[Stellar] security contact as contract metadata (#679)

Co-authored-by: Eric Lau <[email protected]>

Author: CoveMB

.changeset/silent-bags-repair.md

@@ -0,0 +1,5 @@
+---
+'@openzeppelin/wizard-stellar': patch
+---
+
+Set security contact as contract metadata

packages/core/stellar/src/contract.test.ts

@@ -3,6 +3,7 @@ import test from 'ava';
 import type { BaseFunction, BaseTraitImplBlock } from './contract';
 import { ContractBuilder } from './contract';
 import { printContract } from './print';
+import { setInfo } from './set-info';
 
 test('contract basics', t => {
   const Foo = new ContractBuilder('Foo');
@@ -89,15 +90,41 @@ test('contract with documentation', t => {
   t.snapshot(printContract(Foo));
 });
 
-test('contract with security info', t => {
+test('contract with security contact metadata', t => {
   const Foo = new ContractBuilder('Foo');
-  Foo.addSecurityTag('[email protected]');
+  Foo.addContractMetadata({ key: 'contact', value: '[email protected]' });
   t.snapshot(printContract(Foo));
 });
 
-test('contract with security info and documentation', t => {
+test('setting metadata with same key throws', t => {
   const Foo = new ContractBuilder('Foo');
-  Foo.addSecurityTag('[email protected]');
+  Foo.addContractMetadata({ key: 'contact', value: '[email protected]' });
+
+  t.throws(() => Foo.addContractMetadata({ key: 'contact', value: '[email protected]' }));
+});
+
+test('contract with multiple metadata', t => {
+  const Foo = new ContractBuilder('Foo');
+  Foo.addContractMetadata([
+    { key: 'contact', value: '[email protected]' },
+    { key: 'meta', value: 'data' },
+  ]);
+  t.snapshot(printContract(Foo));
+});
+
+test('contract with multiple metadata and documentation', t => {
+  const Foo = new ContractBuilder('Foo');
+  Foo.addContractMetadata([
+    { key: 'contact', value: '[email protected]' },
+    { key: 'meta', value: 'data' },
+  ]);
   Foo.addDocumentation('Some documentation');
   t.snapshot(printContract(Foo));
 });
+
+test('contract with setInfo', t => {
+  const Foo = new ContractBuilder('Foo');
+  setInfo(Foo, { securityContact: '[email protected]', license: 'MIT' });
+
+  t.snapshot(printContract(Foo));
+});

packages/core/stellar/src/contract.test.ts.md

@@ -155,36 +155,70 @@ Generated by [AVA](https://avajs.dev).
     pub struct Foo;␊
     `
 
-## contract with security info
+## contract with security contact metadata
 
 > Snapshot 1
 
     `// SPDX-License-Identifier: MIT␊
     // Compatible with OpenZeppelin Stellar Soroban Contracts ^0.4.1␊
+    #![no_std]␊
+    ␊
+    use soroban_sdk::contractmeta;␊
     ␊
-    //! # Security␊
-    //!␊
-    //! For security issues, please contact: [email protected]␊
+    contractmeta!(key="contact", val="[email protected]");␊
+    ␊
+    #[contract]␊
+    pub struct Foo;␊
+    `
+
+## contract with multiple metadata
+
+> Snapshot 1
+
+    `// SPDX-License-Identifier: MIT␊
+    // Compatible with OpenZeppelin Stellar Soroban Contracts ^0.4.1␊
     #![no_std]␊
     ␊
+    use soroban_sdk::contractmeta;␊
+    ␊
+    contractmeta!(key="contact", val="[email protected]");␊
+    contractmeta!(key="meta", val="data");␊
+    ␊
     #[contract]␊
     pub struct Foo;␊
     `
 
-## contract with security info and documentation
+## contract with multiple metadata and documentation
 
 > Snapshot 1
 
     `// SPDX-License-Identifier: MIT␊
     // Compatible with OpenZeppelin Stellar Soroban Contracts ^0.4.1␊
     ␊
     //! Some documentation␊
+    #![no_std]␊
+    ␊
+    use soroban_sdk::contractmeta;␊
     ␊
-    //! # Security␊
-    //!␊
-    //! For security issues, please contact: [email protected]␊
+    contractmeta!(key="contact", val="[email protected]");␊
+    contractmeta!(key="meta", val="data");␊
+    ␊
+    #[contract]␊
+    pub struct Foo;␊
+    `
+
+## contract with setInfo
+
+> Snapshot 1
+
+    `// SPDX-License-Identifier: MIT␊
+    // Compatible with OpenZeppelin Stellar Soroban Contracts ^0.4.1␊
     #![no_std]␊
     ␊
+    use soroban_sdk::contractmeta;␊
+    ␊
+    contractmeta!(key="security_contact", val="[email protected]");␊
+    ␊
     #[contract]␊
     pub struct Foo;␊
     `

packages/core/stellar/src/contract.test.ts.snap

@@ -1,8 +1,8 @@
-import { toIdentifier } from './utils/convert-strings';
+import { toByteArray, toIdentifier } from './utils/convert-strings';
 
 export interface Contract {
+  metadata: Map<string, string>;
   license: string;
-  securityContact: string;
   documentations: string[];
   name: string;
   useClauses: UseClause[];
@@ -74,7 +74,7 @@ export interface Argument {
 export class ContractBuilder implements Contract {
   readonly name: string;
   license = 'MIT';
-  securityContact = '';
+  metadata = new Map<string, string>();
   ownable = false;
 
   readonly documentations: string[] = [];
@@ -267,7 +267,13 @@ export class ContractBuilder implements Contract {
     this.documentations.push(description);
   }
 
-  addSecurityTag(securityContact: string) {
-    this.securityContact = securityContact;
+  addContractMetadata(metadata: { key: string; value: string }[] | { key: string; value: string }) {
+    (Array.isArray(metadata) ? metadata : [metadata]).forEach(({ key, value }) => {
+      if (this.metadata.has(key)) throw new Error(`Setting metadata failed: ${key} is already set`);
+
+      this.metadata.set(key, toByteArray(value));
+    });
+
+    if (this.metadata.size > 0) this.addUseClause('soroban_sdk', 'contractmeta');
   }
 }

packages/core/stellar/src/contract.ts

@@ -290,3 +290,24 @@ test.serial(
     { snapshotResult: false },
   ),
 );
+
+test.serial(
+  'compilation fungible upgradable mintable pausable with security contact metadata',
+  runRustCompilationTest(
+    buildFungible,
+    {
+      kind: 'Fungible',
+      name: 'MyToken',
+      symbol: 'MTK',
+      premint: '2000',
+      burnable: false,
+      mintable: true,
+      pausable: true,
+      upgradeable: true,
+      info: {
+        securityContact: '[email protected]',
+      },
+    },
+    { snapshotResult: false },
+  ),
+);

packages/core/stellar/src/fungible.compile.test.ts

@@ -4,6 +4,7 @@ import type { Lines } from './utils/format-lines';
 import { formatLines, spaceBetween } from './utils/format-lines';
 import { getSelfArg } from './common-options';
 import { compatibleContractsSemver } from './utils/version';
+import { toByteArray } from './utils/convert-strings';
 
 const DEFAULT_SECTION = '1. with no section';
 const STANDALONE_IMPORTS_GROUP = 'Standalone Imports';
@@ -24,11 +25,11 @@ export function printContract(contract: Contract): string {
         `// SPDX-License-Identifier: ${contract.license}`,
         `// Compatible with OpenZeppelin Stellar Soroban Contracts ${compatibleContractsSemver}`,
         ...(contract.documentations.length ? ['', ...printDocumentations(contract.documentations)] : []),
-        ...(contract.securityContact ? ['', ...printSecurityTag(contract.securityContact)] : []),
         ...createLevelAttributes,
       ],
       spaceBetween(
         printUseClauses(contract),
+        printMetadata(contract),
         printVariables(contract),
         printContractStruct(contract),
         printContractErrors(contract),
@@ -367,6 +368,6 @@ function printDocumentations(documentations: string[]): string[] {
   return documentations.map(documentation => `//! ${documentation}`);
 }
 
-function printSecurityTag(securityContact: string) {
-  return ['//! # Security', '//!', `//! For security issues, please contact: ${securityContact}`];
+function printMetadata(contract: Contract) {
+  return Array.from(contract.metadata.entries()).map(([key, value]) => `contractmeta!(key="${key}", val="${value}");`);
 }

packages/core/stellar/src/print.ts

@@ -1,7 +1,5 @@
 import type { ContractBuilder } from './contract';
 
-export const TAG_SECURITY_CONTACT = `@custom:security-contact`;
-
 export const infoOptions = [{}, { license: 'WTFPL' }] as const;
 
 export const defaults: Info = { license: 'MIT' };
@@ -11,14 +9,8 @@ export type Info = {
   securityContact?: string;
 };
 
-export function setInfo(c: ContractBuilder, info: Info): void {
-  const { securityContact, license } = info;
-
-  if (securityContact) {
-    c.addSecurityTag(securityContact);
-  }
+export function setInfo(c: ContractBuilder, { securityContact, license }: Info): void {
+  if (securityContact) c.addContractMetadata({ key: 'security_contact', value: securityContact });
 
-  if (license) {
-    c.license = license;
-  }
+  if (license) c.license = license;
 }