6 Parties and authority

Daml is designed for distributed applications involving mutually distrusting parties. In a well-constructed contract model, all parties have strong guarantees that nobody cheats or circumvents the rules laid out by templates and choices.

In this section you will learn about Daml’s authorization rules and how to develop contract models that give all parties the required guarantees. In particular, you’ll learn how to:

  • Pass authority from one contract to another
  • Write advanced choices
  • Reason through Daml’s Authorization model

Hint

Remember that you can load all the code for this section into a folder called 6_Parties by running daml new 6_Parties --template daml-intro-6

Preventing IOU revocation

The SimpleIou contract from 4 Transforming data using choices and 5 Adding constraints to a contract has one major problem: The contract is only signed by the issuer. The signatories are the parties with the power to create and archive contracts. If Alice gave Bob a SimpleIou for $100 in exchange for some goods, she could just archive it after receiving the goods. Bob would have a record of such actions, but would have to resort to off-ledger means to get his money back.

template SimpleIou
  with
    issuer : Party
    owner : Party
    cash : Cash
  where
    signatory issuer
simple_iou_test = do
  alice <- allocateParty "Alice"
  bob <- allocateParty "Bob"

  -- Alice and Bob enter into a trade.
  -- Alice transfers the payment as a SimpleIou.
  iou <- submit alice do
    createCmd SimpleIou with
      issuer = alice
      owner = bob
      cash = Cash with
        amount = 100.0
        currency = "USD"

  passTime (days 1)
  -- Bob delivers the goods.

  passTime (minutes 10)
  -- Alice just deletes the payment.
  submit alice do
    archiveCmd iou

For a party to have any guarantees that only those transformations specified in the choices are actually followed, they either need to be a signatory themselves, or trust one of the signatories to not agree to transactions that archive and re-create contracts in unexpected ways. To make the SimpleIou safe for Bob, you need to add him as a signatory.

template Iou
  with
    issuer : Party
    owner : Party
    cash : Cash
  where
    signatory issuer, owner

    controller owner can
      Transfer
        : ContractId Iou
        with
          newOwner : Party
        do
          assertMsg "newOwner cannot be equal to owner." (owner /= newOwner)
          create this with
            owner = newOwner

There’s a new problem here: There is no way for Alice to issue or transfer this Iou to Bob. To get an Iou with Bob’s signature as owner onto the ledger, his authority is needed.

iou_test = do
  alice <- allocateParty "Alice"
  bob <- allocateParty "Bob"

  -- Alice and Bob enter into a trade.
  -- Alice wants to give Bob an Iou, but she can't without Bob's authority.
  submitMustFail alice do
    createCmd Iou with
      issuer = alice
      owner = bob
      cash = Cash with
        amount = 100.0
        currency = "USD"

  -- She can issue herself an Iou.
  iou <- submit alice do
    createCmd Iou with
      issuer = alice
      owner = alice
      cash = Cash with
        amount = 100.0
        currency = "USD"

  -- However, she can't transfer it to Bob.
  submitMustFail alice do
    exerciseCmd iou Transfer with
      newOwner = bob

This may seem awkward, but notice that the ensure clause is gone from the Iou again. The above Iou can contain negative values so Bob should be glad that Alice cannot put his signature on any Iou.

You’ll now learn a couple of common ways of building issuance and transfer workflows for the above Iou, before diving into the authorization model in full.

Use propose-accept workflows for one-off authorization

If there is no standing relationship between Alice and Bob, Alice can propose the issuance of an Iou to Bob, giving him the choice to accept. You can do so by introducing a proposal contract IouProposal:

template IouProposal
  with
    iou : Iou
  where
    signatory iou.issuer

    controller iou.owner can
      IouProposal_Accept
        : ContractId Iou
        do
          create iou

Note how we have used the fact that templates are records here to store the Iou in a single field.

  iouProposal <- submit alice do
    createCmd IouProposal with
      iou = Iou with
        issuer = alice
        owner = bob
        cash = Cash with
          amount = 100.0
          currency = "USD"

  submit bob do
    exerciseCmd iouProposal IouProposal_Accept

The IouProposal contract carries the authorithy of iou.issuer by virtue of them being a signatory. By exercising the IouProposal_Accept choice, Bob adds his authority to that of Alice, which is why an Iou with both signatories can be created in the context of that choice.

The choice is called IouProposal_Accept, not Accept, because propose-accept patterns are very common. In fact, you’ll see another one just below. As each choice defines a record type, you cannot have two choices of the same name in scope. It’s a good idea to qualify choice names to ensure uniqueness.

The above solves issuance, but not transfers. You can solve transfers exactly the same way, though, by creating a TransferProposal:

template IouTransferProposal
  with
    iou : Iou
    newOwner : Party
  where
    signatory (signatory iou)

    controller iou.owner can
      IouTransferProposal_Cancel
        : ContractId Iou
        do
          create iou

    controller newOwner can
      IouTransferProposal_Reject
        : ContractId Iou
        do
          create iou

      IouTransferProposal_Accept
        : ContractId Iou
        do
          create iou with
            owner = newOwner

In addition to defining the signatories of a contract, signatory can also be used to extract the signatories from another contract. Instead of writing signatory (signatory iou), you could write signatory iou.issuer, iou.owner.

Note also how newOwner is given multiple choices using a single controller newOwner can block. The IouProposal had a single signatory so it could be cancelled easily by archiving it. Without a Cancel choice, the newOwner could abuse an open TransferProposal as an option. The triple Accept, Reject, Cancel is common to most proposal templates.

To allow an iou.owner to create such a proposal, you need to give them the choice to propose a transfer on the Iou contract. The choice looks just like the above Transfer choice, except that a IouTransferProposal is created instead of an Iou:

      ProposeTransfer
        : ContractId IouTransferProposal
        with
          newOwner : Party
        do
          assertMsg "newOwner cannot be equal to owner." (owner /= newOwner)
          create IouTransferProposal with
            iou = this
            newOwner

Bob can now transfer his Iou. The transfer workflow can even be used for issuance:

  charlie <- allocateParty "Charlie"

  -- Alice issues an Iou using a transfer proposal.
  tpab <- submit alice do
    createCmd IouTransferProposal with
      newOwner = bob
      iou = Iou with
        issuer = alice
        owner = alice
        cash = Cash with
          amount = 100.0
          currency = "USD"

  -- Bob accepts the transfer from Alice.
  iou2 <- submit bob do
    exerciseCmd tpab IouTransferProposal_Accept

  -- Bob offers Charlie a transfer.
  tpbc <- submit bob do
    exerciseCmd iou2 ProposeTransfer with
      newOwner = charlie

  -- Charlie accepts the transfer from Bob.
  submit charlie do
    exerciseCmd tpbc IouTransferProposal_Accept

Use role contracts for ongoing authorization

Many actions, like the issuance of assets or their transfer, can be pre-agreed. You can represent this succinctly in Daml through relationship or role contracts.

Jointly, an owner and newOwner can transfer an asset, as demonstrated in the script above. In 7 Composing choices, you will see how to compose the ProposeTransfer and IouTransferProposal_Accept choices into a single new choice, but for now, here is a different way. You can give them the joint right to transfer an IOU:

    choice Mutual_Transfer
      : ContractId Iou
      with
        newOwner : Party
      controller owner, newOwner
      do
        create this with
          owner = newOwner

Up to now, the controllers of choices were known from the current contract. Here, the newOwner variable is part of the choice arguments, not the Iou.

The above syntax is an alternative to controller c can, which allows for this. Such choices live outside any controller c can block. They declared using the choice keyword, and have an extra clause controller c, which takes the place of controller c can, and has access to the choice arguments.

This is also the first time we have shown a choice with more than one controller. If multiple controllers are specified, the authority of all the controllers is needed. Here, neither owner, nor newOwner can execute a transfer unilaterally, hence the name Mutual_Transfer.

template IouSender
  with
    sender : Party
    receiver : Party
  where
    signatory receiver

    controller sender can
      nonconsuming Send_Iou
        : ContractId Iou
        with
          iouCid : ContractId Iou
        do
          iou <- fetch iouCid
          assert (iou.cash.amount > 0.0)
          assert (sender == iou.owner)
          exercise iouCid Mutual_Transfer with
            newOwner = receiver

The above IouSender contract now gives one party, the sender the right to send Iou contracts with positive amounts to a receiver. The nonconsuming keyword on the choice Send_Iou changes the behaviour of the choice so that the contract it’s exercised on does not get archived when the choice is exercised. That way the sender can use the contract to send multiple Ious.

Here it is in action:

  -- Bob allows Alice to send him Ious.
  sab <- submit bob do
    createCmd IouSender with
      sender = alice
      receiver = bob

  -- Charlie allows Bob to send him Ious.
  sbc <- submit charlie do
    createCmd IouSender with
      sender = bob
      receiver = charlie

  -- Alice can now send the Iou she issued herself earlier.
  iou4 <- submit alice do
    exerciseCmd sab Send_Iou with
      iouCid = iou

  -- Bob sends it on to Charlie.
  submit bob do
    exerciseCmd sbc Send_Iou with
      iouCid = iou4

Daml’s authorization model

Hopefully, the above will have given you a good intuition for how authority is passed around in Daml. In this section you’ll learn about the formal authorization model to allow you to reason through your contract models. This will allow you to construct them in such a way that you don’t run into authorization errors at runtime, or, worse still, allow malicious transactions.

In Choices in the Ledger Model you learned that a transaction is, equivalently, a tree of transactions, or a forest of actions, where each transaction is a list of actions, and each action has a child-transaction called its consequences.

Each action has a set of required authorizers – the parties that must authorize that action – and each transaction has a set of authorizers – the parties that did actually authorize the transaction.

The authorization rule is that the required authorizers of every action are a subset of the authorizers of the parent transaction.

The required authorizers of actions are:

  • The required authorizers of an exercise action are the controllers on the corresponding choice. Remember that Archive and archive are just an implicit choice with the signatories as controllers.
  • The required authorizers of a create action are the signatories of the contract.
  • The required authorizers of a fetch action (which also includes fetchByKey) are somewhat dynamic and covered later.

The authorizers of transactions are:

  • The root transaction of a commit is authorized by the submitting party.
  • The consequences of an exercise action are authorized by the actors of that action plus the signatories of the contract on which the action was taken.

An authorization example

Consider the transaction from the script above where Bob sends an Iou to Charlie using a Send_Iou contract. It is authorized as follows, ignoring fetches:

  • Bob submits the transaction so he’s the authorizer on the root transaction.
  • The root transaction has a single action, which is to exercise Send_Iou on a IouSender contract with Bob as sender and Charlie as receiver. Since the controller of that choice is the sender, Bob is the required authorizer.
  • The consequences of the Send_Iou action are authorized by its actors, Bob, as well as signatories of the contract on which the action was taken. That’s Charlie in this case, so the consequences are authorized by both Bob and Charlie.
  • The consequences contain a single action, which is a Mutual_Transfer with Charlie as newOwner on an Iou with issuer Alice and owner Bob. The required authorizers of the action are the owner, Bob, and the newOwner, Charlie, which matches the parent’s authorizers.
  • The consequences of Mutual_Transfer are authorized by the actors (Bob and Charlie), as well as the signatories on the Iou (Alice and Bob).
  • The single action on the consequences, the creation of an Iou with issuer Alice and owner Charlie has required authorizers Alice and Charlie, which is a proper subset of the parent’s authorizers.

You can see the graph of this transaction in the transaction view of the IDE:

TX #12 1970-01-01T00:00:00Z (Parties:269:3)
#12:0
│   known to (since): 'Bob' (#12), 'Charlie' (#12)
└─> 'Bob' exercises Send_Iou on #10:0 (Parties:IouSender)
          with
            iouCid = #11:3
    children:
    #12:1
    │   known to (since): 'Bob' (#12), 'Charlie' (#12)
    └─> fetch #11:3 (Parties:Iou)

    #12:2
    │   known to (since): 'Bob' (#12), 'Alice' (#12), 'Charlie' (#12)
    └─> 'Bob', 'Charlie' exercises Mutual_Transfer on #11:3 (Parties:Iou)
                         with
                           newOwner = 'Charlie'
        children:
        #12:3
        │   known to (since): 'Charlie' (#12), 'Alice' (#12), 'Bob' (#12)
        └─> create Parties:Iou
            with
              issuer = 'Alice';
              owner = 'Charlie';
              cash =
                (Parties:Cash with
                   currency = "USD"; amount = 100.0)

Note that authority is not automatically transferred transitively.

template NonTransitive
  with
    partyA : Party
    partyB : Party
  where
    signatory partyA

    controller partyA can
      TryA
        : ContractId NonTransitive
        do
          create NonTransitive with
            partyA = partyB
            partyB = partyA

    controller partyB can
      TryB
        : ContractId NonTransitive
          with
            other : ContractId NonTransitive
        do
          exercise other TryA
  nt1 <- submit alice do
    createCmd NonTransitive with
      partyA = alice
      partyB = bob
  nt2 <- submit alice do
    createCmd NonTransitive with
      partyA = alice
      partyB = bob

  submitMustFail bob do
    exerciseCmd nt1 TryB with
      other = nt2

The consequences of TryB are authorized by both Alice and Bob, but the action TryA only has Alice as an actor and Alice is the only signatory on the contract.

Therefore, the consequences of TryA are only authorized by Alice. Bob’s authority is now missing to create the flipped NonTransitive so the transaction fails.

Next up

In 7 Composing choices you will put everything you have learned together to build a simple asset holding and trading model akin to that in the IOU Quickstart Tutorial. In that context you’ll learn a bit more about the Update action and how to use it to compose transactions, as well as about privacy on Daml ledgers.