pallet-xcm: add support to authorize aliases

[acatangiu]

Add calls to pallet-xcm for adding and removing authorization for a certain aliaser location to alias into the caller origin.

pallet-xcm also exposes an AuthorizedAliases filter implementation usable with xcm_executor::Config::Aliasers filter to easily allow runtimes to plug in the explicitly authorized aliases using the calls above.

Usually useful to allow your local account to be aliased into from a remote location also under your control (like your account on another chain).

One cool example is Alice on Para42 doing something on Asset Hub without having to transfer fees from Para42, but instead use her local Asset Hub account:

// called by Alice on Para42
pallet_xcm::send(
	Location::new(1, Parachain(1000)),
	Xcm(vec![
		AliasOrigin(AliceOnAH),
		WithdrawAsset(fees),
		PayFees(fees),
		DoWhatever
	])
);

Part of Empowered cross-chain origins.

Fixes XCM: Arbitrary Origin Aliases #722

[bkontur]

lgtm, left some small nits/questions

[acatangiu]

bot bench polkadot-pallet --subcommand=xcm --runtime=westend --pallet=pallet_xcm
bot bench polkadot-pallet --subcommand=xcm --runtime=rococo --pallet=pallet_xcm

bot bench cumulus-assets --subcommand=xcm --runtime=asset-hub-westend --pallet=pallet_xcm
bot bench cumulus-assets --subcommand=xcm --runtime=asset-hub-rococo --pallet=pallet_xcm

[acatangiu]

bot clean

[franciscoaguirre]

Should we allow this indefinitely or always require an expiry? Thinking of the case where you do trust your account on another chain but maybe that chain gets compromised and you forgot to remove your authorization. Then the parachain can impersonate your account on their chain and in turn impersonate your account on this chain.

An expiry would be annoying but would make it safer. Apps could batch this with the actual action you want to take if they know the expiry is past.

[acatangiu]

I’m personally not a fan of expiry. It’s a big UX burden and doesn’t bring any value IMO. If the aliaser is compromised then the aliasee is compromised, one cannot rely on an expiry as protection. One should immediately remove the authorisation in such an unlikely case.

The idea is worth evaluating from a UX perspective depending on the following:
A) will users authorise these relationships for repeated actions (effectively needing them alive for longer periods), or
B) will they be used for very occasional one-time actions (so for added security they should either be explicitly removed or automatically expire)

If the usage pattern is B, then an expiry actually helps UX. If it is A, it hinders UX (and adds more complexity - would need to maintain an ordered list based on expirations and manage it on each block - complex and expensive).

I say we keep it simple for now and see where it goes, we can pivot to the more expensive option if needed.

[franciscoaguirre]

I see expiry as a way to not allow users to forget that they allowed some location to impersonate them. I think it's a UX improvement to allow users to forget but still clean up after themselves.

The reason why I'm proposing this is because it's not only the location they explicitly allow that could be the problem, they open the surface area of bugs to bugs on the other chain. The main value in my opinion is that if a user on chain A allows an account from chain B to impersonate them and then forgets, a future vulnerability in chain B can't affect them anymore given that it expires.

I'd expect the usage pattern to be B, but if it is A we can still make the expiry refresh every time they make an action with it.

On the implementation side I don't see how it's so complex and expensive. You'd just keep the block number timeout and disallow aliases that are past that.

[acatangiu]

added expiry here a606607, let me know what you think

[muharem]

I do not really see the reason to make stored types and storage items private. At the end when you need to use it for some reason you just have to copy past them and create an alias storage item.

[acatangiu]

not sure what you mean..

should define this other place? or just make it pub instead of pub(crate)?

[muharem]

Yes, I would make them public

[muharem]

why not to reference the actual block number type?

[acatangiu]

had some trouble storing BlockNumberFor<T>, then realized the interface is better to be generic - once we move to relay-block-number-provider that type might change again, but u64 will always be compatible

[muharem]

two times bigger than what we really use. when we change to configurable provider, the block number type wont change

[muharem]

do you plan to address this todo in the current PR?

[acatangiu]

just pushed something, want feedback before I clean it up all the way

[muharem]

some event?

[acatangiu]

yes, still needs events

[muharem]

this might be too many reads, we should check the weight_cutoff on every iteration

[acatangiu]

do we need to in practice? iterating over even a million keys should fit in practice, no?

I'm not even sure how we could do partial iterations, how to resume from where we left off...

[muharem]

in the context of this function (may be I missing a broader picture), it looks wrong. a client passes weight_cutoff, for this stage we ignore it. we do not know how small or big the weight_cutoff.

I think we can iterate one by one and if there was no enough weight to complete, we can return RemoveExpiredAliasAuthorizations(Some(cursor)).

[muharem]

it will be useful as the Pallet's function

[muharem]

nice