Make OmniAccount derivation on chain verifiable (#3511)

Author: silva-fj

.gitignore

@@ -22,3 +22,5 @@ rococo-fork.json
 **/.env
 
 rust-analyzer.json
+
+*.local.md

parachain/pallets/omni-account/runtime-api/src/lib.rs

@@ -16,6 +16,15 @@
 
 #![cfg_attr(not(feature = "std"), no_std)]
 
+#[cfg(not(feature = "std"))]
+extern crate alloc;
+
+#[cfg(not(feature = "std"))]
+use alloc::string::String;
+
+#[cfg(feature = "std")]
+use std::string::String;
+
 use heima_primitives::Identity;
 use parity_scale_codec::Codec;
 
@@ -24,6 +33,6 @@ sp_api::decl_runtime_apis! {
 	where
 		AccountId: Codec,
 	{
-		fn omni_account(id: Identity) -> AccountId;
+		fn omni_account(client_id: String, id: Identity) -> AccountId;
 	}
 }

parachain/pallets/omni-account/src/lib.rs

@@ -16,6 +16,15 @@
 
 #![cfg_attr(not(feature = "std"), no_std)]
 
+#[cfg(not(feature = "std"))]
+extern crate alloc;
+
+#[cfg(not(feature = "std"))]
+use alloc::string::String;
+
+#[cfg(feature = "std")]
+use std::string::String;
+
 #[cfg(test)]
 mod mock;
 #[cfg(test)]
@@ -323,11 +332,12 @@ pub mod pallet {
 		#[pallet::weight((195_000_000, DispatchClass::Normal))]
 		pub fn create_account_store(
 			origin: OriginFor<T>,
+			client_id: String,
 			identity: Identity,
 		) -> DispatchResultWithPostInfo {
 			// initial creation request has to come from `TEECallOrigin`
 			let _ = T::TEECallOrigin::ensure_origin(origin)?;
-			let _ = Self::do_create_account_store(identity)?;
+			let _ = Self::do_create_account_store(identity, &client_id)?;
 			Ok(Pays::No.into())
 		}
 
@@ -449,16 +459,17 @@ pub mod pallet {
 		#[pallet::weight((195_000_000, DispatchClass::Normal))]
 		pub fn update_account_store_by_one(
 			origin: OriginFor<T>,
+			client_id: String,
 			who: Identity,
 			member_account: MemberAccount,
 		) -> DispatchResultWithPostInfo {
 			let _ = T::TEECallOrigin::ensure_origin(origin.clone())?;
 
-			let who_account = T::OmniAccountConverter::convert(&who);
+			let who_account = T::OmniAccountConverter::convert(&who, &client_id);
 
 			let mut member_accounts = match AccountStore::<T>::get(&who_account) {
 				Some(s) => s,
-				None => Self::do_create_account_store(who)?,
+				None => Self::do_create_account_store(who, &client_id)?,
 			};
 
 			if !member_accounts.contains(&member_account) {
@@ -556,18 +567,21 @@ pub mod pallet {
 		/// Given an `Identity`, get its derived OmniAccount:
 		/// - if the given Identity is a member Identity of some AccountStore, get its belonged OmniAccount
 		/// - directly derive it otherwise
-		pub fn omni_account(identity: Identity) -> T::AccountId {
+		pub fn omni_account(client_id: String, identity: Identity) -> T::AccountId {
 			let hash = identity.hash();
 			if let Some(account) = MemberAccountHash::<T>::get(hash) {
 				account
 			} else {
-				T::OmniAccountConverter::convert(&identity)
+				T::OmniAccountConverter::convert(&identity, &client_id)
 			}
 		}
 
-		fn do_create_account_store(identity: Identity) -> Result<MemberAccounts<T>, Error<T>> {
+		fn do_create_account_store(
+			identity: Identity,
+			client_id: &str,
+		) -> Result<MemberAccounts<T>, Error<T>> {
 			let hash = identity.hash();
-			let omni_account = T::OmniAccountConverter::convert(&identity);
+			let omni_account = T::OmniAccountConverter::convert(&identity, client_id);
 
 			ensure!(!MemberAccountHash::<T>::contains_key(hash), Error::<T>::AccountAlreadyAdded);
 			ensure!(

parachain/pallets/omni-account/src/mock.rs

@@ -33,6 +33,9 @@ use sp_runtime::{
 };
 use sp_std::marker::PhantomData;
 
+// Test client_id constant
+pub const TEST_CLIENT_ID: &str = "test_client";
+
 pub type Signature = sp_runtime::MultiSignature;
 pub type AccountId = <<Signature as Verify>::Signer as IdentifyAccount>::AccountId;
 pub type Balance = u64;
@@ -82,7 +85,7 @@ pub struct Accounts {
 fn create_accounts(keyring: AccountKeyring) -> Accounts {
 	let native_account = keyring.to_account_id();
 	let identity = Identity::from(native_account.clone());
-	Accounts { native_account, omni_account: identity.to_omni_account(), identity }
+	Accounts { native_account, omni_account: identity.to_omni_account("test_client"), identity }
 }
 
 pub fn alice() -> Accounts {

parachain/pallets/omni-account/src/tests.rs

@@ -66,6 +66,7 @@ fn create_account_store_works() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -83,7 +84,11 @@ fn create_account_store_works() {
 
 		// create it the second time will fail
 		assert_noop!(
-			OmniAccount::create_account_store(RuntimeOrigin::signed(tee_signer), alice().identity),
+			OmniAccount::create_account_store(
+				RuntimeOrigin::signed(tee_signer),
+				TEST_CLIENT_ID.to_string(),
+				alice().identity
+			),
 			Error::<Test>::AccountAlreadyAdded
 		);
 	});
@@ -120,6 +125,7 @@ fn add_account_works() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -217,6 +223,7 @@ fn add_account_with_already_linked_account_fails() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity.clone(),
 		));
 
@@ -251,6 +258,7 @@ fn add_account_with_already_linked_account_fails() {
 		// intent to create a new AccountStore with an account that is already added
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			charlie().identity,
 		));
 
@@ -284,6 +292,7 @@ fn add_account_store_len_limit_reached_works() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -332,6 +341,7 @@ fn remove_account_works() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -422,6 +432,7 @@ fn remove_account_empty_account_check_works() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -466,6 +477,7 @@ fn publicize_account_works() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity.clone(),
 		));
 
@@ -545,6 +557,7 @@ fn publicize_account_identity_not_found_works() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -586,6 +599,7 @@ fn request_intent_works() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity
 		));
 
@@ -636,6 +650,7 @@ fn dispatch_as_signed_works() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -676,6 +691,7 @@ fn dispatch_as_omni_account_increments_omni_account_nonce() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -705,6 +721,7 @@ fn dispatch_as_signed_account_increments_omni_account_nonce() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -730,6 +747,7 @@ fn ensure_permission_works() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -844,6 +862,7 @@ fn set_permissions_works() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -944,6 +963,7 @@ fn set_permissions_with_only_one_member_fails() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -972,6 +992,7 @@ fn set_permissions_with_no_member_with_default_permissions_fails() {
 
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -1015,12 +1036,12 @@ fn auth_token_requested_works() {
 
 		assert_ok!(OmniAccount::auth_token_requested(
 			RuntimeOrigin::signed(tee_signer.clone()),
-			alice().identity.to_omni_account(),
+			alice().identity.to_omni_account(""),
 			10
 		));
 
 		System::assert_last_event(
-			Event::AuthTokenRequested { who: alice().identity.to_omni_account(), expires_at: 10 }
+			Event::AuthTokenRequested { who: alice().identity.to_omni_account(""), expires_at: 10 }
 				.into(),
 		);
 	});
@@ -1034,6 +1055,7 @@ fn create_account_store_already_exists_fails() {
 		// Create account store with alice
 		assert_ok!(OmniAccount::create_account_store(
 			RuntimeOrigin::signed(tee_signer.clone()),
+			TEST_CLIENT_ID.to_string(),
 			alice().identity,
 		));
 
@@ -1058,7 +1080,11 @@ fn create_account_store_already_exists_fails() {
 		));
 
 		assert_noop!(
-			OmniAccount::create_account_store(RuntimeOrigin::signed(tee_signer), alice().identity),
+			OmniAccount::create_account_store(
+				RuntimeOrigin::signed(tee_signer),
+				TEST_CLIENT_ID.to_string(),
+				alice().identity
+			),
 			Error::<Test>::AccountStoreAlreadyExists
 		);
 	});

parachain/pallets/vc-management/src/tests.rs

@@ -355,7 +355,7 @@ fn on_vc_issued_works() {
 	new_test_ext().execute_with(|| {
 		let signer: SystemAccountId = get_signer(TEST8_SIGNER_PUB);
 		let alice: Identity = get_signer(ALICE_PUBKEY);
-		let omni_account = alice.to_omni_account();
+		let omni_account = alice.to_omni_account("");
 		assert_ok!(VCManagement::on_vc_issued(
 			RuntimeOrigin::signed(signer),
 			alice.clone(),