使用不同签名者修改账户:Solana 中的权限控制

  • 0xE
  • 发布于 1天前
  • 阅读 203

本教程将展示如何在 Solana Anchor 中用不同签名者(Signer)初始化和更新账户,并探讨权限控制机制。

此前文章中,我们仅使用单一签名者初始化并修改账户,功能受限。现实场景中,如 Alice 向 Bob 转移积分,需允许 Alice 修改 Bob 创建的账户。本教程将展示如何在 Solana Anchor 中用不同签名者(Signer)初始化和更新账户,并探讨权限控制机制。

初始化账户

初始化账户的 Rust 代码保持不变,使用标准 Anchor 模式创建账户。

Rust 实现

use anchor_lang::prelude::*;
use std::mem::size_of;

declare_id!("26Kiu5LSV5xXDN3yGwE8L6aU59kKRKdyyKtSQv5Vu5VC");

#[program]
pub mod other_write {
    use super::*;

    pub fn initialize(ctx: Context<Initialize>) -> Result<()> {
        Ok(())
    }
}

#[derive(Accounts)]
pub struct Initialize<'info> {
    #[account(init,
              payer = signer,
              space=size_of::<MyStorage>() + 8,
              seeds = [],
              bump)]
    pub my_storage: Account<'info, MyStorage>,

    #[account(mut)]
    pub signer: Signer<'info>,

    pub system_program: Program<'info, System>,
}

#[account]
pub struct MyStorage {
    x: u64,
}

客户端调整

测试代码引入新签名者,需显式指定:

  • 创建 newKeypair 模拟新用户。
  • 空投 1 SOL 支付交易费用。
  • 显式传递 signer 公钥并配置 .signers()。

测试代码

import * as anchor from "@coral-xyz/anchor";
import { Program } from "@coral-xyz/anchor";
import { OtherWrite } from "../target/types/other_write";

// this airdrops sol to an address
async function airdropSol(publicKey, amount) {
  let airdropTx = await anchor.getProvider().connection.requestAirdrop(publicKey, amount);
  await confirmTransaction(airdropTx);
}

async function confirmTransaction(tx) {
  const latestBlockHash = await anchor.getProvider().connection.getLatestBlockhash();
  await anchor.getProvider().connection.confirmTransaction({
    blockhash: latestBlockHash.blockhash,
    lastValidBlockHeight: latestBlockHash.lastValidBlockHeight,
    signature: tx,
  });
}

describe("other_write", () => {
  anchor.setProvider(anchor.AnchorProvider.env());

  const program = anchor.workspace.OtherWrite as Program<OtherWrite>;

  it("Is initialized!", async () => {
    const newKeypair = anchor.web3.Keypair.generate();
    await airdropSol(newKeypair.publicKey, 1e9); // 1 SOL

    let seeds = [];
    const [myStorage, _bump] = anchor.web3.PublicKey.findProgramAddressSync(seeds, program.programId);

    await program.methods.initialize().accounts({
      myStorage: myStorage,
      signer: newKeypair.publicKey // ** THIS MUST BE EXPLICITLY SPECIFIED **
    }).signers([newKeypair]).rpc();
  });
});

为何两次指定签名者?

  • .accounts({ signer: ... }):指定账户结构中的 Signer 公钥,Anchor 验证其与交易签名匹配。
  • .signers([newKeypair]):提供私钥签名交易,默认签名者无需此步骤。

字段名可自定义(如 fren 替代 signer),只需 Rust 与客户端一致。

签名者验证机制

Anchor 的 Signer 类型

Signer<'info> 表示交易签名者,Anchor 自动验证其公钥与签名一致。若使用非默认签名者,需显式传递公钥,否则 Anchor 默认使用环境签名者(provider wallet)。

“未知签名者”错误

若签名与公钥不匹配,会触发错误:

  • 省略 .signers([newKeypair]):默认签名者与 newKeypair.publicKey 不符,导致 Missing signature。
  • 省略 signer: newKeypair.publicKey:Anchor 使用默认签名者,签名不匹配 newKeypair,报 unknown signer。

跨用户修改账户

以下程序展示 Alice 初始化账户,Bob 更新其值。

Rust 实现

use anchor_lang::prelude::*;
use std::mem::size_of;

declare_id!("26Kiu5LSV5xXDN3yGwE8L6aU59kKRKdyyKtSQv5Vu5VC");

#[program]
pub mod other_write {
    use super::*;

    pub fn initialize(ctx: Context&lt;Initialize>) -> Result&lt;()> {
        Ok(())
    }

    pub fn update_value(ctx: Context&lt;UpdateValue>, new_value: u64) -> Result&lt;()> {
        ctx.accounts.my_storage.x = new_value;
        Ok(())
    }
}

#[derive(Accounts)]
pub struct Initialize&lt;'info> {
    #[account(init,
              payer = fren,
              space=size_of::&lt;MyStorage>() + 8,
              seeds = [],
              bump)]
    pub my_storage: Account&lt;'info, MyStorage>,

    #[account(mut)]
    pub fren: Signer&lt;'info>, // A public key is passed here

    pub system_program: Program&lt;'info, System>,
}

#[derive(Accounts)]
pub struct UpdateValue&lt;'info> {
    #[account(mut, seeds = [], bump)]
    pub my_storage: Account&lt;'info, MyStorage>,

      // THIS FIELD MUST BE INCLUDED
    #[account(mut)]
    pub fren: Signer&lt;'info>,
}

#[account]
pub struct MyStorage {
    x: u64,
}

测试代码

import * as anchor from "@coral-xyz/anchor";
import { Program } from "@coral-xyz/anchor";
import { OtherWrite } from "../target/types/other_write";

// this airdrops sol to an address
async function airdropSol(publicKey, amount) {
  let airdropTx = await anchor.getProvider().connection.requestAirdrop(publicKey, amount);
  await confirmTransaction(airdropTx);
}

async function confirmTransaction(tx) {
  const latestBlockHash = await anchor.getProvider().connection.getLatestBlockhash();
  await anchor.getProvider().connection.confirmTransaction({
    blockhash: latestBlockHash.blockhash,
    lastValidBlockHeight: latestBlockHash.lastValidBlockHeight,
    signature: tx,
  });
}

describe("other_write", () => {
  // Configure the client to use the local cluster.
  anchor.setProvider(anchor.AnchorProvider.env());

  const program = anchor.workspace.OtherWrite as Program&lt;OtherWrite>;

  it("Is initialized!", async () => {
    const alice = anchor.web3.Keypair.generate();
    const bob = anchor.web3.Keypair.generate();

    const airdrop_alice_tx = await anchor.getProvider().connection.requestAirdrop(alice.publicKey, 1 * anchor.web3.LAMPORTS_PER_SOL);
    await confirmTransaction(airdrop_alice_tx);

    const airdrop_alice_bob = await anchor.getProvider().connection.requestAirdrop(bob.publicKey, 1 * anchor.web3.LAMPOINTS_PER_SOL);
    await confirmTransaction(airdrop_alice_bob);

    let seeds = [];
    const [myStorage, _bump] = anchor.web3.PublicKey.findProgramAddressSync(seeds, program.programId);

    // ALICE INITIALIZE ACCOUNT
    await program.methods.initialize().accounts({
      myStorage: myStorage,
      fren: alice.publicKey
    }).signers([alice]).rpc();

    // BOB WRITE TO ACCOUNT
    await program.methods.updateValue(new anchor.BN(3)).accounts({
      myStorage: myStorage,
      fren: bob.publicKey
    }).signers([bob]).rpc();

    let value = await program.account.myStorage.fetch(myStorage);
    console.log(`value stored is ${value.x}`);
  });
});

解析

  • Alice 创建账户,Bob 修改其 x 值。
  • 未限制写入权限,任何签名者均可更新。

限制账户写入权限

实际应用中,需控制谁可修改账户。以下通过积分系统示例实现权限管理。

积分系统设计

  • 每个账户初始化 10 个积分。
  • 仅“授权者”(authority)可扣除自身积分并转移给他人。

Rust 实现

use anchor_lang::prelude::*;
use std::mem::size_of;

declare_id!("At8wSp7MnVm39m1zMUNYskn4DjqwsEsxZnMXARjycKBU");

const STARTING_POINTS: u32 = 10;

#[program]
pub mod points {
    use super::*;

    pub fn initialize(ctx: Context&lt;Initialize>) -> Result&lt;()> {
        ctx.accounts.player.points = STARTING_POINTS;
        ctx.accounts.player.authority = ctx.accounts.signer.key();
        Ok(())
    }

    pub fn transfer_points(ctx: Context&lt;TransferPoints>, amount: u32) -> Result&lt;()> {
        require!(ctx.accounts.from.authority == ctx.accounts.signer.key(), Errors::SignerIsNotAuthority);
        require!(ctx.accounts.from.points >= amount, Errors::InsufficientPoints);

        ctx.accounts.from.points -= amount;
        ctx.accounts.to.points += amount;
        Ok(())
    }
}

#[error_code]
pub enum Errors {
    #[msg("SignerIsNotAuthority")]
    SignerIsNotAuthority,
    #[msg("InsufficientPoints")]
    InsufficientPoints
}

#[derive(Accounts)]
pub struct Initialize&lt;'info> {
    #[account(init,
              payer = signer,
              space = size_of::&lt;Player>() + 8,
              seeds = [&(signer.as_ref().key().to_bytes())],
              bump)]
    player: Account&lt;'info, Player>,
    #[account(mut)]
    signer: Signer&lt;'info>,
    system_program: Program&lt;'info, System>,
}

#[derive(Accounts)]
pub struct TransferPoints&lt;'info> {
    #[account(mut)]
    from: Account&lt;'info, Player>,
    #[account(mut)]
    to: Account&lt;'info, Player>,
    #[account(mut)]
    signer: Signer&lt;'info>,
}

#[account]
pub struct Player {
    points: u32,
    authority: Pubkey
}

测试代码

import * as anchor from "@coral-xyz/anchor";
import { Program } from "@coral-xyz/anchor";
import { Points } from "../target/types/points";

// this airdrops sol to an address
async function airdropSol(publicKey, amount) {
  let airdropTx = await anchor.getProvider().connection.requestAirdrop(publicKey, amount);
  await confirmTransaction(airdropTx);
}

async function confirmTransaction(tx) {
  const latestBlockHash = await anchor.getProvider().connection.getLatestBlockhash();
  await anchor.getProvider().connection.confirmTransaction({
    blockhash: latestBlockHash.blockhash,
    lastValidBlockHeight: latestBlockHash.lastValidBlockHeight,
    signature: tx,
  });
}

describe("points", () => {
  anchor.setProvider(anchor.AnchorProvider.env());
  const program = anchor.workspace.Points as Program&lt;Points>;

  it("Alice transfers points to Bob", async () => {
    const alice = anchor.web3.Keypair.generate();
    const bob = anchor.web3.Keypair.generate();

    const airdrop_alice_tx = await anchor.getProvider().connection.requestAirdrop(alice.publicKey, 1 * anchor.web3.LAMPORTS_PER_SOL);
    await confirmTransaction(airdrop_alice_tx);

    const airdrop_alice_bob = await anchor.getProvider().connection.requestAirdrop(bob.publicKey, 1 * anchor.web3.LAMPORTS_PER_SOL);
    await confirmTransaction(airdrop_alice_bob);

    let seeds_alice = [alice.publicKey.toBytes()];
    const [playerAlice, _bumpA] = anchor.web3.PublicKey.findProgramAddressSync(seeds_alice, program.programId);

    let seeds_bob = [bob.publicKey.toBytes()];
    const [playerBob, _bumpB] = anchor.web3.PublicKey.findProgramAddressSync(seeds_bob, program.programId);

    // Alice and Bob initialize their accounts
    await program.methods.initialize().accounts({
      player: playerAlice,
      signer: alice.publicKey,
    }).signers([alice]).rpc();

    await program.methods.initialize().accounts({
      player: playerBob,
      signer: bob.publicKey,
    }).signers([bob]).rpc();

    // Alice transfers 5 points to Bob. Note that this is a u32
    // so we don't need a BigNum
    await program.methods.transferPoints(5).accounts({
      from: playerAlice,
      to: playerBob,
      signer: alice.publicKey,
    }).signers([alice]).rpc();

    console.log(`Alice has ${(await program.account.player.fetch(playerAlice)).points} points`);
    console.log(`Bob has ${(await program.account.player.fetch(playerBob)).points} points`)
  });
});

设计解析

  • 账户地址:通过 seeds 以签名者公钥派生,确保唯一性,类似 Solidity mapping(address => uint)。
  • 权限控制:require! 验证签名者是 from 的 authority,防止未经授权扣款。
  • 与 Solidity 对比:类似 onlyOwner,但作用于账户而非合约。

优化:Anchor 约束

has_one 约束

替代 require!(authority == signer),用 has_one 验证字段匹配:

#[derive(Accounts)]
pub struct TransferPoints&lt;'info> {
    #[account(mut, has_one = authority @ Errors::SignerIsNotAuthority)]
    from: Account&lt;'info, Player>,
    #[account(mut)]
    to: Account&lt;'info, Player>,
    authority: Signer&lt;'info>,
}

#[account]
pub struct Player {
    points: u32,
    authority: Pubkey
}
  • 要求:字段名需一致(如 authority)。
  • 效果:若签名者公钥与 from.authority 不符,交易失败。

constraint 约束

替代积分检查:

#[derive(Accounts)]
#[instruction(amount: u32)]
pub struct TransferPoints&lt;'info> {
    #[account(mut,
              has_one = authority @ Errors::SignerIsNotAuthority,
              constraint = from.points >= amount @ Errors::InsufficientPoints)]
    from: Account&lt;'info, Player>,
    #[account(mut)]
    to: Account&lt;'info, Player>,
    authority: Signer&lt;'info>,
}
  • #[instruction(amount)]:使 amount 在约束中可见。
  • 自定义错误:使用 @ 添加错误消息,提升可读性。

【笔记配套代码】 https://github.com/0xE1337/rareskills_evm_to_solana 【参考资料】 https://learnblockchain.cn/column/119 https://www.rareskills.io/solana-tutorial

点赞 0
收藏 0
分享
本文参与登链社区写作激励计划 ,好文好收益,欢迎正在阅读的你也加入。
该文章收录于 Solana 学习开发之旅
13 订阅 35 篇文章

0 条评论

请先 登录 后评论
0xE
0xE
0x59f6...a17e
17年进入币圈,Web3 开发者。刨根问底探链上真相,品味坎坷悟 Web3 人生。

0xE

如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!