Merge pull request #6466 from oasisprotocol/martin/feature/harden-node-registration

go/registry/api: Prevent registering Observer node with 0 runtimes

Author: martintomazic

.changelog/6460.trivial.md

@@ -145,6 +145,12 @@ var (
 
 	// RuntimesRequiredRoles are the Node roles that require runtimes.
 	RuntimesRequiredRoles = node.RoleComputeWorker |
+		node.RoleObserver |
+		node.RoleKeyManager |
+		node.RoleStorageRPC
+
+	// DeprecatedRuntimesRequiredRoles are the legacy Node roles that require runtimes.
+	DeprecatedRuntimesRequiredRoles = node.RoleComputeWorker |
 		node.RoleKeyManager |
 		node.RoleStorageRPC
 
@@ -574,7 +580,11 @@ func VerifyRegisterNodeArgs( // nolint: gocyclo
 	var runtimes []*Runtime
 	switch len(n.Runtimes) {
 	case 0:
-		if n.HasRoles(RuntimesRequiredRoles) {
+		runtimesRequiredRoles := RuntimesRequiredRoles
+		if !isFeatureVersion242 {
+			runtimesRequiredRoles = DeprecatedRuntimesRequiredRoles
+		}
+		if n.HasRoles(runtimesRequiredRoles) {
 			logger.Error("RegisterNode: no runtimes in registration",
 				"node", n,
 			)

go/registry/api/api.go

@@ -116,9 +116,10 @@ func TestVerifyRegisterNodeArgs(t *testing.T) {
 	}
 
 	for _, tc := range []struct {
-		n   node.Node
-		err error
-		msg string
+		n                   node.Node
+		err                 error
+		msg                 string
+		isFeatureVersion242 bool
 	}{
 		{
 			node.Node{
@@ -145,6 +146,7 @@ func TestVerifyRegisterNodeArgs(t *testing.T) {
 			},
 			ErrInvalidArgument,
 			"invalid consensus validator node (missing P2P address)",
+			true,
 		},
 		{
 			node.Node{
@@ -172,6 +174,7 @@ func TestVerifyRegisterNodeArgs(t *testing.T) {
 			},
 			nil,
 			"valid consensus validator node",
+			true,
 		},
 		{
 			node.Node{
@@ -202,6 +205,57 @@ func TestVerifyRegisterNodeArgs(t *testing.T) {
 			},
 			ErrInvalidArgument,
 			"invalid compute worker node (nil runtime)",
+			true,
+		},
+		{
+			node.Node{
+				Versioned: cbor.NewVersioned(2),
+				ID:        nodeSigner.Public(),
+				EntityID:  entityID1,
+				Consensus: node.ConsensusInfo{
+					ID: nodeConsensusSigner.Public(),
+				},
+				TLS: node.TLSInfo{
+					PubKey: nodeTLSSigner.Public(),
+				},
+				P2P: node.P2PInfo{
+					ID:        nodeP2PSigner.Public(),
+					Addresses: []node.Address{{IP: net.IPv4(127, 0, 0, 1), Port: 9002}},
+				},
+				VRF: node.VRFInfo{
+					ID: nodeVRFSigner.Public(),
+				},
+				Roles:      node.RoleObserver,
+				Expiration: 11,
+			},
+			nil,
+			"observer without runtimes is allowed with old consensus feature version",
+			false,
+		},
+		{
+			node.Node{
+				Versioned: cbor.NewVersioned(2),
+				ID:        nodeSigner.Public(),
+				EntityID:  entityID1,
+				Consensus: node.ConsensusInfo{
+					ID: nodeConsensusSigner.Public(),
+				},
+				TLS: node.TLSInfo{
+					PubKey: nodeTLSSigner.Public(),
+				},
+				P2P: node.P2PInfo{
+					ID:        nodeP2PSigner.Public(),
+					Addresses: []node.Address{{IP: net.IPv4(127, 0, 0, 1), Port: 9002}},
+				},
+				VRF: node.VRFInfo{
+					ID: nodeVRFSigner.Public(),
+				},
+				Roles:      node.RoleObserver,
+				Expiration: 11,
+			},
+			ErrInvalidArgument,
+			"observer without runtimes is not allowed",
+			true,
 		},
 	} {
 
@@ -211,7 +265,7 @@ func TestVerifyRegisterNodeArgs(t *testing.T) {
 			&tc.n,
 		)
 		require.NoError(err, "singing node")
-		_, _, err = VerifyRegisterNodeArgs(context.Background(), params, logger, signedNode, entity, time.Now(), 1, false, false, beacon.EpochTime(10), rtLookup, ndLookup, true)
+		_, _, err = VerifyRegisterNodeArgs(context.Background(), params, logger, signedNode, entity, time.Now(), 1, false, false, beacon.EpochTime(10), rtLookup, ndLookup, tc.isFeatureVersion242)
 		switch {
 		case tc.err == nil:
 			require.NoError(err, tc.msg)

go/registry/api/api_test.go

@@ -17,6 +17,7 @@ import (
 //     and platform instances are allowed.
 //   - An updated key manager policy update transaction that applies a new policy at the epoch
 //     boundary.
+//   - A stricter node registration rule where observer nodes must include runtimes.
 const Consensus242 = "consensus242"
 
 // Version242 is the Oasis Core 24.2 version.