Add Paras authorize_code_hash + apply_authorized_code feature (#7592)

Closes: #7574
Relates to: #7591

## Motivation

This feature is useful when triggering a `Paras` pallet call from a
different chain than the one where the `Paras` pallet is deployed. For
example, we may want to send `Paras::force_set_current_code(para, code)`
from the Collectives and/or AssetHub to the relay chain (because the
relaychain governance will be migrated to the AssetHub as a part of
AHM).

The primary reason for this approach is to avoid transferring the entire
`new_code` Wasm blob between chains. Instead, we authorize the
`code_hash` using `root` via `fn
authorize_force_set_current_code_hash(new_authorization, expire_at)`.
This authorization can later be applied by anyone using
`Paras::apply_authorized_force_set_current_code(para, new_code)`. If
`expire_at` is reached without the authorization being used, it is
automatically removed.

## Usage

This feature is intended for use in two scenarios:

- The D-Day scenario, where we can restart AssetHub from Collectives —
see the PoC: #8141
- Using `force_set_current_code` for any parachain from migrated
governance to AssetHub (AHM)

## TODO
- [x] ~cover also `add_trusted_validation_code` or
`force_schedule_code_upgrade` - see comment bellow:
#7592 (comment)
no see other
[comment](#7592 (comment))


## Open questions

- [ ] ~Do we need something like `poke_authorized_code_hash`? E.g. in
case that we authorize code hash, but nobody would apply it and the
parachain starts working with old/other_new code? Is this possible?~
- [ ] Do we need something similar for `frame_system` pallet and
`set_code` / `set_code_without_checks`?
- [ ] Can we achieve the same with `pallet-whitelist`?
- [ ] Do we have other extrinsics over chains which has `code`
attribute?
- [x] Do we need to add `validate_unsigned` for `apply_authorized_code`?

---------

Co-authored-by: cmd[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Bastian Köcher <git@kchr.de>
Co-authored-by: Kian Paimani <5588131+kianenigma@users.noreply.github.com>
Co-authored-by: Adrian Catangiu <adrian@parity.io>

Author: 5 people

polkadot/runtime/common/src/assigned_slots/mod.rs

@@ -734,6 +734,7 @@ mod tests {
 		type AssignCoretime = ();
 		type Fungible = Balances;
 		type CooldownRemovalMultiplier = ConstUint<1>;
+		type AuthorizeCurrentCodeOrigin = EnsureRoot<Self::AccountId>;
 	}
 
 	impl parachains_shared::Config for Test {

polkadot/runtime/common/src/integration_tests.rs

@@ -216,6 +216,7 @@ impl paras::Config for Test {
 	type AssignCoretime = ();
 	type Fungible = Balances;
 	type CooldownRemovalMultiplier = ConstUint<1>;
+	type AuthorizeCurrentCodeOrigin = EnsureRoot<Self::AccountId>;
 }
 
 parameter_types! {

polkadot/runtime/common/src/paras_registrar/mock.rs

@@ -131,6 +131,7 @@ impl paras::Config for Test {
 	type AssignCoretime = ();
 	type Fungible = Balances;
 	type CooldownRemovalMultiplier = ConstUint<1>;
+	type AuthorizeCurrentCodeOrigin = frame_system::EnsureRoot<u64>;
 }
 
 impl configuration::Config for Test {

polkadot/runtime/parachains/src/mock.rs

@@ -40,7 +40,7 @@ use frame_support::{
 	PalletId,
 };
 use frame_support_test::TestRandomness;
-use frame_system::limits;
+use frame_system::{limits, EnsureRoot};
 use polkadot_primitives::{
 	AuthorityDiscoveryId, Balance, BlockNumber, CandidateHash, Moment, SessionIndex, UpwardMessage,
 	ValidationCode, ValidatorIndex,
@@ -249,6 +249,7 @@ impl crate::paras::Config for Test {
 	type AssignCoretime = ();
 	type Fungible = Balances;
 	type CooldownRemovalMultiplier = ConstUint<1>;
+	type AuthorizeCurrentCodeOrigin = EnsureRoot<AccountId>;
 }
 
 impl crate::dmp::Config for Test {}

polkadot/runtime/parachains/src/paras/benchmarking.rs

@@ -282,6 +282,44 @@ mod benchmarks {
 		Ok(())
 	}
 
+	#[benchmark]
+	fn authorize_force_set_current_code_hash() {
+		let para_id = ParaId::from(1000);
+		let code = ValidationCode(vec![0; 32]);
+		let new_code_hash = code.hash();
+		let valid_period = BlockNumberFor::<T>::from(1_000_000_u32);
+
+		#[extrinsic_call]
+		_(RawOrigin::Root, para_id, new_code_hash, valid_period);
+
+		assert_last_event::<T>(
+			Event::CodeAuthorized {
+				para_id,
+				code_hash: new_code_hash,
+				expire_at: frame_system::Pallet::<T>::block_number().saturating_add(valid_period),
+			}
+			.into(),
+		);
+	}
+
+	#[benchmark]
+	fn apply_authorized_force_set_current_code(c: Linear<MIN_CODE_SIZE, MAX_CODE_SIZE>) {
+		let code = ValidationCode(vec![0; c as usize]);
+		let para_id = ParaId::from(1000);
+		let expire_at =
+			frame_system::Pallet::<T>::block_number().saturating_add(BlockNumberFor::<T>::from(c));
+		AuthorizedCodeHash::<T>::insert(
+			&para_id,
+			AuthorizedCodeHashAndExpiry::from((code.hash(), expire_at)),
+		);
+		generate_disordered_pruning::<T>();
+
+		#[extrinsic_call]
+		_(RawOrigin::Root, para_id, code);
+
+		assert_last_event::<T>(Event::CurrentCodeUpdated(para_id).into());
+	}
+
 	impl_benchmark_test_suite!(
 		Pallet,
 		crate::mock::new_test_ext(Default::default()),