fix: use module permission from app_config in app.go (#12997)

simapp/app.go

@@ -121,17 +121,6 @@ var (
 		vesting.AppModuleBasic{},
 		nftmodule.AppModuleBasic{},
 	)
-
-	// module account permissions
-	maccPerms = map[string][]string{
-		authtypes.FeeCollectorName:     nil,
-		distrtypes.ModuleName:          nil,
-		minttypes.ModuleName:           {authtypes.Minter},
-		stakingtypes.BondedPoolName:    {authtypes.Burner, authtypes.Staking},
-		stakingtypes.NotBondedPoolName: {authtypes.Burner, authtypes.Staking},
-		govtypes.ModuleName:            {authtypes.Burner},
-		nft.ModuleName:                 nil,
-	}
 )
 
 var (
@@ -386,10 +375,30 @@ func (app *SimApp) RegisterAPIRoutes(apiSvr *api.Server, apiConfig config.APICon
 }
 
 // GetMaccPerms returns a copy of the module account permissions
+//
+// NOTE: This is solely to be used for testing purposes.
 func GetMaccPerms() map[string][]string {
-	dupMaccPerms := make(map[string][]string)
-	for k, v := range maccPerms {
-		dupMaccPerms[k] = v
+	dup := make(map[string][]string)
+	for _, perms := range moduleAccPerms {
+		dup[perms.Account] = perms.Permissions
 	}
-	return dupMaccPerms
+
+	return dup
+}
+
+// BlockedAddresses returns all the app's blocked account addresses.
+func BlockedAddresses() map[string]bool {
+	result := make(map[string]bool)
+
+	if len(blockAccAddrs) > 0 {
+		for _, addr := range blockAccAddrs {
+			result[addr] = true
+		}
+	} else {
+		for addr := range GetMaccPerms() {
+			result[addr] = true
+		}
+	}
+
+	return result
 }

simapp/app_config.go

@@ -47,171 +47,176 @@ import (
 	upgradetypes "github.com/cosmos/cosmos-sdk/x/upgrade/types"
 )
 
-// Alternatively the AppConfig can be defined as a YAML or a JSON file.
-// e.g. https://github.com/cosmos/cosmos-sdk/blob/91b1d83f1339e235a1dfa929ecc00084101a19e3/simapp/app.yaml
+var (
+	// module account permissions
+	moduleAccPerms = []*authmodulev1.ModuleAccountPermission{
+		{Account: authtypes.FeeCollectorName},
+		{Account: distrtypes.ModuleName},
+		{Account: minttypes.ModuleName, Permissions: []string{authtypes.Minter}},
+		{Account: stakingtypes.BondedPoolName, Permissions: []string{authtypes.Burner, stakingtypes.ModuleName}},
+		{Account: stakingtypes.NotBondedPoolName, Permissions: []string{authtypes.Burner, stakingtypes.ModuleName}},
+		{Account: govtypes.ModuleName, Permissions: []string{authtypes.Burner}},
+		{Account: nft.ModuleName},
+	}
 
-var AppConfig = appconfig.Compose(&appv1alpha1.Config{
-	Modules: []*appv1alpha1.ModuleConfig{
-		{
-			Name: "runtime",
-			Config: appconfig.WrapAny(&runtimev1alpha1.Module{
-				AppName: "SimApp",
-				// During begin block slashing happens after distr.BeginBlocker so that
-				// there is nothing left over in the validator fee pool, so as to keep the
-				// CanWithdrawInvariant invariant.
-				// NOTE: staking module is required if HistoricalEntries param > 0
-				// NOTE: capability module's beginblocker must come before any modules using capabilities (e.g. IBC)
-				BeginBlockers: []string{
-					upgradetypes.ModuleName,
-					capabilitytypes.ModuleName,
-					minttypes.ModuleName,
-					distrtypes.ModuleName,
-					slashingtypes.ModuleName,
-					evidencetypes.ModuleName,
-					stakingtypes.ModuleName,
-					authtypes.ModuleName,
-					banktypes.ModuleName,
-					govtypes.ModuleName,
-					crisistypes.ModuleName,
-					genutiltypes.ModuleName,
-					authz.ModuleName,
-					feegrant.ModuleName,
-					nft.ModuleName,
-					group.ModuleName,
-					paramstypes.ModuleName,
-					vestingtypes.ModuleName,
-				},
-				EndBlockers: []string{
-					crisistypes.ModuleName,
-					govtypes.ModuleName,
-					stakingtypes.ModuleName,
-					capabilitytypes.ModuleName,
-					authtypes.ModuleName,
-					banktypes.ModuleName,
-					distrtypes.ModuleName,
-					slashingtypes.ModuleName,
-					minttypes.ModuleName,
-					genutiltypes.ModuleName,
-					evidencetypes.ModuleName,
-					authz.ModuleName,
-					feegrant.ModuleName,
-					nft.ModuleName,
-					group.ModuleName,
-					paramstypes.ModuleName,
-					upgradetypes.ModuleName,
-					vestingtypes.ModuleName,
-				},
-				OverrideStoreKeys: []*runtimev1alpha1.StoreKeyConfig{
-					{
-						ModuleName: authtypes.ModuleName,
-						KvStoreKey: "acc",
+	// blocked account addresses
+	blockAccAddrs = []string{
+		authtypes.FeeCollectorName,
+		distrtypes.ModuleName,
+		minttypes.ModuleName,
+		stakingtypes.BondedPoolName,
+		stakingtypes.NotBondedPoolName,
+		nft.ModuleName,
+		// We allow the following module accounts to receive funds:
+		// govtypes.ModuleName
+	}
+
+	// application configuration (used by depinject)
+	AppConfig = appconfig.Compose(&appv1alpha1.Config{
+		Modules: []*appv1alpha1.ModuleConfig{
+			{
+				Name: "runtime",
+				Config: appconfig.WrapAny(&runtimev1alpha1.Module{
+					AppName: "SimApp",
+					// During begin block slashing happens after distr.BeginBlocker so that
+					// there is nothing left over in the validator fee pool, so as to keep the
+					// CanWithdrawInvariant invariant.
+					// NOTE: staking module is required if HistoricalEntries param > 0
+					// NOTE: capability module's beginblocker must come before any modules using capabilities (e.g. IBC)
+					BeginBlockers: []string{
+						upgradetypes.ModuleName,
+						capabilitytypes.ModuleName,
+						minttypes.ModuleName,
+						distrtypes.ModuleName,
+						slashingtypes.ModuleName,
+						evidencetypes.ModuleName,
+						stakingtypes.ModuleName,
+						authtypes.ModuleName,
+						banktypes.ModuleName,
+						govtypes.ModuleName,
+						crisistypes.ModuleName,
+						genutiltypes.ModuleName,
+						authz.ModuleName,
+						feegrant.ModuleName,
+						nft.ModuleName,
+						group.ModuleName,
+						paramstypes.ModuleName,
+						vestingtypes.ModuleName,
 					},
-				},
-			}),
+					EndBlockers: []string{
+						crisistypes.ModuleName,
+						govtypes.ModuleName,
+						stakingtypes.ModuleName,
+						capabilitytypes.ModuleName,
+						authtypes.ModuleName,
+						banktypes.ModuleName,
+						distrtypes.ModuleName,
+						slashingtypes.ModuleName,
+						minttypes.ModuleName,
+						genutiltypes.ModuleName,
+						evidencetypes.ModuleName,
+						authz.ModuleName,
+						feegrant.ModuleName,
+						nft.ModuleName,
+						group.ModuleName,
+						paramstypes.ModuleName,
+						upgradetypes.ModuleName,
+						vestingtypes.ModuleName,
+					},
+					OverrideStoreKeys: []*runtimev1alpha1.StoreKeyConfig{
+						{
+							ModuleName: authtypes.ModuleName,
+							KvStoreKey: "acc",
+						},
+					},
+				}),
+			},
+			{
+				Name: authtypes.ModuleName,
+				Config: appconfig.WrapAny(&authmodulev1.Module{
+					Bech32Prefix:             "cosmos",
+					ModuleAccountPermissions: moduleAccPerms,
+				}),
+			},
+			{
+				Name:   vestingtypes.ModuleName,
+				Config: appconfig.WrapAny(&vestingmodulev1.Module{}),
+			},
+			{
+				Name: banktypes.ModuleName,
+				Config: appconfig.WrapAny(&bankmodulev1.Module{
+					BlockedModuleAccountsOverride: blockAccAddrs,
+				}),
+			},
+			{
+				Name:   stakingtypes.ModuleName,
+				Config: appconfig.WrapAny(&stakingmodulev1.Module{}),
+			},
+			{
+				Name:   slashingtypes.ModuleName,
+				Config: appconfig.WrapAny(&slashingmodulev1.Module{}),
+			},
+			{
+				Name:   paramstypes.ModuleName,
+				Config: appconfig.WrapAny(&paramsmodulev1.Module{}),
+			},
+			{
+				Name:   "tx",
+				Config: appconfig.WrapAny(&txmodulev1.Module{}),
+			},
+			{
+				Name:   genutiltypes.ModuleName,
+				Config: appconfig.WrapAny(&genutilmodulev1.Module{}),
+			},
+			{
+				Name:   authz.ModuleName,
+				Config: appconfig.WrapAny(&authzmodulev1.Module{}),
+			},
+			{
+				Name:   upgradetypes.ModuleName,
+				Config: appconfig.WrapAny(&upgrademodulev1.Module{}),
+			},
+			{
+				Name:   distrtypes.ModuleName,
+				Config: appconfig.WrapAny(&distrmodulev1.Module{}),
+			},
+			{
+				Name: capabilitytypes.ModuleName,
+				Config: appconfig.WrapAny(&capabilitymodulev1.Module{
+					SealKeeper: true,
+				}),
+			},
+			{
+				Name:   evidencetypes.ModuleName,
+				Config: appconfig.WrapAny(&evidencemodulev1.Module{}),
+			},
+			{
+				Name:   minttypes.ModuleName,
+				Config: appconfig.WrapAny(&mintmodulev1.Module{}),
+			},
+			{
+				Name: group.ModuleName,
+				Config: appconfig.WrapAny(&groupmodulev1.Module{
+					MaxExecutionPeriod: durationpb.New(time.Second * 1209600),
+					MaxMetadataLen:     255,
+				}),
+			},
+			{
+				Name:   nft.ModuleName,
+				Config: appconfig.WrapAny(&nftmodulev1.Module{}),
+			},
+			{
+				Name:   feegrant.ModuleName,
+				Config: appconfig.WrapAny(&feegrantmodulev1.Module{}),
+			},
+			{
+				Name:   govtypes.ModuleName,
+				Config: appconfig.WrapAny(&govmodulev1.Module{}),
+			},
+			{
+				Name:   crisistypes.ModuleName,
+				Config: appconfig.WrapAny(&crisismodulev1.Module{}),
+			},
 		},
-		{
-			Name: authtypes.ModuleName,
-			Config: appconfig.WrapAny(&authmodulev1.Module{
-				Bech32Prefix: "cosmos",
-				ModuleAccountPermissions: []*authmodulev1.ModuleAccountPermission{
-					{Account: authtypes.FeeCollectorName},
-					{Account: distrtypes.ModuleName},
-					{Account: minttypes.ModuleName, Permissions: []string{authtypes.Minter}},
-					{Account: stakingtypes.BondedPoolName, Permissions: []string{authtypes.Burner, stakingtypes.ModuleName}},
-					{Account: stakingtypes.NotBondedPoolName, Permissions: []string{authtypes.Burner, stakingtypes.ModuleName}},
-					{Account: govtypes.ModuleName, Permissions: []string{authtypes.Burner}},
-					{Account: nft.ModuleName},
-				},
-			}),
-		},
-		{
-			Name:   vestingtypes.ModuleName,
-			Config: appconfig.WrapAny(&vestingmodulev1.Module{}),
-		},
-		{
-			Name: banktypes.ModuleName,
-			Config: appconfig.WrapAny(&bankmodulev1.Module{
-				BlockedModuleAccountsOverride: []string{
-					authtypes.FeeCollectorName,
-					distrtypes.ModuleName,
-					minttypes.ModuleName,
-					stakingtypes.BondedPoolName,
-					stakingtypes.NotBondedPoolName,
-					govtypes.ModuleName,
-					nft.ModuleName,
-					// We allow the following module accounts to receive funds:
-					// govtypes.ModuleName
-				},
-			}),
-		},
-		{
-			Name:   stakingtypes.ModuleName,
-			Config: appconfig.WrapAny(&stakingmodulev1.Module{}),
-		},
-		{
-			Name:   slashingtypes.ModuleName,
-			Config: appconfig.WrapAny(&slashingmodulev1.Module{}),
-		},
-		{
-			Name:   paramstypes.ModuleName,
-			Config: appconfig.WrapAny(&paramsmodulev1.Module{}),
-		},
-		{
-			Name:   "tx",
-			Config: appconfig.WrapAny(&txmodulev1.Module{}),
-		},
-		{
-			Name:   genutiltypes.ModuleName,
-			Config: appconfig.WrapAny(&genutilmodulev1.Module{}),
-		},
-		{
-			Name:   authz.ModuleName,
-			Config: appconfig.WrapAny(&authzmodulev1.Module{}),
-		},
-		{
-			Name:   upgradetypes.ModuleName,
-			Config: appconfig.WrapAny(&upgrademodulev1.Module{}),
-		},
-		{
-			Name:   distrtypes.ModuleName,
-			Config: appconfig.WrapAny(&distrmodulev1.Module{}),
-		},
-		{
-			Name: capabilitytypes.ModuleName,
-			Config: appconfig.WrapAny(&capabilitymodulev1.Module{
-				SealKeeper: true,
-			}),
-		},
-		{
-			Name:   evidencetypes.ModuleName,
-			Config: appconfig.WrapAny(&evidencemodulev1.Module{}),
-		},
-		{
-			Name:   minttypes.ModuleName,
-			Config: appconfig.WrapAny(&mintmodulev1.Module{}),
-		},
-		{
-			Name: group.ModuleName,
-			Config: appconfig.WrapAny(&groupmodulev1.Module{
-				MaxExecutionPeriod: durationpb.New(time.Second * 1209600),
-				MaxMetadataLen:     255,
-			}),
-		},
-		{
-			Name:   nft.ModuleName,
-			Config: appconfig.WrapAny(&nftmodulev1.Module{}),
-		},
-		{
-			Name:   feegrant.ModuleName,
-			Config: appconfig.WrapAny(&feegrantmodulev1.Module{}),
-		},
-		{
-			Name:   govtypes.ModuleName,
-			Config: appconfig.WrapAny(&govmodulev1.Module{}),
-		},
-		{
-			Name:   crisistypes.ModuleName,
-			Config: appconfig.WrapAny(&crisismodulev1.Module{}),
-		},
-	},
-})
+	})
+)

simapp/app_legacy.go

@@ -304,6 +304,15 @@ func NewSimApp(
 	*/
 	app.GroupKeeper = groupkeeper.NewKeeper(keys[group.StoreKey], appCodec, app.MsgServiceRouter(), app.AccountKeeper, groupConfig)
 
+	// get skipUpgradeHeights from the app options
+	skipUpgradeHeights := map[int64]bool{}
+	for _, h := range cast.ToIntSlice(appOpts.Get(server.FlagUnsafeSkipUpgrades)) {
+		skipUpgradeHeights[int64(h)] = true
+	}
+	homePath := cast.ToString(appOpts.Get(flags.FlagHome))
+	// set the governance module account as the authority for conducting upgrades
+	app.UpgradeKeeper = upgradekeeper.NewKeeper(skipUpgradeHeights, keys[upgradetypes.StoreKey], appCodec, homePath, app.BaseApp, authtypes.NewModuleAddress(govtypes.ModuleName).String())
+
 	// Register the proposal types
 	// Deprecated: Avoid adding new handlers, instead use the new proposal flow
 	// by granting the governance module the right to execute the message.
@@ -328,15 +337,6 @@ func NewSimApp(
 		),
 	)
 
-	// get skipUpgradeHeights from the app options
-	skipUpgradeHeights := map[int64]bool{}
-	for _, h := range cast.ToIntSlice(appOpts.Get(server.FlagUnsafeSkipUpgrades)) {
-		skipUpgradeHeights[int64(h)] = true
-	}
-	homePath := cast.ToString(appOpts.Get(flags.FlagHome))
-	// set the governance module account as the authority for conducting upgrades
-	app.UpgradeKeeper = upgradekeeper.NewKeeper(skipUpgradeHeights, keys[upgradetypes.StoreKey], appCodec, homePath, app.BaseApp, authtypes.NewModuleAddress(govtypes.ModuleName).String())
-
 	// RegisterUpgradeHandlers is used for registering any on-chain upgrades
 	app.RegisterUpgradeHandlers()
 
@@ -642,6 +642,8 @@ func (app *SimApp) RegisterTendermintService(clientCtx client.Context) {
 }
 
 // GetMaccPerms returns a copy of the module account permissions
+//
+// NOTE: This is solely to be used for testing purposes.
 func GetMaccPerms() map[string][]string {
 	dupMaccPerms := make(map[string][]string)
 	for k, v := range maccPerms {
@@ -654,7 +656,7 @@ func GetMaccPerms() map[string][]string {
 // ModuleAccountAddrsLegacy returns all the app's module account addresses.
 func ModuleAccountAddrsLegacy() map[string]bool {
 	modAccAddrs := make(map[string]bool)
-	for acc := range maccPerms {
+	for acc := range GetMaccPerms() {
 		modAccAddrs[authtypes.NewModuleAddress(acc).String()] = true
 	}
 

simapp/app_test.go

@@ -2,6 +2,7 @@ package simapp
 
 import (
 	"encoding/json"
+	"fmt"
 	"os"
 	"testing"
 
@@ -46,11 +47,11 @@ func TestSimAppExportAndBlockedAddrs(t *testing.T) {
 		AppOpts: simtestutil.NewAppOptionsWithFlagHome(DefaultNodeHome),
 	})
 
-	for acc := range maccPerms {
+	for acc := range BlockedAddresses() {
 		require.True(
 			t,
 			app.BankKeeper.BlockedAddr(app.AccountKeeper.GetModuleAddress(acc)),
-			"ensure that blocked addresses are properly set in bank keeper",
+			fmt.Sprintf("ensure that blocked addresses are properly set in bank keeper: %s should be blocked", acc),
 		)
 	}
 
@@ -63,11 +64,6 @@ func TestSimAppExportAndBlockedAddrs(t *testing.T) {
 	require.NoError(t, err, "ExportAppStateAndValidators should not have an error")
 }
 
-func TestGetMaccPerms(t *testing.T) {
-	dup := GetMaccPerms()
-	require.Equal(t, maccPerms, dup, "duplicated module account permissions differed from actual module account permissions")
-}
-
 func TestRunMigrations(t *testing.T) {
 	db := dbm.NewMemDB()
 	logger := log.NewTMLogger(log.NewSyncWriter(os.Stdout))

x/bank/module.go

@@ -12,7 +12,6 @@ import (
 	gwruntime "github.com/grpc-ecosystem/grpc-gateway/runtime"
 	"github.com/spf13/cobra"
 	abci "github.com/tendermint/tendermint/abci/types"
-	"github.com/tendermint/tendermint/crypto"
 
 	"github.com/cosmos/cosmos-sdk/client"
 	"github.com/cosmos/cosmos-sdk/codec"
@@ -232,10 +231,9 @@ func provideModule(in bankInputs) bankOutputs {
 	// Default behavior for blockedAddresses is to regard any module mentioned in
 	// AccountKeeper's module account permissions as blocked.
 	blockedAddresses := make(map[string]bool)
-	if len(in.Config.BlockedModuleAccountsOverride) != 0 {
+	if len(in.Config.BlockedModuleAccountsOverride) > 0 {
 		for _, moduleName := range in.Config.BlockedModuleAccountsOverride {
-			addr := sdk.AccAddress(crypto.AddressHash([]byte(moduleName)))
-			blockedAddresses[addr.String()] = true
+			blockedAddresses[authtypes.NewModuleAddress(moduleName).String()] = true
 		}
 	} else {
 		for _, permission := range in.AccountKeeper.GetModulePermissions() {