Struct AccountKeychain

Source

pub struct AccountKeychain {
    pub keys: <Mapping<Address, Mapping<Address, AuthorizedKey>> as StorableType>::Handler,
    pub spending_limits: <Mapping<B256, Mapping<Address, SpendingLimitState>> as StorableType>::Handler,
    pub key_scopes: <Mapping<B256, KeyScope> as StorableType>::Handler,
    pub transaction_key: <Address as StorableType>::Handler,
    pub tx_origin: <Address as StorableType>::Handler,
    address: Address,
    storage: StorageCtx,
}

Fields§

§keys: <Mapping<Address, Mapping<Address, AuthorizedKey>> as StorableType>::Handler§spending_limits: <Mapping<B256, Mapping<Address, SpendingLimitState>> as StorableType>::Handler§key_scopes: <Mapping<B256, KeyScope> as StorableType>::Handler§transaction_key: <Address as StorableType>::Handler§tx_origin: <Address as StorableType>::Handler§address: Address§storage: StorageCtx

Implementations§

Source §

impl AccountKeychain

Source

pub fn new() -> Self

Creates an instance of the precompile.

Caution: This does not initialize the account, see Self::initialize.

Source

pub fn emitted_events(&self) -> &Vec<LogData>

Available on crate features test-utils only.

Source

pub fn clear_emitted_events(&mut self)

Available on crate features test-utils only.

Source

pub fn assert_emitted_events(&self, expected: Vec<impl IntoLogData>)

Available on crate features test-utils only.

Source §

impl AccountKeychain

Source

pub fn spending_limit_key(account: Address, key_id: Address) -> B256

Create a hash key for account+key scoped storage rows.

This is used to access account-key rows like spending_limits[key][token] and key_scopes[key]. The hash combines account and key_id to avoid triple nesting.

Source

fn t3_spending_limit_cap(limit: U256) -> Result<u128>

Source

pub fn initialize(&mut self) -> Result<()>

Initializes the account keychain precompile.

Source

pub fn authorize_key( &mut self, msg_sender: Address, call: authorizeKeyCall, ) -> Result<()>

Registers a new access key with signature type, expiry, and optional per-token spending limits. Only callable with the account’s main key (not a session key).

§Errors

UnauthorizedCaller — only the main key can authorize/revoke and, for contract callers on T2+, msg.sender must match tx.origin
ZeroPublicKey — keyId cannot be the zero address
ExpiryInPast — expiry must be in the future (enforced since T0)
KeyAlreadyExists — a key with this ID is already registered
KeyAlreadyRevoked — revoked keys cannot be re-authorized
InvalidSignatureType — must be Secp256k1, P256, or WebAuthn

Source

pub fn revoke_key( &mut self, msg_sender: Address, call: revokeKeyCall, ) -> Result<()>

Permanently revokes an access key. Once revoked, a key ID can never be re-authorized for this account, preventing replay of old KeyAuthorization signatures.

§Errors

UnauthorizedCaller — only the main key can authorize/revoke and, for contract callers on T2+, msg.sender must match tx.origin
KeyNotFound — no key registered with this ID

Source

pub fn update_spending_limit( &mut self, msg_sender: Address, call: updateSpendingLimitCall, ) -> Result<()>

Updates the spending limit for a key-token pair. Can also convert an unlimited key into a limited one. Delegates to load_active_key for existence/revocation/expiry checks.

§Errors

UnauthorizedCaller — the transaction wasn’t signed by the main key, or on T2+ contract callers where msg.sender != tx.origin
KeyAlreadyRevoked — the target key has been permanently revoked
KeyNotFound — no key is registered under the given keyId
KeyExpired — the key’s expiry is at or before the current block timestamp

Source

pub fn get_key(&self, call: getKeyCall) -> Result<KeyInfo>

Returns key info for the given account-key pair, or a blank entry if inexistent or revoked.

Source

pub fn get_remaining_limit(&self, call: getRemainingLimitCall) -> Result<U256>

Returns the remaining spending limit for a key-token pair.

T2+ returns zero for missing, revoked, or expired keys. Pre-T2 preserves the historical behavior of reading the raw stored remaining amount so old blocks reexecute identically.

Source

pub fn get_remaining_limit_with_period( &self, call: getRemainingLimitWithPeriodCall, ) -> Result<getRemainingLimitReturn>

Returns the remaining spending limit together with the active period end timestamp.

Missing, revoked, or expired keys report zeroed values instead of erroring.

Source

pub fn set_allowed_calls( &mut self, msg_sender: Address, call: setAllowedCallsCall, ) -> Result<()>

Root-only create-or-replace updates for one or more target call scopes.

Source

pub fn remove_allowed_calls( &mut self, msg_sender: Address, call: removeAllowedCallsCall, ) -> Result<()>

Root-only removal of one target call scope.

Source

pub fn get_allowed_calls( &self, call: getAllowedCallsCall, ) -> Result<getAllowedCallsReturn>

Returns whether an account key is call-scoped together with its configured call scopes.

isScoped = false means unrestricted. isScoped = true with an empty scopes vec means the key is scoped but currently allows no targets. Missing, revoked, or expired access keys also report scoped deny-all so this getter never exposes stale persisted scope state.

Source

pub fn get_transaction_key( &self, _call: getTransactionKeyCall, _msg_sender: Address, ) -> Result<Address>

Returns the access key used to authorize the current transaction (Address::ZERO = root key).

Source

pub fn set_transaction_key(&mut self, key_id: Address) -> Result<()>

Internal: Set the transaction key (called during transaction validation)

SECURITY CRITICAL: This must be called by the transaction validation logic BEFORE the transaction is executed, to store which key authorized the transaction.

If key_id is Address::ZERO (main key), this should store Address::ZERO
If key_id is a specific key address, this should store that key

This creates a secure channel between validation and the precompile to ensure only the main key can authorize/revoke other keys. Uses transient storage, so the key is automatically cleared after the transaction.

Source

pub fn set_tx_origin(&mut self, origin: Address) -> Result<()>

Sets the transaction origin (tx.origin) for the current transaction.

Called by the handler before transaction execution. Uses transient storage, so it’s automatically cleared after the transaction.

Source

fn apply_key_authorization_restrictions<'a>( &mut self, account: Address, key_id: Address, limits: impl IntoIterator<Item = &'a TokenLimit>, allowed_calls: Option<&[CallScope]>, ) -> Result<()>

Persists the authorization-time restrictions for a freshly created key.

T0-T2 only store raw spending limits. T3 additionally seeds periodic metadata and replaces the key’s call-scope tree in one pass.

Source

pub fn validate_call_scope_for_transaction( &self, account: Address, key_id: Address, to: &TxKind, input: &[u8], ) -> Result<()>

Validates a top-level call against scoped permissions for this key.

Validation walks the scope tree from coarse to fine:

is_scoped = false => unrestricted key
target missing from targets => target denied
target present with selectors = [] => allow any selector on that target
selector missing from selectors => selector denied
selector present with recipients = [] => allow any recipient for that selector

Source

fn replace_allowed_calls( &mut self, account_key: B256, allowed_calls: Option<&[CallScope]>, ) -> Result<()>

Replaces the full call-scope tree for an account key.

None switches the key back to unrestricted mode, while Some([]) preserves scoped mode with no targets so reads can distinguish scoped deny-all from unrestricted mode. This is the only place where an empty top-level list means deny-all; below the key level, empty child sets mean “no further restriction”.

Source

fn clear_all_target_scopes(&mut self, account_key: B256) -> Result<()>

Deletes every persisted target scope under an account key.

Source

fn remove_target_scope( &mut self, account_key: B256, target: Address, ) -> Result<()>

Deletes one target scope and all nested selector/recipient rows beneath it.

Source

fn clear_target_selectors( &mut self, account_key: B256, target: Address, ) -> Result<()>

Clears every selector scope stored under one target.

Source

fn upsert_target_scope( &mut self, account_key: B256, scope: &CallScope, ) -> Result<()>

Creates or replaces one target scope, including all nested selector rules.

Source

fn validate_call_scopes(&self, scopes: &[CallScope]) -> Result<()>

Validates a list of CallScopes.

Source

fn validate_call_scope(&self, scope: &CallScope) -> Result<()>

Validates a single CallScope.

Source

fn validate_selector_rules( &self, target: Address, rules: &[SelectorRule], ) -> Result<()>

Validates per-selector scope rules for one target before they are persisted.

recipients = [] is an explicit allow-all sentinel at the selector level. To deny a selector entirely, omit it from selectorRules or remove the target scope instead of leaving behind an empty child set via incremental mutation.

Source

fn ensure_admin_caller(&self, msg_sender: Address) -> Result<()>

Ensures admin operations are authorized for this caller.

Rules:

transaction must be signed by the main key (transaction_key == Address::ZERO)
T2+: caller must match tx.origin

§Errors

UnauthorizedCaller when called via an access key
UnauthorizedCaller on T2+ when msg.sender != tx.origin
storage read errors from transient key/origin or account metadata lookups

The T2 check prevents transaction-global root-key status from being reused by intermediate contracts (confused-deputy self-administration).

tx_origin is seeded by the handler before validation/execution. If origin is not seeded (zero), admin ops are rejected.

Source

fn load_active_key( &self, account: Address, key_id: Address, current_timestamp: u64, ) -> Result<AuthorizedKey>

Load and validate a key exists, is not revoked, and is not expired.

Returns the key if valid, or an error if:

Key doesn’t exist (expiry == 0)
Key has been revoked
Key has expired at or before current_timestamp

Source

pub fn validate_keychain_authorization( &self, account: Address, key_id: Address, current_timestamp: u64, expected_sig_type: Option<u8>, ) -> Result<AuthorizedKey>

Validate keychain authorization (existence, revocation, expiry, and optionally signature type).

§Arguments

account - The account that owns the key
key_id - The key identifier to validate
current_timestamp - Current block timestamp for expiry check
expected_sig_type - The signature type from the actual signature (0=Secp256k1, 1=P256, 2=WebAuthn). Pass None to skip validation (for backward compatibility pre-T1).

§Errors

KeyAlreadyRevoked — the key has been permanently revoked
KeyNotFound — no key is registered under the given key_id
KeyExpired — current_timestamp is at or past the key’s expiry
SignatureTypeMismatch — the key’s stored type differs from expected_sig_type

Source

pub fn effective_remaining_limit( &self, account: Address, key_id: Address, token: Address, current_timestamp: u64, ) -> Result<U256>

Computes the effective remaining limit at current_timestamp without mutating storage.

Source

fn effective_limit_state( &self, account: Address, key_id: Address, token: Address, current_timestamp: u64, ) -> Result<(U256, u64)>

Computes the effective remaining limit and period end at current_timestamp without mutating storage.

Source

pub fn verify_and_update_spending( &mut self, account: Address, key_id: Address, token: Address, amount: U256, ) -> Result<()>

Deducts amount from the key’s remaining spending limit for token, failing if exceeded.

§Errors

KeyAlreadyRevoked — the key has been permanently revoked
KeyNotFound — no key is registered under the given key_id
SpendingLimitExceeded — amount exceeds the key’s remaining limit for token

Source

pub fn refund_spending_limit( &mut self, account: Address, token: Address, amount: U256, ) -> Result<()>

Refund spending limit after a fee refund.

Restores the spending limit by the refunded amount. Should be called after a fee refund to avoid permanently reducing the spending limit. On T3, this should never restore more than the configured max in the current fee flow, but we still clamp as defense in depth in case a future caller violates that invariant.

Source

pub fn authorize_transfer( &mut self, account: Address, token: Address, amount: U256, ) -> Result<()>

Authorize a token transfer with access key spending limits.

This method checks if the transaction is using an access key, and if so, verifies and updates the spending limits for that key. Should be called before executing a transfer.

§Errors

KeyAlreadyRevoked — the session key has been permanently revoked
KeyNotFound — no key is registered for the current transaction key
SpendingLimitExceeded — amount exceeds the key’s remaining limit for token

Source

pub fn authorize_approve( &mut self, account: Address, token: Address, old_approval: U256, new_approval: U256, ) -> Result<()>

Authorize a token approval with access key spending limits.

This method checks if the transaction is using an access key, and if so, verifies and updates the spending limits for that key. Should be called before executing an approval.

§Errors

KeyAlreadyRevoked — the session key has been permanently revoked
KeyNotFound — no key is registered for the current transaction key
SpendingLimitExceeded — the approval increase exceeds the remaining limit for token

Source §

impl AccountKeychain

Source

pub fn create_precompile(cfg: &CfgEnv<TempoHardfork>) -> DynPrecompile

Creates the EVM precompile for this type.

Trait Implementations§

Source §

impl ContractStorage for AccountKeychain

Source §

fn address(&self) -> Address

Contract address.

Source §

fn storage(&self) -> &StorageCtx

Contract storage accessor.

Source §

fn storage_mut(&mut self) -> &mut StorageCtx

Contract storage mutable accessor.

Source §

fn is_initialized(&self) -> Result<bool>

Returns true if the contract has been initialized (has bytecode deployed).

Source §

impl Default for AccountKeychain

Source §

fn default() -> Self

Returns the “default value” for a type. Read more

Source §

impl Precompile for AccountKeychain

Source §

fn call(&mut self, calldata: &[u8], msg_sender: Address) -> PrecompileResult

Dispatches an EVM call to this precompile. Read more

Auto Trait Implementations§

§

impl !Freeze for AccountKeychain

§

impl !RefUnwindSafe for AccountKeychain

§

impl Send for AccountKeychain

§

impl !Sync for AccountKeychain

§

impl Unpin for AccountKeychain

§

impl UnsafeUnpin for AccountKeychain

§

impl UnwindSafe for AccountKeychain

Blanket Implementations§

Source §

impl<T> Any for T
where T: 'static + ?Sized,

Source §

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

Source §

impl<T> Borrow<T> for T
where T: ?Sized,

Source §

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

Source §

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source §

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

§

impl<T> Conv for T

§

fn conv<T>(self) -> T
where Self: Into<T>,

Converts self into T using Into<T>. Read more

§

impl<T> FmtForward for T

§

fn fmt_binary(self) -> FmtBinary<Self>
where Self: Binary,

Causes self to use its Binary implementation when Debug-formatted.

§

fn fmt_display(self) -> FmtDisplay<Self>
where Self: Display,

Causes self to use its Display implementation when Debug-formatted.

§

fn fmt_lower_exp(self) -> FmtLowerExp<Self>
where Self: LowerExp,

Causes self to use its LowerExp implementation when Debug-formatted.

§

fn fmt_lower_hex(self) -> FmtLowerHex<Self>
where Self: LowerHex,

Causes self to use its LowerHex implementation when Debug-formatted.

§

fn fmt_octal(self) -> FmtOctal<Self>
where Self: Octal,

Causes self to use its Octal implementation when Debug-formatted.

§

fn fmt_pointer(self) -> FmtPointer<Self>
where Self: Pointer,

Causes self to use its Pointer implementation when Debug-formatted.

§

fn fmt_upper_exp(self) -> FmtUpperExp<Self>
where Self: UpperExp,

Causes self to use its UpperExp implementation when Debug-formatted.

§

fn fmt_upper_hex(self) -> FmtUpperHex<Self>
where Self: UpperHex,

Causes self to use its UpperHex implementation when Debug-formatted.

§

fn fmt_list(self) -> FmtList<Self>
where &'a Self: for<'a> IntoIterator,

Formats each item in a sequence. Read more

Source §

impl<T> From<T> for T

Source §

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<TxEnv, T> FromRecoveredTx<&T> for TxEnv
where TxEnv: FromRecoveredTx<T>,

§

fn from_recovered_tx(tx: &&T, sender: Address) -> TxEnv

Builds a [TxEnv] from a transaction and a sender address.

§

impl<TxEnv, T> FromTxWithEncoded<&T> for TxEnv
where TxEnv: FromTxWithEncoded<T>,

§

fn from_encoded_tx(tx: &&T, sender: Address, encoded: Bytes) -> TxEnv

Builds a [TxEnv] from a transaction, its sender, and encoded transaction bytes.

§

impl<T> FutureExt for T

§

fn with_context(self, otel_cx: Context) -> WithContext<Self>

Attaches the provided Context to this type, returning a WithContext wrapper. Read more

§

fn with_current_context(self) -> WithContext<Self>

Attaches the current Context to this type, returning a WithContext wrapper. Read more

§

impl<T> Instrument for T

§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided [Span], returning an Instrumented wrapper. Read more

§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more

Source §

impl<T> Instrument for T

Source §

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more

Source §

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more

Source §

impl<T, U> Into for T
where U: From<T>,

Source §

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source §

impl<T> IntoEither for T

Source §

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more

Source §

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more

§

impl<T> IntoRequest<T> for T

§

fn into_request(self) -> Request<T>

Wrap the input message T in a tonic::Request

§

impl<L> LayerExt<L> for L

§

fn named_layer<S>(&self, service: S) -> Layered<<L as Layer<S>>::Service, S>
where L: Layer<S>,

Applies the layer to a service and wraps it in [Layered].

§

impl<T> Pipe for T
where T: ?Sized,

§

fn pipe<R>(self, func: impl FnOnce(Self) -> R) -> R
where Self: Sized,

Pipes by value. This is generally the method you want to use. Read more

§

fn pipe_ref<'a, R>(&'a self, func: impl FnOnce(&'a Self) -> R) -> R
where R: 'a,

Borrows self and passes that borrow into the pipe function. Read more

§

fn pipe_ref_mut<'a, R>(&'a mut self, func: impl FnOnce(&'a mut Self) -> R) -> R
where R: 'a,

Mutably borrows self and passes that borrow into the pipe function. Read more

§

fn pipe_borrow<'a, B, R>(&'a self, func: impl FnOnce(&'a B) -> R) -> R
where Self: Borrow, B: 'a + ?Sized, R: 'a,

Borrows self, then passes self.borrow() into the pipe function. Read more

§

fn pipe_borrow_mut<'a, B, R>( &'a mut self, func: impl FnOnce(&'a mut B) -> R, ) -> R
where Self: BorrowMut, B: 'a + ?Sized, R: 'a,

Mutably borrows self, then passes self.borrow_mut() into the pipe function. Read more

§

fn pipe_as_ref<'a, U, R>(&'a self, func: impl FnOnce(&'a U) -> R) -> R
where Self: AsRef, U: 'a + ?Sized, R: 'a,

Borrows self, then passes self.as_ref() into the pipe function.

§

fn pipe_as_mut<'a, U, R>(&'a mut self, func: impl FnOnce(&'a mut U) -> R) -> R
where Self: AsMut, U: 'a + ?Sized, R: 'a,

Mutably borrows self, then passes self.as_mut() into the pipe function.

§

fn pipe_deref<'a, T, R>(&'a self, func: impl FnOnce(&'a T) -> R) -> R
where Self: Deref<Target = T>, T: 'a + ?Sized, R: 'a,

Borrows self, then passes self.deref() into the pipe function.

§

fn pipe_deref_mut<'a, T, R>( &'a mut self, func: impl FnOnce(&'a mut T) -> R, ) -> R
where Self: DerefMut<Target = T> + Deref, T: 'a + ?Sized, R: 'a,

Mutably borrows self, then passes self.deref_mut() into the pipe function.

§

impl<T> Pointable for T

§

const ALIGN: usize

The alignment of pointer.

§

type Init = T

The type for initializers.

§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more

§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more

§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more

§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more

§

impl<T> PolicyExt for T
where T: ?Sized,

§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns [Action::Follow] only if self and other return Action::Follow. Read more

§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns [Action::Follow] if either self or other returns Action::Follow. Read more

Source §

impl<T> Same for T

Source §

type Output = T

Should always be Self

§

impl<T> ServiceExt for T

§

fn propagate_header(self, header: HeaderName) -> PropagateHeader<Self>
where Self: Sized,

Available on crate feature propagate-header only.

Propagate a header from the request to the response. Read more

§

fn add_extension<T>(self, value: T) -> AddExtension<Self, T>
where Self: Sized,

Available on crate feature add-extension only.

Add some shareable value to request extensions. Read more

§

fn map_request_body<F>(self, f: F) -> MapRequestBody<Self, F>
where Self: Sized,

Available on crate feature map-request-body only.

Apply a transformation to the request body. Read more

§

fn map_response_body<F>(self, f: F) -> MapResponseBody<Self, F>
where Self: Sized,

Available on crate feature map-response-body only.

Apply a transformation to the response body. Read more

§

fn compression(self) -> Compression<Self>
where Self: Sized,

Available on crate features compression-br or compression-deflate or compression-gzip or compression-zstd only.

Compresses response bodies. Read more

§

fn decompression(self) -> Decompression<Self>
where Self: Sized,

Available on crate features decompression-br or decompression-deflate or decompression-gzip or decompression-zstd only.

Decompress response bodies. Read more

§

fn trace_for_http(self) -> Trace<Self, SharedClassifier<ServerErrorsAsFailures>>
where Self: Sized,

Available on crate feature trace only.

High level tracing that classifies responses using HTTP status codes. Read more

§

fn trace_for_grpc(self) -> Trace<Self, SharedClassifier<GrpcErrorsAsFailures>>
where Self: Sized,

Available on crate feature trace only.

High level tracing that classifies responses using gRPC headers. Read more

§

fn follow_redirects(self) -> FollowRedirect<Self>
where Self: Sized,

Available on crate feature follow-redirect only.

Follow redirect resposes using the Standard policy. Read more

§

fn sensitive_headers( self, headers: impl IntoIterator<Item = HeaderName>, ) -> SetSensitiveRequestHeaders<SetSensitiveResponseHeaders<Self>>
where Self: Sized,

Available on crate feature sensitive-headers only.

Mark headers as sensitive on both requests and responses. Read more

§

fn sensitive_request_headers( self, headers: impl IntoIterator<Item = HeaderName>, ) -> SetSensitiveRequestHeaders<Self>
where Self: Sized,

Available on crate feature sensitive-headers only.

Mark headers as sensitive on requests. Read more

§

fn sensitive_response_headers( self, headers: impl IntoIterator<Item = HeaderName>, ) -> SetSensitiveResponseHeaders<Self>
where Self: Sized,

Available on crate feature sensitive-headers only.

Mark headers as sensitive on responses. Read more

§