Skip to content

Commit

Permalink
Merge pull request #48 from MinaFoundation/optional-verify-sign
Browse files Browse the repository at this point in the history
PM-1321 Optional verify sign
  • Loading branch information
piotr-iohk authored Mar 14, 2024
2 parents 2c329d8 + 9636687 commit eec11cc
Show file tree
Hide file tree
Showing 4 changed files with 35 additions and 18 deletions.
7 changes: 7 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,13 @@ If the `CONFIG_FILE` environment variable is not set, the program will fall back
5. **Local File System Configuration**:
- `CONFIG_FILESYSTEM_PATH` - Set this to the path where you want the local file system to point.

6. **Test settings**

These settings are useful for debugging or testing under controlled conditions. Always revert to secure and sensible defaults before moving to a production environment to maintain the security and reliability of your system.

- `VERIFY_SIGNATURE_DISABLED` - set to `1` to disable signature verification on submission. It is `0` by default.
- `REQUESTS_PER_PK_HOURLY` - set to arbitrarily high value if you want more requests accepted from a single submitter per hour. Default is `120`.

### Important Notes

- At least one of the following storage options is required: `AwsS3`, `AwsKeyspaces`, or `LocalFileSystem`. Multi-storage configuration is also supported, allowing for a combination of these storage options.
Expand Down
4 changes: 4 additions & 0 deletions src/cmd/delegation_backend/main_bpu.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,10 @@ func main() {
app.Log = log
awsctx := AwsContext{}
kc := KeyspaceContext{}
app.VerifySignatureDisabled = appCfg.VerifySignatureDisabled
if app.VerifySignatureDisabled {
log.Warnf("Signature verification is disabled, it is not recommended to run the delegation backend in this mode!")
}

// Storage backend setup
if appCfg.Aws != nil {
Expand Down
3 changes: 3 additions & 0 deletions src/delegation_backend/app_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ func LoadEnv(log logging.EventLogger) AppConfig {
}
} else {
networkName := getEnvChecked("CONFIG_NETWORK_NAME", log)
verifySignatureDisabled := boolEnvChecked("VERIFY_SIGNATURE_DISABLED", log)

delegationWhitelistDisabled := boolEnvChecked("DELEGATION_WHITELIST_DISABLED", log)
var gsheetId, delegationWhitelistList, delegationWhitelistColumn string
Expand Down Expand Up @@ -128,6 +129,7 @@ func LoadEnv(log logging.EventLogger) AppConfig {
config.DelegationWhitelistList = delegationWhitelistList
config.DelegationWhitelistColumn = delegationWhitelistColumn
config.DelegationWhitelistDisabled = delegationWhitelistDisabled
config.VerifySignatureDisabled = verifySignatureDisabled
}

return config
Expand Down Expand Up @@ -189,6 +191,7 @@ type AppConfig struct {
DelegationWhitelistList string `json:"delegation_whitelist_list"`
DelegationWhitelistColumn string `json:"delegation_whitelist_column"`
DelegationWhitelistDisabled bool `json:"delegation_whitelist_disabled,omitempty"`
VerifySignatureDisabled bool `json:"verify_signature_disabled,omitempty"`
Aws *AwsConfig `json:"aws,omitempty"`
AwsKeyspaces *AwsKeyspacesConfig `json:"aws_keyspaces,omitempty"`
LocalFileSystem *LocalFileSystemConfig `json:"filesystem,omitempty"`
Expand Down
39 changes: 21 additions & 18 deletions src/delegation_backend/submit.go
Original file line number Diff line number Diff line change
Expand Up @@ -98,12 +98,13 @@ type AwsContext struct {
}

type App struct {
Log *logging.ZapEventLogger
SubmitCounter *AttemptCounter
Whitelist *WhitelistMVar
WhitelistDisabled bool
Save func(ObjectsToSave)
Now nowFunc
Log *logging.ZapEventLogger
SubmitCounter *AttemptCounter
Whitelist *WhitelistMVar
WhitelistDisabled bool
VerifySignatureDisabled bool
Save func(ObjectsToSave)
Now nowFunc
}

type SubmitH struct {
Expand Down Expand Up @@ -178,19 +179,21 @@ func (h *SubmitH) ServeHTTP(w http.ResponseWriter, r *http.Request) {
return
}

payload, err := req.Data.MakeSignPayload()
if err != nil {
h.app.Log.Errorf("Error while making sign payload: %v", err)
w.WriteHeader(500)
writeErrorResponse(h.app, &w, "Unexpected server error")
return
}
if !h.app.VerifySignatureDisabled {
payload, err := req.Data.MakeSignPayload()
if err != nil {
h.app.Log.Errorf("Error while making sign payload: %v", err)
w.WriteHeader(500)
writeErrorResponse(h.app, &w, "Unexpected server error")
return
}

hash := blake2b.Sum256(payload)
if !verifySig(&req.Submitter, &req.Sig, hash[:], NetworkId()) {
w.WriteHeader(401)
writeErrorResponse(h.app, &w, "Invalid signature")
return
hash := blake2b.Sum256(payload)
if !verifySig(&req.Submitter, &req.Sig, hash[:], NetworkId()) {
w.WriteHeader(401)
writeErrorResponse(h.app, &w, "Invalid signature")
return
}
}

passesAttemptLimit := h.app.SubmitCounter.RecordAttempt(req.Submitter)
Expand Down

0 comments on commit eec11cc

Please sign in to comment.