Merge pull request #69 from onflow/ls/improvement/access-checker

[LS] Implement account access check
onflow · Jan 20, 2023 · aa05d4c · aa05d4c
2 parents a6dc82f + 76e02ad
commit aa05d4c
Show file tree

Hide file tree

Showing 5 changed files with 88 additions and 0 deletions.
diff --git a/languageserver/integration/flow.go b/languageserver/integration/flow.go
@@ -54,6 +54,8 @@ type flowClient interface {
 	) (*flow.Transaction, *flow.TransactionResult, error)
 	GetAccount(address flow.Address) (*flow.Account, error)
 	CreateAccount() (*clientAccount, error)
+	getState() *flowkit.State
+	getConfigPath() string
 }
 
 var _ flowClient = &flowkitClient{}
@@ -130,6 +132,14 @@ func (f *flowkitClient) Initialize(configPath string, numberOfAccounts int) erro
 	return nil
 }
 
+func (f *flowkitClient) getState() *flowkit.State {
+	return f.state
+}
+
+func (f *flowkitClient) getConfigPath() string {
+	return f.configPath
+}
+
 func (f *flowkitClient) Reload() error {
 	state, err := flowkit.Load([]string{f.configPath}, f.loader)
 	if err != nil {

diff --git a/languageserver/integration/integration.go b/languageserver/integration/integration.go
@@ -59,6 +59,7 @@ func NewFlowIntegration(s *server.Server, enableFlowClient bool) (*FlowIntegrati
 			server.WithCodeLensProvider(integration.codeLenses),
 			server.WithAddressImportResolver(resolve.addressImport),
 			server.WithAddressContractNamesResolver(resolve.addressContractNames),
+			server.WithMemberAccountAccessHandler(resolve.accountAccess),
 		)
 
 		comm := commands{client: client}

diff --git a/languageserver/integration/mock_flow_test.go b/languageserver/integration/mock_flow_test.go
diff --git a/languageserver/integration/resolvers.go b/languageserver/integration/resolvers.go
@@ -20,8 +20,11 @@ package integration
 
 import (
 	"github.com/onflow/cadence/runtime/common"
+	"github.com/onflow/cadence/runtime/sema"
 	"github.com/onflow/flow-cli/pkg/flowkit"
+	"github.com/onflow/flow-cli/pkg/flowkit/config"
 	"github.com/onflow/flow-go-sdk"
+	"path/filepath"
 	"strings"
 )
 
@@ -30,6 +33,7 @@ type resolvers struct {
 	loader flowkit.ReaderWriter
 }
 
+// fileImport loads the code for a string location.
 func (r *resolvers) fileImport(location common.StringLocation) (string, error) {
 	filename := cleanWindowsPath(location.String())
 
@@ -41,6 +45,7 @@ func (r *resolvers) fileImport(location common.StringLocation) (string, error) {
 	return string(data), nil
 }
 
+// addressImport loads the code for an address location.
 func (r *resolvers) addressImport(location common.AddressLocation) (string, error) {
 	account, err := r.client.GetAccount(flow.HexToAddress(location.Address.String()))
 	if err != nil {
@@ -50,6 +55,7 @@ func (r *resolvers) addressImport(location common.AddressLocation) (string, erro
 	return string(account.Contracts[location.Name]), nil
 }
 
+// addressContractNames returns a slice of all the contract names on the address location.
 func (r *resolvers) addressContractNames(address common.Address) ([]string, error) {
 	account, err := r.client.GetAccount(flow.HexToAddress(address.String()))
 	if err != nil {
@@ -66,6 +72,32 @@ func (r *resolvers) addressContractNames(address common.Address) ([]string, erro
 	return names, nil
 }
 
+// accountAccess checks whether the current program location and accessed program location were deployed to the same account.
+//
+// if the contracts were deployed on the same account then it returns true and hence allows the access, false otherwise.
+func (r *resolvers) accountAccess(checker *sema.Checker, memberLocation common.Location) bool {
+	contracts, err := r.client.getState().DeploymentContractsByNetwork(config.DefaultEmulatorNetwork().Name)
+	if err != nil {
+		return false
+	}
+
+	var checkerAccount, memberAccount string
+	// go over contracts and match contract by the location of checker and member and assign the account name for later check
+	for _, c := range contracts {
+		// get absolute path of the contract relative to the dir where flow.json is (working env)
+		absLocation, _ := filepath.Abs(filepath.Join(filepath.Dir(r.client.getConfigPath()), c.Source))
+
+		if memberLocation.String() == absLocation {
+			memberAccount = c.AccountName
+		}
+		if checker.Location.String() == absLocation {
+			checkerAccount = c.AccountName
+		}
+	}
+
+	return checkerAccount == memberAccount && checkerAccount != "" && memberAccount != ""
+}
+
 // workaround for Windows files being sent with prefixed '/' which is /c:/test/foo
 // we remove the first / for Windows files, so they are valid, also replace encoded column sign.
 func cleanWindowsPath(path string) string {

diff --git a/languageserver/server/server.go b/languageserver/server/server.go
@@ -264,6 +264,19 @@ func WithInitializationOptionsHandler(handler InitializationOptionsHandler) Opti
 	}
 }
 
+// WithMemberAccountAccessHandler returns a server option that adds the given function
+// as a function that is used to determine access for accounts.
+//
+// When we have a syntax like access(account) this handler is called and
+// determines whether the access is allowed based on the location of program and the called member.
+func WithMemberAccountAccessHandler(handler sema.MemberAccountAccessHandlerFunc) Option {
+	return func(server *Server) error {
+		server.checkerStandardConfig.MemberAccountAccessHandler = handler
+		server.checkerScriptConfig.MemberAccountAccessHandler = handler
+		return nil
+	}
+}
+
 const GetEntryPointParametersCommand = "cadence.server.getEntryPointParameters"
 const GetContractInitializerParametersCommand = "cadence.server.getContractInitializerParameters"
 const ParseEntryPointArgumentsCommand = "cadence.server.parseEntryPointArguments"