How do you upgrade NEAR smart contracts? - nearprotocol

If I've deployed a smart contract on NEAR, how do I upgrade it to a new version? How can I tell if an existing smart contract can still be upgraded or has been frozen?

In addition to the answer Erik already provided, I want to mention that even when there is no full-access keys on the account, the contract code can be re-deployed by the contract implementation itself (obviously, it should have a built-in support for that). You may also want to combine that with DAO to make the upgrade process backed by a voting process.

Upgrading is done with access keys. If you want to be upgrading, you keep a full access key to the account, which allows you to deploy or delete/recreate/deploy.
Anyone can view the upgradeability of a contract (eg whether it can still be changed by the original owner) by viewing its keys to make sure that all full access keys have been removed using:
NEAR_ENV=mainnet near keys contract_name.near

Related

Is a Apple Provisioning Profile a private/secret file?

I just created a *.provisionprofile through the Apple developer portal and I am not sure if I can add this to my Git repo. The documentation refers to this at multiple locations, but I am unable to find further information if this file is something that can be shared.
Is this a file that contains private information?
Private, at least to the general public. You'd need to deploy it in your team's CI so your team would be able to see it too, but there's no risk of them getting access to your account with it. There's also the risk of others using it to generate a malicious copy of your app, but actually deploying it to a device requires more workaround. They can't just push it to App Store without breaking into your account, at which point they could just generate a new profile.

Debugging permission denied in Cloud Firestore SDK (Golang)

I am experienced in working with AWS but this is my first foray onto Google cloud and I am stuck on how to debug it properly. I am building a simple experimental setup, using Cloud Firestore to store some data and planning to do some small API functions to query it.
I am inputting my information from a Go app, which I built using the official SDK for Go. Everything builds fine, but when I run it I see nothing other than rpc error: code = PermissionDenied desc = Missing or insufficient permissions..
I have tried setting the authentication to open in the Firestore rules console (allow read, write: if true), but I still see the same error, so it seems to be an issue with the credentials I have generated rather than Firestore itself.
The credentials in question were generated in the main Google Cloud Console, under Service Accounts. I've saved it out as a JSON file and am loading this into the app via option.WithCredentialsFile() which is then passed into the NewFirestoreWriter() constructor.
It's far from obvious, to me at least, exactly how to configure the permissions on the Service Account as it seems to work quite differently from Amazon IAM. I was expecting to find a way to add on specific actions related to Firestore but I can't find anything at all like that once the service account is created. Under Permissions, it looks like I can associate other accounts with the service account, which seems to be the other way around to what I want to do. Or do I need to assume another identity once I have the service account in order to do anything, a la Amazon STS? Or am I barking up the wrong tree here?
I am running locally while I am playing with the apps, planning to think about deployment later.
I guess my questions are:
Should I be using a different form of credential when making programmatic writes to Firestore?
What permissions need to be on the credential that I am using?
How do the Google Service Account permissions interact with the Firestore access rules, or are they completely separate?
Thanks in advance for your help.
I finally worked out the answer. Turns out I was reading some of the screens too fast....
The programmatic approach with the credential was fine, but the service account setup was not.
In case anyone else has a similar issue, the fix was to:
Go to "Access" under IAM (NOT identity). Coming from AWS this confused me a little because I was expecting roles to be a sublevel to identity rather than a seperate level
Click the Edit button next to the service account
Add the Cloud Datastore User and Cloud Datastore Owner roles (I'll work on trimming down permissions now it's working!). This confused me particularly because I was looking for "Firestore" or "Cloud Firestore", and there is the very similarly named "Cloud Filestore" which tripped me up.
After a few seconds, it started working.
According to https://cloud.google.com/firestore/docs/reference/libraries?_ga=2.87049368.-1865513281.1592929406#server_client_libraries,
In this environment, requests are not evaluated against your Firestore security rules
So I reset my access permissions in Firebase back to allow read, write: if false.

Bad experience with NEAR Protocol development tools [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
During Blockchain Hackathon Kyiv 2020 we picked NEAR Protocol challenge and found several issues.
Accound and account keys are created in web wallet. Then you should run "near login" command at your server which should launch curl to web wallet and authorize near-cli app for accessing keys. However in our case keys weren't imported into server deployed at Digital Ocean with Ubuntu 20.0.4 and accessed via console. Near Discord channel didn't responded to our questions at all. Telegram devs chat support guys didn't helped much, their last offer was "copy keys from localstorage to json file and put into your server .near-credentials folder"
But after all - and that was amazing - a new key created at those remote machine with near addkey command - was added to those accoundID which was not authorized to use app!!! :D
enter image description here
https://examples.near.org/ - GITPOD links doesn't properly configured, not working with errors
https://gitpod.io/#https://github.com/near-examples/token-contract-as
https://gitpod.io/#https://github.com/near-examples/wallet-example
Excited that you chose to build on NEAR, but disheartened to hear about your subpar experience. NEAR is currently growing at an exponential rate and engineering resources certainly can be limited at times.
Unfortunately, if you created your NEAR account on a different machine than the one you want to store the credentials for that account on, running near login won't work. You could get around this by copying your private key from your browser's local storage to the remote machine's browser's local storage, then running near login on that machine but thats a little more work than what’s necessary. The easier, more straightforward path, would be to run near login on your local machine (the one that created the NEAR account) and copy the newly created .json file located in ~/.near-credentials to the target machine. I think that’s what the devs on Telegram you chatted with were referring to. Currently, that would be the easiest solution to that issue.
But after all - and that was amazing - a new key created at those remote machine with near addkey command - was added to those accoundID which was not authorized to use app!!! :D
Could you clarify what exactly happened here and how you performed this action? You should not be able to add a full access key to an account without an existing full access key.
Also, thank you for raising our attention to the two broken GitPod examples. There have been several updates recently to the near-sdk-as dependency these two projects rely on, and looks like something broke. I will make sure this is resolved ASAP!
Please let me know if you have any other questions, comments, or suggestions, and thank you so much for bearing with us as we continue to enhance our platform and developer tooling.
Near Discord channel didn't responded to our questions at all. Telegram devs chat support guys didn't helped much, their last offer was "copy keys from localstorage to json file and put into your server .near-credentials folder"
I would like to point out that there is no paid service with 24/7 support. People have their weekends to spend with their family and friends.
But after all - and that was amazing - a new key created at those remote machine with near addkey command - was added to those accoundID which was not authorized to use app!!!
Which key are you talking about? The 3 keys you have on the screenshot were sequentially used to sign the next transaction adding the new key:
ETQeNJrRiqbcuqJyrfDTh1EYAUAetXZsnuuiEH8T6mnc transaction created the account with ed25519:HBi7mgC... key.
8heaysv121qhFjktwRm9ftF4jA7dgcYRHvKkcCnhXFVT transaction signed with ed25519:HBi7mgC... key (added in (1)) adds a new ed25519:DmNJSxx... full-access key.
DUp8VJ9aoUyC6r8ira6udpgHYxsKJWi3LXkxxn5btLW2 transaction signed with ed25519:DmNJSxx... key (added in (2)) adds a new ed25519:DoMh6uC... full-access key.

Is it possible to upgrade Registry smart contract?

I am using https://yos.io/2018/10/28/upgrading-solidity-smart-contracts/ link for upgrading smart contracts which have listed Smart Contract Upgrade Mechanisms.
Is it possible to make change itself in registry smart contract and upgrade it.
The purpose of a registry contract is to store a mutable reference to the latest versions of your smart contract modules. It serves as a first point of access for your decentralized application.
So there are two options if you want to upgrade a registry contract:
have another (fixed) registry contract pointing to your (dynamic) registry contract
update the reference to your registry contract in all places that use it (i.e. the frontend application)
I hope this answers your question.

What affect on our applications will changing the Heroku API Key have?

Our organization has a number of Rails applications (websites) deployed to Heroku. A former devleoper has left the organization, and as good practice we want to change the Heroku API key associated with our account to prevent any modifications to the apps via the Heroku CLI.
I know that the Heroku API Key is used for Heroku CLI access (it gets cached in ~/.heroku/credentials), but not certain what else it is used for. Specifically, do 3rd-party add-ons in the Heroku platform (e.g. New Relic, Hoptoad/Airbrake, Sendgrid, etc) use this, and therefore require reconfiguring if the API Key is changed? Heroku throws up a fairly generic (and non-informative) error message when you click the "regenerate" button to change it.
Because the term "API Key" is so generic, want to be clear that this is the single API Key associated with each Heroku account accessible via "My Account" link. Image (and warning message) below.
Asked Heroku Support. This is what I got back:
"you can safely change your API key at any time, as we don't give it to any add-on providers. That alert is meant to remind you that if you added your API key to any application or service (ie for auto scaling, manually provision workers, etc) it will stop working until you provide it a new key."
I requested that they update the interface/documentation to make this more clear.
Also remove him from being a collaborator on all your projects so he can't push to them via git.
Out of curiousity (i'd never seen reset key in the admin) I tried it. When I then tried to use the CLI against one of my apps I was asked to reauthenticate - but i can't now get back in - doh! The same username/password works via the site. I'll ping support and report back,
UPDATE:
So it appears my problem is entirely due to the Heroku Accounts (https://github.com/ddollar/heroku-accounts) plugin that I'm using which stores a copy of the key in the ~/.heroku/accounts/ file. Support got me to remove the folder and it all works now - just something to be aware of if you reset your API key.

Resources