Params.InstantiateDefaultPermission does not support AccessTypeAnyOfAddresses

[codehans]

The current definition of the Params type looks like this

message Params {
  option (gogoproto.goproto_stringer) = false;
  AccessConfig code_upload_access = 1 [
    (gogoproto.nullable) = false,
    (amino.dont_omitempty) = true,
    (gogoproto.moretags) = "yaml:\"code_upload_access\""
  ];
  AccessType instantiate_default_permission = 2
      [ (gogoproto.moretags) = "yaml:\"instantiate_default_permission\"" ];
}

which is only storing the AccessType, which if set to ACCESS_TYPE_ANY_OF_ADDRESSES, therefore can't store a list of addresses. Just wanted to check this wasn't intentional? Will PR a fix otherwise

[alpe]

The user that uploads a contract should define the authorization scope for the instantiation. The scope must not exceed the chain's default scope though for restricted chains. In the discussions, only Nobody and Everybody (unrestricted) made sense for us.
Can you elaborate on your use-case?

[codehans]

Thanks @alpe. We're keen to retain the permissioned contract instantiation on the chain for quality and safety reasons - and have that as the standard way that contracts are instantiated and migrated. However this introduces a delay for governance for all code changes, which isn't particularly desirable if there are urgent patches.

The plan is currently to set a CW3 multisig as the default instantiation permission for all new code, so that emergency upgrades can be performed to contracts with that also set as admin.

[alpe]

👍 Thank you for the additional details! I do understand the use-case better now. The changes to the code would require a module upgrade for the store.

[codehans]

👍 Thank you for the additional details! I do understand the use-case better now. The changes to the code would require a module upgrade for the store.

Yup for sure. I've also realised that we can achieve the same here by using the upload permissions instead. If instantiate permissions are set to AnyOfAddresses (without a list of addresses so it initialised to an empty list), and code upload is set to AnyOfAddresses with the multisig address as the only address, then any code uploaded will be granted instantiate permissions for both the uploader and the multisig, right?

[alpe]

... we can achieve the same here by using the upload permissions instead

Unfortunately not. Upload and instantiate permission are not merged. When params are set to AnyOfAddresses for instantiation an the store message does not define an AccessConfig then only the sender would be able to instantiate.

Nevertheless, the workaround is not using a mulitsig contract but the SDK multisig as contract can not upload new wasm codes.

1. set upload permission to AnyOfAddresses with your accept list, for example sdk multisig address
2. set instantiate params to AnyOfAddresses

You could pass a multisig contract address as accepted address with the upload but you can not enforce this to be set currently. When left empty the chains default would be used.

[alpe]

I have read #1584 today which may work for your use case as well.
With chain upload permissions to the multisig contract address only and an authz grant by it to a trusted grantee, you can have the instantiation permission set to your multisig contract by the grantee.

Working with authz would require less changes to wasmd.