feat: whitelist connection gater

changelog.md

@@ -24,6 +24,7 @@
 * [2979](https://github.com/zeta-chain/node/pull/2979) - add fungible keeper ability to lock/unlock ZRC20 tokens
 * [3012](https://github.com/zeta-chain/node/pull/3012) - integrate authenticated calls erc20 smart contract functionality into protocol
 * [3025](https://github.com/zeta-chain/node/pull/3025) - standard memo for Bitcoin inbound
+* [3028](https://github.com/zeta-chain/node/pull/3028) - whitelist connection gater
 
 ### Refactor
 

cmd/zetaclientd/start.go

@@ -13,10 +13,12 @@ import (
 	"time"
 
 	"github.com/cometbft/cometbft/crypto/secp256k1"
+	"github.com/libp2p/go-libp2p/core/peer"
 	maddr "github.com/multiformats/go-multiaddr"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	"gitlab.com/thorchain/tss/go-tss/conversion"
 
 	"github.com/zeta-chain/node/pkg/authz"
 	"github.com/zeta-chain/node/pkg/chains"
@@ -204,8 +206,19 @@ func start(_ *cobra.Command, _ []string) error {
 	}
 
 	telemetryServer.SetIPAddress(cfg.PublicIP)
+
+	nodeAccounts := appContext.GetNodeAccounts()
+	whitelistedPeers := []peer.ID{}
+	for _, nodeAccount := range nodeAccounts {
+		pid, err := conversion.Bech32PubkeyToPeerID(nodeAccount.GranteePubkey.Secp256k1.String())
+		if err != nil {
+			return err
+		}
+		whitelistedPeers = append(whitelistedPeers, pid)
+	}
+
 	// Create TSS server
-	server, err := mc.SetupTSSServer(peers, priKey, preParams, appContext.Config(), tssKeyPass, true)
+	server, err := mc.SetupTSSServer(peers, priKey, preParams, appContext.Config(), tssKeyPass, true, whitelistedPeers)
 	if err != nil {
 		return fmt.Errorf("SetupTSSServer error: %w", err)
 	}

go.mod

@@ -367,5 +367,5 @@ replace (
 	github.com/bnb-chain/tss-lib => github.com/zeta-chain/tss-lib v0.0.0-20240916163010-2e6b438bd901
 	github.com/ethereum/go-ethereum => github.com/zeta-chain/go-ethereum v1.10.26-spc
 	github.com/libp2p/go-libp2p => github.com/zeta-chain/go-libp2p v0.0.0-20240710192637-567fbaacc2b4
-	gitlab.com/thorchain/tss/go-tss => github.com/zeta-chain/go-tss v0.0.0-20240916173049-89fee4b0ae7f
+	gitlab.com/thorchain/tss/go-tss => github.com/zeta-chain/go-tss v0.0.0-20241028203048-62ae2bb54949
 )

go.sum

@@ -4204,8 +4204,8 @@ github.com/zeta-chain/go-ethereum v1.10.26-spc h1:NvY4rR9yw52wfxWt7YoFsWbaIwVMyO
 github.com/zeta-chain/go-ethereum v1.10.26-spc/go.mod h1:/6CsT5Ceen2WPLI/oCA3xMcZ5sWMF/D46SjM/ayY0Oo=
 github.com/zeta-chain/go-libp2p v0.0.0-20240710192637-567fbaacc2b4 h1:FmO3HfVdZ7LzxBUfg6sVzV7ilKElQU2DZm8PxJ7KcYI=
 github.com/zeta-chain/go-libp2p v0.0.0-20240710192637-567fbaacc2b4/go.mod h1:TBv5NY/CqWYIfUstXO1fDWrt4bDoqgCw79yihqBspg8=
-github.com/zeta-chain/go-tss v0.0.0-20240916173049-89fee4b0ae7f h1:XqUvw9a3EnDa271r5/tjRy90U2l1E8thdWzlrkbrEGE=
-github.com/zeta-chain/go-tss v0.0.0-20240916173049-89fee4b0ae7f/go.mod h1:B1FDE6kHs8hozKSX1/iXgCdvlFbS6+FeAupoBHDK0Cc=
+github.com/zeta-chain/go-tss v0.0.0-20241028203048-62ae2bb54949 h1:dBwx99+oymiyecnRGu1dnkJmYn2SAgBexBJ6nsdJt+E=
+github.com/zeta-chain/go-tss v0.0.0-20241028203048-62ae2bb54949/go.mod h1:B1FDE6kHs8hozKSX1/iXgCdvlFbS6+FeAupoBHDK0Cc=
 github.com/zeta-chain/keystone/keys v0.0.0-20240826165841-3874f358c138 h1:vck/FcIIpFOvpBUm0NO17jbEtmSz/W/a5Y4jRuSJl6I=
 github.com/zeta-chain/keystone/keys v0.0.0-20240826165841-3874f358c138/go.mod h1:U494OsZTWsU75hqoriZgMdSsgSGP1mUL1jX+wN/Aez8=
 github.com/zeta-chain/protocol-contracts v1.0.2-athens3.0.20241021075719-d40d2e28467c h1:ZoFxMMZtivRLquXVq1sEVlT45UnTPMO1MSXtc88nDv4=

pkg/rpc/clients_observer.go

@@ -114,13 +114,22 @@ func (c *Clients) GetKeyGen(ctx context.Context) (types.Keygen, error) {
 }
 
 // GetAllNodeAccounts returns all node accounts
-func (c *Clients) GetAllNodeAccounts(ctx context.Context) ([]*types.NodeAccount, error) {
+func (c *Clients) GetAllNodeAccounts(ctx context.Context) ([]types.NodeAccount, error) {
 	resp, err := c.Observer.NodeAccountAll(ctx, &types.QueryAllNodeAccountRequest{})
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to get all node accounts")
 	}
 
-	return resp.NodeAccount, nil
+	result := make([]types.NodeAccount, len(resp.NodeAccount))
+	for i, nodeAccount := range resp.NodeAccount {
+		if nodeAccount != nil {
+			result[i] = *nodeAccount
+		} else {
+			return nil, fmt.Errorf("node account is nil")
+		}
+	}
+
+	return result, nil
 }
 
 // GetBallot returns a ballot by ID

pkg/rpc/clients_test.go

@@ -513,7 +513,7 @@ func TestZetacore_GetAllNodeAccounts(t *testing.T) {
 
 	resp, err := client.GetAllNodeAccounts(ctx)
 	require.NoError(t, err)
-	require.Equal(t, expectedOutput.NodeAccount, resp)
+	require.Equal(t, []observertypes.NodeAccount{*expectedOutput.NodeAccount[0]}, resp)
 }
 
 func TestZetacore_GetKeyGen(t *testing.T) {

zetaclient/chains/evm/observer/observer_test.go

@@ -76,6 +76,7 @@ func getAppContext(
 		chainParams,
 		"tssPubKey",
 		*sample.CrosschainFlags(),
+		[]observertypes.NodeAccount{*sample.NodeAccount()},
 	)
 	require.NoError(t, err)
 

zetaclient/chains/evm/signer/signer_test.go

@@ -260,6 +260,7 @@ func makeCtx(t *testing.T) context.Context {
 		},
 		"tssPubKey",
 		observertypes.CrosschainFlags{},
+		[]observertypes.NodeAccount{*sample.NodeAccount()},
 	)
 	require.NoError(t, err, "unable to update app context")
 

zetaclient/context/app.go

@@ -13,6 +13,7 @@ import (
 	"golang.org/x/exp/slices"
 
 	"github.com/zeta-chain/node/pkg/chains"
+	"github.com/zeta-chain/node/pkg/crypto"
 	observertypes "github.com/zeta-chain/node/x/observer/types"
 	"github.com/zeta-chain/node/zetaclient/config"
 )
@@ -37,6 +38,9 @@ type AppContext struct {
 	// keygen is the current tss keygen state
 	keygen observertypes.Keygen
 
+	// nodeAccounts is array of current node accounts
+	nodeAccounts []observertypes.NodeAccount
+
 	mu sync.RWMutex
 }
 
@@ -51,6 +55,7 @@ func New(cfg config.Config, relayerKeyPasswords map[string]string, logger zerolo
 		crosschainFlags:  observertypes.CrosschainFlags{},
 		currentTssPubKey: "",
 		keygen:           observertypes.Keygen{},
+		nodeAccounts:     []observertypes.NodeAccount{},
 
 		mu: sync.RWMutex{},
 	}
@@ -120,6 +125,27 @@ func (a *AppContext) GetKeygen() observertypes.Keygen {
 	}
 }
 
+func (a *AppContext) GetNodeAccounts() []observertypes.NodeAccount {
+	a.mu.RLock()
+	defer a.mu.RUnlock()
+
+	// deep copy node accounts
+	nodeAccounts := []observertypes.NodeAccount{}
+	for _, nodeAccount := range a.nodeAccounts {
+		nodeAccounts = append(nodeAccounts, observertypes.NodeAccount{
+			Operator:       nodeAccount.Operator,
+			GranteeAddress: nodeAccount.GranteeAddress,
+			GranteePubkey: &crypto.PubKeySet{
+				Secp256k1: nodeAccount.GranteePubkey.Secp256k1,
+				Ed25519:   nodeAccount.GranteePubkey.Ed25519,
+			},
+			NodeStatus: nodeAccount.NodeStatus,
+		})
+	}
+
+	return nodeAccounts
+}
+
 // GetCurrentTssPubKey returns the current tss pubKey.
 func (a *AppContext) GetCurrentTssPubKey() string {
 	a.mu.RLock()
@@ -144,13 +170,16 @@ func (a *AppContext) Update(
 	freshChainParams map[int64]*observertypes.ChainParams,
 	tssPubKey string,
 	crosschainFlags observertypes.CrosschainFlags,
+	nodeAccounts []observertypes.NodeAccount,
 ) error {
 	// some sanity checks
 	switch {
 	case len(freshChains) == 0:
 		return fmt.Errorf("no chains present")
 	case len(freshChainParams) == 0:
 		return fmt.Errorf("no chain params present")
+	case len(nodeAccounts) == 0:
+		return fmt.Errorf("node accounts empty")
 	case tssPubKey == "" && a.currentTssPubKey != "":
 		// note that if we're doing a fresh start, we ALLOW an empty tssPubKey
 		return fmt.Errorf("tss pubkey is empty")
@@ -173,6 +202,7 @@ func (a *AppContext) Update(
 	a.crosschainFlags = crosschainFlags
 	a.keygen = keygen
 	a.currentTssPubKey = tssPubKey
+	a.nodeAccounts = nodeAccounts
 
 	return nil
 }

zetaclient/context/app_test.go

@@ -69,6 +69,7 @@ func TestAppContext(t *testing.T) {
 		require.Empty(t, appContext.GetCrossChainFlags())
 		require.False(t, appContext.IsInboundObservationEnabled())
 		require.False(t, appContext.IsOutboundObservationEnabled())
+		require.Empty(t, appContext.GetNodeAccounts())
 
 		// Given some data that is supposed to come from ZetaCore RPC
 		newChains := []chains.Chain{
@@ -88,8 +89,12 @@ func TestAppContext(t *testing.T) {
 			fancyL2,
 		}
 
+		nodeAccounts := []types.NodeAccount{
+			*sample.NodeAccount(),
+		}
+
 		// ACT
-		err = appContext.Update(keyGen, newChains, additionalChains, chainParams, ttsPubKey, ccFlags)
+		err = appContext.Update(keyGen, newChains, additionalChains, chainParams, ttsPubKey, ccFlags, nodeAccounts)
 
 		// ASSERT
 		require.NoError(t, err)
@@ -101,6 +106,7 @@ func TestAppContext(t *testing.T) {
 		assert.Equal(t, ccFlags, appContext.GetCrossChainFlags())
 		assert.True(t, appContext.IsInboundObservationEnabled())
 		assert.True(t, appContext.IsOutboundObservationEnabled())
+		assert.Equal(t, nodeAccounts, appContext.GetNodeAccounts())
 
 		// Check ETH Chain
 		ethChain, err := appContext.GetChain(1)
@@ -132,7 +138,7 @@ func TestAppContext(t *testing.T) {
 				{
 					name: "update with empty chains results in an error",
 					act: func(a *AppContext) error {
-						return appContext.Update(keyGen, newChains, nil, nil, ttsPubKey, ccFlags)
+						return appContext.Update(keyGen, newChains, nil, nil, ttsPubKey, ccFlags, nodeAccounts)
 					},
 					assert: func(t *testing.T, a *AppContext, err error) {
 						assert.ErrorContains(t, err, "no chain params present")
@@ -153,7 +159,7 @@ func TestAppContext(t *testing.T) {
 						chainParamsWithOpt := maps.Clone(chainParams)
 						chainParamsWithOpt[opParams.ChainId] = opParams
 
-						return a.Update(keyGen, chainsWithOpt, additionalChains, chainParamsWithOpt, ttsPubKey, ccFlags)
+						return a.Update(keyGen, chainsWithOpt, additionalChains, chainParamsWithOpt, ttsPubKey, ccFlags, nodeAccounts)
 					},
 					assert: func(t *testing.T, a *AppContext, err error) {
 						assert.ErrorIs(t, err, ErrChainNotSupported)
@@ -164,7 +170,7 @@ func TestAppContext(t *testing.T) {
 					name: "trying to add zeta chain without chain params is allowed",
 					act: func(a *AppContext) error {
 						chainsWithZeta := append(newChains, chains.ZetaChainMainnet)
-						return a.Update(keyGen, chainsWithZeta, additionalChains, chainParams, ttsPubKey, ccFlags)
+						return a.Update(keyGen, chainsWithZeta, additionalChains, chainParams, ttsPubKey, ccFlags, nodeAccounts)
 					},
 					assert: func(t *testing.T, a *AppContext, err error) {
 						assert.NoError(t, err)
@@ -186,7 +192,7 @@ func TestAppContext(t *testing.T) {
 
 						chainsWithZeta := append(newChains, chains.ZetaChainMainnet)
 
-						return a.Update(keyGen, chainsWithZeta, additionalChains, chainParamsWithZeta, ttsPubKey, ccFlags)
+						return a.Update(keyGen, chainsWithZeta, additionalChains, chainParamsWithZeta, ttsPubKey, ccFlags, nodeAccounts)
 					},
 					assert: func(t *testing.T, a *AppContext, err error) {
 						assert.NoError(t, err)
@@ -209,7 +215,7 @@ func TestAppContext(t *testing.T) {
 						updatedChainParams[maticParams.ChainId] = maticParams
 						delete(updatedChainParams, chains.ZetaChainMainnet.ChainId)
 
-						return a.Update(keyGen, newChains, additionalChains, updatedChainParams, ttsPubKey, ccFlags)
+						return a.Update(keyGen, newChains, additionalChains, updatedChainParams, ttsPubKey, ccFlags, nodeAccounts)
 					},
 					assert: func(t *testing.T, a *AppContext, err error) {
 						assert.ErrorContains(t, err, "unable to locate fresh chain 137 based on chain params")

zetaclient/orchestrator/bootstap_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/zeta-chain/node/pkg/chains"
 	"github.com/zeta-chain/node/pkg/ptr"
+	"github.com/zeta-chain/node/testutil/sample"
 	observertypes "github.com/zeta-chain/node/x/observer/types"
 	"github.com/zeta-chain/node/zetaclient/chains/base"
 	"github.com/zeta-chain/node/zetaclient/chains/interfaces"
@@ -453,6 +454,7 @@ func mustUpdateAppContext(
 		chainParams,
 		"tssPubKey",
 		app.GetCrossChainFlags(),
+		[]observertypes.NodeAccount{*sample.NodeAccount()},
 	)
 
 	require.NoError(t, err)

zetaclient/orchestrator/orchestrator_test.go

@@ -551,6 +551,7 @@ func createAppContext(t *testing.T, chainsOrParams ...any) *zctx.AppContext {
 		params,
 		"tssPubKey",
 		*ccFlags,
+		[]observertypes.NodeAccount{*sample.NodeAccount()},
 	)
 	require.NoError(t, err, "failed to update app context")
 

zetaclient/tss/tss_signer.go

@@ -148,6 +148,7 @@ func SetupTSSServer(
 	cfg config.Config,
 	tssPassword string,
 	enableMonitor bool,
+	whitelistedPeers []gopeer.ID,
 ) (*tss.TssServer, error) {
 	bootstrapPeers := peer
 	log.Info().Msgf("Peers AddrList %v", bootstrapPeers)
@@ -185,6 +186,7 @@ func SetupTSSServer(
 		preParams, // use pre-generated pre-params if non-nil
 		IP,        // for docker test
 		tssPassword,
+		whitelistedPeers,
 	)
 	if err != nil {
 		log.Error().Err(err).Msg("NewTSS error")

zetaclient/zetacore/client.go

@@ -373,6 +373,11 @@ func (c *Client) UpdateAppContext(ctx context.Context, appContext *zctx.AppConte
 
 	freshParams := make(map[int64]*observertypes.ChainParams, len(chainParams))
 
+	nodeAccounts, err := c.GetAllNodeAccounts(ctx)
+	if err != nil {
+		return errors.Wrap(err, "unable to fetch node accounts")
+	}
+
 	// check and update chain params for each chain
 	// Note that we are EXCLUDING ZetaChain from the chainParams if it's present
 	for i := range chainParams {
@@ -402,6 +407,7 @@ func (c *Client) UpdateAppContext(ctx context.Context, appContext *zctx.AppConte
 		freshParams,
 		tss.GetTssPubkey(),
 		crosschainFlags,
+		nodeAccounts,
 	)
 }
 

zetaclient/zetacore/tx_test.go

@@ -343,6 +343,15 @@ func TestZetacore_UpdateAppContext(t *testing.T) {
 						},
 					},
 				})
+			method = "/zetachain.zetacore.observer.Query/NodeAccountAll"
+			s.ExpectUnary(method).
+				UnlimitedTimes().
+				WithPayload(observertypes.QueryAllNodeAccountRequest{}).
+				Return(observertypes.QueryAllNodeAccountResponse{
+					NodeAccount: []*observertypes.NodeAccount{
+						sample.NodeAccount(),
+					},
+				})
 		},
 	)(t)