[DRAFT] CCQ: Cross-Chain Query Integration

Dockerfile.const

@@ -2,13 +2,18 @@
 FROM cli-gen as cli-export
 FROM node:18-alpine@sha256:44aaf1ccc80eaed6572a0f2ef7d6b5a2982d54481e4255480041ac92221e2f11 as const-build
 
-# fetch scripts/guardian-set-init.sh deps
-RUN apk update && apk add bash g++ make python3 curl jq findutils
-
 # Support additional root CAs
 COPY README.md cert.pem* /certs/
 # Alpine
 RUN if [ -e /certs/cert.pem ]; then cp /certs/cert.pem /etc/ssl/cert.pem; fi
+# Node
+ENV NODE_EXTRA_CA_CERTS=/certs/cert.pem
+ENV NODE_OPTIONS=--use-openssl-ca
+# npm
+RUN if [ -e /certs/cert.pem ]; then npm config set cafile /certs/cert.pem; fi
+
+# fetch scripts/guardian-set-init.sh deps
+RUN apk update && apk add bash g++ make python3 curl jq findutils
 
 # Copy and link CLI
 COPY --from=cli-export clients/js /cli

Tiltfile

@@ -72,7 +72,7 @@ config.define_bool("wormchain", False, "Enable a wormchain node")
 config.define_bool("ibc_relayer", False, "Enable IBC relayer between cosmos chains")
 config.define_bool("redis", False, "Enable a redis instance")
 config.define_bool("generic_relayer", False, "Enable the generic relayer off-chain component")
-
+config.define_bool("query_server", False, "Enable cross-chain query server")
 
 cfg = config.parse()
 num_guardians = int(cfg.get("num", "1"))
@@ -97,6 +97,7 @@ ibc_relayer = cfg.get("ibc_relayer", ci)
 btc = cfg.get("btc", False)
 redis = cfg.get('redis', ci)
 generic_relayer = cfg.get("generic_relayer", ci)
+query_server = cfg.get("query_server", ci)
 
 if ci:
     guardiand_loglevel = cfg.get("guardiand_loglevel", "warn")
@@ -584,6 +585,12 @@ if ci_tests:
         trigger_mode = trigger_mode,
         resource_deps = [], # uses devnet-consts.json, but wormchain/contracts/tools/test_accountant.sh handles waiting for guardian, not having deps gets the build earlier
     )
+    k8s_resource(
+        "query-ci-tests",
+        labels = ["ci"],
+        trigger_mode = trigger_mode,
+        resource_deps = [], # node/hack/query/test/test_query.sh handles waiting for guardian, not having deps gets the build earlier
+    )
 
 if terra_classic:
     docker_build(
@@ -893,3 +900,16 @@ if aptos:
         labels = ["aptos"],
         trigger_mode = trigger_mode,
     )
+
+if query_server:
+    k8s_yaml_with_ns("devnet/query-server.yaml")
+
+    k8s_resource(
+        "query-server",
+        resource_deps = ["guardian"],
+        port_forwards = [
+            port_forward(6069, name = "REST [:6069]", host = webHost)
+        ],
+        labels = ["query-server"],
+        trigger_mode = trigger_mode
+    )

devnet/node.yaml

@@ -7,6 +7,9 @@ metadata:
     app: guardian
 spec:
   ports:
+    - port: 8996
+      name: ccq-p2p
+      protocol: UDP
     - port: 8999
       name: p2p
       protocol: UDP
@@ -160,7 +163,11 @@ spec:
             - /tmp/data
             - --publicRpcLogDetail
             - "full"
-          # - --chainGovernorEnabled=true
+            # - --chainGovernorEnabled=true
+            - --ccqEnabled=true
+            - --ccqAllowedRequesters=beFA429d57cD18b7F8A4d91A2da9AB4AF05d0FBe,25021A4FCAf61F2EADC8202D3833Df48B2Fa0D54
+            - --ccqAllowedPeers=12D3KooWSnju8zhywCYVi2JwTqky1sySPnmtYLsHHzc4WerMnDQH
+            # - --logLevel=debug
           securityContext:
             capabilities:
               add:
@@ -171,6 +178,9 @@ spec:
               port: 6060
               path: /readyz
           ports:
+            - containerPort: 8996
+              name: ccq-p2p
+              protocol: UDP
             - containerPort: 8999
               name: p2p
               protocol: UDP

devnet/query-server.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: query-server
+  labels:
+    app: query-server
+spec:
+  ports:
+    - name: rest
+      port: 6069
+      protocol: TCP
+  selector:
+    app: query-server
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: query-server
+spec:
+  selector:
+    matchLabels:
+      app: query-server
+  serviceName: query-server
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: query-server
+    spec:
+      containers:
+        - name: query-server
+          image: guardiand-image
+          command:
+            - /guardiand
+            - query-server
+            - --env
+            - dev
+            - --nodeKey
+            - node/cmd/ccq/ccq.p2p.key
+            - --signerKey
+            - node/cmd/ccq/ccq.signing.key
+            - --listenAddr
+            - "[::]:6069"
+            - --permFile
+            - "node/cmd/ccq/devnet.config.json"
+            - --ethRPC
+            - http://eth-devnet:8545
+            - --ethContract
+            - "0xC89Ce4735882C9F0f0FE26686c53074E09B0D550"
+            # Hardcoded devnet bootstrap (generated from deterministic key in guardiand)
+            - --bootstrap
+            - /dns4/guardian-0.guardian/udp/8996/quic/p2p/12D3KooWL3XJ9EMCyZvmmGXL2LMiVBtrVa2BuESsJiXkSj7333Jw
+            - --logLevel=info
+          ports:
+            - containerPort: 6069
+              name: rest
+              protocol: TCP
+          readinessProbe:
+            tcpSocket:
+              port: rest

devnet/tests.yaml

@@ -72,3 +72,28 @@ spec:
                 - "/app/accountant/success"
             initialDelaySeconds: 5
             periodSeconds: 5
+---
+kind: Job
+apiVersion: batch/v1
+metadata:
+  name: query-ci-tests
+spec:
+  backoffLimit: 0
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: query-ci-tests
+          image: guardiand-image
+          command:
+            - /bin/sh
+            - -c
+            - "cd /app/node/hack/query/test && bash test_query.sh && touch success"
+          readinessProbe:
+            exec:
+              command:
+                - test
+                - -e
+                - "/app/node/hack/query/test/success"
+            initialDelaySeconds: 5
+            periodSeconds: 5

ethereum/contracts/query/QueryDemo.sol

@@ -0,0 +1,103 @@
+// contracts/query/QueryDemo.sol
+// SPDX-License-Identifier: Apache 2
+
+pragma solidity ^0.8.0;
+
+import "../libraries/external/BytesLib.sol";
+import "../interfaces/IWormhole.sol";
+import "@openzeppelin/contracts/access/Ownable.sol";
+import "@openzeppelin/contracts/utils/Context.sol";
+import "./QueryResponse.sol";
+
+/// @dev QueryDemo is a library that implements the parsing and verification of Cross Chain Query (CCQ) responses.
+contract QueryDemo is Context, QueryResponse {
+    using BytesLib for bytes;
+
+    struct ChainEntry {
+        uint16 chainID;
+        address contractAddress;
+        uint256 counter;
+        uint256 blockNum;
+        uint256 blockTime;
+    }
+
+    address private immutable owner;
+    address private immutable wormhole;
+    uint16 private immutable myChainID;
+    mapping(uint16 => ChainEntry) private counters;
+    uint16[] private foreignChainIDs;
+
+    bytes4 GetMyCounter = bytes4(hex"916d5743");
+
+    constructor(address _owner, address _wormhole, uint16 _myChainID) {
+        owner = _owner;
+        wormhole = _wormhole;  
+        myChainID = _myChainID;
+        counters[_myChainID] = ChainEntry(_myChainID, address(this), 0, 0, 0);
+    }
+
+    // updateRegistration should be used to add the other chains and to set / update contract addresses.
+    function updateRegistration(uint16 _chainID, address _contractAddress) public onlyOwner {
+        if (counters[_chainID].chainID == 0) {
+            foreignChainIDs.push(_chainID);
+            counters[_chainID].chainID = _chainID;
+        }
+
+        counters[_chainID].contractAddress = _contractAddress;
+    }
+
+    // getMyCounter (call signature 916d5743) returns the counter value for this chain. It is meant to be used in a cross chain query.
+    function getMyCounter() public view returns (uint256) {
+        return counters[myChainID].counter;
+    }
+
+    // getState() returns this chain's view of all the counters. It is meant to be used in the front end.
+    function getState() public view returns (ChainEntry[] memory) {
+        ChainEntry[] memory ret = new ChainEntry[](foreignChainIDs.length + 1);
+        ret[0] = counters[myChainID];
+        for (uint idx=0; idx<foreignChainIDs.length; idx++) {
+            ret[idx+1] = counters[foreignChainIDs[idx]];
+        }      
+
+        return ret;
+    }
+
+    // updateCounters takes the cross chain query response for the two other counters, stores the results for the other chains, and updates the counter for this chain.
+    function updateCounters(bytes memory response, IWormhole.Signature[] memory signatures) public {
+        uint256 adjustedBlockTime;
+        ParsedQueryResponse memory r = parseAndVerifyQueryResponse(address(wormhole), response, signatures);
+        require(r.responses.length == foreignChainIDs.length, "unexpected number of results");
+        for (uint idx=0; idx<r.responses.length; idx++) {
+            require(counters[r.responses[idx].chainId].chainID == foreignChainIDs[idx], "unexpected foreign chain ID");
+            EthCallQueryResponse memory eqr = parseEthCallQueryResponse(r.responses[idx]);
+            require(eqr.blockNum > counters[r.responses[idx].chainId].blockNum, "update is obsolete");
+            // wormhole time is in microseconds, timestamp is in seconds
+            adjustedBlockTime = eqr.blockTime / 1_000_000;
+            require(adjustedBlockTime > block.timestamp - 300, "update is stale");
+            require(eqr.result.length == 1, "result mismatch");
+            require(eqr.result[0].contractAddress == counters[r.responses[idx].chainId].contractAddress, "contract address is wrong");
+
+            // TODO: Is there an easier way to verify that the call data is correct!
+            bytes memory callData = eqr.result[0].callData;
+            bytes4 result;
+            assembly {
+                    result := mload(add(callData, 32))
+            }
+            require(result == GetMyCounter, "unexpected callData");
+
+            require(eqr.result[0].result.length == 32, "result is not a uint256");
+            counters[r.responses[idx].chainId].blockNum = eqr.blockNum;
+            counters[r.responses[idx].chainId].blockTime = adjustedBlockTime;
+            counters[r.responses[idx].chainId].counter = abi.decode(eqr.result[0].result, (uint256));
+        }
+
+        counters[myChainID].blockNum = block.number;
+        counters[myChainID].blockTime = block.timestamp;
+        counters[myChainID].counter += 1;
+    }
+
+    modifier onlyOwner() {
+        require(owner == _msgSender(), "caller is not the owner");
+        _;
+    }
+}