|
package light
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"sort"
|
|
"sync"
|
|
"time"
|
|
|
|
tmsync "github.com/tendermint/tendermint/internal/libs/sync"
|
|
"github.com/tendermint/tendermint/libs/log"
|
|
tmmath "github.com/tendermint/tendermint/libs/math"
|
|
"github.com/tendermint/tendermint/light/provider"
|
|
"github.com/tendermint/tendermint/light/store"
|
|
"github.com/tendermint/tendermint/types"
|
|
)
|
|
|
|
// mode selects how the light client verifies a header that is not adjacent to
// a trusted one; it is set by the SequentialVerification and
// SkippingVerification options.
type mode byte

const (
	// sequential verifies every block, in ascending height order.
	sequential mode = iota + 1
	// skipping verifies non-adjacent blocks directly when trustLevel of the
	// trusted validator set signed them, bisecting the gap otherwise.
	skipping

	// defaultPruningSize is how many light blocks the trusted store keeps
	// unless the PruningSize option overrides it.
	defaultPruningSize = 1000

	// For verifySkipping, we need an algorithm to find what height to check
	// next to see if it has sufficient validator set overlap. The most
	// intuitive method is to take the halfway point i.e. if you trusted block
	// 1 and were not able to verify block 128 then your next try would be 64.
	//
	// However, because this implementation caches all the prior results, instead of always taking halfway points
	// it is more efficient to re-check cached blocks. Take this simple example. Say
	// you failed to verify 64 but were able to verify block 32. Following a strict half-way policy,
	// you would start over again and try verify to block 128. If this failed
	// then the halfway point between 32 and 128 is 80. But you already have
	// block 64. Instead of requesting and waiting for another block it is far
	// better to try again with block 64. This is of course not directly in the
	// middle. In fact, no matter how the algorithm plays out, the blocks in
	// cache are always going to be a little less than the halfway point (
	// maximum 1/8 less). To account for this we add a heuristic, bumping the
	// next height to 9/16 instead of 1/2. See schedule.
	verifySkippingNumerator   = 9
	verifySkippingDenominator = 16

	// defaultMaxClockDrift bounds how far into the future (relative to the
	// local clock) a new header's time may be. 10s should cover most of the
	// clients.
	// References:
	// - http://vancouver-webpages.com/time/web.html
	// - https://blog.codinghorror.com/keeping-time-on-the-pc/
	defaultMaxClockDrift = 10 * time.Second

	// defaultMaxBlockLag bounds the gap between the local time a block is
	// received and the block's own timestamp. 10s is sufficient for most
	// networks.
	defaultMaxBlockLag = 10 * time.Second
)
|
|
|
|
// Option sets a parameter for the light client. NewClient and
// NewClientFromTrustedStore apply options in the order given, after the
// defaults have been set, so a later option wins over an earlier one that
// touches the same field.
type Option func(*Client)
|
|
|
|
// SequentialVerification configures the light client to verify every block in
// ascending height order. This is much slower than SkippingVerification, since
// every intermediate block is fetched and checked, albeit more secure.
func SequentialVerification() Option {
	apply := func(c *Client) {
		c.verificationMode = sequential
	}
	return apply
}
|
|
|
|
// SkippingVerification configures the light client to skip blocks as long as
// {trustLevel} of the old validator set signed the new header. The
// verifySkipping algorithm from the specification is used for finding the
// minimal "trust path".
//
// trustLevel is the fraction of the old validator set (in terms of voting
// power) that must sign the new header for it to be trusted. It only applies
// to non-adjacent headers; adjacent headers are always verified sequentially.
// The value is validated by the constructors (ValidateTrustLevel), not here.
func SkippingVerification(trustLevel tmmath.Fraction) Option {
	apply := func(c *Client) {
		c.trustLevel = trustLevel
		c.verificationMode = skipping
	}
	return apply
}
|
|
|
|
// PruningSize sets the maximum number of light blocks the light client keeps
// in its trusted store. After every successful verification the store is
// pruned so that only the newest h blocks remain.
// Default: 1000. A pruning size of 0 disables pruning entirely.
func PruningSize(h uint16) Option {
	apply := func(c *Client) {
		c.pruningSize = h
	}
	return apply
}
|
|
|
|
// Logger replaces the client's logger (a no-op logger is used by default).
func Logger(l log.Logger) Option {
	apply := func(c *Client) {
		c.logger = l
	}
	return apply
}
|
|
|
|
// MaxClockDrift bounds how far a new header's time may lie in the future
// relative to the light client's local clock; headers beyond it are rejected
// during verification. Default: 10s.
func MaxClockDrift(d time.Duration) Option {
	apply := func(c *Client) {
		c.maxClockDrift = d
	}
	return apply
}
|
|
|
|
// MaxBlockLag sets the maximum allowed difference between the wall-clock time
// at which a block is received and the timestamp carried by that block. It can
// be approximated by the maximum block production time.
//
// For example, if the light client receives block B at 12:05 (real time) and
// the block's own time is 12:00, the lag is 5 minutes.
// Default: 10s
func MaxBlockLag(d time.Duration) Option {
	apply := func(c *Client) {
		c.maxBlockLag = d
	}
	return apply
}
|
|
|
|
// Client represents a light client, connected to a single chain, which gets
// light blocks from a primary provider, verifies them either sequentially or by
// skipping some and stores them in a trusted store (usually, a local FS).
//
// Default verification: SkippingVerification(DefaultTrustLevel)
//
// The struct embeds a mutex and the constructors always return *Client; it
// must not be copied.
type Client struct {
	chainID        string
	trustingPeriod time.Duration // see TrustOptions.Period
	// verificationMode is sequential or skipping; see the Option funcs.
	verificationMode mode
	// trustLevel is only consulted in skipping mode (passed to Verify for
	// non-adjacent headers); sequential mode uses VerifyAdjacent without it.
	trustLevel    tmmath.Fraction
	maxClockDrift time.Duration
	maxBlockLag   time.Duration

	// Mutex for locking during changes of the light clients providers.
	// In this file it is only taken around reads/writes of primary and
	// witnesses (Primary, Witnesses, AddProvider).
	providerMutex tmsync.Mutex
	// Primary provider of new headers.
	primary provider.Provider
	// Providers used to "witness" new headers. Witnesses() hands this slice
	// out as-is, so callers alias it; AddProvider appends to it under the lock.
	witnesses []provider.Provider

	// Where trusted light blocks are stored.
	trustedStore store.Store
	// Highest trusted light block from the store (height=H). Set by
	// restoreTrustedLightBlock and advanced by updateTrustedLightBlock;
	// Cleanup resets it to nil, after which verification must not be called.
	// NOTE(review): read and written without providerMutex — confirm that
	// callers serialize Update/Verify* on one client.
	latestTrustedBlock *types.LightBlock

	// See PruningSize option
	pruningSize uint16

	logger log.Logger
}
|
|
|
|
// NewClient returns a new light client. It returns an error if it fails to
// obtain the light block from the primary or they are invalid (e.g. trust
// hash does not match with the one from the headers).
//
// If trustedStore already holds a light block, the client is restored from
// the store and trustOptions.Hash/Height are ignored (only Period is used).
// The store is therefore part of the root of trust: to re-anchor on a new
// trusted hash, start from an empty store.
//
// Witnesses are providers, which will be used for cross-checking the primary
// provider. At least one witness must be given when skipping verification is
// used (default). A witness can become a primary iff the current primary is
// unavailable.
//
// See all Option(s) for the additional configuration.
func NewClient(
	ctx context.Context,
	chainID string,
	trustOptions TrustOptions,
	primary provider.Provider,
	witnesses []provider.Provider,
	trustedStore store.Store,
	options ...Option) (*Client, error) {

	// A non-empty store takes precedence over the trust options.
	lastHeight, err := trustedStore.LastLightBlockHeight()
	switch {
	case err != nil:
		return nil, err
	case lastHeight > 0:
		return NewClientFromTrustedStore(
			chainID, trustOptions.Period, primary, witnesses, trustedStore, options...,
		)
	}

	if err := trustOptions.ValidateBasic(); err != nil {
		return nil, fmt.Errorf("invalid TrustOptions: %w", err)
	}
	if len(witnesses) < 1 {
		return nil, ErrNoWitnesses
	}

	c := &Client{
		logger:           log.NewNopLogger(),
		chainID:          chainID,
		primary:          primary,
		witnesses:        witnesses,
		trustedStore:     trustedStore,
		trustingPeriod:   trustOptions.Period,
		verificationMode: skipping,
		trustLevel:       DefaultTrustLevel,
		maxClockDrift:    defaultMaxClockDrift,
		maxBlockLag:      defaultMaxBlockLag,
		pruningSize:      defaultPruningSize,
	}
	for _, apply := range options {
		apply(c)
	}

	// Options may have replaced the trust level, so validate after they ran.
	if err := ValidateTrustLevel(c.trustLevel); err != nil {
		return nil, err
	}

	// Anchor on the trusted hash/height via the primary and require every
	// witness to agree on that first header.
	if err := c.initializeWithTrustOptions(ctx, trustOptions); err != nil {
		return nil, err
	}

	return c, nil
}
|
|
|
|
// NewClientFromTrustedStore initializes an existing client from the trusted
// store, using the store's latest light block as the trust anchor. It does not
// check that the providers have the same trusted block, and it does not
// validate trustingPeriod (NewClient only runs TrustOptions.ValidateBasic on
// the empty-store path).
//
// It returns ErrNoWitnesses when no witnesses are configured, an error when
// the trust level is invalid, and an error when the store is empty or
// unreadable.
func NewClientFromTrustedStore(
	chainID string,
	trustingPeriod time.Duration,
	primary provider.Provider,
	witnesses []provider.Provider,
	trustedStore store.Store,
	options ...Option) (*Client, error) {

	c := &Client{
		logger:           log.NewNopLogger(),
		chainID:          chainID,
		primary:          primary,
		witnesses:        witnesses,
		trustedStore:     trustedStore,
		trustingPeriod:   trustingPeriod,
		verificationMode: skipping,
		trustLevel:       DefaultTrustLevel,
		maxClockDrift:    defaultMaxClockDrift,
		maxBlockLag:      defaultMaxBlockLag,
		pruningSize:      defaultPruningSize,
	}
	for _, apply := range options {
		apply(c)
	}

	// Both checks run after the options so that they see the final config.
	if len(c.witnesses) < 1 {
		return nil, ErrNoWitnesses
	}
	if err := ValidateTrustLevel(c.trustLevel); err != nil {
		return nil, err
	}

	// Load the latest trusted block; fails if the store is empty.
	if err := c.restoreTrustedLightBlock(); err != nil {
		return nil, err
	}

	return c, nil
}
|
|
|
|
// restoreTrustedLightBlock loads the latest light block from the trusted store
// into c.latestTrustedBlock. It returns an error if the store cannot be read
// or holds no blocks.
func (c *Client) restoreTrustedLightBlock() error {
	height, err := c.trustedStore.LastLightBlockHeight()
	switch {
	case err != nil:
		return fmt.Errorf("can't get last trusted light block height: %w", err)
	case height <= 0:
		return errors.New("trusted store is empty")
	}

	block, err := c.trustedStore.LightBlock(height)
	if err != nil {
		return fmt.Errorf("can't get last trusted light block: %w", err)
	}

	c.latestTrustedBlock = block
	c.logger.Info("restored trusted light block", "height", height)
	return nil
}
|
|
|
|
// initializeWithTrustOptions fetches the light block at options.Height from
// the primary, requires its header hash to equal options.Hash, checks that
// +2/3 of the block's validator set signed its commit, requires every witness
// to report the same header, and finally persists it as the first trusted
// block. The block's time is deliberately not checked here.
//
// NOTE(review): the binding between l.ValidatorSet and l.Header's validators
// hash is not checked in this function; it has to come from the provider /
// light block validation performed before the block gets here — confirm.
func (c *Client) initializeWithTrustOptions(ctx context.Context, options TrustOptions) error {
	l, err := c.lightBlockFromPrimary(ctx, options.Height)
	if err != nil {
		return err
	}

	// The operator-supplied hash is the root of trust; anything else is
	// rejected before any further work.
	if !bytes.Equal(l.Header.Hash(), options.Hash) {
		return fmt.Errorf("expected header's hash %X, but got %X", options.Hash, l.Hash())
	}

	// This also sanity checks that the chain ID is the one we were given.
	if err := l.ValidatorSet.VerifyCommitLight(c.chainID, l.Commit.BlockID, l.Height, l.Commit); err != nil {
		return fmt.Errorf("invalid commit: %w", err)
	}

	// Everybody must agree on the first header, otherwise we may be anchoring
	// on a fork only the primary knows about.
	if err := c.compareFirstHeaderWithWitnesses(ctx, l.SignedHeader); err != nil {
		return err
	}

	return c.updateTrustedLightBlock(l)
}
|
|
|
|
// TrustedLightBlock returns the trusted light block at the given height; a
// height of 0 means the latest trusted block.
//
// It returns an error if:
//   - the trusted store cannot be read (should not happen normally);
//   - height is negative;
//   - height is above the latest trusted height, i.e. the block has not been
//     verified and is therefore not in the store.
//
// Safe for concurrent use by multiple goroutines.
func (c *Client) TrustedLightBlock(height int64) (*types.LightBlock, error) {
	resolved, err := c.compareWithLatestHeight(height)
	if err != nil {
		return nil, err
	}
	return c.trustedStore.LightBlock(resolved)
}
|
|
|
|
// compareWithLatestHeight maps a requested height onto a concrete trusted
// height: 0 resolves to the latest trusted height, a height above the latest
// one or a negative height is an error, and anything else is returned as-is.
// It also errors when the store is empty (LastTrustedHeight == -1).
func (c *Client) compareWithLatestHeight(height int64) (int64, error) {
	latest, err := c.LastTrustedHeight()
	if err != nil {
		return 0, fmt.Errorf("can't get last trusted height: %w", err)
	}
	if latest == -1 {
		return 0, errors.New("no headers exist")
	}

	// The order of these checks is preserved from the original so that the
	// same error is reported for the same input.
	if height > latest {
		return 0, fmt.Errorf("unverified header/valset requested (latest: %d)", latest)
	}
	if height == 0 {
		return latest, nil
	}
	if height < 0 {
		return 0, errors.New("negative height")
	}
	return height, nil
}
|
|
|
|
// Update asks the primary for its latest light block and, if that block is
// newer than the latest trusted one, verifies and stores it. It returns the
// newly trusted block on success; in every other case (nothing trusted yet,
// primary not ahead of us) it returns nil, together with an error if one
// occurred.
func (c *Client) Update(ctx context.Context, now time.Time) (*types.LightBlock, error) {
	trustedHeight, err := c.LastTrustedHeight()
	if err != nil {
		return nil, fmt.Errorf("can't get last trusted height: %w", err)
	}
	if trustedHeight == -1 {
		// Nothing trusted yet, so there is nothing to advance from.
		return nil, nil
	}

	latest, err := c.lightBlockFromPrimary(ctx, 0)
	if err != nil {
		return nil, err
	}
	if latest.Height <= trustedHeight {
		// The primary is not ahead of us; nothing to do.
		return nil, nil
	}

	if err := c.verifyLightBlock(ctx, latest, now); err != nil {
		return nil, err
	}
	c.logger.Info("advanced to new state", "height", latest.Height, "hash", latest.Hash())
	return latest, nil
}
|
|
|
|
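// VerifyLightBlockAtHeight fetches the light block at the given height from
// the primary and verifies it against the trusted state. If the block is
// already in the trusted store it is returned immediately, without
// re-verification.
//
// height must be > 0.
//
// The returned block is non-nil only when the returned error is nil: a block
// that failed verification is never handed back, so a caller cannot pick up
// an unverified block by ignoring the error.
//
// It returns provider.ErrLightBlockNotFound if the light block is not found by
// the primary. The primary may be replaced if a request to it fails (see
// lightBlockFromPrimary).
func (c *Client) VerifyLightBlockAtHeight(ctx context.Context, height int64, now time.Time) (*types.LightBlock, error) {
	if height <= 0 {
		return nil, errors.New("negative or zero height")
	}

	// Already verified? The store is authoritative for everything it holds.
	if h, err := c.TrustedLightBlock(height); err == nil {
		c.logger.Debug("header has already been verified", "height", height, "hash", h.Hash())
		return h, nil
	}

	l, err := c.lightBlockFromPrimary(ctx, height)
	if err != nil {
		return nil, err
	}

	// Previously the block was returned together with a verification error;
	// drop it on failure so only verified blocks leave this function.
	if err := c.verifyLightBlock(ctx, l, now); err != nil {
		return nil, err
	}
	return l, nil
}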
|
|
|
|
// VerifyHeader verifies a new header against the trusted state. It returns
// immediately if newHeader exists in trustedStore (no verification is
// needed), after checking that the stored block has the same hash. Else it
// fetches the matching light block from the primary (its hash must equal
// newHeader's) and performs one of the two types of verification:
//
// SequentialVerification: verifies that 2/3 of the trusted validator set has
// signed the new header. If the headers are not adjacent, **all** intermediate
// headers will be requested. Intermediate headers are not saved to database.
//
// SkippingVerification(trustLevel): verifies that {trustLevel} of the trusted
// validator set has signed the new header. If it's not the case and the
// headers are not adjacent, verifySkipping is performed and necessary (not all)
// intermediate headers will be requested. See the specification for details.
// Intermediate headers are not saved to database.
// https://github.com/tendermint/spec/blob/master/spec/consensus/light-client.md
//
// If the header, which is older than the currently trusted header, is
// requested and the light client does not have it, VerifyHeader will perform:
// a) verifySkipping verification if nearest trusted header is found & not expired
// b) backwards verification in all other cases
//
// It returns ErrOldHeaderExpired if the latest trusted header expired.
//
// If the primary provides an invalid header (ErrInvalidHeader), it is rejected
// and replaced by another provider until all are exhausted.
//
// If, at any moment, a LightBlock is not found by the primary provider as part of
// verification then the provider will be replaced by another and the process will
// restart.
func (c *Client) VerifyHeader(ctx context.Context, newHeader *types.Header, now time.Time) error {
	switch {
	case newHeader == nil:
		return errors.New("nil header")
	case newHeader.Height <= 0:
		return errors.New("negative or zero height")
	}

	wantHash := newHeader.Hash()

	// Already trusted at this height? Then it must be this very header.
	if trusted, err := c.TrustedLightBlock(newHeader.Height); err == nil {
		if !bytes.Equal(trusted.Hash(), wantHash) {
			return fmt.Errorf("existing trusted header %X does not match newHeader %X", trusted.Hash(), wantHash)
		}
		c.logger.Debug("header has already been verified",
			"height", newHeader.Height, "hash", wantHash)
		return nil
	}

	// We only get the header from the caller; the commit and validator set
	// come from the primary, which must be describing the same header.
	l, err := c.lightBlockFromPrimary(ctx, newHeader.Height)
	if err != nil {
		return fmt.Errorf("failed to retrieve light block from primary to verify against: %w", err)
	}
	if !bytes.Equal(l.Hash(), wantHash) {
		return fmt.Errorf("header from primary %X does not match newHeader %X", l.Hash(), wantHash)
	}

	return c.verifyLightBlock(ctx, l, now)
}
|
|
|
|
// verifyLightBlock verifies newLightBlock against the trusted store and, on
// success, persists it via updateTrustedLightBlock. Which trusted block it is
// checked against depends on where the new height falls:
//   - at or above the latest trusted height: forwards from latestTrustedBlock;
//   - below the first trusted height: backwards (hash chaining) from the first
//     trusted block;
//   - in between: forwards from the closest trusted block below it.
//
// Forwards verification uses verifySequential or verifySkippingAgainstPrimary
// according to the configured mode; an unknown mode is a programming error
// and panics. The function assumes c.latestTrustedBlock is non-nil, i.e. it
// must not be called after Cleanup.
func (c *Client) verifyLightBlock(ctx context.Context, newLightBlock *types.LightBlock, now time.Time) error {
	c.logger.Info("verify light block", "height", newLightBlock.Height, "hash", newLightBlock.Hash())

	forwards := c.verifySkippingAgainstPrimary
	switch c.verificationMode {
	case skipping:
		// already selected
	case sequential:
		forwards = c.verifySequential
	default:
		panic(fmt.Sprintf("Unknown verification mode: %b", c.verificationMode))
	}

	firstHeight, err := c.FirstTrustedHeight()
	if err != nil {
		return fmt.Errorf("can't get first light block height: %w", err)
	}

	var verifyErr error
	if newLightBlock.Height >= c.latestTrustedBlock.Height {
		verifyErr = forwards(ctx, c.latestTrustedBlock, newLightBlock, now)
	} else if newLightBlock.Height < firstHeight {
		firstBlock, err := c.trustedStore.LightBlock(firstHeight)
		if err != nil {
			return fmt.Errorf("can't get first light block: %w", err)
		}
		verifyErr = c.backwards(ctx, firstBlock.Header, newLightBlock.Header)
	} else {
		// Find the closest trusted block below the target and verify forwards
		// from there.
		anchor, err := c.trustedStore.LightBlockBefore(newLightBlock.Height)
		if err != nil {
			return fmt.Errorf("can't get signed header before height %d: %w", newLightBlock.Height, err)
		}
		verifyErr = forwards(ctx, anchor, newLightBlock, now)
	}
	if verifyErr != nil {
		c.logger.Error("failed to verify", "err", verifyErr)
		return verifyErr
	}

	return c.updateTrustedLightBlock(newLightBlock)
}
|
|
|
|
// verifySequential verifies newLightBlock against trustedBlock one height at a
// time: every intermediate light block is fetched from the primary and checked
// with VerifyAdjacent before the next one is considered. On success the whole
// chain of verified blocks (the trace) is cross-checked against the witnesses.
// Intermediate blocks live only in the trace; they are not persisted here.
//
// Errors from fetching or adjacent verification are returned wrapped in
// ErrVerificationFailed with the heights it was working between. See
// VerifyHeader for the caller-facing contract.
func (c *Client) verifySequential(
	ctx context.Context,
	trustedBlock *types.LightBlock,
	newLightBlock *types.LightBlock,
	now time.Time) error {

	var (
		verifiedBlock = trustedBlock
		interimBlock  *types.LightBlock
		err           error
		// trace starts at the trusted anchor and grows by one block per
		// verified height; detectDivergence compares it with the witnesses.
		trace = []*types.LightBlock{trustedBlock}
	)

	for height := trustedBlock.Height + 1; height <= newLightBlock.Height; height++ {
		// 1) Fetch interim light block if needed.
		if height == newLightBlock.Height { // last light block
			interimBlock = newLightBlock
		} else { // intermediate light blocks
			interimBlock, err = c.lightBlockFromPrimary(ctx, height)
			if err != nil {
				return ErrVerificationFailed{From: verifiedBlock.Height, To: height, Reason: err}
			}
		}

		// 2) Verify them
		c.logger.Debug("verify adjacent newLightBlock against verifiedBlock",
			"trustedHeight", verifiedBlock.Height,
			"trustedHash", verifiedBlock.Hash(),
			"newHeight", interimBlock.Height,
			"newHash", interimBlock.Hash())

		// The validator set used for the check is the untrusted block's own;
		// NOTE(review): VerifyAdjacent is assumed to tie it to the header's
		// validators hash and to the trusted header's next-validators hash —
		// confirm in its definition.
		err = VerifyAdjacent(verifiedBlock.SignedHeader, interimBlock.SignedHeader, interimBlock.ValidatorSet,
			c.trustingPeriod, now, c.maxClockDrift)
		if err != nil {
			// Deliberately shadows the outer err: from here on err is the
			// wrapped failure, and the type switch looks at its cause.
			err := ErrVerificationFailed{From: verifiedBlock.Height, To: interimBlock.Height, Reason: err}

			switch errors.Unwrap(err).(type) {
			case ErrInvalidHeader:
				// If the target header is invalid, return immediately.
				if err.To == newLightBlock.Height {
					c.logger.Debug("target header is invalid", "err", err)
					return err
				}

				// If some intermediate header is invalid, remove the primary and try again.
				c.logger.Info("primary sent invalid header -> removing", "err", err, "primary", c.primary)

				// findNewPrimary also returns the replacement's block at the
				// target height so we can check it is the same block we were
				// asked to verify before continuing with that provider.
				replacementBlock, removeErr := c.findNewPrimary(ctx, newLightBlock.Height, true)
				if removeErr != nil {
					c.logger.Debug("failed to replace primary. Returning original error", "err", removeErr)
					return err
				}

				if !bytes.Equal(replacementBlock.Hash(), newLightBlock.Hash()) {
					c.logger.Debug("replaced primary but new primary has a different block to the initial one")
					return err
				}

				// attempt to verify header again: the loop's height++ brings
				// us back to the same height, now served by the new primary.
				// verifiedBlock and trace are untouched, so nothing from the
				// rejected header is kept.
				height--

				continue
			default:
				// Any other failure (expired, bad signatures, ...) is final.
				return err
			}
		}

		// 3) Update verifiedBlock
		verifiedBlock = interimBlock

		// 4) Add verifiedBlock to trace
		trace = append(trace, verifiedBlock)
	}

	// Compare header with the witnesses to ensure it's not a fork.
	// More witnesses we have, more chance to notice one.
	//
	// CORRECTNESS ASSUMPTION: there's at least 1 correct full node
	// (primary or one of the witnesses).
	return c.detectDivergence(ctx, trace, now)
}
|
|
|
|
// verifySkipping (see VerifyHeader) verifies newLightBlock against
// trustedBlock by bisection. It first tries to verify the target directly with
// Verify; when the validator sets have diverged too much
// (ErrNewValSetCantBeTrusted) it fetches a light block partway up the gap
// (height chosen by schedule) from source, tries that, and repeats. A cache of
// light blocks requested from source is kept such that when a verification is
// made and the light client tries again to verify the new light block in the
// middle, the light client does not need to ask for all the same light blocks
// again.
//
// On success it returns the trace: trustedBlock, every intermediate block that
// verified, and newLightBlock. The caller is responsible for cross-checking
// the trace with the witnesses; this function only talks to source.
//
// If this function errors, it should always wrap it in an ErrVerificationFailed
// struct so that the calling function can determine where it failed and handle
// it accordingly.
func (c *Client) verifySkipping(
	ctx context.Context,
	source provider.Provider,
	trustedBlock *types.LightBlock,
	newLightBlock *types.LightBlock,
	now time.Time) ([]*types.LightBlock, error) {

	var (
		// The block cache is ordered in height from highest to lowest. We start
		// with the newLightBlock and for any height requested in between we add
		// it.
		blockCache = []*types.LightBlock{newLightBlock}
		// depth indexes blockCache: the block currently being checked against
		// verifiedBlock. 0 is always the target.
		depth = 0

		verifiedBlock = trustedBlock
		trace         = []*types.LightBlock{trustedBlock}
	)

	for {
		c.logger.Debug("verify non-adjacent newHeader against verifiedBlock",
			"trustedHeight", verifiedBlock.Height,
			"trustedHash", verifiedBlock.Hash(),
			"newHeight", blockCache[depth].Height,
			"newHash", blockCache[depth].Hash())

		// Verify the untrusted header. This function is equivalent to
		// ValidAndVerified in the spec
		err := Verify(verifiedBlock.SignedHeader, verifiedBlock.ValidatorSet, blockCache[depth].SignedHeader,
			blockCache[depth].ValidatorSet, c.trustingPeriod, now, c.maxClockDrift, c.trustLevel)
		switch err.(type) {
		case nil:
			// If we have verified the last header then depth will be 0 and we
			// can return a success along with the trace of intermediate headers
			if depth == 0 {
				trace = append(trace, newLightBlock)
				return trace, nil
			}
			// If not, update the lower bound to the previous upper bound
			verifiedBlock = blockCache[depth]
			// Remove the light block at the lower bound in the header cache - it will no longer be needed
			blockCache = blockCache[:depth]
			// Reset the cache depth so that we start from the upper bound again
			depth = 0
			// add verifiedBlock to the trace
			trace = append(trace, verifiedBlock)

		case ErrNewValSetCantBeTrusted:
			// the light block current passed validation, but the validator
			// set is too different to verify it. We keep the block because it
			// may become valuable later on.
			//
			// If we have reached the end of the cache we need to request a
			// completely new block else we recycle a previously requested one.
			// In both cases we are taking a block with a closer height to the
			// previously verified one in the hope that it has a better chance
			// of having a similar validator set
			if depth == len(blockCache)-1 {
				// schedule what the next height we need to fetch is
				pivotHeight := c.schedule(verifiedBlock.Height, blockCache[depth].Height)
				// The pivot is not trusted yet; it is only verified on the next
				// pass of the loop, and the whole trace is checked against the
				// witnesses by the caller.
				interimBlock, providerErr := source.LightBlock(ctx, pivotHeight)
				if providerErr != nil {
					return nil, ErrVerificationFailed{From: verifiedBlock.Height, To: pivotHeight, Reason: providerErr}
				}
				blockCache = append(blockCache, interimBlock)
			}
			// NOTE(review): termination relies on Verify not returning
			// ErrNewValSetCantBeTrusted for adjacent heights (a gap of 1 or 2
			// makes schedule return the verified or the adjacent height) —
			// confirm against Verify.
			depth++

		// for any verification error we abort the operation and return the error
		default:
			return nil, ErrVerificationFailed{From: verifiedBlock.Height, To: blockCache[depth].Height, Reason: err}
		}
	}
}
|
|
|
|
// schedule picks the next height to try during skipping verification, given
// the last height that verified and the last one whose validator set could
// not be trusted. Instead of bisecting exactly it lands 9/16 of the way up
// the gap (verifySkippingNumerator/verifySkippingDenominator; see the
// constants for the rationale), rounding down in integer arithmetic.
func (c *Client) schedule(lastVerifiedHeight, lastFailedHeight int64) int64 {
	gap := lastFailedHeight - lastVerifiedHeight
	step := gap * verifySkippingNumerator / verifySkippingDenominator
	return lastVerifiedHeight + step
}
|
|
|
|
// verifySkippingAgainstPrimary runs verifySkipping against the current primary
// and, on success, compares the resulting trace with the witnesses. On failure
// it decides, from the wrapped cause, whether to give up or to switch to a new
// primary and verify again from trustedBlock:
//   - an invalid target header, an expired intermediate header and a canceled
//     context are returned as-is;
//   - an invalid intermediate header replaces the primary;
//   - any other provider error replaces the primary only if
//     providerShouldBeRemoved says so, otherwise a different primary is
//     selected without removing the current one.
//
// Several failure paths return e.Reason (the bare cause) rather than the
// ErrVerificationFailed wrapper, so callers cannot rely on always receiving
// the From/To heights.
func (c *Client) verifySkippingAgainstPrimary(
	ctx context.Context,
	trustedBlock *types.LightBlock,
	newLightBlock *types.LightBlock,
	now time.Time) error {

	trace, err := c.verifySkipping(ctx, c.primary, trustedBlock, newLightBlock, now)
	if err == nil {
		// Success! Now compare the header with the witnesses to ensure it's not a fork.
		// More witnesses we have, more chance to notice one.
		//
		// CORRECTNESS ASSUMPTION: there's at least 1 correct full node
		// (primary or one of the witnesses).
		if cmpErr := c.detectDivergence(ctx, trace, now); cmpErr != nil {
			return cmpErr
		}
	}

	var e = &ErrVerificationFailed{}
	// all errors from verify skipping should be `ErrVerificationFailed`
	// if it's not we just return the error directly
	// (on the success path err is nil, errors.As is false and nil is returned here)
	if !errors.As(err, e) {
		return err
	}

	// replace: whether the current primary is dropped (true) or merely swapped
	// for another one (false) by findNewPrimary below.
	replace := true
	switch e.Reason.(type) {
	// Verification returned an invalid header
	case ErrInvalidHeader:
		// If it was the target header, return immediately.
		if e.To == newLightBlock.Height {
			c.logger.Debug("target header is invalid", "err", err)
			return err
		}

		// If some intermediate header is invalid, remove the primary and try
		// again (falls out of the switch with replace == true).

	// An intermediate header expired. We can no longer validate it as there is
	// no longer the ability to punish invalid blocks as evidence of misbehavior
	case ErrOldHeaderExpired:
		return err

	// This happens if there was a problem in finding the next block or a
	// context was canceled.
	default:
		if errors.Is(e.Reason, context.Canceled) || errors.Is(e.Reason, context.DeadlineExceeded) {
			return e.Reason
		}

		if !c.providerShouldBeRemoved(e.Reason) {
			replace = false
		}
	}

	// if we've reached here we're attempting to retry verification with a
	// different provider
	c.logger.Info("primary returned error", "err", e, "primary", c.primary, "replace", replace)

	replacementBlock, removeErr := c.findNewPrimary(ctx, newLightBlock.Height, replace)
	if removeErr != nil {
		c.logger.Error("failed to replace primary. Returning original error", "err", removeErr)
		return e.Reason
	}

	// The new primary must be describing the same target block; otherwise the
	// original failure stands rather than silently switching targets.
	if !bytes.Equal(replacementBlock.Hash(), newLightBlock.Hash()) {
		c.logger.Debug("replaced primary but new primary has a different block to the initial one. Returning original error")
		return e.Reason
	}

	// attempt to verify the header again from the trusted block. The recursion
	// ends once findNewPrimary has no provider left to offer.
	return c.verifySkippingAgainstPrimary(ctx, trustedBlock, replacementBlock, now)
}
|
|
|
|
// LastTrustedHeight returns the height of the newest trusted light block, or
// -1 with a nil error when there are no trusted headers. The answer is read
// straight from the trusted store.
//
// Safe for concurrent use by multiple goroutines.
func (c *Client) LastTrustedHeight() (int64, error) {
	height, err := c.trustedStore.LastLightBlockHeight()
	return height, err
}
|
|
|
|
// FirstTrustedHeight returns the height of the oldest trusted light block, or
// -1 with a nil error when there are no trusted headers. The answer is read
// straight from the trusted store.
//
// Safe for concurrent use by multiple goroutines.
func (c *Client) FirstTrustedHeight() (int64, error) {
	height, err := c.trustedStore.FirstLightBlockHeight()
	return height, err
}
|
|
|
|
// ChainID returns the chain ID the light client was configured with. The
// value is set once by the constructors and never changed afterwards.
//
// Safe for concurrent use by multiple goroutines.
func (c *Client) ChainID() string {
	id := c.chainID
	return id
}
|
|
|
|
// Primary returns the current primary provider. The read is done under
// providerMutex, since the primary may be swapped while verification runs.
//
// NOTE: the provider itself may not be safe for concurrent access.
func (c *Client) Primary() provider.Provider {
	c.providerMutex.Lock()
	p := c.primary
	c.providerMutex.Unlock()
	return p
}
|
|
|
|
// Witnesses returns the witness providers. The slice is the client's own
// backing slice, not a copy, so it may observe later AddProvider calls.
//
// NOTE: the providers themselves may not be safe for concurrent access.
func (c *Client) Witnesses() []provider.Provider {
	c.providerMutex.Lock()
	ws := c.witnesses
	c.providerMutex.Unlock()
	return ws
}
|
|
|
|
// AddProvider appends p to the light client's witnesses, under providerMutex.
//
// NOTE: the light client does not check for uniqueness, so adding the same
// provider twice makes it count twice when witnesses are compared.
func (c *Client) AddProvider(p provider.Provider) {
	c.providerMutex.Lock()
	c.witnesses = append(c.witnesses, p)
	c.providerMutex.Unlock()
}
|
|
|
|
// Cleanup removes all the data (headers and validator sets) stored and forgets
// the in-memory trust anchor. Note: the client must be stopped at this point;
// verification after Cleanup has no trusted block to work from.
func (c *Client) Cleanup() error {
	c.logger.Info("removing all light blocks")
	c.latestTrustedBlock = nil
	// Prune(0) keeps zero blocks, i.e. empties the store.
	err := c.trustedStore.Prune(0)
	return err
}
|
|
|
|
// updateTrustedLightBlock persists l in the trusted store, prunes the store
// down to pruningSize blocks (unless pruning is disabled with 0), and advances
// c.latestTrustedBlock when l is higher than the current one. Blocks verified
// backwards or in the middle of the store are saved without moving the anchor.
func (c *Client) updateTrustedLightBlock(l *types.LightBlock) error {
	c.logger.Debug("updating trusted light block", "light_block", l)

	if err := c.trustedStore.SaveLightBlock(l); err != nil {
		return fmt.Errorf("failed to save trusted header: %w", err)
	}

	if keep := c.pruningSize; keep > 0 {
		if err := c.trustedStore.Prune(keep); err != nil {
			return fmt.Errorf("prune: %w", err)
		}
	}

	// Only ever move the in-memory anchor upwards.
	if c.latestTrustedBlock == nil {
		c.latestTrustedBlock = l
	} else if l.Height > c.latestTrustedBlock.Height {
		c.latestTrustedBlock = l
	}

	return nil
}
|
|
|
|
// backwards verification (see VerifyHeaderBackwards func in the spec) verifies
// headers before a trusted header. Starting from trustedHeader, it fetches the
// block one height below the last verified header from the primary and checks
// with VerifyBackwards that the verified header links back to it, repeating
// until newHeader's height is reached. If a sent header is invalid the primary
// is replaced with another provider and the operation is repeated.
//
// Within this function no commit signatures are checked and the result is not
// compared with the witnesses: the chain of links back from trustedHeader is
// the whole argument. NOTE(review): VerifyBackwards is defined elsewhere —
// confirm it checks the hash link between the two headers.
func (c *Client) backwards(
	ctx context.Context,
	trustedHeader *types.Header,
	newHeader *types.Header) error {

	var (
		verifiedHeader = trustedHeader
		interimHeader  *types.Header
	)

	for verifiedHeader.Height > newHeader.Height {
		interimBlock, err := c.lightBlockFromPrimary(ctx, verifiedHeader.Height-1)
		if err != nil {
			return fmt.Errorf("failed to obtain the header at height #%d: %w", verifiedHeader.Height-1, err)
		}
		interimHeader = interimBlock.Header
		c.logger.Debug("verify newHeader against verifiedHeader",
			"trustedHeight", verifiedHeader.Height,
			"trustedHash", verifiedHeader.Hash(),
			"newHeight", interimHeader.Height,
			"newHash", interimHeader.Hash())
		if err := VerifyBackwards(interimHeader, verifiedHeader); err != nil {
			// verification has failed
			c.logger.Info("backwards verification failed, replacing primary...", "err", err, "primary", c.primary)

			// the client tries to see if it can get a witness to continue with the request
			newPrimarysBlock, replaceErr := c.findNewPrimary(ctx, newHeader.Height, true)
			if replaceErr != nil {
				c.logger.Debug("failed to replace primary. Returning original error", "err", replaceErr)
				return err
			}

			// before continuing we must check that they have the same target header to validate
			if !bytes.Equal(newPrimarysBlock.Hash(), newHeader.Hash()) {
				c.logger.Debug("replaced primary but new primary has a different block to the initial one")
				// return the original error
				return err
			}

			// try again with the new primary, from the last header that did
			// verify. The interim block from the old primary is discarded; the
			// recursive call re-fetches it from the new one.
			return c.backwards(ctx, verifiedHeader, newPrimarysBlock.Header)
		}
		// Only advance once the link has been checked.
		verifiedHeader = interimHeader
	}

	return nil
}
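// lightBlockFromPrimary retrieves the lightBlock from the primary provider
// at the specified height. This method also handles provider behavior as follows:
//
// 1. If the provider does not respond or does not have the block, it tries again
// with a different provider
// 2. If all providers return the same error, the light client forwards the error to
// where the initial request came from
// 3. If the provider provides an invalid light block, is deemed unreliable or returns
// any other error, the primary is permanently dropped and is replaced by a witness.
//
// The request itself runs while providerMutex is held, so the primary cannot be
// swapped underneath the call (this also means Primary, Witnesses and
// AddProvider block for the duration of the network request). The primary is
// snapshotted under the lock and that snapshot is what the log lines report;
// c.primary is never read unlocked because findNewPrimary writes it under the
// mutex.
//
// Returns the light block on success, the context error if ctx was cancelled or
// timed out, or whatever findNewPrimary returns otherwise.
func (c *Client) lightBlockFromPrimary(ctx context.Context, height int64) (*types.LightBlock, error) {
	c.providerMutex.Lock()
	primary := c.primary
	l, err := primary.LightBlock(ctx, height)
	c.providerMutex.Unlock()

	switch {
	case err == nil:
		return l, nil

	// catch canceled contexts or deadlines: the caller gave up, so do not
	// burn through witnesses on its behalf
	case errors.Is(err, context.Canceled), errors.Is(err, context.DeadlineExceeded):
		return nil, err

	// benign errors: the primary is demoted to the back of the witness list,
	// not dropped (remove=false)
	case errors.Is(err, provider.ErrNoResponse),
		errors.Is(err, provider.ErrLightBlockNotFound),
		errors.Is(err, provider.ErrHeightTooHigh):
		c.logger.Info("error from light block request from primary, replacing...",
			"error", err, "height", height, "primary", primary)
		return c.findNewPrimary(ctx, height, false)

	default:
		// The light client has most likely received either provider.ErrUnreliableProvider or provider.ErrBadLightBlock
		// These errors mean that the light client should drop the primary and try with another provider instead
		c.logger.Info("error from light block request from primary, removing...",
			"error", err, "height", height, "primary", primary)
		return c.findNewPrimary(ctx, height, true)
	}
}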
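// removeWitnesses drops the witnesses at the given positions from c.witnesses
// using swap-with-last removal, so the order of the remaining witnesses is not
// preserved.
//
// It returns ErrNoWitnesses rather than emptying the witness set, and an error
// for an index that is out of range or listed more than once: a repeated index
// would otherwise evict an unrelated witness (or index past the end) on its
// second pass. The caller's slice is not modified.
//
// NOTE: requires a providerMutex lock
func (c *Client) removeWitnesses(indexes []int) error {
	// check that we will still have witnesses remaining
	if len(c.witnesses) <= len(indexes) {
		return ErrNoWitnesses
	}

	// validate on a private copy so the caller's slice is not reordered
	toRemove := make([]int, 0, len(indexes))
	seen := make(map[int]struct{}, len(indexes))
	for _, idx := range indexes {
		if idx < 0 || idx >= len(c.witnesses) {
			return fmt.Errorf("witness index %d out of range (have %d witnesses)", idx, len(c.witnesses))
		}
		if _, dup := seen[idx]; dup {
			return fmt.Errorf("witness index %d listed more than once", idx)
		}
		seen[idx] = struct{}{}
		toRemove = append(toRemove, idx)
	}

	// we need to make sure that we remove witnesses by index in the reverse
	// order so as to not affect the indexes themselves
	sort.Sort(sort.Reverse(sort.IntSlice(toRemove)))
	for _, idx := range toRemove {
		last := len(c.witnesses) - 1
		c.witnesses[idx] = c.witnesses[last]
		c.witnesses = c.witnesses[:last]
	}

	return nil
}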
// witnessResponse is the outcome of one witness's LightBlock request as
// collected by findNewPrimary. Field order matters: findNewPrimary constructs
// it with a positional literal.
type witnessResponse struct {
	lb           *types.LightBlock // block returned by the witness
	witnessIndex int               // position of the witness in c.witnesses when the request was sent
	err          error             // error from the LightBlock call; nil on success
}
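// findNewPrimary concurrently sends a light block request, promoting the first witness to return
// a valid light block as the new primary. The remove option indicates whether the primary should be
// entire removed or just appended to the back of the witnesses list. This method also handles witness
// errors. If no witness is available, it returns the last error of the witness.
//
// providerMutex is held for the whole call, so the witness set cannot change
// while requests are in flight. Each request goroutine is handed its provider
// up front and never indexes c.witnesses itself; this matters on the early
// return for context errors, where the lock is released while goroutines may
// still be starting. The response channel is buffered to the number of
// witnesses so a late responder never blocks after this function has returned.
//
// Returns the light block served by the new primary, the context error if ctx
// was cancelled or timed out, ErrNoWitnesses if fewer than two witnesses are
// configured, or the last witness error when no witness could serve the height.
func (c *Client) findNewPrimary(ctx context.Context, height int64, remove bool) (*types.LightBlock, error) {
	c.providerMutex.Lock()
	defer c.providerMutex.Unlock()

	// need one witness to promote and at least one to keep
	if len(c.witnesses) <= 1 {
		return nil, ErrNoWitnesses
	}

	var (
		witnessResponsesC = make(chan witnessResponse, len(c.witnesses))
		witnessesToRemove []int
		lastError         error
		wg                sync.WaitGroup
	)

	// send out a light block request to all witnesses
	subctx, cancel := context.WithCancel(ctx)
	defer cancel()
	for index, witness := range c.witnesses {
		wg.Add(1)
		go func(witnessIndex int, w provider.Provider) {
			defer wg.Done()

			lb, err := w.LightBlock(subctx, height)
			witnessResponsesC <- witnessResponse{lb, witnessIndex, err}
		}(index, witness)
	}

	// process all the responses as they come in
	for i := 0; i < cap(witnessResponsesC); i++ {
		response := <-witnessResponsesC
		switch {
		// success! We have found a new primary
		case response.err == nil:
			cancel() // cancel all remaining requests to other witnesses

			wg.Wait() // wait for all goroutines to finish before the witness slice is altered

			// if we are not intending on removing the primary then append the old primary to the end of the witness slice
			if !remove {
				c.witnesses = append(c.witnesses, c.primary)
			}

			// promote respondent as the new primary
			c.logger.Debug("found new primary", "primary", c.witnesses[response.witnessIndex])
			c.primary = c.witnesses[response.witnessIndex]

			// add promoted witness to the list of witnesses to be removed
			witnessesToRemove = append(witnessesToRemove, response.witnessIndex)

			// remove witnesses marked as bad (the client must do this before we alter the witness slice and change the indexes
			// of witnesses). Removal is done in descending order
			if err := c.removeWitnesses(witnessesToRemove); err != nil {
				return nil, err
			}

			// return the light block that new primary responded with
			return response.lb, nil

		// catch canceled contexts or deadlines
		case errors.Is(response.err, context.Canceled), errors.Is(response.err, context.DeadlineExceeded):
			return nil, response.err

		// process benign errors by logging them only
		case errors.Is(response.err, provider.ErrNoResponse),
			errors.Is(response.err, provider.ErrLightBlockNotFound),
			errors.Is(response.err, provider.ErrHeightTooHigh):
			lastError = response.err
			c.logger.Info("error on light block request from witness",
				"error", response.err, "primary", c.witnesses[response.witnessIndex])
			continue

		// process malevolent errors like ErrUnreliableProvider and ErrBadLightBlock by removing the witness
		default:
			lastError = response.err
			c.logger.Error("error on light block request from witness, removing...",
				"error", response.err, "primary", c.witnesses[response.witnessIndex])
			witnessesToRemove = append(witnessesToRemove, response.witnessIndex)
		}
	}

	// NOTE(review): witnesses flagged in the default branch are only evicted on
	// the success path above; when every witness fails they all stay in the set.
	return nil, lastError
}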
// compareFirstHeaderWithWitnesses concurrently compares h with all witnesses. If any
// witness reports a different header than h, the function returns an error.
//
// A conflicting header is returned immediately (the deferred cancel stops the
// outstanding comparisons through compareCtx). Witnesses that answered with
// errBadWitness are dropped from the set once every comparison has reported
// back; any other error is logged and ignored, except context cancellation or
// deadline, which is returned as-is. providerMutex is held for the whole call.
func (c *Client) compareFirstHeaderWithWitnesses(ctx context.Context, h *types.SignedHeader) error {
	compareCtx, cancel := context.WithCancel(ctx)
	defer cancel()

	c.providerMutex.Lock()
	defer c.providerMutex.Unlock()

	witnessCount := len(c.witnesses)
	if witnessCount < 1 {
		return ErrNoWitnesses
	}

	// one slot per witness so a late responder never blocks on the send
	results := make(chan error, witnessCount)
	for idx, w := range c.witnesses {
		go c.compareNewHeaderWithWitness(compareCtx, results, h, w, idx)
	}

	misbehaving := make([]int, 0, witnessCount)

	// handle errors from the header comparisons as they come in
	for received := 0; received < witnessCount; received++ {
		err := <-results

		switch e := err.(type) {
		case nil:
			// witness agrees with h
		case errConflictingHeaders:
			c.logger.Error(`witness has a different header. Please check primary is
correct and remove witness. Otherwise, use a different primary`,
				"Witness", c.witnesses[e.WitnessIndex], "ExpHeader", h.Hash(), "GotHeader", e.Block.Hash())
			return err
		case errBadWitness:
			// If witness sent us an invalid header, then remove it
			c.logger.Info("witness returned an error, removing...",
				"err", err)
			misbehaving = append(misbehaving, e.WitnessIndex)
		default:
			// check for canceled contexts or deadlines
			if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
				return err
			}

			// the witness either didn't respond or didn't have the block. We ignore it.
			c.logger.Debug("unable to compare first header with witness, ignoring",
				"err", err)
		}
	}

	// remove all witnesses that misbehaved
	return c.removeWitnesses(misbehaving)
}
// providerShouldBeRemoved analyzes the nature of the error and whether the provider
// should be removed from the light clients set
//
// Reports true when err wraps a provider.ErrUnreliableProvider or
// provider.ErrBadLightBlock value, or wraps provider.ErrConnectionClosed.
func (c *Client) providerShouldBeRemoved(err error) bool {
	var (
		unreliable provider.ErrUnreliableProvider
		badBlock   provider.ErrBadLightBlock
	)
	switch {
	case errors.As(err, &unreliable):
		return true
	case errors.As(err, &badBlock):
		return true
	default:
		return errors.Is(err, provider.ErrConnectionClosed)
	}
}