refactor(authority): adjust permissions to be more restrictive (#2542)

* change authorization

* changelogs

* fix permissions

* fix test permissions

* refactor addresses

* add query to check authorization

* format

* fix lint

Author: lumtis

changelog.md

@@ -65,6 +65,7 @@
 * [2428](https://github.com/zeta-chain/node/pull/2428) - propagate context across codebase & refactor zetacore client
 * [2464](https://github.com/zeta-chain/node/pull/2464) - move common voting logic to voting.go and add new function VoteOnBallot
 * [2515](https://github.com/zeta-chain/node/pull/2515) - replace chainName by chainID for ChainNonces indexing
+* [2542](https://github.com/zeta-chain/node/pull/2542) - adjust permissions to be more restrictive
 
 ### Tests
 

cmd/zetae2e/config/clients.go

@@ -13,6 +13,7 @@ import (
 	"google.golang.org/grpc"
 
 	"github.com/zeta-chain/zetacore/e2e/config"
+	authoritytypes "github.com/zeta-chain/zetacore/x/authority/types"
 	crosschaintypes "github.com/zeta-chain/zetacore/x/crosschain/types"
 	fungibletypes "github.com/zeta-chain/zetacore/x/fungible/types"
 	lightclienttypes "github.com/zeta-chain/zetacore/x/lightclient/types"
@@ -28,18 +29,30 @@ type E2EClients struct {
 	EvmAuth      *bind.TransactOpts
 
 	// the gRPC clients for ZetaChain
-	CctxClient     crosschaintypes.QueryClient
-	FungibleClient fungibletypes.QueryClient
-	AuthClient     authtypes.QueryClient
-	BankClient     banktypes.QueryClient
-	ObserverClient observertypes.QueryClient
-	LightClient    lightclienttypes.QueryClient
+	AuthorityClient authoritytypes.QueryClient
+	CctxClient      crosschaintypes.QueryClient
+	FungibleClient  fungibletypes.QueryClient
+	AuthClient      authtypes.QueryClient
+	BankClient      banktypes.QueryClient
+	ObserverClient  observertypes.QueryClient
+	LightClient     lightclienttypes.QueryClient
 
 	// the RPC clients for ZetaChain
 	ZevmClient *ethclient.Client
 	ZevmAuth   *bind.TransactOpts
 }
 
+// zetaChainClients contains all the RPC clients and gRPC clients for ZetaChain
+type zetaChainClients struct {
+	AuthorityClient authoritytypes.QueryClient
+	CctxClient      crosschaintypes.QueryClient
+	FungibleClient  fungibletypes.QueryClient
+	AuthClient      authtypes.QueryClient
+	BankClient      banktypes.QueryClient
+	ObserverClient  observertypes.QueryClient
+	LightClient     lightclienttypes.QueryClient
+}
+
 // getClientsFromConfig get clients from config
 func getClientsFromConfig(ctx context.Context, conf config.Config, account config.Account) (
 	E2EClients,
@@ -60,7 +73,7 @@ func getClientsFromConfig(ctx context.Context, conf config.Config, account confi
 	if err != nil {
 		return E2EClients{}, fmt.Errorf("failed to get evm client: %w", err)
 	}
-	cctxClient, fungibleClient, authClient, bankClient, observerClient, lightclientClient, err := getZetaClients(
+	zetaChainClients, err := getZetaClients(
 		conf.RPCs.ZetaCoreGRPC,
 	)
 	if err != nil {
@@ -72,18 +85,19 @@ func getClientsFromConfig(ctx context.Context, conf config.Config, account confi
 	}
 
 	return E2EClients{
-		BtcRPCClient:   btcRPCClient,
-		SolanaClient:   solanaClient,
-		EvmClient:      evmClient,
-		EvmAuth:        evmAuth,
-		CctxClient:     cctxClient,
-		FungibleClient: fungibleClient,
-		AuthClient:     authClient,
-		BankClient:     bankClient,
-		ObserverClient: observerClient,
-		LightClient:    lightclientClient,
-		ZevmClient:     zevmClient,
-		ZevmAuth:       zevmAuth,
+		BtcRPCClient:    btcRPCClient,
+		SolanaClient:    solanaClient,
+		EvmClient:       evmClient,
+		EvmAuth:         evmAuth,
+		AuthorityClient: zetaChainClients.AuthorityClient,
+		CctxClient:      zetaChainClients.CctxClient,
+		FungibleClient:  zetaChainClients.FungibleClient,
+		AuthClient:      zetaChainClients.AuthClient,
+		BankClient:      zetaChainClients.BankClient,
+		ObserverClient:  zetaChainClients.ObserverClient,
+		LightClient:     zetaChainClients.LightClient,
+		ZevmClient:      zevmClient,
+		ZevmAuth:        zevmAuth,
 	}, nil
 }
 
@@ -140,25 +154,29 @@ func getEVMClient(
 
 // getZetaClients get zeta clients
 func getZetaClients(rpc string) (
-	crosschaintypes.QueryClient,
-	fungibletypes.QueryClient,
-	authtypes.QueryClient,
-	banktypes.QueryClient,
-	observertypes.QueryClient,
-	lightclienttypes.QueryClient,
+	zetaChainClients,
 	error,
 ) {
 	grpcConn, err := grpc.Dial(rpc, grpc.WithInsecure())
 	if err != nil {
-		return nil, nil, nil, nil, nil, nil, err
+		return zetaChainClients{}, err
 	}
 
+	authorityClient := authoritytypes.NewQueryClient(grpcConn)
 	cctxClient := crosschaintypes.NewQueryClient(grpcConn)
 	fungibleClient := fungibletypes.NewQueryClient(grpcConn)
 	authClient := authtypes.NewQueryClient(grpcConn)
 	bankClient := banktypes.NewQueryClient(grpcConn)
 	observerClient := observertypes.NewQueryClient(grpcConn)
 	lightclientClient := lightclienttypes.NewQueryClient(grpcConn)
 
-	return cctxClient, fungibleClient, authClient, bankClient, observerClient, lightclientClient, nil
+	return zetaChainClients{
+		AuthorityClient: authorityClient,
+		CctxClient:      cctxClient,
+		FungibleClient:  fungibleClient,
+		AuthClient:      authClient,
+		BankClient:      bankClient,
+		ObserverClient:  observerClient,
+		LightClient:     lightclientClient,
+	}, nil
 }

cmd/zetae2e/config/config.go

@@ -32,6 +32,7 @@ func RunnerFromConfig(
 		account,
 		e2eClients.EvmClient,
 		e2eClients.ZevmClient,
+		e2eClients.AuthorityClient,
 		e2eClients.CctxClient,
 		e2eClients.FungibleClient,
 		e2eClients.AuthClient,

cmd/zetae2e/local/local.go

@@ -157,6 +157,9 @@ func localE2ETest(cmd *cobra.Command, _ []string) {
 	)
 	noError(err)
 
+	// set the authority client to the zeta tx server to be able to query message permissions
+	deployerRunner.ZetaTxServer.SetAuthorityClient(deployerRunner.AutorithyClient)
+
 	// wait for keygen to be completed
 	// if setup is skipped, we assume that the keygen is already completed
 	if !skipSetup {

e2e/e2etests/test_migrate_chain_support.go

@@ -68,9 +68,9 @@ func TestMigrateChainSupport(r *runner.E2ERunner, _ []string) {
 	// setup the gas token
 	require.NoError(r, err)
 	_, err = newRunner.ZetaTxServer.BroadcastTx(
-		utils.OperationalPolicyName,
+		utils.AdminPolicyName,
 		fungibletypes.NewMsgDeployFungibleCoinZRC20(
-			r.ZetaTxServer.MustGetAccountAddressFromName(utils.OperationalPolicyName),
+			r.ZetaTxServer.MustGetAccountAddressFromName(utils.AdminPolicyName),
 			"",
 			chainParams.ChainId,
 			18,
@@ -156,8 +156,8 @@ func TestMigrateChainSupport(r *runner.E2ERunner, _ []string) {
 
 	// whitelist erc20 zrc20
 	newRunner.Logger.Info("whitelisting ERC20 on new network")
-	res, err := newRunner.ZetaTxServer.BroadcastTx(utils.OperationalPolicyName, crosschaintypes.NewMsgWhitelistERC20(
-		r.ZetaTxServer.MustGetAccountAddressFromName(utils.OperationalPolicyName),
+	res, err := newRunner.ZetaTxServer.BroadcastTx(utils.AdminPolicyName, crosschaintypes.NewMsgWhitelistERC20(
+		r.ZetaTxServer.MustGetAccountAddressFromName(utils.AdminPolicyName),
 		newRunner.ERC20Addr.Hex(),
 		chains.Sepolia.ChainId,
 		"USDT",
@@ -203,6 +203,7 @@ func configureEVM2(r *runner.E2ERunner) (*runner.E2ERunner, error) {
 		r.Account,
 		r.EVMClient,
 		r.ZEVMClient,
+		r.AutorithyClient,
 		r.CctxClient,
 		r.FungibleClient,
 		r.AuthClient,

e2e/runner/runner.go

@@ -33,6 +33,7 @@ import (
 	"github.com/zeta-chain/zetacore/e2e/contracts/zevmswap"
 	"github.com/zeta-chain/zetacore/e2e/txserver"
 	"github.com/zeta-chain/zetacore/e2e/utils"
+	authoritytypes "github.com/zeta-chain/zetacore/x/authority/types"
 	crosschaintypes "github.com/zeta-chain/zetacore/x/crosschain/types"
 	fungibletypes "github.com/zeta-chain/zetacore/x/fungible/types"
 	lightclienttypes "github.com/zeta-chain/zetacore/x/lightclient/types"
@@ -65,6 +66,7 @@ type E2ERunner struct {
 	SolanaClient *rpc.Client
 
 	// grpc clients
+	AutorithyClient   authoritytypes.QueryClient
 	CctxClient        crosschaintypes.QueryClient
 	FungibleClient    fungibletypes.QueryClient
 	AuthClient        authtypes.QueryClient
@@ -140,6 +142,7 @@ func NewE2ERunner(
 	account config.Account,
 	evmClient *ethclient.Client,
 	zevmClient *ethclient.Client,
+	authorityClient authoritytypes.QueryClient,
 	cctxClient crosschaintypes.QueryClient,
 	fungibleClient fungibletypes.QueryClient,
 	authClient authtypes.QueryClient,
@@ -161,6 +164,7 @@ func NewE2ERunner(
 
 		ZEVMClient:        zevmClient,
 		EVMClient:         evmClient,
+		AutorithyClient:   authorityClient,
 		CctxClient:        cctxClient,
 		FungibleClient:    fungibleClient,
 		AuthClient:        authClient,

e2e/runner/setup_zeta.go

@@ -74,34 +74,35 @@ func (r *E2ERunner) SetZEVMContracts() {
 	}()
 
 	// deploy system contracts and ZRC20 contracts on ZetaChain
-	uniswapV2FactoryAddr, uniswapV2RouterAddr, zevmConnectorAddr, wzetaAddr, erc20zrc20Addr, err := r.ZetaTxServer.DeploySystemContractsAndZRC20(
+	addresses, err := r.ZetaTxServer.DeploySystemContractsAndZRC20(
 		e2eutils.OperationalPolicyName,
+		e2eutils.AdminPolicyName,
 		r.ERC20Addr.Hex(),
 	)
 	require.NoError(r, err)
 
 	// Set ERC20ZRC20Addr
-	r.ERC20ZRC20Addr = ethcommon.HexToAddress(erc20zrc20Addr)
+	r.ERC20ZRC20Addr = ethcommon.HexToAddress(addresses.ERC20zrc20Addr)
 	r.ERC20ZRC20, err = zrc20.NewZRC20(r.ERC20ZRC20Addr, r.ZEVMClient)
 	require.NoError(r, err)
 
 	// UniswapV2FactoryAddr
-	r.UniswapV2FactoryAddr = ethcommon.HexToAddress(uniswapV2FactoryAddr)
+	r.UniswapV2FactoryAddr = ethcommon.HexToAddress(addresses.UniswapV2FactoryAddr)
 	r.UniswapV2Factory, err = uniswapv2factory.NewUniswapV2Factory(r.UniswapV2FactoryAddr, r.ZEVMClient)
 	require.NoError(r, err)
 
 	// UniswapV2RouterAddr
-	r.UniswapV2RouterAddr = ethcommon.HexToAddress(uniswapV2RouterAddr)
+	r.UniswapV2RouterAddr = ethcommon.HexToAddress(addresses.UniswapV2RouterAddr)
 	r.UniswapV2Router, err = uniswapv2router.NewUniswapV2Router02(r.UniswapV2RouterAddr, r.ZEVMClient)
 	require.NoError(r, err)
 
 	// ZevmConnectorAddr
-	r.ConnectorZEVMAddr = ethcommon.HexToAddress(zevmConnectorAddr)
+	r.ConnectorZEVMAddr = ethcommon.HexToAddress(addresses.ZEVMConnectorAddr)
 	r.ConnectorZEVM, err = connectorzevm.NewZetaConnectorZEVM(r.ConnectorZEVMAddr, r.ZEVMClient)
 	require.NoError(r, err)
 
 	// WZetaAddr
-	r.WZetaAddr = ethcommon.HexToAddress(wzetaAddr)
+	r.WZetaAddr = ethcommon.HexToAddress(addresses.WZETAAddr)
 	r.WZeta, err = wzeta.NewWETH9(r.WZetaAddr, r.ZEVMClient)
 	require.NoError(r, err)
 
@@ -229,7 +230,7 @@ func (r *E2ERunner) SetupSOLZRC20() {
 func (r *E2ERunner) EnableHeaderVerification(chainIDList []int64) error {
 	r.Logger.Print("⚙️ enabling verification flags for block headers")
 
-	return r.ZetaTxServer.EnableHeaderVerification(e2eutils.OperationalPolicyName, chainIDList)
+	return r.ZetaTxServer.EnableHeaderVerification(e2eutils.AdminPolicyName, chainIDList)
 }
 
 // FundEmissionsPool funds the emissions pool on ZetaChain with the same value as used originally on mainnet (20M ZETA)