WIP: CCQ

wormhole-foundation · May 25, 2023 · b290e30 · b290e30
1 parent 821d66e
commit b290e30
Show file tree

Hide file tree

Showing 12 changed files with 1,086 additions and 229 deletions.
diff --git a/Dockerfile.const b/Dockerfile.const
@@ -1,13 +1,18 @@
 # syntax=docker.io/docker/dockerfile:1.3@sha256:42399d4635eddd7a9b8a24be879d2f9a930d0ed040a61324cfdf59ef1357b3b2
 FROM node:16-alpine@sha256:004dbac84fed48e20f9888a23e32fa7cf83c2995e174a78d41d9a9dd1e051a20 as const-build
 
-# fetch scripts/guardian-set-init.sh deps
-RUN apk update && apk add bash g++ make python3 curl jq findutils
-
 # Support additional root CAs
 COPY README.md cert.pem* /certs/
 # Alpine
 RUN if [ -e /certs/cert.pem ]; then cp /certs/cert.pem /etc/ssl/cert.pem; fi
+# Node
+ENV NODE_EXTRA_CA_CERTS=/certs/cert.pem
+ENV NODE_OPTIONS=--use-openssl-ca
+# npm
+RUN if [ -e /certs/cert.pem ]; then npm config set cafile /certs/cert.pem; fi
+
+# fetch scripts/guardian-set-init.sh deps
+RUN apk update && apk add bash g++ make python3 curl jq findutils
 
 # install CLI deps & build
 WORKDIR /clients/js

diff --git a/devnet/node.yaml b/devnet/node.yaml
@@ -78,7 +78,9 @@ spec:
             # - --bscRPC
             # - ws://eth-devnet2:8545
             - --polygonRPC
-            - ws://eth-devnet:8545
+            - wss://ws-matic-mainnet.chainstacklabs.com
+            - --polygonContract
+            - "0x7A4B5a56256163F07b2C80A7cA55aBE66c4ec4d7"
             - --avalancheRPC
             - ws://eth-devnet:8545
             - --auroraRPC
@@ -167,8 +169,8 @@ spec:
             - /tmp/data
             - --publicRpcLogDetail
             - "full"
-          # - --chainGovernorEnabled=true
-          #            - --logLevel=debug
+            # - --chainGovernorEnabled=true
+            # - --logLevel=debug
           securityContext:
             capabilities:
               add:

diff --git a/node/cmd/guardiand/node.go b/node/cmd/guardiand/node.go
diff --git a/node/cmd/guardiand/query.go b/node/cmd/guardiand/query.go
@@ -0,0 +1,84 @@
+package guardiand
+
+import (
+	"context"
+
+	"github.com/benbjohnson/clock"
+	gossipv1 "github.com/certusone/wormhole/node/pkg/proto/gossip/v1"
+	"github.com/ethereum/go-ethereum/common"
+	ethcrypto "github.com/ethereum/go-ethereum/crypto"
+	"github.com/wormhole-foundation/wormhole/sdk/vaa"
+	"go.uber.org/zap"
+	"google.golang.org/protobuf/proto"
+)
+
+// TODO: should this use a different standard of signing messages, like https://eips.ethereum.org/EIPS/eip-712
+var queryRequestPrefix = []byte("query_request_00000000000000000000|")
+
+func queryRequestDigest(b []byte) common.Hash {
+	return ethcrypto.Keccak256Hash(append(queryRequestPrefix, b...))
+}
+
+var allowedRequestor = common.BytesToAddress(common.Hex2Bytes("beFA429d57cD18b7F8A4d91A2da9AB4AF05d0FBe"))
+
+// Multiplex observation requests to the appropriate chain
+func handleQueryRequests(
+	ctx context.Context,
+	clock clock.Clock,
+	logger *zap.Logger,
+	signedQueryReqC <-chan *gossipv1.SignedQueryRequest,
+	chainQueryReqC map[vaa.ChainID]chan *gossipv1.QueryRequest,
+) {
+	qLogger := logger.With(zap.String("component", "queryHandler"))
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case signedQueryRequest := <-signedQueryReqC:
+			// requestor validation happens here
+			// request type validation is currently handled by the watcher
+			// in the future, it may be worthwhile to catch certain types of 
+			// invalid requests here for tracking purposes
+			requestorAddr := common.BytesToAddress(signedQueryRequest.RequestorAddr)
+			if requestorAddr != allowedRequestor {
+				qLogger.Error("invalid requestor", zap.String("requestor", requestorAddr.Hex()))
+				continue
+			}
+
+			digest := queryRequestDigest(signedQueryRequest.QueryRequest)
+
+			signerBytes, err := ethcrypto.Ecrecover(digest.Bytes(), signedQueryRequest.Signature)
+			if err != nil {
+				qLogger.Error("failed to recover public key", zap.String("requestor", requestorAddr.Hex()))
+				continue
+			}
+
+			signerAddress := common.BytesToAddress(ethcrypto.Keccak256(signerBytes[1:])[12:])
+			if signerAddress != requestorAddr {
+				qLogger.Error("requestor signer mismatch", zap.String("requestor", requestorAddr.Hex()), zap.String("signer", signerAddress.Hex()))
+				continue
+			}
+
+			var queryRequest gossipv1.QueryRequest
+			err = proto.Unmarshal(signedQueryRequest.QueryRequest, &queryRequest)
+			if err != nil {
+				qLogger.Error("received invalid message",
+					zap.String("requestor", requestorAddr.Hex()))
+				continue
+			}
+
+			if channel, ok := chainQueryReqC[vaa.ChainID(queryRequest.ChainId)]; ok {
+				select {
+				// TODO: is pointer fine here?
+				case channel <- &queryRequest:
+				default:
+					qLogger.Warn("failed to send query request to watcher",
+						zap.Uint16("chain_id", uint16(queryRequest.ChainId)))
+				}
+			} else {
+				qLogger.Error("unknown chain ID for query request",
+					zap.Uint16("chain_id", uint16(queryRequest.ChainId)))
+			}
+		}
+	}
+}
diff --git a/node/cmd/spy/spy.go b/node/cmd/spy/spy.go
@@ -466,6 +466,9 @@ func runSpy(cmd *cobra.Command, args []string) {
 	// Inbound observation requests
 	obsvReqC := make(chan *gossipv1.ObservationRequest, 50)
 
+	// Inbound observation requests
+	queryReqC := make(chan *gossipv1.SignedQueryRequest, 50)
+
 	// Inbound signed VAAs
 	signedInC := make(chan *gossipv1.SignedVAAWithQuorum, 50)
 
@@ -502,6 +505,18 @@ func runSpy(cmd *cobra.Command, args []string) {
 		}
 	}()
 
+	// Ignore query requests
+	// Note: without this, the whole program hangs on query requests
+	go func() {
+		for {
+			select {
+			case <-rootCtx.Done():
+				return
+			case <-queryReqC:
+			}
+		}
+	}()
+
 	// Log signed VAAs
 	go func() {
 		for {
@@ -553,6 +568,7 @@ func runSpy(cmd *cobra.Command, args []string) {
 				nil,
 				components,
 				nil, // ibc feature string
+				queryReqC,
 			)); err != nil {
 			return err
 		}

diff --git a/node/hack/query/dev.guardian.key b/node/hack/query/dev.guardian.key
@@ -0,0 +1,8 @@
+-----BEGIN WORMHOLE GUARDIAN PRIVATE KEY-----
+PublicKey: 0xbeFA429d57cD18b7F8A4d91A2da9AB4AF05d0FBe
+Description: auto-generated deterministic devnet key
+
+CiDPsSMDoZzeWAu03XcWObDSa8aDU2RVcajP9RarLuEToBAB
+=VN/A
+-----END WORMHOLE GUARDIAN PRIVATE KEY-----
+