there's an existing signer capability offer from the offerer.
diff --git a/aptos-move/framework/aptos-framework/sources/account.spec.move b/aptos-move/framework/aptos-framework/sources/account.spec.move
index 83d155ea8222b1..a476445307754a 100644
--- a/aptos-move/framework/aptos-framework/sources/account.spec.move
+++ b/aptos-move/framework/aptos-framework/sources/account.spec.move
@@ -199,6 +199,7 @@ spec aptos_framework::account {
let post account_resource = global(addr);
aborts_if !exists(addr);
aborts_if vector::length(new_auth_key) != 32;
+ aborts_if permissioned_signer::spec_is_permissioned_signer(account);
modifies global(addr);
ensures account_resource.authentication_key == new_auth_key;
}
@@ -209,6 +210,7 @@ spec aptos_framework::account {
let post account_resource = global(addr);
aborts_if !exists(addr);
aborts_if vector::length(new_auth_key) != 32;
+ aborts_if permissioned_signer::spec_is_permissioned_signer(account);
modifies global(addr);
ensures account_resource.authentication_key == new_auth_key;
}
@@ -258,6 +260,7 @@ spec aptos_framework::account {
let addr = signer::address_of(account);
let account_resource = global(addr);
aborts_if !exists(addr);
+ aborts_if permissioned_signer::spec_is_permissioned_signer(account);
/// [high-level-req-6.1]
include from_scheme == ED25519_SCHEME ==> ed25519::NewUnvalidatedPublicKeyFromBytesAbortsIf { bytes: from_public_key_bytes };
@@ -331,6 +334,7 @@ spec aptos_framework::account {
new_public_key_bytes: vector,
cap_update_table: vector
) {
+ aborts_if permissioned_signer::spec_is_permissioned_signer(delegate_signer);
aborts_if !exists(rotation_cap_offerer_address);
let delegate_address = signer::address_of(delegate_signer);
let offerer_account_resource = global(rotation_cap_offerer_address);
@@ -390,7 +394,7 @@ spec aptos_framework::account {
source_address,
recipient_address,
};
-
+ aborts_if permissioned_signer::spec_is_permissioned_signer(account);
aborts_if !exists(@aptos_framework);
aborts_if !exists(recipient_address);
aborts_if !exists(source_address);
@@ -445,6 +449,7 @@ spec aptos_framework::account {
recipient_address,
};
+ aborts_if permissioned_signer::spec_is_permissioned_signer(account);
aborts_if !exists(recipient_address);
aborts_if !exists(source_address);
@@ -504,6 +509,7 @@ spec aptos_framework::account {
/// The Account existed under the signer.
/// The value of signer_capability_offer.for of Account resource under the signer is to_be_revoked_address.
spec revoke_signer_capability(account: &signer, to_be_revoked_address: address) {
+ aborts_if permissioned_signer::spec_is_permissioned_signer(account);
aborts_if !exists(to_be_revoked_address);
let addr = signer::address_of(account);
let account_resource = global(addr);
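Review bot: The descriptive comments above `spec revoke_signer_capability` (`/// The Account existed under the signer.` and `/// The value of signer_capability_offer.for ...`) enumerate the abort conditions but do not mention the added `aborts_if permissioned_signer::spec_is_permissioned_signer(account);`; the same gap exists on the `spec create_authorized_signer` block later in this file. These comments are what the generated documentation presents as the "Aborts if" narrative for the function, so a reader of the docs would not learn about the new condition. Adding `/// The signer is not a permissioned signer.` alongside the existing lines keeps the prose and the formal conditions aligned. The spec block continues past the end of this hunk.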
@@ -515,6 +521,7 @@ spec aptos_framework::account {
spec revoke_any_signer_capability(account: &signer) {
modifies global(signer::address_of(account));
+ aborts_if permissioned_signer::spec_is_permissioned_signer(account);
/// [high-level-req-7.4]
aborts_if !exists(signer::address_of(account));
let account_resource = global(signer::address_of(account));
@@ -522,6 +529,7 @@ spec aptos_framework::account {
}
spec revoke_rotation_capability(account: &signer, to_be_revoked_address: address) {
+ aborts_if permissioned_signer::spec_is_permissioned_signer(account);
aborts_if !exists(to_be_revoked_address);
let addr = signer::address_of(account);
let account_resource = global(addr);
@@ -534,6 +542,7 @@ spec aptos_framework::account {
}
spec revoke_any_rotation_capability(account: &signer) {
+ aborts_if permissioned_signer::spec_is_permissioned_signer(account);
let addr = signer::address_of(account);
modifies global(addr);
aborts_if !exists(addr);
@@ -547,6 +556,7 @@ spec aptos_framework::account {
/// The Account existed under the signer.
/// The value of signer_capability_offer.for of Account resource under the signer is offerer_address.
spec create_authorized_signer(account: &signer, offerer_address: address): signer {
+ aborts_if permissioned_signer::spec_is_permissioned_signer(account);
/// [high-level-req-8]
include AccountContainsAddr{
account,
@@ -581,9 +591,13 @@ spec aptos_framework::account {
spec fun spec_create_resource_address(source: address, seed: vector): address;
spec create_resource_account(source: &signer, seed: vector): (signer, SignerCapability) {
+ use aptos_framework::create_signer;
let source_addr = signer::address_of(source);
let resource_addr = spec_create_resource_address(source_addr, seed);
+ let resource = create_signer::spec_create_signer(resource_addr);
+ aborts_if permissioned_signer::spec_is_permissioned_signer(resource);
+
aborts_if len(ZERO_AUTH_KEY) != 32;
include exists_at(resource_addr) ==> CreateResourceAccountAbortsIf;
include !exists_at(resource_addr) ==> CreateAccountAbortsIf {addr: resource_addr};