Introduce capabilities filtering for off-chain runtime calls.

[tomusdrw]

If we call into the runtime, we can pass various ExecutionContexts to identify where is it coming from.
Initially this was only affecting how we run the call (a.k.a execution strategy = native / wasm), with introduction of OffchainWorkers this also controls the APIs that are available for that part of the runtime.

Recently in #3296 we've introduced additional keystore APIs that must not be available for consensus-critical code, but are very useful for off-chain calls, like rotating the keys - they are only valid in ExecutionContext::Other.

This PR introduces a possibility to further control what APIs (Capabilties) are available for particular off-chain call and tries to make it more explicit. This will come handy to implement equivocation reporting for Grandpa/Babe, since we will be able to call into the runtime, produce, sign and submit transaction to the pool in one call. In the future we even want the off-chain call to be able to read (And possibly) write the offchain worker DB, for instance to retrieve the merkle proofs for session membership.

[marcio-diaz]

Are all of these exclusive?

[tomusdrw]

Yes.

[marcio-diaz]

Maybe rename context_other.

[bkchr]

In general looking good, but I really think that we should panic when something tries to access a function without the required capabilities. Otherwise I see us at some point debugging a problem that will have its root cause in such a function.

[tomusdrw]

Otherwise I see us at some point debugging a problem that will have its root cause in such a function.

That's why we print a warning if such function is being used. I'm really scared of panicking in the code that:

1. Is very mixed up with regular, consensus-critical runtime code (it's just RuntimeApi)
2. Is being called very frequently by the node
3. Most likely will not run in wasm sandbox, but as native code.

Any mistake in a code like this will cause the entire network to brick forever.

[bkchr]

For that exists testing, if you deploy code that panics it is your own fault. You should not use these functions from within the chain.
If you print a warning, no one will see it or just ignore it. We panic anyway when no offchain context is set, so I don't see the difference.

[tomusdrw]

If you print a warning, no one will see it or just ignore it. We panic anyway when no offchain context is set, so I don't see the difference.

Offchain workers are much better separate from other parts of the runtime code IMHO (it's one special function that is being called). Regular RuntimeApis are usually a code that is shared with consensus-crticial code.

For that exists testing, if you deploy code that panics it is your own fault. You should not use these functions from within the chain.

IMHO we've experienced multiple times that testing is never enough, and just saying: "It's your fault to brick a $1M network" is a lame excuse to introduce security measures to prevent that.

That said, I'm fine to bend to pressure as I'm also torn apart between having a clean code / easy debugging experience and catering for possible future (possibly unlikely) mistakes. Will update the code shortly.

[bkchr]

IMHO we've experienced multiple times that testing is never enough, and just saying: "It's your fault to brick a $1M network" is a lame excuse to introduce security measures to prevent that.

That is correct, but the code will fail anyway when you try to call it, as the offchain context is not set.

[bkchr]

We can also return a Result and fail in sr-io, as we do it for the other stuff as well.

done