[Documentation]: Group Policy delegation example

[fmorency]

Summary

In the x/group documentation 1, it is written

Managing group membership separately from decision policies results in the
least overhead and keeps membership consistent across different policies.
The pattern that is recommended is to have a single master group policy 
for a given group, and then to create separate group policies with different
decision policies and delegate the desired permissions from the master 
account to those "sub-accounts" using the x/authz module.

I would like to see an example of how to achieve such delegation as I failed to make it work on my own.

My attempt

1. Use create-group-with-policy to create a new group and a new (master) policy, where the policy address is used as the owner of the group policy

- admin: tc31c799jddmlz7segvg6jrw6w2k6svwafganjdznard3tc74n7td7rq656kvp
  created_at: "2023-08-25T16:59:41.034297658Z"
  id: "2"
  metadata: ""
  total_weight: "2"
  version: "2"

members:
- group_id: "2"
  member:
    added_at: "2023-08-25T16:59:41.034297658Z"
    address: tc31wquv2y58ljkqjw5a90amlk0vc00mu45v3mhq30
    metadata: Bob
    weight: "1"
- group_id: "2"
  member:
    added_at: "2023-08-25T16:59:41.034297658Z"
    address: tc3109u66fqlkyvtxuy2n9js35zlhqhml8dncuva77
    metadata: Alice
    weight: "1"

- address: tc31c799jddmlz7segvg6jrw6w2k6svwafganjdznard3tc74n7td7rq656kvp
  admin: tc31c799jddmlz7segvg6jrw6w2k6svwafganjdznard3tc74n7td7rq656kvp
  created_at: "2023-08-25T16:59:41.034297658Z"
  decision_policy:
    '@type': /cosmos.group.v1.ThresholdDecisionPolicy
    threshold: "2"
    windows:
      min_execution_period: 0s
      voting_period: 600s
  group_id: "2"
  metadata: ""
  version: "2"

2. Submit a new proposal to create a new (send token) group policy, where the master policy address is used as the owner of the send token policy. Vote and execute the proposal.

- address: tc31f6fyc0ptxh7padqr3hnrw6sm8wjfr93w6cgv39jwm00nd6kh08esyrnyes
  admin: tc31c799jddmlz7segvg6jrw6w2k6svwafganjdznard3tc74n7td7rq656kvp
  created_at: "2023-08-25T17:15:20.452943414Z"
  decision_policy:
    '@type': /cosmos.group.v1.ThresholdDecisionPolicy
    threshold: "1"
    windows:
      min_execution_period: 0s
      voting_period: 600s
  group_id: "2"
  metadata: ""
  version: "1"

3. Submit a new proposal to grant SendAuthorization to the send token policy on behalf of the master policy. Vote and execute the proposal.

grants:
- authorization:
    '@type': /cosmos.bank.v1beta1.SendAuthorization
    allow_list: []
    spend_limit:
    - amount: "10"
      denom: token
  expiration: null
  grantee: tc31f6fyc0ptxh7padqr3hnrw6sm8wjfr93w6cgv39jwm00nd6kh08esyrnyes
  granter: tc31c799jddmlz7segvg6jrw6w2k6svwafganjdznard3tc74n7td7rq656kvp

4. Submit a proposal to send some tokens from the master policy account to some user

{
    "group_policy_address": "tc31f6fyc0ptxh7padqr3hnrw6sm8wjfr93w6cgv39jwm00nd6kh08esyrnyes", 
    "messages": [
        {
            "@type": "/cosmos.bank.v1beta1.MsgSend",
            "from_address": "tc31c799jddmlz7segvg6jrw6w2k6svwafganjdznard3tc74n7td7rq656kvp",
            "to_address": "tc31wquv2y58ljkqjw5a90amlk0vc00mu45v3mhq30",
            "amount": [
                {
                    "denom": "token",
                    "amount": "10"
                }
            ]
        }
    ],
    "metadata": "",
    "title": "Pay Bob for stuff",
    "summary": "This is a proposal to pay 10token to Bob for stuff",
    "proposers": [ "tc31wquv2y58ljkqjw5a90amlk0vc00mu45v3mhq30" ]
}

This fails with

raw_log: 'failed to execute message; message index: 0: msg does not have group policy
  authorization; expected tc31f6fyc0ptxh7padqr3hnrw6sm8wjfr93w6cgv39jwm00nd6kh08esyrnyes,
  got tc31c799jddmlz7segvg6jrw6w2k6svwafganjdznard3tc74n7td7rq656kvp: unauthorized'

Thanks!

[julienrbrt]

Are both group policies associated to the group?

[fmorency]

Are both group policies associated to the group?

Yes, they are.

Below is everything you need to reproduce

Files

config.yml

version: 1
accounts:
- name: alice
  coins:
  - 20000token
  - 200000000stake
- name: bob
  coins:
  - 10000token
  - 100000000stake
- name: carol
  coins:
  - 10000token
  - 100000000stake
client:
  openapi:
    path: docs/static/openapi.yml
faucet:
  name: bob
  coins:
  - 5token
  - 100000stake
validators:
- name: alice
  bonded: 100000000stake

group_members.json

{
	"members": [
		{
			"address": "ALICE_ADDR",
			"weight": "1",
			"metadata": "alice"
		},
		{
			"address": "BOB_ADDR",
			"weight": "1",
			"metadata": "bob"
		}
	]
}

master_group_policy.json

{
    "@type": "/cosmos.group.v1.ThresholdDecisionPolicy",
    "threshold": "2",
    "windows": {
        "voting_period": "120h",
        "min_execution_period": "0s"
    }
}

create-send-group-policy-proposal.json

{
    "group_policy_address": "MASTER_GRP_POLICY_ADDR",
    "messages": [
        {
            "@type": "/cosmos.group.v1.MsgCreateGroupPolicy",
            "admin": "MASTER_GRP_POLICY_ADDR",
            "group_id": 1,
            "metadata": "",
            "decision_policy": {
                    "@type": "/cosmos.group.v1.ThresholdDecisionPolicy",
                    "threshold": "1",
                    "windows": {
                        "voting_period": "10m",
                        "min_execution_period": "0s"
                    }
            }
        }
    ],
    "metadata": "",
    "title": "Create send group policy",
    "summary": "New group policy on group 1. Proposer is alice.",
    "proposers": [ "ALICE_ADDR" ]
}

grant-send-access-proposal.json

{
 "group_policy_address": "MASTER_GRP_POLICY_ADDR",
 "messages": [
  {
   "@type": "/cosmos.authz.v1beta1.MsgGrant",
   "granter": "MASTER_GRP_POLICY_ADDR",
   "grantee": "SEND_GRP_POLICY_ADDR",
   "grant": {
    "expiration": null,
    "authorization": {
      "@type": "/cosmos.bank.v1beta1.SendAuthorization",
      "allow_list": null,
      "spend_limit": [{
        "amount": "10",
        "denom": "token"
      }]
    }
   }
  }
 ],
 "metadata": "",
 "proposers": [
  "ALICE_ADDR"
 ],
 "title": "Grant SendAuth",
 "summary": "Grant SendAuth to send group policy on behalf of master policy"
}

send-token-proposal.json

{
    "group_policy_address": "SEND_GRP_POLICY_ADDR",
    "messages": [
        {
            "@type": "/cosmos.bank.v1beta1.MsgSend",
            "from_address": "MASTER_GRP_POLICY_ADDR",
            "to_address": "BOB_ADDR",
            "amount": [
                {
                    "denom": "token",
                    "amount": "10"
                }
            ]
        }
    ],
    "metadata": "",
    "title": "Send Bob tokens",
    "summary": "Send Bob tokens from the master group policy. Bob is the proposer.",
    "proposers": [ "BOB_ADDR" ]
}

Playbook

$ ignite scaffold chain test-grp-policy
$ cd test-grp-policy

### Replace the `config.yml` file in `test-grp-policy` with the one described above

# Serve the chain
$ ignite chain serve

### Open a new terminal to execute the following commands

# Create the master group policy
$ test-grp-policyd tx group create-group-with-policy [CAROL_ADDR] "" "" group_members.json master_group_policy.json --group-policy-as-admin

# Verify group members and group policy
$ test-grp-policyd q group group-members 1
$ test-grp-policyd q group group-policies-by-group 1

# Submit proposal to create a new send group policy owned by the master policy
$ test-grp-policyd tx group submit-proposal create-send-group-policy-proposal.json 

# Verify send group policy has been submitted
$ test-grp-policyd q group proposal 1

# Vote and execute the proposal
$ test-grp-policyd tx group vote 1 [ALICE_ADDR] VOTE_OPTION_YES "aye"
$ test-grp-policyd tx group vote 1 [BOB_ADDR] VOTE_OPTION_YES "yes"
$ test-grp-policyd tx group exec 1 --from alice

# Verify the new send policy is assigned to the group
$ test-grp-policyd q group group-policies-by-group 1

# Submit proposal to grant SendAuth to the send policy on behalf of the master policy
$ test-grp-policyd tx group submit-proposal grant-send-access-proposal.json

# Vote and execute the proposal
$ test-grp-policyd tx group vote 2 [ALICE_ADDR] VOTE_OPTION_YES "aye"
$ test-grp-policyd tx group vote 2 [BOB_ADDR] VOTE_OPTION_YES "yes"
$ test-grp-policyd tx group exec 2 --from alice

# Verify the authorization is active
$ test-grp-policyd q authz grants-by-granter [MASTER_GRP_POLICY_ADDR]

# Send some tokens from alice to the master group policy account
$ test-grp-policyd tx bank send alice [MASTER_GRP_POLICY_ADDR] 100token

# Verify account balance
$ test-grp-policyd q bank balances [MASTER_GRP_POLICY_ADDR]

# Submit a proposal to send tokens from the master account to Bob using the send policy
$ test-grp-policyd tx group submit-proposal send-token-proposal.json

###
'failed to execute message; message index: 0: msg does not have group policy
  authorization; expected [SEND_GRP_POLICY_ADDR],
  got [MASTER_GRP_POLICY_ADDR]: unauthorized'
###

[fmorency]

The above should be complete now. I'm looking forward to understanding why it doesn't work. Thanks @julienrbrt.