mirrors/tendermint
1
0
Fork 0
mirror of https://github.com/tendermint/tendermint.git synced 2026-04-07 09:19:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
docs-staging
tendermint/light/client.go
Cyrus Goh 5182ffee25 docs: master → docs-staging (#5990) 
* Makefile: always pull image in proto-gen-docker. (#5953)

The `proto-gen-docker` target didn't pull an updated Docker image, and would use a local image if present which could be outdated and produce wrong results.

* test: fix TestPEXReactorRunning data race (#5955)

Fixes #5941.

Not entirely sure that this will fix the problem (couldn't reproduce), but in any case this is an artifact of a hack in the P2P transport refactor to make it work with the legacy P2P stack, and will be removed when the refactor is done anyway.

* test/fuzz: move fuzz tests into this repo (#5918)

Co-authored-by: Emmanuel T Odeke <emmanuel@orijtech.com>

Closes #5907

- add init-corpus to blockchain reactor
- remove validator-set FromBytes test
now that we have proto, we don't need to test it! bye amino
- simplify mempool test
do we want to test remote ABCI app?
- do not recreate mux on every crash in jsonrpc test
- update p2p pex reactor test
- remove p2p/listener test
the API has changed + I did not understand what it's tested anyway
- update secretconnection test
- add readme and makefile
- list inputs in readme
- add nightly workflow
- remove blockchain fuzz test
EncodeMsg / DecodeMsg no longer exist

* docker: dont login when in PR (#5961)

* docker: release Linux/ARM64 image (#5925)

Co-authored-by: Marko <marbar3778@yahoo.com>

* p2p: make PeerManager.DialNext() and EvictNext() block (#5947)

See #5936 and #5938 for background.

The plan was initially to have `DialNext()` and `EvictNext()` return a channel. However, implementing this became unnecessarily complicated and error-prone. As an example, the channel would be both consumed and populated (via method calls) by the same driving method (e.g. `Router.dialPeers()`) which could easily cause deadlocks where a method call blocked while sending on the channel that the caller itself was responsible for consuming (but couldn't since it was busy making the method call). It would also require a set of goroutines in the peer manager that would interact with the goroutines in the router in non-obvious ways, and fully populating the channel on startup could cause deadlocks with other startup tasks. Several issues like these made the solution hard to reason about.

I therefore simply made `DialNext()` and `EvictNext()` block until the next peer was available, using internal triggers to wake these methods up in a non-blocking fashion when any relevant state changes occurred. This proved much simpler to reason about, since there are no goroutines in the peer manager (except for trivial retry timers), nor any blocking channel sends, and it instead relies entirely on the existing goroutine structure of the router for concurrency. This also happens to be the same pattern used by the `Transport.Accept()` API, following Go stdlib conventions, so all router goroutines end up using a consistent pattern as well.

* libs/log: format []byte as hexidecimal string (uppercased) (#5960)

Closes: #5806 

Co-authored-by: Lanie Hei <heixx011@umn.edu>

* docs: log level docs (#5945)

## Description

add section on configuring log levels

Closes: #XXX

* .github: fix fuzz-nightly job (#5965)

outputs is a property of the job, not an individual step.

* e2e: add control over the log level of nodes (#5958)

* mempool: fix reactor tests (#5967)

## Description

Update the faux router to either drop channel errors or handle them based on an argument. This prevents deadlocks in tests where we try to send an error on the mempool channel but there is no reader.

Closes: #5956

* p2p: improve peerStore prototype (#5954)

This improves the `peerStore` prototype by e.g.:

* Using a database with Protobuf for persistence, but also keeping full peer set in memory for performance.
* Simplifying the API, by taking/returning struct copies for safety, and removing errors for in-memory operations.
* Caching the ranked peer set, as a temporary solution until a better data structure is implemented.
* Adding `PeerManagerOptions.MaxPeers` and pruning the peer store (based on rank) when it's full.
* Rewriting `PeerAddress` to be independent of `url.URL`, normalizing it and tightening semantics.

* p2p: simplify PeerManager upgrade logic (#5962)

Follow-up from #5947, branched off of #5954.

This simplifies the upgrade logic by adding explicit eviction requests, which can also be useful for other use-cases (e.g. if we need to ban a peer that's misbehaving). Changes:

* Add `evict` map which queues up peers to explicitly evict.
* `upgrading` now only tracks peers that we're upgrading via dialing (`DialNext` → `Dialed`/`DialFailed`).
* `Dialed` will unmark `upgrading`, and queue `evict` if still beyond capacity.
* `Accepted` will pick a random lower-scored peer to upgrade to, if appropriate, and doesn't care about `upgrading` (the dial will fail later, since it's already connected).
* `EvictNext` will return a peer scheduled in `evict` if any, otherwise if beyond capacity just evict the lowest-scored peer.

This limits all of the `upgrading` logic to `DialNext`, `Dialed`, and `DialFailed`, making it much simplier, and it should generally do the right thing in all cases I can think of.

* p2p: add PeerManager.Advertise() (#5957)

Adds a naïve `PeerManager.Advertise()` method that the new PEX reactor can use to fetch addresses to advertise, as well as some other `FIXME`s on address advertisement.

* blockchain v0: fix waitgroup data race (#5970)

## Description

Fixes the data race in usage of `WaitGroup`. Specifically, the case where we invoke `Wait` _before_ the first delta `Add` call when the current waitgroup counter is zero. See https://golang.org/pkg/sync/#WaitGroup.Add.

Still not sure how this manifests itself in a test since the reactor has to be stopped virtually immediately after being started (I think?).

Regardless, this is the appropriate fix.

closes: #5968

* tests: fix `make test` (#5966)

## Description
 
- bump deadlock dep to master
  - fixes `make test` since we now use `deadlock.Once`

Closes: #XXX

* terminate go-fuzz gracefully (w/ SIGINT) (#5973)

and preserve exit code.

```
2021/01/26 03:34:49 workers: 2, corpus: 4 (8m28s ago), crashers: 0, restarts: 1/9976, execs: 11013732 (21596/sec), cover: 121, uptime: 8m30s
make: *** [fuzz-mempool] Terminated
Makefile:5: recipe for target 'fuzz-mempool' failed
Error: Process completed with exit code 124.
```

https://github.com/tendermint/tendermint/runs/1766661614

`continue-on-error` should make GH ignore any error codes.

* p2p: add prototype PEX reactor for new stack (#5971)

This adds a prototype PEX reactor for the new P2P stack.

* proto/p2p: rename PEX messages and fields (#5974)

Fixes #5899 by renaming a bunch of P2P Protobuf entities (while maintaining wire compatibility):

* `Message` to `PexMessage` (as it's only used for PEX messages).
* `PexAddrs` to `PexResponse`.
* `PexResponse.Addrs` to `PexResponse.Addresses`.
* `NetAddress` to `PexAddress` (as it's only used by PEX).

* p2p: resolve PEX addresses in PEX reactor (#5980)

This changes the new prototype PEX reactor to resolve peer address URLs into IP/port PEX addresses itself. Branched off of #5974.

I've spent some time thinking about address handling in the P2P stack. We currently use `PeerAddress` URLs everywhere, except for two places: when dialing a peer, and when exchanging addresses via PEX. We had two options:

1. Resolve addresses to endpoints inside `PeerManager`. This would introduce a lot of added complexity: we would have to track connection statistics per endpoint, have goroutines that asynchronously resolve and refresh these endpoints, deal with resolve scheduling before dialing (which is trickier than it sounds since it involves multiple goroutines in the peer manager and router and messes with peer rating order), handle IP address visibility issues, and so on.

2. Resolve addresses to endpoints (IP/port) only where they're used: when dialing, and in PEX. Everywhere else we use URLs.

I went with 2, because this significantly simplifies the handling of hostname resolution, and because I really think the PEX reactor should migrate to exchanging URLs instead of IP/port numbers anyway -- this allows operators to use DNS names for validators (and can easily migrate them to new IPs and/or load balance requests), and also allows different protocols (e.g. QUIC and `MemoryTransport`). Happy to discuss this.

* test/p2p: close transports to avoid goroutine leak failures (#5982)

* mempool: fix TestReactorNoBroadcastToSender (#5984)

## Description

Looks like I missed a test in the original PR when fixing the tests.

Closes: #5956

* mempool: fix mempool tests timeout (#5988)

* p2p: use stopCtx when dialing peers in Router (#5983)

This ensures we don't leak dial goroutines when shutting down the router.

* docs: fix typo in state sync example (#5989)

Co-authored-by: Erik Grinaker <erik@interchain.berlin>
Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
Co-authored-by: Marko <marbar3778@yahoo.com>
Co-authored-by: odidev <odidev@puresoftware.com>
Co-authored-by: Lanie Hei <heixx011@umn.edu>
Co-authored-by: Callum Waters <cmwaters19@gmail.com>
Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com>
Co-authored-by: Sergey <52304443+c29r3@users.noreply.github.com>
2021-01-26 11:46:21 -08:00

1036 lines
33 KiB
Go
Raw Permalink Blame History

package light
import (
"bytes"
"context"
"errors"
"fmt"
"time"
"github.com/tendermint/tendermint/libs/log"
tmmath "github.com/tendermint/tendermint/libs/math"
tmsync "github.com/tendermint/tendermint/libs/sync"
"github.com/tendermint/tendermint/light/provider"
"github.com/tendermint/tendermint/light/store"
"github.com/tendermint/tendermint/types"
)
type mode byte
const (
sequential mode = iota + 1
skipping
defaultPruningSize = 1000
defaultMaxRetryAttempts = 10
// For verifySkipping, when using the cache of headers from the previous batch,
// they will always be at a height greater than 1/2 (normal verifySkipping) so to
// find something in between the range, 9/16 is used.
verifySkippingNumerator = 9
verifySkippingDenominator = 16
// 10s should cover most of the clients.
// References:
// - http://vancouver-webpages.com/time/web.html
// - https://blog.codinghorror.com/keeping-time-on-the-pc/
defaultMaxClockDrift = 10 * time.Second
)
// Option sets a parameter for the light client.
type Option func(*Client)
// SequentialVerification option configures the light client to sequentially
// check the blocks (every block, in ascending height order). Note this is
// much slower than SkippingVerification, albeit more secure.
func SequentialVerification() Option {
return func(c *Client) {
c.verificationMode = sequential
}
}
// SkippingVerification option configures the light client to skip blocks as
// long as {trustLevel} of the old validator set signed the new header. The
// verifySkipping algorithm from the specification is used for finding the minimal
// "trust path".
//
// trustLevel - fraction of the old validator set (in terms of voting power),
// which must sign the new header in order for us to trust it. NOTE this only
// applies to non-adjacent headers. For adjacent headers, sequential
// verification is used.
func SkippingVerification(trustLevel tmmath.Fraction) Option {
return func(c *Client) {
c.verificationMode = skipping
c.trustLevel = trustLevel
}
}
// PruningSize option sets the maximum amount of light blocks that the light
// client stores. When Prune() is run, all light blocks that are earlier than
// the h amount of light blocks will be removed from the store.
// Default: 1000. A pruning size of 0 will not prune the light client at all.
func PruningSize(h uint16) Option {
return func(c *Client) {
c.pruningSize = h
}
}
// ConfirmationFunction option can be used to prompt to confirm an action. For
// example, remove newer headers if the light client is being reset with an
// older header. No confirmation is required by default!
func ConfirmationFunction(fn func(action string) bool) Option {
return func(c *Client) {
c.confirmationFn = fn
}
}
// Logger option can be used to set a logger for the client.
func Logger(l log.Logger) Option {
return func(c *Client) {
c.logger = l
}
}
// MaxRetryAttempts option can be used to set max attempts before replacing
// primary with a witness.
func MaxRetryAttempts(max uint16) Option {
return func(c *Client) {
c.maxRetryAttempts = max
}
}
// MaxClockDrift defines how much new header's time can drift into
// the future. Default: 10s.
func MaxClockDrift(d time.Duration) Option {
return func(c *Client) {
c.maxClockDrift = d
}
}
// Client represents a light client, connected to a single chain, which gets
// light blocks from a primary provider, verifies them either sequentially or by
// skipping some and stores them in a trusted store (usually, a local FS).
//
// Default verification: SkippingVerification(DefaultTrustLevel)
type Client struct {
chainID string
trustingPeriod time.Duration // see TrustOptions.Period
verificationMode mode
trustLevel tmmath.Fraction
maxRetryAttempts uint16 // see MaxRetryAttempts option
maxClockDrift time.Duration
// Mutex for locking during changes of the light clients providers
providerMutex tmsync.Mutex
// Primary provider of new headers.
primary provider.Provider
// Providers used to "witness" new headers.
witnesses []provider.Provider
// Where trusted light blocks are stored.
trustedStore store.Store
// Highest trusted light block from the store (height=H).
latestTrustedBlock *types.LightBlock
// See RemoveNoLongerTrustedHeadersPeriod option
pruningSize uint16
// See ConfirmationFunction option
confirmationFn func(action string) bool
quit chan struct{}
logger log.Logger
}
// NewClient returns a new light client. It returns an error if it fails to
// obtain the light block from the primary or they are invalid (e.g. trust
// hash does not match with the one from the headers).
//
// Witnesses are providers, which will be used for cross-checking the primary
// provider. At least one witness must be given when skipping verification is
// used (default). A witness can become a primary iff the current primary is
// unavailable.
//
// See all Option(s) for the additional configuration.
func NewClient(
ctx context.Context,
chainID string,
trustOptions TrustOptions,
primary provider.Provider,
witnesses []provider.Provider,
trustedStore store.Store,
options ...Option) (*Client, error) {
if err := trustOptions.ValidateBasic(); err != nil {
return nil, fmt.Errorf("invalid TrustOptions: %w", err)
}
c, err := NewClientFromTrustedStore(chainID, trustOptions.Period, primary, witnesses, trustedStore, options...)
if err != nil {
return nil, err
}
if c.latestTrustedBlock != nil {
c.logger.Info("Checking trusted light block using options")
if err := c.checkTrustedHeaderUsingOptions(ctx, trustOptions); err != nil {
return nil, err
}
}
if c.latestTrustedBlock == nil || c.latestTrustedBlock.Height < trustOptions.Height {
c.logger.Info("Downloading trusted light block using options")
if err := c.initializeWithTrustOptions(ctx, trustOptions); err != nil {
return nil, err
}
}
return c, err
}
// NewClientFromTrustedStore initializes existing client from the trusted store.
//
// See NewClient
func NewClientFromTrustedStore(
chainID string,
trustingPeriod time.Duration,
primary provider.Provider,
witnesses []provider.Provider,
trustedStore store.Store,
options ...Option) (*Client, error) {
c := &Client{
chainID: chainID,
trustingPeriod: trustingPeriod,
verificationMode: skipping,
trustLevel: DefaultTrustLevel,
maxRetryAttempts: defaultMaxRetryAttempts,
maxClockDrift: defaultMaxClockDrift,
primary: primary,
witnesses: witnesses,
trustedStore: trustedStore,
pruningSize: defaultPruningSize,
confirmationFn: func(action string) bool { return true },
quit: make(chan struct{}),
logger: log.NewNopLogger(),
}
for _, o := range options {
o(c)
}
// Validate the number of witnesses.
if len(c.witnesses) < 1 {
return nil, ErrNoWitnesses
}
// Validate trust level.
if err := ValidateTrustLevel(c.trustLevel); err != nil {
return nil, err
}
if err := c.restoreTrustedLightBlock(); err != nil {
return nil, err
}
return c, nil
}
// restoreTrustedLightBlock loads the latest trusted light block from the store
func (c *Client) restoreTrustedLightBlock() error {
lastHeight, err := c.trustedStore.LastLightBlockHeight()
if err != nil {
return fmt.Errorf("can't get last trusted light block height: %w", err)
}
if lastHeight > 0 {
trustedBlock, err := c.trustedStore.LightBlock(lastHeight)
if err != nil {
return fmt.Errorf("can't get last trusted light block: %w", err)
}
c.latestTrustedBlock = trustedBlock
c.logger.Info("Restored trusted light block", "height", lastHeight)
}
return nil
}
// if options.Height:
//
// 1) ahead of trustedLightBlock.Height => fetch light blocks (same height as
// trustedLightBlock) from primary provider and check it's hash matches the
// trustedLightBlock's hash (if not, remove trustedLightBlock and all the light blocks
// before)
//
// 2) equals trustedLightBlock.Height => check options.Hash matches the
// trustedLightBlock's hash (if not, remove trustedLightBlock and all the light blocks
// before)
//
// 3) behind trustedLightBlock.Height => remove all the light blocks between
// options.Height and trustedLightBlock.Height, update trustedLightBlock, then
// check options.Hash matches the trustedLightBlock's hash (if not, remove
// trustedLightBlock and all the light blocks before)
//
// The intuition here is the user is always right. I.e. if she decides to reset
// the light client with an older header, there must be a reason for it.
func (c *Client) checkTrustedHeaderUsingOptions(ctx context.Context, options TrustOptions) error {
var primaryHash []byte
switch {
case options.Height > c.latestTrustedBlock.Height:
h, err := c.lightBlockFromPrimary(ctx, c.latestTrustedBlock.Height)
if err != nil {
return err
}
primaryHash = h.Hash()
case options.Height == c.latestTrustedBlock.Height:
primaryHash = options.Hash
case options.Height < c.latestTrustedBlock.Height:
c.logger.Info("Client initialized with old header (trusted is more recent)",
"old", options.Height,
"trustedHeight", c.latestTrustedBlock.Height,
"trustedHash", c.latestTrustedBlock.Hash())
action := fmt.Sprintf(
"Rollback to %d (%X)? Note this will remove newer light blocks up to %d (%X)",
options.Height, options.Hash,
c.latestTrustedBlock.Height, c.latestTrustedBlock.Hash())
if c.confirmationFn(action) {
// remove all the headers (options.Height, trustedHeader.Height]
err := c.cleanupAfter(options.Height)
if err != nil {
return fmt.Errorf("cleanupAfter(%d): %w", options.Height, err)
}
c.logger.Info("Rolled back to older header (newer headers were removed)",
"old", options.Height)
} else {
return nil
}
primaryHash = options.Hash
}
if !bytes.Equal(primaryHash, c.latestTrustedBlock.Hash()) {
c.logger.Info("Prev. trusted header's hash (h1) doesn't match hash from primary provider (h2)",
"h1", c.latestTrustedBlock.Hash(), "h2", primaryHash)
action := fmt.Sprintf(
"Prev. trusted header's hash %X doesn't match hash %X from primary provider. Remove all the stored light blocks?",
c.latestTrustedBlock.Hash(), primaryHash)
if c.confirmationFn(action) {
err := c.Cleanup()
if err != nil {
return fmt.Errorf("failed to cleanup: %w", err)
}
} else {
return errors.New("refused to remove the stored light blocks despite hashes mismatch")
}
}
return nil
}
// initializeWithTrustOptions fetches the weakly-trusted light block from
// primary provider.
func (c *Client) initializeWithTrustOptions(ctx context.Context, options TrustOptions) error {
// 1) Fetch and verify the light block.
l, err := c.lightBlockFromPrimary(ctx, options.Height)
if err != nil {
return err
}
// NOTE: - Verify func will check if it's expired or not.
// - h.Time is not being checked against time.Now() because we don't
// want to add yet another argument to NewClient* functions.
if err := l.ValidateBasic(c.chainID); err != nil {
return err
}
if !bytes.Equal(l.Hash(), options.Hash) {
return fmt.Errorf("expected header's hash %X, but got %X", options.Hash, l.Hash())
}
// 2) Ensure that +2/3 of validators signed correctly.
err = l.ValidatorSet.VerifyCommitLight(c.chainID, l.Commit.BlockID, l.Height, l.Commit)
if err != nil {
return fmt.Errorf("invalid commit: %w", err)
}
// 3) Cross-verify with witnesses to ensure everybody has the same state.
if err := c.compareFirstHeaderWithWitnesses(ctx, l.SignedHeader); err != nil {
return err
}
// 4) Persist both of them and continue.
return c.updateTrustedLightBlock(l)
}
// TrustedLightBlock returns a trusted light block at the given height (0 - the latest).
//
// It returns an error if:
// - there are some issues with the trusted store, although that should not
// happen normally;
// - negative height is passed;
// - header has not been verified yet and is therefore not in the store
//
// Safe for concurrent use by multiple goroutines.
func (c *Client) TrustedLightBlock(height int64) (*types.LightBlock, error) {
height, err := c.compareWithLatestHeight(height)
if err != nil {
return nil, err
}
return c.trustedStore.LightBlock(height)
}
func (c *Client) compareWithLatestHeight(height int64) (int64, error) {
latestHeight, err := c.LastTrustedHeight()
if err != nil {
return 0, fmt.Errorf("can't get last trusted height: %w", err)
}
if latestHeight == -1 {
return 0, errors.New("no headers exist")
}
switch {
case height > latestHeight:
return 0, fmt.Errorf("unverified header/valset requested (latest: %d)", latestHeight)
case height == 0:
return latestHeight, nil
case height < 0:
return 0, errors.New("negative height")
}
return height, nil
}
// Update attempts to advance the state by downloading the latest light
// block and verifying it. It returns a new light block on a successful
// update. Otherwise, it returns nil (plus an error, if any).
func (c *Client) Update(ctx context.Context, now time.Time) (*types.LightBlock, error) {
lastTrustedHeight, err := c.LastTrustedHeight()
if err != nil {
return nil, fmt.Errorf("can't get last trusted height: %w", err)
}
if lastTrustedHeight == -1 {
// no light blocks yet => wait
return nil, nil
}
latestBlock, err := c.lightBlockFromPrimary(ctx, 0)
if err != nil {
return nil, err
}
if latestBlock.Height > lastTrustedHeight {
err = c.verifyLightBlock(ctx, latestBlock, now)
if err != nil {
return nil, err
}
c.logger.Info("Advanced to new state", "height", latestBlock.Height, "hash", latestBlock.Hash())
return latestBlock, nil
}
return nil, nil
}
// VerifyLightBlockAtHeight fetches the light block at the given height
// and verifies it. It returns the block immediately if it exists in
// the trustedStore (no verification is needed).
//
// height must be > 0.
//
// It returns provider.ErrlightBlockNotFound if light block is not found by
// primary.
//
// It will replace the primary provider if an error from a request to the provider occurs
func (c *Client) VerifyLightBlockAtHeight(ctx context.Context, height int64, now time.Time) (*types.LightBlock, error) {
if height <= 0 {
return nil, errors.New("negative or zero height")
}
// Check if the light block is already verified.
h, err := c.TrustedLightBlock(height)
if err == nil {
c.logger.Info("Header has already been verified", "height", height, "hash", h.Hash())
// Return already trusted light block
return h, nil
}
// Request the light block from primary
l, err := c.lightBlockFromPrimary(ctx, height)
if err != nil {
return nil, err
}
return l, c.verifyLightBlock(ctx, l, now)
}
// VerifyHeader verifies a new header against the trusted state. It returns
// immediately if newHeader exists in trustedStore (no verification is
// needed). Else it performs one of the two types of verification:
//
// SequentialVerification: verifies that 2/3 of the trusted validator set has
// signed the new header. If the headers are not adjacent, **all** intermediate
// headers will be requested. Intermediate headers are not saved to database.
//
// SkippingVerification(trustLevel): verifies that {trustLevel} of the trusted
// validator set has signed the new header. If it's not the case and the
// headers are not adjacent, verifySkipping is performed and necessary (not all)
// intermediate headers will be requested. See the specification for details.
// Intermediate headers are not saved to database.
// https://github.com/tendermint/spec/blob/master/spec/consensus/light-client.md
//
// If the header, which is older than the currently trusted header, is
// requested and the light client does not have it, VerifyHeader will perform:
// a) verifySkipping verification if nearest trusted header is found & not expired
// b) backwards verification in all other cases
//
// It returns ErrOldHeaderExpired if the latest trusted header expired.
//
// If the primary provides an invalid header (ErrInvalidHeader), it is rejected
// and replaced by another provider until all are exhausted.
//
// If, at any moment, a LightBlock is not found by the primary provider as part of
// verification then the provider will be replaced by another and the process will
// restart.
func (c *Client) VerifyHeader(ctx context.Context, newHeader *types.Header, now time.Time) error {
if newHeader == nil {
return errors.New("nil header")
}
if newHeader.Height <= 0 {
return errors.New("negative or zero height")
}
// Check if newHeader already verified.
l, err := c.TrustedLightBlock(newHeader.Height)
if err == nil {
// Make sure it's the same header.
if !bytes.Equal(l.Hash(), newHeader.Hash()) {
return fmt.Errorf("existing trusted header %X does not match newHeader %X", l.Hash(), newHeader.Hash())
}
c.logger.Info("Header has already been verified",
"height", newHeader.Height, "hash", newHeader.Hash())
return nil
}
// Request the header and the vals.
l, err = c.lightBlockFromPrimary(ctx, newHeader.Height)
if err != nil {
return fmt.Errorf("failed to retrieve light block from primary to verify against: %w", err)
}
if !bytes.Equal(l.Hash(), newHeader.Hash()) {
return fmt.Errorf("light block header %X does not match newHeader %X", l.Hash(), newHeader.Hash())
}
return c.verifyLightBlock(ctx, l, now)
}
func (c *Client) verifyLightBlock(ctx context.Context, newLightBlock *types.LightBlock, now time.Time) error {
c.logger.Info("VerifyHeader", "height", newLightBlock.Height, "hash", newLightBlock.Hash())
var (
verifyFunc func(ctx context.Context, trusted *types.LightBlock, new *types.LightBlock, now time.Time) error
err error
)
switch c.verificationMode {
case sequential:
verifyFunc = c.verifySequential
case skipping:
verifyFunc = c.verifySkippingAgainstPrimary
default:
panic(fmt.Sprintf("Unknown verification mode: %b", c.verificationMode))
}
firstBlockHeight, err := c.FirstTrustedHeight()
if err != nil {
return fmt.Errorf("can't get first light block height: %w", err)
}
switch {
// Verifying forwards
case newLightBlock.Height >= c.latestTrustedBlock.Height:
err = verifyFunc(ctx, c.latestTrustedBlock, newLightBlock, now)
// Verifying backwards
case newLightBlock.Height < firstBlockHeight:
var firstBlock *types.LightBlock
firstBlock, err = c.trustedStore.LightBlock(firstBlockHeight)
if err != nil {
return fmt.Errorf("can't get first light block: %w", err)
}
err = c.backwards(ctx, firstBlock.Header, newLightBlock.Header)
// Verifying between first and last trusted light block
default:
var closestBlock *types.LightBlock
closestBlock, err = c.trustedStore.LightBlockBefore(newLightBlock.Height)
if err != nil {
return fmt.Errorf("can't get signed header before height %d: %w", newLightBlock.Height, err)
}
err = verifyFunc(ctx, closestBlock, newLightBlock, now)
}
if err != nil {
c.logger.Error("Can't verify", "err", err)
return err
}
// Once verified, save and return
return c.updateTrustedLightBlock(newLightBlock)
}
// see VerifyHeader
func (c *Client) verifySequential(
ctx context.Context,
trustedBlock *types.LightBlock,
newLightBlock *types.LightBlock,
now time.Time) error {
var (
verifiedBlock = trustedBlock
interimBlock *types.LightBlock
err error
trace = []*types.LightBlock{trustedBlock}
)
for height := trustedBlock.Height + 1; height <= newLightBlock.Height; height++ {
// 1) Fetch interim light block if needed.
if height == newLightBlock.Height { // last light block
interimBlock = newLightBlock
} else { // intermediate light blocks
interimBlock, err = c.lightBlockFromPrimary(ctx, height)
if err != nil {
return ErrVerificationFailed{From: verifiedBlock.Height, To: height, Reason: err}
}
}
// 2) Verify them
c.logger.Debug("Verify adjacent newLightBlock against verifiedBlock",
"trustedHeight", verifiedBlock.Height,
"trustedHash", verifiedBlock.Hash(),
"newHeight", interimBlock.Height,
"newHash", interimBlock.Hash())
err = VerifyAdjacent(verifiedBlock.SignedHeader, interimBlock.SignedHeader, interimBlock.ValidatorSet,
c.trustingPeriod, now, c.maxClockDrift)
if err != nil {
err := ErrVerificationFailed{From: verifiedBlock.Height, To: interimBlock.Height, Reason: err}
switch errors.Unwrap(err).(type) {
case ErrInvalidHeader:
// If the target header is invalid, return immediately.
if err.To == newLightBlock.Height {
c.logger.Debug("Target header is invalid", "err", err)
return err
}
// If some intermediate header is invalid, replace the primary and try
// again.
c.logger.Error("primary sent invalid header -> replacing", "err", err, "primary", c.primary)
replaceErr := c.replacePrimaryProvider()
if replaceErr != nil {
c.logger.Error("Can't replace primary", "err", replaceErr)
// return original error
return err
}
replacementBlock, fErr := c.lightBlockFromPrimary(ctx, newLightBlock.Height)
if fErr != nil {
c.logger.Error("Can't fetch light block from primary", "err", fErr)
// return original error
return err
}
if !bytes.Equal(replacementBlock.Hash(), newLightBlock.Hash()) {
c.logger.Error("Replacement provider has a different light block",
"newHash", newLightBlock.Hash(),
"replHash", replacementBlock.Hash())
// return original error
return err
}
// attempt to verify header again
height--
continue
default:
return err
}
}
// 3) Update verifiedBlock
verifiedBlock = interimBlock
// 4) Add verifiedBlock to trace
trace = append(trace, verifiedBlock)
}
// Compare header with the witnesses to ensure it's not a fork.
// More witnesses we have, more chance to notice one.
//
// CORRECTNESS ASSUMPTION: there's at least 1 correct full node
// (primary or one of the witnesses).
return c.detectDivergence(ctx, trace, now)
}
// see VerifyHeader
//
// verifySkipping finds the middle light block between a trusted and new light block,
// reiterating the action until it verifies a light block. A cache of light blocks
// requested from source is kept such that when a verification is made, and the
// light client tries again to verify the new light block in the middle, the light
// client does not need to ask for all the same light blocks again.
func (c *Client) verifySkipping(
ctx context.Context,
source provider.Provider,
trustedBlock *types.LightBlock,
newLightBlock *types.LightBlock,
now time.Time) ([]*types.LightBlock, error) {
var (
blockCache = []*types.LightBlock{newLightBlock}
depth = 0
verifiedBlock = trustedBlock
trace = []*types.LightBlock{trustedBlock}
)
for {
c.logger.Debug("Verify non-adjacent newHeader against verifiedBlock",
"trustedHeight", verifiedBlock.Height,
"trustedHash", verifiedBlock.Hash(),
"newHeight", blockCache[depth].Height,
"newHash", blockCache[depth].Hash())
err := Verify(verifiedBlock.SignedHeader, verifiedBlock.ValidatorSet, blockCache[depth].SignedHeader,
blockCache[depth].ValidatorSet, c.trustingPeriod, now, c.maxClockDrift, c.trustLevel)
switch err.(type) {
case nil:
// Have we verified the last header
if depth == 0 {
trace = append(trace, newLightBlock)
return trace, nil
}
// If not, update the lower bound to the previous upper bound
verifiedBlock = blockCache[depth]
// Remove the light block at the lower bound in the header cache - it will no longer be needed
blockCache = blockCache[:depth]
// Reset the cache depth so that we start from the upper bound again
depth = 0
// add verifiedBlock to the trace
trace = append(trace, verifiedBlock)
case ErrNewValSetCantBeTrusted:
// do add another header to the end of the cache
if depth == len(blockCache)-1 {
pivotHeight := verifiedBlock.Height + (blockCache[depth].Height-verifiedBlock.
Height)*verifySkippingNumerator/verifySkippingDenominator
interimBlock, providerErr := source.LightBlock(ctx, pivotHeight)
if providerErr != nil {
return nil, ErrVerificationFailed{From: verifiedBlock.Height, To: pivotHeight, Reason: providerErr}
}
blockCache = append(blockCache, interimBlock)
}
depth++
default:
return nil, ErrVerificationFailed{From: verifiedBlock.Height, To: blockCache[depth].Height, Reason: err}
}
}
}
// verifySkippingAgainstPrimary does verifySkipping plus it compares new header with
// witnesses and replaces primary if it sends the light client an invalid header
func (c *Client) verifySkippingAgainstPrimary(
ctx context.Context,
trustedBlock *types.LightBlock,
newLightBlock *types.LightBlock,
now time.Time) error {
trace, err := c.verifySkipping(ctx, c.primary, trustedBlock, newLightBlock, now)
switch errors.Unwrap(err).(type) {
case ErrInvalidHeader:
// If the target header is invalid, return immediately.
invalidHeaderHeight := err.(ErrVerificationFailed).To
if invalidHeaderHeight == newLightBlock.Height {
c.logger.Debug("Target header is invalid", "err", err)
return err
}
// If some intermediate header is invalid, replace the primary and try
// again.
c.logger.Error("primary sent invalid header -> replacing", "err", err, "primary", c.primary)
replaceErr := c.replacePrimaryProvider()
if replaceErr != nil {
c.logger.Error("Can't replace primary", "err", replaceErr)
// return original error
return err
}
replacementBlock, fErr := c.lightBlockFromPrimary(ctx, newLightBlock.Height)
if fErr != nil {
c.logger.Error("Can't fetch light block from primary", "err", fErr)
// return original error
return err
}
if !bytes.Equal(replacementBlock.Hash(), newLightBlock.Hash()) {
c.logger.Error("Replacement provider has a different light block",
"newHash", newLightBlock.Hash(),
"replHash", replacementBlock.Hash())
// return original error
return err
}
// attempt to verify the header again
return c.verifySkippingAgainstPrimary(ctx, trustedBlock, replacementBlock, now)
case nil:
// Compare header with the witnesses to ensure it's not a fork.
// More witnesses we have, more chance to notice one.
//
// CORRECTNESS ASSUMPTION: there's at least 1 correct full node
// (primary or one of the witnesses).
if cmpErr := c.detectDivergence(ctx, trace, now); cmpErr != nil {
return cmpErr
}
default:
return err
}
return nil
}
// LastTrustedHeight returns a last trusted height. -1 and nil are returned if
// there are no trusted headers.
//
// Safe for concurrent use by multiple goroutines.
func (c *Client) LastTrustedHeight() (int64, error) {
return c.trustedStore.LastLightBlockHeight()
}
// FirstTrustedHeight returns a first trusted height. -1 and nil are returned if
// there are no trusted headers.
//
// Safe for concurrent use by multiple goroutines.
func (c *Client) FirstTrustedHeight() (int64, error) {
return c.trustedStore.FirstLightBlockHeight()
}
// ChainID returns the chain ID the light client was configured with.
//
// Safe for concurrent use by multiple goroutines.
func (c *Client) ChainID() string {
return c.chainID
}
// Primary returns the primary provider.
//
// NOTE: provider may be not safe for concurrent access.
func (c *Client) Primary() provider.Provider {
c.providerMutex.Lock()
defer c.providerMutex.Unlock()
return c.primary
}
// Witnesses returns the witness providers.
//
// NOTE: providers may be not safe for concurrent access.
func (c *Client) Witnesses() []provider.Provider {
c.providerMutex.Lock()
defer c.providerMutex.Unlock()
return c.witnesses
}
// Cleanup removes all the data (headers and validator sets) stored. Note: the
// client must be stopped at this point.
func (c *Client) Cleanup() error {
c.logger.Info("Removing all light blocks")
c.latestTrustedBlock = nil
return c.trustedStore.Prune(0)
}
// cleanupAfter deletes all headers & validator sets after +height+. It also
// resets latestTrustedBlock to the latest header.
func (c *Client) cleanupAfter(height int64) error {
prevHeight := c.latestTrustedBlock.Height
for {
h, err := c.trustedStore.LightBlockBefore(prevHeight)
if err == store.ErrLightBlockNotFound || (h != nil && h.Height <= height) {
break
} else if err != nil {
return fmt.Errorf("failed to get header before %d: %w", prevHeight, err)
}
err = c.trustedStore.DeleteLightBlock(h.Height)
if err != nil {
c.logger.Error("can't remove a trusted header & validator set", "err", err,
"height", h.Height)
}
prevHeight = h.Height
}
c.latestTrustedBlock = nil
err := c.restoreTrustedLightBlock()
if err != nil {
return err
}
return nil
}
func (c *Client) updateTrustedLightBlock(l *types.LightBlock) error {
if err := c.trustedStore.SaveLightBlock(l); err != nil {
return fmt.Errorf("failed to save trusted header: %w", err)
}
if c.pruningSize > 0 {
if err := c.trustedStore.Prune(c.pruningSize); err != nil {
return fmt.Errorf("prune: %w", err)
}
}
if c.latestTrustedBlock == nil || l.Height > c.latestTrustedBlock.Height {
c.latestTrustedBlock = l
}
return nil
}
// backwards verification (see VerifyHeaderBackwards func in the spec) verifies
// headers before a trusted header. If a sent header is invalid the primary is
// replaced with another provider and the operation is repeated.
func (c *Client) backwards(
ctx context.Context,
trustedHeader *types.Header,
newHeader *types.Header) error {
var (
verifiedHeader = trustedHeader
interimHeader *types.Header
)
for verifiedHeader.Height > newHeader.Height {
interimBlock, err := c.lightBlockFromPrimary(ctx, verifiedHeader.Height-1)
if err != nil {
return fmt.Errorf("failed to obtain the header at height #%d: %w", verifiedHeader.Height-1, err)
}
interimHeader = interimBlock.Header
c.logger.Debug("Verify newHeader against verifiedHeader",
"trustedHeight", verifiedHeader.Height,
"trustedHash", verifiedHeader.Hash(),
"newHeight", interimHeader.Height,
"newHash", interimHeader.Hash())
if err := VerifyBackwards(interimHeader, verifiedHeader); err != nil {
c.logger.Error("primary sent invalid header -> replacing", "err", err, "primary", c.primary)
if replaceErr := c.replacePrimaryProvider(); replaceErr != nil {
c.logger.Error("Can't replace primary", "err", replaceErr)
// return original error
return fmt.Errorf("verify backwards from %d to %d failed: %w",
verifiedHeader.Height, interimHeader.Height, err)
}
// we need to verify the header at the same height again
continue
}
verifiedHeader = interimHeader
}
return nil
}
// NOTE: requires a providerMutex locked.
func (c *Client) removeWitness(idx int) {
switch len(c.witnesses) {
case 0:
panic(fmt.Sprintf("wanted to remove %d element from empty witnesses slice", idx))
case 1:
c.witnesses = make([]provider.Provider, 0)
default:
c.witnesses[idx] = c.witnesses[len(c.witnesses)-1]
c.witnesses = c.witnesses[:len(c.witnesses)-1]
}
}
// replaceProvider takes the first alternative provider and promotes it as the
// primary provider.
func (c *Client) replacePrimaryProvider() error {
c.providerMutex.Lock()
defer c.providerMutex.Unlock()
if len(c.witnesses) <= 1 {
return ErrNoWitnesses
}
c.primary = c.witnesses[0]
c.witnesses = c.witnesses[1:]
c.logger.Info("Replacing primary with the first witness", "new_primary", c.primary)
return nil
}
// lightBlockFromPrimary retrieves the lightBlock from the primary provider
// at the specified height. Handles dropout by the primary provider by swapping
// with an alternative provider.
func (c *Client) lightBlockFromPrimary(ctx context.Context, height int64) (*types.LightBlock, error) {
c.providerMutex.Lock()
l, err := c.primary.LightBlock(ctx, height)
c.providerMutex.Unlock()
if err != nil {
c.logger.Debug("Error on light block request from primary", "error", err, "primary", c.primary)
replaceErr := c.replacePrimaryProvider()
if replaceErr != nil {
return nil, fmt.Errorf("%v. Tried to replace primary but: %w", err.Error(), replaceErr)
}
// replace primary and request a light block again
return c.lightBlockFromPrimary(ctx, height)
}
return l, err
}
// compareFirstHeaderWithWitnesses compares h with all witnesses. If any
// witness reports a different header than h, the function returns an error.
func (c *Client) compareFirstHeaderWithWitnesses(ctx context.Context, h *types.SignedHeader) error {
compareCtx, cancel := context.WithCancel(ctx)
defer cancel()
if len(c.witnesses) < 1 {
return ErrNoWitnesses
}
errc := make(chan error, len(c.witnesses))
for i, witness := range c.witnesses {
go c.compareNewHeaderWithWitness(compareCtx, errc, h, witness, i)
}
witnessesToRemove := make([]int, 0, len(c.witnesses))
// handle errors from the header comparisons as they come in
for i := 0; i < cap(errc); i++ {
err := <-errc
switch e := err.(type) {
case nil:
continue
case errConflictingHeaders:
c.logger.Error(fmt.Sprintf(`Witness #%d has a different header. Please check primary is correct
and remove witness. Otherwise, use the different primary`, e.WitnessIndex), "witness", c.witnesses[e.WitnessIndex])
return err
case errBadWitness:
// If witness sent us an invalid header, then remove it. If it didn't
// respond or couldn't find the block, then we ignore it and move on to
// the next witness.
if _, ok := e.Reason.(provider.ErrBadLightBlock); ok {
c.logger.Info("Witness sent us invalid header / vals -> removing it", "witness", c.witnesses[e.WitnessIndex])
witnessesToRemove = append(witnessesToRemove, e.WitnessIndex)
}
}
}
for _, idx := range witnessesToRemove {
c.removeWitness(idx)
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink