Merge pull request #5790 from oasisprotocol/peternose/trivial/remove-…

…churp-flag go/registry: Deprecate enable key manager CHURP flag
oasisprotocol · Aug 30, 2024 · 050a01f · 050a01f
2 parents 322ad47 + 84ab304
commit 050a01f
Show file tree

Hide file tree

Showing 25 changed files with 394 additions and 95 deletions.
diff --git a/.changelog/5790.trivial.md b/.changelog/5790.trivial.md
@@ -0,0 +1,4 @@
+go/registry: Deprecate enable key manager CHURP flag
+
+Removes the code previously necessary to enable the key manager CHURP
+extension.
diff --git a/go/consensus/cometbft/apps/keymanager/churp/ext.go b/go/consensus/cometbft/apps/keymanager/churp/ext.go
@@ -7,7 +7,6 @@ import (
 	"github.com/oasisprotocol/oasis-core/go/consensus/api"
 	"github.com/oasisprotocol/oasis-core/go/consensus/api/transaction"
 	tmapi "github.com/oasisprotocol/oasis-core/go/consensus/cometbft/api"
-	registryState "github.com/oasisprotocol/oasis-core/go/consensus/cometbft/apps/registry/state"
 	"github.com/oasisprotocol/oasis-core/go/keymanager/churp"
 )
 
@@ -38,10 +37,6 @@ func (ext *churpExt) OnRegister(state tmapi.ApplicationState, _ tmapi.MessageDis
 
 // ExecuteTx implements api.Extension.
 func (ext *churpExt) ExecuteTx(ctx *tmapi.Context, tx *transaction.Transaction) error {
-	if enabled, err := ext.enabled(ctx); err != nil || !enabled {
-		return fmt.Errorf("keymanager: invalid method: %s", tx.Method)
-	}
-
 	switch tx.Method {
 	case churp.MethodCreate:
 		var cfg churp.CreateRequest
@@ -75,10 +70,6 @@ func (ext *churpExt) ExecuteTx(ctx *tmapi.Context, tx *transaction.Transaction)
 
 // BeginBlock implements api.Extension.
 func (ext *churpExt) BeginBlock(ctx *tmapi.Context) error {
-	if enabled, err := ext.enabled(ctx); err != nil || !enabled {
-		return nil
-	}
-
 	changed, epoch := ext.state.EpochChanged(ctx)
 	if !changed {
 		return nil
@@ -91,12 +82,3 @@ func (ext *churpExt) BeginBlock(ctx *tmapi.Context) error {
 func (*churpExt) EndBlock(*tmapi.Context) error {
 	return nil
 }
-
-func (*churpExt) enabled(ctx *tmapi.Context) (bool, error) {
-	regState := registryState.NewMutableState(ctx.State())
-	regParams, err := regState.ConsensusParameters(ctx)
-	if err != nil {
-		return false, fmt.Errorf("failed to load registry consensus parameters: %w", err)
-	}
-	return regParams.EnableKeyManagerCHURP, nil
-}
diff --git a/go/consensus/cometbft/apps/keymanager/churp/genesis.go b/go/consensus/cometbft/apps/keymanager/churp/genesis.go
@@ -1,27 +1,89 @@
 package churp
 
 import (
+	"context"
 	"fmt"
 
 	"github.com/cometbft/cometbft/abci/types"
 
 	tmapi "github.com/oasisprotocol/oasis-core/go/consensus/cometbft/api"
 	churpState "github.com/oasisprotocol/oasis-core/go/consensus/cometbft/apps/keymanager/churp/state"
+	"github.com/oasisprotocol/oasis-core/go/consensus/cometbft/apps/keymanager/common"
 	genesis "github.com/oasisprotocol/oasis-core/go/genesis/api"
 	"github.com/oasisprotocol/oasis-core/go/keymanager/churp"
 )
 
 // InitChain implements api.Extension.
-func (ext *churpExt) InitChain(ctx *tmapi.Context, _ types.RequestInitChain, _ *genesis.Document) error {
-	if enabled, err := ext.enabled(ctx); err != nil || !enabled {
+func (ext *churpExt) InitChain(ctx *tmapi.Context, _ types.RequestInitChain, doc *genesis.Document) error {
+	// Ensure compatibility with Eden genesis file.
+	st := doc.KeyManager.Churp
+	if st == nil {
 		return nil
 	}
 
+	// Insert consensus parameters.
 	state := churpState.NewMutableState(ctx.State())
-
 	if err := state.SetConsensusParameters(ctx, &churp.DefaultConsensusParameters); err != nil {
 		return fmt.Errorf("cometbft/keymanager/churp: failed to set consensus parameters: %w", err)
 	}
 
+	// Fetch runtimes.
+	epoch, err := ext.state.GetCurrentEpoch(ctx)
+	if err != nil {
+		return fmt.Errorf("cometbft/keymanager/churp: failed to get current epoch: %w", err)
+	}
+	runtimes := common.RegistryRuntimes(ctx, doc, epoch)
+
+	// Insert statuses.
+	for _, status := range st.Statuses {
+		if _, ok := runtimes[status.RuntimeID]; !ok {
+			return fmt.Errorf("cometbft/keymanager/churp: unknown key manager runtime: %s", status.RuntimeID)
+		}
+
+		// Disable handoffs for all instances.
+		status.NextHandoff = churp.HandoffsDisabled
+		status.NextChecksum = nil
+		status.Applications = nil
+
+		// Schedule the next handoff at the beginning of the next epoch.
+		if status.HandoffInterval != 0 {
+			status.NextHandoff = epoch + 1
+		}
+
+		if err := state.SetStatus(ctx, status); err != nil {
+			return fmt.Errorf("cometbft/keymanager/churp: failed to set status: %w", err)
+		}
+
+		ctx.EmitEvent(tmapi.NewEventBuilder(ext.appName).TypedAttribute(&churp.UpdateEvent{
+			Status: status,
+		}))
+	}
+
 	return nil
 }
+
+// Genesis implements Query.
+func (q *querier) Genesis(ctx context.Context) (*churp.Genesis, error) {
+	parameters, err := q.state.ConsensusParameters(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	statuses, err := q.state.AllStatuses(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	// Disable handoffs for all instances.
+	for _, status := range statuses {
+		status.NextHandoff = churp.HandoffsDisabled
+		status.NextChecksum = nil
+		status.Applications = nil
+	}
+
+	gen := churp.Genesis{
+		Parameters: *parameters,
+		Statuses:   statuses,
+	}
+	return &gen, nil
+}
diff --git a/go/consensus/cometbft/apps/keymanager/churp/genesis_test.go b/go/consensus/cometbft/apps/keymanager/churp/genesis_test.go
@@ -0,0 +1,193 @@
+package churp
+
+import (
+	"testing"
+
+	"github.com/cometbft/cometbft/abci/types"
+	"github.com/stretchr/testify/require"
+
+	beacon "github.com/oasisprotocol/oasis-core/go/beacon/api"
+	"github.com/oasisprotocol/oasis-core/go/common"
+	"github.com/oasisprotocol/oasis-core/go/common/cbor"
+	"github.com/oasisprotocol/oasis-core/go/common/crypto/hash"
+	"github.com/oasisprotocol/oasis-core/go/common/crypto/signature"
+	"github.com/oasisprotocol/oasis-core/go/common/node"
+	"github.com/oasisprotocol/oasis-core/go/common/sgx"
+	abciAPI "github.com/oasisprotocol/oasis-core/go/consensus/cometbft/api"
+	churpState "github.com/oasisprotocol/oasis-core/go/consensus/cometbft/apps/keymanager/churp/state"
+	"github.com/oasisprotocol/oasis-core/go/genesis/api"
+	keymanager "github.com/oasisprotocol/oasis-core/go/keymanager/api"
+	"github.com/oasisprotocol/oasis-core/go/keymanager/churp"
+	registry "github.com/oasisprotocol/oasis-core/go/registry/api"
+)
+
+var (
+	kmRuntimeID common.Namespace
+	_           = kmRuntimeID.UnmarshalHex("c000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff")
+)
+
+func createTestRegistryGenesis() registry.Genesis {
+	return registry.Genesis{
+		Parameters: registry.ConsensusParameters{
+			DebugAllowTestRuntimes: true,
+			EnableRuntimeGovernanceModels: map[registry.RuntimeGovernanceModel]bool{
+				registry.GovernanceEntity: true,
+			},
+		},
+		Runtimes: []*registry.Runtime{
+			{
+				Versioned:   cbor.NewVersioned(registry.LatestRuntimeDescriptorVersion),
+				ID:          kmRuntimeID,
+				EntityID:    signature.PublicKey{},
+				Kind:        registry.KindKeyManager,
+				TEEHardware: node.TEEHardwareIntelSGX,
+				Deployments: []*registry.VersionInfo{
+					{
+						TEE: cbor.Marshal(node.SGXConstraints{
+							Enclaves: []sgx.EnclaveIdentity{{}},
+						}),
+					},
+				},
+				AdmissionPolicy: registry.RuntimeAdmissionPolicy{
+					EntityWhitelist: &registry.EntityWhitelistRuntimeAdmissionPolicy{
+						Entities: map[signature.PublicKey]registry.EntityWhitelistConfig{},
+					},
+				},
+				GovernanceModel: registry.GovernanceEntity,
+			},
+		},
+	}
+}
+
+func createTestChurpGenesis() *churp.Genesis {
+	return &churp.Genesis{
+		Parameters: churp.ConsensusParameters{
+			GasCosts: churp.DefaultGasCosts,
+		},
+		Statuses: []*churp.Status{
+			{
+				Identity: churp.Identity{
+					ID:        1,
+					RuntimeID: kmRuntimeID,
+				},
+				Threshold:       5,
+				HandoffInterval: 0,
+				NextHandoff:     churp.HandoffsDisabled,
+			},
+			{
+				Identity: churp.Identity{
+					ID:        2,
+					RuntimeID: kmRuntimeID,
+				},
+				Threshold:       10,
+				HandoffInterval: 1,
+				NextHandoff:     100,
+				NextChecksum:    &hash.Hash{1, 2, 3},
+				Applications: map[signature.PublicKey]churp.Application{
+					keymanager.InsecureRAK: {
+						Checksum:      hash.Hash{1, 2, 3},
+						Reconstructed: true,
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestInitChain(t *testing.T) {
+	appState := abciAPI.NewMockApplicationState(&abciAPI.MockApplicationStateConfig{})
+	ctx := appState.NewContext(abciAPI.ContextInitChain)
+	defer ctx.Close()
+
+	state := churpState.NewMutableState(ctx.State())
+	app := &churpExt{
+		state: appState,
+	}
+
+	// Empty state.
+	doc := api.Document{}
+	err := app.InitChain(ctx, types.RequestInitChain{}, &doc)
+	require.NoError(t, err, "failed to initialize empty state")
+
+	params, err := state.ConsensusParameters(ctx)
+	require.NoError(t, err)
+	require.Equal(t, churp.ConsensusParameters{}, *params)
+
+	statuses, err := state.AllStatuses(ctx)
+	require.NoError(t, err)
+	require.Empty(t, statuses)
+
+	// Non-empty state.
+	doc = api.Document{
+		KeyManager: keymanager.Genesis{
+			Churp: createTestChurpGenesis(),
+		},
+		Registry: createTestRegistryGenesis(),
+	}
+
+	err = app.InitChain(ctx, types.RequestInitChain{}, &doc)
+	require.NoError(t, err, "failed to initialize non-empty state")
+
+	params, err = state.ConsensusParameters(ctx)
+	require.NoError(t, err)
+	require.Equal(t, churp.DefaultConsensusParameters, *params)
+
+	statuses, err = state.AllStatuses(ctx)
+	require.NoError(t, err)
+	require.Len(t, statuses, 2)
+
+	require.Equal(t, uint8(1), statuses[0].ID)
+	require.Equal(t, uint8(5), statuses[0].Threshold)
+	require.Equal(t, beacon.EpochTime(0), statuses[0].HandoffInterval)
+	require.Equal(t, churp.HandoffsDisabled, statuses[0].NextHandoff) // Should be disabled.
+	require.Nil(t, statuses[0].NextChecksum)
+	require.Nil(t, statuses[0].Applications)
+
+	require.Equal(t, uint8(2), statuses[1].ID)
+	require.Equal(t, uint8(10), statuses[1].Threshold)
+	require.Equal(t, beacon.EpochTime(1), statuses[1].HandoffInterval)
+	require.Equal(t, beacon.EpochTime(1), statuses[1].NextHandoff) // Should be set.
+	require.Nil(t, statuses[1].NextChecksum)
+	require.Nil(t, statuses[1].Applications)
+}
+
+func TestGenesis(t *testing.T) {
+	appState := abciAPI.NewMockApplicationState(&abciAPI.MockApplicationStateConfig{})
+	ctx := appState.NewContext(abciAPI.ContextEndBlock)
+	defer ctx.Close()
+
+	state := churpState.NewMutableState(ctx.State())
+	q := NewQuery(state.ImmutableState)
+
+	// Empty state.
+	g, err := q.Genesis(ctx)
+	require.NoError(t, err)
+
+	require.Equal(t, churp.ConsensusParameters{}, g.Parameters)
+	require.Len(t, g.Statuses, 0)
+
+	// Prepare state that should be exported into the expected genesis.
+	genesis := createTestChurpGenesis()
+
+	err = state.SetConsensusParameters(ctx, &genesis.Parameters)
+	require.NoError(t, err)
+
+	for _, status := range genesis.Statuses {
+		err = state.SetStatus(ctx, status)
+		require.NoError(t, err)
+	}
+
+	// Exported genesis disables handoffs for all instances
+	for i := range genesis.Statuses {
+		genesis.Statuses[i].NextHandoff = churp.HandoffsDisabled
+		genesis.Statuses[i].NextChecksum = nil
+		genesis.Statuses[i].Applications = nil
+	}
+
+	// Non-empty state.
+	g, err = q.Genesis(ctx)
+	require.NoError(t, err)
+
+	require.Equal(t, genesis.Parameters, g.Parameters)
+	require.EqualValues(t, genesis.Statuses, g.Statuses)
+}
diff --git a/go/consensus/cometbft/apps/keymanager/churp/query.go b/go/consensus/cometbft/apps/keymanager/churp/query.go
@@ -14,6 +14,7 @@ type Query interface {
 	Status(context.Context, common.Namespace, uint8) (*churp.Status, error)
 	Statuses(context.Context, common.Namespace) ([]*churp.Status, error)
 	AllStatuses(context.Context) ([]*churp.Status, error)
+	Genesis(context.Context) (*churp.Genesis, error)
 }
 
 type querier struct {

diff --git a/go/consensus/cometbft/apps/keymanager/churp/state/state.go b/go/consensus/cometbft/apps/keymanager/churp/state/state.go
@@ -2,7 +2,6 @@ package state
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/oasisprotocol/oasis-core/go/common"
 	"github.com/oasisprotocol/oasis-core/go/common/cbor"
@@ -38,7 +37,7 @@ func (st *ImmutableState) ConsensusParameters(ctx context.Context) (*churp.Conse
 		return nil, abciAPI.UnavailableStateError(err)
 	}
 	if raw == nil {
-		return nil, fmt.Errorf("cometbft/keymanager/churp: expected consensus parameters to be present in app state")
+		return &churp.ConsensusParameters{}, nil
 	}
 
 	var params churp.ConsensusParameters

diff --git a/go/consensus/cometbft/apps/keymanager/churp/state/state_test.go b/go/consensus/cometbft/apps/keymanager/churp/state/state_test.go
@@ -26,15 +26,16 @@ func TestConsensusParameters(t *testing.T) {
 	}
 
 	// Empty state.
-	_, err := st.ConsensusParameters(ctx)
-	require.Error(t, err)
+	fetched, err := st.ConsensusParameters(ctx)
+	require.NoError(t, err)
+	require.Equal(t, &churp.ConsensusParameters{}, fetched)
 
 	// Set state.
 	err = st.SetConsensusParameters(ctx, &params)
 	require.NoError(t, err)
 
 	// New state.
-	fetched, err := st.ConsensusParameters(ctx)
+	fetched, err = st.ConsensusParameters(ctx)
 	require.NoError(t, err)
 	require.Len(t, fetched.GasCosts, 1)
 	require.Equal(t, params.GasCosts[churp.GasOpCreate], fetched.GasCosts[churp.GasOpCreate])