[vm-config] Remove script allowlist

matt-am · Jul 31, 2022 · e5b3acd · e5b3acd
1 parent abea67d
commit e5b3acd
Show file tree

Hide file tree

Showing 9 changed files with 9 additions and 66 deletions.
diff --git a/...ts_test__test_get_account_resources_returns_empty_array_for_account_has_no_resources.json b/...ts_test__test_get_account_resources_returns_empty_array_for_account_has_no_resources.json
@@ -298,8 +298,7 @@
   {
     "type": "0x1::transaction_publishing_option::TransactionPublishingOption",
     "data": {
-      "module_publishing_allowed": true,
-      "script_allow_list": []
+      "module_publishing_allowed": true
     }
   }
 ]
diff --git a/...ts_test__test_get_account_resources_returns_empty_array_for_account_has_no_resources.json b/...ts_test__test_get_account_resources_returns_empty_array_for_account_has_no_resources.json
@@ -417,8 +417,7 @@
       "generic_type_params": []
     },
     "data": {
-      "module_publishing_allowed": true,
-      "script_allow_list": []
+      "module_publishing_allowed": true
     }
   }
 ]
diff --git a/aptos-move/e2e-tests/src/executor.rs b/aptos-move/e2e-tests/src/executor.rs
@@ -118,10 +118,6 @@ impl FakeExecutor {
     /// publishing options given by `publishing_options`. These can only be either `Open` or
     /// `CustomScript`.
     pub fn from_genesis_with_options(publishing_options: VMPublishingOption) -> Self {
-        if !publishing_options.is_open_script() {
-            panic!("Allowlisted transactions are not supported as a publishing option")
-        }
-
         Self::custom_genesis(
             cached_framework_packages::module_blobs(),
             None,

diff --git a/aptos-move/e2e-testsuite/src/tests/verify_txn.rs b/aptos-move/e2e-testsuite/src/tests/verify_txn.rs
@@ -435,8 +435,7 @@ fn verify_simple_payment() {
 #[test]
 pub fn test_arbitrary_script_execution() {
     // create a FakeExecutor with a genesis from file
-    let mut executor =
-        FakeExecutor::from_genesis_with_options(VMPublishingOption::custom_scripts());
+    let mut executor = FakeExecutor::from_genesis_with_options(VMPublishingOption::locked());
     executor.set_golden_file(current_function_name!());
 
     // create an empty transaction
@@ -469,8 +468,7 @@ pub fn test_arbitrary_script_execution() {
 #[test]
 pub fn test_publish_from_aptos_root() {
     // create a FakeExecutor with a genesis from file
-    let mut executor =
-        FakeExecutor::from_genesis_with_options(VMPublishingOption::custom_scripts());
+    let mut executor = FakeExecutor::from_genesis_with_options(VMPublishingOption::locked());
     executor.set_golden_file(current_function_name!());
 
     // create a transaction trying to publish a new module.

diff --git a/aptos-move/framework/aptos-framework/sources/account.move b/aptos-move/framework/aptos-framework/sources/account.move
@@ -274,9 +274,8 @@ module aptos_framework::account {
         txn_max_gas_units: u64,
         txn_expiration_time: u64,
         chain_id: u8,
-        script_hash: vector<u8>,
+        _script_hash: vector<u8>,
     ) acquires Account {
-        assert!(transaction_publishing_option::is_script_allowed(&script_hash), error::invalid_state(PROLOGUE_ESCRIPT_NOT_ALLOWED));
         prologue_common(sender, txn_sequence_number, txn_public_key, txn_gas_price, txn_max_gas_units, txn_expiration_time, chain_id)
     }
 

diff --git a/aptos-move/framework/aptos-framework/sources/configs/transaction_publishing_option.move b/aptos-move/framework/aptos-framework/sources/configs/transaction_publishing_option.move
@@ -1,55 +1,33 @@
 /// This module defines a struct storing the publishing policies for the VM.
 module aptos_framework::transaction_publishing_option {
     use std::error;
-    use std::vector;
     use aptos_framework::timestamp;
     use aptos_framework::system_addresses;
     use aptos_framework::reconfiguration;
 
-    /// Defines and holds the publishing policies for the VM. There are three possible configurations:
-    /// 1. No module publishing, only allow-listed scripts are allowed.
-    /// 2. No module publishing, custom scripts are allowed.
-    /// 3. Both module publishing and custom scripts are allowed.
-    /// We represent these as the following resource.
+    /// Defines and holds the publishing policies for the VM.
     struct TransactionPublishingOption has key {
-        /// Only script hashes in the following list can be executed by the network. If the vector is empty, no
-        /// limitation would be enforced.
-        script_allow_list: vector<vector<u8>>,
         /// Anyone can publish new module if this flag is set to true.
         module_publishing_allowed: bool,
     }
 
     const ECONFIG: u64 = 1;
 
-    public fun initialize(
-        account: &signer,
-        script_allow_list: vector<vector<u8>>,
-        module_publishing_allowed: bool,
-    ) {
+    public fun initialize(account: &signer, module_publishing_allowed: bool) {
         timestamp::assert_genesis();
         system_addresses::assert_aptos_framework(account);
         assert!(!exists<TransactionPublishingOption>(@aptos_framework), error::already_exists(ECONFIG));
 
         move_to(
             account,
             TransactionPublishingOption{
-                script_allow_list,
                 module_publishing_allowed
             }
         );
     }
 
-    public fun is_script_allowed(script_hash: &vector<u8>): bool acquires TransactionPublishingOption {
-        if (vector::is_empty(script_hash)) return true;
-        let publish_option = borrow_global<TransactionPublishingOption>(@aptos_framework);
-        // allowlist empty = open publishing, anyone can send txes
-        vector::is_empty(&publish_option.script_allow_list)
-        || vector::contains(&publish_option.script_allow_list, script_hash)
-    }
-
     public fun is_module_allowed(): bool acquires TransactionPublishingOption {
         let publish_option = borrow_global<TransactionPublishingOption>(@aptos_framework);
-
         publish_option.module_publishing_allowed
     }
 

diff --git a/aptos-move/framework/aptos-framework/sources/genesis.move b/aptos-move/framework/aptos-framework/sources/genesis.move
@@ -24,7 +24,6 @@ module aptos_framework::genesis {
     fun initialize(
         core_resource_account: &signer,
         core_resource_account_auth_key: vector<u8>,
-        initial_script_allow_list: vector<vector<u8>>,
         is_open_module: bool,
         instruction_schedule: vector<u8>,
         native_schedule: vector<u8>,
@@ -92,7 +91,7 @@ module aptos_framework::genesis {
         );
 
         consensus_config::set(&aptos_framework_account, consensus_config);
-        transaction_publishing_option::initialize(&aptos_framework_account, initial_script_allow_list, is_open_module);
+        transaction_publishing_option::initialize(&aptos_framework_account, is_open_module);
 
         // This is testnet-specific configuration and can be skipped for mainnet.
         // Mainnet can call Coin::initialize<MainnetCoin> directly and give mint capability to the Staking module.
@@ -175,7 +174,6 @@ module aptos_framework::genesis {
         initialize(
             core_resource_account,
             x"0000000000000000000000000000000000000000000000000000000000000000",
-            vector::empty(),
             true,
             x"", // instruction_schedule not needed for unit tests
             x"", // native schedule not needed for unit tests

diff --git a/aptos-move/vm-genesis/src/lib.rs b/aptos-move/vm-genesis/src/lib.rs
@@ -195,14 +195,6 @@ fn create_and_initialize_main_accounts(
 ) {
     let aptos_root_auth_key = AuthenticationKey::ed25519(aptos_root_key);
 
-    let initial_allow_list = MoveValue::Vector(
-        publishing_option
-            .script_allow_list
-            .into_iter()
-            .map(|hash| MoveValue::vector_u8(hash.to_vec().into_iter().collect()))
-            .collect(),
-    );
-
     let genesis_gas_schedule = &INITIAL_COST_SCHEDULE;
     let instr_gas_costs = bcs::to_bytes(&genesis_gas_schedule.instruction_table)
         .expect("Failure serializing genesis instr gas costs");
@@ -234,7 +226,6 @@ fn create_and_initialize_main_accounts(
         serialize_values(&vec![
             MoveValue::Signer(account_config::aptos_root_address()),
             MoveValue::vector_u8(aptos_root_auth_key.to_vec()),
-            initial_allow_list,
             MoveValue::Bool(publishing_option.is_open_module),
             MoveValue::vector_u8(instr_gas_costs),
             MoveValue::vector_u8(native_gas_costs),

diff --git a/types/src/on_chain_config/vm_publishing_option.rs b/types/src/on_chain_config/vm_publishing_option.rs
@@ -2,7 +2,6 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use crate::on_chain_config::OnChainConfig;
-use aptos_crypto::HashValue;
 use serde::{Deserialize, Serialize};
 
 /// Defines and holds the publishing policies for the VM. There are three possible configurations:
@@ -13,39 +12,25 @@ use serde::{Deserialize, Serialize};
 /// publishing are mutually exclusive options.
 #[derive(Clone, Debug, Deserialize, PartialEq, Serialize)]
 pub struct VMPublishingOption {
-    pub script_allow_list: Vec<HashValue>,
     pub is_open_module: bool,
 }
 
 impl VMPublishingOption {
-    pub fn locked(allowlist: Vec<HashValue>) -> Self {
+    pub fn locked() -> Self {
         Self {
-            script_allow_list: allowlist,
-            is_open_module: false,
-        }
-    }
-
-    pub fn custom_scripts() -> Self {
-        Self {
-            script_allow_list: vec![],
             is_open_module: false,
         }
     }
 
     pub fn open() -> Self {
         Self {
-            script_allow_list: vec![],
             is_open_module: true,
         }
     }
 
     pub fn is_open_module(&self) -> bool {
         self.is_open_module
     }
-
-    pub fn is_open_script(&self) -> bool {
-        self.script_allow_list.is_empty()
-    }
 }
 
 impl OnChainConfig for VMPublishingOption {