feat: add governance-controlled machine whitelist system

cboh4 · cboh4 · commit 3f37c0d0a548 · 2025-10-08T14:28:16.000+03:00
Implements machine whitelist management through governance proposals with
antehandler validation. Machine IDs must be exactly 20 bytes and validated
against passed governance proposals.

Changes:
- Add MsgUpdateMachineWhitelistProposal for governance proposals
- Add MsgUpdateMachineWhitelist for executing approved whitelists
- Implement antehandler validation in CountTXDecorator
  - Queries governance module for proposal status
  - Validates machine IDs match proposal exactly (order preserved)
  - Rejects transactions if proposal not passed or IDs mismatch
- Add CLI command: update-machine-whitelist [proposal-id] [machine-ids-file]
  - Supports JSON file format with hex-encoded machine IDs
  - Validates each ID is 20 bytes
diff --git a/proto/secret/compute/v1beta1/msg.proto b/proto/secret/compute/v1beta1/msg.proto
@@ -31,6 +31,8 @@ service Msg {
   rpc UpgradeProposalPassed(MsgUpgradeProposalPassed) returns (MsgUpgradeProposalPassedResponse);
   rpc ContractGovernanceProposal(MsgContractGovernanceProposal) returns (MsgContractGovernanceProposalResponse);
   rpc SetContractGovernance(MsgSetContractGovernance) returns (MsgSetContractGovernanceResponse);
+  rpc UpdateMachineWhitelistProposal(MsgUpdateMachineWhitelistProposal) returns (MsgUpdateMachineWhitelistProposalResponse);
+  rpc UpdateMachineWhitelist(MsgUpdateMachineWhitelist) returns (MsgUpdateMachineWhitelistResponse);
 }
 
 message MsgStoreCode {
@@ -252,4 +254,30 @@ message MsgSetContractGovernance {
   string contract_address = 2;
 }
 
-message MsgSetContractGovernanceResponse {}
+message MsgSetContractGovernanceResponse {}
+
+message MsgUpdateMachineWhitelistProposal {
+  option (gogoproto.goproto_getters) = false;
+  option (cosmos.msg.v1.signer) = "authority";
+  option (amino.name) = "wasm/MsgUpdateMachineWhitelistProposal";
+
+  string authority = 1;
+  string title = 2;
+  string description = 3;
+  repeated bytes machine_ids = 4;
+}
+
+message MsgUpdateMachineWhitelistProposalResponse {}
+
+// Execution message - sent by anyone after proposal passes
+message MsgUpdateMachineWhitelist {
+  option (gogoproto.goproto_getters) = false;
+  option (cosmos.msg.v1.signer) = "sender";
+  option (amino.name) = "wasm/MsgUpdateMachineWhitelist";
+
+  string sender = 1;
+  uint64 proposal_id = 2;
+  repeated bytes machine_ids = 3;
+}
+
+message MsgUpdateMachineWhitelistResponse {}
diff --git a/x/compute/client/cli/tx.go b/x/compute/client/cli/tx.go
@@ -3,6 +3,7 @@ package cli
 import (
 	"context"
 	"encoding/hex"
+	"encoding/json"
 	"fmt"
 	"os"
 	"strconv"
@@ -644,3 +645,80 @@ Examples:
 	flags.AddTxFlagsToCmd(cmd)
 	return cmd
 }
+
+func UpdateMachineWhitelistCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "update-machine-whitelist [proposal-id] [machine-ids-file]",
+		Short: "Update machine whitelist after governance approval",
+		Long: `Execute machine whitelist update after governance proposal passes.
+Machine IDs must match the approved proposal exactly.
+
+Machine IDs file format (JSON):
+{
+  "machine_ids": [
+    "01507c9577896bc1afde972d67f1fd53af1a8da",
+    "a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6"
+  ]
+}
+
+Each machine ID must be exactly 20 bytes.`,
+		Args: cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			clientCtx, err := client.GetClientTxContext(cmd)
+			if err != nil {
+				return err
+			}
+
+			proposalID, err := strconv.ParseUint(args[0], 10, 64)
+			if err != nil {
+				return fmt.Errorf("invalid proposal ID: %w", err)
+			}
+
+			// Read machine IDs from file
+			machineIDs, err := readMachineIDsFromFile(args[1])
+			if err != nil {
+				return err
+			}
+
+			msg := &types.MsgUpdateMachineWhitelist{
+				Sender:     clientCtx.GetFromAddress().String(),
+				ProposalId: proposalID,
+				MachineIds: machineIDs,
+			}
+
+			return tx.GenerateOrBroadcastTxCLI(clientCtx, cmd.Flags(), msg)
+		},
+	}
+
+	flags.AddTxFlagsToCmd(cmd)
+	return cmd
+}
+
+func readMachineIDsFromFile(filename string) ([][]byte, error) {
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read file: %w", err)
+	}
+
+	var config struct {
+		MachineIDs []string `json:"machine_ids"`
+	}
+
+	if err := json.Unmarshal(data, &config); err != nil {
+		return nil, fmt.Errorf("failed to parse JSON: %w", err)
+	}
+
+	machineIDs := make([][]byte, len(config.MachineIDs))
+	for i, idHex := range config.MachineIDs {
+		id, err := hex.DecodeString(idHex)
+		if err != nil {
+			return nil, fmt.Errorf("invalid hex at index %d: %w", i, err)
+		}
+		if len(id) != 20 {
+			return nil, fmt.Errorf("machine ID at index %d must be 20 bytes, got %d", i, len(id))
+		}
+		machineIDs[i] = id
+	}
+
+	return machineIDs, nil
+}
diff --git a/x/compute/internal/keeper/ante.go b/x/compute/internal/keeper/ante.go
@@ -26,7 +26,10 @@ type CountTXDecorator struct {
 	storeService store.KVStoreService
 }
 
-const msgSoftwareUpgradeTypeURL = "/cosmos.upgrade.v1beta1.MsgSoftwareUpgrade"
+const (
+	msgSoftwareUpgradeTypeURL                = "/cosmos.upgrade.v1beta1.MsgSoftwareUpgrade"
+	msgUpdateMachineWhitelistProposalTypeURL = "/secret.compute.v1beta1.MsgUpdateMachineWhitelistProposal"
+)
 
 // NewCountTXDecorator constructor
 func NewCountTXDecorator(appcodec codec.Codec, govkeeper govkeeper.Keeper, storeService store.KVStoreService) *CountTXDecorator {
@@ -96,6 +99,14 @@ func (a CountTXDecorator) AnteHandle(ctx sdk.Context, tx sdk.Tx, simulate bool,
 				return ctx, err
 			}
 		}
+		msgUpdateWhitelist, ok := msg.(*types.MsgUpdateMachineWhitelist)
+		if ok {
+			err = a.validateUpdateMachineWhitelist(ctx, msgUpdateWhitelist)
+			if err != nil {
+				ctx.Logger().Error("*** update machine whitelist rejected: ", err.Error())
+				return ctx, err
+			}
+		}
 	}
 
 	return next(types.WithTXCounter(ctx, txCounter), tx, simulate)
@@ -113,6 +124,41 @@ func extractInfoFromProposalMessages(message *types1.Any, cdc codec.Codec) (stri
 	return softwareUpgradeMsg.Plan.Info, nil
 }
 
+func (a *CountTXDecorator) validateUpdateMachineWhitelist(ctx sdk.Context, msgUpdateWhitelist *types.MsgUpdateMachineWhitelist) error {
+	proposal, err := a.govkeeper.Proposals.Get(ctx, msgUpdateWhitelist.ProposalId) // just to ensure the proposal exists
+	if err != nil {
+		ctx.Logger().Error("*** proposal with such id %d not found: ", msgUpdateWhitelist.ProposalId, err.Error())
+		return err
+	}
+	if proposal.Status != govtypes.ProposalStatus_PROPOSAL_STATUS_PASSED {
+		return sdkerrors.ErrInvalidRequest.Wrapf("proposal with id %d not passed", msgUpdateWhitelist.ProposalId)
+	}
+	if len(proposal.Messages) != 1 {
+		return sdkerrors.ErrInvalidRequest.Wrapf("proposal with id %d has %d messages, expected exactly 1", msgUpdateWhitelist.ProposalId, len(proposal.Messages))
+	}
+	if proposal.Messages[0].GetTypeUrl() != msgUpdateMachineWhitelistProposalTypeURL {
+		return sdkerrors.ErrInvalidRequest.Wrapf("proposal with id %d is not of type MsgUpdateMachineWhitelist", msgUpdateWhitelist.ProposalId)
+	}
+
+	var updateMachineWhitelistProposalMsg *types.MsgUpdateMachineWhitelistProposal
+	err = a.appcodec.UnpackAny(proposal.Messages[0], &updateMachineWhitelistProposalMsg)
+	if err != nil {
+		ctx.Logger().Error("*** failed to unpack UpdateMachineWhitelist proposal message: ", err.Error())
+		return err
+	}
+
+	if len(msgUpdateWhitelist.MachineIds) != len(updateMachineWhitelistProposalMsg.MachineIds) {
+		return sdkerrors.ErrInvalidRequest.Wrapf("machine ids count %d does not match the proposal %d", len(msgUpdateWhitelist.MachineIds), len(updateMachineWhitelistProposalMsg.MachineIds))
+	}
+	// ensure the machine ids match the proposal exactly in order
+	for i, mid := range msgUpdateWhitelist.MachineIds {
+		if !bytes.Equal(mid, updateMachineWhitelistProposalMsg.MachineIds[i]) {
+			return sdkerrors.ErrInvalidRequest.Wrapf("machine id %s at position %d does not match the proposal", mid, i)
+		}
+	}
+	return nil
+}
+
 // verifyUpgradeProposal verifies the latest passed upgrade proposal to ensure the MREnclave hash matches.
 func (a *CountTXDecorator) verifyUpgradeProposal(ctx sdk.Context, msgUpgrade *types.MsgUpgradeProposalPassed) error {
 	var proposals govtypes.Proposals
diff --git a/x/compute/internal/keeper/msg_server.go b/x/compute/internal/keeper/msg_server.go
@@ -313,3 +313,41 @@ func (m msgServer) SetContractGovernance(goCtx context.Context, msg *types.MsgSe
 
 	return &types.MsgSetContractGovernanceResponse{}, nil
 }
+
+func (m msgServer) UpdateMachineWhitelistProposal(goCtx context.Context, msg *types.MsgUpdateMachineWhitelistProposal) (*types.MsgUpdateMachineWhitelistProposalResponse, error) {
+	ctx := sdk.UnwrapSDKContext(goCtx)
+
+	if err := msg.ValidateBasic(); err != nil {
+		return nil, err
+	}
+
+	// Verify sender has authority (only governance module)
+	if m.keeper.authority != msg.Authority {
+		return nil, errorsmod.Wrapf(govtypes.ErrInvalidSigner, "invalid authority; expected %s, got %s", m.keeper.authority, msg.Authority)
+	}
+
+	ctx.EventManager().EmitEvent(sdk.NewEvent(
+		types.EventTypeMachineWhitelistProposal,
+		sdk.NewAttribute("machine_count", fmt.Sprintf("%d", len(msg.MachineIds))),
+		sdk.NewAttribute(sdk.AttributeKeySender, msg.Authority),
+	))
+
+	return &types.MsgUpdateMachineWhitelistProposalResponse{}, nil
+}
+
+func (m msgServer) UpdateMachineWhitelist(goCtx context.Context, msg *types.MsgUpdateMachineWhitelist) (*types.MsgUpdateMachineWhitelistResponse, error) {
+	ctx := sdk.UnwrapSDKContext(goCtx)
+
+	if err := msg.ValidateBasic(); err != nil {
+		return nil, err
+	}
+
+	ctx.EventManager().EmitEvent(sdk.NewEvent(
+		types.EventTypeMachineWhitelistUpdate,
+		sdk.NewAttribute("proposal_id", fmt.Sprintf("%d", msg.ProposalId)),
+		sdk.NewAttribute("machine_count", fmt.Sprintf("%d", len(msg.MachineIds))),
+		sdk.NewAttribute(sdk.AttributeKeySender, msg.Sender),
+	))
+
+	return &types.MsgUpdateMachineWhitelistResponse{}, nil
+}
diff --git a/x/compute/internal/types/events.go b/x/compute/internal/types/events.go
@@ -17,6 +17,8 @@ const (
 	EventTypeUpdateContractAdmin        = "update_contract_admin"
 	EventTypeUpgradeProposalPassed      = "upgrade_proposal_passed"
 	EventTypeContractGovernanceProposal = "contract_governance_proposal"
+	EventTypeMachineWhitelistProposal   = "machine_whitelist_proposal"
+	EventTypeMachineWhitelistUpdate     = "machine_whitelist_update"
 )
 
 // event attributes returned from contract execution
diff --git a/x/compute/internal/types/msg.go b/x/compute/internal/types/msg.go
@@ -318,3 +318,82 @@ func (msg MsgSetContractGovernance) GetSigners() []sdk.AccAddress {
 	}
 	return []sdk.AccAddress{senderAddr}
 }
+
+func (msg MsgUpdateMachineWhitelistProposal) Route() string {
+	return RouterKey
+}
+
+func (msg MsgUpdateMachineWhitelistProposal) Type() string {
+	return "update-machine-whitelist-proposal"
+}
+
+func (msg MsgUpdateMachineWhitelistProposal) ValidateBasic() error {
+	if _, err := sdk.AccAddressFromBech32(msg.Authority); err != nil {
+		return errorsmod.Wrap(err, "invalid authority")
+	}
+
+	if len(msg.MachineIds) == 0 {
+		return errorsmod.Wrap(ErrEmpty, "machine_ids cannot be empty")
+	}
+
+	for i, id := range msg.MachineIds {
+		if len(id) != 20 {
+			return errorsmod.Wrapf(ErrInvalid,
+				"machine_id at index %d must be 20 bytes, got %d", i, len(id))
+		}
+	}
+
+	return nil
+}
+
+func (msg MsgUpdateMachineWhitelistProposal) GetSignBytes() []byte {
+	return sdk.MustSortJSON(ModuleCdc.MustMarshalJSON(&msg))
+}
+
+func (msg MsgUpdateMachineWhitelistProposal) GetSigners() []sdk.AccAddress {
+	addr, err := sdk.AccAddressFromBech32(msg.Authority)
+	if err != nil {
+		panic(err.Error())
+	}
+	return []sdk.AccAddress{addr}
+}
+
+func (msg MsgUpdateMachineWhitelist) Route() string {
+	return RouterKey
+}
+
+func (msg MsgUpdateMachineWhitelist) Type() string {
+	return "update-machine-whitelist"
+}
+
+func (msg MsgUpdateMachineWhitelist) ValidateBasic() error {
+	if _, err := sdk.AccAddressFromBech32(msg.Sender); err != nil {
+		return errorsmod.Wrap(err, "invalid sender address")
+	}
+
+	if msg.ProposalId == 0 {
+		return errorsmod.Wrap(sdkerrors.ErrInvalidRequest, "proposal ID cannot be zero")
+	}
+
+	if len(msg.MachineIds) == 0 {
+		return errorsmod.Wrap(sdkerrors.ErrInvalidRequest, "machine IDs cannot be empty")
+	}
+
+	// Validate each machine ID is exactly 20 bytes
+	for i, id := range msg.MachineIds {
+		if len(id) != 20 {
+			return errorsmod.Wrapf(sdkerrors.ErrInvalidRequest, "machine ID at index %d must be 20 bytes, got %d", i, len(id))
+		}
+	}
+
+	return nil
+}
+
+func (msg MsgUpdateMachineWhitelist) GetSignBytes() []byte {
+	return sdk.MustSortJSON(ModuleCdc.MustMarshalJSON(&msg))
+}
+
+func (msg MsgUpdateMachineWhitelist) GetSigners() []sdk.AccAddress {
+	addr, _ := sdk.AccAddressFromBech32(msg.Sender)
+	return []sdk.AccAddress{addr}
+}
diff --git a/x/compute/internal/types/msg.pb.go b/x/compute/internal/types/msg.pb.go

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,8 @@ const (`
`17`	`17`	`EventTypeUpdateContractAdmin = "update_contract_admin"`
`18`	`18`	`EventTypeUpgradeProposalPassed = "upgrade_proposal_passed"`
`19`	`19`	`EventTypeContractGovernanceProposal = "contract_governance_proposal"`
	`20`	`+ EventTypeMachineWhitelistProposal = "machine_whitelist_proposal"`
	`21`	`+ EventTypeMachineWhitelistUpdate = "machine_whitelist_update"`
`20`	`22`	`)`
`21`	`23`
`22`	`24`	`// event attributes returned from contract execution`