CosmWasm · alpe · Sep 15, 2023 · Sep 14, 2023 · Sep 15, 2023 · Sep 15, 2023
diff --git a/tests/system/fraud_test.go b/tests/system/fraud_test.go
@@ -13,6 +13,7 @@ import (
 )
 
 func TestRecursiveMsgsExternalTrigger(t *testing.T) {
+	sut.ResetChain(t)
 	const maxBlockGas = 2_000_000
 	sut.ModifyGenesisJSON(t, SetConsensusMaxGas(t, maxBlockGas))
 	sut.StartChain(t)

diff --git a/tests/system/genesis_io.go b/tests/system/genesis_io.go
@@ -31,3 +31,15 @@ func GetGenesisBalance(rawGenesis []byte, addr string) sdk.Coins {
 	}
 	return r
 }
+
+// SetCodeUploadPermission sets the code upload permissions
+func SetCodeUploadPermission(t *testing.T, permission string, addresses []string) GenesisMutator {
-func SetCodeUploadPermission(t *testing.T, permission string, addresses []string) GenesisMutator {
+func SetCodeUploadPermission(t *testing.T, permission string, addresses ...string) GenesisMutator {
-func SetCodeUploadPermission(t *testing.T, permission string, addresses []string) GenesisMutator {
+func SetCodeUploadPermission(t *testing.T, permission string, addresses ...string) GenesisMutator {
+	return func(genesis []byte) []byte {
+		t.Helper()
+		state, err := sjson.Set(string(genesis), "app_state.wasm.params.code_upload_access.permission", permission)
+		require.NoError(t, err)
+		state, err = sjson.Set(state, "app_state.wasm.params.code_upload_access.addresses", addresses)
+		require.NoError(t, err)
+		return []byte(state)
+	}
+}
diff --git a/tests/system/grant_test.go b/tests/system/grant_test.go
@@ -0,0 +1,115 @@
+//go:build system_test
+
+package system
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tidwall/gjson"
+)
+
+func TestGrantStoreCodePermissionedChain(t *testing.T) {
+	sut.ResetChain(t)
+	cli := NewWasmdCLI(t, sut, verbose)
+
+	// add genesis account with some tokens
+	account1Addr := cli.AddKey("account1")
+
+	// add genesis account with some tokens
+	account2Addr := cli.AddKey("account2")
+
+	sut.ModifyGenesisCLI(t,
+		[]string{"genesis", "add-genesis-account", account1Addr, "100000000stake"},
+	)
+	sut.ModifyGenesisCLI(t,
+		[]string{"genesis", "add-genesis-account", account2Addr, "100000000stake"},
+	)
+
+	//set params
+	sut.ModifyGenesisJSON(t, SetCodeUploadPermission(t, "AnyOfAddresses", []string{account1Addr}))
+	sut.StartChain(t)
+
+	// query params
+	rsp := cli.CustomQuery("q", "wasm", "params")
+	permission := gjson.Get(rsp, "code_upload_access.permission").String()
+	addrRes := gjson.Get(rsp, "code_upload_access.addresses").Array()
+	assert.Equal(t, 1, len(addrRes))
+
+	assert.Equal(t, permission, "AnyOfAddresses")
+	assert.Equal(t, account1Addr, addrRes[0].Str)
+
+	// address1 grant upload permission to address2
+	rsp = cli.CustomCommand("tx", "wasm", "grant-store-code", account2Addr, "*:*", "--from="+account1Addr)
+	RequireTxSuccess(t, rsp)
+
+	// address2 store code fails
-	// address2 store code fails
+	// address2 store code fails as the address is not in the code-upload accept-list
-	// address2 store code fails
+	// address2 store code fails as the address is not in the code-upload accept-list
+	rsp = cli.CustomCommand("tx", "wasm", "store", "./testdata/hackatom.wasm.gzip", "--from="+account2Addr, "--gas=1500000", "--fees=2stake")
+	RequireTxFailure(t, rsp)
+
+	// create tx
-	// create tx
+	// create tx should work for addresses in the accept-list
-	// create tx
+	// create tx should work for addresses in the accept-list
+	args := cli.withTXFlags("tx", "wasm", "store", "./testdata/hackatom.wasm.gzip", "--from="+account1Addr, "--generate-only")
+	tx, ok := cli.run(args)
+	require.True(t, ok)
+
+	pathToTx := filepath.Join(t.TempDir(), "tx.json")
+	err := os.WriteFile(pathToTx, []byte(tx), os.FileMode(0o744))
+	require.NoError(t, err)
+
+	// address2 authz exec  store code should succeed
-	// address2 authz exec  store code should succeed
+	// store code via authz execution uses the given grant and should succeed
-	// address2 authz exec  store code should succeed
+	// store code via authz execution uses the given grant and should succeed
+	rsp = cli.CustomCommand("tx", "authz", "exec", pathToTx, "--from="+account2Addr, "--gas=1500000", "--fees=2stake")
+	RequireTxSuccess(t, rsp)
+}
+
+func TestGrantStoreCode(t *testing.T) {
+	sut.ResetChain(t)
+	cli := NewWasmdCLI(t, sut, verbose)
+
+	// add genesis account with some tokens
+	account1Addr := cli.AddKey("account1")
+
+	// add genesis account with some tokens
+	account2Addr := cli.AddKey("account2")
+
+	sut.ModifyGenesisCLI(t,
+		[]string{"genesis", "add-genesis-account", account1Addr, "100000000stake"},
+	)
+	sut.ModifyGenesisCLI(t,
+		[]string{"genesis", "add-genesis-account", account2Addr, "100000000stake"},
+	)
+
+	sut.StartChain(t)
+
+	// address1 grant upload permission to address2
+	rsp := cli.CustomCommand("tx", "wasm", "grant-store-code", account2Addr, "*:nobody", "--from="+account1Addr)
+	RequireTxSuccess(t, rsp)
+
+	// create tx - permission everybody
+	args := cli.withTXFlags("tx", "wasm", "store", "./testdata/hackatom.wasm.gzip", "--instantiate-everybody=true", "--from="+account1Addr, "--generate-only")
+	tx, ok := cli.run(args)
+	require.True(t, ok)
+
+	pathToTx := filepath.Join(t.TempDir(), "tx.json")
+	err := os.WriteFile(pathToTx, []byte(tx), os.FileMode(0o744))
+	require.NoError(t, err)
+
+	// address2 authz exec fails because instantiate permissions do not match
+	rsp = cli.CustomCommand("tx", "authz", "exec", pathToTx, "--from="+account2Addr, "--gas=1500000", "--fees=2stake")
+	RequireTxFailure(t, rsp)
+
+	// create tx - permission nobody
+	args = cli.withTXFlags("tx", "wasm", "store", "./testdata/hackatom.wasm.gzip", "--instantiate-nobody=true", "--from="+account1Addr, "--generate-only")
+	tx, ok = cli.run(args)
+	require.True(t, ok)
+
+	pathToTx = filepath.Join(t.TempDir(), "tx.json")
+	err = os.WriteFile(pathToTx, []byte(tx), os.FileMode(0o744))
+	require.NoError(t, err)
+
+	// address2 authz exec succeeds
+	rsp = cli.CustomCommand("tx", "authz", "exec", pathToTx, "--from="+account2Addr, "--gas=1500000", "--fees=2stake")
+	RequireTxSuccess(t, rsp)
+}
diff --git a/tests/system/system.go b/tests/system/system.go
@@ -390,7 +390,6 @@ type GenesisMutator func([]byte) []byte
 //		return state
 //	}
 func (s *SystemUnderTest) ModifyGenesisJSON(t *testing.T, mutators ...GenesisMutator) {
-	s.ResetChain(t)
 	s.modifyGenesisJSON(t, mutators...)
 }
 

diff --git a/x/wasm/client/cli/tx.go b/x/wasm/client/cli/tx.go
@@ -560,15 +560,15 @@ $ %s tx grant <grantee_addr> execution <contract_addr> --allow-all-messages --ma
 
 func GrantStoreCodeAuthorizationCmd() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "grant [grantee] store-code [code_hash:permission]",
+		Use:   "grant-store-code [grantee] [code_hash:permission]",
 		Short: "Grant authorization to an address",
 		Long: fmt.Sprintf(`Grant authorization to an address.
 Examples:
-$ %s tx grant <grantee_addr> store-code 13a1fc994cc6d1c81b746ee0c0ff6f90043875e0bf1d9be6b7d779fc978dc2a5:everybody  1wqrtry681b746ee0c0ff6f90043875e0bf1d9be6b7d779fc978dc2a5:nobody --expiration 1667979596
+$ %s tx grant-store-code <grantee_addr> 13a1fc994cc6d1c81b746ee0c0ff6f90043875e0bf1d9be6b7d779fc978dc2a5:everybody  1wqrtry681b746ee0c0ff6f90043875e0bf1d9be6b7d779fc978dc2a5:nobody --expiration 1667979596
 
-$ %s tx grant <grantee_addr> store-code *:%s1l2rsakp388kuv9k8qzq6lrm9taddae7fpx59wm,%s1vx8knpllrj7n963p9ttd80w47kpacrhuts497x
+$ %s tx grant-store-code <grantee_addr> *:%s1l2rsakp388kuv9k8qzq6lrm9taddae7fpx59wm,%s1vx8knpllrj7n963p9ttd80w47kpacrhuts497x
 `, version.AppName, version.AppName, version.AppName, version.AppName),
-		Args: cobra.MinimumNArgs(3),
+		Args: cobra.MinimumNArgs(2),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			clientCtx, err := client.GetClientTxContext(cmd)
 			if err != nil {
@@ -580,11 +580,7 @@ $ %s tx grant <grantee_addr> store-code *:%s1l2rsakp388kuv9k8qzq6lrm9taddae7fpx5
 				return err
 			}
 
-			if args[1] != "store-code" {
-				return fmt.Errorf("%s authorization type not supported", args[1])
-			}
-
-			grants, err := parseStoreCodeGrants(args[2:])
+			grants, err := parseStoreCodeGrants(args[1:])
 			if err != nil {
 				return err
 			}

diff --git a/x/wasm/types/authz.go b/x/wasm/types/authz.go
@@ -51,7 +51,7 @@ func (a *StoreCodeAuthorization) Accept(ctx sdk.Context, msg sdk.Msg) (authztype
 	}
 
 	code := storeMsg.WASMByteCode
-	permission := *storeMsg.InstantiatePermission
+	permission := storeMsg.InstantiatePermission
 
 	if ioutils.IsGzip(code) {
 		gasRegister, ok := GasRegisterFromContext(ctx)
@@ -127,7 +127,7 @@ func (g CodeGrant) ValidateBasic() error {
 }
 
 // Accept checks if checksum and permission match the grant
-func (g CodeGrant) Accept(checksum []byte, permission AccessConfig) bool {
+func (g CodeGrant) Accept(checksum []byte, permission *AccessConfig) bool {
 	if !strings.EqualFold(string(g.CodeHash), CodehashWildcard) && !bytes.EqualFold(g.CodeHash, checksum) {
 		return false
 	}