initial pepper service for keyless accounts

[zjma]

Description

TODOs

• Rename oidb/pepper to oidb/pepper-service
• Rename oidb/ to keyless/

Test Plan

[trunk-io]

⏱️ 24h 48m total CI duration on this PR

Job	Cumulative Duration	Recent Runs
windows-build	10h 46m	🟩 🟩 🟩 🟩 🟩 (+26 more)
rust-unit-tests	5h 55m	🟥 🟥 🟥 🟥 🟩 (+25 more)
run-tests-main-branch	3h 22m	🟥 🟥 🟥 🟥 🟥 (+26 more)
rust-lints	1h 32m	🟥 🟥 🟥 🟥 🟩 (+25 more)
check-dynamic-deps	1h 3m	🟩 🟩 🟩 🟩 🟩 (+26 more)
general-lints	1h 1m	🟩 🟩 🟩 🟩 🟩 (+25 more)
check	35m	🟩 🟩 🟩 🟩 🟩 (+26 more)
semgrep/ci	15m	🟩 🟩 🟩 🟩 🟩 (+26 more)
file_change_determinator	6m	🟩 🟩 🟩 🟩 🟩 (+26 more)
file_change_determinator	5m	🟩 🟩 🟩 🟩 🟩 (+26 more)
permission-check	4m	🟩 🟩 🟩 🟩 🟩 (+26 more)
permission-check	2m	🟩 🟩 🟩 🟩 🟩 (+26 more)
permission-check	1m	🟩 🟩 🟩 🟩 🟩 (+26 more)
permission-check	1m	🟩 🟩 🟩 🟩 🟩 (+26 more)

🚨 2 jobs on the last run were significantly faster/slower than expected

Job	Duration	vs 7d avg	Delta
run-tests-main-branch	6m	4m
windows-build	12m	20m

_{settings ⋅ feedback ⋅ docs ⋅ learn more about trunk.io}

[gedigi]

should there be any data validation (e.g. max/expected sizes) throughout this function? there's a lot of deserialization and parsing with user-controlled input which could potentially be expensive.

[zjma]

@heliuchuan let's not use *_mod_order as it accepts any byte string, ircc.
Reverse the byte string and use deserialize_compressed instead.

[zjma]

nvm, what's from envvar will be a 256-bit seed and we need to derive sk from the seed.

[aluon]

The dev_setup.sh changes look good to me

[aluon]

Could you also update usage() to describe what the -k flag is used for?

[zjma]

The current dev_setup change is actually a hack... (I'm surprised you didn't hate it lol, because below it's even trying to --break-system-packages)

I could not figure out how to use existing dockerfile templates for pepper service, and the current dockerfile for pepper service is quick and dirty.

I will figure out the right way to docker build and revert this part. But if you are ok with the hack, i guess i can keep using the hack until i figure out?

[aluon]

I think it's fine if this is just a quick hack

How is this image going to be built? If we want to use the GitHub workflows to automate this we probably want to do something similar to the other Dockerfiles for caching

[alinush]

What is this? Can you add a comment? Is this the JWK? If so, why are you calling it a decoding key?

[zjma]

they are required by the jsonwebtoken library to parse jwt without verifing sig (its default behavior is to parse and verify both in one call, but we don't want it).

It's JWK, but the library call it DecodingKey...

I found another library jwt with API that makes more sense, but yet to replace this.

[alinush]

I see. No worries, just move the statics inside the function if that's the only place where they are used?

Plus, in the end we will need to unify the JWT logic so that we can use the same calls in both the prover service, pepper service and the Rust authenticator.

[zjma]

fixed

[alinush]

Is this even used anywhere?

[zjma]

no, since we are not doing encryption at the moment.

[alinush]

Will it be used?

[zjma]

now i remember this can be gone, given EphemeralPublicKey in main.

[zjma]

fixed

[sionescu]

Let's make this @aptos-labs/prod-eng.

[alinush]

@aluon said to use devinfra. Should I change it to prod-eng or add prod-eng next to it?

[sionescu]

@aluon do we need a different team here ?

[alinush]

Also @aluon, there seems to be an error regarding the devinfra team not existing.

[aluon]

Let's set this to aptos-labs/prod-eng for now. I was thinking we could create a devinfra team so we can add other folks but I'm not sure why it's erroring

[sionescu]

Ok.

[alinush]

@zjma this was not resolved. Can you change @aptos-labs/devinfra to @aptos-labs/prod-eng?

[zjma]

i didn't add this diff... why is it even in this PR?

[zjma]

anyway fixed

[alinush]

Can you add comments? What is this?

[zjma]

this is for showing some metadata at /about.
e.g. the commit SHA1

[alinush]

Why are you not returning the proof here? @heliuchuan will want to verify the proof in the SDK.

[zjma]

because the proof is empty?

[alinush]

For BLS, sure, but when you change the scheme, will you put the proof inside pepper_hexlified?

[zjma]

in that case, pepper should be bcs::to_bytes(some_struct_that_include_output_and_proof)?

[alinush]

Sure, but the problem with this PR is that we do not have clean separation between structs and their serialization.

e.g., why is PepperResponse containing hex strings? It should have Vec<u8>'s and the serialization code (BCS, JSON) will decide the format.

[zjma]

fixed

[alinush]

This is not even used...

[zjma]

fixed

[alinush]

Please add comments and explain these fields.

Not sure why there are two things here.

There is just one pepper.

[zjma]

fixed

[alinush]

We will likely move most of this into crates/aptos-crypto and types over time.

[alinush]

Stamping assuming you've addressed the request/response formatting issues. Don't have time to look right now.

[heliuchuan]

stamp request response lgtm

v0 sennddddd

note eventually i think we should use axum over hyper

[heliuchuan]

let's set this to "*" for now

[zjma]

fixed

[github-actions]

✅ Forge suite realistic_env_max_load success on 477f395cdbd35d3a7e4228bfcdf480a4082c9fe6

two traffics test: inner traffic : committed: 7979 txn/s, latency: 4918 ms, (p50: 4800 ms, p90: 5700 ms, p99: 10400 ms), latency samples: 3439100
two traffics test : committed: 100 txn/s, latency: 1880 ms, (p50: 1800 ms, p90: 2000 ms, p99: 6100 ms), latency samples: 1820
Latency breakdown for phase 0: ["QsBatchToPos: max: 0.230, avg: 0.203", "QsPosToProposal: max: 0.320, avg: 0.268", "ConsensusProposalToOrdered: max: 0.455, avg: 0.422", "ConsensusOrderedToCommit: max: 0.296, avg: 0.272", "ConsensusProposalToCommit: max: 0.738, avg: 0.694"]
Max round gap was 1 [limit 4] at version 1652910. Max no progress secs was 4.41434 [limit 15] at version 1652910.
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Test runner output
• Test run is land-blocking

[github-actions]

✅ Forge suite compat success on aptos-node-v1.9.5 ==> 477f395cdbd35d3a7e4228bfcdf480a4082c9fe6

Compatibility test results for aptos-node-v1.9.5 ==> 477f395cdbd35d3a7e4228bfcdf480a4082c9fe6 (PR)
1. Check liveness of validators at old version: aptos-node-v1.9.5
compatibility::simple-validator-upgrade::liveness-check : committed: 6988 txn/s, latency: 4726 ms, (p50: 4800 ms, p90: 7300 ms, p99: 7800 ms), latency samples: 244600
2. Upgrading first Validator to new version: 477f395cdbd35d3a7e4228bfcdf480a4082c9fe6
compatibility::simple-validator-upgrade::single-validator-upgrade : committed: 689 txn/s, latency: 35500 ms, (p50: 38700 ms, p90: 53700 ms, p99: 56400 ms), latency samples: 56500
3. Upgrading rest of first batch to new version: 477f395cdbd35d3a7e4228bfcdf480a4082c9fe6
compatibility::simple-validator-upgrade::half-validator-upgrade : committed: 229 txn/s, submitted: 543 txn/s, expired: 313 txn/s, latency: 38004 ms, (p50: 41800 ms, p90: 56900 ms, p99: 61400 ms), latency samples: 19315
4. upgrading second batch to new version: 477f395cdbd35d3a7e4228bfcdf480a4082c9fe6
compatibility::simple-validator-upgrade::rest-validator-upgrade : committed: 2330 txn/s, latency: 12640 ms, (p50: 12300 ms, p90: 17800 ms, p99: 18400 ms), latency samples: 111880
5. check swarm health
Compatibility test for aptos-node-v1.9.5 ==> 477f395cdbd35d3a7e4228bfcdf480a4082c9fe6 passed
Test Ok

• Grafana dashboard
• Humio Logs
• Axiom Logs
• Test runner output
• Test run is land-blocking