8 releases
| Version | Released |
|---|---|
| 0.1.10 | Oct 14, 2023 |
| 0.1.9 | Sep 28, 2023 |
| 0.1.8 | Jul 23, 2023 |
| 0.1.7 | Jun 28, 2023 |
| 0.1.1 | Feb 27, 2023 |
#725 in Authentication
64 downloads per month
Used in sol-cerberus
19KB
265 lines
sol-cerberus-macros
A collection of useful Anchor macros that abstract away the complexity of Sol Cerberus RBAC, integrating a full access control system into your program with just a few lines of code.
Installation
To install the latest version, add sol-cerberus-macros to the dependencies of your Cargo.toml file:

```toml
[dependencies]
sol-cerberus-macros = "*"
```
#[rule (Resource, Permission)] macro
The #[rule] macro annotates Anchor instructions. It checks whether the user running the instruction is allowed to access the defined Resource and Permission. For instance, the following rule macro example allows access only to the roles which are allowed to access the Resource Homepage and the Permission Write:
```rust
declare_id!("AjO97SU3FWq652tMMzNSbmPMeM4jtKDP3nLJp9APctFA");
const SOL_CERBERUS_APP_ID: Pubkey = pubkey!("9R5QMs9rEJ6BMvSF84yw91qnRBXKEBJbeQnZVX84C3");

#[program]
pub mod my_program {
    use super::*;

    #[rule(Homepage, Write)]
    pub fn my_instruction(_ctx: Context<MyContext>) -> Result<()> {
        Ok(())
    }
}
```
If a user tries to run this instruction without having the mentioned permissions, they will get an Unauthorized error.
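An added example, not code from the sol-cerberus-macros project: a plain-Rust, off-chain model of the behaviour described above for #[rule(Homepage, Write)], showing that the check runs before the instruction body and denies by default. The App type, the rule! stand-in written with macro_rules, the role names and the writes counter are all assumptions made for illustration.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum AccessError {
    Unauthorized,
}

/// Off-chain model (assumption): each rule grants one role a permission on a resource.
#[derive(Default)]
pub struct App {
    rules: HashSet<(String, String, String)>, // (role, resource, permission)
}

impl App {
    pub fn grant(&mut self, role: &str, resource: &str, permission: &str) {
        self.rules.insert((role.into(), resource.into(), permission.into()));
    }

    /// Deny by default: succeed only if one of the caller's roles has an exact rule.
    pub fn check(&self, roles: &[&str], resource: &str, permission: &str) -> Result<(), AccessError> {
        let hit = roles.iter().any(|role| {
            self.rules.contains(&(role.to_string(), resource.to_string(), permission.to_string()))
        });
        if hit { Ok(()) } else { Err(AccessError::Unauthorized) }
    }
}

/// Hypothetical stand-in for `#[rule(Resource, Permission)]`: guard first, then the body.
macro_rules! rule {
    ($app:expr, $roles:expr, $resource:ident, $permission:ident, $body:block) => {{
        $app.check($roles, stringify!($resource), stringify!($permission))?;
        $body
    }};
}

/// Modelled instruction: `writes` stands for state the handler would change.
pub fn my_instruction(app: &App, roles: &[&str], writes: &mut u32) -> Result<(), AccessError> {
    rule!(app, roles, Homepage, Write, {
        *writes += 1; // reached only when the guard above returned Ok
        Ok(())
    })
}

fn main() {
    let mut app = App::default();
    app.grant("Editor", "Homepage", "Write"); // constructed sample rule
    let mut writes = 0;
    println!("{:?}", my_instruction(&app, &["Editor"], &mut writes));
    println!("{:?}", my_instruction(&app, &["Viewer"], &mut writes));
}
```

Because the guard returns early with `?`, a denied call leaves the modelled state untouched.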
#[sol_cerberus_accounts] macro
The #[sol_cerberus_accounts] macro annotates Anchor accounts, adding all the necessary accounts to perform the permission check. A full working example using the #[rule] and #[sol_cerberus_accounts] macros would look like this:
```rust
use anchor_lang::prelude::*;
use sol_cerberus_macros::{rule, sol_cerberus_accounts};
// SolCerberus, used below, is the Sol Cerberus program type and must also be in scope.

declare_id!("AjO97SU3FWq652tMMzNSbmPMeM4jtKDP3nLJp9APctFA");
pub const SOL_CERBERUS_APP_ID: &'static str = "9R5QMs9rEJ6BMvSF84yw91qnRBXKEBJbeQnZVX84C3";

#[program]
pub mod my_program {
    use super::*;

    // Only roles allowed the Write permission on the Homepage resource may run this.
    #[rule(Homepage, Write)]
    pub fn my_instruction(_ctx: Context<MyContext>) -> Result<()> {
        Ok(())
    }
}

#[sol_cerberus_accounts]
#[derive(Accounts)]
pub struct MyContext<'info> {
    #[account(mut)]
    pub signer: Signer<'info>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_app: UncheckedAccount<'info>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_rule: Option<UncheckedAccount<'info>>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_role: Option<UncheckedAccount<'info>>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_token: Option<UncheckedAccount<'info>>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_metadata: Option<UncheckedAccount<'info>>,
    /// CHECK: Validated on CPI call
    #[account(mut)]
    pub sol_cerberus_seed: Option<UncheckedAccount<'info>>,
    pub sol_cerberus: Program<'info, SolCerberus>,
    pub system_program: Program<'info, System>,
}
```
These are the accounts required by Sol Cerberus to verify user access. Hopefully, in future versions of Anchor, adding all those UncheckedAccounts will not be necessary, because #[sol_cerberus_accounts] automatically adds all of them. But Anchor currently requires the accounts to be explicitly defined in order to build the IDL.
Dependencies
~240–690KB
~16K SLoC