
Adding Advanced Authz message filters #2268


Draft: wants to merge 6 commits into main

Conversation

Kayanski

This PR aims at adding advanced authz message filtering based on the JMESPath syntax.

Introduction

Today Authz filtering on messages only has 3 filters:

  • Filter Allowed Contract Key: AcceptedMessageKeysFilter
  • Filter Exact Raw Messages: AcceptedMessagesFilter
  • Allow Everything: AllowAllMessagesFilter

We propose to add a fourth type called JMESPathFilter:

JMESPathFilter{
   filters: string[]
}

This filter is able to include any condition in the filtering process. For instance, the following filter will match with {"msg":{"foo":"bar"}} but not with {"msg":{"foo":"not-bar"}}:

msg.foo==`"bar"`

This allows for deeper message matching that is central to a better and more secure Authz experience, both for developers and end-users.

Core logic addition

Here's how the matching works:

  1. The filter is detected and the message is unmarshaled once.
  2. Each filter is applied to the unmarshaled message map.
  3. A filter applied on a message should result in a boolean value. If a non-boolean value is returned OR false is returned, the match fails and the whole authorization is denied.
  4. If the boolean value is true, the match passes and the next filter is considered.

Why JMESPath

After experimenting with multiple matching logic engines for JSON (JQ, JSONPath, JMESPath), we decided to go ahead with JMESPath for the following reasons:

  • You can write expressive, human-readable expressions like: escrow_nft.token_id == '1654' && escrow_nft.offered_amount == "uatom"
  • It offers broad matching that allows any use-case without needing to update the chain binaries every time a new use-case appears.
  • It allows matching out of the box and doesn't force us to re-create operator, value and comparison logic.
  • It's already broadly used in the wider ecosystem.

New Dependencies

We add the direct github.com/jmespath/go-jmespath dependency that resolves JMESPath matching.

NOTES:

  • Related Issue: Collect advanced authz use cases #1090
  • Because the JMESPath library works with unmarshalled JSON, there might be risks of non-deterministic interactions. We need to make sure these are non-issues before moving forward with this PR. This is namely why we don't propagate the JMESPath error to Cosmos SDK errors.


codecov bot commented May 22, 2025

Codecov Report

Attention: Patch coverage is 30.76923% with 27 lines in your changes missing coverage. Please review.

Project coverage is 44.67%. Comparing base (6420468) to head (6add298).
Report is 5 commits behind head on main.

Files with missing lines        Patch %   Lines
x/wasm/types/authz.go             0.00%   22 Missing ⚠️
x/wasm/types/jq_matching.go      73.33%   2 Missing and 2 partials ⚠️
x/wasm/types/codec.go            50.00%   1 Missing ⚠️

@@            Coverage Diff             @@
##             main    #2268      +/-   ##
==========================================
- Coverage   44.72%   44.67%   -0.05%     
==========================================
  Files          79       80       +1     
  Lines       11046    11085      +39     
==========================================
+ Hits         4940     4952      +12     
- Misses       5668     5693      +25     
- Partials      438      440       +2     
Files with missing lines        Coverage Δ
x/wasm/types/codec.go            58.65% <50.00%> (-0.17%) ⬇️
x/wasm/types/jq_matching.go      73.33% <73.33%> (ø)
x/wasm/types/authz.go            76.40% <0.00%> (-5.31%) ⬇️
