Adding Advanced Authz message filters

docs/proto/proto-docs.md

@@ -26,6 +26,7 @@
     - [ContractExecutionAuthorization](#cosmwasm.wasm.v1.ContractExecutionAuthorization)
     - [ContractGrant](#cosmwasm.wasm.v1.ContractGrant)
     - [ContractMigrationAuthorization](#cosmwasm.wasm.v1.ContractMigrationAuthorization)
+    - [JMESPathFilter](#cosmwasm.wasm.v1.JMESPathFilter)
     - [MaxCallsLimit](#cosmwasm.wasm.v1.MaxCallsLimit)
     - [MaxFundsLimit](#cosmwasm.wasm.v1.MaxFundsLimit)
     - [StoreCodeAuthorization](#cosmwasm.wasm.v1.StoreCodeAuthorization)
@@ -450,6 +451,22 @@ migration. Since: wasmd 0.30
 
 
 
+<a name="cosmwasm.wasm.v1.JMESPathFilter"></a>
+
+### JMESPathFilter
+JMESPathFilter accepts only payload messages which pass the JMESPath filter
+tests. Since: wasmd 0.30 TODO(PR)
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| `filters` | [string](#string) | repeated | Messages is the list of raw contract messages |
+
+
+
+
+
+
 <a name="cosmwasm.wasm.v1.MaxCallsLimit"></a>
 
 ### MaxCallsLimit

go.mod

@@ -47,6 +47,7 @@ require (
 	github.com/cosmos/cosmos-db v1.1.1
 	github.com/cosmos/ibc-go/v10 v10.1.0
 	github.com/distribution/reference v0.5.0
+	github.com/jmespath/go-jmespath v0.4.0
 	github.com/rs/zerolog v1.33.0
 	github.com/spf13/viper v1.19.0
 	golang.org/x/sync v0.12.0
@@ -147,7 +148,6 @@ require (
 	github.com/iancoleman/strcase v0.3.0 // indirect
 	github.com/improbable-eng/grpc-web v0.15.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jmhodges/levigo v1.0.0 // indirect
 	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/klauspost/cpuid/v2 v2.0.9 // indirect

proto/cosmwasm/wasm/v1/authz.proto

@@ -159,3 +159,14 @@ message AcceptedMessagesFilter {
     (amino.encoding) = "inline_json"
   ];
 }
+
+// JMESPathFilter accepts only payload messages which pass the JMESPath filter
+// tests. Since: wasmd 0.30 TODO(PR)
+message JMESPathFilter {
+  option (amino.name) = "wasm/JMESPathFilter";
+  option (cosmos_proto.implements_interface) =
+      "cosmwasm.wasm.v1.ContractAuthzFilterX";
+
+  // Messages is the list of raw contract messages
+  repeated string filters = 1;
+}

x/wasm/types/authz.go

@@ -528,6 +528,46 @@
 	return nil
 }
 
+// NewJMESPathFilter constructor
+func NewJMESPathFilter(filters ...string) *JMESPathFilter {
+	return &JMESPathFilter{Filters: filters}
+}
+
+// Accept only payload messages which pass the JMESPath conditions.
+func (f *JMESPathFilter) Accept(ctx sdk.Context, msg RawContractMessage) (bool, error) {
+	// Unmarshal once
+	gasForDeserialization := gasDeserializationCostPerByte * uint64(len(msg))
+	ctx.GasMeter().ConsumeGas(gasForDeserialization, "contract authorization")
+
+	value, err := MatchJMESPaths(msg, f.Filters)
+	if err != nil {
+		return false, sdkerrors.ErrUnauthorized.Wrapf("not an allowed msg: %s", err.Error())
+	}
+	if !value {
+		return false, ErrInvalid.Wrapf("JMESPath filters `%s` applied on %s returned a false value", f.Filters, msg)
+	}
+
+	return true, nil
+}
+
+// ValidateBasic validates the filter
+func (f JMESPathFilter) ValidateBasic() error {
+	if len(f.Filters) == 0 {
+		return ErrEmpty.Wrap("filter")
+	}
+	idx := make(map[string]struct{}, len(f.Filters))
+	for _, m := range f.Filters {
+		if m == "" {
+			return ErrEmpty.Wrap("key")
+		}
+		if _, exists := idx[m]; exists {
+			return ErrDuplicate.Wrapf("key %q", m)
+		}
+		idx[m] = struct{}{}
+	}
+	return nil
+}
+
 var (
 	_ ContractAuthzLimitX = &UndefinedLimit{}
 	_ ContractAuthzLimitX = &MaxCallsLimit{}