chore: limit re-delegation depth

Author: saiintbrisson

pallets/permission0/src/ext/namespace_impl.rs

@@ -105,7 +105,7 @@ pub fn delegate_namespace_permission_impl<T: Config>(
 
                 parents.push(pid);
 
-                resolve_paths::<T>(&delegator, Some(namespace), paths)
+                resolve_paths::<T>(&delegator, Some((*pid, namespace)), paths)
             } else {
                 resolve_paths::<T>(&delegator, None, paths)
             }?;
@@ -150,21 +150,69 @@ pub fn delegate_namespace_permission_impl<T: Config>(
     Ok(permission_id)
 }
 
+/// Maximum allowed delegation depth for namespaces
+const MAX_DELEGATION_DEPTH: u32 = 5;
+
+/// Check the delegation depth of a namespace by traversing up the permission chain
+fn check_namespace_delegation_depth<T: Config>(
+    namespace_path: &NamespacePath,
+    parent_permission_id: Option<PermissionId>,
+    current_depth: u32,
+) -> Result<(), DispatchError> {
+    if current_depth > MAX_DELEGATION_DEPTH {
+        return Err(Error::<T>::DelegationDepthExceeded.into());
+    }
+
+    let Some(parent_id) = parent_permission_id else {
+        return Ok(());
+    };
+
+    let Some(parent_permission) = Permissions::<T>::get(parent_id) else {
+        return Err(Error::<T>::ParentPermissionNotFound.into());
+    };
+
+    let PermissionScope::Namespace(parent_scope) = &parent_permission.scope else {
+        return Err(Error::<T>::UnsupportedPermissionType.into());
+    };
+
+    for (grandparent_id, namespace_set) in parent_scope.paths.iter() {
+        if namespace_set.contains(namespace_path) {
+            return check_namespace_delegation_depth::<T>(
+                namespace_path,
+                *grandparent_id,
+                current_depth.saturating_add(1),
+            );
+        }
+
+        for parent_namespace in namespace_set.iter() {
+            if parent_namespace.is_parent_of(namespace_path) {
+                return check_namespace_delegation_depth::<T>(
+                    parent_namespace,
+                    *grandparent_id,
+                    current_depth.saturating_add(1),
+                );
+            }
+        }
+    }
+
+    Ok(())
+}
+
 fn resolve_paths<T: Config>(
     delegator: &T::AccountId,
-    parent: Option<&NamespaceScope<T>>,
+    parent: Option<(PermissionId, &NamespaceScope<T>)>,
     paths: &BoundedBTreeSet<NamespacePathInner, T::MaxNamespacesPerPermission>,
 ) -> Result<BoundedBTreeSet<NamespacePath, T::MaxNamespacesPerPermission>, DispatchError> {
     let children = paths.iter().map(|path| {
         NamespacePath::new_agent(path).map_err(|_| Error::<T>::NamespacePathIsInvalid.into())
     });
 
-    let paths = if let Some(parent) = &parent {
+    let paths = if let Some((parent_pid, parent)) = parent {
         let children = children.collect::<Result<BTreeSet<_>, DispatchError>>()?;
-        let matched_count = parent
+        let matched_paths = parent
             .paths
             .values()
-            .flat_map(|parent| parent.iter())
+            .flat_map(|p_path| p_path.iter())
             .filter_map(|parent_path| {
                 if children.contains(parent_path) {
                     Some(())
@@ -185,10 +233,14 @@ fn resolve_paths<T: Config>(
             .count();
 
         ensure!(
-            matched_count == children.len(),
+            matched_paths == children.len(),
             Error::<T>::ParentPermissionNotFound
         );
 
+        for child_path in &children {
+            check_namespace_delegation_depth::<T>(child_path, Some(parent_pid), 1)?;
+        }
+
         children
     } else {
         children

pallets/permission0/src/lib.rs

@@ -324,6 +324,8 @@ pub mod pallet {
         RevocationTermsTooStrong,
         /// Too many curator permissions being delegated in a single permission.
         TooManyCuratorPermissions,
+        /// Namespace delegation depth exceeded the maximum allowed limit.
+        DelegationDepthExceeded,
     }
 
     #[pallet::hooks]

pallets/permission0/tests/namespace.rs

@@ -1,4 +1,4 @@
-#![allow(clippy::indexing_slicing)]
+#![allow(clippy::indexing_slicing, clippy::arithmetic_side_effects)]
 
 use pallet_permission0::{
     CuratorPermissions, Error, Pallet, PermissionDuration, PermissionScope, Permissions,
@@ -15,13 +15,15 @@ use test_utils::*;
 
 fn register_agent(id: AccountId) {
     let name = match id {
-        0 => &b"alice"[..],
-        1 => &b"bob"[..],
-        2 => &b"charlie"[..],
-        3 => &b"dave"[..],
-        4 => &b"eve"[..],
-        _ => &b"foo"[..],
+        0 => "alice".to_string(),
+        1 => "bob".to_string(),
+        2 => "charlie".to_string(),
+        3 => "dave".to_string(),
+        4 => "eve".to_string(),
+        5 => "ferdie".to_string(),
+        _ => format!("agent-{id}"),
     };
+    let name = name.as_bytes();
 
     Balances::force_set_balance(RawOrigin::Root.into(), id, u128::MAX).unwrap();
     Torus0::register_agent(get_origin(id), name.to_vec(), name.to_vec(), name.to_vec()).unwrap();
@@ -1572,3 +1574,69 @@ fn delegate_namespace_permission_irrevocable_parent_allows_revocable_after() {
         assert_eq!(PermissionsByDelegator::<Test>::get(bob).len(), 1);
     });
 }
+
+#[test]
+fn delegate_namespace_permission_fails_when_exceeding_depth_limit() {
+    new_test_ext().execute_with(|| {
+        zero_min_burn();
+
+        for i in 0..7 {
+            register_agent(i);
+        }
+
+        let level1 = register_namespace(0, b"agent.alice.compute");
+        let level2 = register_namespace(0, b"agent.alice.compute.gpu");
+        let level3 = register_namespace(0, b"agent.alice.compute.gpu.h100");
+        let level4 = register_namespace(0, b"agent.alice.compute.gpu.h100.cluster");
+        let level5 = register_namespace(0, b"agent.alice.compute.gpu.h100.cluster.node01");
+        let level6 = register_namespace(0, b"agent.alice.compute.gpu.h100.cluster.node01.core01");
+
+        let mut parent_permission_id = None;
+        let namespaces = [level1, level2, level3, level4, level5.clone()];
+
+        for (i, namespace) in namespaces.iter().enumerate() {
+            let delegator = i as u64 as u32;
+            let recipient = (i + 1) as u64 as u32;
+
+            let mut paths = BoundedBTreeMap::new();
+            let mut namespace_set = BoundedBTreeSet::new();
+            namespace_set.try_insert(namespace.clone()).unwrap();
+            paths
+                .try_insert(parent_permission_id, namespace_set)
+                .unwrap();
+
+            dbg!(recipient);
+            assert_ok!(Permission0::delegate_namespace_permission(
+                get_origin(delegator),
+                recipient,
+                paths,
+                PermissionDuration::Indefinite,
+                RevocationTerms::RevocableByDelegator,
+                10
+            ));
+
+            parent_permission_id = Some(PermissionsByDelegator::<Test>::get(delegator)[0]);
+        }
+
+        for to_fail in [level5, level6] {
+            let mut paths = BoundedBTreeMap::new();
+            let mut namespace_set = BoundedBTreeSet::new();
+            namespace_set.try_insert(to_fail).unwrap();
+            paths
+                .try_insert(parent_permission_id, namespace_set)
+                .unwrap();
+
+            assert_err!(
+                Permission0::delegate_namespace_permission(
+                    get_origin(5),
+                    6,
+                    paths,
+                    PermissionDuration::Indefinite,
+                    RevocationTerms::RevocableByDelegator,
+                    10
+                ),
+                Error::<Test>::DelegationDepthExceeded
+            );
+        }
+    });
+}