Add node ID to index mapping to DKG data model #441
Conversation
|
I'm also leaning towards option 2. We actually can remove fields in upgrades. It doesn't delete the state, but it removes the ability to access it anywhere, so that is an option. Might be good to keep the field though for the small chance that we might actually need it again in the future |
| return false | ||
| } | ||
| // TODO: validate equality check on list is safe | ||
| if self.pubKeys != other.pubKeys { |
There was a problem hiding this comment.
Do we expect these to be in the same exact order or just contain the same keys?
There was a problem hiding this comment.
Equivalent ResultSubmission would need to have them in the same order, because the index is meaningful in the DKG.
contracts/epochs/FlowDKG.cdc
Outdated
| @@ -357,6 +426,7 @@ access(all) contract FlowDKG { | |||
| } | |||
|
|
|||
| /// Get the count of the final submissions array | |||
| // TODO: Should this be a view function? | |||
There was a problem hiding this comment.
yes, probably should be view
Sounds good. We'll move ahead in that direction then - thanks for the review! I agree keeping the deprecated fields (at least at first) is the better move. |
- make funs view - improve docs - remove commented-out code
was called "publish participant" but was actually publishing admin
| // By convention, all keys are encoded as lowercase hex strings, though it is not enforced here. | ||
| // | ||
| // INVARIANTS: | ||
| // (1) either all fields are nil (empty submission) or no fields are nil |
There was a problem hiding this comment.
Previously, the data model for submissions was [String?], so some keys could be nil and some could be non-nil. If any keys were nil, we considered the submission invalid ("empty" in the terminology used in this PR).
This PR changes the data model so that either all fields are nil, or none are, and enforces this in the constructor.
| @@ -119,6 +333,7 @@ access(all) contract FlowDKG { | |||
|
|
|||
| /// Posts a whiteboard message to the contract | |||
| access(all) fun postMessage(_ content: String) { | |||
| // TODO: DKG enabled? | |||
There was a problem hiding this comment.
It seems like the smart contract allows posting whiteboard messages and sending final submissions even when the DKG is disabled 🤔. I don't think this matters functionally because:
- the DKG cannot be ended (winning final submission retrieved) if it is disabled
- when enabled/started, all state including whiteboard messages and submissions are wiped
For clarity though, I think we should disallow interacting with the contract while it is disabled.
There was a problem hiding this comment.
That is fine with me. Feel free to add those pre-conditions to the functions if you want!
| @@ -279,36 +442,9 @@ access(all) contract FlowDKG { | |||
| } | |||
| } | |||
|
|
|||
| /// Checks if two final submissions are equal by comparing each element | |||
| /// Each element has to be exactly the same and in the same order | |||
| access(account) fun submissionsEqual(_ existingSubmission: [String?], _ submission: [String?]): Bool { | |||
There was a problem hiding this comment.
Replaced with ResultSubmission.equals
| @@ -139,57 +354,9 @@ access(all) contract FlowDKG { | |||
| /// Sends the final key vector submission. | |||
| /// Can only be called by consensus nodes that are registered | |||
| /// and can only be called once per consensus node per epoch | |||
| access(all) fun sendFinalSubmission(_ submission: [String?]) { | |||
There was a problem hiding this comment.
Replaced with SubmissionTracker methods
| } | ||
|
|
||
| // Borrows the singleton SubmissionTracker from storage; panics if none exists. | ||
| access(contract) view fun mustBorrowSubmissionTracker(): &FlowDKG.SubmissionTracker { |
There was a problem hiding this comment.
This can be used to read from SubmissionTracker in a view-only context.
| @@ -19,10 +19,6 @@ import ( | |||
| "github.com/onflow/flow-core-contracts/lib/go/templates" | |||
There was a problem hiding this comment.
These tests are updated to the point where they are passing, however there are still several places (noted as TODO comments) where additional updates should be made prior to merging. In particular cases where the test is expecting a failure, but the failure occurs for the wrong reason (like passing in the old transaction arguments).
jordanschalm
changed the title
There was a problem hiding this comment.
Looks pretty good! I just had a few comments. I appreciate converting some of the tests to the Cadence testing framework. Still will need to make sure all the important transactions are tested in Go though because we need to make sure the templates package is still working properly and returning valid transactions.
| if groupPubKey == nil && pubKeys == nil && idMapping == nil { | ||
| return true | ||
| } | ||
| // Otherwise, all fields must be non-nil | ||
| return groupPubKey != nil && pubKeys != nil && idMapping != nil |
There was a problem hiding this comment.
I'm a little confused. The comments make it seem like this function is checking if any submission is valid, but the function name is isValidNilSubmission, which makes me think that this should only verify that the all-nil case is valid. Maybe it should be renamed to isValidSubmission? Also, we can simplify the conditional I think:
return (groupPubKey == nil && pubKeys == nil && idMapping == nil)
|| (groupPubKey != nil && pubKeys != nil && idMapping != nil)
|
|
||
| // Checks that an id mapping (part of ResultSubmission) contains one entry per public key. | ||
| access(all) view fun isValidIDMapping(pubKeys: [String]?, idMapping: {String: Int}?): Bool { | ||
| if pubKeys == nil { |
There was a problem hiding this comment.
Should this be pubKeys == nil && idMapping == nil?
|
|
||
| init(groupPubKey: String?, pubKeys: [String]?, idMapping: {String:Int}?) { | ||
| pre { | ||
| FlowDKG.isValidNilSubmission(groupPubKey: groupPubKey, pubKeys: pubKeys, idMapping: idMapping): "invalid empty submission" |
There was a problem hiding this comment.
| FlowDKG.isValidNilSubmission(groupPubKey: groupPubKey, pubKeys: pubKeys, idMapping: idMapping): "invalid empty submission" | |
| FlowDKG.isValidNilSubmission(groupPubKey: groupPubKey, pubKeys: pubKeys, idMapping: idMapping): | |
| "FlowDKG.ResultSubmission.init: Invalid DKG Result Submission! " | |
| .concat("DKG fields must all be `nil` or all be non-`nil`") |
I'm going through all the core contracts repos and updating the error messages to be more helpful, so it would be good to start doing this for all our PRs from now on. Basically going off the guidelines in this issue. Can you do something similar for the other panics in this PR?
| // CAUTION: This method should only be called by Participant, which enforces that Participant.nodeID is passed in. | ||
| access(all) fun addSubmission(nodeID: String, submission: ResultSubmission) { | ||
| pre { | ||
| self.authorized[nodeID] != nil: "must be authorized for this DKG instance" |
There was a problem hiding this comment.
| self.authorized[nodeID] != nil: "must be authorized for this DKG instance" | |
| self.authorized[nodeID] != nil: | |
| "FlowDKG.addSubmission: Cannot add Result Submission for DKG for epoch " | |
| .concat(FlowEpoch.proposedEpochCounter().toString()) | |
| .concat(". The node with id ").concat(nodeID) | |
| .concat(" that is submitting the Result Submission is not authorized for this DKG instance." |
Same comment about error messages here.
| @@ -119,6 +333,7 @@ access(all) contract FlowDKG { | |||
|
|
|||
| /// Posts a whiteboard message to the contract | |||
| access(all) fun postMessage(_ content: String) { | |||
| // TODO: DKG enabled? | |||
There was a problem hiding this comment.
That is fine with me. Feel free to add those pre-conditions to the functions if you want!
|
|
||
| // Borrows the singleton SubmissionTracker from storage; panics if none exists. | ||
| access(contract) view fun mustBorrowSubmissionTracker(): &FlowDKG.SubmissionTracker { | ||
| return self.account.storage.borrow<&SubmissionTracker>(from: /storage/flowDKGFinalSubmissionTracker)! |
There was a problem hiding this comment.
Should we add a ?? panic() here?
|
|
||
| prepare(signer: auth(BorrowValue) &Account) { | ||
| self.dkgParticipant = signer.storage.borrow<&FlowDKG.Participant>(from: FlowDKG.ParticipantStoragePath) | ||
| ?? panic("Cannot borrow dkg participant reference") |
There was a problem hiding this comment.
| ?? panic("Cannot borrow dkg participant reference") | |
| ?? panic("Cannot borrow DKG Participant Reference from path " | |
| .concat(FlowDKG.ParticipantStoragePath) | |
| .concat(". The signer needs to make sure their account is initialized with the DKG Participant resource.")) |
It would be good to start updating the error messages here too. This would apply to most of the DKG transactions here too
Ref: onflow/flow-go#6213
General Context
This PR modifies the DKG result data model to include an explicit mapping from node ID to DKG index. Currently the submission is an ordered list of keys, with the mapping being implicit based on the ordering. To support EFM Recovery we need to explicitly encode the index mapping and include it in the
EpochCommitevent. See onflow/flow-go#6213 for details.📝 Notes about implementation options from original draft
I broadly see two approaches to implement this:
finalSubmissionByNodeIDanduniqueFinalSubmissions.The contract would use the new and existing fields together, and would need to maintain consistency between them.
finalSubmissionByNodeIDanduniqueFinalSubmissions.The existing fields would be deprecated (we can't remove them because of upgrade limitations, but they would not be referenced by any code in the contract).
After noodling around a bit with both, I'm inclined to go with Option 2, because it seems easier to work with and reason about the submission state when it's encapsulated in one field (and type).
Changes
ResultSubmissionthat encapsulates one complete DKG submission, (replaces[String?])SubmissionTrackerthat encapsulates the state for all DKG submissions for one DKG instance[String]dkgGroupKeyanddkgIdMappingfields toEpochCommit(previously the group key was by convention the first entry in the singledkgPubKeysentry