From eaa714524e76d7bbc185a34a2e59fff5d399752f Mon Sep 17 00:00:00 2001
From: Damian Nolan <damiannolan@gmail.com>
Date: Tue, 20 Feb 2024 15:19:10 +0100
Subject: [PATCH] imp: deny selected client types from VerifyMembership rpc
 (#5871)

* chore: add client status check to verify membership rpc

* imp: deny selected client types from VerifyMembership rpc

(cherry picked from commit 4f14cfd8ea11763793d5ab4dc36c030b507726b2)
---
 modules/core/02-client/keeper/grpc_query.go    | 11 +++++++++++
 .../core/02-client/keeper/grpc_query_test.go   | 18 ++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/modules/core/02-client/keeper/grpc_query.go b/modules/core/02-client/keeper/grpc_query.go
index cf2714b329e..f360076692b 100644
--- a/modules/core/02-client/keeper/grpc_query.go
+++ b/modules/core/02-client/keeper/grpc_query.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"slices"
 	"sort"
 	"strings"
 
@@ -341,6 +342,16 @@ func (k Keeper) VerifyMembership(c context.Context, req *types.QueryVerifyMember
 		return nil, status.Error(codes.InvalidArgument, err.Error())
 	}
 
+	clientType, _, err := types.ParseClientIdentifier(req.ClientId)
+	if err != nil {
+		return nil, status.Error(codes.InvalidArgument, err.Error())
+	}
+
+	denyClients := []string{exported.Localhost, exported.Solomachine}
+	if slices.Contains(denyClients, clientType) {
+		return nil, status.Error(codes.InvalidArgument, errorsmod.Wrapf(types.ErrInvalidClientType, "verify membership is disabled for client types %s", denyClients).Error())
+	}
+
 	if len(req.Proof) == 0 {
 		return nil, status.Error(codes.InvalidArgument, "empty proof")
 	}
diff --git a/modules/core/02-client/keeper/grpc_query_test.go b/modules/core/02-client/keeper/grpc_query_test.go
index 2b0eb21ba6b..78b21d1c639 100644
--- a/modules/core/02-client/keeper/grpc_query_test.go
+++ b/modules/core/02-client/keeper/grpc_query_test.go
@@ -713,6 +713,24 @@ func (suite *KeeperTestSuite) TestQueryVerifyMembershipProof() {
 			},
 			host.ErrInvalidID,
 		},
+		{
+			"localhost client ID is denied",
+			func() {
+				req = &types.QueryVerifyMembershipRequest{
+					ClientId: exported.LocalhostClientID,
+				}
+			},
+			types.ErrInvalidClientType,
+		},
+		{
+			"solomachine client ID is denied",
+			func() {
+				req = &types.QueryVerifyMembershipRequest{
+					ClientId: types.FormatClientIdentifier(exported.Solomachine, 1),
+				}
+			},
+			types.ErrInvalidClientType,
+		},
 		{
 			"empty proof",
 			func() {