chore: added new rpc for marking delegation as revoked

Author: hanzel98

packages/gator-permissions-snap/src/index.ts

@@ -139,6 +139,7 @@ const profileSyncManager = createProfileSyncManager({
       storage: profileSyncOptions.keyStorageOptions,
     },
   ),
+  ethereumProvider: ethereum,
 });
 
 const userEventDispatcher = new UserEventDispatcher();
@@ -187,6 +188,9 @@ const boundRpcHandlers: {
     rpcHandler.getPermissionOffers.bind(rpcHandler),
   [RpcMethod.PermissionsProviderGetGrantedPermissions]:
     rpcHandler.getGrantedPermissions.bind(rpcHandler),
+  [RpcMethod.PermissionProviderSubmitRevocation]: async (
+    params?: JsonRpcParams,
+  ) => rpcHandler.submitRevocation(params as Json),
 };
 
 /**

packages/gator-permissions-snap/src/profileSync/profileSync.ts

@@ -21,6 +21,7 @@ import {
   LimitExceededError,
   ParseError,
   UnsupportedMethodError,
+  type SnapsEthereumProvider,
 } from '@metamask/snaps-sdk';
 import { z } from 'zod';
 
@@ -31,6 +32,7 @@ const MAX_STORAGE_SIZE_BYTES = 400 * 1024; // 400kb limit as documented
 const zStoredGrantedPermission = z.object({
   permissionResponse: zPermissionResponse,
   siteOrigin: z.string().min(1, 'Site origin cannot be empty'),
+  isRevoked: z.boolean().default(false),
 });
 
 /**
@@ -100,17 +102,32 @@ export type ProfileSyncManager = {
   storeGrantedPermissionBatch: (
     storedGrantedPermission: StoredGrantedPermission[],
   ) => Promise<void>;
+  updatePermissionRevocationStatus: (
+    permissionContext: Hex,
+    isRevoked: boolean,
+  ) => Promise<void>;
+  updatePermissionRevocationStatusWithPermission: (
+    existingPermission: StoredGrantedPermission,
+    isRevoked: boolean,
+  ) => Promise<void>;
+  checkDelegationDisabledOnChain: (
+    delegationHash: Hex,
+    chainId: Hex,
+    delegationManagerAddress: Hex,
+  ) => Promise<boolean>;
 };
 
 export type StoredGrantedPermission = {
   permissionResponse: PermissionResponse;
   siteOrigin: string;
+  isRevoked: boolean;
 };
 
 export type ProfileSyncManagerConfig = {
   auth: JwtBearerAuth;
   userStorage: UserStorage;
   isFeatureEnabled: boolean;
+  ethereumProvider: SnapsEthereumProvider;
 };
 
 /**
@@ -122,7 +139,7 @@ export function createProfileSyncManager(
   config: ProfileSyncManagerConfig,
 ): ProfileSyncManager {
   const FEATURE = 'gator_7715_permissions';
-  const { auth, userStorage, isFeatureEnabled } = config;
+  const { auth, userStorage, isFeatureEnabled, ethereumProvider } = config;
   const unConfiguredProfileSyncManager = {
     getAllGrantedPermissions: async () => {
       logger.debug('unConfiguredProfileSyncManager.getAllGrantedPermissions()');
@@ -143,6 +160,25 @@ export function createProfileSyncManager(
         'unConfiguredProfileSyncManager.storeGrantedPermissionBatch()',
       );
     },
+    updatePermissionRevocationStatus: async (_: Hex, __: boolean) => {
+      logger.debug(
+        'unConfiguredProfileSyncManager.updatePermissionRevocationStatus()',
+      );
+    },
+    updatePermissionRevocationStatusWithPermission: async (
+      _: StoredGrantedPermission,
+      __: boolean,
+    ) => {
+      logger.debug(
+        'unConfiguredProfileSyncManager.updatePermissionRevocationStatusWithPermission()',
+      );
+    },
+    checkDelegationDisabledOnChain: async (_: Hex, __: Hex, ___: Hex) => {
+      logger.debug(
+        'unConfiguredProfileSyncManager.checkDelegationDisabledOnChain()',
+      );
+      return false; // Default to not disabled when feature is disabled
+    },
   };
 
   /**
@@ -306,6 +342,123 @@ export function createProfileSyncManager(
     }
   }
 
+  /**
+   * Updates the revocation status of a granted permission in profile sync.
+   *
+   * @param permissionContext - The context of the granted permission to update.
+   * @param isRevoked - The new revocation status.
+   * @throws InvalidInputError if the permission is not found.
+   */
+  async function updatePermissionRevocationStatus(
+    permissionContext: Hex,
+    isRevoked: boolean,
+  ): Promise<void> {
+    try {
+      await authenticate();
+
+      // First, get the existing permission
+      const existingPermission = await getGrantedPermission(permissionContext);
+      if (!existingPermission) {
+        throw new InvalidInputError(
+          `Permission not found for delegation hash: ${permissionContext}`,
+        );
+      }
+
+      // Use the optimized version that accepts the existing permission
+      await updatePermissionRevocationStatusWithPermission(
+        existingPermission,
+        isRevoked,
+      );
+    } catch (error) {
+      logger.error('Error updating permission revocation status');
+      throw error;
+    }
+  }
+
+  /**
+   * Updates the revocation status of a granted permission when you already have the permission object.
+   * This is an optimized version that avoids re-fetching the permission.
+   *
+   * @param existingPermission - The existing permission object.
+   * @param isRevoked - The new revocation status.
+   */
+  async function updatePermissionRevocationStatusWithPermission(
+    existingPermission: StoredGrantedPermission,
+    isRevoked: boolean,
+  ): Promise<void> {
+    try {
+      await authenticate();
+
+      // Update the isRevoked flag
+      const updatedPermission: StoredGrantedPermission = {
+        ...existingPermission,
+        isRevoked,
+      };
+
+      // Store the updated permission
+      await storeGrantedPermission(updatedPermission);
+    } catch (error) {
+      logger.error(
+        'Error updating permission revocation status with existing permission',
+      );
+      throw error;
+    }
+  }
+
+  /**
+   * Checks if a delegation is disabled on-chain by calling the DelegationManager contract.
+   * @param delegationHash - The hash of the delegation to check.
+   * @param chainId - The chain ID in hex format.
+   * @param delegationManagerAddress - The address of the DelegationManager contract.
+   * @returns True if the delegation is disabled, false otherwise.
+   */
+  async function checkDelegationDisabledOnChain(
+    delegationHash: Hex,
+    chainId: Hex,
+    delegationManagerAddress: Hex,
+  ): Promise<boolean> {
+    try {
+      logger.debug('Checking delegation disabled status on-chain', {
+        delegationHash,
+        chainId,
+        delegationManagerAddress,
+      });
+
+      // Encode the function call data for disabledDelegations(bytes32)
+      const functionSelector = '0x2d40d052'; // keccak256("disabledDelegations(bytes32)").slice(0, 10)
+      const encodedParams = delegationHash.slice(2).padStart(64, '0'); // Remove 0x and pad to 32 bytes
+      const callData = `${functionSelector}${encodedParams}`;
+
+      const result = await ethereumProvider.request<Hex>({
+        method: 'eth_call',
+        params: [
+          {
+            to: delegationManagerAddress,
+            data: callData,
+          },
+          'latest',
+        ],
+      });
+
+      if (!result) {
+        logger.warn('No result from contract call');
+        return false;
+      }
+
+      // Parse the boolean result (32 bytes, last byte is the boolean value)
+      const isDisabled =
+        result !==
+        '0x0000000000000000000000000000000000000000000000000000000000000000';
+
+      logger.debug('Delegation disabled status result', { isDisabled });
+      return isDisabled;
+    } catch (error) {
+      logger.error('Error checking delegation disabled status on-chain', error);
+      // In case of error, assume not disabled to avoid blocking legitimate operations
+      return false;
+    }
+  }
+
   /**
    * Feature flag to disable profile sync feature until message-signing-snap v1.1.2 released in MM 12.18: https://github.com/MetaMask/metamask-extension/pull/32521.
    */
@@ -315,6 +468,9 @@ export function createProfileSyncManager(
         getGrantedPermission,
         storeGrantedPermission,
         storeGrantedPermissionBatch,
+        updatePermissionRevocationStatus,
+        updatePermissionRevocationStatusWithPermission,
+        checkDelegationDisabledOnChain,
       }
     : unConfiguredProfileSyncManager;
 }

packages/gator-permissions-snap/src/rpc/permissions.ts

@@ -9,7 +9,10 @@ const allowedPermissionsByOrigin: { [origin: string]: string[] } = {
       RpcMethod.PermissionsProviderGetPermissionOffers,
     ],
   }),
-  metamask: [RpcMethod.PermissionsProviderGetGrantedPermissions],
+  metamask: [
+    RpcMethod.PermissionsProviderGetGrantedPermissions,
+    RpcMethod.PermissionsProviderSubmitRevocation,
+  ],
 };
 
 /**

packages/gator-permissions-snap/src/rpc/rpcHandler.ts

@@ -4,8 +4,14 @@ import { InvalidInputError, type Json } from '@metamask/snaps-sdk';
 
 import type { PermissionHandlerFactory } from '../core/permissionHandlerFactory';
 import { DEFAULT_GATOR_PERMISSION_TO_OFFER } from '../permissions/permissionOffers';
-import type { ProfileSyncManager } from '../profileSync';
-import { validatePermissionRequestParam } from '../utils/validate';
+import type {
+  ProfileSyncManager,
+  StoredGrantedPermission,
+} from '../profileSync/profileSync';
+import {
+  validatePermissionRequestParam,
+  validateRevocationParams,
+} from '../utils/validate';
 
 /**
  * Type for the RPC handler methods.
@@ -32,6 +38,14 @@ export type RpcHandler = {
    * @returns The granted permissions.
    */
   getGrantedPermissions(): Promise<Json>;
+
+  /**
+   * Handles submit revocation requests.
+   *
+   * @param params - The parameters for the revocation.
+   * @returns Success confirmation.
+   */
+  submitRevocation(params: Json): Promise<Json>;
 };
 
 /**
@@ -75,15 +89,19 @@ export function createRpcHandler(config: {
         throw new InvalidInputError(permissionResponse.reason);
       }
 
-      permissionsToStore.push({
+      const storedPermission: StoredGrantedPermission = {
         permissionResponse: permissionResponse.response,
         siteOrigin,
-      });
+        isRevoked: false,
+      };
+      permissionsToStore.push(storedPermission);
     }
 
     // Only after all permissions have been successfully processed, store them all in batch
     if (permissionsToStore.length > 0) {
-      await profileSyncManager.storeGrantedPermissionBatch(permissionsToStore);
+      await profileSyncManager.storeGrantedPermissionBatch(
+        permissionsToStore as StoredGrantedPermission[],
+      );
     }
 
     // Return the permission responses
@@ -114,9 +132,74 @@ export function createRpcHandler(config: {
     return grantedPermission as Json[];
   };
 
+  /**
+   * Handles submit revocation requests.
+   *
+   * @param params - The parameters for the revocation.
+   * @returns Success confirmation.
+   */
+  const submitRevocation = async (params: Json): Promise<Json> => {
+    logger.debug('submitRevocation()', params);
+
+    const { delegationHash } = validateRevocationParams(params);
+
+    // First, get the existing permission to validate it exists
+    const existingPermission =
+      await profileSyncManager.getGrantedPermission(delegationHash);
+
+    if (!existingPermission) {
+      throw new InvalidInputError(
+        `Permission not found for delegation hash: ${delegationHash}`,
+      );
+    }
+
+    // Extract delegationManager and chainId from the permission response for logging
+    const { chainId: permissionChainId, signerMeta } =
+      existingPermission.permissionResponse;
+    const { delegationManager } = signerMeta;
+
+    logger.debug(
+      `Found permission - chainId: ${permissionChainId}, delegationManager: ${delegationManager ?? 'undefined'}`,
+    );
+
+    // Check if the delegation is actually disabled on-chain
+    if (!delegationManager) {
+      throw new InvalidInputError(
+        `No delegation manager found for delegation hash: ${delegationHash}`,
+      );
+    }
+
+    const isDelegationDisabled =
+      await profileSyncManager.checkDelegationDisabledOnChain(
+        delegationHash,
+        permissionChainId,
+        delegationManager,
+      );
+
+    if (!isDelegationDisabled) {
+      throw new InvalidInputError(
+        `Delegation ${delegationHash} is not disabled on-chain. Cannot process revocation.`,
+      );
+    }
+
+    logger.debug(
+      `Processing revocation for delegation ${delegationHash} - validated on-chain`,
+    );
+
+    // Update the permission's revocation status using the optimized method
+    // This avoids re-fetching the permission we already have
+    await profileSyncManager.updatePermissionRevocationStatusWithPermission(
+      existingPermission,
+      true,
+    );
+
+    return { success: true };
+  };
+
   return {
     grantPermission,
     getPermissionOffers,
     getGrantedPermissions,
+    submitRevocation,
   };
 }

packages/gator-permissions-snap/src/rpc/rpcMethod.ts

@@ -16,4 +16,9 @@ export enum RpcMethod {
    * This method is used by Metamask clients to retrieve granted permissions for all sites.
    */
   PermissionsProviderGetGrantedPermissions = 'permissionsProvider_getGrantedPermissions',
+
+  /**
+   * This method is used by MetaMask origin to submit a revocation and update the isRevoked flag.
+   */
+  PermissionsProviderSubmitRevocation = 'permissionsProvider_submitRevocation',
 }