multi+server.go: add initial permissions for some peers #9458
Conversation
|
Important Review skippedAuto reviews are limited to specific labels. 🏷️ Labels to auto review (1)
Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
| // is allowed according to our banning heuristic. This is here because | ||
| // we do not learn the remote node's public static key until we've | ||
| // received and validated Act 3. | ||
| remoteKey := brontideConn.RemotePub() |
There was a problem hiding this comment.
Alternatively, shouldAccept could receive the pubkey and return false if it's nil so we don't need two separate rejection blocks.
There was a problem hiding this comment.
Think this is fine as-is, would rather the server not have to take public key pointers
| // NewPendingOpenChan is called after the pending-open channel has been | ||
| // committed to the database. This may transition a restricted-access peer to a | ||
| // temporary-access peer. | ||
| func (s *server) NewPendingOpenChan(remoteHex string) error { |
There was a problem hiding this comment.
Ideally the ban logic could be separated into its own type altogether and so we could add extensive test coverage through unit tests.
There was a problem hiding this comment.
Can you elaborate? Do you mean like a new struct/pkg?
There was a problem hiding this comment.
If possible would be nice to decouple the peer banning logic from the server to its own type (struct) so we can cover it with tests separately.
There was a problem hiding this comment.
at least unify the two different ban-logics we currently have in place (proofOfChannel, banManager). Can we unit-test those functions?
|
|
||
| // The banScoreMtx cannot be held when the | ||
| // below DisconnectPeer call occurs. | ||
| return s.DisconnectPeer(remotePub) |
There was a problem hiding this comment.
iiuc we could end up demoting more than one peer at the same time.
There was a problem hiding this comment.
IIUC when we decrement s.numRestricted when we disconnect and then remove the peer. But the banScoreMtx is lifted in between so it could be that if we reach the ceiling then concurrent calls to this function would still see the same counts. Doesn't seem to be an issue to me, more just a remark.
There was a problem hiding this comment.
unit-tests for those function would be very nice
| newStatus := peerSlotStatus{ | ||
| state: protected, | ||
| } | ||
| s.peerScores[remoteHex] = newStatus |
There was a problem hiding this comment.
I don't think we really need the peerScores map either, we can just have a function returning the status based on channel state counts.
There was a problem hiding this comment.
prefer to keep as-is for now in case we actually start scoring
| s.banScoreMtx.Unlock() | ||
|
|
||
| // This should not be possible. | ||
| return fmt.Errorf("invalid peer access status") |
There was a problem hiding this comment.
nit: should we add the status to the error?
There was a problem hiding this comment.
It's unreachable code, only added for completeness
Crypt-iQ
force-pushed
the
banning_010072025
branch
from
77c8555 to
cbd7d60
Compare
Crypt-iQ
force-pushed
the
banning_010072025
branch
from
cbd7d60 to
15e16ae
Compare
| // NewPendingOpenChan is called after the pending-open channel has been | ||
| // committed to the database. This may transition a restricted-access peer to a | ||
| // temporary-access peer. | ||
| func (s *server) NewPendingOpenChan(remoteHex string) error { |
There was a problem hiding this comment.
If possible would be nice to decouple the peer banning logic from the server to its own type (struct) so we can cover it with tests separately.
|
|
||
| // The banScoreMtx cannot be held when the | ||
| // below DisconnectPeer call occurs. | ||
| return s.DisconnectPeer(remotePub) |
There was a problem hiding this comment.
IIUC when we decrement s.numRestricted when we disconnect and then remove the peer. But the banScoreMtx is lifted in between so it could be that if we reach the ceiling then concurrent calls to this function would still see the same counts. Doesn't seem to be an issue to me, more just a remark.
|
I tested the code in a different way and found that the demotion logic for |
Crypt-iQ
force-pushed
the
banning_010072025
branch
2 times, most recently
from
bd212b6 to
72ec6df
Compare
We introduce a new func FetchPermAndTempPeers that returns two maps. The first map indicates the nodes that will have "protected" access to the server. The second map indicates the nodes that have "temporary" access to the server. This will be used in a future commit in the server.go code.
This signal will be used in the server.go code to potentially demote temporary-access peers to restricted-access peers.
Here we introduce the server caches that will determine the access control status of our peers. Peers that have had their funding transaction confirm with us are protected. Peers that only have pending-open channels with us are temporary access and can have their access revoked. The rest of the peers are granted restricted access. The channelPeers map contains protected-access peers and the pendingChannelPeers map contains temporary-access peers.
This modifies the various channelnotifier notification functions to instead hit the server and then call the notification routine. This allows us to accurately modify the server's maps.
Crypt-iQ
force-pushed
the
banning_010072025
branch
from
72ec6df to
5a7b753
Compare
| // NewPendingOpenChan is called after the pending-open channel has been | ||
| // committed to the database. This may transition a restricted-access peer to a | ||
| // temporary-access peer. | ||
| func (s *server) NewPendingOpenChan(remoteHex string) error { |
There was a problem hiding this comment.
at least unify the two different ban-logics we currently have in place (proofOfChannel, banManager). Can we unit-test those functions?
|
|
||
| // The banScoreMtx cannot be held when the | ||
| // below DisconnectPeer call occurs. | ||
| return s.DisconnectPeer(remotePub) |
There was a problem hiding this comment.
unit-tests for those function would be very nice
| // NewOpenChan is called when a pending-open channel becomes an open channel | ||
| // (i.e. the funding transaction has confirmed). If the remote peer is a | ||
| // temporary-access peer, it will be promoted to a protected-access peer. | ||
| func (s *server) NewOpenChan(remoteHex string) error { |
There was a problem hiding this comment.
I don't think that we can unit-test this because it is a server method and we can't really abstract this?
| @@ -510,7 +511,7 @@ type Config struct { | |||
|
|
|||
| // NotifyOpenChannelEvent informs the ChannelNotifier when channels | |||
| // transition from pending open to open. | |||
| NotifyOpenChannelEvent func(wire.OutPoint) | |||
| NotifyOpenChannelEvent func(wire.OutPoint, string) error | |||
There was a problem hiding this comment.
add an alias type for the pubkey instead ?
This patch adds initial access permissions in the server for some peers:
protectedaccess.temporarystatus.restrictedstatus.In the future, we can tune this criteria. Some of the
discoveryban code has also been moved toserver.goso that it is somewhat unified.