Relay authentication

[cody-littley]

Why are these changes needed?

Add authentication for GetChunks() requests.

Checks

• I've made sure the tests are passing. Note that there might be a few flaky tests, in that case, please comment that they are not relevant.
• I've checked the new test coverage and the coverage percentage didn't drop.
• Testing Strategy
  • Unit tests
  • Integration tests
  • This PR is not tested :(

[jianoaix]

From the code below, this is interpreted as operator ID. It'll be helpful to document it here so the users know how to set it.

[cody-littley]

I've renamed this field to operator_id. Is that sufficient, or do you think I should add additional documentation?

[jianoaix]

How does this compare to check the authenticator from outside?

[cody-littley]

The way I have it here is wrong (it didn't pass unit tests). I removed this check and instead now make it in the outside context.

[jianoaix]

It'll be helpful to include the block number in error message

[cody-littley]

added

[jianoaix]

There are 2 RPC calls here, it'd be helpful to cache the operator state

[cody-littley]

caching added

[jianoaix]

I'd cache operatorID->G2, this is a mapping that'll not change (hence highly valuable to cache)

[cody-littley]

Done. This will break if we ever allow operators to change keys, but that's a bridge we can cross in the future.

[jianoaix]

Document how this signature should be computed

[cody-littley]

  // If this is an authenticated request, this field will hold a BLS signature by the requester
  // on the hash of this request. Relays may choose to reject unauthenticated requests.
  //
  // The following describes the schema for computing the hash of this request
  // This algorithm is implemented in golang using relay.auth.HashGetChunksRequest().
  //
  // All integers are encoded as unsigned 4 byte big endian values.
  //
  // Perform a keccak256 hash on the following data in the following order:
  // 1. the operator id
  // 2. for each chunk request:
  //    a. if the chunk request is a request by index:
  //       i. the blob key
  //       ii. the start index
  //       iii. the end index
  //    b. if the chunk request is a request by range:
  //       i. the blob key
  //       ii. each requested chunk index, in order
  bytes operator_signature = 3;

[ian-shim]

lgtm! few comments

[ian-shim]

Is this using a built-in indexer? Should we use a graph indexer instead?

[cody-littley]

Converted to use a thegraph indexer

[jianoaix]

It may just preload the cache by storing all operators's pubkeys returned from GetIndexedOperators. This will reduce num of RPCs from 2*NumOperators to 2.

[cody-littley]

Good idea. Done.

func (a *requestAuthenticator) PreloadCache() error {
	blockNumber, err := a.ics.GetCurrentBlockNumber()
	if err != nil {
		return fmt.Errorf("failed to get current block number: %w", err)
	}
	operators, err := a.ics.GetIndexedOperators(context.Background(), blockNumber)
	if err != nil {
		return fmt.Errorf("failed to get operators: %w", err)
	}

	for operatorID, operator := range operators {
		a.keyCache.Add(operatorID, operator.PubkeyG2)
	}

	return nil
}

[jianoaix]

Make it private and run in the the NewRequestAuthenticator?

[cody-littley]

change made

[ian-shim]

We can remove this, right?