message validation

[synzhu]

• Implements a single topic validator that handles deserializing the message, extracting the sender ID, and then runs all application level MessageValidators on the message.
• Deprecates the OriginID field on the Message struct. Instead, the network layer, upon receiving a message, can simply deduce the OriginID based on the sender's peer ID.

closes https://github.com/dapperlabs/flow-go/issues/5804

[huitseeker]

Thanks! I like that TopicValidator is called systematically. I think there's a small "bug" in calling the inner validators, see inline.

[huitseeker]

If we just deprecate this, we're not removing the field and are still allowing its use.

Which means, technically, that we could still have OriginID claims in this field, which would still be ser/deser-ialized, and that we should still report if different from the result of the validation logic.

Is it possible to just remove this field and mark the release that would include this PR as breaking? I think it's worth it.

/cc @ramtinms @vishalchangrani for advice on the Message format change.

[synzhu]

Yes, although I'm hoping we can eventually remove all of these fields except Payload, and I think this is something that can wait until later and we can remove them all in one fell swoop.

[huitseeker]

OK. Do we have an issue for that?

[synzhu]

Not exactly, but it is part of https://github.com/dapperlabs/flow-go/issues/5847

[vishalchangrani]

As long as the network layer is passing the application layer the origin ID (which we are), it doesn't matter if we remove the field now or later.

[huitseeker]

Not a fan of the log fatal here.

This would be triggered by an independent modification of TopicValidator that e.g. made it return before populating the data in some cases. We should definitely log a spectacular Error, but why not behave like the above failure cases and return?

[synzhu]

We can, but personally I would consider it a bug if the validator returned ValidationAccept without populating the data. At the bare minimum, the validator should check that the message can be deserialized properly and that the origin id can be extracted. If it cannot do even this, then we should definitely reject the message.

[huitseeker]

My issue is neither with checking that the validation data is here, nor with considering this a bug. We should certainly transmit the message that "something is rotten in the state of Denmark" far and wide.

My issue is with crashing the node based on the input of one (externally controlled) message. A validator that accepts without populating the data has a bug, yes, but should its impact be to lose the entire blockchain?

[codecov-commenter]

Codecov Report

Merging #1289 (abc4ae0) into master (a783037) will increase coverage by 0.02%.
The diff coverage is 45.45%.

@@            Coverage Diff             @@
##           master    #1289      +/-   ##
==========================================
+ Coverage   54.70%   54.73%   +0.02%     
==========================================
  Files         502      501       -1     
  Lines       31769    31743      -26     
==========================================
- Hits        17380    17373       -7     
+ Misses      12026    12011      -15     
+ Partials     2363     2359       -4     

Flag	Coverage Δ
unittests	54.73% <45.45%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
network/p2p/libp2pUtils.go	59.74% <ø> (+5.48%)	⬆️
network/p2p/middleware.go	0.00% <0.00%> (ø)
network/p2p/readSubscription.go	0.00% <0.00%> (ø)
network/p2p/libp2pNode.go	67.08% <71.42%> (-0.01%)	⬇️
engine/collection/synchronization/engine.go	62.90% <0.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a783037...abc4ae0. Read the comment docs.

[huitseeker]

This is swallowing the immediate return that should happen on absence of validation data. Otherwise looks good.

[huitseeker]

Thanks a bunch for all your work on this, it looks great!

[vishalchangrani]

Since we only care about Accept or Reject, we will be better served with this Validator function instead of the Extended version.

[synzhu]

Since we only care about Accept or Reject, we will be better served with this Validator function instead of the Extended version.

We actually do care about Ignore as well. Currently there is no usecase which simply Ignore, but there could be in the future.

The topic validator should take the validation result from multiple MessageValidators and compute an "aggregate" result which is then returned to Libp2p.

[vishalchangrani]

Since we only care about Accept or Reject, we will be better served with this Validator function instead of the Extended version.

We actually do care about Ignore as well. Currently there is no usecase which simply Ignore, but there could be in the future.

The topic validator should take the validation result from multiple MessageValidators and compute an "aggregate" result which is then returned to Libp2p.

Since we only care about Accept or Reject, we will be better served with this Validator function instead of the Extended version.

We actually do care about Ignore as well. Currently there is no usecase which simply Ignore, but there could be in the future.

The topic validator should take the validation result from multiple MessageValidators and compute an "aggregate" result which is then returned to Libp2p.

correct - and when we do have a use case in the future we can then switch over to the extended version. This seems like a premature generalization. But I went ahead and approved since that is not a big deal one way or the other.

[synzhu]

bors merge

[bors]

Build succeeded:

• Integration Tests (1.15)
• Integration Tests (1.16)
• Lint
• Unit Tests (1.15)
• Unit Tests (1.16)