Implement ADR 026

[dauTT]

Description

closes #6998

Implemented all the points of ADR 026:

1. Require Tendermint light clients (ICS 07) to be created with the following additional flags
   i. allow_governance_override_after_expiry (boolean, default false)
2. Require Tendermint light clients (ICS 07) to expose the following additional internal query functions
   i. Expired() boolean, which returns whether or not the client has passed the trusting period since the last update (in which case no headers can be validated)
3. Require Tendermint light clients (ICS 07) to expose the following additional state mutation functions
   i. Unfreeze(), which unfreezes a light client after misbehaviour and clears any frozen height previously set
4. Require Tendermint light clients (ICS 07) & solo machine clients (ICS 06) to be created with the following additional flags
   i. allow_governance_override_after_misbehaviour (boolean, default false)
5. Add a new governance proposal type, ClientUpdateProposal, in the x/ibc module
   i. Extend the base Proposal with a client identifier (string) and a header (bytes, encoded in a client-type-specific format)
   ii. If this governance proposal passes, the client is updated with the provided header, if and only if:
   a. allow_governance_override_after_expiry is true and the client has expired (Expired() returns true)
   b. allow_governance_override_after_misbehaviour is true and the client has been frozen (Frozen() returns true)
   a. In this case, additionally, the client is unfrozen by calling Unfreeze()

TODO:

• Add NewSubmitClientUpdateProposalCmd

---

Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.

• Targeted PR against correct branch (see CONTRIBUTING.md)
• Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
• Code follows the module structure standards.
• Wrote unit and integration tests
• Updated relevant documentation (docs/) or specification (x/<module>/spec/)
• Added relevant godoc comments.
• Added a relevant changelog entry to the Unreleased section in CHANGELOG.md
• Re-reviewed Files changed in the Github PR explorer
• Review Codecov Report in the comment section below once CI passes

[codecov]

Codecov Report

Merging #7029 into master will increase coverage by 0.21%.
The diff coverage is 98.69%.

@@            Coverage Diff             @@
##           master    #7029      +/-   ##
==========================================
+ Coverage   54.66%   54.88%   +0.21%     
==========================================
  Files         571      575       +4     
  Lines       39302    39435     +133     
==========================================
+ Hits        21486    21644     +158     
+ Misses      16039    16012      -27     
- Partials     1777     1779       +2     

[lgtm-com]

This pull request introduces 1 alert when merging 0ec9447 into 4c762db - view on LGTM.com

new alerts:

• 1 for Useless assignment to field

[dauTT]

Note: Due to issue #6476, I could not run the command make proto-gen with the latest code in the master. So I used an outdated version of scripts/protocgen.sh (commit: 69bbb8b327c3cfb967d969bcadeb9b0aef144df6) to autogenerate the pb.go files while merging the master branch with my own. Hopefully I didn't introduce any major bug by using this approach.

[cwgoes]

Thanks, mostly solid, a few questions on the proposal handler.

[fedekunze]

Thanks @dauTT! Left a few comments but implementation-wise looks great 🙂

[AdityaSripal]

Great work @dauTT !! There are still some implementation issues that I've marked.

I don't understand how you're expiration recovery mechanism would work without some way to update the clientTime before lite.Verify is being called. WIll look into why your test case on this is passing

[AdityaSripal]

This is incorrect behaviour from my understanding.

Suppose AllowGovernanceOverrideAfterExpiry = false and AllowGovernanceOverrideAfterMisbehaviour = true

And the client is frozen AND expired, then the correct behaviour is to reject the proposal since client is still expired even if it gets unfrozen.

Similarly, when AllowGovernanceOverrideAfterExpire = true and AllowGovernanceOverrideAfterMisbehaviour = false

And the client is frozen AND expired, then the update proposal should fail since the client is still frozen.

cc: @cwgoes

[AdityaSripal]

This code will allow the proposal to pass in the above cases

[cwgoes]

When we change this above, we should end up with two separate paths (UpdateClient will be called here, but not in the above path)

[AdityaSripal]

So figured out why your expired test cases were passing. Update logic uses ctx.BlockTime() for the current timestamp, which in your tests is always within trusting period of the last stored consensus state.

Once you fix the tests you should see them fail. As @cwgoes mentioned, you'll need some sort of flag in update logic to handle the case where we are overriding.

If override = true, then you need to override the trusted time so that it passes the lite.Verify checks.

Specifically you'll need to change this line:
https://github.com/cosmos/cosmos-sdk/blob/master/x/ibc/07-tendermint/types/update.go#L118

to something like:

Time: newHeader.Time

only when override = true. If override = false, keep as is.

EDIT: This solution will not work because all the time checks are taken care of in lite.Verify if the updating header time is also expired. Can we assume that header.TIme is always going to be within Trusting period of ctx.BlockTime? I assume not

[AdityaSripal]

Here it is possible for tc.clientState.Timestamp != suite.consensusState.Time

This is confusing, change both to be in sync for each test case as I have shown above

[dauTT]

There is a check that I want to add to prevent the above situation:

However, If I do add the check many existing tests will fail. So I am considering to open a new PR for this. But let see, perhaps is not that difficult to fix all the tests.

[colin-axner]

this is ready for review again. Still needs some more tests, but 95% done

[fedekunze]

Looks good! Left a few comments but the logic itself is clean and simpler to understand

[fedekunze]

nit, can we use switch for all the conditions here and move the contents to private functions? It's kinda hard to follow the logic, especially the last section were we should be checking for expired client

[colin-axner]

can you do a switch on a struct? Otherwise I'm not sure how to do this

[colin-axner]

I tried doing a switch on the client state but got:
cannot switch on cs (type ClientState) (struct containing []*ics23.ProofSpec cannot be compared)

[fedekunze]

switch {
case cs.IsFrozen():
// logic
case !cs.AllowUpdateAfterExpiry, !cs.IsExpired(consensusState.Timestamp, ctx.BlockTime()):
    return nil, nil, sdkerrors.Wrap(clienttypes.ErrUpdateClientFailed, "client cannot be updated with proposal")
case cs.IsExpired(consensusState.Timestamp, ctx.BlockTime()):
// logic
default:
// error invalid case? 
}

[colin-axner]

ah I see, this will be much better. I modified the suggestion above a little in the latest commit, let me know if you think it needs any changes

[fedekunze]

I feel the expiry should be checked with another condition? Using switch here would help readability

[colin-axner]

This check is implicit based on the possible conditions. I can add an if condition, it would just be redundant. Do you have any proposed alternative layout?

[AdityaSripal]

Mostly nits, just have one substantial request on tendermint proposal_handle_test.go

Will ACK once that request is addressed and the rest of tests are complete. Great work everyone!!

[AdityaSripal]

If this case is hit, refreezing is still possible. Doesn't need to block the PR, but something to be noted

[colin-axner]

yup was planning to update docs for this

[AdityaSripal]

Should we check that NewPublicKey != CurrentPublicKey?

[colin-axner]

seems reasonable to me

[colin-axner]

should this be checked on regular updates as well? cc @cwgoes

[colin-axner]

on a related note, should the sequence set in consensus state == header.GetSequence() or should it be header.GetSequence + 1 like in update.go?

[cwgoes]

I think we can check that newPublicKey != currentPublicKey, there's no reason to pass a proposal if you have access to the current public key.

This is a bit of a special case, since we're resetting the sequence, I think having it be equal is fine.

[AdityaSripal]

The structure of this test is confusing and difficult to understand imo. I suggest a clearer approach

[AdityaSripal]

Suggested change

	malleate func()
	expPassUnfreeze bool // expected result using a header for unfreezing
	expPassUnexpire bool // expected result using a header for unexpiring
	AllowUpdateAfterExpiry bool
	AllowUpdateAfterMisbehaviour bool
	expPassUnfreeze bool // expected result using a header for unfreezing
	expPassUnexpire bool // expected result using a header for unexpiring

[AdityaSripal]

This means you only need 4 test-case structs to test each possible configuration

[AdityaSripal]

Here with each test case construct the clientState with the provided override flags.

1. Test UpdateProposal against a valid clientstate (this is optional, you can remove this step)
2. Freeze the client and provide the update header and see if you get the expected result
3. Unfreeze and expire the client and provide the update header and see if you get the expected result
4. Freeze and expire the client and provide the update header and see if you get the expected result

This would be much clearer imo, and require less test-case structs

[colin-axner]

I don't understand this reduction. Each of the test cases in one of the four categories have varying results for the combo of expPassUnfreeze and expPassUnexpire? Trying to program this logic into the suite.Run becomes messy and harder to reason about imo. I don't think I can cleanly reduce the test cases to 4 without dropping some testing logic (not testing unexpiry headers on frozen clients etc). I think it is important to test weaker headers on test cases expected to have stronger headers to ensure they don't pass.

I can abstract the clientState to be constructed on the override flags. I think any other improvement can be done in a followup (or you can push directly) because I don't follow.

[cwgoes]

ACK modulo outstanding comments

This logic is definitely much cleaner, thanks @colin-axner 🎉.

[cwgoes]

I think we can check that newPublicKey != currentPublicKey, there's no reason to pass a proposal if you have access to the current public key.

This is a bit of a special case, since we're resetting the sequence, I think having it be equal is fine.

addressed

[fedekunze]

ACK. Final minor comments and pending switch condition from the previous review

[fedekunze]

Suggested change

	if clientType == exported.Localhost {
	if clientType == exported.Localhost || p.ClientId == exported.ClientTypeLocalHost {

[fedekunze]

nit break down and use named fields

[fedekunze]

Suggested change

	if err := header.ValidateBasic(); err != nil {
	return err
	}
	return nil
	return header.ValidateBasic()

[fedekunze]

Suggested change

[fedekunze]

Suggested change

	var (
	header exported.Header
	)
	var header exported.Header

[fedekunze]

nit, can you add ADR26 to the ibc/spec readme references?

[fedekunze]

nit, create h3 subsections (eg ### Localhost Client Proposal)

[colin-axner]

I was thinking this should just be moved to each clients own spec when we add them

[fedekunze]

return cs.unfreezeClient(...)?

[colin-axner]

I think it's fine for now. unexpire is needed because it is called twice