sol-cerberus-macros

Crates.io: sol-cerberus-macros
lib.rs: sol-cerberus-macros
version: 0.1.10
source: src
created_at: 2023-02-24 09:13:03.981225
updated_at: 2023-10-14 06:00:13.424383
description: Rust macros to facilitate the integration of Sol Cerberus (RBAC) to Solana Anchor programs
homepage: https://solcerberus.com/
repository: https://github.com/AnderUstarroz/sol-cerberus
max_upload_size:
id: 793426
size: 25,800
Ander (AnderUstarroz)

documentation

https://solcerberus.com/docs

README

Sol Cerberus

The new authority

sol-cerberus-macros

A collection of useful Anchor macros that abstract away the complexity of Sol Cerberus RBAC, integrating a full access control system into your program with just a few lines of code.

Installation

To install the latest version, add sol-cerberus-macros to the dependencies of your Cargo.toml file:

[dependencies]
sol-cerberus-macros  = "*"

#[rule(Resource, Permission)] macro

The #[rule] macro annotates Anchor instructions and checks whether the user running the instruction is allowed to access the defined Resource and Permission. For instance, the following rule allows access only to roles that are allowed to access the Resource Homepage and the Permission Write:

declare_id!("AjO97SU3FWq652tMMzNSbmPMeM4jtKDP3nLJp9APctFA");

const SOL_CERBERUS_APP_ID: Pubkey = pubkey!("9R5QMs9rEJ6BMvSF84yw91qnRBXKEBJbeQnZVX84C3");

#[program]
pub mod my_program {
    use super::*;

    #[rule(Homepage, Write)]
    pub fn my_instruction(_ctx: Context<MyContext>) -> Result<()> {
        Ok(())
    }
}

A user who tries to run this instruction without the permissions above gets an Unauthorized error.

#[sol_cerberus_accounts] macro

The #[sol_cerberus_accounts] macro annotates Anchor accounts structs, adding all the accounts needed to perform the permission check. A full working example using the #[rule] and #[sol_cerberus_accounts] macros looks like this:

declare_id!("AjO97SU3FWq652tMMzNSbmPMeM4jtKDP3nLJp9APctFA");

pub const SOL_CERBERUS_APP_ID: &'static str = "9R5QMs9rEJ6BMvSF84yw91qnRBXKEBJbeQnZVX84C3";

#[program]
pub mod my_program {
    use super::*;

    #[rule(Homepage, Write)]
    pub fn my_instruction(_ctx: Context<MyContext>) -> Result<()> {
        Ok(())
    }
}

#[sol_cerberus_accounts]
#[derive(Accounts)]
pub struct MyContext<'info> {
    #[account(mut)]
    pub signer: Signer<'info>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_app: UncheckedAccount<'info>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_rule: Option<UncheckedAccount<'info>>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_role: Option<UncheckedAccount<'info>>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_token: Option<UncheckedAccount<'info>>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_metadata: Option<UncheckedAccount<'info>>,
    #[account(mut)]
    pub sol_cerberus_seed: Option<UncheckedAccount<'info>>,
    pub sol_cerberus: Program<'info, SolCerberus>,
    pub system_program: Program<'info, System>,
}

These are the accounts required by Sol Cerberus to verify user access. Hopefully, future versions of Anchor will make it unnecessary to add all those UncheckedAccounts by hand, because #[sol_cerberus_accounts] already adds all of them automatically. For now, Anchor requires the accounts to be defined explicitly in order to build the IDL.

Commit count: 24
