From 951a286d201ed2b81c83a29c7fa6abf99b9cadd8 Mon Sep 17 00:00:00 2001 From: Alin Tomescu Date: Thu, 9 Jan 2025 14:11:23 -1000 Subject: [PATCH] no more default devnet VK; it should now be set manually via GenesisConfiguration during (re)deployment --- aptos-move/e2e-move-tests/README.md | 9 ++++ .../src/tests/keyless_feature_gating.rs | 42 +++++++++++++------ aptos-move/vm-genesis/src/lib.rs | 23 +++++----- crates/aptos-genesis/src/lib.rs | 6 +-- crates/aptos-genesis/src/mainnet.rs | 2 +- 5 files changed, 54 insertions(+), 28 deletions(-) create mode 100644 aptos-move/e2e-move-tests/README.md diff --git a/aptos-move/e2e-move-tests/README.md b/aptos-move/e2e-move-tests/README.md new file mode 100644 index 00000000000000..f025e0ca31a9be --- /dev/null +++ b/aptos-move/e2e-move-tests/README.md @@ -0,0 +1,9 @@ +# e2e-move-tests + +## Keyless + +To run the keyless VM tests: + +``` +cargo test -- keyless +``` diff --git a/aptos-move/e2e-move-tests/src/tests/keyless_feature_gating.rs b/aptos-move/e2e-move-tests/src/tests/keyless_feature_gating.rs index 08d283cd67feb7..5816043649c818 100644 --- a/aptos-move/e2e-move-tests/src/tests/keyless_feature_gating.rs +++ b/aptos-move/e2e-move-tests/src/tests/keyless_feature_gating.rs @@ -16,6 +16,7 @@ use aptos_types::{ }, AnyKeylessPublicKey, Configuration, EphemeralCertificate, FederatedKeylessPublicKey, Groth16VerificationKey, KeylessPublicKey, KeylessSignature, TransactionAndProof, + DEVNET_VERIFICATION_KEY, }, on_chain_config::FeatureFlag, transaction::{ @@ -35,7 +36,7 @@ use move_core_types::{ }, }; -/// Initializes an Aptos VM and sets the keyless configuration via script (the VK is already set in genesis). +/// Initializes an Aptos VM and sets the keyless configuration via script. fn init_feature_gating( enabled_features: Vec, disabled_features: Vec, @@ -46,6 +47,12 @@ fn init_feature_gating( // initialize JWKs let core_resources = run_jwk_and_config_script(&mut h); + // initialize default VK + run_upgrade_vk_script( + &mut h, + core_resources.clone(), + Groth16VerificationKey::from(DEVNET_VERIFICATION_KEY.clone()), + ); (h, recipient, core_resources) } @@ -256,6 +263,14 @@ fn test_federated_keyless_at_jwk_addr() { let jwk_addr = AccountAddress::from_hex_literal("0xadd").unwrap(); + // Step 0: Make sure the default VK is installed + let core_resources = h.new_account_at(AccountAddress::from_hex_literal("0xA550C18").unwrap()); + run_upgrade_vk_script( + &mut h, + core_resources.clone(), + Groth16VerificationKey::from(DEVNET_VERIFICATION_KEY.clone()), + ); + // Step 1: Make sure TXN validation fails if JWKs are not installed at jwk_addr. let (sig, pk) = get_sample_groth16_sig_and_pk(); let sender = create_federated_keyless_account(&mut h, jwk_addr, pk); @@ -280,7 +295,7 @@ fn test_federated_keyless_at_jwk_addr() { // Step 1: Make sure TXN validation succeeds once JWKs are installed at jwk_addr. let iss = get_sample_iss(); let jwk = get_sample_jwk(); - let _core_resources = install_federated_jwks_and_set_keyless_config(&mut h, jwk_addr, iss, jwk); + let _ = install_federated_jwks_and_set_keyless_config(&mut h, jwk_addr, iss, jwk); let txn = spend_keyless_account(&mut h, sig, &sender, *recipient.address()); let output = h.run_raw(txn); @@ -308,7 +323,14 @@ fn test_federated_keyless_override_at_0x1() { let jwk_addr = AccountAddress::from_hex_literal("0xadd").unwrap(); let iss = get_sample_iss(); let jwk = secure_test_rsa_jwk(); // this will be the wrong JWK - let _core_resources = install_federated_jwks_and_set_keyless_config(&mut h, jwk_addr, iss, jwk); + let core_resources = install_federated_jwks_and_set_keyless_config(&mut h, jwk_addr, iss, jwk); + + // Step 0: Make sure the default VK is installed + run_upgrade_vk_script( + &mut h, + core_resources.clone(), + Groth16VerificationKey::from(DEVNET_VERIFICATION_KEY.clone()), + ); // Step 1: Make sure the TXN does not validate, since the wrong JWK is installed at JWK addr let (sig, pk) = get_sample_groth16_sig_and_pk(); @@ -441,7 +463,7 @@ fn create_and_spend_keyless_account( spend_keyless_account(h, sig, &account, recipient) } -/// Sets the keyless configuration (Note: the VK is already set in genesis.) +/// Sets the keyless configuration fn run_jwk_and_config_script(h: &mut MoveHarness) -> Account { let core_resources = h.new_account_at(AccountAddress::from_hex_literal("0xA550C18").unwrap()); @@ -475,16 +497,14 @@ fn run_jwk_and_config_script(h: &mut MoveHarness) -> Account { .sign(); // NOTE: We cannot write the Configuration and Groth16Verification key via MoveHarness::set_resource - // because it does not (yet) work with resource groups. This is okay, because the VK will be - // there from genesis. + // because it does not (yet) work with resource groups. assert_success!(h.run(txn)); core_resources } -/// Sets the keyless configuration and installs the sample RSA JWK as a federated JWK -/// (Note: the VK is already set in genesis.) +/// Sets the keyless configuration and installs the sample RSA JWK as a federated JWK. fn install_federated_jwks_and_set_keyless_config( h: &mut MoveHarness, jwk_owner: AccountAddress, @@ -524,8 +544,7 @@ fn federated_keyless_init_config(h: &mut MoveHarness, core_resources: Account) { .sign(); // NOTE: We cannot write the Configuration and Groth16Verification key via MoveHarness::set_resource - // because it does not (yet) work with resource groups. This is okay, because the VK will be - // there from genesis. + // because it does not (yet) work with resource groups. assert_success!(h.run(txn)); } @@ -557,8 +576,7 @@ fn federated_keyless_install_jwk( .sign(); // NOTE: We cannot write the Configuration and Groth16Verification key via MoveHarness::set_resource - // because it does not (yet) work with resource groups. This is okay, because the VK will be - // there from genesis. + // because it does not (yet) work with resource groups. assert_success!(h.run(txn)); } diff --git a/aptos-move/vm-genesis/src/lib.rs b/aptos-move/vm-genesis/src/lib.rs index 239713079c6165..ea57e7b377de2b 100644 --- a/aptos-move/vm-genesis/src/lib.rs +++ b/aptos-move/vm-genesis/src/lib.rs @@ -27,8 +27,7 @@ use aptos_types::{ secure_test_rsa_jwk, }, keyless::{ - self, test_utils::get_sample_iss, Groth16VerificationKey, DEVNET_VERIFICATION_KEY, - KEYLESS_ACCOUNT_MODULE_NAME, + self, test_utils::get_sample_iss, Groth16VerificationKey, KEYLESS_ACCOUNT_MODULE_NAME, }, move_utils::as_move_value::AsMoveValue, on_chain_config::{ @@ -111,7 +110,7 @@ pub struct GenesisConfiguration { pub randomness_config_override: Option, pub jwk_consensus_config_override: Option, pub initial_jwks: Vec, - pub keyless_groth16_vk_override: Option, + pub keyless_groth16_vk: Option, } pub static GENESIS_KEYPAIR: Lazy<(Ed25519PrivateKey, Ed25519PublicKey)> = Lazy::new(|| { @@ -312,7 +311,7 @@ pub fn encode_genesis_change_set( &module_storage, chain_id, genesis_config.initial_jwks.clone(), - genesis_config.keyless_groth16_vk_override.clone(), + genesis_config.keyless_groth16_vk.clone(), ); set_genesis_end(&mut session, &module_storage); @@ -686,7 +685,7 @@ fn initialize_keyless_accounts( module_storage: &impl AptosModuleStorage, chain_id: ChainId, mut initial_jwks: Vec, - vk_override: Option, + vk: Option, ) { let config = keyless::Configuration::new_for_devnet(); exec_function( @@ -700,9 +699,8 @@ fn initialize_keyless_accounts( config.as_move_value(), ]), ); - if !chain_id.is_mainnet() { - let vk = - vk_override.unwrap_or_else(|| Groth16VerificationKey::from(&*DEVNET_VERIFICATION_KEY)); + + if vk.is_some() { exec_function( session, module_storage, @@ -711,10 +709,11 @@ fn initialize_keyless_accounts( vec![], serialize_values(&vec![ MoveValue::Signer(CORE_CODE_ADDRESS), - vk.as_move_value(), + vk.unwrap().as_move_value(), ]), ); - + } + if !chain_id.is_mainnet() { let additional_jwk_patch = IssuerJWK { issuer: get_sample_iss(), jwk: JWK::RSA(secure_test_rsa_jwk()), @@ -1255,7 +1254,7 @@ pub fn generate_test_genesis( randomness_config_override: None, jwk_consensus_config_override: None, initial_jwks: vec![], - keyless_groth16_vk_override: None, + keyless_groth16_vk: None, }, &OnChainConsensusConfig::default_for_genesis(), &OnChainExecutionConfig::default_for_genesis(), @@ -1307,7 +1306,7 @@ fn mainnet_genesis_config() -> GenesisConfiguration { randomness_config_override: None, jwk_consensus_config_override: None, initial_jwks: vec![], - keyless_groth16_vk_override: None, + keyless_groth16_vk: None, } } diff --git a/crates/aptos-genesis/src/lib.rs b/crates/aptos-genesis/src/lib.rs index 8fed37e85cfa66..7f6624af564367 100644 --- a/crates/aptos-genesis/src/lib.rs +++ b/crates/aptos-genesis/src/lib.rs @@ -79,7 +79,7 @@ pub struct GenesisInfo { pub randomness_config_override: Option, pub jwk_consensus_config_override: Option, pub initial_jwks: Vec, - pub keyless_groth16_vk_override: Option, + pub keyless_groth16_vk: Option, } impl GenesisInfo { @@ -120,7 +120,7 @@ impl GenesisInfo { randomness_config_override: genesis_config.randomness_config_override.clone(), jwk_consensus_config_override: genesis_config.jwk_consensus_config_override.clone(), initial_jwks: genesis_config.initial_jwks.clone(), - keyless_groth16_vk_override: genesis_config.keyless_groth16_vk_override.clone(), + keyless_groth16_vk: genesis_config.keyless_groth16_vk_override.clone(), }) } @@ -157,7 +157,7 @@ impl GenesisInfo { randomness_config_override: self.randomness_config_override.clone(), jwk_consensus_config_override: self.jwk_consensus_config_override.clone(), initial_jwks: self.initial_jwks.clone(), - keyless_groth16_vk_override: self.keyless_groth16_vk_override.clone(), + keyless_groth16_vk: self.keyless_groth16_vk.clone(), }, &self.consensus_config, &self.execution_config, diff --git a/crates/aptos-genesis/src/mainnet.rs b/crates/aptos-genesis/src/mainnet.rs index 37ece1845d719c..e78e619694ee24 100644 --- a/crates/aptos-genesis/src/mainnet.rs +++ b/crates/aptos-genesis/src/mainnet.rs @@ -144,7 +144,7 @@ impl MainnetGenesisInfo { randomness_config_override: self.randomness_config_override.clone(), jwk_consensus_config_override: self.jwk_consensus_config_override.clone(), initial_jwks: vec![], - keyless_groth16_vk_override: None, + keyless_groth16_vk: None, }, ) }