feat: Public Kernel must check contract membership

[LHerskind]

Following the introduction of the internal keyword, the kernels must enforce that the contract itself is the caller for internal functions. This is handled for private calls in #978.

For public calls is was realised that there was no contract membership check. The current PublicCallData does not include membership witnesses, vk nor the acir_hash, so would need to be extended to include those, or clarify how the function leaf is setup.

Secondly, when doing public calls, the executor currently does not have access to the function abi, so it will not be able to provide the needed information for this check or the is_internal without extensions.

Tasks

Preview Give feedback

1. generating the function leaves in contract_tree.ts must differ between public and private
2. the public kernel should be extended with a membership check
3. explicit cpp test should be added
4. the public executor must produce the membership witnesses for membership checks.
5. Validate executed public bytecode hash #378
   C-avm +1
   
6. public executor must fetch is_internal from function abi #1304
   +0
   

---

Example, bypassing the is_internal flag for executing public functions.

If we insert false as is_internal here, we can bypass the check that is enforced by the circuits, as it enforce the check based on the inputs you give it and currently don't check the contract matches was you provided.

aztec-packages/yarn-project/aztec.js/src/contract/contract_function_interaction.ts

Lines 91 to 96 in 31d290a

	const functionData = new FunctionData(
	generateFunctionSelector(this.functionDao.name, this.functionDao.parameters),
	this.functionDao.isInternal,
	this.functionDao.functionType === FunctionType.SECRET,
	this.functionDao.name === 'constructor',
	);

---

Indifferent tree

When computing DeploymentInfo with getContractDeploymentInfo() we compute the contract leaves as follows

aztec-packages/yarn-project/circuits.js/src/contract/contract_tree/contract_tree.ts

Lines 76 to 80 in 31d290a

	const vkHash = hashVKStr(f.verificationKey!, wasm);
	// TODO
	// FIXME: https://github.com/AztecProtocol/aztec3-packages/issues/262
	// const acirHash = keccak(Buffer.from(f.bytecode, 'hex'));
	const acirHash = Buffer.alloc(32, 0);

This does not make a distinction between private and public function calls, and will compute public as if they were private function calls. For public calls, the acir_hash should be 0, and instead of the vk_hash we should use the opcodes_commitment which from the cpp seem to be referred to as bytecode_hash.

This will have an effect on how we are to perform the membership checks so is important to update.

Computing the bytecode hash

As mentioned in #378 it is not decided how the bytecode hash is represented.

[LHerskind]

@dbanks12 moving this issue to your team. Seems like a better fit since you are dealing with the kernels more than I, and need to add related fixed anyway.