Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Network Participiation Authorization #64

Open
heikoheiko opened this issue May 2, 2016 · 5 comments
Open

Network Participiation Authorization #64

heikoheiko opened this issue May 2, 2016 · 5 comments

Comments

@heikoheiko
Copy link
Contributor

Currently anyone can participate in the network and gets broadcasted all transactions and blocks, i.e. can access the full state.

Task: Add permissioning to the network access.

Solution: Contract equivalent to #63, except that we are now storing the public_keys of the network of authorized users in the value filed of users. Also we don't need begin_block. The registrar_address is still an externally owned account address(!).

Extend on_wire_protocol_start https://github.com/HydraChain/hydrachain/blob/develop/hydrachain/hdc_service.py#L488 and check if proto.peer.pub_key is authorized to connect. If not disconnect the client.

Notes: Think about bootstrapping, graceful error messages.

@4gn3s
Copy link

4gn3s commented Nov 10, 2016

Can you explain a bit more on how is_authorized is supposed to work? Can we just pass in a public key (which has been maybe verified somewhere else earlier) and check if it is registered, or do we have to send a signed message and use the public key to check if the sender actually operates the account?

@4gn3s
Copy link

4gn3s commented Nov 14, 2016

Also, can you please tell me how should I test this functionality? Is this test something I should be looking into, or are there any other tools available to test network participation?

@heikoheiko
Copy link
Contributor Author

is_authorized should be implemented as an abstract function that can be registered with the hdc_service, which is called with the pubkey and returns true or false. A concrete implementation would query a registry contract and check if the pubkey is whitelisted. Note that the pubkey needs to be the public key of the node as in the discovery protocol, not one used in the session.

For the test, it's not about preventing transactions but rather about permissioning when connecting to any node. Therefore i'd base it on this test with valid and invalid credentials.

@4gn3s
Copy link

4gn3s commented Nov 14, 2016

Thank you, what about the public key verification? Does the discovery protocol somehow check if the user of the public key also holds the private key? If so, can you point me to the code that does this?

@heikoheiko
Copy link
Contributor Author

heikoheiko commented Nov 14, 2016

Well during the handshake this is verified. I think here:
https://github.com/ethereum/pydevp2p/blob/develop/devp2p/rlpxcipher.py#L221

So this does not need to be checked in hdc_service. There you only check if the RLPxSession.remote_pubkey is whitelisted.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants