Skip to content

Commit

Permalink
Merge pull request #6202 from spacemeshos/backport/1.6/fix-poet-pow-f…
Browse files Browse the repository at this point in the history
…allback
  • Loading branch information
poszu authored Aug 1, 2024
2 parents 334d6cc + 88813a3 commit 2d031c4
Show file tree
Hide file tree
Showing 7 changed files with 147 additions and 54 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,13 @@

See [RELEASE](./RELEASE.md) for workflow instructions.

## Release v1.6.7

### Improvements

* [#6197](https://github.com/spacemeshos/go-spacemesh/pull/6197) Fix falling back to poet PoW if recertification
failed after getting a 401 on registering

## Release v1.6.6

### Improvements
Expand Down
28 changes: 13 additions & 15 deletions activation/certifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -117,7 +117,15 @@ func (c *Certifier) Certificate(
case !errors.Is(err, sql.ErrNotFound):
return nil, fmt.Errorf("getting certificate from DB for: %w", err)
}
return c.Recertify(ctx, id, certifier, pubkey)
cert, err = c.client.Certify(ctx, id, certifier, pubkey)
if err != nil {
return nil, fmt.Errorf("certifying POST at %v: %w", certifier, err)
}

if err := certifierdb.AddCertificate(c.db, id, *cert, pubkey); err != nil {
c.logger.Warn("failed to persist poet cert", zap.Error(err))
}
return cert, nil
})

if err != nil {
Expand All @@ -126,21 +134,11 @@ func (c *Certifier) Certificate(
return cert.(*certifierdb.PoetCert), nil
}

func (c *Certifier) Recertify(
ctx context.Context,
id types.NodeID,
certifier *url.URL,
pubkey []byte,
) (*certifierdb.PoetCert, error) {
cert, err := c.client.Certify(ctx, id, certifier, pubkey)
if err != nil {
return nil, fmt.Errorf("certifying POST at %v: %w", certifier, err)
}

if err := certifierdb.AddCertificate(c.db, id, *cert, pubkey); err != nil {
c.logger.Warn("failed to persist poet cert", zap.Error(err))
func (c *Certifier) DeleteCertificate(id types.NodeID, pubkey []byte) error {
if err := certifierdb.DeleteCertificate(c.db, id, pubkey); err != nil {
return err
}
return cert, nil
return nil
}

type CertifierClient struct {
Expand Down
7 changes: 1 addition & 6 deletions activation/interface.go
Original file line number Diff line number Diff line change
Expand Up @@ -163,12 +163,7 @@ type certifierService interface {
pubkey []byte,
) (*certifier.PoetCert, error)

Recertify(
ctx context.Context,
id types.NodeID,
certifierAddress *url.URL,
pubkey []byte,
) (*certifier.PoetCert, error)
DeleteCertificate(id types.NodeID, pubkey []byte) error
}

type poetDbAPI interface {
Expand Down
31 changes: 15 additions & 16 deletions activation/mocks.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

36 changes: 20 additions & 16 deletions activation/poet.go
Original file line number Diff line number Diff line change
Expand Up @@ -451,8 +451,7 @@ func (c *poetService) authorize(
}
// Fallback to PoW
// TODO: remove this fallback once we migrate to certificates fully.

logger.Debug("querying for poet pow parameters")
logger.Info("falling back to PoW authorization")
powCtx, cancel := withConditionalTimeout(ctx, c.requestTimeout)
defer cancel()
powParams, err := c.powParams(powCtx)
Expand Down Expand Up @@ -480,6 +479,22 @@ func (c *poetService) authorize(
}}, nil
}

func (c *poetService) reauthorize(
ctx context.Context,
id types.NodeID,
challange []byte,
logger *zap.Logger,
) (*PoetAuth, error) {
if c.certifier != nil {
if _, pubkey, err := c.getCertifierInfo(ctx); err == nil {
if err := c.certifier.DeleteCertificate(id, pubkey); err != nil {
return nil, fmt.Errorf("deleting cert: %w", err)
}
}
}
return c.authorize(ctx, id, challange, c.logger)
}

func (c *poetService) Submit(
ctx context.Context,
deadline time.Time,
Expand Down Expand Up @@ -508,10 +523,10 @@ func (c *poetService) Submit(
case err == nil:
return round, nil
case errors.Is(err, ErrUnauthorized):
logger.Warn("failed to submit challenge as unathorized - recertifying", zap.Error(err))
auth.PoetCert, err = c.recertify(ctx, nodeID)
logger.Warn("failed to submit challenge as unathorized - authorizing again", zap.Error(err))
auth, err := c.reauthorize(ctx, nodeID, challenge, logger)
if err != nil {
return nil, fmt.Errorf("recertifying: %w", err)
return nil, fmt.Errorf("authorizing: %w", err)
}
return c.client.Submit(submitCtx, deadline, prefix, challenge, signature, nodeID, *auth)
}
Expand Down Expand Up @@ -560,17 +575,6 @@ func (c *poetService) Certify(ctx context.Context, id types.NodeID) (*certifier.
return c.certifier.Certificate(ctx, id, url, pubkey)
}

func (c *poetService) recertify(ctx context.Context, id types.NodeID) (*certifier.PoetCert, error) {
if c.certifier == nil {
return nil, errors.New("certifier not configured")
}
url, pubkey, err := c.getCertifierInfo(ctx)
if err != nil {
return nil, err
}
return c.certifier.Recertify(ctx, id, url, pubkey)
}

func (c *poetService) getCertifierInfo(ctx context.Context) (*url.URL, []byte, error) {
info, err := c.certifierInfoCache.get(func() (*certifierInfo, error) {
url, pubkey, err := c.client.CertifierInfo(ctx)
Expand Down
79 changes: 78 additions & 1 deletion activation/poet_client_test.go
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
package activation

import (
"bytes"
"context"
"errors"
"io"
"net/http"
"net/http/httptest"
Expand Down Expand Up @@ -375,8 +377,9 @@ func TestPoetClient_RecertifiesOnAuthFailure(t *testing.T) {
mCertifier.EXPECT().
Certificate(gomock.Any(), sig.NodeID(), certifierAddress, certifierPubKey).
Return(&certifier.PoetCert{Data: []byte("first")}, nil),
mCertifier.EXPECT().DeleteCertificate(sig.NodeID(), certifierPubKey),
mCertifier.EXPECT().
Recertify(gomock.Any(), sig.NodeID(), certifierAddress, certifierPubKey).
Certificate(gomock.Any(), sig.NodeID(), certifierAddress, certifierPubKey).
Return(&certifier.PoetCert{Data: []byte("second")}, nil),
)

Expand All @@ -389,6 +392,80 @@ func TestPoetClient_RecertifiesOnAuthFailure(t *testing.T) {
require.Equal(t, 2, submitCount)
}

func TestPoetClient_FallbacksToPowWhenCannotRecertify(t *testing.T) {
t.Parallel()

sig, err := signing.NewEdSigner()
require.NoError(t, err)

certifierAddress := &url.URL{Scheme: "http", Host: "certifier"}
certifierPubKey := []byte("certifier-pubkey")

mux := http.NewServeMux()
infoResp, err := protojson.Marshal(&rpcapi.InfoResponse{
ServicePubkey: []byte("pubkey"),
Certifier: &rpcapi.InfoResponse_Cerifier{
Url: certifierAddress.String(),
Pubkey: certifierPubKey,
},
})
require.NoError(t, err)
mux.HandleFunc("GET /v1/info", func(w http.ResponseWriter, r *http.Request) { w.Write(infoResp) })

powChallenge := []byte("challenge")
powResp, err := protojson.Marshal(&rpcapi.PowParamsResponse{PowParams: &rpcapi.PowParams{Challenge: powChallenge}})
require.NoError(t, err)
mux.HandleFunc("GET /v1/pow_params", func(w http.ResponseWriter, r *http.Request) { w.Write(powResp) })

submitResp, err := protojson.Marshal(&rpcapi.SubmitResponse{})
require.NoError(t, err)
submitCount := 0
mux.HandleFunc("POST /v1/submit", func(w http.ResponseWriter, r *http.Request) {
req := rpcapi.SubmitRequest{}
body, _ := io.ReadAll(r.Body)
protojson.Unmarshal(body, &req)

switch {
case submitCount == 0:
w.WriteHeader(http.StatusUnauthorized)
case submitCount == 1 && req.Certificate == nil && bytes.Equal(req.PowParams.Challenge, powChallenge):
w.Write(submitResp)
default:
w.WriteHeader(http.StatusUnauthorized)
}
submitCount++
})

ts := httptest.NewServer(mux)
defer ts.Close()

server := types.PoetServer{
Address: ts.URL,
Pubkey: types.NewBase64Enc([]byte("pubkey")),
}
cfg := PoetConfig{CertifierInfoCacheTTL: time.Hour}

ctrl := gomock.NewController(t)
mCertifier := NewMockcertifierService(ctrl)
gomock.InOrder(
mCertifier.EXPECT().
Certificate(gomock.Any(), sig.NodeID(), certifierAddress, certifierPubKey).
Return(&certifier.PoetCert{Data: []byte("first")}, nil),
mCertifier.EXPECT().DeleteCertificate(sig.NodeID(), certifierPubKey),
mCertifier.EXPECT().
Certificate(gomock.Any(), sig.NodeID(), certifierAddress, certifierPubKey).
Return(nil, errors.New("cannot recertify")),
)

client, err := NewHTTPPoetClient(server, cfg, withCustomHttpClient(ts.Client()))
require.NoError(t, err)
poet := NewPoetServiceWithClient(nil, client, cfg, zaptest.NewLogger(t), WithCertifier(mCertifier))

_, err = poet.Submit(context.Background(), time.Time{}, nil, nil, types.RandomEdSignature(), sig.NodeID())
require.NoError(t, err)
require.Equal(t, 2, submitCount)
}

func TestPoetService_CachesCertifierInfo(t *testing.T) {
t.Parallel()
type test struct {
Expand Down
13 changes: 13 additions & 0 deletions sql/localsql/certifier/db.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,19 @@ func AddCertificate(db sql.Executor, nodeID types.NodeID, cert PoetCert, cerifie
return nil
}

func DeleteCertificate(db sql.Executor, nodeID types.NodeID, certifierID []byte) error {
enc := func(stmt *sql.Statement) {
stmt.BindBytes(1, nodeID.Bytes())
stmt.BindBytes(2, certifierID)
}
if _, err := db.Exec(`
DELETE FROM poet_certificates WHERE node_id = ?1 AND certifier_id = ?2;`, enc, nil,
); err != nil {
return fmt.Errorf("deleting poet certificate for (%s; %x): %w", nodeID.ShortString(), certifierID, err)
}
return nil
}

func Certificate(db sql.Executor, nodeID types.NodeID, certifierID []byte) (*PoetCert, error) {
enc := func(stmt *sql.Statement) {
stmt.BindBytes(1, nodeID.Bytes())
Expand Down

0 comments on commit 2d031c4

Please sign in to comment.