First version of Authz TLA+

[hvanz]

Closes #1

[ivan-gavran]

I had a high-level look at the model. Let me write preliminary comments as the basis for the synchronous discussion tomorrow.

First thing to say, I am very impressed by how well structured and easy to read it is. It is also extremely modular.
One clarification question wrt to that is:
how does one check for different authorization logics (AuthzSend, AuthzStake...)? I can see that one could create e.g. AuthzSend_MC.[cfg, tla], but this then only allows checking for a single authorization logic (and not mixing between them)

I also notice that the model very much follows the code structure. I can see an advantage being that the developers of the implementation would have an easier time following along the model.
I can also see some disadvantages:

• the model gets fairly complex
• if it faithfully follows the implementation, then we should not expect to see mismatches between the code and the model
  Does this seem right?

Finally, a very high-level question: when you were looking at the existing model, what made you decide to start from scratch?
(Since I was working on the basis of it, this could be a useful feedback in model-writing for me.)

[ivan-gavran]

I just noticed one thing in the Cosmos-SDK codebase: they are also adding the allowList SendAuthorization. This is already merged in main, but is not part of any existing releases (check this PR). Bringing this up here so that we know what to expect when new releases come (I don't think we need to change our model yet).

[ivan-gavran]

It seems that this way of modelling Accept prevents send or stake messages that rely on a generic authorization. Is that true?

[hvanz]

GenericAuthorization accepts any kind of message url, including send or delegate, for instance. The accepted messages are defined in the constant GenericAuthTypes. So one could instantiate this constant with any kind of message (I haven't tried it).

[hvanz]

I just noticed one thing in the Cosmos-SDK codebase: they are also adding the allowList SendAuthorization. This is already merged in main, but is not part of any existing releases (check this PR). Bringing this up here so that we know what to expect when new releases come (I don't think we need to change our model yet).

If it's the same as in the Staking module, it should be easy to change. Good to know anyway.

[hvanz]

I added to SendAuthorization an allowList field, which is implemented in cosmos-sdk since version 0.47.

[andrey-kuprianov]

The model is great! Very well structured, and logical. I have made some comments about potential improvements for using the model for test case generation, but those can be addressed separately later.

[andrey-kuprianov]

My feeling is that the way RequestGrant and other top-level operators from Next are too restrictive for testing purposes. In particular, we want to be able to test inputs where:

• granter is the same as grantee
• there is already a grant given, and it's not expired

So, in short, we should treat the inputs maximally non-deterministically, and ensure that the implementation fails for incorrect combinations of input parameters.

[andrey-kuprianov]

Same as RequestGrant above

[andrey-kuprianov]

Type AUTH is defined in each of Generic/Send/Stake Autohrization separately; and then it is used in Grants here. It is unclear which AUTH is used; in fact Apalache's type checker should have complained about having multiple type aliases with the same name