From e75d14ab28992fd966c58cbf7d0369e1eb8fbcad Mon Sep 17 00:00:00 2001 From: aki Date: Tue, 24 Dec 2019 16:03:45 +0800 Subject: [PATCH 1/3] Add white list two factor protection for eth relay module --- node/cli/src/chain_spec.rs | 10 +++++++++- node/runtime/src/lib.rs | 2 +- srml/eth-relay/src/lib.rs | 5 +++++ 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/node/cli/src/chain_spec.rs b/node/cli/src/chain_spec.rs index d00c95be5..17dfead9e 100644 --- a/node/cli/src/chain_spec.rs +++ b/node/cli/src/chain_spec.rs @@ -200,6 +200,11 @@ pub fn darwinia_genesis( ] }); + let eth_relay_whitelist: Vec = vec![ + get_account_id_from_seed::("Alice"), + get_account_id_from_seed::("Bob"), + ]; + const ENDOWMENT: Balance = 1_000_000 * COIN; const STASH: Balance = 100 * COIN; @@ -263,7 +268,10 @@ pub fn darwinia_genesis( slash_reward_fraction: Perbill::from_percent(10), ..Default::default() }), - eth_relay: Some(EthRelayConfig { ..Default::default() }), + eth_relay: Some(EthRelayConfig { + whitelist: eth_relay_whitelist, + ..Default::default() + }), eth_backing: Some(EthBackingConfig { ring_redeem_address: hex!["dbc888d701167cbfb86486c516aafbefc3a4de6e"].into(), kton_redeem_address: hex!["dbc888d701167cbfb86486c516aafbefc3a4de6e"].into(), diff --git a/node/runtime/src/lib.rs b/node/runtime/src/lib.rs index 1e42bca85..65f8c64b9 100644 --- a/node/runtime/src/lib.rs +++ b/node/runtime/src/lib.rs @@ -450,7 +450,7 @@ construct_runtime!( Sudo: sudo, Utility: utility::{Module, Call, Event}, - EthRelay: eth_relay::{Module, Call, Storage, Event, Config}, + EthRelay: eth_relay::{Module, Call, Storage, Event, Config}, EthBacking: eth_backing, } ); diff --git a/srml/eth-relay/src/lib.rs b/srml/eth-relay/src/lib.rs index 5141dfb54..5351500e4 100644 --- a/srml/eth-relay/src/lib.rs +++ b/srml/eth-relay/src/lib.rs 
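Review bot: The relay whitelist added in the first hunk of `node/cli/src/chain_spec.rs` (`@@ -200,6 +200,11 @@`) is built from `get_account_id_from_seed` with the seeds `"Alice"` and `"Bob"`, which are development accounts whose keys anyone can derive from the seed string. If `darwinia_genesis` also feeds a non-development chain spec (not visible in this hunk), the whitelist would restrict nothing on that network. Taking the list as a parameter of `darwinia_genesis` would let each chain spec supply its own accounts. At minimum a comment such as `// dev-only: well-known seeds, must be replaced for any public network` should record the assumption. The function body starts and ends outside the hunk.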
@@ -72,6 +72,8 @@ decl_storage! { // pub HeaderForIndex get(header_for_index): map H256 => Vec<(u64, T::Hash)>; // pub UnverifiedHeader get(unverified_header): map PrevHash => Vec
; + + pub Whitelist get(fn whitelist) config(): Vec; } add_extra_genesis { config(header): Option>; @@ -98,6 +100,7 @@ decl_module! { pub fn reset_genesis_header(origin, header: EthHeader, genesis_difficulty: u64) { let relayer = ensure_signed(origin)?; + ensure!(Self::whitelist().contains(&relayer), "Your account is not on the whitelist!"); // TODO: Check authority // TODO: Just for easy testing. @@ -108,6 +111,7 @@ decl_module! { pub fn relay_header(origin, header: EthHeader) { let relayer = ensure_signed(origin)?; + ensure!(Self::whitelist().contains(&relayer), "Your account is not on the whitelist!"); // 1. There must be a corresponding parent hash // 2. Update best hash if the current block number is larger than current best block's number (Chain reorg) @@ -120,6 +124,7 @@ decl_module! { pub fn check_receipt(origin, proof_record: EthReceiptProof) { let relayer = ensure_signed(origin)?; + ensure!(Self::whitelist().contains(&relayer), "Your account is not on the whitelist!"); let verified_receipt = Self::verify_receipt(&proof_record)?; From d39ee69af108e2c8bfee39ceeb51530d0a983ffb Mon Sep 17 00:00:00 2001 From: aki Date: Tue, 24 Dec 2019 18:11:28 +0800 Subject: [PATCH 2/3] Whitelist can be turned on and off --- node/cli/src/chain_spec.rs | 4 ++-- srml/eth-relay/src/lib.rs | 47 +++++++++++++++++++++++++++++++++----- 2 files changed, 43 insertions(+), 8 deletions(-) diff --git a/node/cli/src/chain_spec.rs b/node/cli/src/chain_spec.rs index 17dfead9e..f7301e68d 100644 --- a/node/cli/src/chain_spec.rs +++ b/node/cli/src/chain_spec.rs @@ -200,7 +200,7 @@ pub fn darwinia_genesis( ] }); - let eth_relay_whitelist: Vec = vec![ + let eth_relay_authorities: Vec = vec![ get_account_id_from_seed::("Alice"), get_account_id_from_seed::("Bob"), ]; 
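Review bot: The same `ensure!(Self::whitelist().contains(&relayer), ...)` line is pasted into `reset_genesis_header`, `relay_header` and `check_receipt` (hunks `@@ -98,6 +100,7 @@`, `@@ -108,6 +111,7 @@` and `@@ -120,6 +124,7 @@`), so the authorization rule lives in three places and can drift when one copy is edited. A single private helper on the module, for example `fn ensure_relayer(who: &T::AccountId) -> Result`, called as `Self::ensure_relayer(&relayer)?;`, would keep the rule and its error text in one place. The next patch in this series repeats the three-way copy with an `if` around it, so the helper would pay off there as well. All three function bodies continue outside their hunks.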
@@ -269,7 +269,7 @@ pub fn darwinia_genesis( ..Default::default() }), eth_relay: Some(EthRelayConfig { - whitelist: eth_relay_whitelist, + authorities: eth_relay_authorities, ..Default::default() }), eth_backing: Some(EthBackingConfig { diff --git a/srml/eth-relay/src/lib.rs b/srml/eth-relay/src/lib.rs index 5351500e4..4deaaad76 100644 --- a/srml/eth-relay/src/lib.rs +++ b/srml/eth-relay/src/lib.rs @@ -7,7 +7,7 @@ use codec::{Decode, Encode}; use rstd::{result, vec::Vec}; use sr_primitives::RuntimeDebug; use support::{decl_event, decl_module, decl_storage, dispatch::Result, ensure, traits::Get}; -use system::ensure_signed; +use system::{ensure_signed, ensure_root}; use ethash::{EthereumPatch, LightDAG}; use merkle_patricia_trie::{trie::Trie, MerklePatriciaTrie, Proof}; @@ -73,7 +73,8 @@ decl_storage! { // pub HeaderForIndex get(header_for_index): map H256 => Vec<(u64, T::Hash)>; // pub UnverifiedHeader get(unverified_header): map PrevHash => Vec
; - pub Whitelist get(fn whitelist) config(): Vec; + pub CheckAuthorities get(fn check_authorities) config(): bool = true; + pub Authorities get(fn authorities) config(): Vec; } add_extra_genesis { config(header): Option>; @@ -100,8 +101,9 @@ decl_module! { pub fn reset_genesis_header(origin, header: EthHeader, genesis_difficulty: u64) { let relayer = ensure_signed(origin)?; - ensure!(Self::whitelist().contains(&relayer), "Your account is not on the whitelist!"); - // TODO: Check authority + if Self::check_authorities() { + ensure!(Self::authorities().contains(&relayer), "Your account is not on the authorities!"); + } // TODO: Just for easy testing. Self::init_genesis_header(&header, genesis_difficulty)?; @@ -111,7 +113,9 @@ decl_module! { pub fn relay_header(origin, header: EthHeader) { let relayer = ensure_signed(origin)?; - ensure!(Self::whitelist().contains(&relayer), "Your account is not on the whitelist!"); + if Self::check_authorities() { + ensure!(Self::authorities().contains(&relayer), "Your account is not on the authorities!"); + } // 1. There must be a corresponding parent hash // 2. Update best hash if the current block number is larger than current best block's number (Chain reorg) @@ -124,7 +128,9 @@ decl_module! { pub fn check_receipt(origin, proof_record: EthReceiptProof) { let relayer = ensure_signed(origin)?; - ensure!(Self::whitelist().contains(&relayer), "Your account is not on the whitelist!"); + if Self::check_authorities() { + ensure!(Self::authorities().contains(&relayer), "Your account is not on the authorities!"); + } let verified_receipt = Self::verify_receipt(&proof_record)?; 
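Review bot: `CheckAuthorities` in the `decl_storage!` hunk `@@ -73,7 +73,8 @@` has no doc comment, although setting it to `false` skips the only authorization check on the relay calls changed later in this patch. I would add `/// When false, the authority list is ignored and any signed account may call the relay extrinsics.` above it, and `/// Accounts allowed to call reset_genesis_header, relay_header and check_receipt while CheckAuthorities is true.` above `Authorities`. The `decl_storage!` block starts and ends outside the hunk.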
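Review bot: With the check wrapped in `if Self::check_authorities()`, `reset_genesis_header` in hunk `@@ -100,8 +101,9 @@` is callable by any signed account whenever the flag is off, and by every listed authority when it is on. The visible body then calls `Self::init_genesis_header(&header, genesis_difficulty)?`, which presumably re-initialises the header the relay chain is verified from. Since this patch already imports `ensure_root`, that call looks like a better fit for `ensure_root(origin)?;` than for the relayer list, leaving the switch to govern only `relay_header` and `check_receipt` (hunks `@@ -111,7 +113,9 @@` and `@@ -124,7 +128,9 @@`). The function bodies continue outside the hunks.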
@@ -138,6 +144,35 @@ decl_module! { // if header confirmed then return // if header in unverified header then challenge } + + pub fn add_authority(origin, who: T::AccountId) -> Result { + let _me = ensure_root(origin)?; + + if !Self::authorities().contains(&who) { + >::mutate(|l| l.push(who)); + } + + Ok(()) + } + + pub fn remove_authority(origin, who: T::AccountId) -> Result { + let _me = ensure_root(origin)?; + + if Self::authorities().contains(&who) { + let index = Self::authorities().iter().position(|x| *x == who).ok_or("Authority - NOT EXISTED")?; + >::mutate(|l| l.remove(index)); + } + + Ok(()) + } + + pub fn toggle_check_authorities(origin) -> Result { + let _me = ensure_root(origin)?; + + CheckAuthorities::put(!Self::check_authorities()); + + Ok(()) + } } } From d9cf259b8bc26761201340a7541b27f64a6b9c58 Mon Sep 17 00:00:00 2001 From: aki Date: Wed, 25 Dec 2019 09:56:25 +0800 Subject: [PATCH 3/3] Remove useless ok_or --- srml/eth-relay/src/lib.rs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/srml/eth-relay/src/lib.rs b/srml/eth-relay/src/lib.rs index 4deaaad76..e341b3cae 100644 --- a/srml/eth-relay/src/lib.rs +++ b/srml/eth-relay/src/lib.rs @@ -158,9 +158,10 @@ decl_module! { pub fn remove_authority(origin, who: T::AccountId) -> Result { let _me = ensure_root(origin)?; - if Self::authorities().contains(&who) { - let index = Self::authorities().iter().position(|x| *x == who).ok_or("Authority - NOT EXISTED")?; - >::mutate(|l| l.remove(index)); + if let Some(i) = Self::authorities() + .into_iter() + .position(|who_| who_ == who) { + >::mutate(|l| l.remove(i)); } Ok(())
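Review bot: `toggle_check_authorities` in hunk `@@ -138,6 +144,35 @@` flips whatever value is stored, so the result depends on state the caller may not have observed: two root calls that were each meant to disable the check leave it enabled, and the reverse. An explicit setter avoids that, for example `pub fn set_check_authorities(origin, enabled: bool) -> Result` with `CheckAuthorities::put(enabled);` as its body. None of the three new calls deposits an event, so a change to who may relay can only be found by inspecting extrinsics; if the module's event enum allows it, one event per change would make the authority set auditable.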
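Review bot: In the rewritten `remove_authority` (hunk `@@ -158,9 +158,10 @@`) only the first matching entry is removed, and the list is decoded once for `position` and again inside `mutate`. `add_authority` refuses duplicates, but nothing shown here deduplicates the genesis `authorities` vector, so an account listed twice at genesis would still pass the `contains` check after one removal. Doing the work inside the closure with `l.retain(|a| *a != who)` removes every occurrence and reads storage once. The storage path in front of `::mutate` is garbled on this page, so only the closure body is quoted.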