New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
message validation #1289
message validation #1289
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! I like that TopicValidator
is called systematically. I think there's a small "bug" in calling the inner validators, see inline.
string Type = 6; | ||
string ChannelID = 1; | ||
bytes EventID = 2; | ||
bytes OriginID = 3 [deprecated = true]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we just deprecate this, we're not removing the field and are still allowing its use.
Which means, technically, that we could still have OriginID
claims in this field, which would still be ser/deser-ialized, and that we should still report if different from the result of the validation logic.
Is it possible to just remove this field and mark the release that would include this PR as breaking? I think it's worth it.
/cc @ramtinms @vishalchangrani for advice on the Message format change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, although I'm hoping we can eventually remove all of these fields except Payload
, and I think this is something that can wait until later and we can remove them all in one fell swoop.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK. Do we have an issue for that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not exactly, but it is part of https://github.com/dapperlabs/flow-go/issues/5847
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As long as the network layer is passing the application layer the origin ID (which we are), it doesn't matter if we remove the field now or later.
network/p2p/readSubscription.go
Outdated
if !ok { | ||
r.log.Fatal().Str("raw_msg", rawMsg.String()).Msg("validator data missing") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a fan of the log fatal here.
This would be triggered by an independent modification of TopicValidator
that e.g. made it return before populating the data in some cases. We should definitely log a spectacular Error
, but why not behave like the above failure cases and return
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can, but personally I would consider it a bug if the validator returned ValidationAccept
without populating the data. At the bare minimum, the validator should check that the message can be deserialized properly and that the origin id can be extracted. If it cannot do even this, then we should definitely reject the message.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My issue is neither with checking that the validation data is here, nor with considering this a bug. We should certainly transmit the message that "something is rotten in the state of Denmark" far and wide.
My issue is with crashing the node based on the input of one (externally controlled) message. A validator that accepts without populating the data has a bug, yes, but should its impact be to lose the entire blockchain?
Co-authored-by: François Garillot <4142+huitseeker@users.noreply.github.com>
Codecov Report
@@ Coverage Diff @@
## master #1289 +/- ##
==========================================
+ Coverage 54.70% 54.73% +0.02%
==========================================
Files 502 501 -1
Lines 31769 31743 -26
==========================================
- Hits 17380 17373 -7
+ Misses 12026 12011 -15
+ Partials 2363 2359 -4
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is swallowing the immediate return that should happen on absence of validation data. Otherwise looks good.
Co-authored-by: François Garillot <4142+huitseeker@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a bunch for all your work on this, it looks great!
Since we only care about |
We actually do care about Ignore as well. Currently there is no usecase which simply The topic validator should take the validation result from multiple |
correct - and when we do have a use case in the future we can then switch over to the extended version. This seems like a premature generalization. But I went ahead and approved since that is not a big deal one way or the other. |
bors merge |
MessageValidator
s on the message.OriginID
field on theMessage
struct. Instead, the network layer, upon receiving a message, can simply deduce theOriginID
based on the sender's peer ID.closes https://github.com/dapperlabs/flow-go/issues/5804