feat: check partial witness metadata

[pugachAG]

This PR implements check for partial state witness metadata fields (epoch_id, shard_id, height_created) after decoding complete state witness. This is needed to protect against malicious chunk producer providing incorrect metadata in the partial witness.

Large part of this PR is about moving state witness decoding (decompression + borsh-deserialization) from client to partial witness actor. This is required to implement the check, but also a nice change on its own since wintess decompression can take several dozens of milliseconds, so it is better to avoid blocking client actor.

Closes #11303.

[codecov]

Codecov Report

Attention: Patch coverage is 75.86207% with 7 lines in your changes are missing coverage. Please review.

Project coverage is 71.45%. Comparing base (936d9fd) to head (052e687).

Files	Patch %	Lines
...idation/partial_witness/partial_witness_tracker.rs	66.66%	5 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #11441      +/-   ##
==========================================
- Coverage   71.47%   71.45%   -0.02%     
==========================================
  Files         785      785              
  Lines      158756   158757       +1     
  Branches   158756   158757       +1     
==========================================
- Hits       113466   113445      -21     
- Misses      40398    40423      +25     
+ Partials     4892     4889       -3     

Flag	Coverage Δ
backward-compatibility	0.24% <0.00%> (ø)
db-migration	0.24% <0.00%> (ø)
genesis-check	1.37% <0.00%> (-0.01%)	⬇️
integration-tests	37.50% <75.86%> (-0.10%)	⬇️
linux	68.96% <0.00%> (-0.01%)	⬇️
linux-nightly	70.90% <75.86%> (-0.03%)	⬇️
macos	52.27% <0.00%> (-0.27%)	⬇️
pytests	1.59% <0.00%> (-0.01%)	⬇️
sanity-checks	1.38% <0.00%> (-0.01%)	⬇️
unittests	66.17% <55.17%> (-0.01%)	⬇️
upgradability	0.28% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[shreyan-gupta]

Looks good! Thanks!

[shreyan-gupta]

I checked the use case of raw_witness_size and it's being used in two places

• Validation of too large witnesses in orphan witness pool here
• Orphan witness metrics here

For the size check, we can easily just move it to the partial witness tracker module.

I'm wondering whether it makes sense to push the metrics elsewhere (example decode_state_witness fn) so that we can have a cleaner interface and skip on sending the raw sizes everywhere?

[pugachAG]

I totally agree that passing raw_witness_size around sucks as it pollutes the interface.

I think the proper solution here would be to get rid of orphan pool and merge its functionality into partial witness tracker. That is something I want to do in the long term, so I suggest keeping this size ugliness for now.

[jancionear]

For the size check, we can easily just move it to the partial witness tracker module.

The size check is meant only for orphan witnesses. It's dangerous to apply size limit to all witnesses, as we could end up in a state when the witness is too big and we can't move the chain forward.

[shreyan-gupta]

If we stop caring about passing raw_size to process_chunk_state_witness fn, we can get rid of this function as well.

[shreyan-gupta]

In case this is only used in tests, can we pass some dummy value instead of implementing borsh_size?

[pugachAG]

dummy value would where it doesn't matter, but most test cases are actually on orphan pool where it is actually needed
decided to completely get rid of it and just inline usage for now: 535cef9