Fix authenticated signer syscall and remove the offending field (#4392)

ma2bd · web-flow · commit 58afb8745eb5 · 2025-08-22T03:05:35.000Z
## Motivation Fix authenticated signer. ## Proposal As pointed out in #4374, we were using the transaction instead of the last application on the calling stack, effectively ignoring whether calls were "authenticated" or not. * Fix the bug * Remove the field that caused the confusion in the first place ## Test Plan CI + new unit test I verified that the new unit test fails before the fix. ## Release Plan - These changes should be backported to the latest `devnet` branch, then - be released in a new SDK, - be released in a validator hotfix.
diff --git a/linera-execution/src/runtime.rs b/linera-execution/src/runtime.rs
@@ -87,9 +87,6 @@ pub struct SyncRuntimeInternal<UserInstance: WithContext> {
     height: BlockHeight,
     /// The current consensus round. Only available during block validation in multi-leader rounds.
     round: Option<u32>,
-    /// The authenticated signer of the operation or message, if any.
-    #[debug(skip_if = Option::is_none)]
-    authenticated_signer: Option<AccountOwner>,
     /// The current message being executed, if there is one.
     #[debug(skip_if = Option::is_none)]
     executing_message: Option<ExecutingMessage>,
@@ -311,7 +308,6 @@ impl<UserInstance: WithContext> SyncRuntimeInternal<UserInstance> {
         chain_id: ChainId,
         height: BlockHeight,
         round: Option<u32>,
-        authenticated_signer: Option<AccountOwner>,
         executing_message: Option<ExecutingMessage>,
         execution_state_sender: ExecutionStateSender,
         deadline: Option<Instant>,
@@ -324,7 +320,6 @@ impl<UserInstance: WithContext> SyncRuntimeInternal<UserInstance> {
             chain_id,
             height,
             round,
-            authenticated_signer,
             executing_message,
             execution_state_sender,
             is_finalizing: false,
@@ -1008,7 +1003,6 @@ impl ContractSyncRuntime {
                 chain_id,
                 action.height(),
                 action.round(),
-                action.signer(),
                 if let UserAction::Message(context, _) = action {
                     Some(context.into())
                 } else {
@@ -1085,7 +1079,6 @@ impl ContractSyncRuntimeHandle {
 
         {
             let runtime = self.inner();
-            assert_eq!(runtime.authenticated_signer, action.signer());
             assert_eq!(runtime.chain_id, chain_id);
             assert_eq!(runtime.height, action.height());
         }
@@ -1171,7 +1164,8 @@ impl ContractSyncRuntimeHandle {
 
 impl ContractRuntime for ContractSyncRuntimeHandle {
     fn authenticated_signer(&mut self) -> Result<Option<AccountOwner>, ExecutionError> {
-        Ok(self.inner().authenticated_signer)
+        let this = self.inner();
+        Ok(this.current_application().signer)
     }
 
     fn message_is_bouncing(&mut self) -> Result<Option<bool>, ExecutionError> {
@@ -1686,7 +1680,6 @@ impl ServiceSyncRuntime {
                 context.next_block_height,
                 None,
                 None,
-                None,
                 execution_state_sender,
                 deadline,
                 None,
diff --git a/linera-execution/src/unit_tests/runtime_tests.rs b/linera-execution/src/unit_tests/runtime_tests.rs
@@ -180,7 +180,6 @@ where
         BlockHeight(0),
         Some(0),
         None,
-        None,
         execution_state_sender,
         None,
         None,
diff --git a/linera-execution/tests/contract_runtime_apis.rs b/linera-execution/tests/contract_runtime_apis.rs
@@ -10,7 +10,7 @@ use std::{
 
 use assert_matches::assert_matches;
 use linera_base::{
-    crypto::CryptoHash,
+    crypto::{AccountPublicKey, CryptoHash},
     data_types::{
         Amount, ApplicationDescription, ApplicationPermissions, Blob, BlockHeight, Bytecode,
         CompressedBytecode, OracleResponse,
@@ -1056,3 +1056,72 @@ async fn test_publish_module_different_bytecode() -> anyhow::Result<()> {
 
     Ok(())
 }
+
+#[test_log::test(tokio::test)]
+async fn test_callee_api_calls() -> anyhow::Result<()> {
+    let (state, chain_id) = SystemExecutionState::dummy_chain_state(0);
+    let mut view = state.into_view().await;
+
+    let (caller_id, caller_application, caller_blobs) = view.register_mock_application(0).await?;
+    let (target_id, target_application, target_blobs) = view.register_mock_application(1).await?;
+
+    let owner = AccountOwner::from(AccountPublicKey::test_key(0));
+    let dummy_operation = vec![1];
+
+    caller_application.expect_call({
+        let dummy_operation = dummy_operation.clone();
+        ExpectedCall::execute_operation(move |runtime, operation| {
+            assert_eq!(operation, dummy_operation);
+
+            // Call the target application with authentication.
+            let response =
+                runtime.try_call_application(/* authenticated */ true, target_id, vec![])?;
+            assert!(response.is_empty());
+
+            // Call the target application without authentication.
+            let response =
+                runtime.try_call_application(/* authenticated */ false, target_id, vec![])?;
+            assert!(response.is_empty());
+
+            Ok(vec![])
+        })
+    });
+
+    target_application.expect_call(ExpectedCall::execute_operation(move |runtime, argument| {
+        assert!(argument.is_empty());
+        assert_eq!(runtime.authenticated_signer().unwrap(), Some(owner));
+        assert_eq!(runtime.authenticated_caller_id().unwrap(), Some(caller_id));
+        Ok(vec![])
+    }));
+    target_application.expect_call(ExpectedCall::execute_operation(move |runtime, argument| {
+        assert!(argument.is_empty());
+        assert_eq!(runtime.authenticated_signer().unwrap(), None);
+        assert_eq!(runtime.authenticated_caller_id().unwrap(), None);
+        Ok(vec![])
+    }));
+
+    target_application.expect_call(ExpectedCall::default_finalize());
+    caller_application.expect_call(ExpectedCall::default_finalize());
+
+    let context = OperationContext {
+        authenticated_signer: Some(owner),
+        ..create_dummy_operation_context(chain_id)
+    };
+    let mut controller = ResourceController::default();
+    let mut txn_tracker =
+        TransactionTracker::new_replaying_blobs(caller_blobs.iter().chain(&target_blobs));
+    view.execute_operation(
+        context,
+        Operation::User {
+            application_id: caller_id,
+            bytes: dummy_operation.clone(),
+        },
+        &mut txn_tracker,
+        &mut controller,
+    )
+    .await
+    .unwrap();
+    let txn_outcome = txn_tracker.into_outcome().unwrap();
+    assert!(txn_outcome.outgoing_messages.is_empty());
+    Ok(())
+}
