Add permission check to account

aptos-move/framework/aptos-framework/sources/account.move

@@ -169,6 +169,8 @@ module aptos_framework::account {
     const ENO_SIGNER_CAPABILITY_OFFERED: u64 = 19;
     // This account has exceeded the allocated GUIDs it can create. It should be impossible to reach this number for real applications.
     const EEXCEEDED_MAX_GUID_CREATION_NUM: u64 = 20;
+    // Try to rotate auth key via a permissioned signer.
+    const EROTATION_WITH_PERMISSIONED_SIGNER: u64 = 20;
 
     /// Explicitly separate the GUID space between Object and Account to prevent accidental overlap.
     const MAX_GUID_CREATION_NUM: u64 = 0x4000000000000;
@@ -282,6 +284,10 @@ module aptos_framework::account {
             vector::length(&new_auth_key) == 32,
             error::invalid_argument(EMALFORMED_AUTHENTICATION_KEY)
         );
+        assert!(
+            !permissioned_signer::is_permissioned_signer(account),
+            error::permission_denied(EROTATION_WITH_PERMISSIONED_SIGNER)
+        );
         let account_resource = borrow_global_mut<Account>(addr);
         account_resource.authentication_key = new_auth_key;
     }
@@ -334,6 +340,10 @@ module aptos_framework::account {
     ) acquires Account, OriginatingAddress {
         let addr = signer::address_of(account);
         assert!(exists_at(addr), error::not_found(EACCOUNT_DOES_NOT_EXIST));
+        assert!(
+            !permissioned_signer::is_permissioned_signer(account),
+            error::permission_denied(EROTATION_WITH_PERMISSIONED_SIGNER)
+        );
         let account_resource = borrow_global_mut<Account>(addr);
 
         // Verify the given `from_public_key_bytes` matches this account's current authentication key.
@@ -389,6 +399,10 @@ module aptos_framework::account {
         new_public_key_bytes: vector<u8>,
         cap_update_table: vector<u8>
     ) acquires Account, OriginatingAddress {
+        assert!(
+            !permissioned_signer::is_permissioned_signer(delegate_signer),
+            error::permission_denied(EROTATION_WITH_PERMISSIONED_SIGNER)
+        );
         assert!(exists_at(rotation_cap_offerer_address), error::not_found(EOFFERER_ADDRESS_DOES_NOT_EXIST));
 
         // Check that there exists a rotation capability offer at the offerer's account resource for the delegate.
@@ -448,6 +462,10 @@ module aptos_framework::account {
         account_public_key_bytes: vector<u8>,
         recipient_address: address,
     ) acquires Account {
+        assert!(
+            !permissioned_signer::is_permissioned_signer(account),
+            error::permission_denied(EROTATION_WITH_PERMISSIONED_SIGNER)
+        );
         let addr = signer::address_of(account);
         assert!(exists_at(recipient_address), error::not_found(EACCOUNT_DOES_NOT_EXIST));
 
@@ -547,6 +565,10 @@ module aptos_framework::account {
         account_public_key_bytes: vector<u8>,
         recipient_address: address
     ) acquires Account {
+        assert!(
+            !permissioned_signer::is_permissioned_signer(account),
+            error::permission_denied(EROTATION_WITH_PERMISSIONED_SIGNER)
+        );
         let source_address = signer::address_of(account);
         assert!(exists_at(recipient_address), error::not_found(EACCOUNT_DOES_NOT_EXIST));
 
@@ -604,6 +626,10 @@ module aptos_framework::account {
     /// Return an authorized signer of the offerer, if there's an existing signer capability offer for `account`
     /// at the offerer's address.
     public fun create_authorized_signer(account: &signer, offerer_address: address): signer acquires Account {
+        assert!(
+            !permissioned_signer::is_permissioned_signer(account),
+            error::permission_denied(EROTATION_WITH_PERMISSIONED_SIGNER)
+        );
         assert!(exists_at(offerer_address), error::not_found(EOFFERER_ADDRESS_DOES_NOT_EXIST));
 
         // Check if there's an existing signer capability offer from the offerer.