#sol #solana #acl #macro #anchor #rbac #programs

macro sol-cerberus-macros

Rust macros to facilitate the integration of Sol Cerberus (RBAC) to Solana Anchor programs

8 releases

0.1.10 Oct 14, 2023
0.1.9 Sep 28, 2023
0.1.8 Jul 23, 2023
0.1.7 Jun 28, 2023
0.1.1 Feb 27, 2023

#725 in Authentication


64 downloads per month
Used in sol-cerberus

GPL-3.0-or-later

19KB
265 lines

Sol Cerberus

The new authority


sol-cerberus-macros

Collection of useful Anchor macros that abstract away the complexity of Sol Cerberus RBAC, integrating a full access control system into your program with just a few lines of code.

Installation

To install the latest version, add sol-cerberus-macros into the dependencies of your Cargo.toml file:

[dependencies]
sol-cerberus-macros = "*"

#[rule(Resource, Permission)] macro

The #[rule] macro annotates Anchor instructions and checks whether the user running the instruction is allowed to access the given Resource and Permission. For instance, the following example allows access only to roles that are allowed to access the Resource Homepage and the Permission Write:

declare_id!("AjO97SU3FWq652tMMzNSbmPMeM4jtKDP3nLJp9APctFA");

const SOL_CERBERUS_APP_ID: Pubkey = pubkey!("9R5QMs9rEJ6BMvSF84yw91qnRBXKEBJbeQnZVX84C3");

#[program]
pub mod my_program {
    use super::*;

    #[rule(Homepage, Write)]
    pub fn my_instruction(_ctx: Context<MyContext>) -> Result<()> {
        Ok(())
    }
}

If a user tries to run this instruction without the mentioned permissions, they will get an Unauthorized error.
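The check applies to each instruction that carries the annotation, so a review step can list the instructions in the #[program] module that have no #[rule(...)]. The following is an added example, not code from sol-cerberus-macros: a line-based heuristic in plain Rust, where the `admin_reset` instruction in the sample is hypothetical.

```rust
// Constructed sample: the README's program module plus a hypothetical
// instruction `admin_reset` that has no #[rule] attribute.
const SAMPLE: &str = r#"
#[program]
pub mod my_program {
    use super::*;
    #[rule(Homepage, Write)]
    pub fn my_instruction(_ctx: Context<MyContext>) -> Result<()> {
        Ok(())
    }
    pub fn admin_reset(_ctx: Context<MyContext>) -> Result<()> {
        Ok(())
    }
}
"#;

/// Names of `pub fn` items directly inside the `#[program]` module that are
/// not preceded by `#[rule(...)]`. Line-based heuristic, not a Rust parser:
/// it assumes one attribute or signature per line, as in the README.
pub fn unguarded_instructions(src: &str) -> Vec<String> {
    let (mut in_program, mut depth, mut guarded) = (false, 0i32, false);
    let mut found = Vec::new();
    // Comment lines (including `///` docs) are skipped so they do not reset a pending rule.
    for t in src.lines().map(str::trim).filter(|t| !t.starts_with("//")) {
        if !in_program {
            in_program = t.starts_with("#[program]");
            continue;
        }
        if depth == 1 {
            if t.starts_with("#[rule(") {
                guarded = true;
            } else if let Some(rest) = t.strip_prefix("pub fn ") {
                if !guarded {
                    found.push(rest.chars().take_while(|c| c.is_alphanumeric() || *c == '_').collect());
                }
                guarded = false;
            } else if !t.is_empty() && !t.starts_with("#[") {
                guarded = false; // unrelated item: a pending rule does not carry over
            }
        }
        depth += t.matches('{').count() as i32 - t.matches('}').count() as i32;
        // Brace depth back at zero means the program module has closed.
        if depth == 0 && t.contains('}') { in_program = false; }
    }
    found
}

fn main() {
    println!("instructions without #[rule]: {:?}", unguarded_instructions(SAMPLE));
}
```

Braces inside string literals or multi-line signatures will confuse the brace counting, so treat the output as a prompt for manual review.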

#[sol_cerberus_accounts] macro

The #[sol_cerberus_accounts] macro annotates Anchor accounts, adding all the accounts necessary to perform the permission check. A full working example using the #[rule] and #[sol_cerberus_accounts] macros would look like this:

declare_id!("AjO97SU3FWq652tMMzNSbmPMeM4jtKDP3nLJp9APctFA");

pub const SOL_CERBERUS_APP_ID: &'static str = "9R5QMs9rEJ6BMvSF84yw91qnRBXKEBJbeQnZVX84C3";

#[program]
pub mod my_program {
    use super::*;

    #[rule(Homepage, Write)]
    pub fn my_instruction(_ctx: Context<MyContext>) -> Result<()> {
        Ok(())
    }
}

#[sol_cerberus_accounts]
#[derive(Accounts)]
pub struct MyContext<'info> {
    #[account(mut)]
    pub signer: Signer<'info>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_app: UncheckedAccount<'info>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_rule: Option<UncheckedAccount<'info>>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_role: Option<UncheckedAccount<'info>>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_token: Option<UncheckedAccount<'info>>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_metadata: Option<UncheckedAccount<'info>>,
    #[account(mut)]
    pub sol_cerberus_seed: Option<UncheckedAccount<'info>>,
    pub sol_cerberus: Program<'info, SolCerberus>,
    pub system_program: Program<'info, System>,
}

These are the accounts required by Sol Cerberus to verify user access. The #[sol_cerberus_accounts] macro automatically adds all of them, so hopefully future versions of Anchor will make it unnecessary to declare all those UncheckedAccounts by hand. For now, Anchor requires the accounts to be explicitly defined in order to build the IDL.

Dependencies

~240–690KB
~16K SLoC