You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, anybody can submit a trusted operation and as long as it has a valid signature, it is accepted because we omit checking the signer field as can be seen here:
So for the trusted getters this is probably fine currently, as you need to know the actor ID to get your result (if this is an unacceptable privacy leak now, we have to derive a concept to map a trusted account to an actor ID and implement a lookup table in the trusted getter). But the pay-as-bid command needs to a privileged call, we don't want that anybody can execute this command. So this solve this, I suggest the following.
With the mnemonic you get from subkey write some lines of rust code to print the corresponding byte array of the account id:
use sp_core::{sr25519,Pair};// Don't ever commit the code containing the actual mnemonic. It would be safer to get this from some environment variable, but // as this is only a one time setup, I suggest that you are simply careful. :)let oli_sudo_pair = sr25519::Pair::from_phrase("<mnemonic-from-subkey>",None).unwrap();println!("{:?}", oli_sudo_pair.0.public().to_vec());
/// Oli Sudo account id that has been obtained by/// ```/// use sp_core::{sr25519, Pair};////// let oli_sudo = sr25519::Pair::from_phrase(<mnemonic-from-subkey>, None).unwrap();/// println!("{:?}", oli_sudo.0.public().to_vec());/// assert_eq!(OLI_SUDO, oli_sudo.0.public().into())/// ```pubconstOLI_SUDO:AccountId = AccountId::new([<byte-array that has been printed above>]);fnis_oli_sudo(account:&AccountId) -> bool{
account_id == &OLI_SUDO}
Currently, anybody can submit a trusted operation and as long as it has a valid signature, it is accepted because we omit checking the signer field as can be seen here:
BEST-Energy/app-libs/stf/src/trusted_call.rs
Line 280 in b1bd9aa
So for the trusted getters this is probably fine currently, as you need to know the actor ID to get your result (if this is an unacceptable privacy leak now, we have to derive a concept to map a trusted account to an actor ID and implement a lookup table in the trusted getter). But the
pay-as-bidcommand needs to a privileged call, we don't want that anybody can execute this command. So this solve this, I suggest the following.First you create your oli key with privileged rights. I suggest using https://crates.io/crates/subkey.
Then store the mnemonic somewhere safe, and hardcode the corresponding account id into the source code, analogous to what we have done for a demo here: https://github.com/integritee-network/worker/blob/46515c7dd1fb5875390f8c1a2c062120195e4dd3/core/parentchain/indirect-calls-executor/src/indirect_calls/transfer_to_alice_shields_funds.rs
Steps:
BEST-Energy/app-libs/stf/src/trusted_call.rs
Line 280 in b1bd9aa
Then instead of executing the commands with
./integritee-cli pay-as-bid ... //Aliceyou have to use./integritee-cli pay-as-bid ... <mnemonic>The text was updated successfully, but these errors were encountered: