More cleanups - removed sudo (#39)

* We need production profile also

* Remove sudo from bulletin-polkadot

* Allow Grandpa init for owner or root (so we don't need sudo)

Author: bkontur

Cargo.lock

@@ -132,3 +132,8 @@ members = [
 # Polkadot runtime requires unwinding.
 opt-level = 3
 panic = "unwind"
+
+[profile.production]
+inherits = "release"
+lto = true
+codegen-units = 1

Cargo.toml

@@ -25,7 +25,6 @@ pallet-babe = { workspace = true }
 pallet-grandpa = { workspace = true }
 pallet-offences = { workspace = true }
 pallet-session = { workspace = true }
-pallet-sudo = { workspace = true }
 pallet-timestamp = { workspace = true }
 sp-api = { workspace = true }
 sp-block-builder = { workspace = true }
@@ -117,7 +116,6 @@ std = [
 	"pallet-grandpa/std",
 	"pallet-offences/std",
 	"pallet-session/std",
-	"pallet-sudo/std",
 	"pallet-timestamp/std",
 	"sp-api/std",
 	"sp-block-builder/std",
@@ -179,7 +177,6 @@ runtime-benchmarks = [
 	"pallet-babe/runtime-benchmarks",
 	"pallet-grandpa/runtime-benchmarks",
 	"pallet-offences/runtime-benchmarks",
-	"pallet-sudo/runtime-benchmarks",
 	"pallet-timestamp/runtime-benchmarks",
 	"sp-runtime/runtime-benchmarks",
 	"sp-storage",
@@ -219,7 +216,6 @@ try-runtime = [
 	"pallet-grandpa/try-runtime",
 	"pallet-offences/try-runtime",
 	"pallet-session/try-runtime",
-	"pallet-sudo/try-runtime",
 	"pallet-timestamp/try-runtime",
 
 	"pallet-bridge-grandpa/try-runtime",

runtimes/bulletin-polkadot/Cargo.toml

@@ -1,6 +1,6 @@
 use crate::{
 	opaque::SessionKeys, AccountId, BabeConfig, RelayerSetConfig, RuntimeGenesisConfig,
-	SessionConfig, Signature, SudoConfig, ValidatorSetConfig, BABE_GENESIS_EPOCH_CONFIG,
+	SessionConfig, Signature, ValidatorSetConfig, BABE_GENESIS_EPOCH_CONFIG,
 };
 
 use crate::{
@@ -50,7 +50,6 @@ fn session_keys(babe: BabeId, grandpa: GrandpaId) -> SessionKeys {
 fn testnet_genesis(
 	initial_authorities: Vec<(AccountId, BabeId, GrandpaId)>,
 	bridges_pallet_owner: Option<AccountId>,
-	root_key: AccountId,
 ) -> serde_json::Value {
 	let config = RuntimeGenesisConfig {
 		validator_set: ValidatorSetConfig {
@@ -69,10 +68,6 @@ fn testnet_genesis(
 			non_authority_keys: Default::default(),
 		},
 		babe: BabeConfig { epoch_config: BABE_GENESIS_EPOCH_CONFIG, ..Default::default() },
-		sudo: SudoConfig {
-			// Assign network admin rights.
-			key: Some(root_key.clone()),
-		},
 		relayer_set: RelayerSetConfig {
 			// For simplicity just make the initial relayer set match the initial validator set. In
 			// practice even if the same entities control the validators and the relayers they
@@ -106,8 +101,6 @@ pub fn get_preset(id: &PresetId) -> Option<Vec<u8>> {
 			vec![authority_keys_from_seed("Alice")],
 			// Bridges pallet owner
 			Some(get_account_id_from_seed::<sr25519::Public>("Alice")),
-			// Sudo account
-			get_account_id_from_seed::<sr25519::Public>("Alice"),
 		),
 		sp_genesis_builder::LOCAL_TESTNET_RUNTIME_PRESET => testnet_genesis(
 			// Initial PoA authorities
@@ -119,8 +112,6 @@ pub fn get_preset(id: &PresetId) -> Option<Vec<u8>> {
 			],
 			// Bridges pallet owner
 			Some(get_account_id_from_seed::<sr25519::Public>("Alice")),
-			// Sudo account
-			get_account_id_from_seed::<sr25519::Public>("Alice"),
 		),
 		_ => return None,
 	};

runtimes/bulletin-polkadot/src/genesis_config_presets.rs

@@ -8,6 +8,7 @@ extern crate alloc;
 #[cfg(feature = "std")]
 include!(concat!(env!("OUT_DIR"), "/wasm_binary.rs"));
 
+use bp_runtime::OwnedBridgeModule;
 use bridge_runtime_common::generate_bridge_reject_obsolete_headers_and_messages;
 use frame_support::{derive_impl, traits::ValidatorRegistration};
 use frame_system::EnsureRoot;
@@ -339,13 +340,6 @@ impl pallet_timestamp::Config for Runtime {
 	type WeightInfo = ();
 }
 
-// TODO: remove sudo before go live
-impl pallet_sudo::Config for Runtime {
-	type RuntimeEvent = RuntimeEvent;
-	type RuntimeCall = RuntimeCall;
-	type WeightInfo = pallet_sudo::weights::SubstrateWeight<Runtime>;
-}
-
 impl pallet_transaction_storage::Config for Runtime {
 	type RuntimeEvent = RuntimeEvent;
 	type WeightInfo = pallet_transaction_storage::weights::SubstrateWeight<Runtime>;
@@ -406,9 +400,6 @@ construct_runtime!(
 		BridgePolkadotGrandpa: pallet_bridge_grandpa = 51,
 		BridgePolkadotParachains: pallet_bridge_parachains = 52,
 		BridgePolkadotMessages: pallet_bridge_messages = 53,
-
-		// sudo
-		Sudo: pallet_sudo = 255,
 	}
 );
 
@@ -419,18 +410,6 @@ pub type Header = generic::Header<BlockNumber, BlakeTwo256>;
 /// Block type as expected by this runtime.
 pub type Block = generic::Block<Header, UncheckedExtrinsic>;
 
-fn validate_sudo(_who: &AccountId) -> TransactionValidity {
-	// TODO: make Sudo::key() accessible and uncomment this.
-	// // Only allow sudo transactions signed by the sudo account. The sudo pallet obviously checks
-	// // this, but not until transaction execution.
-	// if Sudo::key().map_or(false, |k| who == &k) {
-	// 	Ok(ValidTransaction { priority: SudoPriority::get(), ..Default::default() })
-	// } else {
-	// 	Err(InvalidTransaction::BadSigner.into())
-	// }
-	Ok(ValidTransaction { priority: SudoPriority::get(), ..Default::default() })
-}
-
 fn validate_purge_keys(who: &AccountId) -> TransactionValidity {
 	// Only allow if account has keys to purge
 	if Session::is_registered(who) {
@@ -493,9 +472,6 @@ impl TransactionExtension<RuntimeCall> for ValidateSigned {
 			RuntimeCall::TransactionStorage(inner_call) =>
 				TransactionStorage::validate_signed(who, inner_call),
 
-			// Sudo call
-			RuntimeCall::Sudo(_) => validate_sudo(who),
-
 			// Session key management
 			RuntimeCall::Session(SessionCall::set_keys { .. }) =>
 				ValidatorSet::validate_set_keys(who).map(|()| ValidTransaction {
@@ -530,6 +506,16 @@ impl TransactionExtension<RuntimeCall> for ValidateSigned {
 				..Default::default()
 			}),
 
+			// Bridge-privileged calls
+			RuntimeCall::BridgePolkadotGrandpa(BridgeGrandpaCall::initialize { .. }) =>
+				BridgePolkadotGrandpa::ensure_owner_or_root(origin.clone())
+					.map_err(|_| InvalidTransaction::BadSigner.into())
+					.map(|()| ValidTransaction {
+						priority: BridgeTxPriority::get(),
+						longevity: BridgeTxLongevity::get(),
+						..Default::default()
+					}),
+
 			// All other calls are invalid
 			_ => Err(InvalidTransaction::Call.into()),
 		}?;
@@ -551,9 +537,6 @@ impl TransactionExtension<RuntimeCall> for ValidateSigned {
 			RuntimeCall::TransactionStorage(inner_call) =>
 				TransactionStorage::pre_dispatch_signed(who, inner_call).map(|()| None),
 
-			// Sudo validation
-			RuntimeCall::Sudo(_) => validate_sudo(who).map(|_| None),
-
 			// Session key management
 			RuntimeCall::Session(SessionCall::set_keys { .. }) =>
 				ValidatorSet::pre_dispatch_set_keys(who).map(|()| None),
@@ -580,6 +563,12 @@ impl TransactionExtension<RuntimeCall> for ValidateSigned {
 				BridgeMessagesCall::receive_messages_delivery_proof { .. },
 			) => RelayerSet::validate_bridge_tx(who).map(|()| Some(who.clone())),
 
+			// Bridge-privileged calls
+			RuntimeCall::BridgePolkadotGrandpa(BridgeGrandpaCall::initialize { .. }) =>
+				BridgePolkadotGrandpa::ensure_owner_or_root(origin.clone())
+					.map_err(|_| InvalidTransaction::BadSigner.into())
+					.map(|()| Some(who.clone())),
+
 			// All other calls are invalid
 			_ => Err(InvalidTransaction::Call.into()),
 		}
@@ -646,7 +635,6 @@ mod benches {
 		[frame_benchmarking, BaselineBench::<Runtime>]
 		[frame_system, SystemBench::<Runtime>]
 		[pallet_timestamp, Timestamp]
-		[pallet_sudo, Sudo]
 		[pallet_transaction_storage, TransactionStorage]
 		[pallet_validator_set, ValidatorSet]
 		[pallet_relayer_set, RelayerSet]