smartcontract: add changelog entry for mgroup allowlist PDAs

martinsander00 · martinsander00 · commit d0c573c7b76a · 2026-02-09T13:28:00.000-06:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,6 +27,7 @@ All notable changes to this project will be documented in this file.
   - Record successful GetConfig gRPC calls to ClickHouse for device telemetry tracking
 - Onchain programs
   - Enforce that `CloseAccessPass` only closes AccessPass accounts when `connection_count == 0`, preventing closure while active connections are present.
+  - Move multicast group allowlists from unbounded vecs in AccessPass to dedicated `MGroupAllowlistEntry` PDAs, with self-migration on subscribe
 - Monitor
   - Add sol-balance watcher to track SOL balances for configured accounts and export Prometheus metrics for alerting
 - E2E tests
diff --git a/smartcontract/programs/doublezero-serviceability/src/processors/multicastgroup/allowlist/publisher/add.rs b/smartcontract/programs/doublezero-serviceability/src/processors/multicastgroup/allowlist/publisher/add.rs
@@ -84,7 +84,6 @@ pub fn process_add_multicastgroup_pub_allowlist(
         return Err(DoubleZeroError::NotAllowed.into());
     }
 
-    // Create AccessPass if it doesn't exist (with empty allowlist vecs)
     if accesspass_account.data_is_empty() {
         let (expected_pda_account, bump_seed) =
             get_accesspass_pda(program_id, &value.client_ip, &value.user_payer);
@@ -128,7 +127,6 @@ pub fn process_add_multicastgroup_pub_allowlist(
         );
     }
 
-    // Create the MGroupAllowlistEntry PDA (skip if already exists)
     if mgroup_al_entry_account.data_is_empty() {
         let (expected_pda, bump_seed) = get_mgroup_allowlist_entry_pda(
             program_id,
diff --git a/smartcontract/programs/doublezero-serviceability/src/processors/multicastgroup/allowlist/subscriber/add.rs b/smartcontract/programs/doublezero-serviceability/src/processors/multicastgroup/allowlist/subscriber/add.rs
@@ -85,7 +85,6 @@ pub fn process_add_multicastgroup_sub_allowlist(
         return Err(DoubleZeroError::NotAllowed.into());
     }
 
-    // Create AccessPass if it doesn't exist (with empty allowlist vecs)
     if accesspass_account.data_is_empty() {
         let (expected_pda_account, bump_seed) =
             get_accesspass_pda(program_id, &value.client_ip, &value.user_payer);
@@ -129,7 +128,6 @@ pub fn process_add_multicastgroup_sub_allowlist(
         );
     }
 
-    // Create the MGroupAllowlistEntry PDA (skip if already exists)
     if mgroup_al_entry_account.data_is_empty() {
         let (expected_pda, bump_seed) = get_mgroup_allowlist_entry_pda(
             program_id,
diff --git a/smartcontract/programs/doublezero-serviceability/src/processors/multicastgroup/subscribe.rs b/smartcontract/programs/doublezero-serviceability/src/processors/multicastgroup/subscribe.rs
@@ -22,6 +22,65 @@ use solana_program::{
     pubkey::Pubkey,
 };
 use std::{fmt, net::Ipv4Addr};
+
+/// Check if an access pass is allowed for a multicast group (PDA-first with Vec fallback + self-migration).
+/// Returns true if the Vec was modified and the access pass needs to be written back.
+#[allow(clippy::too_many_arguments)]
+pub(crate) fn check_and_migrate_allowlist<'a>(
+    program_id: &Pubkey,
+    accesspass_account: &AccountInfo<'a>,
+    mgroup_account: &AccountInfo<'a>,
+    al_entry_account: &AccountInfo<'a>,
+    payer_account: &AccountInfo<'a>,
+    system_program: &AccountInfo<'a>,
+    allowlist_type: MGroupAllowlistType,
+    allowlist_vec: &mut Vec<Pubkey>,
+) -> Result<bool, solana_program::program_error::ProgramError> {
+    let (expected_pda, bump) = get_mgroup_allowlist_entry_pda(
+        program_id,
+        accesspass_account.key,
+        mgroup_account.key,
+        allowlist_type as u8,
+    );
+    if is_valid_mgroup_allowlist_entry(al_entry_account, &expected_pda, program_id) {
+        // PDA exists -> allowed (fast path)
+        Ok(false)
+    } else if allowlist_vec.contains(mgroup_account.key) {
+        // Found in Vec -> self-migrate: create PDA + swap_remove from Vec
+        assert_eq!(
+            al_entry_account.key, &expected_pda,
+            "Invalid MGroupAllowlistEntry PDA for {:?}",
+            allowlist_type
+        );
+        let al_entry = MGroupAllowlistEntry {
+            account_type: AccountType::MGroupAllowlistEntry,
+            bump_seed: bump,
+            allowlist_type,
+        };
+        try_acc_create(
+            &al_entry,
+            al_entry_account,
+            payer_account,
+            system_program,
+            program_id,
+            &[
+                SEED_PREFIX,
+                SEED_MGROUP_ALLOWLIST,
+                &accesspass_account.key.to_bytes(),
+                &mgroup_account.key.to_bytes(),
+                &[allowlist_type as u8],
+                &[bump],
+            ],
+        )?;
+        if let Some(pos) = allowlist_vec.iter().position(|k| k == mgroup_account.key) {
+            allowlist_vec.swap_remove(pos);
+        }
+        Ok(true)
+    } else {
+        Err(DoubleZeroError::NotAllowed.into())
+    }
+}
+
 #[derive(BorshSerialize, BorshDeserializeIncremental, PartialEq, Clone)]
 pub struct MulticastGroupSubscribeArgs {
     #[incremental(default = Ipv4Addr::UNSPECIFIED)]
@@ -126,100 +185,34 @@ pub fn process_subscribe_multicastgroup(
     // Check if the user is in the allowlist (PDA-first with Vec fallback + self-migration)
     let mut accesspass_modified = false;
     if value.publisher {
-        let (expected_pda, bump) = get_mgroup_allowlist_entry_pda(
+        accesspass_modified |= check_and_migrate_allowlist(
             program_id,
-            accesspass_account.key,
-            mgroup_account.key,
-            MGroupAllowlistType::Publisher as u8,
-        );
-        if is_valid_mgroup_allowlist_entry(mgroup_pub_al_entry, &expected_pda, program_id) {
-            // PDA exists -> allowed (fast path)
-        } else if accesspass.mgroup_pub_allowlist.contains(mgroup_account.key) {
-            // Found in Vec -> self-migrate: create PDA + swap_remove from Vec
-            assert_eq!(
-                mgroup_pub_al_entry.key, &expected_pda,
-                "Invalid MGroupAllowlistEntry PDA for publisher"
-            );
-            let al_entry = MGroupAllowlistEntry {
-                account_type: AccountType::MGroupAllowlistEntry,
-                bump_seed: bump,
-                allowlist_type: MGroupAllowlistType::Publisher,
-            };
-            try_acc_create(
-                &al_entry,
-                mgroup_pub_al_entry,
-                payer_account,
-                system_program,
-                program_id,
-                &[
-                    SEED_PREFIX,
-                    SEED_MGROUP_ALLOWLIST,
-                    &accesspass_account.key.to_bytes(),
-                    &mgroup_account.key.to_bytes(),
-                    &[MGroupAllowlistType::Publisher as u8],
-                    &[bump],
-                ],
-            )?;
-            if let Some(pos) = accesspass
-                .mgroup_pub_allowlist
-                .iter()
-                .position(|k| k == mgroup_account.key)
-            {
-                accesspass.mgroup_pub_allowlist.swap_remove(pos);
-                accesspass_modified = true;
-            }
-        } else {
+            accesspass_account,
+            mgroup_account,
+            mgroup_pub_al_entry,
+            payer_account,
+            system_program,
+            MGroupAllowlistType::Publisher,
+            &mut accesspass.mgroup_pub_allowlist,
+        )
+        .inspect_err(|_| {
             msg!("{:?}", accesspass);
-            return Err(DoubleZeroError::NotAllowed.into());
-        }
+        })?;
     }
     if value.subscriber {
-        let (expected_pda, bump) = get_mgroup_allowlist_entry_pda(
+        accesspass_modified |= check_and_migrate_allowlist(
             program_id,
-            accesspass_account.key,
-            mgroup_account.key,
-            MGroupAllowlistType::Subscriber as u8,
-        );
-        if is_valid_mgroup_allowlist_entry(mgroup_sub_al_entry, &expected_pda, program_id) {
-            // PDA exists -> allowed (fast path)
-        } else if accesspass.mgroup_sub_allowlist.contains(mgroup_account.key) {
-            // Found in Vec -> self-migrate: create PDA + swap_remove from Vec
-            assert_eq!(
-                mgroup_sub_al_entry.key, &expected_pda,
-                "Invalid MGroupAllowlistEntry PDA for subscriber"
-            );
-            let al_entry = MGroupAllowlistEntry {
-                account_type: AccountType::MGroupAllowlistEntry,
-                bump_seed: bump,
-                allowlist_type: MGroupAllowlistType::Subscriber,
-            };
-            try_acc_create(
-                &al_entry,
-                mgroup_sub_al_entry,
-                payer_account,
-                system_program,
-                program_id,
-                &[
-                    SEED_PREFIX,
-                    SEED_MGROUP_ALLOWLIST,
-                    &accesspass_account.key.to_bytes(),
-                    &mgroup_account.key.to_bytes(),
-                    &[MGroupAllowlistType::Subscriber as u8],
-                    &[bump],
-                ],
-            )?;
-            if let Some(pos) = accesspass
-                .mgroup_sub_allowlist
-                .iter()
-                .position(|k| k == mgroup_account.key)
-            {
-                accesspass.mgroup_sub_allowlist.swap_remove(pos);
-                accesspass_modified = true;
-            }
-        } else {
+            accesspass_account,
+            mgroup_account,
+            mgroup_sub_al_entry,
+            payer_account,
+            system_program,
+            MGroupAllowlistType::Subscriber,
+            &mut accesspass.mgroup_sub_allowlist,
+        )
+        .inspect_err(|_| {
             msg!("{:?}", accesspass);
-            return Err(DoubleZeroError::NotAllowed.into());
-        }
+        })?;
     }
 
     // Write back the accesspass if we migrated entries from Vec to PDA
diff --git a/smartcontract/programs/doublezero-serviceability/src/processors/user/create_subscribe.rs b/smartcontract/programs/doublezero-serviceability/src/processors/user/create_subscribe.rs
@@ -1,16 +1,15 @@
 use crate::{
     error::DoubleZeroError,
-    pda::{get_accesspass_pda, get_mgroup_allowlist_entry_pda, get_user_old_pda, get_user_pda},
-    seeds::{SEED_MGROUP_ALLOWLIST, SEED_PREFIX, SEED_USER},
+    pda::{get_accesspass_pda, get_user_old_pda, get_user_pda},
+    processors::multicastgroup::subscribe::check_and_migrate_allowlist,
+    seeds::{SEED_PREFIX, SEED_USER},
     serializer::{try_acc_create, try_acc_write},
     state::{
         accesspass::{AccessPass, AccessPassStatus, AccessPassType},
         accounttype::AccountType,
         device::{Device, DeviceStatus},
         globalstate::GlobalState,
-        mgroup_allowlist_entry::{
-            is_valid_mgroup_allowlist_entry, MGroupAllowlistEntry, MGroupAllowlistType,
-        },
+        mgroup_allowlist_entry::MGroupAllowlistType,
         multicastgroup::{MulticastGroup, MulticastGroupStatus},
         user::*,
     },
@@ -188,98 +187,34 @@ pub fn process_create_subscribe_user(
 
     // Check if the user is in the allowlist (PDA-first with Vec fallback + self-migration)
     if value.publisher {
-        let (expected_pda, bump) = get_mgroup_allowlist_entry_pda(
+        check_and_migrate_allowlist(
             program_id,
-            accesspass_account.key,
-            mgroup_account.key,
-            MGroupAllowlistType::Publisher as u8,
-        );
-        if is_valid_mgroup_allowlist_entry(mgroup_pub_al_entry, &expected_pda, program_id) {
-            // PDA exists -> allowed (fast path)
-        } else if accesspass.mgroup_pub_allowlist.contains(mgroup_account.key) {
-            // Found in Vec -> self-migrate: create PDA + swap_remove from Vec
-            assert_eq!(
-                mgroup_pub_al_entry.key, &expected_pda,
-                "Invalid MGroupAllowlistEntry PDA for publisher"
-            );
-            let al_entry = MGroupAllowlistEntry {
-                account_type: AccountType::MGroupAllowlistEntry,
-                bump_seed: bump,
-                allowlist_type: MGroupAllowlistType::Publisher,
-            };
-            try_acc_create(
-                &al_entry,
-                mgroup_pub_al_entry,
-                payer_account,
-                system_program,
-                program_id,
-                &[
-                    SEED_PREFIX,
-                    SEED_MGROUP_ALLOWLIST,
-                    &accesspass_account.key.to_bytes(),
-                    &mgroup_account.key.to_bytes(),
-                    &[MGroupAllowlistType::Publisher as u8],
-                    &[bump],
-                ],
-            )?;
-            if let Some(pos) = accesspass
-                .mgroup_pub_allowlist
-                .iter()
-                .position(|k| k == mgroup_account.key)
-            {
-                accesspass.mgroup_pub_allowlist.swap_remove(pos);
-            }
-        } else {
+            accesspass_account,
+            mgroup_account,
+            mgroup_pub_al_entry,
+            payer_account,
+            system_program,
+            MGroupAllowlistType::Publisher,
+            &mut accesspass.mgroup_pub_allowlist,
+        )
+        .inspect_err(|_| {
             msg!("{} -> {:?}", accesspass_account.key, accesspass);
-            return Err(DoubleZeroError::NotAllowed.into());
-        }
+        })?;
     }
     if value.subscriber {
-        let (expected_pda, bump) = get_mgroup_allowlist_entry_pda(
+        check_and_migrate_allowlist(
             program_id,
-            accesspass_account.key,
-            mgroup_account.key,
-            MGroupAllowlistType::Subscriber as u8,
-        );
-        if is_valid_mgroup_allowlist_entry(mgroup_sub_al_entry, &expected_pda, program_id) {
-            // PDA exists -> allowed (fast path)
-        } else if accesspass.mgroup_sub_allowlist.contains(mgroup_account.key) {
-            // Found in Vec -> self-migrate: create PDA + swap_remove from Vec
-            assert_eq!(
-                mgroup_sub_al_entry.key, &expected_pda,
-                "Invalid MGroupAllowlistEntry PDA for subscriber"
-            );
-            let al_entry = MGroupAllowlistEntry {
-                account_type: AccountType::MGroupAllowlistEntry,
-                bump_seed: bump,
-                allowlist_type: MGroupAllowlistType::Subscriber,
-            };
-            try_acc_create(
-                &al_entry,
-                mgroup_sub_al_entry,
-                payer_account,
-                system_program,
-                program_id,
-                &[
-                    SEED_PREFIX,
-                    SEED_MGROUP_ALLOWLIST,
-                    &accesspass_account.key.to_bytes(),
-                    &mgroup_account.key.to_bytes(),
-                    &[MGroupAllowlistType::Subscriber as u8],
-                    &[bump],
-                ],
-            )?;
-            if let Some(pos) = accesspass
-                .mgroup_sub_allowlist
-                .iter()
-                .position(|k| k == mgroup_account.key)
-            {
-                accesspass.mgroup_sub_allowlist.swap_remove(pos);
-            }
-        } else {
+            accesspass_account,
+            mgroup_account,
+            mgroup_sub_al_entry,
+            payer_account,
+            system_program,
+            MGroupAllowlistType::Subscriber,
+            &mut accesspass.mgroup_sub_allowlist,
+        )
+        .inspect_err(|_| {
             msg!("{} -> {:?}", accesspass_account.key, accesspass);
-            return Err(DoubleZeroError::NotAllowed.into());
-        }
+        })?;
     }
 
     let mut device = Device::try_from(device_account)?;

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,6 @@ pub fn process_add_multicastgroup_pub_allowlist(`
`84`	`84`	`return Err(DoubleZeroError::NotAllowed.into());`
`85`	`85`	`}`
`86`	`86`
`87`		`- // Create AccessPass if it doesn't exist (with empty allowlist vecs)`
`88`	`87`	`if accesspass_account.data_is_empty() {`
`89`	`88`	`let (expected_pda_account, bump_seed) =`
`90`	`89`	`get_accesspass_pda(program_id, &value.client_ip, &value.user_payer);`
`@@ -128,7 +127,6 @@ pub fn process_add_multicastgroup_pub_allowlist(`
`128`	`127`	`);`
`129`	`128`	`}`
`130`	`129`
`131`		`- // Create the MGroupAllowlistEntry PDA (skip if already exists)`
`132`	`130`	`if mgroup_al_entry_account.data_is_empty() {`
`133`	`131`	`let (expected_pda, bump_seed) = get_mgroup_allowlist_entry_pda(`
`134`	`132`	`program_id,`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,6 @@ pub fn process_add_multicastgroup_sub_allowlist(`
`85`	`85`	`return Err(DoubleZeroError::NotAllowed.into());`
`86`	`86`	`}`
`87`	`87`
`88`		`- // Create AccessPass if it doesn't exist (with empty allowlist vecs)`
`89`	`88`	`if accesspass_account.data_is_empty() {`
`90`	`89`	`let (expected_pda_account, bump_seed) =`
`91`	`90`	`get_accesspass_pda(program_id, &value.client_ip, &value.user_payer);`
`@@ -129,7 +128,6 @@ pub fn process_add_multicastgroup_sub_allowlist(`
`129`	`128`	`);`
`130`	`129`	`}`
`131`	`130`
`132`		`- // Create the MGroupAllowlistEntry PDA (skip if already exists)`
`133`	`131`	`if mgroup_al_entry_account.data_is_empty() {`
`134`	`132`	`let (expected_pda, bump_seed) = get_mgroup_allowlist_entry_pda(`
`135`	`133`	`program_id,`