token-2022: implement CpiGuard (#3712)

token-2022: implement CPI Guard

CPI Guard is an extension to block certain unsafe token operations from being done by programs through CPI

Author: 2501babe

Cargo.lock

@@ -20,8 +20,8 @@ use {
     },
     spl_token_2022::{
         extension::{
-            confidential_transfer, default_account_state, interest_bearing_mint, memo_transfer,
-            transfer_fee, ExtensionType, StateWithExtensionsOwned,
+            confidential_transfer, cpi_guard, default_account_state, interest_bearing_mint,
+            memo_transfer, transfer_fee, ExtensionType, StateWithExtensionsOwned,
         },
         instruction,
         solana_zk_token_sdk::{
@@ -1388,6 +1388,50 @@ where
         .await
     }
 
+    /// Prevent unsafe usage of token account through CPI
+    pub async fn enable_cpi_guard<S: Signers>(
+        &self,
+        account: &Pubkey,
+        authority: &Pubkey,
+        signing_keypairs: &S,
+    ) -> TokenResult<T::Output> {
+        let signing_pubkeys = signing_keypairs.pubkeys();
+        let multisig_signers = self.get_multisig_signers(authority, &signing_pubkeys);
+
+        self.process_ixs(
+            &[cpi_guard::instruction::enable_cpi_guard(
+                &self.program_id,
+                account,
+                authority,
+                &multisig_signers,
+            )?],
+            signing_keypairs,
+        )
+        .await
+    }
+
+    /// Stop preventing unsafe usage of token account through CPI
+    pub async fn disable_cpi_guard<S: Signers>(
+        &self,
+        account: &Pubkey,
+        authority: &Pubkey,
+        signing_keypairs: &S,
+    ) -> TokenResult<T::Output> {
+        let signing_pubkeys = signing_keypairs.pubkeys();
+        let multisig_signers = self.get_multisig_signers(authority, &signing_pubkeys);
+
+        self.process_ixs(
+            &[cpi_guard::instruction::disable_cpi_guard(
+                &self.program_id,
+                account,
+                authority,
+                &multisig_signers,
+            )?],
+            signing_keypairs,
+        )
+        .await
+    }
+
     /// Update interest rate
     pub async fn update_interest_rate<S: Signers>(
         &self,

token/client/src/token.rs

@@ -21,4 +21,5 @@ solana-sdk = "=1.14.4"
 spl-associated-token-account = { version = "1.1", path = "../../associated-token-account/program" }
 spl-memo = { version = "3.0.1", path = "../../memo/program", features = ["no-entrypoint"] }
 spl-token-2022 = { version = "0.4", path="../program-2022", features = ["no-entrypoint"] }
+spl-instruction-padding = { version = "0.1.0", path="../../instruction-padding/program", features = ["no-entrypoint"] }
 spl-token-client = { version = "0.2.1", path = "../client" }

token/program-2022-test/Cargo.toml

@@ -31,24 +31,37 @@ fn rerun_if_changed(directory: &Path) {
 
 fn main() {
     let cwd = env::current_dir().expect("Unable to get current working directory");
+
     let spl_token_2022_dir = cwd
         .parent()
         .expect("Unable to get parent directory of current working dir")
         .join("program-2022");
     rerun_if_changed(&spl_token_2022_dir);
+
+    let instruction_padding_dir = cwd
+        .parent()
+        .expect("Unable to get parent directory of current working dir")
+        .parent()
+        .expect("Unable to get grandparent directory of current working dir")
+        .join("instruction-padding")
+        .join("program");
+    rerun_if_changed(&instruction_padding_dir);
+
     println!("cargo:rerun-if-changed=build.rs");
 
-    let spl_token_2022_toml = spl_token_2022_dir.join("Cargo.toml");
-    let spl_token_2022_toml = format!("{}", spl_token_2022_toml.display());
-    let args = vec!["build-sbf", "--manifest-path", &spl_token_2022_toml];
-    let output = Command::new("cargo")
-        .args(&args)
-        .output()
-        .expect("Error running cargo build-sbf");
-    if let Ok(output_str) = std::str::from_utf8(&output.stdout) {
-        let subs = output_str.split('\n');
-        for sub in subs {
-            println!("cargo:warning=(not a warning) {}", sub);
+    for program_dir in [spl_token_2022_dir, instruction_padding_dir] {
+        let program_toml = program_dir.join("Cargo.toml");
+        let program_toml = format!("{}", program_toml.display());
+        let args = vec!["build-sbf", "--manifest-path", &program_toml];
+        let output = Command::new("cargo")
+            .args(&args)
+            .output()
+            .expect("Error running cargo build-sbf");
+        if let Ok(output_str) = std::str::from_utf8(&output.stdout) {
+            let subs = output_str.split('\n');
+            for sub in subs {
+                println!("cargo:warning=(not a warning) {}", sub);
+            }
         }
     }