diff --git a/docs/docs/02-apps/01-transfer/08-authorizations.md b/docs/docs/02-apps/01-transfer/08-authorizations.md index bd7a5b9269c..9dde26c1867 100644 --- a/docs/docs/02-apps/01-transfer/08-authorizations.md +++ b/docs/docs/02-apps/01-transfer/08-authorizations.md @@ -22,6 +22,8 @@ It takes: - an `AllowList` list that specifies the list of addresses that are allowed to receive funds. If this list is empty, then all addresses are allowed to receive funds from the `TransferAuthorization`. +- an `AllowedPacketData` list that specifies the list of memo packet data keys that are allowed to send the packet. If this list is empty, then only an empty memo is allowed (a `memo` field with non-empty content will be denied). If this list includes a single element equal to `"*"`, then any content in `memo` field will be allowed. + Setting a `TransferAuthorization` is expected to fail if: - the spend limit is nil @@ -29,6 +31,7 @@ Setting a `TransferAuthorization` is expected to fail if: - the source port ID is invalid - the source channel ID is invalid - there are duplicate entries in the `AllowList` +- the `memo` field is not allowed by `AllowedPacketData` Below is the `TransferAuthorization` message: @@ -48,6 +51,9 @@ type Allocation struct { SpendLimit sdk.Coins // allow list of receivers, an empty allow list permits any receiver address AllowList []string + // allow list of packet data keys, an empty list prohibits all packet data keys; + // a list only with "*" permits any packet data key + AllowedPacketData []string } ``` diff --git a/modules/apps/transfer/types/authz.pb.go b/modules/apps/transfer/types/authz.pb.go index e05cdc401e7..22298d64b63 100644 --- a/modules/apps/transfer/types/authz.pb.go +++ b/modules/apps/transfer/types/authz.pb.go @@ -36,6 +36,9 @@ type Allocation struct { SpendLimit github_com_cosmos_cosmos_sdk_types.Coins `protobuf:"bytes,3,rep,name=spend_limit,json=spendLimit,proto3,castrepeated=github.com/cosmos/cosmos-sdk/types.Coins" json:"spend_limit"` // allow list of receivers, an empty allow list permits any receiver address AllowList []string `protobuf:"bytes,4,rep,name=allow_list,json=allowList,proto3" json:"allow_list,omitempty"` + // allow list of packet data keys, an empty list. + // an empty list prohibits all packet data keys; a list only with "*" permits any packet data key + AllowedPacketData []string `protobuf:"bytes,5,rep,name=allowed_packet_data,json=allowedPacketData,proto3" json:"allowed_packet_data,omitempty"` } func (m *Allocation) Reset() { *m = Allocation{} } @@ -99,6 +102,13 @@ func (m *Allocation) GetAllowList() []string { return nil } +func (m *Allocation) GetAllowedPacketData() []string { + if m != nil { + return m.AllowedPacketData + } + return nil +} + // TransferAuthorization allows the grantee to spend up to spend_limit coins from // the granter's account for ibc transfer on a specific channel type TransferAuthorization struct { @@ -156,33 +166,35 @@ func init() { } var fileDescriptor_b1a28b55d17325aa = []byte{ - // 408 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x52, 0x3d, 0x8f, 0xd4, 0x30, - 0x10, 0x5d, 0xb3, 0x27, 0xa4, 0x75, 0x04, 0x45, 0x04, 0x52, 0xee, 0x04, 0xd9, 0xd5, 0x4a, 0xa0, - 0x34, 0x6b, 0x13, 0x28, 0x40, 0x74, 0xb7, 0xd7, 0x5e, 0x71, 0x44, 0x54, 0x34, 0x91, 0xe3, 0x35, - 0x89, 0x85, 0x93, 0x89, 0x62, 0x27, 0x88, 0xfb, 0x15, 0xf0, 0x37, 0xa8, 0xf9, 0x11, 0x27, 0xaa, - 0x2b, 0xa9, 0xf8, 0xd8, 0xfd, 0x23, 0x28, 0xb6, 0x17, 0x16, 0x21, 0x5d, 0x95, 0xe4, 0xe5, 0xcd, - 0xcc, 0x7b, 0x6f, 0x06, 0x27, 0xb2, 0xe0, 0x94, 0xb5, 0xad, 0x92, 0x9c, 0x19, 0x09, 0x8d, 0xa6, - 0xa6, 0x63, 0x8d, 0x7e, 0x2b, 0x3a, 0x3a, 0xa4, 0x94, 0xf5, 0xa6, 0xba, 0x24, 0x6d, 0x07, 0x06, - 0xc2, 0x07, 0xb2, 0xe0, 0xe4, 0x90, 0x49, 0xf6, 0x4c, 0x32, 0xa4, 0x27, 0xc7, 0x1c, 0x74, 0x0d, - 0x3a, 0xb7, 0x5c, 0xea, 0x3e, 0x5c, 0xe1, 0xc9, 0xbd, 0x12, 0x4a, 0x70, 0xf8, 0xf8, 0xe6, 0xd1, - 0xd8, 0x71, 0x68, 0xc1, 0xb4, 0xa0, 0x43, 0x5a, 0x08, 0xc3, 0x52, 0xca, 0x41, 0x36, 0xee, 0xff, - 0xf2, 0x17, 0xc2, 0xf8, 0x54, 0x29, 0x70, 0xc3, 0xc2, 0x39, 0x0e, 0x34, 0xf4, 0x1d, 0x17, 0x79, - 0x0b, 0x9d, 0x89, 0xd0, 0x02, 0x25, 0xb3, 0x0c, 0x3b, 0xe8, 0x02, 0x3a, 0x13, 0x3e, 0xc2, 0x77, - 0x3d, 0x81, 0x57, 0xac, 0x69, 0x84, 0x8a, 0x6e, 0x59, 0xce, 0x1d, 0x87, 0x9e, 0x39, 0x30, 0x54, - 0x38, 0xd0, 0xad, 0x68, 0x36, 0xb9, 0x92, 0xb5, 0x34, 0xd1, 0x74, 0x31, 0x4d, 0x82, 0xa7, 0xc7, - 0xc4, 0x0b, 0x1e, 0xc5, 0x10, 0x2f, 0x86, 0x9c, 0x81, 0x6c, 0xd6, 0x4f, 0xae, 0xbe, 0xcf, 0x27, - 0x9f, 0x7f, 0xcc, 0x93, 0x52, 0x9a, 0xaa, 0x2f, 0x08, 0x87, 0xda, 0xbb, 0xf3, 0x8f, 0x95, 0xde, - 0xbc, 0xa3, 0xe6, 0x43, 0x2b, 0xb4, 0x2d, 0xd0, 0x19, 0xb6, 0xfd, 0xcf, 0xc7, 0xf6, 0xe1, 0x43, - 0x8c, 0x99, 0x52, 0xf0, 0x3e, 0x57, 0x52, 0x9b, 0xe8, 0x68, 0x31, 0x4d, 0x66, 0xd9, 0xcc, 0x22, - 0xe7, 0x52, 0x9b, 0xe5, 0x27, 0x84, 0xef, 0xbf, 0xf6, 0x21, 0x9e, 0xf6, 0xa6, 0x82, 0x4e, 0x5e, - 0x3a, 0xbb, 0x17, 0x38, 0x60, 0x7f, 0xcc, 0xeb, 0x08, 0x59, 0x99, 0x09, 0xb9, 0x69, 0x05, 0xe4, - 0x6f, 0x5a, 0xeb, 0xa3, 0x51, 0x75, 0x76, 0xd8, 0xe2, 0xe5, 0xe3, 0xaf, 0x5f, 0x56, 0x4b, 0x6f, - 0xd3, 0xad, 0x75, 0xef, 0xf3, 0x9f, 0xc9, 0xeb, 0x57, 0x57, 0xdb, 0x18, 0x5d, 0x6f, 0x63, 0xf4, - 0x73, 0x1b, 0xa3, 0x8f, 0xbb, 0x78, 0x72, 0xbd, 0x8b, 0x27, 0xdf, 0x76, 0xf1, 0xe4, 0xcd, 0xf3, - 0xff, 0x23, 0x90, 0x05, 0x5f, 0x95, 0x40, 0x87, 0x17, 0xb4, 0x86, 0x4d, 0xaf, 0x84, 0x1e, 0x4f, - 0xe9, 0xe0, 0x84, 0x6c, 0x2e, 0xc5, 0x6d, 0xbb, 0xd1, 0x67, 0xbf, 0x03, 0x00, 0x00, 0xff, 0xff, - 0xba, 0x7f, 0xf1, 0xfd, 0x6c, 0x02, 0x00, 0x00, + // 436 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x92, 0xcf, 0x8e, 0xd3, 0x30, + 0x10, 0xc6, 0x9b, 0xed, 0x82, 0x54, 0x57, 0x20, 0x11, 0x40, 0xca, 0xae, 0x20, 0xad, 0x2a, 0x81, + 0x72, 0xa9, 0x4d, 0xe1, 0x00, 0xe2, 0xb6, 0x5d, 0x8e, 0x7b, 0x28, 0x15, 0x27, 0x2e, 0x91, 0xe3, + 0x98, 0xd6, 0x5a, 0x27, 0x13, 0xc5, 0x93, 0x20, 0xf6, 0x29, 0xd8, 0xd7, 0xe0, 0xcc, 0x43, 0xac, + 0x38, 0xed, 0x91, 0x13, 0xa0, 0xf6, 0x45, 0x50, 0x6c, 0x17, 0x8a, 0x90, 0xf6, 0x94, 0xf8, 0x9b, + 0xcf, 0xf3, 0xe7, 0xe7, 0x21, 0x89, 0xca, 0x04, 0xe3, 0x55, 0xa5, 0x95, 0xe0, 0xa8, 0xa0, 0x34, + 0x0c, 0x6b, 0x5e, 0x9a, 0x0f, 0xb2, 0x66, 0xed, 0x8c, 0xf1, 0x06, 0xd7, 0x17, 0xb4, 0xaa, 0x01, + 0x21, 0x7c, 0xa4, 0x32, 0x41, 0xf7, 0x9d, 0x74, 0xe7, 0xa4, 0xed, 0xec, 0xf8, 0x48, 0x80, 0x29, + 0xc0, 0xa4, 0xd6, 0xcb, 0xdc, 0xc1, 0x5d, 0x3c, 0x7e, 0xb0, 0x82, 0x15, 0x38, 0xbd, 0xfb, 0xf3, + 0x6a, 0xec, 0x3c, 0x2c, 0xe3, 0x46, 0xb2, 0x76, 0x96, 0x49, 0xe4, 0x33, 0x26, 0x40, 0x95, 0x2e, + 0x3e, 0xb9, 0x3c, 0x20, 0xe4, 0x44, 0x6b, 0x70, 0xc5, 0xc2, 0x11, 0x19, 0x1a, 0x68, 0x6a, 0x21, + 0xd3, 0x0a, 0x6a, 0x8c, 0x82, 0x71, 0x90, 0x0c, 0x96, 0xc4, 0x49, 0x0b, 0xa8, 0x31, 0x7c, 0x42, + 0xee, 0x7a, 0x83, 0x58, 0xf3, 0xb2, 0x94, 0x3a, 0x3a, 0xb0, 0x9e, 0x3b, 0x4e, 0x3d, 0x75, 0x62, + 0xa8, 0xc9, 0xd0, 0x54, 0xb2, 0xcc, 0x53, 0xad, 0x0a, 0x85, 0x51, 0x7f, 0xdc, 0x4f, 0x86, 0xcf, + 0x8f, 0xa8, 0x6f, 0xb8, 0x6b, 0x86, 0xfa, 0x66, 0xe8, 0x29, 0xa8, 0x72, 0xfe, 0xec, 0xea, 0xc7, + 0xa8, 0xf7, 0xe5, 0xe7, 0x28, 0x59, 0x29, 0x5c, 0x37, 0x19, 0x15, 0x50, 0xf8, 0xe9, 0xfc, 0x67, + 0x6a, 0xf2, 0x73, 0x86, 0x9f, 0x2a, 0x69, 0xec, 0x05, 0xb3, 0x24, 0x36, 0xff, 0x59, 0x97, 0x3e, + 0x7c, 0x4c, 0x08, 0xd7, 0x1a, 0x3e, 0xa6, 0x5a, 0x19, 0x8c, 0x0e, 0xc7, 0xfd, 0x64, 0xb0, 0x1c, + 0x58, 0xe5, 0x4c, 0x19, 0x0c, 0x29, 0xb9, 0x6f, 0x0f, 0x32, 0x4f, 0x2b, 0x2e, 0xce, 0x25, 0xa6, + 0x39, 0x47, 0x1e, 0xdd, 0xb2, 0xbe, 0x7b, 0x3e, 0xb4, 0xb0, 0x91, 0x37, 0x1c, 0xf9, 0xe4, 0x32, + 0x20, 0x0f, 0xdf, 0x79, 0xe8, 0x27, 0x0d, 0xae, 0xa1, 0x56, 0x17, 0x0e, 0xcf, 0x82, 0x0c, 0xf9, + 0x1f, 0x58, 0x26, 0x0a, 0xec, 0x58, 0x09, 0xbd, 0xe9, 0xc9, 0xe8, 0x5f, 0xba, 0xf3, 0xc3, 0x6e, + 0xca, 0xe5, 0x7e, 0x8a, 0xd7, 0x4f, 0xbf, 0x7d, 0x9d, 0x4e, 0x3c, 0x16, 0xb7, 0x06, 0x3b, 0x2e, + 0xff, 0x54, 0x9e, 0xbf, 0xbd, 0xda, 0xc4, 0xc1, 0xf5, 0x26, 0x0e, 0x7e, 0x6d, 0xe2, 0xe0, 0xf3, + 0x36, 0xee, 0x5d, 0x6f, 0xe3, 0xde, 0xf7, 0x6d, 0xdc, 0x7b, 0xff, 0xf2, 0x7f, 0x64, 0x2a, 0x13, + 0xd3, 0x15, 0xb0, 0xf6, 0x15, 0x2b, 0x20, 0x6f, 0xb4, 0x34, 0xdd, 0xea, 0xed, 0xad, 0x9c, 0xe5, + 0x98, 0xdd, 0xb6, 0x1b, 0xf0, 0xe2, 0x77, 0x00, 0x00, 0x00, 0xff, 0xff, 0xcc, 0xb7, 0x0f, 0x97, + 0x9c, 0x02, 0x00, 0x00, } func (m *Allocation) Marshal() (dAtA []byte, err error) { @@ -205,6 +217,15 @@ func (m *Allocation) MarshalToSizedBuffer(dAtA []byte) (int, error) { _ = i var l int _ = l + if len(m.AllowedPacketData) > 0 { + for iNdEx := len(m.AllowedPacketData) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.AllowedPacketData[iNdEx]) + copy(dAtA[i:], m.AllowedPacketData[iNdEx]) + i = encodeVarintAuthz(dAtA, i, uint64(len(m.AllowedPacketData[iNdEx]))) + i-- + dAtA[i] = 0x2a + } + } if len(m.AllowList) > 0 { for iNdEx := len(m.AllowList) - 1; iNdEx >= 0; iNdEx-- { i -= len(m.AllowList[iNdEx]) @@ -319,6 +340,12 @@ func (m *Allocation) Size() (n int) { n += 1 + l + sovAuthz(uint64(l)) } } + if len(m.AllowedPacketData) > 0 { + for _, s := range m.AllowedPacketData { + l = len(s) + n += 1 + l + sovAuthz(uint64(l)) + } + } return n } @@ -502,6 +529,38 @@ func (m *Allocation) Unmarshal(dAtA []byte) error { } m.AllowList = append(m.AllowList, string(dAtA[iNdEx:postIndex])) iNdEx = postIndex + case 5: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field AllowedPacketData", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowAuthz + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthAuthz + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthAuthz + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.AllowedPacketData = append(m.AllowedPacketData, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipAuthz(dAtA[iNdEx:]) diff --git a/modules/apps/transfer/types/keys.go b/modules/apps/transfer/types/keys.go index 29f9261b698..0b13912cc88 100644 --- a/modules/apps/transfer/types/keys.go +++ b/modules/apps/transfer/types/keys.go @@ -30,6 +30,9 @@ const ( // DenomPrefix is the prefix used for internal SDK coin representation. DenomPrefix = "ibc" + // AllowAllPacketDataKeys holds the string key that allows all packet data keys in authz transfer messages + AllowAllPacketDataKeys = "*" + KeyTotalEscrowPrefix = "totalEscrowForDenom" ParamsKey = "params" diff --git a/modules/apps/transfer/types/transfer_authorization.go b/modules/apps/transfer/types/transfer_authorization.go index 82f40621efd..d2a10736fc7 100644 --- a/modules/apps/transfer/types/transfer_authorization.go +++ b/modules/apps/transfer/types/transfer_authorization.go @@ -2,7 +2,9 @@ package types import ( "context" + "encoding/json" "math/big" + "strings" "github.com/cosmos/gogoproto/proto" @@ -50,6 +52,11 @@ func (a TransferAuthorization) Accept(ctx context.Context, msg proto.Message) (a return authz.AcceptResponse{}, errorsmod.Wrap(ibcerrors.ErrInvalidAddress, "not allowed receiver address for transfer") } + err := validateMemo(sdk.UnwrapSDKContext(ctx), msgTransfer.Memo, allocation.AllowedPacketData) + if err != nil { + return authz.AcceptResponse{}, err + } + // If the spend limit is set to the MaxUint256 sentinel value, do not subtract the amount from the spend limit. if allocation.SpendLimit.AmountOf(msgTransfer.Token.Denom).Equal(UnboundedSpendLimit()) { return authz.AcceptResponse{Accept: true, Delete: false, Updated: nil}, nil @@ -70,10 +77,11 @@ func (a TransferAuthorization) Accept(ctx context.Context, msg proto.Message) (a }}, nil } a.Allocations[index] = Allocation{ - SourcePort: allocation.SourcePort, - SourceChannel: allocation.SourceChannel, - SpendLimit: limitLeft, - AllowList: allocation.AllowList, + SourcePort: allocation.SourcePort, + SourceChannel: allocation.SourceChannel, + SpendLimit: limitLeft, + AllowList: allocation.AllowList, + AllowedPacketData: allocation.AllowedPacketData, } return authz.AcceptResponse{Accept: true, Delete: false, Updated: &TransferAuthorization{ @@ -145,6 +153,51 @@ func isAllowedAddress(ctx sdk.Context, receiver string, allowedAddrs []string) b return false } +// validateMemo returns a nil error indicating if the memo is valid for transfer. +func validateMemo(ctx sdk.Context, memo string, allowedPacketDataList []string) error { + // if the allow list is empty, then the memo must be an empty string + if len(allowedPacketDataList) == 0 { + if len(strings.TrimSpace(memo)) != 0 { + return errorsmod.Wrapf(ErrInvalidAuthorization, "memo must be empty because allowed packet data in allocation is empty") + } + + return nil + } + + // if allowedPacketDataList has only 1 element and it equals AllowAllPacketDataKeys + // then accept all the packet data keys + if len(allowedPacketDataList) == 1 && allowedPacketDataList[0] == AllowAllPacketDataKeys { + return nil + } + + jsonObject := make(map[string]interface{}) + err := json.Unmarshal([]byte(memo), &jsonObject) + if err != nil { + return err + } + + if len(jsonObject) > len(allowedPacketDataList) { + return errorsmod.Wrapf(ErrInvalidAuthorization, "packet contains more packet data keys than packet allow list has") + } + + gasCostPerIteration := ctx.KVGasConfig().IterNextCostFlat + + for _, key := range allowedPacketDataList { + ctx.GasMeter().ConsumeGas(gasCostPerIteration, "transfer authorization") + + _, ok := jsonObject[key] + if ok { + delete(jsonObject, key) + } + } + + if len(jsonObject) != 0 { + return errorsmod.Wrapf(ErrInvalidAuthorization, "packet data not allowed") + } + + return nil +} + // UnboundedSpendLimit returns the sentinel value that can be used // as the amount for a denomination's spend limit for which spend limit updating // should be disabled. Please note that using this sentinel value means that a grantee diff --git a/modules/apps/transfer/types/transfer_authorization_test.go b/modules/apps/transfer/types/transfer_authorization_test.go index fdc877340e8..1aa07438807 100644 --- a/modules/apps/transfer/types/transfer_authorization_test.go +++ b/modules/apps/transfer/types/transfer_authorization_test.go @@ -11,6 +11,8 @@ import ( "github.com/cosmos/ibc-go/v8/testing/mock" ) +const testMemo = `{"wasm":{"contract":"osmo1c3ljch9dfw5kf52nfwpxd2zmj2ese7agnx0p9tenkrryasrle5sqf3ftpg","msg":{"osmosis_swap":{"output_denom":"uosmo","slippage":{"twap":{"slippage_percentage":"20","window_seconds":10}},"receiver":"feeabs/feeabs1efd63aw40lxf3n4mhf7dzhjkr453axurwrhrrw","on_failed_delivery":"do_nothing"}}}}` + func (suite *TypesTestSuite) TestTransferAuthorizationAccept() { var ( msgTransfer types.MsgTransfer @@ -101,6 +103,72 @@ func (suite *TypesTestSuite) TestTransferAuthorizationAccept() { suite.Require().Nil(res.Updated) }, }, + { + "success: empty AllowedPacketData and empty memo", + func() { + allowedList := []string{} + transferAuthz.Allocations[0].AllowedPacketData = allowedList + }, + func(res authz.AcceptResponse, err error) { + suite.Require().NoError(err) + + suite.Require().True(res.Accept) + suite.Require().True(res.Delete) + suite.Require().Nil(res.Updated) + }, + }, + { + "success: AllowedPacketData allows any packet", + func() { + allowedList := []string{"*"} + transferAuthz.Allocations[0].AllowedPacketData = allowedList + msgTransfer.Memo = testMemo + }, + func(res authz.AcceptResponse, err error) { + suite.Require().NoError(err) + + suite.Require().True(res.Accept) + suite.Require().True(res.Delete) + suite.Require().Nil(res.Updated) + }, + }, + { + "success: transfer memo allowed", + func() { + allowedList := []string{"wasm", "forward"} + transferAuthz.Allocations[0].AllowedPacketData = allowedList + msgTransfer.Memo = testMemo + }, + func(res authz.AcceptResponse, err error) { + suite.Require().NoError(err) + + suite.Require().True(res.Accept) + suite.Require().True(res.Delete) + suite.Require().Nil(res.Updated) + }, + }, + { + "empty AllowedPacketData but not empty memo", + func() { + allowedList := []string{} + transferAuthz.Allocations[0].AllowedPacketData = allowedList + msgTransfer.Memo = testMemo + }, + func(res authz.AcceptResponse, err error) { + suite.Require().Error(err) + }, + }, + { + "memo not allowed", + func() { + allowedList := []string{"forward"} + transferAuthz.Allocations[0].AllowedPacketData = allowedList + msgTransfer.Memo = testMemo + }, + func(res authz.AcceptResponse, err error) { + suite.Require().Error(err) + }, + }, { "test multiple coins does not overspend", func() { diff --git a/proto/ibc/applications/transfer/v1/authz.proto b/proto/ibc/applications/transfer/v1/authz.proto index 7b7a9f0846a..e7561b0708b 100644 --- a/proto/ibc/applications/transfer/v1/authz.proto +++ b/proto/ibc/applications/transfer/v1/authz.proto @@ -19,6 +19,9 @@ message Allocation { [(gogoproto.nullable) = false, (gogoproto.castrepeated) = "github.com/cosmos/cosmos-sdk/types.Coins"]; // allow list of receivers, an empty allow list permits any receiver address repeated string allow_list = 4; + // allow list of packet data keys, an empty list prohibits all packet data keys; + // a list only with "*" permits any packet data key + repeated string allowed_packet_data = 5; } // TransferAuthorization allows the grantee to spend up to spend_limit coins from