fix: add whitelist code

input-output-hk · Oct 12, 2023 · 78fefc0 · 78fefc0
1 parent 32332e4
commit 78fefc0
Show file tree

Hide file tree

Showing 19 changed files with 522 additions and 25 deletions.
diff --git a/jormungandr-lib/src/interfaces/config/mod.rs b/jormungandr-lib/src/interfaces/config/mod.rs
@@ -6,7 +6,7 @@ mod secret;
 pub use log::{Log, LogEntry, LogOutput};
 pub use mempool::{LogMaxEntries, Mempool, PersistentLog, PoolMaxEntries};
 pub use node::{
-    Bootstrap, Connection, Cors, CorsOrigin, JRpc, LayersConfig, NodeConfig, NodeId, P2p, Policy, PreferredListConfig,
-    Rest, Tls, TopicsOfInterest, TrustedPeer,
+    Bootstrap, Connection, Cors, CorsOrigin, JRpc, LayersConfig, NodeConfig, NodeId, P2p, Policy,
+    PreferredListConfig, Rest, Tls, TopicsOfInterest, TrustedPeer,
 };
 pub use secret::{Bft, GenesisPraos, NodeSecret};
diff --git a/jormungandr-lib/src/interfaces/config/node.rs b/jormungandr-lib/src/interfaces/config/node.rs
@@ -196,7 +196,6 @@ pub struct P2p {
     pub layers: Option<LayersConfig>,
 }
 
-
 /// Bootstrap contains meta data for initial startup
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Bootstrap {

diff --git a/jormungandr/src/network/p2p/comm.rs b/jormungandr/src/network/p2p/comm.rs
@@ -658,6 +658,11 @@ impl Peers {
         }
     }
 
+    pub async fn get_peer_addr(&self, peer: &NodeId) -> Option<SocketAddr> {
+        let mut map = self.inner().await;
+        map.peer_comms(peer).map(|peer| peer.remote_addr())
+    }
+
     pub async fn refresh_peer_on_gossip(&self, peer: &NodeId) -> bool {
         let timestamp = SystemTime::now();
         let mut map = self.inner().await;

diff --git a/jormungandr/src/network/p2p/comm/peer_map.rs b/jormungandr/src/network/p2p/comm/peer_map.rs
@@ -265,7 +265,7 @@ impl PeerMap {
             .iter()
             .map(|(&id, data)| PeerInfo {
                 id,
-                addr: None,
+                addr: Some(data.comms.remote_addr),
                 stats: data.stats.clone(),
             })
             .collect()

diff --git a/jormungandr/src/network/subscription.rs b/jormungandr/src/network/subscription.rs
@@ -8,11 +8,11 @@ use crate::{
 };
 use chain_network::data as net_data;
 use chain_network::error::{Code, Error};
-use jormungandr_lib::interfaces::FragmentOrigin;
-
+use futures::executor;
 use futures::future::BoxFuture;
 use futures::prelude::*;
 use futures::ready;
+use jormungandr_lib::interfaces::FragmentOrigin;
 
 use std::error::Error as _;
 use std::mem;
@@ -24,7 +24,7 @@ fn filter_gossip_node(node: &Gossip, config: &Configuration) -> bool {
     if config.allow_private_addresses {
         node.has_valid_address()
     } else {
-        node.is_global()
+        !node.is_global()
     }
 }
 
@@ -165,6 +165,12 @@ impl FragmentProcessor {
         }
     }
 
+    fn get_ingress_addr(&self) -> Option<std::net::SocketAddr> {
+        let state = self.global_state.clone();
+        let node_id = self.node_id;
+        executor::block_on(state.peers.get_peer_addr(&node_id))
+    }
+
     fn refresh_stat(&mut self) {
         let state = self.global_state.clone();
         let node_id = self.node_id;
@@ -301,7 +307,22 @@ impl Sink<net_data::Fragment> for FragmentProcessor {
             e
         })?;
         tracing::debug!(hash = %fragment.hash(), "received fragment");
-        self.buffered_fragments.push(fragment);
+        if let Some(whitelist) = &self.global_state.config.whitelist {
+            match self.get_ingress_addr() {
+                Some(ingress_addr) => {
+                    if whitelist.contains(&ingress_addr) {
+                        self.buffered_fragments.push(fragment);
+                    } else {
+                        tracing::info!("dropping fragments from {}", ingress_addr);
+                    }
+                }
+                None => tracing::warn!("unable to resolve address of ingress client"),
+            }
+        } else {
+            // if no whitelist config, normal behaviour, no filtering
+            self.buffered_fragments.push(fragment);
+        }
+
         Ok(())
     }
 

diff --git a/jormungandr/src/settings/start/config.rs b/jormungandr/src/settings/start/config.rs
@@ -11,7 +11,7 @@ use multiaddr::Multiaddr;
 use serde::{de::Error as _, Deserialize, Deserializer, Serialize, Serializer};
 use tracing::level_filters::LevelFilter;
 
-use std::path::PathBuf;
+use std::{net::SocketAddr, path::PathBuf};
 
 #[derive(Debug, Deserialize)]
 #[serde(deny_unknown_fields)]
@@ -132,7 +132,7 @@ pub struct Connection {
     pub allow_private_addresses: bool,
 
     /// contains addrs of nodes which we can accept fragments from
-    //pub whitelist: Option<Vec<SocketAddr>>,
+    pub whitelist: Option<Vec<SocketAddr>>,
 
     /// interval to start gossiping with new nodes, changing the value will
     /// affect the bandwidth. The more often the node will gossip the more

diff --git a/jormungandr/src/settings/start/mod.rs b/jormungandr/src/settings/start/mod.rs
@@ -298,7 +298,8 @@ fn generate_network(
     }
 
     let trusted_peers = p2p
-        .bootstrap.trusted_peers
+        .bootstrap
+        .trusted_peers
         .as_ref()
         .map_or_else(Vec::new, |peers| resolve_trusted_peers(peers));
 
@@ -350,19 +351,24 @@ fn generate_network(
             rings,
         },
         max_connections: p2p
-            .connection.max_connections
+            .connection
+            .max_connections
             .unwrap_or(network::DEFAULT_MAX_CONNECTIONS),
         max_client_connections: p2p
-            .connection.max_client_connections
+            .connection
+            .max_client_connections
             .unwrap_or(network::DEFAULT_MAX_CLIENT_CONNECTIONS),
         timeout: std::time::Duration::from_secs(15),
         allow_private_addresses: p2p.connection.allow_private_addresses,
+        whitelist: p2p.connection.whitelist,
         gossip_interval: p2p
-            .connection.gossip_interval
+            .connection
+            .gossip_interval
             .map(|d| d.into())
             .unwrap_or_else(|| std::time::Duration::from_secs(10)),
         network_stuck_check: p2p
-            .connection.network_stuck_check
+            .connection
+            .network_stuck_check
             .map(Into::into)
             .unwrap_or(crate::topology::DEFAULT_NETWORK_STUCK_INTERVAL),
         max_bootstrap_attempts: p2p.bootstrap.max_bootstrap_attempts,

diff --git a/jormungandr/src/settings/start/network.rs b/jormungandr/src/settings/start/network.rs
@@ -86,6 +86,8 @@ pub struct Configuration {
     /// Whether to allow non-public IP addresses in gossip
     pub allow_private_addresses: bool,
 
+    pub whitelist: Option<Vec<SocketAddr>>,
+
     pub gossip_interval: Duration,
 
     pub network_stuck_check: Duration,

diff --git a/testing/hersir/src/builder/settings.rs b/testing/hersir/src/builder/settings.rs
@@ -136,7 +136,7 @@ impl Settings {
     ) where
         RNG: RngCore + CryptoRng,
     {
-        let mut blockchain_configuration = &mut self.block0.blockchain_configuration;
+        let blockchain_configuration = &mut self.block0.blockchain_configuration;
 
         // TODO blockchain_configuration.block0_date = ;
         blockchain_configuration.linear_fees = blockchain.linear_fee();

diff --git a/testing/hersir/src/builder/spawn_params.rs b/testing/hersir/src/builder/spawn_params.rs
@@ -26,6 +26,8 @@ pub struct SpawnParams {
     log_level: Option<LogLevel>,
     max_bootstrap_attempts: Option<usize>,
     max_connections: Option<u32>,
+    allow_private_addresses: Option<bool>,
+    whitelist: Option<Vec<SocketAddr>>,
     max_inbound_connections: Option<u32>,
     mempool: Option<Mempool>,
     network_stuck_check: Option<Duration>,
@@ -57,6 +59,8 @@ impl SpawnParams {
             log_level: None,
             max_bootstrap_attempts: None,
             max_connections: None,
+            allow_private_addresses: None,
+            whitelist: None,
             max_inbound_connections: None,
             mempool: None,
             network_stuck_check: None,
@@ -136,6 +140,16 @@ impl SpawnParams {
         self
     }
 
+    pub fn allow_private_addresses(mut self, switch: bool) -> Self {
+        self.allow_private_addresses = Some(switch);
+        self
+    }
+
+    pub fn whitelist(mut self, nodes: Vec<SocketAddr>) -> Self {
+        self.whitelist = Some(nodes);
+        self
+    }
+
     pub fn max_inbound_connections(mut self, max_inbound_connections: u32) -> Self {
         self.max_inbound_connections = Some(max_inbound_connections);
         self
@@ -271,6 +285,14 @@ impl SpawnParams {
             node_config.p2p.connection.max_inbound_connections = Some(*max_inbound_connections);
         }
 
+        if let Some(allow_private_addresses) = &self.allow_private_addresses {
+            node_config.p2p.connection.allow_private_addresses = *allow_private_addresses;
+        }
+
+        if let Some(whitelist) = &self.whitelist {
+            node_config.p2p.connection.whitelist = Some(whitelist.clone());
+        }
+
         if let Some(max_connections) = &self.max_connections {
             node_config.p2p.connection.max_connections = Some(*max_connections);
         }

diff --git a/testing/jormungandr-automation/src/jormungandr/configuration/node_config_builder.rs b/testing/jormungandr-automation/src/jormungandr/configuration/node_config_builder.rs
@@ -2,8 +2,8 @@
 
 use jormungandr_lib::{
     interfaces::{
-        Bootstrap, Connection,Cors, JRpc, LayersConfig, Log, Mempool, NodeConfig, P2p, Policy, Rest, Tls,
-        TopicsOfInterest, TrustedPeer,
+        Bootstrap, Connection, Cors, JRpc, LayersConfig, Log, Mempool, NodeConfig, P2p, Policy,
+        Rest, Tls, TopicsOfInterest, TrustedPeer,
     },
     time::Duration,
 };

diff --git a/testing/jormungandr-automation/src/jormungandr/legacy/config/configuration_builder.rs b/testing/jormungandr-automation/src/jormungandr/legacy/config/configuration_builder.rs
@@ -80,7 +80,8 @@ impl LegacyNodeConfigConverter {
 
         let trusted_peers: Vec<TrustedPeer> = source
             .p2p
-            .bootstrap.trusted_peers
+            .bootstrap
+            .trusted_peers
             .iter()
             .map(|peer| {
                 let id = NodeId::from(
@@ -116,6 +117,7 @@ impl LegacyNodeConfigConverter {
                 policy: source.p2p.policy.clone(),
                 layers: source.p2p.layers.clone(),
                 public_id: None,
+                whitelist: source.p2p.connection.whitelist.clone(),
             },
             mempool: source.mempool.clone(),
             bootstrap_from_trusted_peers: source.bootstrap_from_trusted_peers,
@@ -126,7 +128,8 @@ impl LegacyNodeConfigConverter {
     fn build_node_config_after_0_12_0(&self, source: &NewestNodeConfig) -> NodeConfig {
         let trusted_peers: Vec<TrustedPeer> = source
             .p2p
-            .bootstrap.trusted_peers
+            .bootstrap
+            .trusted_peers
             .iter()
             .map(|peer| TrustedPeer {
                 id: None,
@@ -155,6 +158,7 @@ impl LegacyNodeConfigConverter {
                 policy: source.p2p.policy.clone(),
                 layers: source.p2p.layers.clone(),
                 public_id: None,
+                whitelist: source.p2p.connection.whitelist.clone(),
             },
             mempool: source.mempool.clone(),
             bootstrap_from_trusted_peers: source.bootstrap_from_trusted_peers,
@@ -172,7 +176,8 @@ impl LegacyNodeConfigConverter {
         let mut rng = OsRng;
         let trusted_peers: Vec<TrustedPeer> = source
             .p2p
-            .bootstrap.trusted_peers
+            .bootstrap
+            .trusted_peers
             .iter()
             .map(|peer| {
                 let id = {
@@ -215,6 +220,7 @@ impl LegacyNodeConfigConverter {
                 policy: source.p2p.policy.clone(),
                 layers: None,
                 public_id: None,
+                whitelist: source.p2p.connection.whitelist.clone(),
             },
             mempool: source.mempool.clone(),
             bootstrap_from_trusted_peers: source.bootstrap_from_trusted_peers,

diff --git a/testing/jormungandr-automation/src/jormungandr/legacy/config/mod.rs b/testing/jormungandr-automation/src/jormungandr/legacy/config/mod.rs
@@ -34,6 +34,8 @@ pub struct P2p {
 
     pub allow_private_addresses: bool,
 
+    pub whitelist: Option<Vec<SocketAddr>>,
+
     #[serde(skip_serializing_if = "Option::is_none")]
     pub topics_of_interest: Option<TopicsOfInterest>,
 

diff --git a/testing/jormungandr-integration-tests/src/jormungandr/genesis/fragments.rs b/testing/jormungandr-integration-tests/src/jormungandr/genesis/fragments.rs
@@ -119,7 +119,7 @@ pub fn test_all_fragments() {
     );
 
     let mut new_stake_pool = stake_pool.clone();
-    let mut stake_pool_info = new_stake_pool.info_mut();
+    let stake_pool_info = new_stake_pool.info_mut();
     stake_pool_info.serial = 100u128;
 
     time::wait_for_epoch(1, jormungandr.rest());

diff --git a/testing/jormungandr-integration-tests/src/jormungandr/genesis/pool_update.rs b/testing/jormungandr-integration-tests/src/jormungandr/genesis/pool_update.rs
@@ -24,7 +24,7 @@ pub fn update_pool_fees_is_not_allowed() {
     let stake_pool = stake_pools.get(0).unwrap();
 
     let mut new_stake_pool = stake_pool.clone();
-    let mut stake_pool_info = new_stake_pool.info_mut();
+    let stake_pool_info = new_stake_pool.info_mut();
     stake_pool_info.rewards = TaxType::zero();
 
     // 6. send pool update certificate

diff --git a/testing/jormungandr-integration-tests/src/jormungandr/legacy.rs b/testing/jormungandr-integration-tests/src/jormungandr/legacy.rs
@@ -163,7 +163,7 @@ pub fn test_legacy_node_all_fragments() {
     );
 
     let mut new_stake_pool = first_stake_pool.clone();
-    let mut stake_pool_info = new_stake_pool.info_mut();
+    let stake_pool_info = new_stake_pool.info_mut();
 
     stake_pool_info.reward_account = Some(AccountIdentifier::Single(
         second_stake_pool_owner

diff --git a/testing/jormungandr-integration-tests/src/networking/p2p/mod.rs b/testing/jormungandr-integration-tests/src/networking/p2p/mod.rs
@@ -1,4 +1,5 @@
 pub mod connections;
+pub mod public_traffic;
 pub mod quarantine;
 pub mod stats;