From 55ba9e9399ebdef7a45325d7686806cb9bdd237a Mon Sep 17 00:00:00 2001 
From: "Michael D. George" Date: Fri, 7 Feb 2025 14:39:56 -0500 Subject: [PATCH] [CLI] cherry pick (#20977) Deprecation warnings for dependency verification (#21127) ## Description This adds a warning that source verification will become opt-in instead of opt-out in a future release, along with the `--verify-deps` flag that currently disables the warning. ## Test plan Several shell tests that cover the behavior with no flags, with both flags, and with each flag independently, on a package with source that has changed since publication. See the snapshot files for the tests and expected output. ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] gRPC: - [ ] JSON-RPC: - [ ] GraphQL: - [X] CLI: publication and upgrade will now warn that source verification will become opt-in in a future release; the warning can be disabled with either `--skip-dependency-verification` or the new `--verify-deps` flags - [ ] Rust SDK: --- .../tests/tests.rs | 2 + crates/sui/src/client_commands.rs | 54 +++++++++-- crates/sui/tests/cli_tests.rs | 21 ++++ crates/sui/tests/shell_tests.rs | 1 + ..._build_bytecode_with_address_resolution.sh | 2 +- .../source_verification_deprecation/README.md | 2 + .../both_flags.sh | 10 ++ .../dependency/Move.toml | 10 ++ .../dependency/sources/dependency.move | 6 ++ .../example/Move.toml | 10 ++ .../example/sources/example.move | 9 ++ .../no_flags.sh | 36 +++++++ .../skip_dep_verif.sh | 36 +++++++ .../with_dep_verif.sh | 36 +++++++ ...d_bytecode_with_address_resolution.sh.snap | 2 +- ...rification_deprecation__both_flags.sh.snap | 36 +++++++ ...verification_deprecation__no_flags.sh.snap | 95 +++++++++++++++++++ 
...cation_deprecation__skip_dep_verif.sh.snap | 85 +++++++++++++++++ ...cation_deprecation__with_dep_verif.sh.snap | 90 ++++++++++++++++++ 19 files changed, 533 insertions(+), 10 deletions(-) create mode 100644 crates/sui/tests/shell_tests/with_network/source_verification_deprecation/README.md create mode 100644 crates/sui/tests/shell_tests/with_network/source_verification_deprecation/both_flags.sh create mode 100644 crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/Move.toml create mode 100644 crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/sources/dependency.move create mode 100644 crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/Move.toml create mode 100644 crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/sources/example.move create mode 100644 crates/sui/tests/shell_tests/with_network/source_verification_deprecation/no_flags.sh create mode 100644 crates/sui/tests/shell_tests/with_network/source_verification_deprecation/skip_dep_verif.sh create mode 100644 crates/sui/tests/shell_tests/with_network/source_verification_deprecation/with_dep_verif.sh create mode 100644 crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__both_flags.sh.snap create mode 100644 crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__no_flags.sh.snap create mode 100644 crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__skip_dep_verif.sh.snap create mode 100644 crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__with_dep_verif.sh.snap diff --git a/crates/sui-source-validation-service/tests/tests.rs b/crates/sui-source-validation-service/tests/tests.rs index d7fd55e2b3540..644fe1ed2657d 100644 --- a/crates/sui-source-validation-service/tests/tests.rs +++ b/crates/sui-source-validation-service/tests/tests.rs 
@@ -181,6 +181,7 @@ async fn run_publish( package_path: package_path.clone(), build_config, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), } @@ -208,6 +209,7 @@ async fn run_upgrade( upgrade_capability: cap.reference.object_id, build_config, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), verify_compatibility: true, diff --git a/crates/sui/src/client_commands.rs b/crates/sui/src/client_commands.rs index e9ffae1ffbed3..6f5893c3dd0fc 100644 --- a/crates/sui/src/client_commands.rs +++ b/crates/sui/src/client_commands.rs @@ -360,11 +360,16 @@ pub enum SuiClientCommands { #[clap(flatten)] opts: OptsWithGas, - /// Publish the package without checking whether compiling dependencies from source results - /// in bytecode matching the dependencies found on-chain. + /// Publish the package without checking whether dependency source code compiles to the + /// on-chain bytecode #[clap(long)] skip_dependency_verification: bool, + /// Check that the dependency source code compiles to the on-chain bytecode before + /// publishing the package (currently the default behavior) + #[clap(long, conflicts_with = "skip_dependency_verification")] + verify_deps: bool, + /// Also publish transitive dependencies that have not already been published. #[clap(long)] with_unpublished_dependencies: bool, 
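Review bot: The help text added for `--verify-deps` on the `Publish` variant (hunk at -360) says only "(currently the default behavior)", so someone reading `--help` does not learn why the flag exists. The runtime warning added later in this patch announces that verification will stop being the default, and the doc comment could say the same, e.g. `/// publishing the package (currently the default; a future release will verify only when this flag is passed)`. The `Upgrade` variant in the -465 hunk uses the same wording. The enum body extends beyond both hunks.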
@@ -465,11 +470,16 @@ pub enum SuiClientCommands { #[clap(long)] verify_compatibility: bool, - /// Publish the package without checking whether compiling dependencies from source results - /// in bytecode matching the dependencies found on-chain. + /// Upgrade the package without checking whether dependency source code compiles to the on-chain + /// bytecode #[clap(long)] skip_dependency_verification: bool, + /// Check that the dependency source code compiles to the on-chain bytecode before + /// upgrading the package (currently the default behavior) + #[clap(long, conflicts_with = "skip_dependency_verification")] + verify_deps: bool, + /// Also publish transitive dependencies that have not already been published. #[clap(long)] with_unpublished_dependencies: bool, @@ -872,6 +882,7 @@ impl SuiClientCommands { upgrade_capability, build_config, skip_dependency_verification, + verify_deps, verify_compatibility, with_unpublished_dependencies, opts, @@ -897,7 +908,6 @@ impl SuiClientCommands { ); check_protocol_version_and_warn(&client).await?; - let package_path = package_path .canonicalize() @@ -920,13 +930,16 @@ impl SuiClientCommands { .get_active_env() .map(|e| e.alias.clone()) .ok(); + let verify = + check_dep_verification_flags(skip_dependency_verification, verify_deps)?; + let upgrade_result = upgrade_package( client.read_api(), build_config.clone(), &package_path, upgrade_capability, with_unpublished_dependencies, - skip_dependency_verification, + !verify, env_alias, ) .await; @@ -1001,6 +1014,7 @@ impl SuiClientCommands { package_path, build_config, skip_dependency_verification, + verify_deps, with_unpublished_dependencies, opts, } => { @@ -1025,7 +1039,6 @@ impl SuiClientCommands { let chain_id = client.read_api().get_chain_identifier().await.ok(); check_protocol_version_and_warn(&client).await?; - let package_path = package_path .canonicalize() 
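Review bot: In the upgrade call (hunk at -920), the positional argument that used to receive `skip_dependency_verification` now receives `!verify`, an unnamed negation of a security-relevant switch that is easy to misread or flip in a later edit. Binding the inverted value to a name keeps the call site self-describing: `let skip_verification = !check_dep_verification_flags(skip_dependency_verification, verify_deps)?;`, then pass `skip_verification`. The publish path in the -1043 hunk passes `!verify` to `compile_package` the same way. Both match arms start and end outside the hunks shown.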
@@ -1043,12 +1056,15 @@ impl SuiClientCommands { } else { None }; + let verify = + check_dep_verification_flags(skip_dependency_verification, verify_deps)?; + let compile_result = compile_package( client.read_api(), build_config.clone(), &package_path, with_unpublished_dependencies, - skip_dependency_verification, + !verify, ) .await; // Restore original ID, then check result. @@ -1713,6 +1729,28 @@ impl SuiClientCommands { } } +/// Process the `--skip-dependency-verification` and `--verify-dependencies` flags for a publish or +/// upgrade command. Prints deprecation warnings as appropriate and returns true if the +/// dependencies should be verified +fn check_dep_verification_flags( + skip_dependency_verification: bool, + verify_dependencies: bool, +) -> anyhow::Result { + match (skip_dependency_verification, verify_dependencies) { + (true, true) => bail!("[error]: --skip_dependency_verification and --verify_dependencies are mutually exclusive"), + + (false, false) => { + eprintln!("{}: In a future release, dependency source code will no longer be verified by default during publication and upgrade. \ + You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. \ + You can also manually verify dependencies using `sui client verify-source`.", + "[warning]".bold().yellow()); + Ok(true) + }, + + _ => Ok(verify_dependencies), + } +} + fn compile_package_simple( build_config: MoveBuildConfig, package_path: &Path, diff --git a/crates/sui/tests/cli_tests.rs b/crates/sui/tests/cli_tests.rs index 8a9bd44335f37..3605a45c4540e 100644 --- a/crates/sui/tests/cli_tests.rs +++ b/crates/sui/tests/cli_tests.rs 
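Review bot: The doc comment and the `bail!` text in `check_dep_verification_flags` (hunk at -1713) name flags that do not exist. The option declared earlier in this patch is `--verify-deps` and the other is spelled `--skip-dependency-verification` on the command line, so the `(true, true)` arm should read `bail!("[error]: --skip-dependency-verification and --verify-deps are mutually exclusive")` and the comment should say `--verify-deps`. That arm is reachable only when the command struct is built in code, because clap's `conflicts_with` rejects the pair first (the both_flags snapshot shows clap's own error). None of the tests visible here construct the struct with both fields set, so the arm appears to be uncovered. The return type is shown as bare `anyhow::Result`; the `Ok(true)` arm implies `anyhow::Result<bool>`, and the type argument was probably lost when the page was rendered.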
@@ -245,6 +245,7 @@ async fn test_ptb_publish_and_complex_arg_resolution() -> Result<(), anyhow::Err package_path: package_path.clone(), build_config, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), } @@ -524,6 +525,7 @@ async fn test_move_call_args_linter_command() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -788,6 +790,7 @@ async fn test_package_publish_command() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -858,6 +861,7 @@ async fn test_package_management_on_publish_command() -> Result<(), anyhow::Erro build_config: build_config.clone(), opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -928,6 +932,7 @@ async fn test_delete_shared_object() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1032,6 +1037,7 @@ async fn test_receive_argument() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) 
@@ -1156,6 +1162,7 @@ async fn test_receive_argument_by_immut_ref() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1280,6 +1287,7 @@ async fn test_receive_argument_by_mut_ref() -> Result<(), anyhow::Error> { build_config, skip_dependency_verification: false, with_unpublished_dependencies: false, + verify_deps: true, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), } .execute(context) @@ -1406,6 +1414,7 @@ async fn test_package_publish_command_with_unpublished_dependency_succeeds( build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies, } .execute(context) @@ -1475,6 +1484,7 @@ async fn test_package_publish_command_with_unpublished_dependency_fails( build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies, } .execute(context) @@ -1518,6 +1528,7 @@ async fn test_package_publish_command_non_zero_unpublished_dep_fails() -> Result build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies, } .execute(context) @@ -1570,6 +1581,7 @@ async fn test_package_publish_command_failure_invalid() -> Result<(), anyhow::Er build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies, } .execute(context) 
@@ -1609,6 +1621,7 @@ async fn test_package_publish_nonexistent_dependency() -> Result<(), anyhow::Err build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1649,6 +1662,7 @@ async fn test_package_publish_test_flag() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1701,6 +1715,7 @@ async fn test_package_upgrade_command() -> Result<(), anyhow::Error> { build_config, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1772,6 +1787,7 @@ async fn test_package_upgrade_command() -> Result<(), anyhow::Error> { opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), verify_compatibility: true, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1837,6 +1853,7 @@ async fn test_package_management_on_upgrade_command() -> Result<(), anyhow::Erro build_config: build_config.clone(), opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -1891,6 +1908,7 @@ async fn test_package_management_on_upgrade_command() -> Result<(), anyhow::Erro opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), verify_compatibility: true, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) 
@@ -1971,6 +1989,7 @@ async fn test_package_management_on_upgrade_command_conflict() -> Result<(), any build_config: build_config_publish.clone(), opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -2039,6 +2058,7 @@ async fn test_package_management_on_upgrade_command_conflict() -> Result<(), any opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), verify_compatibility: true, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, } .execute(context) @@ -3808,6 +3828,7 @@ async fn test_clever_errors() -> Result<(), anyhow::Error> { package_path: package_path.clone(), build_config, skip_dependency_verification: false, + verify_deps: true, with_unpublished_dependencies: false, opts: OptsWithGas::for_testing(Some(gas_obj_id), rgp * TEST_ONLY_GAS_UNIT_FOR_PUBLISH), } diff --git a/crates/sui/tests/shell_tests.rs b/crates/sui/tests/shell_tests.rs index c899913138294..0c14d530cb179 100644 --- a/crates/sui/tests/shell_tests.rs +++ b/crates/sui/tests/shell_tests.rs @@ -48,6 +48,7 @@ async fn test_shell_snapshot(path: &Path) -> datatest_stable::Result<()> { "PATH", format!("{}:{}", get_sui_bin_path(), std::env::var("PATH")?), ) + .env("RUST_BACKTRACE", "0") .current_dir(sandbox) .arg(path.file_name().unwrap()); diff --git a/crates/sui/tests/shell_tests/with_network/move_build_bytecode_with_address_resolution/move_build_bytecode_with_address_resolution.sh b/crates/sui/tests/shell_tests/with_network/move_build_bytecode_with_address_resolution/move_build_bytecode_with_address_resolution.sh index 71a79d247fa6d..e656cbe2988f1 100644 --- a/crates/sui/tests/shell_tests/with_network/move_build_bytecode_with_address_resolution/move_build_bytecode_with_address_resolution.sh 
+++ b/crates/sui/tests/shell_tests/with_network/move_build_bytecode_with_address_resolution/move_build_bytecode_with_address_resolution.sh @@ -2,7 +2,7 @@ # SPDX-License-Identifier: Apache-2.0 sui client --client.config $CONFIG \ - publish simple \ + publish simple --verify-deps \ --json | jq '.effects.status' sui move --client.config $CONFIG \ diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/README.md b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/README.md new file mode 100644 index 0000000000000..9ce8de01e74c1 --- /dev/null +++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/README.md @@ -0,0 +1,2 @@ +This test suite checks that the deprecation warnings for dependency verification during publication and the +associated flags `--skip-dependency-verification` and `--verify-deps` are working correctly. diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/both_flags.sh b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/both_flags.sh new file mode 100644 index 0000000000000..182edbe6abb53 --- /dev/null +++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/both_flags.sh @@ -0,0 +1,10 @@ +# Copyright (c) Mysten Labs, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# test that we get an error if we supply both `--skip-dependency-verification` and `--verify-deps` + +echo "=== publish ===" | tee /dev/stderr +sui client --client.config $CONFIG publish example --skip-dependency-verification --verify-deps + +echo "=== upgrade ===" | tee /dev/stderr +sui client --client.config $CONFIG upgrade example --upgrade-capability 0x1234 --skip-dependency-verification --verify-deps 
diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/Move.toml b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/Move.toml
new file mode 100644
index 0000000000000..bdaa4f5cb5000
--- /dev/null
+++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/Move.toml
@@ -0,0 +1,10 @@
+[package]
+name = "dependency"
+edition = "2024.beta"
+
+[dependencies]
+# Sui = { local = "FRAMEWORK_DIR", override = true }
+
+[addresses]
+dependency = "0x0"
+
diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/sources/dependency.move b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/sources/dependency.move
new file mode 100644
index 0000000000000..c9961ef898541
--- /dev/null
+++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/dependency/sources/dependency.move
@@ -0,0 +1,6 @@
+// Copyright (c) Mysten Labs, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+module dependency::dependency;
+
+public fun f(): u64 { 0 }
diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/Move.toml b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/Move.toml
new file mode 100644
index 0000000000000..75849203259ac
--- /dev/null
+++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/Move.toml
@@ -0,0 +1,10 @@
+[package]
+name = "example"
+edition = "2024.beta" # edition = "legacy" to use legacy (pre-2024) Move
+
+[dependencies]
+# Sui = { local = "FRAMEWORK_DIR" }
+dependency = { local = "../dependency" }
+
+[addresses]
+example = "0x0"
diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/sources/example.move b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/sources/example.move
new file mode 100644
index 0000000000000..00a2a573e99ae
--- /dev/null
+++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/example/sources/example.move
@@ -0,0 +1,9 @@
+// Copyright (c) Mysten Labs, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+/// Module: example
+module example::example;
+
+use dependency::dependency::f;
+
+public fun g(): u64 { f() }
diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/no_flags.sh b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/no_flags.sh
new file mode 100644
index 0000000000000..85f24a03f7ebd
--- /dev/null
+++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/no_flags.sh
@@ -0,0 +1,36 @@
+# Copyright (c) Mysten Labs, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# check that we get a deprecation warning when upgrading without any dependency verification flags
+
+echo "=== munge Move.toml files ===" | tee /dev/stderr
+FRAMEWORK_DIR=$(echo $CARGO_MANIFEST_DIR | sed 's#/crates/sui#/crates/sui-framework/packages/sui-framework#g')
+for i in dependency/Move.toml example/Move.toml
+do
+ cat $i | sed "s#FRAMEWORK_DIR#$FRAMEWORK_DIR#g" > Move.toml \
+ && mv Move.toml $i
+done
+
+echo "=== publish dependency ===" | tee /dev/stderr
+sui client --client.config $CONFIG publish "dependency" \
+ --json | jq '.effects.status'
+
+echo "=== publish package v0 (should warn) ===" | tee /dev/stderr
+UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" \
+ --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
+
+echo "=== upgrade package (should warn) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example \
+ --json | jq '.effects.status'
+
+echo "=== modify dependency ===" | tee /dev/stderr
+cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move
+mv dependency.move dependency/sources/dependency.move
+
+echo "=== try to publish with modified dep (should fail) ===" | tee /dev/stderr
+sui client --client.config $CONFIG publish "example" \
+ | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
+
+echo "=== try to upgrade with modified dep (should fail) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example \
+ | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
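Review bot: The two "should fail" steps at the end of no_flags.sh pipe `sui client` into `sed`, so each step's status is sed's and the refusal to publish against a modified dependency is pinned only by the message text. The recorded snapshot for this script shows `success: true` and `exit_code: 0`. Callers such as CI act on the exit status, so it is worth recording it too, for example by adding `echo "exit status: ${PIPESTATUS[0]}"` after each pipeline (bash-specific; the interpreter the harness uses is not visible here). with_dep_verif.sh ends with the same two pipelines.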
diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/skip_dep_verif.sh b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/skip_dep_verif.sh
new file mode 100644
index 0000000000000..c4eb3d6c857d0
--- /dev/null
+++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/skip_dep_verif.sh
@@ -0,0 +1,36 @@
+# Copyright (c) Mysten Labs, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# check that --skip-dependency-verification has the right behavior on publish and upgrade
+
+echo "=== munge Move.toml files ===" | tee /dev/stderr
+FRAMEWORK_DIR=$(echo $CARGO_MANIFEST_DIR | sed 's#/crates/sui#/crates/sui-framework/packages/sui-framework#g')
+for i in dependency/Move.toml example/Move.toml
+do
+ cat $i | sed "s#FRAMEWORK_DIR#$FRAMEWORK_DIR#g" > Move.toml \
+ && mv Move.toml $i
+done
+
+echo "=== publish dependency ===" | tee /dev/stderr
+sui client --client.config $CONFIG publish "dependency" --skip-dependency-verification \
+ --json | jq '.effects.status'
+
+echo "=== publish package v0 (should NOT warn) ===" | tee /dev/stderr
+UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --skip-dependency-verification \
+ --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
+
+echo "=== upgrade package (should NOT warn) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --skip-dependency-verification \
+ --json | jq '.effects.status'
+
+echo "=== modify dependency ===" | tee /dev/stderr
+cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move
+mv dependency.move dependency/sources/dependency.move
+
+echo "=== try to publish with modified dep (should succeed) ===" | tee /dev/stderr
+UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --skip-dependency-verification \
+ --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
+
+echo "=== try to upgrade with modified dep (should succeed) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --skip-dependency-verification \
+ --json | jq '.effects.status'
diff --git a/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/with_dep_verif.sh b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/with_dep_verif.sh
new file mode 100644
index 0000000000000..4681b6d8817a9
--- /dev/null
+++ b/crates/sui/tests/shell_tests/with_network/source_verification_deprecation/with_dep_verif.sh
@@ -0,0 +1,36 @@
+# Copyright (c) Mysten Labs, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# check that --verify-deps has the right behavior on publish and upgrade
+
+echo "=== munge Move.toml files ===" | tee /dev/stderr
+FRAMEWORK_DIR=$(echo $CARGO_MANIFEST_DIR | sed 's#/crates/sui#/crates/sui-framework/packages/sui-framework#g')
+for i in dependency/Move.toml example/Move.toml
+do
+ cat $i | sed "s#FRAMEWORK_DIR#$FRAMEWORK_DIR#g" > Move.toml \
+ && mv Move.toml $i
+done
+
+echo "=== publish dependency ===" | tee /dev/stderr
+sui client --client.config $CONFIG publish "dependency" --verify-deps \
+ --json | jq '.effects.status'
+
+echo "=== publish package v0 (should NOT warn) ===" | tee /dev/stderr
+UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --verify-deps \
+ --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
+
+echo "=== upgrade package (should NOT warn) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --verify-deps \
+ --json | jq '.effects.status'
+
+echo "=== modify dependency ===" | tee /dev/stderr
+cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move
+mv dependency.move dependency/sources/dependency.move
+
+echo "=== try to publish with modified dep (should fail) ===" | tee /dev/stderr
+sui client --client.config $CONFIG publish "example" --verify-deps \
+ | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
+
+echo "=== try to upgrade with modified dep (should fail) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --verify-deps \
+ | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
diff --git a/crates/sui/tests/snapshots/shell_tests__with_network__move_build_bytecode_with_address_resolution__move_build_bytecode_with_address_resolution.sh.snap b/crates/sui/tests/snapshots/shell_tests__with_network__move_build_bytecode_with_address_resolution__move_build_bytecode_with_address_resolution.sh.snap index d3afab6c23ec4..fc4994ae909d1 100644 --- a/crates/sui/tests/snapshots/shell_tests__with_network__move_build_bytecode_with_address_resolution__move_build_bytecode_with_address_resolution.sh.snap +++ b/crates/sui/tests/snapshots/shell_tests__with_network__move_build_bytecode_with_address_resolution__move_build_bytecode_with_address_resolution.sh.snap @@ -7,7 +7,7 @@ description: tests/shell_tests/with_network/move_build_bytecode_with_address_res # SPDX-License-Identifier: Apache-2.0 sui client --client.config $CONFIG \ - publish simple \ + publish simple --verify-deps \ --json | jq '.effects.status' sui move --client.config $CONFIG \ diff --git a/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__both_flags.sh.snap b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__both_flags.sh.snap new file mode 100644 index 0000000000000..331048d94bf41 --- /dev/null +++ b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__both_flags.sh.snap 
@@ -0,0 +1,36 @@ +--- +source: crates/sui/tests/shell_tests.rs +description: tests/shell_tests/with_network/source_verification_deprecation/both_flags.sh +--- +----- script ----- +# Copyright (c) Mysten Labs, Inc. +# SPDX-License-Identifier: Apache-2.0 + +# test that we get an error if we supply both `--skip-dependency-verification` and `--verify-deps` + +echo "=== publish ===" | tee /dev/stderr +sui client --client.config $CONFIG publish example --skip-dependency-verification --verify-deps + +echo "=== upgrade ===" | tee /dev/stderr +sui client --client.config $CONFIG upgrade example --upgrade-capability 0x1234 --skip-dependency-verification --verify-deps + +----- results ----- +success: false +exit_code: 2 +----- stdout ----- +=== publish === +=== upgrade === + +----- stderr ----- +=== publish === +error: the argument '--skip-dependency-verification' cannot be used with '--verify-deps' + +Usage: sui client publish --skip-dependency-verification + +For more information, try '--help'. +=== upgrade === +error: the argument '--skip-dependency-verification' cannot be used with '--verify-deps' + +Usage: sui client upgrade --upgrade-capability --skip-dependency-verification + +For more information, try '--help'. diff --git a/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__no_flags.sh.snap b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__no_flags.sh.snap new file mode 100644 index 0000000000000..a79f682b03c29 --- /dev/null +++ b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__no_flags.sh.snap 
@@ -0,0 +1,95 @@
+---
+source: crates/sui/tests/shell_tests.rs
+description: tests/shell_tests/with_network/source_verification_deprecation/no_flags.sh
+---
+----- script -----
+# Copyright (c) Mysten Labs, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# check that we get a deprecation warning when upgrading without any dependency verification flags
+
+echo "=== munge Move.toml files ===" | tee /dev/stderr
+FRAMEWORK_DIR=$(echo $CARGO_MANIFEST_DIR | sed 's#/crates/sui#/crates/sui-framework/packages/sui-framework#g')
+for i in dependency/Move.toml example/Move.toml
+do
+ cat $i | sed "s#FRAMEWORK_DIR#$FRAMEWORK_DIR#g" > Move.toml \
+ && mv Move.toml $i
+done
+
+echo "=== publish dependency ===" | tee /dev/stderr
+sui client --client.config $CONFIG publish "dependency" \
+ --json | jq '.effects.status'
+
+echo "=== publish package v0 (should warn) ===" | tee /dev/stderr
+UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" \
+ --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
+
+echo "=== upgrade package (should warn) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example \
+ --json | jq '.effects.status'
+
+echo "=== modify dependency ===" | tee /dev/stderr
+cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move
+mv dependency.move dependency/sources/dependency.move
+
+echo "=== try to publish with modified dep (should fail) ===" | tee /dev/stderr
+sui client --client.config $CONFIG publish "example" \
+ | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
+
+echo "=== try to upgrade with modified dep (should fail) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example \
+ | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
+
+----- results -----
+success: true
+exit_code: 0
+----- stdout -----
+=== munge Move.toml files ===
+=== publish dependency ===
+{
+ "status": "success"
+}
+=== publish package v0 (should warn) ===
+=== upgrade package (should warn) ===
+{
+ "status": "success"
+}
+=== modify dependency ===
+=== try to publish with modified dep (should fail) ===
+Failed to publish the Move module(s), reason: [warning] Local dependency did not match its on-chain version at [[package address]]::dependency::dependency
+
+This may indicate that the on-chain version(s) of your package's dependencies may behave differently than the source version(s) your package was built against.
+
+Fix this by rebuilding your packages with source versions matching on-chain versions of dependencies, or ignore this warning by re-running with the --skip-dependency-verification flag.
+=== try to upgrade with modified dep (should fail) ===
+Failed to publish the Move module(s), reason: [warning] Local dependency did not match its on-chain version at [[package address]]::dependency::dependency
+
+This may indicate that the on-chain version(s) of your package's dependencies may behave differently than the source version(s) your package was built against.
+
+Fix this by rebuilding your packages with source versions matching on-chain versions of dependencies, or ignore this warning by re-running with the --skip-dependency-verification flag.
+
+----- stderr -----
+=== munge Move.toml files ===
+=== publish dependency ===
+[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`.
+BUILDING dependency
+Successfully verified dependencies on-chain against source.
+=== publish package v0 (should warn) ===
+[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`.
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Successfully verified dependencies on-chain against source.
+=== upgrade package (should warn) ===
+[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`.
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Successfully verified dependencies on-chain against source.
+=== modify dependency ===
+=== try to publish with modified dep (should fail) ===
+[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`.
+INCLUDING DEPENDENCY dependency
+BUILDING example
+=== try to upgrade with modified dep (should fail) ===
+[warning]: In a future release, dependency source code will no longer be verified by default during publication and upgrade. You can opt in to source verification using `--verify-deps` or disable this warning using `--skip-dependency-verification`. You can also manually verify dependencies using `sui client verify-source`.
+INCLUDING DEPENDENCY dependency
+BUILDING example
diff --git a/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__skip_dep_verif.sh.snap b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__skip_dep_verif.sh.snap
new file mode 100644
index 0000000000000..5d93285c6999f
--- /dev/null
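Review bot: The two "should fail" steps in the recorded script pipe `sui client ... publish` and `sui client ... upgrade` through `sed`, so each pipeline reports sed's status and the snapshot pins `success: true` / `exit_code: 0` for a run in which dependency verification rejected the package. The rejection is therefore asserted only through the stdout text; a regression in which the CLI prints the mismatch message but exits 0 would leave this snapshot unchanged. Assuming the harness runs the script under bash, recording the CLI status after each pipeline, e.g. `echo "exit: ${PIPESTATUS[0]}"`, would pin it. The with_dep_verif snapshot records the same pattern; the scripts themselves live under `tests/shell_tests/with_network/source_verification_deprecation/`, outside this hunk, and the snapshots would be regenerated from them.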
+++ b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__skip_dep_verif.sh.snap 
@@ -0,0 +1,85 @@
+---
+source: crates/sui/tests/shell_tests.rs
+description: tests/shell_tests/with_network/source_verification_deprecation/skip_dep_verif.sh
+---
+----- script -----
+# Copyright (c) Mysten Labs, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# check that --skip-dependency-verification has the right behavior on publish and upgrade
+
+echo "=== munge Move.toml files ===" | tee /dev/stderr
+FRAMEWORK_DIR=$(echo $CARGO_MANIFEST_DIR | sed 's#/crates/sui#/crates/sui-framework/packages/sui-framework#g')
+for i in dependency/Move.toml example/Move.toml
+do
+ cat $i | sed "s#FRAMEWORK_DIR#$FRAMEWORK_DIR#g" > Move.toml \
+ && mv Move.toml $i
+done
+
+echo "=== publish dependency ===" | tee /dev/stderr
+sui client --client.config $CONFIG publish "dependency" --skip-dependency-verification \
+ --json | jq '.effects.status'
+
+echo "=== publish package v0 (should NOT warn) ===" | tee /dev/stderr
+UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --skip-dependency-verification \
+ --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
+
+echo "=== upgrade package (should NOT warn) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --skip-dependency-verification \
+ --json | jq '.effects.status'
+
+echo "=== modify dependency ===" | tee /dev/stderr
+cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move
+mv dependency.move dependency/sources/dependency.move
+
+echo "=== try to publish with modified dep (should succeed) ===" | tee /dev/stderr
+UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --skip-dependency-verification \
+ --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
+
+echo "=== try to upgrade with modified dep (should succeed) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --skip-dependency-verification \
+ --json | jq '.effects.status'
+
+----- results -----
+success: true
+exit_code: 0
+----- stdout -----
+=== munge Move.toml files ===
+=== publish dependency ===
+{
+ "status": "success"
+}
+=== publish package v0 (should NOT warn) ===
+=== upgrade package (should NOT warn) ===
+{
+ "status": "success"
+}
+=== modify dependency ===
+=== try to publish with modified dep (should succeed) ===
+=== try to upgrade with modified dep (should succeed) ===
+{
+ "status": "success"
+}
+
+----- stderr -----
+=== munge Move.toml files ===
+=== publish dependency ===
+BUILDING dependency
+Skipping dependency verification
+=== publish package v0 (should NOT warn) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Skipping dependency verification
+=== upgrade package (should NOT warn) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Skipping dependency verification
+=== modify dependency ===
+=== try to publish with modified dep (should succeed) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Skipping dependency verification
+=== try to upgrade with modified dep (should succeed) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Skipping dependency verification
diff --git a/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__with_dep_verif.sh.snap b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__with_dep_verif.sh.snap
new file mode 100644
index 0000000000000..99298f46778d5
--- /dev/null
+++ b/crates/sui/tests/snapshots/shell_tests__with_network__source_verification_deprecation__with_dep_verif.sh.snap
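Review bot: The deprecation warning recorded in the no_flags snapshot presents `--skip-dependency-verification` as a way to "disable this warning", but the "should succeed" steps here pin that the flag publishes and upgrades against a dependency whose local source no longer matches its on-chain version. A user who only wants the warning gone is steered to the flag that turns the check off. The message text is defined outside this hunk (presumably in `crates/sui/src/client_commands.rs`), and I would reword it along the lines of `opt in to source verification using --verify-deps, or skip verification entirely using --skip-dependency-verification`.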
@@ -0,0 +1,90 @@
+---
+source: crates/sui/tests/shell_tests.rs
+description: tests/shell_tests/with_network/source_verification_deprecation/with_dep_verif.sh
+---
+----- script -----
+# Copyright (c) Mysten Labs, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+# check that --verify-deps has the right behavior on publish and upgrade
+
+echo "=== munge Move.toml files ===" | tee /dev/stderr
+FRAMEWORK_DIR=$(echo $CARGO_MANIFEST_DIR | sed 's#/crates/sui#/crates/sui-framework/packages/sui-framework#g')
+for i in dependency/Move.toml example/Move.toml
+do
+ cat $i | sed "s#FRAMEWORK_DIR#$FRAMEWORK_DIR#g" > Move.toml \
+ && mv Move.toml $i
+done
+
+echo "=== publish dependency ===" | tee /dev/stderr
+sui client --client.config $CONFIG publish "dependency" --verify-deps \
+ --json | jq '.effects.status'
+
+echo "=== publish package v0 (should NOT warn) ===" | tee /dev/stderr
+UPGRADE_CAP=$(sui client --client.config $CONFIG publish "example" --verify-deps \
+ --json | jq -r '.objectChanges[] | select(.objectType == "0x2::package::UpgradeCap") | .objectId')
+
+echo "=== upgrade package (should NOT warn) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --verify-deps \
+ --json | jq '.effects.status'
+
+echo "=== modify dependency ===" | tee /dev/stderr
+cat dependency/sources/dependency.move | sed 's#0#1#g' > dependency.move
+mv dependency.move dependency/sources/dependency.move
+
+echo "=== try to publish with modified dep (should fail) ===" | tee /dev/stderr
+sui client --client.config $CONFIG publish "example" --verify-deps \
+ | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
+
+echo "=== try to upgrade with modified dep (should fail) ===" | tee /dev/stderr
+sui client --client.config $CONFIG upgrade --upgrade-capability $UPGRADE_CAP example --verify-deps \
+ | sed 's/at .*::dependency::dependency/at [[package address]]::dependency::dependency/g'
+
+----- results -----
+success: true
+exit_code: 0
+----- stdout -----
+=== munge Move.toml files ===
+=== publish dependency ===
+{
+ "status": "success"
+}
+=== publish package v0 (should NOT warn) ===
+=== upgrade package (should NOT warn) ===
+{
+ "status": "success"
+}
+=== modify dependency ===
+=== try to publish with modified dep (should fail) ===
+Failed to publish the Move module(s), reason: [warning] Local dependency did not match its on-chain version at [[package address]]::dependency::dependency
+
+This may indicate that the on-chain version(s) of your package's dependencies may behave differently than the source version(s) your package was built against.
+
+Fix this by rebuilding your packages with source versions matching on-chain versions of dependencies, or ignore this warning by re-running with the --skip-dependency-verification flag.
+=== try to upgrade with modified dep (should fail) ===
+Failed to publish the Move module(s), reason: [warning] Local dependency did not match its on-chain version at [[package address]]::dependency::dependency
+
+This may indicate that the on-chain version(s) of your package's dependencies may behave differently than the source version(s) your package was built against.
+
+Fix this by rebuilding your packages with source versions matching on-chain versions of dependencies, or ignore this warning by re-running with the --skip-dependency-verification flag.
+
+----- stderr -----
+=== munge Move.toml files ===
+=== publish dependency ===
+BUILDING dependency
+Successfully verified dependencies on-chain against source.
+=== publish package v0 (should NOT warn) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Successfully verified dependencies on-chain against source.
+=== upgrade package (should NOT warn) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+Successfully verified dependencies on-chain against source.
+=== modify dependency ===
+=== try to publish with modified dep (should fail) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example
+=== try to upgrade with modified dep (should fail) ===
+INCLUDING DEPENDENCY dependency
+BUILDING example