token-2022: Add cpi guard instructions (#333)

* token2022: add cpi guard token extension

Co-authored-by: zubayr1 <write2zubayr@gmail.com>
Co-authored-by: M. Daeva <embedmad@gmail.com>

* Nits

* Fix formatting

* More nits

* Address review comments

---------

Co-authored-by: inspiration_gx <94226358+inspi-writer001@users.noreply.github.com>
Co-authored-by: zubayr1 <write2zubayr@gmail.com>
Co-authored-by: M. Daeva <embedmad@gmail.com>

Author: 4 people

programs/token-2022/src/instructions/extensions/cpi_guard/disable.rs

@@ -0,0 +1,134 @@
+use {
+    crate::instructions::{extensions::ExtensionDiscriminator, MAX_MULTISIG_SIGNERS},
+    core::{mem::MaybeUninit, slice},
+    solana_account_view::AccountView,
+    solana_address::Address,
+    solana_instruction_view::{
+        cpi::{invoke_signed_with_bounds, Signer},
+        InstructionAccount, InstructionView,
+    },
+    solana_program_error::{ProgramError, ProgramResult},
+};
+
+/// Allow all token operations to happen via CPI as normal.
+///
+/// Implicitly initializes the extension in the case where it is not
+/// present.
+///
+/// Accounts expected by this instruction:
+///
+///   0. `[writable]` The account to update.
+///   1. `[signer]` The account's owner.
+///
+///   * Multisignature authority
+///   0. `[writable]` The account to update.
+///   1. `[]`  The account's multisignature owner.
+///   2. `..2+M` `[signer]` M signer accounts.
+pub struct Disable<'a, 'b, 'c> {
+    /// The account to update.
+    pub account: &'a AccountView,
+
+    /// The account's owner.
+    pub authority: &'a AccountView,
+
+    /// The signer accounts if the authority is a multisig.
+    pub multisig_signers: &'c [&'a AccountView],
+
+    /// The token program.
+    pub token_program: &'b Address,
+}
+
+impl<'a, 'b, 'c> Disable<'a, 'b, 'c> {
+    pub const DISCRIMINATOR: u8 = 1;
+
+    /// Creates a new `Disable` instruction with a single owner/delegate
+    /// authority.
+    #[inline(always)]
+    pub fn new(
+        token_program: &'b Address,
+        account: &'a AccountView,
+        authority: &'a AccountView,
+    ) -> Self {
+        Self::with_multisig_signers(token_program, account, authority, &[])
+    }
+
+    /// Creates a new `Disable` instruction with a multisignature owner/delegate
+    /// authority and signer accounts.
+    #[inline(always)]
+    pub fn with_multisig_signers(
+        token_program: &'b Address,
+        account: &'a AccountView,
+        authority: &'a AccountView,
+        multisig_signers: &'c [&'a AccountView],
+    ) -> Self {
+        Self {
+            account,
+            authority,
+            multisig_signers,
+            token_program,
+        }
+    }
+
+    #[inline(always)]
+    pub fn invoke(&self) -> ProgramResult {
+        self.invoke_signed(&[])
+    }
+
+    #[inline(always)]
+    pub fn invoke_signed(&self, signers: &[Signer]) -> ProgramResult {
+        if self.multisig_signers.len() > MAX_MULTISIG_SIGNERS {
+            return Err(ProgramError::InvalidArgument);
+        }
+
+        let expected_accounts = 2 + self.multisig_signers.len();
+
+        // Instruction accounts.
+
+        let mut instruction_accounts =
+            [const { MaybeUninit::<InstructionAccount>::uninit() }; 2 + MAX_MULTISIG_SIGNERS];
+
+        instruction_accounts[0].write(InstructionAccount::writable(self.account.address()));
+
+        instruction_accounts[1].write(InstructionAccount::new(
+            self.authority.address(),
+            false,
+            self.multisig_signers.is_empty(),
+        ));
+
+        for (account, signer) in instruction_accounts[2..]
+            .iter_mut()
+            .zip(self.multisig_signers.iter())
+        {
+            account.write(InstructionAccount::readonly_signer(signer.address()));
+        }
+
+        // Accounts.
+
+        let mut accounts =
+            [const { MaybeUninit::<&AccountView>::uninit() }; 2 + MAX_MULTISIG_SIGNERS];
+
+        accounts[0].write(self.account);
+
+        accounts[1].write(self.authority);
+
+        for (account, signer) in accounts[2..].iter_mut().zip(self.multisig_signers.iter()) {
+            account.write(signer);
+        }
+
+        invoke_signed_with_bounds::<{ 2 + MAX_MULTISIG_SIGNERS }>(
+            &InstructionView {
+                program_id: self.token_program,
+                // SAFETY: instruction accounts has `expected_accounts` initialized.
+                accounts: unsafe {
+                    slice::from_raw_parts(instruction_accounts.as_ptr() as _, expected_accounts)
+                },
+                data: &[ExtensionDiscriminator::CpiGuard as u8, Self::DISCRIMINATOR],
+            },
+            // SAFETY: accounts has `expected_accounts` initialized.
+            unsafe {
+                slice::from_raw_parts(accounts.as_ptr() as *const &AccountView, expected_accounts)
+            },
+            signers,
+        )
+    }
+}

programs/token-2022/src/instructions/extensions/cpi_guard/enable.rs

@@ -0,0 +1,138 @@
+use {
+    crate::instructions::{extensions::ExtensionDiscriminator, MAX_MULTISIG_SIGNERS},
+    core::{mem::MaybeUninit, slice},
+    solana_account_view::AccountView,
+    solana_address::Address,
+    solana_instruction_view::{
+        cpi::{invoke_signed_with_bounds, Signer},
+        InstructionAccount, InstructionView,
+    },
+    solana_program_error::{ProgramError, ProgramResult},
+};
+
+/// Lock certain token operations from taking place within CPI for this
+/// Account, namely:
+/// * `Transfer` and `Burn` must go through a delegate.
+/// * `CloseAccount` can only return lamports to owner.
+/// * `SetAuthority` can only be used to remove an existing close authority.
+/// * `Approve` is disallowed entirely.
+///
+/// In addition, CPI Guard cannot be enabled or disabled via CPI.
+///
+/// Accounts expected by this instruction:
+///
+///   0. `[writable]` The account to update.
+///   1. `[signer]` The account's owner.
+///
+///   * Multisignature authority
+///   0. `[writable]` The account to update.
+///   1. `[]` The account's multisignature owner.
+///   2. `..2+M` `[signer]` M signer accounts.
+pub struct Enable<'a, 'b, 'c> {
+    /// The account to update.
+    pub account: &'a AccountView,
+
+    /// The account's owner.
+    pub authority: &'a AccountView,
+
+    /// The signer accounts if the authority is a multisig.
+    pub multisig_signers: &'c [&'a AccountView],
+
+    /// The token program.
+    pub token_program: &'b Address,
+}
+
+impl<'a, 'b, 'c> Enable<'a, 'b, 'c> {
+    pub const DISCRIMINATOR: u8 = 0;
+
+    /// Creates a new `Enable` instruction with a single owner/delegate
+    /// authority.
+    #[inline(always)]
+    pub fn new(
+        token_program: &'b Address,
+        account: &'a AccountView,
+        authority: &'a AccountView,
+    ) -> Self {
+        Self::with_multisig_signers(token_program, account, authority, &[])
+    }
+
+    /// Creates a new `Enable` instruction with a multisignature owner/delegate
+    /// authority and signer accounts.
+    #[inline(always)]
+    pub fn with_multisig_signers(
+        token_program: &'b Address,
+        account: &'a AccountView,
+        authority: &'a AccountView,
+        multisig_signers: &'c [&'a AccountView],
+    ) -> Self {
+        Self {
+            account,
+            authority,
+            multisig_signers,
+            token_program,
+        }
+    }
+
+    #[inline(always)]
+    pub fn invoke(&self) -> ProgramResult {
+        self.invoke_signed(&[])
+    }
+
+    #[inline(always)]
+    pub fn invoke_signed(&self, signers: &[Signer]) -> ProgramResult {
+        if self.multisig_signers.len() > MAX_MULTISIG_SIGNERS {
+            return Err(ProgramError::InvalidArgument);
+        }
+
+        let expected_accounts = 2 + self.multisig_signers.len();
+
+        // Instruction accounts.
+
+        let mut instruction_accounts =
+            [const { MaybeUninit::<InstructionAccount>::uninit() }; 2 + MAX_MULTISIG_SIGNERS];
+
+        instruction_accounts[0].write(InstructionAccount::writable(self.account.address()));
+
+        instruction_accounts[1].write(InstructionAccount::new(
+            self.authority.address(),
+            false,
+            self.multisig_signers.is_empty(),
+        ));
+
+        for (account, signer) in instruction_accounts[2..]
+            .iter_mut()
+            .zip(self.multisig_signers.iter())
+        {
+            account.write(InstructionAccount::readonly_signer(signer.address()));
+        }
+
+        // Accounts.
+
+        let mut accounts =
+            [const { MaybeUninit::<&AccountView>::uninit() }; 2 + MAX_MULTISIG_SIGNERS];
+
+        accounts[0].write(self.account);
+
+        accounts[1].write(self.authority);
+
+        for (account, signer) in accounts[2..].iter_mut().zip(self.multisig_signers.iter()) {
+            account.write(signer);
+        }
+
+        invoke_signed_with_bounds::<{ 2 + MAX_MULTISIG_SIGNERS }>(
+            &InstructionView {
+                program_id: self.token_program,
+                // SAFETY: instruction accounts has `expected_accounts` initialized.
+                accounts: unsafe {
+                    slice::from_raw_parts(instruction_accounts.as_ptr() as _, expected_accounts)
+                },
+                data: &[ExtensionDiscriminator::CpiGuard as u8, Self::DISCRIMINATOR],
+            },
+            // SAFETY: accounts has `expected_accounts` initialized.
+            unsafe {
+                slice::from_raw_parts(accounts.as_ptr() as *const &AccountView, expected_accounts)
+            },
+            signers,
+        )
+    }
+}

programs/token-2022/src/instructions/extensions/cpi_guard/mod.rs

@@ -0,0 +1,4 @@
+pub mod disable;
+pub mod enable;
+
+pub use {disable::*, enable::*};

programs/token-2022/src/instructions/extensions/mod.rs

@@ -1,3 +1,4 @@
+pub mod cpi_guard;
 pub mod default_account_state;
 pub mod group_member_pointer;
 pub mod group_pointer;
@@ -19,6 +20,7 @@ pub enum ExtensionDiscriminator {
     DefaultAccountState = 28,
     MemoTransfer = 30,
     InterestBearingMint = 33,
+    CpiGuard = 34,
     PermanentDelegate = 35,
     TransferHook = 36,
     MetadataPointer = 39,