[RSC-154] Rewrite Notary to accept maybe master

This commit introduces changes in notary interface to ease
testing of Notary. Now Notary contains list of master keys he
trust. If this list is empty then Notary trust everyone.
Also because of this list our Notary is now more DoS resistant.

Author: chshersh

bench/Bench/RSCoin/Local/InfraThreads.hs

@@ -53,6 +53,6 @@ notaryThread :: FilePath -> IO ()
 notaryThread benchDir =
     runRealModeUntrusted notaryLoggerName B.CADefault $
     bracket
-        (liftIO $ N.openState $ benchDir </> "notary-db")
+        (liftIO $ N.openState (benchDir </> "notary-db") [])
         (liftIO . N.closeState)
         N.serveNotary

src/Deploy/Main.hs

@@ -108,6 +108,7 @@ startNotary severity CommonParams{..} = do
                 (Just dbDir)
                 contextArgument
                 8090
+                []
     Cherepakha.mkdir workingDirDeprecated
     forkIO start
 

src/Notary/Main.hs

@@ -1,6 +1,9 @@
 module Main where
 
-import           RSCoin.Core   (initLogging)
+import           Control.Monad (when)
+import           Data.Maybe    (mapMaybe)
+
+import           RSCoin.Core   (constructPublicKey, initLogging, logWarning)
 import qualified RSCoin.Notary as N
 
 import qualified NotaryOptions as Opts
@@ -9,12 +12,16 @@ main :: IO ()
 main = do
     Opts.Options{..} <- Opts.getOptions
     initLogging cliLogSeverity
-    let dbPath =
-            if cliMemMode
-                then Nothing
-                else Just cliPath
+    let dbPath = if cliMemMode
+                 then Nothing
+                 else Just cliPath
+    let trustedKeys = mapMaybe constructPublicKey cliTrustedKeys
+    when (length trustedKeys < length cliTrustedKeys) $
+        logWarning "Not all keys were parsed!"
+
     N.launchNotaryReal
         cliLogSeverity
         dbPath
         (N.CACustomLocation cliConfigPath)
         cliWebPort
+        trustedKeys

src/Notary/NotaryOptions.hs

@@ -5,7 +5,8 @@ module NotaryOptions
         , getOptions
         ) where
 
-import           Options.Applicative    (Parser, auto, execParser, fullDesc,
+import           Data.Text              (Text)
+import           Options.Applicative    (Parser, auto, execParser, fullDesc, many,
                                          help, helper, info, long, metavar,
                                          option, progDesc, short, showDefault,
                                          switch, value, (<>))
@@ -22,6 +23,7 @@ data Options = Options
     , cliMemMode     :: Bool
     , cliWebPort     :: Int
     , cliConfigPath  :: FilePath
+    , cliTrustedKeys :: [Text]
     } deriving Show
 
 optionsParser :: FilePath -> FilePath -> Parser Options
@@ -45,7 +47,10 @@ optionsParser configDir defaultConfigPath =
         (long "config-path" <> help "Path to configuration file" <>
          value defaultConfigPath <>
          showDefault <>
-         metavar "FILEPATH")
+         metavar "FILEPATH") <*>
+    many (strOption $ long "trust-keys" <> metavar "[PUBLIC KEY]" <>
+          help "Public keys notary will trust as master keys. If not specifed \
+               \then notary will trust any key")
 
 getOptions :: IO Options
 getOptions = do

src/RSCoin/Core/Communication.hs

@@ -290,9 +290,9 @@ allocateMultisignatureAddress
     -> PartyAddress
     -> AllocationStrategy
     -> Signature
-    -> (PublicKey, Signature)
+    -> Maybe (PublicKey, Signature)
     -> m ()
-allocateMultisignatureAddress msAddr partyAddr allocStrat signature masterCheck = do
+allocateMultisignatureAddress msAddr partyAddr allocStrat signature mMasterCheck = do
     L.logInfo $ sformat
         ( "Allocate new ms address: " % build % "\n,"
         % "from party address: "      % build % "\n"
@@ -304,9 +304,9 @@ allocateMultisignatureAddress msAddr partyAddr allocStrat signature masterCheck
         partyAddr
         allocStrat
         signature
-        (pairBuilder masterCheck)
+        (pairBuilder <$> mMasterCheck)
     callNotary $ P.call (P.RSCNotary P.AllocateMultisig)
-        msAddr partyAddr allocStrat signature masterCheck
+        msAddr partyAddr allocStrat signature mMasterCheck
 
 queryNotaryCompleteMSAddresses :: WorkMode m => m [(Address, TxStrategy)]
 queryNotaryCompleteMSAddresses = do

src/RSCoin/Notary/AcidState.hs

@@ -30,18 +30,21 @@ import           Data.Acid             (AcidState, closeAcidState, makeAcidic,
 import           Data.Acid.Memory      (openMemoryState)
 import           Data.SafeCopy         (base, deriveSafeCopy)
 
-import           RSCoin.Notary.Storage (Storage)
+import           RSCoin.Core           (PublicKey)
+import           RSCoin.Notary.Storage (Storage (..))
 import qualified RSCoin.Notary.Storage as S
 
 type RSCoinNotaryState = AcidState Storage
 
 $(deriveSafeCopy 0 'base ''Storage)
 
-openState :: FilePath -> IO RSCoinNotaryState
-openState fp = openLocalStateFrom fp S.emptyNotaryStorage
+openState :: FilePath -> [PublicKey] -> IO RSCoinNotaryState
+openState fp trustedKeys =
+    openLocalStateFrom fp S.emptyNotaryStorage { _masterKeys = trustedKeys }
 
-openMemState :: IO RSCoinNotaryState
-openMemState = openMemoryState S.emptyNotaryStorage
+openMemState :: [PublicKey] -> IO RSCoinNotaryState
+openMemState trustedKeys =
+    openMemoryState S.emptyNotaryStorage { _masterKeys = trustedKeys }
 
 closeState :: RSCoinNotaryState -> IO ()
 closeState = closeAcidState

src/RSCoin/Notary/Error.hs

@@ -26,7 +26,6 @@ data NotaryError
                                    --   PeriodId supplied -- actual periodId known to Notary
     | NEBlocked                    -- ^ User has reached limit number of attempts for multisig allocation
     | NEInvalidArguments Text      -- ^ Generic exception for invalid arguments
-    | NEInvalidChain Text          -- ^ Invalid chain of certificates provided  @TODO: Deprecated
     | NEInvalidSignature           -- ^ Invalid signature provided
     | NEStrategyNotSupported Text  -- ^ Address's strategy is not supported, with name provided
     | NEUnrelatedSignature Text    -- ^ Signature provided doesn't correspond to any of address' parties
@@ -41,7 +40,6 @@ instance Buildable NotaryError where
     build (NEAddrIdNotInUtxo pId)    = bprint ("NEAddrIdNotInUtxo, notary's periodId " % int) pId
     build NEBlocked                  = "NEBlocked"
     build (NEInvalidArguments msg)   = bprint ("NEInvalidArguments: " % stext) msg
-    build (NEInvalidChain msg)       = bprint ("NEInvalidChain: " % stext) msg
     build NEInvalidSignature         = "NEInvalidSignature"
     build (NEStrategyNotSupported s) = bprint ("NEStrategyNotSupported, strategy " % stext) s
     build (NEUnrelatedSignature msg) = bprint ("NEUnrelatedSignature: " % stext) msg
@@ -56,10 +54,9 @@ instance MessagePack NotaryError where
     toObject (NEAddrIdNotInUtxo pId)    = toObj (1, pId)
     toObject NEBlocked                  = toObj (2, ())
     toObject (NEInvalidArguments msg)   = toObj (3, msg)
-    toObject (NEInvalidChain msg)       = toObj (4, msg)
-    toObject NEInvalidSignature         = toObj (5, ())
-    toObject (NEStrategyNotSupported s) = toObj (6, s)
-    toObject (NEUnrelatedSignature msg) = toObj (7, msg)
+    toObject NEInvalidSignature         = toObj (4, ())
+    toObject (NEStrategyNotSupported s) = toObj (5, s)
+    toObject (NEUnrelatedSignature msg) = toObj (6, msg)
 
     fromObject obj = do
         (i, payload) <- fromObject obj
@@ -68,8 +65,7 @@ instance MessagePack NotaryError where
             1 -> NEAddrIdNotInUtxo      <$> fromObject payload
             2 -> pure NEBlocked
             3 -> NEInvalidArguments     <$> fromObject payload
-            4 -> NEInvalidChain         <$> fromObject payload
-            5 -> pure NEInvalidSignature
-            6 -> NEStrategyNotSupported <$> fromObject payload
-            7 -> NEUnrelatedSignature   <$> fromObject payload
+            4 -> pure NEInvalidSignature
+            5 -> NEStrategyNotSupported <$> fromObject payload
+            6 -> NEUnrelatedSignature   <$> fromObject payload
             _ -> Nothing

src/RSCoin/Notary/Launcher.hs

@@ -11,7 +11,7 @@ import           Network.Wai                          (Middleware)
 import           Network.Wai.Handler.Warp             (run)
 import           Network.Wai.Middleware.RequestLogger (logStdout, logStdoutDev)
 
-import           RSCoin.Core                          (Severity (..),
+import           RSCoin.Core                          (PublicKey, Severity (..),
                                                        notaryLoggerName)
 import           RSCoin.Notary.AcidState              (RSCoinNotaryState,
                                                        closeState, openMemState,
@@ -22,11 +22,16 @@ import           RSCoin.Timed                         (ContextArgument (..),
                                                        fork_,
                                                        runRealModeUntrusted)
 
-launchNotaryReal :: Severity -> Maybe FilePath -> ContextArgument -> Int -> IO ()
-launchNotaryReal logSeverity dbPath ca webPort = do
+launchNotaryReal :: Severity
+                 -> Maybe FilePath
+                 -> ContextArgument
+                 -> Int
+                 -> [PublicKey]
+                 -> IO ()
+launchNotaryReal logSeverity dbPath ca webPort trustedKeys = do
     let openAction = maybe openMemState openState dbPath
     runRealModeUntrusted notaryLoggerName ca $
-        bracket (liftIO openAction) (liftIO . closeState) $
+        bracket (liftIO $ openAction trustedKeys) (liftIO . closeState) $
         \st -> do
             fork_ $ serveNotary st
             launchWeb webPort logSeverity st

src/RSCoin/Notary/Server.hs

@@ -181,13 +181,13 @@ handleAllocateMultisig
     -> C.PartyAddress
     -> C.AllocationStrategy
     -> C.Signature
-    -> (C.PublicKey, C.Signature)
+    -> Maybe (C.PublicKey, C.Signature)
     -> m ()
-handleAllocateMultisig st msAddr partyAddr allocStrat signature masterCheck = toServer $ do
+handleAllocateMultisig st msAddr partyAddr allocStrat signature mMasterCheck = toServer $ do
     C.logDebug "Begining allocation MS address..."
     C.logDebug $
-        sformat ("SigPair: " % build % ", Chain: " % build) signature (pairBuilder masterCheck)
-    update' st $ AllocateMSAddress msAddr partyAddr allocStrat signature masterCheck
+        sformat ("SigPair: " % build % ", Chain: " % build) signature (pairBuilder <$> mMasterCheck)
+    update' st $ AllocateMSAddress msAddr partyAddr allocStrat signature mMasterCheck
 
     -- @TODO: get query only in Debug mode
     currentMSAddresses <- query' st QueryAllMSAdresses

src/RSCoin/Notary/Storage.hs

@@ -5,7 +5,7 @@
 -- | Storage for Notary's data.
 
 module RSCoin.Notary.Storage
-        ( Storage
+        ( Storage (_masterKeys)
         , acquireSignatures
         , addSignedTransaction
         , allocateMSAddress
@@ -77,6 +77,10 @@ data Storage = Storage
       -- | Mapping between addrid and address.
     , _utxo                   :: !Utxo
 
+      -- | Trusted master keys to check for signatures in MS address allocation &
+      -- transaction signing.
+    , _masterKeys             :: ![PublicKey]  -- @TODO: replace with HashSet
+
       -- | Last periodId, known to Notary.
     , _periodId               :: !PeriodId
     } deriving (Show)
@@ -93,6 +97,7 @@ emptyNotaryStorage =
     , _periodStats            = M.empty
     , _addresses              = M.empty
     , _utxo                   = M.empty
+    , _masterKeys             = []
     , _periodId               = -1
     }
 
@@ -158,20 +163,20 @@ addSignedTransaction tx addr sg@(sigAddr, sig) = do
 -- | Allocate new multisignature address by chosen strategy and
 -- given chain of certificates.
 allocateMSAddress
-    :: MSAddress              -- ^ New multisig address itself
-    -> PartyAddress           -- ^ Address of party who call this
-    -> AllocationStrategy     -- ^ Strategy for MS address allocation
-    -> Signature              -- ^ 'Signature' of @(msAddr, argStrategy)@
-    -> (PublicKey, Signature) -- ^ Party address authorization.
-                              -- 1. cold master public key
-                              -- 2. signature of party by master key
+    :: MSAddress                    -- ^ New multisig address itself
+    -> PartyAddress                 -- ^ Address of party who call this
+    -> AllocationStrategy           -- ^ Strategy for MS address allocation
+    -> Signature                    -- ^ 'Signature' of @(msAddr, argStrategy)@
+    -> Maybe (PublicKey, Signature) -- ^ Party address authorization.
+                                    -- 1. cold master public key
+                                    -- 2. signature of party by master key
     -> Update Storage ()
 allocateMSAddress
     msAddr
     argPartyAddress
     argStrategy@AllocationStrategy{..}
     requestSig
-    (masterPk, masterSlaveSig)
+    mMasterSlavePair
   = do
       -- too many checks :( I wish I know which one we shouldn't check
       -- but order of checks matters!!!
@@ -181,18 +186,24 @@ allocateMSAddress
               TrustParty{..} -> hotTrustKey
               UserParty{..}  -> partyPk
 
-      unless (verify masterPk masterSlaveSig slavePk) $
-          throwM $ NEUnrelatedSignature "partyAddr not signed with masterPk"
+      trustedKeys <- use masterKeys
+      unless (null trustedKeys) $ case mMasterSlavePair of
+          Nothing -> throwM $ NEInvalidArguments "You should provide master pk and slave signature"
+          Just (masterPk, masterSlaveSig) -> do
+              unless (verify masterPk masterSlaveSig slavePk) $
+                  throwM $ NEUnrelatedSignature "partyAddr not signed with masterPk"
+              when (masterPk `notElem` trustedKeys) $
+                  throwM $ NEInvalidArguments "provided master pk is not a trusted key"
       unless (verify slavePk requestSig signedData) $
           throwM $ NEUnrelatedSignature $ sformat
               ("(msAddr, strategy) not signed with proper sk for pk: " % build) slavePk
-     -- @TODO: check if master in rootPks (DOS otherwise)
       when (_sigNumber <= 0) $
           throwM $ NEInvalidArguments "required number of signatures should be positive"
       when (_sigNumber > HS.size _allParties) $
           throwM $ NEInvalidArguments "required number of signatures is greater then party size"
       unless (partyToAllocation argPartyAddress `HS.member` _allParties) $
           throwM $ NEInvalidArguments "party address not in set of addresses"
+
       guardMaxAttemps partyAddr
 
       mMSAddressInfo <- uses allocationStrategyPool $ M.lookup msAddr