diff --git a/crates/sui-source-validation-service/tests/tests.rs b/crates/sui-source-validation-service/tests/tests.rs index d7fd55e2b3540..644fe1ed2657d 100644 --- a/crates/sui-source-validation-service/tests/tests.rs +++ b/crates/sui-source-validation-service/tests/tests.rs @@ -181,6 +181,7 @@ async fn run_publish( package_path: package_path.clone(), build_config, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), } @@ -208,6 +209,7 @@ async fn run_upgrade( upgrade_capability: cap.reference.object_id, build_config, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), verify_compatibility: true, diff --git a/crates/sui/src/client_commands.rs b/crates/sui/src/client_commands.rs index e9ffae1ffbed3..6f5893c3dd0fc 100644 --- a/crates/sui/src/client_commands.rs +++ b/crates/sui/src/client_commands.rs @@ -360,11 +360,16 @@ pub enum SuiClientCommands { #[clap(flatten)] opts: OptsWithGas, - /// Publish the package without checking whether compiling dependencies from source results - /// in bytecode matching the dependencies found on-chain. + /// Publish the package without checking whether dependency source code compiles to the + /// on-chain bytecode #[clap(long)] skip_dependency_verification: bool, + /// Check that the dependency source code compiles to the on-chain bytecode before + /// publishing the package (currently the default behavior) + #[clap(long, conflicts_with = "skip_dependency_verification")] + verify_deps: bool, + /// Also publish transitive dependencies that have not already been published. #[clap(long)] with_unpublished_dependencies: bool, 
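Review bot: The doc comments for `skip_dependency_verification` in the publish hunk (`@@ -360`) and the upgrade hunk (`@@ -465`) say what is skipped but not what the check protects against, which matters more now that the default is announced to change. These comments become the `--help` text, so I would add a sentence such as `/// Without this check the package can be built against dependency source that differs from the bytecode deployed on-chain.` The failure message in the new no_flags snapshot already explains this consequence, and the flag help should carry it too. Both hunks sit inside `pub enum SuiClientCommands`, which starts and ends outside them.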
@@ -465,11 +470,16 @@ pub enum SuiClientCommands { #[clap(long)] verify_compatibility: bool, - /// Publish the package without checking whether compiling dependencies from source results - /// in bytecode matching the dependencies found on-chain. + /// Upgrade the package without checking whether dependency source code compiles to the on-chain + /// bytecode #[clap(long)] skip_dependency_verification: bool, + /// Check that the dependency source code compiles to the on-chain bytecode before + /// upgrading the package (currently the default behavior) + #[clap(long, conflicts_with = "skip_dependency_verification")] + verify_deps: bool, + /// Also publish transitive dependencies that have not already been published. #[clap(long)] with_unpublished_dependencies: bool, @@ -872,6 +882,7 @@ impl SuiClientCommands { upgrade_capability, build_config, skip_dependency_verification, + verify_deps, verify_compatibility, with_unpublished_dependencies, opts, @@ -897,7 +908,6 @@ impl SuiClientCommands { ); check_protocol_version_and_warn(&client).await?; - let package_path = package_path .canonicalize() @@ -920,13 +930,16 @@ impl SuiClientCommands { .get_active_env() .map(|e| e.alias.clone()) .ok(); + let verify = + check_dep_verification_flags(skip_dependency_verification, verify_deps)?; + let upgrade_result = upgrade_package( client.read_api(), build_config.clone(), &package_path, upgrade_capability, with_unpublished_dependencies, - skip_dependency_verification, + !verify, env_alias, ) .await; @@ -1001,6 +1014,7 @@ impl SuiClientCommands { package_path, build_config, skip_dependency_verification, + verify_deps, with_unpublished_dependencies, opts, } => { @@ -1025,7 +1039,6 @@ impl SuiClientCommands { let chain_id = client.read_api().get_chain_identifier().await.ok(); check_protocol_version_and_warn(&client).await?; - let package_path = package_path .canonicalize() 
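Review bot: In the upgrade arm (`@@ -920`) the result is bound as `verify` and then passed as `!verify` in a positional bool slot that previously received `skip_dependency_verification`, so the reader has to invert the meaning at the call site. The publish arm (`@@ -1043`) does the same for `compile_package`. Binding the value in the callee's polarity leaves the call unchanged and is harder to get backwards: `let skip_dependency_verification = !check_dep_verification_flags(skip_dependency_verification, verify_deps)?;`. A wrong sign here would silently disable verification, so it is worth making obvious. The enclosing match arms start and end outside the hunks.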
@@ -1043,12 +1056,15 @@ impl SuiClientCommands { } else { None }; + let verify = + check_dep_verification_flags(skip_dependency_verification, verify_deps)?; + let compile_result = compile_package( client.read_api(), build_config.clone(), &package_path, with_unpublished_dependencies, - skip_dependency_verification, + !verify, ) .await; // Restore original ID, then check result. @@ -1713,6 +1729,28 @@ impl SuiClientCommands { } } +/// Process the `--skip-dependency-verification` and `--verify-dependencies` flags for a publish or +/// upgrade command. Prints deprecation warnings as appropriate and returns true if the +/// dependencies should be verified +fn check_dep_verification_flags( + skip_dependency_verification: bool, + verify_dependencies: bool, +) -> anyhow::Result { + match (skip_dependency_verification, verify_dependencies) { + (true, true) => bail!("[error]: --skip_dependency_verification and --verify_dependencies are mutually exclusive"), + + (false, false) => { + eprintln!("{}: In a future release, dependency source code will no longer be verified by default during publication and upgrade. \ + You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. \ + You can also manually verify dependencies using `sui client verify-source`.", + "[warning]".bold().yellow()); + Ok(true) + }, + + _ => Ok(verify_dependencies), + } +} + fn compile_package_simple( build_config: MoveBuildConfig, package_path: &Path, diff --git a/crates/sui/tests/cli_tests.rs b/crates/sui/tests/cli_tests.rs index 8a9bd44335f37..3605a45c4540e 100644 --- a/crates/sui/tests/cli_tests.rs +++ b/crates/sui/tests/cli_tests.rs 
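Review bot: The doc comment and the `bail!` text in `check_dep_verification_flags` (`@@ -1713`) name flags that do not exist. They say `--verify-dependencies`, `--skip_dependency_verification` and `--verify_dependencies`, while the clap fields added earlier in this file define `--verify-deps` and `--skip-dependency-verification`; the warning string in the same function uses the right names. I would change the message to `bail!("[error]: --skip-dependency-verification and --verify-deps are mutually exclusive")`, fix the doc comment likewise, and rename the second parameter to `verify_deps`. The `(true, true)` arm is also not reached from the command line, because `conflicts_with` rejects the pair first (the both_flags snapshot shows clap's own error), so only code that constructs the command directly can hit it.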
@@ -245,6 +245,7 @@ async fn test_ptb_publish_and_complex_arg_resolution() -> Result<(), anyhow::Err package_path: package_path.clone(), build_config, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), } @@ -524,6 +525,7 @@ async fn test_move_call_args_linter_command() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -788,6 +790,7 @@ async fn test_package_publish_command() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -858,6 +861,7 @@ async fn test_package_management_on_publish_command() -> Result<(), anyhow::Erro build_config: build_config.clone(), opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -928,6 +932,7 @@ async fn test_delete_shared_object() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1032,6 +1037,7 @@ async fn test_receive_argument() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) 
@@ -1156,6 +1162,7 @@ async fn test_receive_argument_by_immut_ref() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1280,6 +1287,7 @@ async fn test_receive_argument_by_mut_ref() -> Result<(), anyhow::Error> { build_config, skip_dependency_verification: false, with_unpublished_dependencies: false, + verify_deps: true, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), } .execute(context) @@ -1406,6 +1414,7 @@ async fn test_package_publish_command_with_unpublished_dependency_succeeds( build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies, } .execute(context) @@ -1475,6 +1484,7 @@ async fn test_package_publish_command_with_unpublished_dependency_fails( build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies, } .execute(context) @@ -1518,6 +1528,7 @@ async fn test_package_publish_command_non_zero_unpublished_dep_fails() -> Result build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies, } .execute(context) @@ -1570,6 +1581,7 @@ async fn test_package_publish_command_failure_invalid() -> Result<(), anyhow::Er build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies, } .execute(context) 
@@ -1609,6 +1621,7 @@ async fn test_package_publish_nonexistent_dependency() -> Result<(), anyhow::Err build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1649,6 +1662,7 @@ async fn test_package_publish_test_flag() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1701,6 +1715,7 @@ async fn test_package_upgrade_command() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1772,6 +1787,7 @@ async fn test_package_upgrade_command() -> Result<(), anyhow::Error> { opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), verify_compatibility: true, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1837,6 +1853,7 @@ async fn test_package_management_on_upgrade_command() -> Result<(), anyhow::Erro build_config: build_config.clone(), opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1891,6 +1908,7 @@ async fn test_package_management_on_upgrade_command() -> Result<(), anyhow::Erro opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), verify_compatibility: true, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) 
@@ -1971,6 +1989,7 @@ async fn test_package_management_on_upgrade_command_conflict() -> Result<(), any build_config: build_config_publish.clone(), opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -2039,6 +2058,7 @@ async fn test_package_management_on_upgrade_command_conflict() -> Result<(), any opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), verify_compatibility: true, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -3808,6 +3828,7 @@ async fn test_clever_errors() -> Result<(), anyhow::Error> { package_path: package_path.clone(), build_config, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), } diff --git a/crates/sui/tests/shell_tests.rs b/crates/sui/tests/shell_tests.rs index c899913138294..0c14d530cb179 100644 --- a/crates/sui/tests/shell_tests.rs +++ b/crates/sui/tests/shell_tests.rs @@ -48,6 +48,7 @@ async fn test_shell_snapshot(path: &Path) -> datatest_stable::Result<()> { "PATH", format!("{}:{}", get_sui_bin_path(), std::env::var("PATH")?), ) + .env("RUST_BACKTRACE", "0") .current_dir(sandbox) .arg(path.file_name().unwrap()); diff --git a/crates/sui/tests/shell_tests/with_network/move_build_bytecode_with_address_resolution/move_build_bytecode_with_address_resolution.sh b/crates/sui/tests/shell_tests/with_network/move_build_bytecode_with_address_resolution/move_build_bytecode_with_address_resolution.sh index 71a79d247fa6d..e656cbe2988f1 100644 --- a/crates/sui/tests/shell_tests/with_network/move_build_bytecode_with_address_resolution/move_build_bytecode_with_address_resolution.sh 
+++ b/crates/sui/tests/shell_tests/with_network/move_build_bytecode_with_address_resolution/move_build_bytecode_with_address_resolution.sh @@ -2,7 +2,7 @@ # SPDX-License-Identifier: Apache-2.0 sui client --client.config $CONFIG \ - publish simple \ + publish simple --verify-deps \ --json | jq '.effects.status' sui move --client.config $CONFIG \ diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/README.md b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/README.md new file mode 100644 index 0000000000000..9ce8de01e74c1 --- /dev/null +++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/README.md @@ -0,0 +1,2 @@ +This test suite checks that the deprecation warnings for dependency verification during publication and the +associated flags `--skip-dependency-verification` and `--verify-deps` are working correctly. diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/both_flags.sh b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/both_flags.sh new file mode 100644 index 0000000000000..182edbe6abb53 --- /dev/null +++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/both_flags.sh @@ -0,0 +1,10 @@ +# Copyright (c) Mysten Labs, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# test that we get an error if we supply both `--skip-dependency-verification` and `--verify-deps` + +echo "=== publish ===" | tee /dev/stderr +sui client --client.config $CONFIG publish example --skip-dependency-verification --verify-deps + +echo "=== upgrade ===" | tee /dev/stderr +sui client --client.config $CONFIG upgrade example --upgrade-capability 0x1234 --skip-dependency-verification --verify-deps 
diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/Move.toml b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/Move.toml new file mode 100644 index 0000000000000..bdaa4f5cb5000 --- /dev/null +++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/Move.toml @@ -0,0 +1,10 @@ +[package] +name = "dependency" +edition = "2024.beta" + +[dependencies] +# Sui = { local = "FRAMEWORK_DIR", override = true } + +[addresses] +dependency = "0x0" + diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/sources/dependency.move b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/sources/dependency.move new file mode 100644 index 0000000000000..c9961ef898541 --- /dev/null +++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/sources/dependency.move @@ -0,0 +1,6 @@ +// Copyright (c) Mysten Labs, Inc. +// SPDX-License-Identifier: Apache-2.0 + +module dependency::dependency; + +public fun f(): u64 { 0 } diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/Move.toml b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/Move.toml new file mode 100644 index 0000000000000..75849203259ac --- /dev/null +++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/Move.toml @@ -0,0 +1,10 @@ +[package] +name = "example" +edition = "2024.beta" # edition = "legacy" to use legacy (pre-2024) Move + +[dependencies] +# Sui = { local = "FRAMEWORK_DIR" } +dependency = { local = "../dependency" } + +[addresses] +example = "0x0" 
diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/sources/example.move b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/sources/example.move new file mode 100644 index 0000000000000..00a2a573e99ae --- /dev/null +++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/sources/example.move @@ -0,0 +1,9 @@ +// Copyright (c) Mysten Labs, Inc. +// SPDX-License-Identifier: Apache-2.0 + +/// Module: example +module example::example; + +use dependency::dependency::f; + +public fun g(): u64 { f() } diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/no_flags.sh b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/no_flags.sh new file mode 100644 index 0000000000000..85f24a03f7ebd --- /dev/null +++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/no_flags.sh 
@@ -0,0 +1,36 @@ +# Copyright (c) Mysten Labs, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# check that we get a deprecation warning when upgrading without any dependency verification flags + +echo "=== munge Move.toml files ===" | tee /dev/stderr +FRAMEWORK_DIR=$(echo $CARGO_MANIFEST_DIR | sed 's#/crates/sui#/crates/sui-framework/packages/sui-framework#g') +for i in dependency/Move.toml example/Move.toml +do + cat $i | sed "s#FRAMEWORK_DIR#$FRAMEWORK_DIR#g" > Move.toml \ + && mv Move.toml $i +done + +echo "=== publish dependency ===" | tee /dev/stderr +sui client --client.config $CONFIG publish "dependency" \ + --json | jq '.effects.status' + +echo "=== publish package v0 (should warn) ===" | tee /dev/stderr +UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" \ + --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId') + +echo "=== upgrade package (should warn) ===" | tee /dev/stderr +sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example \ + --json | jq '.effects.status' + +echo "=== modify dependency ===" | tee /dev/stderr +cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move +mv dependency.move dependency/sources/dependency.move + +echo "=== try to publish with modified dep (should fail) ===" | tee /dev/stderr +sui client --client.config $CONFIG publish "example" \ + | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g' + +echo "=== try to upgrade with modified dep (should fail) ===" | tee /dev/stderr +sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example \ + | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g' 
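Review bot: The two "should fail" steps pipe `sui client` into `sed`, so each step's status is sed's and the snapshot records `success: true` / `exit_code: 0` for a run whose verification failed. The failure is asserted only through the message text on stdout, and with_dep_verif.sh has the same two steps. Since this test guards the verification default, I would record the command's own status, e.g. `sui client --client.config $CONFIG publish "example" > out.txt; echo "exit status: $?"`, followed by the existing `sed` applied to `out.txt`. Whether `sui` itself exits non-zero here cannot be told from the snapshot, which is exactly the gap.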
diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/skip_dep_verif.sh b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/skip_dep_verif.sh new file mode 100644 index 0000000000000..c4eb3d6c857d0 --- /dev/null +++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/skip_dep_verif.sh 
@@ -0,0 +1,36 @@ +# Copyright (c) Mysten Labs, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# check that --skip-dependency-verification has the right behavior on publish and upgrade + +echo "=== munge Move.toml files ===" | tee /dev/stderr +FRAMEWORK_DIR=$(echo $CARGO_MANIFEST_DIR | sed 's#/crates/sui#/crates/sui-framework/packages/sui-framework#g') +for i in dependency/Move.toml example/Move.toml +do + cat $i | sed "s#FRAMEWORK_DIR#$FRAMEWORK_DIR#g" > Move.toml \ + && mv Move.toml $i +done + +echo "=== publish dependency ===" | tee /dev/stderr +sui client --client.config $CONFIG publish "dependency" --skip-dependency-verification \ + --json | jq '.effects.status' + +echo "=== publish package v0 (should NOT warn) ===" | tee /dev/stderr +UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --skip-dependency-verification \ + --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId') + +echo "=== upgrade package (should NOT warn) ===" | tee /dev/stderr +sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --skip-dependency-verification \ + --json | jq '.effects.status' + +echo "=== modify dependency ===" | tee /dev/stderr +cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move +mv dependency.move dependency/sources/dependency.move + +echo "=== try to publish with modified dep (should succeed) ===" | tee /dev/stderr +UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --skip-dependency-verification \ + --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId') + +echo "=== try to upgrade with modified dep (should succeed) ===" | tee /dev/stderr +sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --skip-dependency-verification \ + --json | jq '.effects.status' 
diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/with_dep_verif.sh b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/with_dep_verif.sh new file mode 100644 index 0000000000000..4681b6d8817a9 --- /dev/null +++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/with_dep_verif.sh 
@@ -0,0 +1,36 @@ +# Copyright (c) Mysten Labs, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# check that --verify-deps has the right behavior on publish and upgrade + +echo "=== munge Move.toml files ===" | tee /dev/stderr +FRAMEWORK_DIR=$(echo $CARGO_MANIFEST_DIR | sed 's#/crates/sui#/crates/sui-framework/packages/sui-framework#g') +for i in dependency/Move.toml example/Move.toml +do + cat $i | sed "s#FRAMEWORK_DIR#$FRAMEWORK_DIR#g" > Move.toml \ + && mv Move.toml $i +done + +echo "=== publish dependency ===" | tee /dev/stderr +sui client --client.config $CONFIG publish "dependency" --verify-deps \ + --json | jq '.effects.status' + +echo "=== publish package v0 (should NOT warn) ===" | tee /dev/stderr +UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --verify-deps \ + --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId') + +echo "=== upgrade package (should NOT warn) ===" | tee /dev/stderr +sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --verify-deps \ + --json | jq '.effects.status' + +echo "=== modify dependency ===" | tee /dev/stderr +cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move +mv dependency.move dependency/sources/dependency.move + +echo "=== try to publish with modified dep (should fail) ===" | tee /dev/stderr +sui client --client.config $CONFIG publish "example" --verify-deps \ + | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g' + +echo "=== try to upgrade with modified dep (should fail) ===" | tee /dev/stderr +sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --verify-deps \ + | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g' 
diff --git a/crates/sui/tests/snapshots/shell_tests__with_network__move_build_bytecode_with_address_resolution__move_build_bytecode_with_address_resolution.sh.snap b/crates/sui/tests/snapshots/shell_tests__with_network__move_build_bytecode_with_address_resolution__move_build_bytecode_with_address_resolution.sh.snap index d3afab6c23ec4..fc4994ae909d1 100644 --- a/crates/sui/tests/snapshots/shell_tests__with_network__move_build_bytecode_with_address_resolution__move_build_bytecode_with_address_resolution.sh.snap +++ b/crates/sui/tests/snapshots/shell_tests__with_network__move_build_bytecode_with_address_resolution__move_build_bytecode_with_address_resolution.sh.snap @@ -7,7 +7,7 @@ description: tests/shell_tests/with_network/move_build_bytecode_with_address_res # SPDX-License-Identifier: Apache-2.0 sui client --client.config $CONFIG \ - publish simple \ + publish simple --verify-deps \ --json | jq '.effects.status' sui move --client.config $CONFIG \ diff --git a/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__both_flags.sh.snap b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__both_flags.sh.snap new file mode 100644 index 0000000000000..331048d94bf41 --- /dev/null +++ b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__both_flags.sh.snap 
@@ -0,0 +1,36 @@ +--- +source: crates/sui/tests/shell_tests.rs +description: tests/shell_tests/with_network/source_verification_deprecation/both_flags.sh +--- +----- script ----- +# Copyright (c) Mysten Labs, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# test that we get an error if we supply both `--skip-dependency-verification` and `--verify-deps` + +echo "=== publish ===" | tee /dev/stderr +sui client --client.config $CONFIG publish example --skip-dependency-verification --verify-deps + +echo "=== upgrade ===" | tee /dev/stderr +sui client --client.config $CONFIG upgrade example --upgrade-capability 0x1234 --skip-dependency-verification --verify-deps + +----- results ----- +success: false +exit_code: 2 +----- stdout ----- +=== publish === +=== upgrade === + +----- stderr ----- +=== publish === +error: the argument '--skip-dependency-verification' cannot be used with '--verify-deps' + +Usage: sui client publish --skip-dependency-verification + +For more information, try '--help'. +=== upgrade === +error: the argument '--skip-dependency-verification' cannot be used with '--verify-deps' + +Usage: sui client upgrade --upgrade-capability --skip-dependency-verification + +For more information, try '--help'. diff --git a/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__no_flags.sh.snap b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__no_flags.sh.snap new file mode 100644 index 0000000000000..a79f682b03c29 --- /dev/null +++ b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__no_flags.sh.snap 
@@ -0,0 +1,95 @@ +--- +source: crates/sui/tests/shell_tests.rs +description: tests/shell_tests/with_network/source_verification_deprecation/no_flags.sh +--- +----- script ----- +# Copyright (c) Mysten Labs, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# check that we get a deprecation warning when upgrading without any dependency verification flags + +echo "=== munge Move.toml files ===" | tee /dev/stderr +FRAMEWORK_DIR=$(echo $CARGO_MANIFEST_DIR | sed 's#/crates/sui#/crates/sui-framework/packages/sui-framework#g') +for i in dependency/Move.toml example/Move.toml +do + cat $i | sed "s#FRAMEWORK_DIR#$FRAMEWORK_DIR#g" > Move.toml \ + && mv Move.toml $i +done + +echo "=== publish dependency ===" | tee /dev/stderr +sui client --client.config $CONFIG publish "dependency" \ + --json | jq '.effects.status' + +echo "=== publish package v0 (should warn) ===" | tee /dev/stderr +UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" \ + --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId') + +echo "=== upgrade package (should warn) ===" | tee /dev/stderr +sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example \ + --json | jq '.effects.status' + +echo "=== modify dependency ===" | tee /dev/stderr +cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move +mv dependency.move dependency/sources/dependency.move + +echo "=== try to publish with modified dep (should fail) ===" | tee /dev/stderr +sui client --client.config $CONFIG publish "example" \ + | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g' + +echo "=== try to upgrade with modified dep (should fail) ===" | tee /dev/stderr +sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example \ + | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g' + +----- results ----- +success: true +exit_code: 0 +----- stdout ----- +=== munge 
Move.toml files === +=== publish dependency === +{ + "status": "success" +} +=== publish package v0 (should warn) === +=== upgrade package (should warn) === +{ + "status": "success" +} +=== modify dependency === +=== try to publish with modified dep (should fail) === +Failed to publish the Move module(s), reason: [warning] Local dependency did not match its on-chain version at [[package address]]::dependency::dependency + +This may indicate that the on-chain version(s) of your package's dependencies may behave differently than the source version(s) your package was built against. + +Fix this by rebuilding your packages with source versions matching on-chain versions of dependencies, or ignore this warning by re-running with the --skip-dependency-verification flag. +=== try to upgrade with modified dep (should fail) === +Failed to publish the Move module(s), reason: [warning] Local dependency did not match its on-chain version at [[package address]]::dependency::dependency + +This may indicate that the on-chain version(s) of your package's dependencies may behave differently than the source version(s) your package was built against. + +Fix this by rebuilding your packages with source versions matching on-chain versions of dependencies, or ignore this warning by re-running with the --skip-dependency-verification flag. + +----- stderr ----- +=== munge Move.toml files === +=== publish dependency === +[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`. +BUILDING dependency +Successfully verified dependencies on-chain against source. +=== publish package v0 (should warn) === +[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. 
You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`. +INCLUDING DEPENDENCY dependency +BUILDING example +Successfully verified dependencies on-chain against source. +=== upgrade package (should warn) === +[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`. +INCLUDING DEPENDENCY dependency +BUILDING example +Successfully verified dependencies on-chain against source. +=== modify dependency === +=== try to publish with modified dep (should fail) === +[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`. +INCLUDING DEPENDENCY dependency +BUILDING example +=== try to upgrade with modified dep (should fail) === +[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`. +INCLUDING DEPENDENCY dependency +BUILDING example diff --git a/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__skip_dep_verif.sh.snap b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__skip_dep_verif.sh.snap new file mode 100644 index 0000000000000..5d93285c6999f --- /dev/null 
+++ b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__skip_dep_verif.sh.snap 
@@ -0,0 +1,85 @@
+---
+source: crates/sui/tests/shell_tests.rs
+description: tests/shell_tests/with_network/source_verification_deprecation/skip_dep_verif.sh
+---
+----- script -----
+# Copyright (c) Mysten Labs, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# check that --skip-dependency-verification has the right behavior on publish and upgrade
+
+echo "=== munge Move.toml files ===" | tee /dev/stderr
+FRAMEWORK_DIR=$(echo $CARGO_MANIFEST_DIR | sed 's#/crates/sui#/crates/sui-framework/packages/sui-framework#g')
+for i in dependency/Move.toml example/Move.toml
+do
+ cat $i | sed "s#FRAMEWORK_DIR#$FRAMEWORK_DIR#g" > Move.toml \
+ && mv Move.toml $i
+done
+
+echo "=== publish dependency ===" | tee /dev/stderr
+sui client --client.config $CONFIG publish "dependency" --skip-dependency-verification \
+ --json | jq '.effects.status'
+
+echo "=== publish package v0 (should NOT warn) ===" | tee /dev/stderr
+UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --skip-dependency-verification \
+ --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
+
+echo "=== upgrade package (should NOT warn) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --skip-dependency-verification \
+ --json | jq '.effects.status'
+
+echo "=== modify dependency ===" | tee /dev/stderr
+cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move
+mv dependency.move dependency/sources/dependency.move
+
+echo "=== try to publish with modified dep (should succeed) ===" | tee /dev/stderr
+UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --skip-dependency-verification \
+ --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
+
+echo "=== try to upgrade with modified dep (should succeed) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --skip-dependency-verification \
+ --json | jq '.effects.status'
+
+----- results -----
+success: true
+exit_code: 0
+----- stdout -----
+=== munge Move.toml files ===
+=== publish dependency ===
+{
+ "status": "success"
+}
+=== publish package v0 (should NOT warn) ===
+=== upgrade package (should NOT warn) ===
+{
+ "status": "success"
+}
+=== modify dependency ===
+=== try to publish with modified dep (should succeed) ===
+=== try to upgrade with modified dep (should succeed) ===
+{
+ "status": "success"
+}
+
+----- stderr -----
+=== munge Move.toml files ===
+=== publish dependency ===
+BUILDING dependency
+Skipping dependency verification
+=== publish package v0 (should NOT warn) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Skipping dependency verification
+=== upgrade package (should NOT warn) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Skipping dependency verification
+=== modify dependency ===
+=== try to publish with modified dep (should succeed) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Skipping dependency verification
+=== try to upgrade with modified dep (should succeed) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Skipping dependency verification
diff --git a/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__with_dep_verif.sh.snap b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__with_dep_verif.sh.snap
new file mode 100644
index 0000000000000..99298f46778d5
--- /dev/null
+++ b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__with_dep_verif.sh.snap
@@ -0,0 +1,90 @@
+---
+source: crates/sui/tests/shell_tests.rs
+description: tests/shell_tests/with_network/source_verification_deprecation/with_dep_verif.sh
+---
+----- script -----
+# Copyright (c) Mysten Labs, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# check that --verify-deps has the right behavior on publish and upgrade
+
+echo "=== munge Move.toml files ===" | tee /dev/stderr
+FRAMEWORK_DIR=$(echo $CARGO_MANIFEST_DIR | sed 's#/crates/sui#/crates/sui-framework/packages/sui-framework#g')
+for i in dependency/Move.toml example/Move.toml
+do
+ cat $i | sed "s#FRAMEWORK_DIR#$FRAMEWORK_DIR#g" > Move.toml \
+ && mv Move.toml $i
+done
+
+echo "=== publish dependency ===" | tee /dev/stderr
+sui client --client.config $CONFIG publish "dependency" --verify-deps \
+ --json | jq '.effects.status'
+
+echo "=== publish package v0 (should NOT warn) ===" | tee /dev/stderr
+UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --verify-deps \
+ --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
+
+echo "=== upgrade package (should NOT warn) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --verify-deps \
+ --json | jq '.effects.status'
+
+echo "=== modify dependency ===" | tee /dev/stderr
+cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move
+mv dependency.move dependency/sources/dependency.move
+
+echo "=== try to publish with modified dep (should fail) ===" | tee /dev/stderr
+sui client --client.config $CONFIG publish "example" --verify-deps \
+ | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
+
+echo "=== try to upgrade with modified dep (should fail) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --verify-deps \
+ | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
+
+----- results -----
+success: true
+exit_code: 0
+----- stdout -----
+=== munge Move.toml files ===
+=== publish dependency ===
+{
+ "status": "success"
+}
+=== publish package v0 (should NOT warn) ===
+=== upgrade package (should NOT warn) ===
+{
+ "status": "success"
+}
+=== modify dependency ===
+=== try to publish with modified dep (should fail) ===
+Failed to publish the Move module(s), reason: [warning] Local dependency did not match its on-chain version at [[package address]]::dependency::dependency
+
+This may indicate that the on-chain version(s) of your package's dependencies may behave differently than the source version(s) your package was built against.
+
+Fix this by rebuilding your packages with source versions matching on-chain versions of dependencies, or ignore this warning by re-running with the --skip-dependency-verification flag.
+=== try to upgrade with modified dep (should fail) ===
+Failed to publish the Move module(s), reason: [warning] Local dependency did not match its on-chain version at [[package address]]::dependency::dependency
+
+This may indicate that the on-chain version(s) of your package's dependencies may behave differently than the source version(s) your package was built against.
+
+Fix this by rebuilding your packages with source versions matching on-chain versions of dependencies, or ignore this warning by re-running with the --skip-dependency-verification flag.
+
+----- stderr -----
+=== munge Move.toml files ===
+=== publish dependency ===
+BUILDING dependency
+Successfully verified dependencies on-chain against source.
+=== publish package v0 (should NOT warn) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Successfully verified dependencies on-chain against source.
+=== upgrade package (should NOT warn) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Successfully verified dependencies on-chain against source.
+=== modify dependency ===
+=== try to publish with modified dep (should fail) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+=== try to upgrade with modified dep (should fail) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
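Review bot: The two "should fail" steps in the script section pipe `sui client ... --verify-deps` into `sed`, so the status the shell sees is sed's, and the recorded `exit_code: 0` / `success: true` say nothing about whether the CLI itself returned non-zero when the dependency source did not match the on-chain bytecode. The refusal is pinned only by the "Failed to publish the Move module(s)" text on stdout, which is a weaker guarantee for a supply-chain check that callers and CI jobs are likely to gate on by exit status. I would record the status explicitly, for example by redirecting the command's output to a file, adding `echo "exit: $?"`, and then running the `sed` normalisation over that file (or `echo "exit: ${PIPESTATUS[0]}"` after the pipeline, if these scripts are guaranteed to run under bash). The snapshot is generated from `tests/shell_tests/with_network/source_verification_deprecation/with_dep_verif.sh`, so the change belongs in that script and the snapshot would then be regenerated.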