smartcontract: replace bare asserts with validate_program_account! macro (#3490)

## Summary
- Extend the `validate_program_account!` migration from #3436 to
remaining user and multicastgroup allowlist processors
- Replaces bare `assert_eq!(account.owner, program_id)` and
`assert!(account.is_writable)` with the macro, which also adds
`data_is_empty` guards that were previously missing
- Covers `set_bgp_status`, `delete`, `closeaccount`, and all four
multicastgroup allowlist processors (publisher/subscriber add/remove)

## Lines of Code
| Section | Added | Removed |
|---------|-------|---------|
| Processors (user) | +5 | -14 |
| Processors (multicastgroup) | +35 | -26 |
| Changelog | +1 | -0 |

## Testing Verification
- All 62 doublezero-serviceability tests pass, including the BGP status,
user lifecycle, and multicast integration tests

Author: martinsander00

CHANGELOG.md

@@ -23,6 +23,7 @@ All notable changes to this project will be documented in this file.
   - Add human-readable error messages for serviceability program errors in the Go SDK, including program log extraction for enhanced debugging
   - `user get` no longer fails when no Access Pass exists; it prints a warning to stderr and continues, showing an empty access pass field
   - Replace manual account validation assertions with `validate_program_account!` macro across serviceability processor files, adding consistent `data_is_empty` checks and fixing a missing `is_writable` validation in `ResumeLink` ([#3436](https://github.com/malbeclabs/doublezero/pull/3436))
+  - Extend `validate_program_account!` migration to remaining user and multicastgroup allowlist processors (`set_bgp_status`, `delete`, `closeaccount`, publisher/subscriber `add`/`remove`)
   - Add `OutboundIcmp` target type (`= 2`) to the geolocation onchain program, enabling ICMP-based probing as an alternative to TWAMP for outbound geolocation targets
 - Geolocation
   - geoprobe-target can now store LocationOffset messages in ClickHouse

smartcontract/programs/doublezero-serviceability/src/processors/multicastgroup/allowlist/publisher/add.rs

@@ -1,6 +1,7 @@
 use crate::{
     error::DoubleZeroError,
     pda::get_accesspass_pda,
+    processors::validation::validate_program_account,
     seeds::{SEED_ACCESS_PASS, SEED_PREFIX},
     serializer::{try_acc_create, try_acc_write},
     state::{
@@ -59,17 +60,17 @@ pub fn process_add_multicastgroup_pub_allowlist(
     assert!(payer_account.is_signer, "Payer must be a signer");
 
     // Check the owner of the accounts
-    assert_eq!(
-        mgroup_account.owner, program_id,
-        "Invalid PDA Account Owner"
+    validate_program_account!(
+        mgroup_account,
+        program_id,
+        writable = true,
+        "MulticastGroup"
     );
     assert_eq!(
         *system_program.unsigned_key(),
         solana_system_interface::program::ID,
         "Invalid System Program Account Owner"
     );
-    // Check if the account is writable
-    assert!(mgroup_account.is_writable, "PDA Account is not writable");
 
     // Parse the global state account
     let mgroup = MulticastGroup::try_from(mgroup_account)?;

smartcontract/programs/doublezero-serviceability/src/processors/multicastgroup/allowlist/publisher/remove.rs

@@ -1,5 +1,6 @@
 use crate::{
     error::DoubleZeroError,
+    processors::validation::validate_program_account,
     serializer::try_acc_write,
     state::{accesspass::AccessPass, globalstate::GlobalState, multicastgroup::MulticastGroup},
 };
@@ -53,24 +54,26 @@ pub fn process_remove_multicast_pub_allowlist(
     assert!(payer_account.is_signer, "Payer must be a signer");
 
     // Check the owner of the accounts
-    assert_eq!(
-        mgroup_account.owner, program_id,
-        "Invalid PDA Account Owner"
+    validate_program_account!(
+        mgroup_account,
+        program_id,
+        writable = true,
+        "MulticastGroup"
     );
     if accesspass_account.data_is_empty() {
         return Err(DoubleZeroError::AccessPassNotFound.into());
     }
-    assert_eq!(
-        accesspass_account.owner, program_id,
-        "Invalid Accesspass Account Owner"
+    validate_program_account!(
+        accesspass_account,
+        program_id,
+        writable = false,
+        "AccessPass"
     );
     assert_eq!(
         *system_program.unsigned_key(),
         solana_system_interface::program::ID,
         "Invalid System Program Account Owner"
     );
-    // Check if the account is writable
-    assert!(mgroup_account.is_writable, "PDA Account is not writable");
 
     // Parse the global state account
     let mgroup = MulticastGroup::try_from(mgroup_account)?;

smartcontract/programs/doublezero-serviceability/src/processors/multicastgroup/allowlist/subscriber/add.rs

@@ -1,6 +1,7 @@
 use crate::{
     error::DoubleZeroError,
     pda::get_accesspass_pda,
+    processors::validation::validate_program_account,
     seeds::{SEED_ACCESS_PASS, SEED_PREFIX},
     serializer::{try_acc_create, try_acc_write},
     state::{
@@ -60,17 +61,17 @@ pub fn process_add_multicastgroup_sub_allowlist(
     assert!(payer_account.is_signer, "Payer must be a signer");
 
     // Check the owner of the accounts
-    assert_eq!(
-        mgroup_account.owner, program_id,
-        "Invalid PDA Account Owner"
+    validate_program_account!(
+        mgroup_account,
+        program_id,
+        writable = true,
+        "MulticastGroup"
     );
     assert_eq!(
         *system_program.unsigned_key(),
         solana_system_interface::program::ID,
         "Invalid System Program Account Owner"
     );
-    // Check if the account is writable
-    assert!(mgroup_account.is_writable, "PDA Account is not writable");
 
     // Parse the global state account
     let mgroup = MulticastGroup::try_from(mgroup_account)?;

smartcontract/programs/doublezero-serviceability/src/processors/multicastgroup/allowlist/subscriber/remove.rs

@@ -1,5 +1,6 @@
 use crate::{
     error::DoubleZeroError,
+    processors::validation::validate_program_account,
     serializer::try_acc_write,
     state::{accesspass::AccessPass, globalstate::GlobalState, multicastgroup::MulticastGroup},
 };
@@ -53,24 +54,26 @@ pub fn process_remove_multicast_sub_allowlist(
     assert!(payer_account.is_signer, "Payer must be a signer");
 
     // Check the owner of the accounts
-    assert_eq!(
-        mgroup_account.owner, program_id,
-        "Invalid PDA Account Owner"
+    validate_program_account!(
+        mgroup_account,
+        program_id,
+        writable = true,
+        "MulticastGroup"
     );
     if accesspass_account.data_is_empty() {
         return Err(DoubleZeroError::AccessPassNotFound.into());
     }
-    assert_eq!(
-        accesspass_account.owner, program_id,
-        "Invalid Accesspass Account Owner"
+    validate_program_account!(
+        accesspass_account,
+        program_id,
+        writable = false,
+        "AccessPass"
     );
     assert_eq!(
         *system_program.unsigned_key(),
         solana_system_interface::program::ID,
         "Invalid System Program Account Owner"
     );
-    // Check if the account is writable
-    assert!(mgroup_account.is_writable, "PDA Account is not writable");
 
     // Parse the global state account
     let mgroup = MulticastGroup::try_from(mgroup_account)?;

smartcontract/programs/doublezero-serviceability/src/processors/user/closeaccount.rs

@@ -245,8 +245,7 @@ pub fn process_closeaccount_user(
             tenant_acc.key, &user.tenant_pk,
             "Tenant account doesn't match user's tenant"
         );
-        assert_eq!(tenant_acc.owner, program_id, "Invalid Tenant Account Owner");
-        assert!(tenant_acc.is_writable, "Tenant Account is not writable");
+        validate_program_account!(tenant_acc, program_id, writable = true, "Tenant");
 
         let mut tenant = Tenant::try_from(tenant_acc)?;
         tenant.reference_count = tenant.reference_count.saturating_sub(1);

smartcontract/programs/doublezero-serviceability/src/processors/user/delete.rs

@@ -221,10 +221,7 @@ pub fn process_delete_user(
         let owner_account = owner_account.unwrap();
 
         // Validate additional accounts
-        assert_eq!(
-            device_account.owner, program_id,
-            "Invalid Device Account Owner"
-        );
+        validate_program_account!(device_account, program_id, writable = false, "Device");
 
         if user.device_pk != *device_account.key {
             return Err(ProgramError::InvalidAccountData);
@@ -250,8 +247,7 @@ pub fn process_delete_user(
                 tenant_acc.key, &user.tenant_pk,
                 "Tenant account doesn't match user's tenant"
             );
-            assert_eq!(tenant_acc.owner, program_id, "Invalid Tenant Account Owner");
-            assert!(tenant_acc.is_writable, "Tenant Account is not writable");
+            validate_program_account!(tenant_acc, program_id, writable = true, "Tenant");
 
             let mut tenant = Tenant::try_from(tenant_acc)?;
             tenant.reference_count = tenant.reference_count.saturating_sub(1);

smartcontract/programs/doublezero-serviceability/src/processors/user/set_bgp_status.rs

@@ -1,5 +1,6 @@
 use crate::{
     error::DoubleZeroError,
+    processors::validation::validate_program_account,
     serializer::try_acc_write,
     state::{
         device::Device,
@@ -44,13 +45,9 @@ pub fn process_set_bgp_status_user(
         payer_account.is_signer,
         "Metrics publisher must be a signer"
     );
-    assert!(user_account.is_writable, "User account must be writable");
 
-    assert_eq!(user_account.owner, program_id, "Invalid user account owner");
-    assert_eq!(
-        device_account.owner, program_id,
-        "Invalid device account owner"
-    );
+    validate_program_account!(user_account, program_id, writable = true, "User");
+    validate_program_account!(device_account, program_id, writable = false, "Device");
 
     let device = Device::try_from(device_account)?;