Merge pull request #3256 from keep-network/firewall-bootstrap-nodes

Exempt bootstrap nodes from firewall validation

This PR modifies the firewall, so that bootstrap nodes are exempted from
validation, i.e. they are not required to have a stake.

Author: pdyraga

cmd/flags.go

@@ -154,6 +154,13 @@ func initEthereumFlags(cmd *cobra.Command, cfg *config.Config) {
 
 // Initialize flags for Network configuration.
 func initNetworkFlags(cmd *cobra.Command, cfg *config.Config) {
+	cmd.Flags().BoolVar(
+		&cfg.LibP2P.Bootstrap,
+		"network.bootstrap",
+		false,
+		"Run the client in bootstrap mode.",
+	)
+
 	cmd.Flags().StringSliceVar(
 		&cfg.LibP2P.Peers,
 		"network.peers",

cmd/flags_test.go

@@ -79,6 +79,13 @@ var cmdFlagsTests = map[string]struct {
 		expectedValueFromFlag: big.NewInt(1250000000000000000),
 		defaultValue:          big.NewInt(500000000000000000),
 	},
+	"network.bootstrap": {
+		readValueFunc:         func(c *config.Config) interface{} { return c.LibP2P.Bootstrap },
+		flagName:              "--network.bootstrap",
+		flagValue:             "true",
+		expectedValueFromFlag: true,
+		defaultValue:          false,
+	},
 	"network.port": {
 		readValueFunc:         func(c *config.Config) interface{} { return c.LibP2P.Port },
 		flagName:              "--network.port",

cmd/start.go

@@ -70,8 +70,19 @@ func start(cmd *cobra.Command) error {
 		return fmt.Errorf("error connecting to Ethereum node: [%v]", err)
 	}
 
+	bootstrapPeersPublicKeys, err := libp2p.ExtractPeersPublicKeys(
+		clientConfig.LibP2P.Peers,
+	)
+	if err != nil {
+		return fmt.Errorf(
+			"error extracting bootstrap peers public keys: [%v]",
+			err,
+		)
+	}
+
 	firewall := firewall.AnyApplicationPolicy(
 		[]firewall.Application{beaconChain, tbtcChain},
+		firewall.NewAllowList(bootstrapPeersPublicKeys),
 	)
 
 	netProvider, err := libp2p.Connect(
@@ -117,12 +128,16 @@ func start(cmd *cobra.Command) error {
 
 	scheduler := generator.StartScheduler()
 
+	// Monitor sortition pool only if the node is a non-bootstrap node.
+	monitorPool := !clientConfig.LibP2P.Bootstrap
+
 	err = beacon.Initialize(
 		ctx,
 		beaconChain,
 		netProvider,
 		beaconKeyStorePersistence,
 		scheduler,
+		monitorPool,
 	)
 	if err != nil {
 		return fmt.Errorf("error initializing beacon: [%v]", err)
@@ -155,6 +170,7 @@ func start(cmd *cobra.Command) error {
 		scheduler,
 		clientConfig.Tbtc,
 		metricsRegistry,
+		monitorPool,
 	)
 	if err != nil {
 		return fmt.Errorf("error initializing TBTC: [%v]", err)

configs/config.toml.SAMPLE

@@ -47,6 +47,7 @@ KeyFile = "/Users/someuser/ethereum/data/keystore/UTC--2018-03-11T01-37-33.20276
 # BalanceAlertThreshold = "0.5 ether" # 0.5 ether (default value)
 
 [network]
+Bootstrap = false
 Peers = [
 	"/ip4/127.0.0.1/tcp/3919/ipfs/16Uiu2HAmFRJtCWfdXhZEZHWb4tUpH1QMMgzH1oiamCfUuK6NgqWX",
 ]

pkg/beacon/beacon.go

@@ -33,6 +33,7 @@ func Initialize(
 	netProvider net.Provider,
 	persistence persistence.ProtectedHandle,
 	scheduler *generator.Scheduler,
+	monitorPool bool,
 ) error {
 	groupRegistry := registry.NewGroupRegistry(logger, beaconChain, persistence)
 	groupRegistry.LoadExistingGroups()
@@ -44,15 +45,20 @@ func Initialize(
 		scheduler,
 	)
 
-	err := sortition.MonitorPool(
-		ctx,
-		logger,
-		beaconChain,
-		sortition.DefaultStatusCheckTick,
-		sortition.UnconditionalJoinPolicy,
-	)
-	if err != nil {
-		return fmt.Errorf("could not set up sortition pool monitoring: [%v]", err)
+	if monitorPool {
+		err := sortition.MonitorPool(
+			ctx,
+			logger,
+			beaconChain,
+			sortition.DefaultStatusCheckTick,
+			sortition.UnconditionalJoinPolicy,
+		)
+		if err != nil {
+			return fmt.Errorf(
+				"could not set up sortition pool monitoring: [%v]",
+				err,
+			)
+		}
 	}
 
 	eventDeduplicator := event.NewDeduplicator(beaconChain)

pkg/firewall/firewall.go

@@ -26,6 +26,31 @@ func (nf *noFirewall) Validate(remotePeerPublicKey *operator.PublicKey) error {
 	return nil
 }
 
+// AllowList represents a list of operator public keys that are not checked
+// against the firewall rules and are always valid peers.
+type AllowList struct {
+	allowedPublicKeys map[string]bool
+}
+
+// NewAllowList creates a new firewall's allowlist based on the given public
+// key list.
+func NewAllowList(operatorPublicKeys []*operator.PublicKey) *AllowList {
+	allowedPublicKeys := make(map[string]bool, len(operatorPublicKeys))
+
+	for _, operatorPublicKey := range operatorPublicKeys {
+		allowedPublicKeys[operatorPublicKey.String()] = true
+	}
+
+	return &AllowList{allowedPublicKeys}
+}
+
+func (al *AllowList) Contains(operatorPublicKey *operator.PublicKey) bool {
+	return al.allowedPublicKeys[operatorPublicKey.String()]
+}
+
+// EmptyAllowList represents an empty firewall allowlist.
+var EmptyAllowList = NewAllowList([]*operator.PublicKey{})
+
 const (
 	// PositiveIsRecognizedCachePeriod is the time period the cache maintains
 	// the positive result of the last `IsRecognized` checks.
@@ -42,30 +67,38 @@ var errNotRecognized = fmt.Errorf(
 	"remote peer has not been recognized by any application",
 )
 
-func AnyApplicationPolicy(applications []Application) net.Firewall {
+func AnyApplicationPolicy(
+	applications []Application,
+	allowList *AllowList,
+) net.Firewall {
 	return &anyApplicationPolicy{
 		applications:        applications,
+		allowList:           allowList,
 		positiveResultCache: cache.NewTimeCache(PositiveIsRecognizedCachePeriod),
 		negativeResultCache: cache.NewTimeCache(NegativeIsRecognizedCachePeriod),
 	}
 }
 
 type anyApplicationPolicy struct {
 	applications        []Application
+	allowList           *AllowList
 	positiveResultCache *cache.TimeCache
 	negativeResultCache *cache.TimeCache
 }
 
 // Validate checks whether the given operator meets the conditions to join
-// the network. Validate iterates over a list of applications and if any of them
-// recognizes the operator as eligible, it can join the network. Nil is returned
-// on a successful validation, error is returned if none of the applications
-// validates the operator successfully. Due to performance reasons the results
-// of validations are stored in a cache for a certain amount of time.
+// the network. The operator can join the network if it is an allowlisted node
+// or it is a non-allowlisted node but it is recognized as eligible by any of
+// the applications. Nil is returned on a successful validation, error otherwise.
+// Due to performance reasons, the results of validations for non-allowlisted
+// nodes are stored in a cache for a certain amount of time.
 func (aap *anyApplicationPolicy) Validate(
 	remotePeerPublicKey *operator.PublicKey,
 ) error {
-	remotePeerPublicKeyHex := remotePeerPublicKey.String()
+	// If the peer is on the allowlist, consider it validated.
+	if aap.allowList.Contains(remotePeerPublicKey) {
+		return nil
+	}
 
 	// First, check in the in-memory time caches to minimize hits to the ETH client.
 	// If the Keep client with the given chain address is in the positive result
@@ -78,6 +111,8 @@ func (aap *anyApplicationPolicy) Validate(
 	aap.positiveResultCache.Sweep()
 	aap.negativeResultCache.Sweep()
 
+	remotePeerPublicKeyHex := remotePeerPublicKey.String()
+
 	if aap.positiveResultCache.Has(remotePeerPublicKeyHex) {
 		return nil
 	}