feat!: recognize and activate accounts

[s8sato]

BREAKING_CHANGE:

• Account contains is_active field
• AccountEvent::Created divides into Recognized and Activated
• ValidationFail contains UnrecognizedAuthority and InactiveAuthority variants

Description

When an account is recognized,

• it becomes able to hold assets, permissions, roles, and metadata
• it cannot yet execute any queries or transactions

When an account is activated,

• it becomes able to execute queries and transactions

Recognize and activate an account when targeted as:

• Register<Account> object

Recognize an account when targeted as:

• Register<Asset> object.account
• Mint<Numeric, Asset> destination.account
• Transfer<Account, DomainId, Account> destination See comment
• Transfer<Account, AssetDefinitionId, Account> destination
• Transfer<Asset, Numeric, Account> destination
• Transfer<Asset, Metadata, Account> destination
• SetKeyValue<Account> object
• SetKeyValue<Asset> object.account
• Grant<Permission, Account> destination
• Grant<Role, Account> destination

Let me call these creative instructions in documentation

Linked issue

• closes Target accounts before registration #4426

Benefits

• who targets an account does not need to care if it has been registered or not
• depending on use case, accounts can be registered implicitly/automatically or explicitly/manually

Checklist

• I've read CONTRIBUTING.md
• I've used the standard signed-off commit format (or will squash just before merging)
• All applicable CI checks pass (or I promised to make them pass later)
• (optional) I've written unit tests for the code changes
• I replied to all comments after code review, marking all implemented changes with thumbs up

[s8sato]

• unit tests for all patterns of account recognition

[s8sato]

This public scenario describes the main goal of this PR

[s8sato]

The trigger authority is tentatively set to alice, but once the account ID is expanded to off-curve multihash, this should be a system (non-personal) authority

[nxsaken]

Is there an issue for it?

[s8sato]

I don't think it has been broken down into issues yet.
If we want to support use cases where a trigger needs different permission than the registrant account (e.g. swap between two accounts, #1212), the trigger should reference its own account (or should be identified as an account).
The ideas of system level triggers and technical accounts were suggested in as early as Triggers ADR.
Similar concepts include Contract Address and Program Derived Addresses

[s8sato]

I found my first comment off topic. In this use case the trigger manages domain membership, so alice (domain owner) would be an appropriate authority

[s8sato]

• created identify trigger as an account? #4670

[s8sato]

For private scenarios, the aim is no impact on membership and privacy while relaxing restrictions on the order of registering and targeting accounts

[s8sato]

The idea is to realize public/private characteristics not by different executors, but by different account activators (trigger/administrator). In this way, each domain can have different activation policies under the common executor

[s8sato]

It may be dangerous to recognize an account when targeted as Transfer<Account, DomainId, Account> destination. The risk is that the previous owner can no longer activate the current owner who cannot yet take any action by oneself

[s8sato]

This PR keeps the nested structure of IDs as it is focused on feat. My another commit eliminated dependency between entity IDs and the event hierarchy, so hopefully entities can be placed in storages directly under the world. However, I'd leave it to another perf. PR with proper benchmarking and profiling

[Erigara]

I agree, let's stay focused

[nxsaken]

This frequent pattern of creating a new account and immediately activating it is asking for an Account::new_active / Account::activated constructor (marked with #[cfg(test)] probably).

[mversic]

yes, this is not something that client should be able to call. I think having a separate activate method is perfectly fine, but you should mark it with transparent_api

[s8sato]

This pattern only appears in core unit tests, so I provided a utility in its tests module

[mversic]

this should be verified before calling executor

[mversic]

this way it seems like it's optional. Was that intended?

[s8sato]

Could you paraphrase, what seems like optional?

[mversic]

yes, this is not something that client should be able to call. I think having a separate activate method is perfectly fine, but you should mark it with transparent_api

[mversic]

I don't think this event useful for the end user? seems more like an internal thing - iroha has started tracking this account in memory

[s8sato]

The design required emitting this data event to trigger the activator

[mversic]

this part is now weird because NewAccount can carry more information (like some metadata) that you just disregard

[mversic]

This is not how I would implement it. I would rather just control the access through executor as follows:

1. By default all instructions that target accounts are allowed:

• this covers public use
• requires no executor (public case shouldn't require executor)

2. Custom executor rejects instructions that target accounts that have not yet been registered:

• this covers private use
• should be part of our default executor

I also believe this approach reduces the implementation complexity.

I don't think there is any need to support inactive accounts in private blockchains. In private blockchains accounts first have to get registered then they can be used. The is_active limbo doesn't bring anything for private case

[s8sato]

As I understand it, according to @mversic your suggestion, the process when an account is targeted is as follows:

• public use
  • the target is immediately registered no matter what domain the target belongs to
    • may be reasonable, since the domain boundaries may not make sense in public chains
• private use
  • as before, only registered accounts can be valid targets

This means that no intermediate state is needed for account registration. If so, let's remove is_active flag and forget about recognize/activate terms.

Now, there are two possible approaches in terms of granularity of the account auto-registration policy:

1. core processes back to executor for auto-registering the target
   • executor is responsible for registering targeted accounts
     • returns uniform results regardless of authority of the instruction
   • chain level public/private characterization
   • needs a flag to indicate if Register<Account> is called back from core for auto-registration
2. each domain has a flag, and core determines whether to auto-register the target from its domain, without processing back to executor
   • core is responsible for registering targeted accounts
   • domain level public/private characterization
   • how should the flag be modified, if it should be?

Dealing with the concept of domains and public/private uses at the same time is new to me, and I seek further input

[mversic]

• the target is immediately registered no matter what domain the target belongs to

wasn't that how you implemented, or was there something different?

as before, only registered accounts can be valid targets

yes

This means that no intermediate state is needed for account registration. If so, let's remove is_active flag and forget about recognize/activate terms.

yes

[mversic]

1. core processes back to executor for auto-registering the target

can't executor make sure account is registered before calling isi.execute(), i.e. handing over execution to the core

[Erigara]

I don't think there is any need to support inactive accounts in private blockchains.

What about offline transactions? do you think they are required only in public case?

Is full registration even possible automatically?

I mean that executor/trigger might have not enough data to perform registration (i.e. metadata)

[Erigara]

Requirement for auto registration emerge from our implementation details (account structs holds assets).

Shouldn't we reconsider this?

In this case we would allow isi where target account is not registered yet and if required we can prohibit this isi by checking if account is registered in the executor.

[s8sato]

The feature might require the separate and relational entities after all.
As I understand it, an example where a new account "carol" comes to exercise its authority in public use is as follows:

1. the world has separate assets and accounts maps

   - world:
     - numeric_assets:
       - rose:
         - alice: 13
     - accounts:
       - alice:
         - metadata:

2. (public use) alice transfers 3 roses to carol, who is not registered yet

   - world:
     - numeric_assets:
       - rose:
         - alice: 10
         - carol:  3 # appeared
     - accounts: # not checked when carol is targeted
       - alice:
         - metadata:

3. (public use) carol registers herself

   - world:
     - numeric_assets:
       - rose:
         - alice: 10
         - carol:  3
     - accounts:
       - alice:
         - metadata:
       - carol: # registered
         - metadata:

4. carol successfully transfers 2 roses to alice

   - world:
     - numeric_assets:
       - rose:
         - alice: 12
         - carol:  1
     - accounts: # checked when carol is authority
       - alice:
         - metadata:
       - carol:
         - metadata:

I'll extend this idea to other ISIs and other entity maps and consider consistency.
For example, I can immediately see that SetKeyValue<Account> would be invalid before account registration

[mversic]

What about offline transactions? do you think they are required only in public case?

IMHO yes, but that should be confirmed. In private use-case it's expected users are registered before becoming entities in the network

[s8sato]

So the idea is to deliberately introduce an inconsistency, the absence of a primary entity in ACCOUNTS in this diagram while other storages referencing it, and thereby represent a pre-registration state of the account. I'll convert this PR to draft (and maybe close it) and resume after #4792

[s8sato]

Closed as the issue should be addressed by a different approach such as #4668 (comment)