Sol Cerberus

Solana's watch dog


sol-cerberus-macros

Collection of useful Anchor macros that abstract away the complexity of Sol Cerberus RBAC, integrating a full access control system into your program with just a few lines of code.

Installation

To install the latest version, add sol-cerberus-macros to the dependencies in your Cargo.toml file:

```toml
[dependencies]
sol-cerberus-macros = "*"
```

#[rule(Resource, Permission)] macro

The #[rule] macro annotates Anchor instructions. It checks whether the current user running the instruction is allowed to access the defined Resource and Permission. For instance, the following rule macro example allows access only to roles that are allowed to access the Resource Homepage and the Permission Write:

```rust
declare_id!("AjO97SU3FWq652tMMzNSbmPMeM4jtKDP3nLJp9APctFA");

pub const SOL_CERBERUS_APP_ID: &'static str = "9R5QMs9rEJ6BMvSF84yw91qnRBXKEBJbeQnZVX84C3";

#[program]
pub mod my_program {
    use super::*;

    // Only roles allowed the Write permission on the Homepage resource pass this check.
    #[rule(Homepage, Write)]
    pub fn my_instruction(_ctx: Context<MyContext>) -> Result<()> {
        Ok(())
    }
}
```

If a user tries to run this instruction without the mentioned permissions, they will get an `Unauthorized` error.

#[sol_cerberus_accounts] macro

The #[sol_cerberus_accounts] macro annotates Anchor accounts, adding all the accounts necessary to perform the permission check. A full working example using the #[rule] and #[sol_cerberus_accounts] macros would look like this:

```rust
declare_id!("AjO97SU3FWq652tMMzNSbmPMeM4jtKDP3nLJp9APctFA");

pub const SOL_CERBERUS_APP_ID: &'static str = "9R5QMs9rEJ6BMvSF84yw91qnRBXKEBJbeQnZVX84C3";

#[program]
pub mod my_program {
    use super::*;

    // Only roles allowed the Write permission on the Homepage resource pass this check.
    #[rule(Homepage, Write)]
    pub fn my_instruction(_ctx: Context<MyContext>) -> Result<()> {
        Ok(())
    }
}

#[sol_cerberus_accounts]
#[derive(Accounts)]
pub struct MyContext<'info> {
    #[account()]
    pub signer: Signer<'info>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_app: UncheckedAccount<'info>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_rule: Option<UncheckedAccount<'info>>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_role: Option<UncheckedAccount<'info>>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_token_acc: Option<UncheckedAccount<'info>>,
    /// CHECK: Validated on CPI call
    pub sol_cerberus_metadata: Option<UncheckedAccount<'info>>,
    pub sol_cerberus: Program<'info, SolCerberus>,
}
```

These are the accounts required by Sol Cerberus to verify user access. Hopefully, future versions of Anchor will make it unnecessary to add all those UncheckedAccounts, because #[sol_cerberus_accounts] automatically adds all of them. For now, Anchor requires the accounts to be explicitly defined in order to build the IDL.
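Because the permission check only runs on instructions annotated with #[rule], a review or CI step can flag instructions that were added without it. The following is an added example, not code from Sol Cerberus: the function name `unguarded_instructions`, the `delete_page` instruction and the sample source are constructed for illustration, and the scan is a line-based heuristic that assumes one attribute per line and `Context<` on the same line as `pub fn`.

```rust
/// Names of `pub fn` items that take an Anchor `Context<...>` but have no
/// `#[rule(...)]` attribute in the attribute run directly above them.
fn unguarded_instructions(src: &str) -> Vec<String> {
    let mut missing = Vec::new();
    let mut has_rule = false; // a #[rule(..)] was seen in the current attribute run
    for line in src.lines().map(str::trim) {
        if line.starts_with("#[rule(") {
            has_rule = true;
        } else if line.starts_with("#[") || line.starts_with("//") || line.is_empty() {
            // Other attributes, comments and blank lines do not end the run.
        } else {
            if let Some(rest) = line.strip_prefix("pub fn ") {
                if rest.contains("Context<") && !has_rule {
                    // Function name ends at the parameter list or generics.
                    let name = rest.split(|c| c == '(' || c == '<').next().unwrap_or(rest);
                    missing.push(name.trim().to_string());
                }
            }
            has_rule = false; // any item or statement ends the attribute run
        }
    }
    missing
}

// Constructed sample: the page's instruction plus one without a rule.
const SAMPLE: &str = r##"
#[program]
pub mod my_program {
    use super::*;

    #[rule(Homepage, Write)]
    pub fn my_instruction(_ctx: Context<MyContext>) -> Result<()> {
        Ok(())
    }

    // No #[rule] here, so no Sol Cerberus check runs for this instruction.
    pub fn delete_page(_ctx: Context<MyContext>) -> Result<()> {
        Ok(())
    }
}
"##;

fn main() {
    let missing = unguarded_instructions(SAMPLE);
    for name in &missing {
        eprintln!("instruction `{}` has no #[rule(...)] check", name);
    }
    std::process::exit(if missing.is_empty() { 0 } else { 1 });
}
```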