
serviceability: authorize link instructions via Permission accounts#3981

Open
juan-malbeclabs wants to merge 2 commits into main from perm-links

Conversation


@juan-malbeclabs juan-malbeclabs commented Jul 5, 2026

Contributor

Summary

Gate Link instructions on NETWORK_ADMIN (and HEALTH_ORACLE for sethealth) via authorize(), preserving the contributor-owner path:

  • create, update, delete, suspend, resume, accept, sethealth

Owner-or-admin handlers become owner OR authorize(NETWORK_ADMIN); accept (previously owner-only) gains a NETWORK_ADMIN bypass; sethealth composes HEALTH_ORACLE | NETWORK_ADMIN. delete and update are variable-length (topology union parsed off the tail) and use split_trailing_permission so the trailing Permission PDA is disambiguated by PDA match. Internal foundation-only sub-gates (per-link contributor binding, tunnel-field / topology / unicast_drained edits) are extended to NETWORK_ADMIN holders.

Behavior preserved via the legacy fallback while RequirePermissionAccounts is off. One PR per domain; see PERMISSION.md.

Testing Verification

  • Link WAN / onchain-allocation / bandwidth-validation integration suites and SDK command tests pass.
  • cargo test -p doublezero-serviceability, cargo test -p doublezero_sdk, make rust-lint pass.

Permission migration series

One of 8 per-domain PRs migrating serviceability instructions to the Permission (authorize()) system. The branches partition the change set with no overlap and can be reviewed and merged independently (only the CHANGELOG entry conflicts trivially).

| PR | Domain | Flag(s) |
|---|---|---|
| #3977 | Governance (globalstate/globalconfig/allowlists) | GLOBALSTATE_ADMIN |
| #3978 | Contributor | CONTRIBUTOR_ADMIN |
| #3979 | Infra (location/exchange) | INFRA_ADMIN |
| #3980 | Devices + interfaces | NETWORK_ADMIN, HEALTH_ORACLE |
| #3981 | Links | NETWORK_ADMIN, HEALTH_ORACLE (this PR) |
| #3982 | Multicast | MULTICAST_ADMIN, ACCESS_PASS_ADMIN |
| #3983 | Tenant | TENANT_ADMIN |
| #3984 | User (update / check_access_pass / check_status) | USER_ADMIN, ACTIVATOR |

Migrate Link create/update/delete/suspend/resume/accept/sethealth to
authorize(). Owner-or-privileged handlers accept the contributor owner OR
NETWORK_ADMIN (foundation legacy); accept gains a NETWORK_ADMIN bypass;
sethealth accepts HEALTH_ORACLE|NETWORK_ADMIN. delete/update use
split_trailing_permission to peel payer/system/permission off the tail past
the variable topology union. Internal foundation sub-gates extended to
NETWORK_ADMIN (is_privileged). Behavior preserved via the legacy fallback.
