imp: Enable custom paths for light client proof verifications

.changelog/unreleased/breaking-changes/1255-enable-custom-paths-for-proof-verificaitons.md

@@ -0,0 +1,4 @@
+- [ibc-core-client] Enable `verify_(non_)membership()` methods to accept custom
+  paths as bytes by defining a new `serializer_path()` API allowing light client
+  developers to introduce the path serialization behavior of their system.
+  ([\#1255](https://github.com/cosmos/ibc-rs/issues/1255))

ibc-clients/cw-context/src/types/msgs.rs

@@ -1,13 +1,12 @@
 //! Defines the messages sent to the CosmWasm contract by the 08-wasm proxy
 //! light client.
-use std::str::FromStr;
-
 use cosmwasm_schema::{cw_serde, QueryResponses};
 use cosmwasm_std::{Binary, Checksum};
 use ibc_core::client::types::proto::v1::Height as RawHeight;
 use ibc_core::client::types::Height;
 use ibc_core::commitment_types::commitment::{CommitmentPrefix, CommitmentProofBytes};
-use ibc_core::host::types::path::Path;
+use ibc_core::commitment_types::merkle::MerklePath;
+use ibc_core::host::types::path::PathBytes;
 use ibc_core::primitives::proto::Any;
 use prost::Message;
 
@@ -116,11 +115,6 @@
     }
 }
 
-#[cw_serde]
-pub struct MerklePath {
-    pub key_path: Vec<String>,
-}
-
 #[cw_serde]
 pub struct VerifyMembershipMsgRaw {
     pub proof: Binary,
@@ -134,7 +128,7 @@
 pub struct VerifyMembershipMsg {
     pub prefix: CommitmentPrefix,
     pub proof: CommitmentProofBytes,
-    pub path: Path,
+    pub path: PathBytes,
     pub value: Vec<u8>,
     pub height: Height,
     pub delay_block_period: u64,
@@ -146,17 +140,16 @@
 
     fn try_from(mut raw: VerifyMembershipMsgRaw) -> Result<Self, Self::Error> {
         let proof = CommitmentProofBytes::try_from(raw.proof.to_vec())?;
-        let prefix = raw.path.key_path.remove(0).into_bytes();
-        let path_str = raw.path.key_path.join("");
-        let path = Path::from_str(&path_str)?;
+        let prefix = CommitmentPrefix::try_from(raw.path.key_path.remove(0).into_vec())?;
+        let path = PathBytes::concat(raw.path.key_path);
         let height = Height::try_from(raw.height)?;
 
         Ok(Self {
             proof,
             path,
             value: raw.value.into(),
             height,
-            prefix: CommitmentPrefix::try_from(prefix)?,
+            prefix,
             delay_block_period: raw.delay_block_period,
             delay_time_period: raw.delay_time_period,
         })
@@ -175,7 +168,7 @@
 pub struct VerifyNonMembershipMsg {
     pub prefix: CommitmentPrefix,
     pub proof: CommitmentProofBytes,
-    pub path: Path,
+    pub path: PathBytes,
     pub height: Height,
     pub delay_block_period: u64,
     pub delay_time_period: u64,
@@ -186,15 +179,15 @@
 
     fn try_from(mut raw: VerifyNonMembershipMsgRaw) -> Result<Self, Self::Error> {
         let proof = CommitmentProofBytes::try_from(raw.proof.to_vec())?;
-        let prefix = raw.path.key_path.remove(0).into_bytes();
-        let path_str = raw.path.key_path.join("");
-        let path = Path::from_str(&path_str)?;
+        let prefix = CommitmentPrefix::try_from(raw.path.key_path.remove(0).into_vec())?;
+        let path = PathBytes::concat(raw.path.key_path);
         let height = raw.height.try_into()?;
+
         Ok(Self {
             proof,
             path,
             height,
-            prefix: CommitmentPrefix::try_from(prefix)?,
+            prefix,
             delay_block_period: raw.delay_block_period,
             delay_time_period: raw.delay_time_period,
         })

ibc-clients/ics07-tendermint/src/client_state/common.rs

@@ -6,11 +6,11 @@
 use ibc_core_commitment_types::commitment::{
     CommitmentPrefix, CommitmentProofBytes, CommitmentRoot,
 };
-use ibc_core_commitment_types::merkle::{apply_prefix, MerkleProof};
+use ibc_core_commitment_types::merkle::{MerklePath, MerkleProof};
 use ibc_core_commitment_types::proto::ics23::{HostFunctionsManager, HostFunctionsProvider};
 use ibc_core_commitment_types::specs::ProofSpecs;
 use ibc_core_host::types::identifiers::ClientType;
-use ibc_core_host::types::path::{Path, UpgradeClientPath};
+use ibc_core_host::types::path::{Path, PathBytes, UpgradeClientPath};
 use ibc_primitives::prelude::*;
 use ibc_primitives::proto::Any;
 use ibc_primitives::ToVec;
@@ -43,22 +43,36 @@
         proof_upgrade_consensus_state: CommitmentProofBytes,
         root: &CommitmentRoot,
     ) -> Result<(), ClientError> {
+        let last_height = self.latest_height().revision_height();
+
+        let upgrade_client_path_bytes =
+            self.serialize_path(UpgradeClientPath::UpgradedClientState(last_height))?;
+
+        let upgrade_consensus_path_bytes =
+            self.serialize_path(UpgradeClientPath::UpgradedClientConsensusState(last_height))?;
+
         verify_upgrade_client::<HostFunctionsManager>(
             self.inner(),
             upgraded_client_state,
             upgraded_consensus_state,
             proof_upgrade_client,
             proof_upgrade_consensus_state,
+            upgrade_client_path_bytes,
+            upgrade_consensus_path_bytes,
             root,
         )
     }
 
+    fn serialize_path(&self, path: impl Into<Path>) -> Result<PathBytes, ClientError> {
+        Ok(path.into().to_string().into_bytes().into())
+    }
+
     fn verify_membership(
         &self,
         prefix: &CommitmentPrefix,
         proof: &CommitmentProofBytes,
         root: &CommitmentRoot,
-        path: Path,
+        path: PathBytes,
         value: Vec<u8>,
     ) -> Result<(), ClientError> {
         verify_membership::<HostFunctionsManager>(
@@ -76,7 +90,7 @@
         prefix: &CommitmentPrefix,
         proof: &CommitmentProofBytes,
         root: &CommitmentRoot,
-        path: Path,
+        path: PathBytes,
     ) -> Result<(), ClientError> {
         verify_non_membership::<HostFunctionsManager>(
             &self.inner().proof_specs,
@@ -139,12 +153,15 @@
 /// Note that this function is typically implemented as part of the
 /// [`ClientStateCommon`] trait, but has been made a standalone function
 /// in order to make the ClientState APIs more flexible.
+#[allow(clippy::too_many_arguments)]
 pub fn verify_upgrade_client<H: HostFunctionsProvider>(
     client_state: &ClientStateType,
     upgraded_client_state: Any,
     upgraded_consensus_state: Any,
     proof_upgrade_client: CommitmentProofBytes,
     proof_upgrade_consensus_state: CommitmentProofBytes,
+    upgrade_client_path_bytes: PathBytes,
+    upgrade_consensus_path_bytes: PathBytes,
     root: &CommitmentRoot,
 ) -> Result<(), ClientError> {
     // Make sure that the client type is of Tendermint type `ClientState`
@@ -178,15 +195,13 @@
     let upgrade_path_prefix = CommitmentPrefix::try_from(upgrade_path[0].clone().into_bytes())
         .map_err(ClientError::InvalidCommitmentProof)?;
 
-    let last_height = latest_height.revision_height();
-
     // Verify the proof of the upgraded client state
     verify_membership::<H>(
         &client_state.proof_specs,
         &upgrade_path_prefix,
         &proof_upgrade_client,
         root,
-        Path::UpgradeClient(UpgradeClientPath::UpgradedClientState(last_height)),
+        upgrade_client_path_bytes,
         upgraded_client_state.to_vec(),
     )?;
 
@@ -196,7 +211,7 @@
         &upgrade_path_prefix,
         &proof_upgrade_consensus_state,
         root,
-        Path::UpgradeClient(UpgradeClientPath::UpgradedClientConsensusState(last_height)),
+        upgrade_consensus_path_bytes,
         upgraded_consensus_state.to_vec(),
     )?;
 
@@ -213,10 +228,10 @@
     prefix: &CommitmentPrefix,
     proof: &CommitmentProofBytes,
     root: &CommitmentRoot,
-    path: Path,
+    path: PathBytes,
     value: Vec<u8>,
 ) -> Result<(), ClientError> {
-    let merkle_path = apply_prefix(prefix, vec![path.to_string()]);
+    let merkle_path = MerklePath::new(vec![prefix.as_bytes().to_vec().into(), path]);
     let merkle_proof = MerkleProof::try_from(proof).map_err(ClientError::InvalidCommitmentProof)?;
 
     merkle_proof
@@ -234,9 +249,9 @@
     prefix: &CommitmentPrefix,
     proof: &CommitmentProofBytes,
     root: &CommitmentRoot,
-    path: Path,
+    path: PathBytes,
 ) -> Result<(), ClientError> {
-    let merkle_path = apply_prefix(prefix, vec![path.to_string()]);
+    let merkle_path = MerklePath::new(vec![prefix.as_bytes().to_vec().into(), path]);
     let merkle_proof = MerkleProof::try_from(proof).map_err(ClientError::InvalidCommitmentProof)?;
 
     merkle_proof

ibc-core/ics02-client/context/src/client_state.rs

@@ -6,7 +6,7 @@ use ibc_core_commitment_types::commitment::{
     CommitmentPrefix, CommitmentProofBytes, CommitmentRoot,
 };
 use ibc_core_host_types::identifiers::{ClientId, ClientType};
-use ibc_core_host_types::path::Path;
+use ibc_core_host_types::path::{Path, PathBytes};
 use ibc_primitives::prelude::*;
 use ibc_primitives::proto::Any;
 
@@ -52,14 +52,23 @@ pub trait ClientStateCommon: Convertible<Any> {
         root: &CommitmentRoot,
     ) -> Result<(), ClientError>;
 
+    /// Serializes a given path into a `PathBytes` object.
+    ///
+    /// This method provides essential information for IBC modules, enabling
+    /// them to understand how path serialization is performed on the
+    /// counterparty chain (where this light client represents it) before
+    /// passing the path bytes to either `verify_membership()` or
+    /// `verify_non_membership()`.
+    fn serialize_path(&self, path: impl Into<Path>) -> Result<PathBytes, ClientError>;
+
     // Verify_membership is a generic proof verification method which verifies a
     // proof of the existence of a value at a given Path.
     fn verify_membership(
         &self,
         prefix: &CommitmentPrefix,
         proof: &CommitmentProofBytes,
         root: &CommitmentRoot,
-        path: Path,
+        path: PathBytes,
         value: Vec<u8>,
     ) -> Result<(), ClientError>;
 
@@ -70,7 +79,7 @@ pub trait ClientStateCommon: Convertible<Any> {
         prefix: &CommitmentPrefix,
         proof: &CommitmentProofBytes,
         root: &CommitmentRoot,
-        path: Path,
+        path: PathBytes,
     ) -> Result<(), ClientError>;
 }
 

ibc-core/ics03-connection/src/handler/conn_open_ack.rs

@@ -96,23 +96,29 @@ where
                 vars.conn_end_on_a.delay_period(),
             )?;
 
+            let path_bytes =
+                client_state_of_b_on_a.serialize_path(ConnectionPath::new(&msg.conn_id_on_b))?;
+
             client_state_of_b_on_a
                 .verify_membership(
                     prefix_on_b,
                     &msg.proof_conn_end_on_b,
                     consensus_state_of_b_on_a.root(),
-                    Path::Connection(ConnectionPath::new(&msg.conn_id_on_b)),
+                    path_bytes,
                     expected_conn_end_on_b.encode_vec(),
                 )
                 .map_err(ConnectionError::VerifyConnectionState)?;
         }
 
+        let path_bytes = client_state_of_b_on_a
+            .serialize_path(ClientStatePath::new(vars.client_id_on_b().clone()))?;
+
         client_state_of_b_on_a
             .verify_membership(
                 prefix_on_b,
                 &msg.proof_client_state_of_a_on_b,
                 consensus_state_of_b_on_a.root(),
-                Path::ClientState(ClientStatePath::new(vars.client_id_on_b().clone())),
+                path_bytes,
                 msg.client_state_of_a_on_b.to_vec(),
             )
             .map_err(|e| ConnectionError::ClientStateVerificationFailure {
@@ -132,12 +138,15 @@ where
             msg.consensus_height_of_a_on_b.revision_height(),
         );
 
+        let path_bytes = client_state_of_b_on_a
+            .serialize_path(Path::ClientConsensusState(client_cons_state_path_on_b))?;
+
         client_state_of_b_on_a
             .verify_membership(
                 prefix_on_b,
                 &msg.proof_consensus_state_of_a_on_b,
                 consensus_state_of_b_on_a.root(),
-                Path::ClientConsensusState(client_cons_state_path_on_b),
+                path_bytes,
                 stored_consensus_state_of_a_on_b.to_vec(),
             )
             .map_err(|e| ConnectionError::ConsensusStateVerificationFailure {

ibc-core/ics03-connection/src/handler/conn_open_confirm.rs

@@ -8,7 +8,7 @@ use ibc_core_connection_types::{ConnectionEnd, Counterparty, State};
 use ibc_core_handler_types::error::ContextError;
 use ibc_core_handler_types::events::{IbcEvent, MessageEvent};
 use ibc_core_host::types::identifiers::{ClientId, ConnectionId};
-use ibc_core_host::types::path::{ClientConsensusStatePath, ConnectionPath, Path};
+use ibc_core_host::types::path::{ClientConsensusStatePath, ConnectionPath};
 use ibc_core_host::{ExecutionContext, ValidationContext};
 use ibc_primitives::prelude::*;
 use ibc_primitives::proto::Protobuf;
@@ -73,12 +73,15 @@ where
             conn_end_on_b.delay_period(),
         )?;
 
+        let path_bytes =
+            client_state_of_a_on_b.serialize_path(ConnectionPath::new(conn_id_on_a))?;
+
         client_state_of_a_on_b
             .verify_membership(
                 prefix_on_a,
                 &msg.proof_conn_end_on_a,
                 consensus_state_of_a_on_b.root(),
-                Path::Connection(ConnectionPath::new(conn_id_on_a)),
+                path_bytes,
                 expected_conn_end_on_a.encode_vec(),
             )
             .map_err(ConnectionError::VerifyConnectionState)?;