Transactor.cpp

//------------------------------------------------------------------------------
/*
    This file is part of rippled: https://github.com/ripple/rippled
    Copyright (c) 2012, 2013 Ripple Labs Inc.
 
    Permission to use, copy, modify, and/or distribute this software for any
    purpose  with  or without fee is hereby granted, provided that the above
    copyright notice and this permission notice appear in all copies.
 
    THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
    WITH  REGARD  TO  THIS  SOFTWARE  INCLUDING  ALL  IMPLIED  WARRANTIES  OF
    MERCHANTABILITY  AND  FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
    ANY  SPECIAL ,  DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
    WHATSOEVER  RESULTING  FROM  LOSS  OF USE, DATA OR PROFITS, WHETHER IN AN
    ACTION  OF  CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
//==============================================================================
 
#include <xrpld/app/main/Application.h>
#include <xrpld/app/misc/DelegateUtils.h>
#include <xrpld/app/misc/LoadFeeTrack.h>
#include <xrpld/app/tx/apply.h>
#include <xrpld/app/tx/detail/NFTokenUtils.h>
#include <xrpld/app/tx/detail/SignerEntries.h>
#include <xrpld/app/tx/detail/Transactor.h>
#include <xrpld/core/Config.h>
 
#include <xrpl/basics/Log.h>
#include <xrpl/basics/contract.h>
#include <xrpl/json/to_string.h>
#include <xrpl/ledger/CredentialHelpers.h>
#include <xrpl/ledger/View.h>
#include <xrpl/protocol/Feature.h>
#include <xrpl/protocol/Indexes.h>
#include <xrpl/protocol/Protocol.h>
#include <xrpl/protocol/TxFlags.h>
#include <xrpl/protocol/UintTypes.h>
 
namespace ripple {
 
NotTEC
preflight0(PreflightContext const& ctx, std::uint32_t flagMask)
{
    if (isPseudoTx(ctx.tx) && ctx.tx.isFlag(tfInnerBatchTxn))
    {
        JLOG(ctx.j.warn()) << "Pseudo transactions cannot contain the "
                              "tfInnerBatchTxn flag.";
        return temINVALID_FLAG;
    }
 
    if (!isPseudoTx(ctx.tx) || ctx.tx.isFieldPresent(sfNetworkID))
    {
        uint32_t nodeNID = ctx.app.config().NETWORK_ID;
        std::optional<uint32_t> txNID = ctx.tx[~sfNetworkID];
 
        if (nodeNID <= 1024)
        {
            // legacy networks have ids less than 1024, these networks cannot
            // specify NetworkID in txn
            if (txNID)
                return telNETWORK_ID_MAKES_TX_NON_CANONICAL;
        }
        else
        {
            // new networks both require the field to be present and require it
            // to match
            if (!txNID)
                return telREQUIRES_NETWORK_ID;
 
            if (*txNID != nodeNID)
                return telWRONG_NETWORK;
        }
    }
 
    auto const txID = ctx.tx.getTransactionID();
 
    if (txID == beast::zero)
    {
        JLOG(ctx.j.warn())
            << "applyTransaction: transaction id may not be zero";
        return temINVALID;
    }
 
    if (ctx.tx.getFlags() & flagMask)
    {
        JLOG(ctx.j.debug())
            << ctx.tx.peekAtField(sfTransactionType).getFullText()
            << ": invalid flags.";
        return temINVALID_FLAG;
    }
 
    return tesSUCCESS;
}
 
namespace detail {
 
NotTEC
preflightCheckSigningKey(STObject const& sigObject, beast::Journal j)
{
    if (auto const spk = sigObject.getFieldVL(sfSigningPubKey);
        !spk.empty() && !publicKeyType(makeSlice(spk)))
    {
        JLOG(j.debug()) << "preflightCheckSigningKey: invalid signing key";
        return temBAD_SIGNATURE;
    }
    return tesSUCCESS;
}
 
std::optional<NotTEC>
preflightCheckSimulateKeys(
    ApplyFlags flags,
    STObject const& sigObject,
    beast::Journal j)
{
    if (flags & tapDRY_RUN)  // simulation
    {
        std::optional<Slice> const signature = sigObject[~sfTxnSignature];
        if (signature && !signature->empty())
        {
            // NOTE: This code should never be hit because it's checked in the
            // `simulate` RPC
            return temINVALID;  // LCOV_EXCL_LINE
        }
 
        if (!sigObject.isFieldPresent(sfSigners))
        {
            // no signers, no signature - a valid simulation
            return tesSUCCESS;
        }
 
        for (auto const& signer : sigObject.getFieldArray(sfSigners))
        {
            if (signer.isFieldPresent(sfTxnSignature) &&
                !signer[sfTxnSignature].empty())
            {
                // NOTE: This code should never be hit because it's
                // checked in the `simulate` RPC
                return temINVALID;  // LCOV_EXCL_LINE
            }
        }
 
        Slice const signingPubKey = sigObject[sfSigningPubKey];
        if (!signingPubKey.empty())
        {
            // trying to single-sign _and_ multi-sign a transaction
            return temINVALID;
        }
        return tesSUCCESS;
    }
    return {};
}
 
}  // namespace detail
 
NotTEC
Transactor::preflight1(PreflightContext const& ctx, std::uint32_t flagMask)
{
    // This is inappropriate in preflight0, because only Change transactions
    // skip this function, and those do not allow an sfTicketSequence field.
    if (ctx.tx.isFieldPresent(sfTicketSequence) &&
        !ctx.rules.enabled(featureTicketBatch))
    {
        return temMALFORMED;
    }
 
    if (ctx.tx.isFieldPresent(sfDelegate))
    {
        if (!ctx.rules.enabled(featurePermissionDelegation))
            return temDISABLED;
 
        if (ctx.tx[sfDelegate] == ctx.tx[sfAccount])
            return temBAD_SIGNER;
    }
 
    if (auto const ret = preflight0(ctx, flagMask))
        return ret;
 
    auto const id = ctx.tx.getAccountID(sfAccount);
    if (id == beast::zero)
    {
        JLOG(ctx.j.warn()) << "preflight1: bad account id";
        return temBAD_SRC_ACCOUNT;
    }
 
    // No point in going any further if the transaction fee is malformed.
    auto const fee = ctx.tx.getFieldAmount(sfFee);
    if (!fee.native() || fee.negative() || !isLegalAmount(fee.xrp()))
    {
        JLOG(ctx.j.debug()) << "preflight1: invalid fee";
        return temBAD_FEE;
    }
 
    if (auto const ret = detail::preflightCheckSigningKey(ctx.tx, ctx.j))
        return ret;
 
    // An AccountTxnID field constrains transaction ordering more than the
    // Sequence field.  Tickets, on the other hand, reduce ordering
    // constraints.  Because Tickets and AccountTxnID work against one
    // another the combination is unsupported and treated as malformed.
    //
    // We return temINVALID for such transactions.
    if (ctx.tx.getSeqProxy().isTicket() &&
        ctx.tx.isFieldPresent(sfAccountTxnID))
        return temINVALID;
 
    if (ctx.tx.isFlag(tfInnerBatchTxn) && !ctx.rules.enabled(featureBatch))
        return temINVALID_FLAG;
 
    XRPL_ASSERT(
        ctx.tx.isFlag(tfInnerBatchTxn) == ctx.parentBatchId.has_value() ||
            !ctx.rules.enabled(featureBatch),
        "Inner batch transaction must have a parent batch ID.");
 
    return tesSUCCESS;
}
 
NotTEC
Transactor::preflight2(PreflightContext const& ctx)
{
    if (auto const ret =
            detail::preflightCheckSimulateKeys(ctx.flags, ctx.tx, ctx.j))
        // Skips following checks if the transaction is being simulated,
        // regardless of success or failure
        return *ret;
 
    auto const sigValid = checkValidity(
        ctx.app.getHashRouter(), ctx.tx, ctx.rules, ctx.app.config());
    if (sigValid.first == Validity::SigBad)
    {
        JLOG(ctx.j.debug()) << "preflight2: bad signature. " << sigValid.second;
        return temINVALID;  // LCOV_EXCL_LINE
    }
    return tesSUCCESS;
}
 
//------------------------------------------------------------------------------
 
Transactor::Transactor(ApplyContext& ctx)
    : ctx_(ctx)
    , sink_(ctx.journal, to_short_string(ctx.tx.getTransactionID()) + " ")
    , j_(sink_)
    , account_(ctx.tx.getAccountID(sfAccount))
{
}
 
bool
Transactor::validDataLength(
    std::optional<Slice> const& slice,
    std::size_t maxLength)
{
    if (!slice)
        return true;
    return !slice->empty() && slice->length() <= maxLength;
}
 
std::uint32_t
Transactor::getFlagsMask(PreflightContext const& ctx)
{
    return tfUniversalMask;
}
 
NotTEC
Transactor::preflightSigValidated(PreflightContext const& ctx)
{
    return tesSUCCESS;
}
 
TER
Transactor::checkPermission(ReadView const& view, STTx const& tx)
{
    auto const delegate = tx[~sfDelegate];
    if (!delegate)
        return tesSUCCESS;
 
    auto const delegateKey = keylet::delegate(tx[sfAccount], *delegate);
    auto const sle = view.read(delegateKey);
 
    if (!sle)
        return tecNO_DELEGATE_PERMISSION;
 
    return checkTxPermission(sle, tx);
}
 
XRPAmount
Transactor::calculateBaseFee(ReadView const& view, STTx const& tx)
{
    // Returns the fee in fee units.
 
    // The computation has two parts:
    //  * The base fee, which is the same for most transactions.
    //  * The additional cost of each multisignature on the transaction.
    XRPAmount const baseFee = view.fees().base;
 
    // Each signer adds one more baseFee to the minimum required fee
    // for the transaction.
    std::size_t const signerCount =
        tx.isFieldPresent(sfSigners) ? tx.getFieldArray(sfSigners).size() : 0;
 
    return baseFee + (signerCount * baseFee);
}
 
// Returns the fee in fee units, not scaled for load.
XRPAmount
Transactor::calculateOwnerReserveFee(ReadView const& view, STTx const& tx)
{
    // Assumption: One reserve increment is typically much greater than one base
    // fee.
    // This check is in an assert so that it will come to the attention of
    // developers if that assumption is not correct. If the owner reserve is not
    // significantly larger than the base fee (or even worse, smaller), we will
    // need to rethink charging an owner reserve as a transaction fee.
    // TODO: This function is static, and I don't want to add more parameters.
    // When it is finally refactored to be in a context that has access to the
    // Application, include "app().overlay().networkID() > 2 ||" in the
    // condition.
    XRPL_ASSERT(
        view.fees().increment > view.fees().base * 100,
        "ripple::Transactor::calculateOwnerReserveFee : Owner reserve is "
        "reasonable");
    return view.fees().increment;
}
 
XRPAmount
Transactor::minimumFee(
    Application& app,
    XRPAmount baseFee,
    Fees const& fees,
    ApplyFlags flags)
{
    return scaleFeeLoad(baseFee, app.getFeeTrack(), fees, flags & tapUNLIMITED);
}
 
TER
Transactor::checkFee(PreclaimContext const& ctx, XRPAmount baseFee)
{
    if (!ctx.tx[sfFee].native())
        return temBAD_FEE;
 
    auto const feePaid = ctx.tx[sfFee].xrp();
 
    if (ctx.flags & tapBATCH)
    {
        if (feePaid == beast::zero)
            return tesSUCCESS;
 
        JLOG(ctx.j.trace()) << "Batch: Fee must be zero.";
        return temBAD_FEE;  // LCOV_EXCL_LINE
    }
 
    if (!isLegalAmount(feePaid) || feePaid < beast::zero)
        return temBAD_FEE;
 
    // Only check fee is sufficient when the ledger is open.
    if (ctx.view.open())
    {
        auto const feeDue =
            minimumFee(ctx.app, baseFee, ctx.view.fees(), ctx.flags);
 
        if (feePaid < feeDue)
        {
            JLOG(ctx.j.trace())
                << "Insufficient fee paid: " << to_string(feePaid) << "/"
                << to_string(feeDue);
            return telINSUF_FEE_P;
        }
    }
 
    if (feePaid == beast::zero)
        return tesSUCCESS;
 
    auto const id = ctx.tx.isFieldPresent(sfDelegate)
        ? ctx.tx.getAccountID(sfDelegate)
        : ctx.tx.getAccountID(sfAccount);
    auto const sle = ctx.view.read(keylet::account(id));
    if (!sle)
        return terNO_ACCOUNT;
 
    auto const balance = (*sle)[sfBalance].xrp();
 
    if (balance < feePaid)
    {
        JLOG(ctx.j.trace())
            << "Insufficient balance:" << " balance=" << to_string(balance)
            << " paid=" << to_string(feePaid);
 
        if ((balance > beast::zero) && !ctx.view.open())
        {
            // Closed ledger, non-zero balance, less than fee
            return tecINSUFF_FEE;
        }
 
        return terINSUF_FEE_B;
    }
 
    return tesSUCCESS;
}
 
TER
Transactor::payFee()
{
    auto const feePaid = ctx_.tx[sfFee].xrp();
 
    if (ctx_.tx.isFieldPresent(sfDelegate))
    {
        // Delegated transactions are paid by the delegated account.
        auto const delegate = ctx_.tx.getAccountID(sfDelegate);
        auto const delegatedSle = view().peek(keylet::account(delegate));
        if (!delegatedSle)
            return tefINTERNAL;  // LCOV_EXCL_LINE
 
        delegatedSle->setFieldAmount(
            sfBalance, delegatedSle->getFieldAmount(sfBalance) - feePaid);
        view().update(delegatedSle);
    }
    else
    {
        auto const sle = view().peek(keylet::account(account_));
        if (!sle)
            return tefINTERNAL;  // LCOV_EXCL_LINE
 
        // Deduct the fee, so it's not available during the transaction.
        // Will only write the account back if the transaction succeeds.
 
        mSourceBalance -= feePaid;
        sle->setFieldAmount(sfBalance, mSourceBalance);
 
        // VFALCO Should we call view().rawDestroyXRP() here as well?
    }
 
    return tesSUCCESS;
}
 
NotTEC
Transactor::checkSeqProxy(
    ReadView const& view,
    STTx const& tx,
    beast::Journal j)
{
    auto const id = tx.getAccountID(sfAccount);
 
    auto const sle = view.read(keylet::account(id));
 
    if (!sle)
    {
        JLOG(j.trace())
            << "applyTransaction: delay: source account does not exist "
            << toBase58(id);
        return terNO_ACCOUNT;
    }
 
    SeqProxy const t_seqProx = tx.getSeqProxy();
    SeqProxy const a_seq = SeqProxy::sequence((*sle)[sfSequence]);
 
    if (t_seqProx.isSeq())
    {
        if (tx.isFieldPresent(sfTicketSequence) &&
            view.rules().enabled(featureTicketBatch))
        {
            JLOG(j.trace()) << "applyTransaction: has both a TicketSequence "
                               "and a non-zero Sequence number";
            return temSEQ_AND_TICKET;
        }
        if (t_seqProx != a_seq)
        {
            if (a_seq < t_seqProx)
            {
                JLOG(j.trace())
                    << "applyTransaction: has future sequence number "
                    << "a_seq=" << a_seq << " t_seq=" << t_seqProx;
                return terPRE_SEQ;
            }
            // It's an already-used sequence number.
            JLOG(j.trace()) << "applyTransaction: has past sequence number "
                            << "a_seq=" << a_seq << " t_seq=" << t_seqProx;
            return tefPAST_SEQ;
        }
    }
    else if (t_seqProx.isTicket())
    {
        // Bypass the type comparison. Apples and oranges.
        if (a_seq.value() <= t_seqProx.value())
        {
            // If the Ticket number is greater than or equal to the
            // account sequence there's the possibility that the
            // transaction to create the Ticket has not hit the ledger
            // yet.  Allow a retry.
            JLOG(j.trace()) << "applyTransaction: has future ticket id "
                            << "a_seq=" << a_seq << " t_seq=" << t_seqProx;
            return terPRE_TICKET;
        }
 
        // Transaction can never succeed if the Ticket is not in the ledger.
        if (!view.exists(keylet::ticket(id, t_seqProx)))
        {
            JLOG(j.trace())
                << "applyTransaction: ticket already used or never created "
                << "a_seq=" << a_seq << " t_seq=" << t_seqProx;
            return tefNO_TICKET;
        }
    }
 
    return tesSUCCESS;
}
 
NotTEC
Transactor::checkPriorTxAndLastLedger(PreclaimContext const& ctx)
{
    auto const id = ctx.tx.getAccountID(sfAccount);
 
    auto const sle = ctx.view.read(keylet::account(id));
 
    if (!sle)
    {
        JLOG(ctx.j.trace())
            << "applyTransaction: delay: source account does not exist "
            << toBase58(id);
        return terNO_ACCOUNT;
    }
 
    if (ctx.tx.isFieldPresent(sfAccountTxnID) &&
        (sle->getFieldH256(sfAccountTxnID) !=
         ctx.tx.getFieldH256(sfAccountTxnID)))
        return tefWRONG_PRIOR;
 
    if (ctx.tx.isFieldPresent(sfLastLedgerSequence) &&
        (ctx.view.seq() > ctx.tx.getFieldU32(sfLastLedgerSequence)))
        return tefMAX_LEDGER;
 
    if (ctx.view.txExists(ctx.tx.getTransactionID()))
        return tefALREADY;
 
    return tesSUCCESS;
}
 
TER
Transactor::consumeSeqProxy(SLE::pointer const& sleAccount)
{
    XRPL_ASSERT(
        sleAccount, "ripple::Transactor::consumeSeqProxy : non-null account");
    SeqProxy const seqProx = ctx_.tx.getSeqProxy();
    if (seqProx.isSeq())
    {
        // Note that if this transaction is a TicketCreate, then
        // the transaction will modify the account root sfSequence
        // yet again.
        sleAccount->setFieldU32(sfSequence, seqProx.value() + 1);
        return tesSUCCESS;
    }
    return ticketDelete(
        view(), account_, getTicketIndex(account_, seqProx), j_);
}
 
// Remove a single Ticket from the ledger.
TER
Transactor::ticketDelete(
    ApplyView& view,
    AccountID const& account,
    uint256 const& ticketIndex,
    beast::Journal j)
{
    // Delete the Ticket, adjust the account root ticket count, and
    // reduce the owner count.
    SLE::pointer const sleTicket = view.peek(keylet::ticket(ticketIndex));
    if (!sleTicket)
    {
        // LCOV_EXCL_START
        JLOG(j.fatal()) << "Ticket disappeared from ledger.";
        return tefBAD_LEDGER;
        // LCOV_EXCL_STOP
    }
 
    std::uint64_t const page{(*sleTicket)[sfOwnerNode]};
    if (!view.dirRemove(keylet::ownerDir(account), page, ticketIndex, true))
    {
        // LCOV_EXCL_START
        JLOG(j.fatal()) << "Unable to delete Ticket from owner.";
        return tefBAD_LEDGER;
        // LCOV_EXCL_STOP
    }
 
    // Update the account root's TicketCount.  If the ticket count drops to
    // zero remove the (optional) field.
    auto sleAccount = view.peek(keylet::account(account));
    if (!sleAccount)
    {
        // LCOV_EXCL_START
        JLOG(j.fatal()) << "Could not find Ticket owner account root.";
        return tefBAD_LEDGER;
        // LCOV_EXCL_STOP
    }
 
    if (auto ticketCount = (*sleAccount)[~sfTicketCount])
    {
        if (*ticketCount == 1)
            sleAccount->makeFieldAbsent(sfTicketCount);
        else
            ticketCount = *ticketCount - 1;
    }
    else
    {
        // LCOV_EXCL_START
        JLOG(j.fatal()) << "TicketCount field missing from account root.";
        return tefBAD_LEDGER;
        // LCOV_EXCL_STOP
    }
 
    // Update the Ticket owner's reserve.
    adjustOwnerCount(view, sleAccount, -1, j);
 
    // Remove Ticket from ledger.
    view.erase(sleTicket);
    return tesSUCCESS;
}
 
// check stuff before you bother to lock the ledger
void
Transactor::preCompute()
{
    XRPL_ASSERT(
        account_ != beast::zero,
        "ripple::Transactor::preCompute : nonzero account");
}
 
TER
Transactor::apply()
{
    preCompute();
 
    // If the transactor requires a valid account and the transaction doesn't
    // list one, preflight will have already a flagged a failure.
    auto const sle = view().peek(keylet::account(account_));
 
    // sle must exist except for transactions
    // that allow zero account.
    XRPL_ASSERT(
        sle != nullptr || account_ == beast::zero,
        "ripple::Transactor::apply : non-null SLE or zero account");
 
    if (sle)
    {
        mPriorBalance = STAmount{(*sle)[sfBalance]}.xrp();
        mSourceBalance = mPriorBalance;
 
        TER result = consumeSeqProxy(sle);
        if (result != tesSUCCESS)
            return result;
 
        result = payFee();
        if (result != tesSUCCESS)
            return result;
 
        if (sle->isFieldPresent(sfAccountTxnID))
            sle->setFieldH256(sfAccountTxnID, ctx_.tx.getTransactionID());
 
        view().update(sle);
    }
 
    return doApply();
}
 
NotTEC
Transactor::checkSign(
    ReadView const& view,
    ApplyFlags flags,
    AccountID const& idAccount,
    STObject const& sigObject,
    beast::Journal const j)
{
    auto const pkSigner = sigObject.getFieldVL(sfSigningPubKey);
    // Ignore signature check on batch inner transactions
    if (sigObject.isFlag(tfInnerBatchTxn) && view.rules().enabled(featureBatch))
    {
        // Defensive Check: These values are also checked in Batch::preflight
        if (sigObject.isFieldPresent(sfTxnSignature) || !pkSigner.empty() ||
            sigObject.isFieldPresent(sfSigners))
        {
            return temINVALID_FLAG;  // LCOV_EXCL_LINE
        }
        return tesSUCCESS;
    }
 
    if ((flags & tapDRY_RUN) && pkSigner.empty() &&
        !sigObject.isFieldPresent(sfSigners))
    {
        // simulate: skip signature validation when neither SigningPubKey nor
        // Signers are provided
        return tesSUCCESS;
    }
 
    // If the pk is empty and not simulate or simulate and signers,
    // then we must be multi-signing.
    if (sigObject.isFieldPresent(sfSigners))
    {
        return checkMultiSign(view, flags, idAccount, sigObject, j);
    }
 
    // Check Single Sign
    XRPL_ASSERT(
        !pkSigner.empty(), "ripple::Transactor::checkSign : non-empty signer");
 
    if (!publicKeyType(makeSlice(pkSigner)))
    {
        JLOG(j.trace()) << "checkSign: signing public key type is unknown";
        return tefBAD_AUTH;  // FIXME: should be better error!
    }
 
    // Look up the account.
    auto const idSigner = pkSigner.empty()
        ? idAccount
        : calcAccountID(PublicKey(makeSlice(pkSigner)));
    auto const sleAccount = view.read(keylet::account(idAccount));
    if (!sleAccount)
        return terNO_ACCOUNT;
 
    return checkSingleSign(view, idSigner, idAccount, sleAccount, j);
}
 
NotTEC
Transactor::checkSign(PreclaimContext const& ctx)
{
    auto const idAccount = ctx.tx.isFieldPresent(sfDelegate)
        ? ctx.tx.getAccountID(sfDelegate)
        : ctx.tx.getAccountID(sfAccount);
    return checkSign(ctx.view, ctx.flags, idAccount, ctx.tx, ctx.j);
}
 
NotTEC
Transactor::checkBatchSign(PreclaimContext const& ctx)
{
    NotTEC ret = tesSUCCESS;
    STArray const& signers{ctx.tx.getFieldArray(sfBatchSigners)};
    for (auto const& signer : signers)
    {
        auto const idAccount = signer.getAccountID(sfAccount);
 
        Blob const& pkSigner = signer.getFieldVL(sfSigningPubKey);
        if (pkSigner.empty())
        {
            if (ret = checkMultiSign(
                    ctx.view, ctx.flags, idAccount, signer, ctx.j);
                !isTesSuccess(ret))
                return ret;
        }
        else
        {
            // LCOV_EXCL_START
            if (!publicKeyType(makeSlice(pkSigner)))
                return tefBAD_AUTH;
            // LCOV_EXCL_STOP
 
            auto const idSigner = calcAccountID(PublicKey(makeSlice(pkSigner)));
            auto const sleAccount = ctx.view.read(keylet::account(idAccount));
 
            // A batch can include transactions from an un-created account ONLY
            // when the account master key is the signer
            if (!sleAccount)
            {
                if (idAccount != idSigner)
                    return tefBAD_AUTH;
 
                return tesSUCCESS;
            }
 
            if (ret = checkSingleSign(
                    ctx.view, idSigner, idAccount, sleAccount, ctx.j);
                !isTesSuccess(ret))
                return ret;
        }
    }
    return ret;
}
 
NotTEC
Transactor::checkSingleSign(
    ReadView const& view,
    AccountID const& idSigner,
    AccountID const& idAccount,
    std::shared_ptr<SLE const> sleAccount,
    beast::Journal const j)
{
    bool const isMasterDisabled = sleAccount->isFlag(lsfDisableMaster);
 
    if (view.rules().enabled(fixMasterKeyAsRegularKey))
    {
        // Signed with regular key.
        if ((*sleAccount)[~sfRegularKey] == idSigner)
        {
            return tesSUCCESS;
        }
 
        // Signed with enabled mater key.
        if (!isMasterDisabled && idAccount == idSigner)
        {
            return tesSUCCESS;
        }
 
        // Signed with disabled master key.
        if (isMasterDisabled && idAccount == idSigner)
        {
            return tefMASTER_DISABLED;
        }
 
        // Signed with any other key.
        return tefBAD_AUTH;
    }
 
    if (idSigner == idAccount)
    {
        // Signing with the master key. Continue if it is not disabled.
        if (isMasterDisabled)
            return tefMASTER_DISABLED;
    }
    else if ((*sleAccount)[~sfRegularKey] == idSigner)
    {
        // Signing with the regular key. Continue.
    }
    else if (sleAccount->isFieldPresent(sfRegularKey))
    {
        // Signing key does not match master or regular key.
        JLOG(j.trace()) << "checkSingleSign: Not authorized to use account.";
        return tefBAD_AUTH;
    }
    else
    {
        // No regular key on account and signing key does not match master key.
        // FIXME: Why differentiate this case from tefBAD_AUTH?
        JLOG(j.trace()) << "checkSingleSign: Not authorized to use account.";
        return tefBAD_AUTH_MASTER;
    }
 
    return tesSUCCESS;
}
 
NotTEC
Transactor::checkMultiSign(
    ReadView const& view,
    ApplyFlags flags,
    AccountID const& id,
    STObject const& sigObject,
    beast::Journal const j)
{
    // Get id's SignerList and Quorum.
    std::shared_ptr<STLedgerEntry const> sleAccountSigners =
        view.read(keylet::signers(id));
    // If the signer list doesn't exist the account is not multi-signing.
    if (!sleAccountSigners)
    {
        JLOG(j.trace())
            << "applyTransaction: Invalid: Not a multi-signing account.";
        return tefNOT_MULTI_SIGNING;
    }
 
    // We have plans to support multiple SignerLists in the future.  The
    // presence and defaulted value of the SignerListID field will enable that.
    XRPL_ASSERT(
        sleAccountSigners->isFieldPresent(sfSignerListID),
        "ripple::Transactor::checkMultiSign : has signer list ID");
    XRPL_ASSERT(
        sleAccountSigners->getFieldU32(sfSignerListID) == 0,
        "ripple::Transactor::checkMultiSign : signer list ID is 0");
 
    auto accountSigners =
        SignerEntries::deserialize(*sleAccountSigners, j, "ledger");
    if (!accountSigners)
        return accountSigners.error();
 
    // Get the array of transaction signers.
    STArray const& txSigners(sigObject.getFieldArray(sfSigners));
 
    // Walk the accountSigners performing a variety of checks and see if
    // the quorum is met.
 
    // Both the multiSigners and accountSigners are sorted by account.  So
    // matching multi-signers to account signers should be a simple
    // linear walk.  *All* signers must be valid or the transaction fails.
    std::uint32_t weightSum = 0;
    auto iter = accountSigners->begin();
    for (auto const& txSigner : txSigners)
    {
        AccountID const txSignerAcctID = txSigner.getAccountID(sfAccount);
 
        // Attempt to match the SignerEntry with a Signer;
        while (iter->account < txSignerAcctID)
        {
            if (++iter == accountSigners->end())
            {
                JLOG(j.trace())
                    << "applyTransaction: Invalid SigningAccount.Account.";
                return tefBAD_SIGNATURE;
            }
        }
        if (iter->account != txSignerAcctID)
        {
            // The SigningAccount is not in the SignerEntries.
            JLOG(j.trace())
                << "applyTransaction: Invalid SigningAccount.Account.";
            return tefBAD_SIGNATURE;
        }
 
        // We found the SigningAccount in the list of valid signers.  Now we
        // need to compute the accountID that is associated with the signer's
        // public key.
        auto const spk = txSigner.getFieldVL(sfSigningPubKey);
 
        // spk being non-empty in non-simulate is checked in
        // STTx::checkMultiSign
        if (!spk.empty() && !publicKeyType(makeSlice(spk)))
        {
            JLOG(j.trace())
                << "checkMultiSign: signing public key type is unknown";
            return tefBAD_SIGNATURE;
        }
 
        XRPL_ASSERT(
            (flags & tapDRY_RUN) || !spk.empty(),
            "ripple::Transactor::checkMultiSign : non-empty signer or "
            "simulation");
        AccountID const signingAcctIDFromPubKey = spk.empty()
            ? txSignerAcctID
            : calcAccountID(PublicKey(makeSlice(spk)));
 
        // Verify that the signingAcctID and the signingAcctIDFromPubKey
        // belong together.  Here are the rules:
        //
        //   1. "Phantom account": an account that is not in the ledger
        //      A. If signingAcctID == signingAcctIDFromPubKey and the
        //         signingAcctID is not in the ledger then we have a phantom
        //         account.
        //      B. Phantom accounts are always allowed as multi-signers.
        //
        //   2. "Master Key"
        //      A. signingAcctID == signingAcctIDFromPubKey, and signingAcctID
        //         is in the ledger.
        //      B. If the signingAcctID in the ledger does not have the
        //         asfDisableMaster flag set, then the signature is allowed.
        //
        //   3. "Regular Key"
        //      A. signingAcctID != signingAcctIDFromPubKey, and signingAcctID
        //         is in the ledger.
        //      B. If signingAcctIDFromPubKey == signingAcctID.RegularKey (from
        //         ledger) then the signature is allowed.
        //
        // No other signatures are allowed.  (January 2015)
 
        // In any of these cases we need to know whether the account is in
        // the ledger.  Determine that now.
        auto const sleTxSignerRoot = view.read(keylet::account(txSignerAcctID));
 
        if (signingAcctIDFromPubKey == txSignerAcctID)
        {
            // Either Phantom or Master.  Phantoms automatically pass.
            if (sleTxSignerRoot)
            {
                // Master Key.  Account may not have asfDisableMaster set.
                std::uint32_t const signerAccountFlags =
                    sleTxSignerRoot->getFieldU32(sfFlags);
 
                if (signerAccountFlags & lsfDisableMaster)
                {
                    JLOG(j.trace())
                        << "applyTransaction: Signer:Account lsfDisableMaster.";
                    return tefMASTER_DISABLED;
                }
            }
        }
        else
        {
            // May be a Regular Key.  Let's find out.
            // Public key must hash to the account's regular key.
            if (!sleTxSignerRoot)
            {
                JLOG(j.trace()) << "applyTransaction: Non-phantom signer "
                                   "lacks account root.";
                return tefBAD_SIGNATURE;
            }
 
            if (!sleTxSignerRoot->isFieldPresent(sfRegularKey))
            {
                JLOG(j.trace())
                    << "applyTransaction: Account lacks RegularKey.";
                return tefBAD_SIGNATURE;
            }
            if (signingAcctIDFromPubKey !=
                sleTxSignerRoot->getAccountID(sfRegularKey))
            {
                JLOG(j.trace())
                    << "applyTransaction: Account doesn't match RegularKey.";
                return tefBAD_SIGNATURE;
            }
        }
        // The signer is legitimate.  Add their weight toward the quorum.
        weightSum += iter->weight;
    }
 
    // Cannot perform transaction if quorum is not met.
    if (weightSum < sleAccountSigners->getFieldU32(sfSignerQuorum))
    {
        JLOG(j.trace()) << "applyTransaction: Signers failed to meet quorum.";
        return tefBAD_QUORUM;
    }
 
    // Met the quorum.  Continue.
    return tesSUCCESS;
}
 
//------------------------------------------------------------------------------
 
static void
removeUnfundedOffers(
    ApplyView& view,
    std::vector<uint256> const& offers,
    beast::Journal viewJ)
{
    int removed = 0;
 
    for (auto const& index : offers)
    {
        if (auto const sleOffer = view.peek(keylet::offer(index)))
        {
            // offer is unfunded
            offerDelete(view, sleOffer, viewJ);
            if (++removed == unfundedOfferRemoveLimit)
                return;
        }
    }
}
 
static void
removeExpiredNFTokenOffers(
    ApplyView& view,
    std::vector<uint256> const& offers,
    beast::Journal viewJ)
{
    std::size_t removed = 0;
 
    for (auto const& index : offers)
    {
        if (auto const offer = view.peek(keylet::nftoffer(index)))
        {
            nft::deleteTokenOffer(view, offer);
            if (++removed == expiredOfferRemoveLimit)
                return;
        }
    }
}
 
static void
removeExpiredCredentials(
    ApplyView& view,
    std::vector<uint256> const& creds,
    beast::Journal viewJ)
{
    for (auto const& index : creds)
    {
        if (auto const sle = view.peek(keylet::credential(index)))
            credentials::deleteSLE(view, sle, viewJ);
    }
}
 
static void
removeDeletedTrustLines(
    ApplyView& view,
    std::vector<uint256> const& trustLines,
    beast::Journal viewJ)
{
    if (trustLines.size() > maxDeletableAMMTrustLines)
    {
        JLOG(viewJ.error())
            << "removeDeletedTrustLines: deleted trustlines exceed max "
            << trustLines.size();
        return;
    }
 
    for (auto const& index : trustLines)
    {
        if (auto const sleState = view.peek({ltRIPPLE_STATE, index});
            deleteAMMTrustLine(view, sleState, std::nullopt, viewJ) !=
            tesSUCCESS)
        {
            JLOG(viewJ.error())
                << "removeDeletedTrustLines: failed to delete AMM trustline";
        }
    }
}
 
std::pair<TER, XRPAmount>
Transactor::reset(XRPAmount fee)
{
    ctx_.discard();
 
    auto const txnAcct =
        view().peek(keylet::account(ctx_.tx.getAccountID(sfAccount)));
 
    // The account should never be missing from the ledger.  But if it
    // is missing then we can't very well charge it a fee, can we?
    if (!txnAcct)
        return {tefINTERNAL, beast::zero};
 
    auto const payerSle = ctx_.tx.isFieldPresent(sfDelegate)
        ? view().peek(keylet::account(ctx_.tx.getAccountID(sfDelegate)))
        : txnAcct;
    if (!payerSle)
        return {tefINTERNAL, beast::zero};  // LCOV_EXCL_LINE
 
    auto const balance = payerSle->getFieldAmount(sfBalance).xrp();
 
    // balance should have already been checked in checkFee / preFlight.
    XRPL_ASSERT(
        balance != beast::zero && (!view().open() || balance >= fee),
        "ripple::Transactor::reset : valid balance");
 
    // We retry/reject the transaction if the account balance is zero or
    // we're applying against an open ledger and the balance is less than
    // the fee
    if (fee > balance)
        fee = balance;
 
    // Since we reset the context, we need to charge the fee and update
    // the account's sequence number (or consume the Ticket) again.
    //
    // If for some reason we are unable to consume the ticket or sequence
    // then the ledger is corrupted.  Rather than make things worse we
    // reject the transaction.
    payerSle->setFieldAmount(sfBalance, balance - fee);
    TER const ter{consumeSeqProxy(txnAcct)};
    XRPL_ASSERT(
        isTesSuccess(ter), "ripple::Transactor::reset : result is tesSUCCESS");
 
    if (isTesSuccess(ter))
    {
        view().update(txnAcct);
        if (payerSle != txnAcct)
            view().update(payerSle);
    }
 
    return {ter, fee};
}
 
// The sole purpose of this function is to provide a convenient, named
// location to set a breakpoint, to be used when replaying transactions.
void
Transactor::trapTransaction(uint256 txHash) const
{
    JLOG(j_.debug()) << "Transaction trapped: " << txHash;
}
 
//------------------------------------------------------------------------------
ApplyResult
Transactor::operator()()
{
    JLOG(j_.trace()) << "apply: " << ctx_.tx.getTransactionID();
 
    // raii classes for the current ledger rules.
    // fixUniversalNumber predate the rulesGuard and should be replaced.
    NumberSO stNumberSO{view().rules().enabled(fixUniversalNumber)};
    CurrentTransactionRulesGuard currentTransctionRulesGuard(view().rules());
 
#ifdef DEBUG
    {
        Serializer ser;
        ctx_.tx.add(ser);
        SerialIter sit(ser.slice());
        STTx s2(sit);
 
        if (!s2.isEquivalent(ctx_.tx))
        {
            // LCOV_EXCL_START
            JLOG(j_.fatal()) << "Transaction serdes mismatch";
            JLOG(j_.info()) << to_string(ctx_.tx.getJson(JsonOptions::none));
            JLOG(j_.fatal()) << s2.getJson(JsonOptions::none);
            UNREACHABLE(
                "ripple::Transactor::operator() : transaction serdes mismatch");
            // LCOV_EXCL_STOP
        }
    }
#endif
 
    if (auto const& trap = ctx_.app.trapTxID();
        trap && *trap == ctx_.tx.getTransactionID())
    {
        trapTransaction(*trap);
    }
 
    auto result = ctx_.preclaimResult;
    if (result == tesSUCCESS)
        result = apply();
 
    // No transaction can return temUNKNOWN from apply,
    // and it can't be passed in from a preclaim.
    XRPL_ASSERT(
        result != temUNKNOWN,
        "ripple::Transactor::operator() : result is not temUNKNOWN");
 
    if (auto stream = j_.trace())
        stream << "preclaim result: " << transToken(result);
 
    bool applied = isTesSuccess(result);
    auto fee = ctx_.tx.getFieldAmount(sfFee).xrp();
 
    if (ctx_.size() > oversizeMetaDataCap)
        result = tecOVERSIZE;
 
    if (isTecClaim(result) && (view().flags() & tapFAIL_HARD))
    {
        // If the tapFAIL_HARD flag is set, a tec result
        // must not do anything
        ctx_.discard();
        applied = false;
    }
    else if (
        (result == tecOVERSIZE) || (result == tecKILLED) ||
        (result == tecINCOMPLETE) || (result == tecEXPIRED) ||
        (isTecClaimHardFail(result, view().flags())))
    {
        JLOG(j_.trace()) << "reapplying because of " << transToken(result);
 
        // FIXME: This mechanism for doing work while returning a `tec` is
        //        awkward and very limiting. A more general purpose approach
        //        should be used, making it possible to do more useful work
        //        when transactions fail with a `tec` code.
        std::vector<uint256> removedOffers;
        std::vector<uint256> removedTrustLines;
        std::vector<uint256> expiredNFTokenOffers;
        std::vector<uint256> expiredCredentials;
 
        bool const doOffers =
            ((result == tecOVERSIZE) || (result == tecKILLED));
        bool const doLines = (result == tecINCOMPLETE);
        bool const doNFTokenOffers = (result == tecEXPIRED);
        bool const doCredentials = (result == tecEXPIRED);
        if (doOffers || doLines || doNFTokenOffers || doCredentials)
        {
            ctx_.visit([doOffers,
                        &removedOffers,
                        doLines,
                        &removedTrustLines,
                        doNFTokenOffers,
                        &expiredNFTokenOffers,
                        doCredentials,
                        &expiredCredentials](
                           uint256 const& index,
                           bool isDelete,
                           std::shared_ptr<SLE const> const& before,
                           std::shared_ptr<SLE const> const& after) {
                if (isDelete)
                {
                    XRPL_ASSERT(
                        before && after,
                        "ripple::Transactor::operator()::visit : non-null SLE "
                        "inputs");
                    if (doOffers && before && after &&
                        (before->getType() == ltOFFER) &&
                        (before->getFieldAmount(sfTakerPays) ==
                         after->getFieldAmount(sfTakerPays)))
                    {
                        // Removal of offer found or made unfunded
                        removedOffers.push_back(index);
                    }
 
                    if (doLines && before && after &&
                        (before->getType() == ltRIPPLE_STATE))
                    {
                        // Removal of obsolete AMM trust line
                        removedTrustLines.push_back(index);
                    }
 
                    if (doNFTokenOffers && before && after &&
                        (before->getType() == ltNFTOKEN_OFFER))
                        expiredNFTokenOffers.push_back(index);
 
                    if (doCredentials && before && after &&
                        (before->getType() == ltCREDENTIAL))
                        expiredCredentials.push_back(index);
                }
            });
        }
 
        // Reset the context, potentially adjusting the fee.
        {
            auto const resetResult = reset(fee);
            if (!isTesSuccess(resetResult.first))
                result = resetResult.first;
 
            fee = resetResult.second;
        }
 
        // If necessary, remove any offers found unfunded during processing
        if ((result == tecOVERSIZE) || (result == tecKILLED))
            removeUnfundedOffers(
                view(), removedOffers, ctx_.app.journal("View"));
 
        if (result == tecEXPIRED)
            removeExpiredNFTokenOffers(
                view(), expiredNFTokenOffers, ctx_.app.journal("View"));
 
        if (result == tecINCOMPLETE)
            removeDeletedTrustLines(
                view(), removedTrustLines, ctx_.app.journal("View"));
 
        if (result == tecEXPIRED)
            removeExpiredCredentials(
                view(), expiredCredentials, ctx_.app.journal("View"));
 
        applied = isTecClaim(result);
    }
 
    if (applied)
    {
        // Check invariants: if `tecINVARIANT_FAILED` is not returned, we can
        // proceed to apply the tx
        result = ctx_.checkInvariants(result, fee);
 
        if (result == tecINVARIANT_FAILED)
        {
            // if invariants checking failed again, reset the context and
            // attempt to only claim a fee.
            auto const resetResult = reset(fee);
            if (!isTesSuccess(resetResult.first))
                result = resetResult.first;
 
            fee = resetResult.second;
 
            // Check invariants again to ensure the fee claiming doesn't
            // violate invariants.
            if (isTesSuccess(result) || isTecClaim(result))
                result = ctx_.checkInvariants(result, fee);
        }
 
        // We ran through the invariant checker, which can, in some cases,
        // return a tef error code. Don't apply the transaction in that case.
        if (!isTecClaim(result) && !isTesSuccess(result))
            applied = false;
    }
 
    std::optional<TxMeta> metadata;
    if (applied)
    {
        // Transaction succeeded fully or (retries are not allowed and the
        // transaction could claim a fee)
 
        // The transactor and invariant checkers guarantee that this will
        // *never* trigger but if it, somehow, happens, don't allow a tx
        // that charges a negative fee.
        if (fee < beast::zero)
            Throw<std::logic_error>("fee charged is negative!");
 
        // Charge whatever fee they specified. The fee has already been
        // deducted from the balance of the account that issued the
        // transaction. We just need to account for it in the ledger
        // header.
        if (!view().open() && fee != beast::zero)
            ctx_.destroyXRP(fee);
 
        // Once we call apply, we will no longer be able to look at view()
        metadata = ctx_.apply(result);
    }
 
    if (ctx_.flags() & tapDRY_RUN)
    {
        applied = false;
    }
 
    JLOG(j_.trace()) << (applied ? "applied " : "not applied ")
                     << transToken(result);
 
    return {result, applied, metadata};
}
 
}  // namespace ripple