zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7577 Commits
183 Branches
291 MiB
Tree: 759ccebe54
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '759ccebe54'
${ noResults }
tendermint/lite2/client.go

443 lines
13 KiB
Raw Normal View History

lite2: light client with weak subjectivity (#3989) Refs #1771 ADR: https://github.com/tendermint/tendermint/blob/master/docs/architecture/adr-044-lite-client-with-weak-subjectivity.md ## Commits: * add Verifier and VerifyCommitTrusting * add two more checks make trustLevel an option * float32 for trustLevel * check newHeader time * started writing lite Client * unify Verify methods * ensure h2.Header.bfttime < h1.Header.bfttime + tp * move trust checks into Verify function * add more comments * more docs * started writing tests * unbonding period failures * tests are green * export ErrNewHeaderTooFarIntoFuture * make golangci happy * test for non-adjusted headers * more precision * providers and stores * VerifyHeader and VerifyHeaderAtHeight funcs * fix compile errors * remove lastVerifiedHeight, persist new trusted header * sequential verification * remove TrustedStore option * started writing tests for light client * cover basic cases for linear verification * bisection tests PASS * rename BisectingVerification to SkippingVerification * refactor the code * add TrustedHeader method * consolidate sequential verification tests * consolidate skipping verification tests * rename trustedVals to trustedNextVals * start writing docs * ValidateTrustLevel func and ErrOldHeaderExpired error * AutoClient and example tests * fix errors * update doc * remove ErrNewHeaderTooFarIntoFuture This check is unnecessary given existing a) ErrOldHeaderExpired b) h2.Time > now checks. * return an error if we're at more recent height * add comments * add LastSignedHeaderHeight method to Store I think it's fine if Store tracks last height * copy over proxy from old lite package * make TrustedHeader return latest if height=0 * modify LastSignedHeaderHeight to return an error if no headers exist * copy over proxy impl * refactor proxy and start http lite client * Tx and BlockchainInfo methods * Block method * commit method * code compiles again * lite client compiles * extract updateLiteClientIfNeededTo func * move final parts * add placeholder for tests * force usage of lite http client in proxy * comment out query tests for now * explicitly mention tp: trusting period * verify nextVals in VerifyHeader * refactor bisection * move the NextValidatorsHash check into updateTrustedHeaderAndVals + update the comment * add ConsensusParams method to RPC client * add ConsensusParams to rpc/mock/client * change trustLevel type to a new cmn.Fraction type + update SkippingVerification comment * stress out trustLevel is only used for non-adjusted headers * fixes after Fede's review Co-authored-by: Federico Kunze <31522760+fedekunze@users.noreply.github.com> * compare newHeader with a header from an alternative provider * save pivot header Refs https://github.com/tendermint/tendermint/pull/3989#discussion_r349122824 * check header can still be trusted in TrustedHeader Refs https://github.com/tendermint/tendermint/pull/3989#discussion_r349101424 * lite: update Validators and Block endpoints - Block no longer contains BlockMeta - Validators now accept two additional params: page and perPage * make linter happy
5 years ago
 
  1. package lite
  2. 

  3. import (
  4. 	"bytes"
  5. 	"fmt"
  6. 	"time"
  7. 

  8. 	"github.com/pkg/errors"
  9. 

  10. 	cmn "github.com/tendermint/tendermint/libs/common"
  11. 	"github.com/tendermint/tendermint/libs/log"
  12. 	"github.com/tendermint/tendermint/lite2/provider"
  13. 	"github.com/tendermint/tendermint/lite2/store"
  14. 	"github.com/tendermint/tendermint/types"
  15. )
  16. 

  17. // TrustOptions are the trust parameters needed when a new light client

  18. // connects to the network or when an existing light client that has been

  19. // offline for longer than the trusting period connects to the network.

  20. //

  21. // The expectation is the user will get this information from a trusted source

  22. // like a validator, a friend, or a secure website. A more user friendly

  23. // solution with trust tradeoffs is that we establish an https based protocol

  24. // with a default end point that populates this information. Also an on-chain

  25. // registry of roots-of-trust (e.g. on the Cosmos Hub) seems likely in the

  26. // future.

  27. type TrustOptions struct {
  28. 	// tp: trusting period.

  29. 	//

  30. 	// Should be significantly less than the unbonding period (e.g. unbonding

  31. 	// period = 3 weeks, trusting period = 2 weeks).

  32. 	//

  33. 	// More specifically, trusting period + time needed to check headers + time

  34. 	// needed to report and punish misbehavior should be less than the unbonding

  35. 	// period.

  36. 	Period time.Duration
  37. 

  38. 	// Header's Height and Hash must both be provided to force the trusting of a

  39. 	// particular header.

  40. 	Height int64
  41. 	Hash   []byte
  42. }
  43. 

  44. type mode byte
  45. 

  46. const (
  47. 	sequential mode = iota + 1
  48. 	skipping
  49. )
  50. 

  51. // Option sets a parameter for the light client.

  52. type Option func(*Client)
  53. 

  54. // SequentialVerification option configures the light client to sequentially

  55. // check the headers. Note this is much slower than SkippingVerification,

  56. // albeit more secure.

  57. func SequentialVerification() Option {
  58. 	return func(c *Client) {
  59. 		c.verificationMode = sequential
  60. 	}
  61. }
  62. 

  63. // SkippingVerification option configures the light client to skip headers as

  64. // long as {trustLevel} of the old validator set signed the new header. The

  65. // bisection algorithm from the specification is used for finding the minimal

  66. // "trust path".

  67. //

  68. // trustLevel - fraction of the old validator set (in terms of voting power),

  69. // which must sign the new header in order for us to trust it. NOTE this only

  70. // applies to non-adjusted headers. For adjusted headers, sequential

  71. // verification is used.

  72. func SkippingVerification(trustLevel cmn.Fraction) Option {
  73. 	if err := ValidateTrustLevel(trustLevel); err != nil {
  74. 		panic(err)
  75. 	}
  76. 	return func(c *Client) {
  77. 		c.verificationMode = skipping
  78. 		c.trustLevel = trustLevel
  79. 	}
  80. }
  81. 

  82. // AlternativeSources option can be used to supply alternative providers, which

  83. // will be used for cross-checking the primary provider.

  84. func AlternativeSources(providers []provider.Provider) Option {
  85. 	return func(c *Client) {
  86. 		c.alternatives = providers
  87. 	}
  88. }
  89. 

  90. // Client represents a light client, connected to a single chain, which gets

  91. // headers from a primary provider, verifies them either sequentially or by

  92. // skipping some and stores them in a trusted store (usually, a local FS).

  93. //

  94. // Default verification: SkippingVerification(DefaultTrustLevel)

  95. type Client struct {
  96. 	chainID          string
  97. 	trustingPeriod   time.Duration // see TrustOptions.Period

  98. 	verificationMode mode
  99. 	trustLevel       cmn.Fraction
  100. 

  101. 	// Primary provider of new headers.

  102. 	primary provider.Provider
  103. 

  104. 	// Alternative providers for checking the primary for misbehavior by

  105. 	// comparing data.

  106. 	alternatives []provider.Provider
  107. 

  108. 	// Where trusted headers are stored.

  109. 	trustedStore store.Store
  110. 	// Highest trusted header from the store (height=H).

  111. 	trustedHeader *types.SignedHeader
  112. 	// Highest next validator set from the store (height=H+1).

  113. 	trustedNextVals *types.ValidatorSet
  114. 

  115. 	logger log.Logger
  116. }
  117. 

  118. // NewClient returns a new light client. It returns an error if it fails to

  119. // obtain the header & vals from the primary or they are invalid (e.g. trust

  120. // hash does not match with the one from the header).

  121. //

  122. // See all Option(s) for the additional configuration.

  123. func NewClient(
  124. 	chainID string,
  125. 	trustOptions TrustOptions,
  126. 	primary provider.Provider,
  127. 	trustedStore store.Store,
  128. 	options ...Option) (*Client, error) {
  129. 

  130. 	c := &Client{
  131. 		chainID:          chainID,
  132. 		trustingPeriod:   trustOptions.Period,
  133. 		verificationMode: skipping,
  134. 		trustLevel:       DefaultTrustLevel,
  135. 		primary:          primary,
  136. 		trustedStore:     trustedStore,
  137. 		logger:           log.NewNopLogger(),
  138. 	}
  139. 

  140. 	for _, o := range options {
  141. 		o(c)
  142. 	}
  143. 

  144. 	if err := c.initializeWithTrustOptions(trustOptions); err != nil {
  145. 		return nil, err
  146. 	}
  147. 

  148. 	return c, nil
  149. }
  150. 

  151. func (c *Client) initializeWithTrustOptions(options TrustOptions) error {
  152. 	// 1) Fetch and verify the header.

  153. 	h, err := c.primary.SignedHeader(options.Height)
  154. 	if err != nil {
  155. 		return err
  156. 	}
  157. 

  158. 	// NOTE: Verify func will check if it's expired or not.

  159. 	if err := h.ValidateBasic(c.chainID); err != nil {
  160. 		return errors.Wrap(err, "ValidateBasic failed")
  161. 	}
  162. 

  163. 	if !bytes.Equal(h.Hash(), options.Hash) {
  164. 		return errors.Errorf("expected header's hash %X, but got %X", options.Hash, h.Hash())
  165. 	}
  166. 

  167. 	// 2) Fetch and verify the next vals.

  168. 	vals, err := c.primary.ValidatorSet(options.Height + 1)
  169. 	if err != nil {
  170. 		return err
  171. 	}
  172. 

  173. 	// 3) Persist both of them and continue.

  174. 	return c.updateTrustedHeaderAndVals(h, vals)
  175. }
  176. 

  177. // SetLogger sets a logger.

  178. func (c *Client) SetLogger(l log.Logger) {
  179. 	c.logger = l
  180. }
  181. 

  182. // TrustedHeader returns a trusted header at the given height (0 - the latest)

  183. // or nil if no such header exist.

  184. // TODO: mention how many headers will be kept by the light client.

  185. // .

  186. // height must be >= 0.

  187. //

  188. // It returns an error if:

  189. //		- the header expired (ErrOldHeaderExpired). In that case, update your

  190. //		client to more recent height;

  191. //		- there are some issues with the trusted store, although that should not

  192. //		happen normally.

  193. func (c *Client) TrustedHeader(height int64, now time.Time) (*types.SignedHeader, error) {
  194. 	if height < 0 {
  195. 		return nil, errors.New("negative height")
  196. 	}
  197. 

  198. 	if height == 0 {
  199. 		var err error
  200. 		height, err = c.LastTrustedHeight()
  201. 		if err != nil {
  202. 			return nil, err
  203. 		}
  204. 	}
  205. 

  206. 	h, err := c.trustedStore.SignedHeader(height)
  207. 	if err != nil {
  208. 		return nil, err
  209. 	}
  210. 

  211. 	// Ensure header can still be trusted.

  212. 	expirationTime := h.Time.Add(c.trustingPeriod)
  213. 	if !expirationTime.After(now) {
  214. 		return nil, ErrOldHeaderExpired{expirationTime, now}
  215. 	}
  216. 

  217. 	return h, nil
  218. }
  219. 

  220. // LastTrustedHeight returns a last trusted height.

  221. func (c *Client) LastTrustedHeight() (int64, error) {
  222. 	return c.trustedStore.LastSignedHeaderHeight()
  223. }
  224. 

  225. // ChainID returns the chain ID.

  226. func (c *Client) ChainID() string {
  227. 	return c.chainID
  228. }
  229. 

  230. // VerifyHeaderAtHeight fetches the header and validators at the given height

  231. // and calls VerifyHeader.

  232. //

  233. // If the trusted header is more recent than one here, an error is returned.

  234. func (c *Client) VerifyHeaderAtHeight(height int64, now time.Time) error {
  235. 	if c.trustedHeader.Height >= height {
  236. 		return errors.Errorf("height #%d is already trusted (last: #%d)", height, c.trustedHeader.Height)
  237. 	}
  238. 

  239. 	// Request the header and the vals.

  240. 	newHeader, newVals, err := c.fetchHeaderAndValsAtHeight(height)
  241. 	if err != nil {
  242. 		return err
  243. 	}
  244. 

  245. 	return c.VerifyHeader(newHeader, newVals, now)
  246. }
  247. 

  248. // VerifyHeader verifies new header against the trusted state.

  249. //

  250. // SequentialVerification: verifies that 2/3 of the trusted validator set has

  251. // signed the new header. If the headers are not adjacent, **all** intermediate

  252. // headers will be requested.

  253. //

  254. // SkippingVerification(trustLevel): verifies that {trustLevel} of the trusted

  255. // validator set has signed the new header. If it's not the case and the

  256. // headers are not adjacent, bisection is performed and necessary (not all)

  257. // intermediate headers will be requested. See the specification for the

  258. // algorithm.

  259. //

  260. // If the trusted header is more recent than one here, an error is returned.

  261. func (c *Client) VerifyHeader(newHeader *types.SignedHeader, newVals *types.ValidatorSet, now time.Time) error {
  262. 	if c.trustedHeader.Height >= newHeader.Height {
  263. 		return errors.Errorf("height #%d is already trusted (last: #%d)", newHeader.Height, c.trustedHeader.Height)
  264. 	}
  265. 

  266. 	if len(c.alternatives) > 0 {
  267. 		if err := c.compareNewHeaderWithRandomAlternative(newHeader); err != nil {
  268. 			return err
  269. 		}
  270. 	}
  271. 

  272. 	var err error
  273. 	switch c.verificationMode {
  274. 	case sequential:
  275. 		err = c.sequence(newHeader, newVals, now)
  276. 	case skipping:
  277. 		err = c.bisection(c.trustedHeader, c.trustedNextVals, newHeader, newVals, now)
  278. 	default:
  279. 		panic(fmt.Sprintf("Unknown verification mode: %b", c.verificationMode))
  280. 	}
  281. 	if err != nil {
  282. 		return err
  283. 	}
  284. 

  285. 	// Update trusted header and vals.

  286. 	nextVals, err := c.primary.ValidatorSet(newHeader.Height + 1)
  287. 	if err != nil {
  288. 		return err
  289. 	}
  290. 	return c.updateTrustedHeaderAndVals(newHeader, nextVals)
  291. }
  292. 

  293. func (c *Client) sequence(newHeader *types.SignedHeader, newVals *types.ValidatorSet, now time.Time) error {
  294. 	// 1) Verify any intermediate headers.

  295. 	var (
  296. 		interimHeader *types.SignedHeader
  297. 		nextVals      *types.ValidatorSet
  298. 		err           error
  299. 	)
  300. 	for height := c.trustedHeader.Height + 1; height < newHeader.Height; height++ {
  301. 		interimHeader, err = c.primary.SignedHeader(height)
  302. 		if err != nil {
  303. 			return errors.Wrapf(err, "failed to obtain the header #%d", height)
  304. 		}
  305. 

  306. 		err = Verify(c.chainID, c.trustedHeader, c.trustedNextVals, interimHeader, c.trustedNextVals,
  307. 			c.trustingPeriod, now, c.trustLevel)
  308. 		if err != nil {
  309. 			return errors.Wrapf(err, "failed to verify the header #%d", height)
  310. 		}
  311. 

  312. 		// Update trusted header and vals.

  313. 		if height == newHeader.Height-1 {
  314. 			nextVals = newVals
  315. 		} else {
  316. 			nextVals, err = c.primary.ValidatorSet(height + 1)
  317. 			if err != nil {
  318. 				return errors.Wrapf(err, "failed to obtain the vals #%d", height+1)
  319. 			}
  320. 		}
  321. 		err = c.updateTrustedHeaderAndVals(interimHeader, nextVals)
  322. 		if err != nil {
  323. 			return errors.Wrapf(err, "failed to update trusted state #%d", height)
  324. 		}
  325. 	}
  326. 

  327. 	// 2) Verify the new header.

  328. 	return Verify(c.chainID, c.trustedHeader, c.trustedNextVals, newHeader, newVals, c.trustingPeriod, now, c.trustLevel)
  329. }
  330. 

  331. func (c *Client) bisection(
  332. 	lastHeader *types.SignedHeader,
  333. 	lastVals *types.ValidatorSet,
  334. 	newHeader *types.SignedHeader,
  335. 	newVals *types.ValidatorSet,
  336. 	now time.Time) error {
  337. 

  338. 	err := Verify(c.chainID, lastHeader, lastVals, newHeader, newVals, c.trustingPeriod, now, c.trustLevel)
  339. 	switch err.(type) {
  340. 	case nil:
  341. 		return nil
  342. 	case types.ErrTooMuchChange:
  343. 		// continue bisection

  344. 	default:
  345. 		return errors.Wrapf(err, "failed to verify the header #%d ", newHeader.Height)
  346. 	}
  347. 

  348. 	if newHeader.Height == c.trustedHeader.Height+1 {
  349. 		// TODO: submit evidence here

  350. 		return errors.Errorf("adjacent headers (#%d and #%d) that are not matching", lastHeader.Height, newHeader.Height)
  351. 	}
  352. 

  353. 	pivot := (c.trustedHeader.Height + newHeader.Header.Height) / 2
  354. 	pivotHeader, pivotVals, err := c.fetchHeaderAndValsAtHeight(pivot)
  355. 	if err != nil {
  356. 		return err
  357. 	}
  358. 

  359. 	// left branch

  360. 	{
  361. 		err := c.bisection(lastHeader, lastVals, pivotHeader, pivotVals, now)
  362. 		if err != nil {
  363. 			return errors.Wrapf(err, "bisection of #%d and #%d", lastHeader.Height, pivot)
  364. 		}
  365. 	}
  366. 

  367. 	// right branch

  368. 	{
  369. 		nextVals, err := c.primary.ValidatorSet(pivot + 1)
  370. 		if err != nil {
  371. 			return errors.Wrapf(err, "failed to obtain the vals #%d", pivot+1)
  372. 		}
  373. 		if !bytes.Equal(pivotHeader.NextValidatorsHash, nextVals.Hash()) {
  374. 			return errors.Errorf("expected next validator's hash %X, but got %X (height #%d)",
  375. 				pivotHeader.NextValidatorsHash,
  376. 				nextVals.Hash(),
  377. 				pivot)
  378. 		}
  379. 

  380. 		err = c.updateTrustedHeaderAndVals(pivotHeader, nextVals)
  381. 		if err != nil {
  382. 			return errors.Wrapf(err, "failed to update trusted state #%d", pivot)
  383. 		}
  384. 

  385. 		err = c.bisection(pivotHeader, nextVals, newHeader, newVals, now)
  386. 		if err != nil {
  387. 			return errors.Wrapf(err, "bisection of #%d and #%d", pivot, newHeader.Height)
  388. 		}
  389. 	}
  390. 

  391. 	return nil
  392. }
  393. 

  394. func (c *Client) updateTrustedHeaderAndVals(h *types.SignedHeader, vals *types.ValidatorSet) error {
  395. 	if !bytes.Equal(h.NextValidatorsHash, vals.Hash()) {
  396. 		return errors.Errorf("expected next validator's hash %X, but got %X", h.NextValidatorsHash, vals.Hash())
  397. 	}
  398. 

  399. 	if err := c.trustedStore.SaveSignedHeader(h); err != nil {
  400. 		return errors.Wrap(err, "failed to save trusted header")
  401. 	}
  402. 	if err := c.trustedStore.SaveValidatorSet(vals, h.Height+1); err != nil {
  403. 		return errors.Wrap(err, "failed to save trusted vals")
  404. 	}
  405. 	c.trustedHeader = h
  406. 	c.trustedNextVals = vals
  407. 	return nil
  408. }
  409. 

  410. func (c *Client) fetchHeaderAndValsAtHeight(height int64) (*types.SignedHeader, *types.ValidatorSet, error) {
  411. 	h, err := c.primary.SignedHeader(height)
  412. 	if err != nil {
  413. 		return nil, nil, errors.Wrapf(err, "failed to obtain the header #%d", height)
  414. 	}
  415. 	vals, err := c.primary.ValidatorSet(height)
  416. 	if err != nil {
  417. 		return nil, nil, errors.Wrapf(err, "failed to obtain the vals #%d", height)
  418. 	}
  419. 	return h, vals, nil
  420. }
  421. 

  422. func (c *Client) compareNewHeaderWithRandomAlternative(h *types.SignedHeader) error {
  423. 	// 1. Pick an alternative provider.

  424. 	p := c.alternatives[cmn.RandIntn(len(c.alternatives))]
  425. 

  426. 	// 2. Fetch the header.

  427. 	altHeader, err := p.SignedHeader(h.Height)
  428. 	if err != nil {
  429. 		return errors.Wrapf(err,
  430. 			"failed to obtain header #%d from alternative provider %v", h.Height, p)
  431. 	}
  432. 

  433. 	// 3. Compare hashes.

  434. 	if !bytes.Equal(h.Hash(), altHeader.Hash()) {
  435. 		// TODO: One of the providers is lying. Send the evidence to fork

  436. 		// accountability server.

  437. 		return errors.Errorf(
  438. 			"new header hash %X does not match one from alternative provider %X",
  439. 			h.Hash(), altHeader.Hash())
  440. 	}
  441. 

  442. 	return nil
  443. }