Merge branch 'main' into runtianz/account_perms

aptos-move/e2e-move-tests/README.md

@@ -0,0 +1,9 @@
+# e2e-move-tests
+
+## Keyless
+
+To run the keyless VM tests:
+
+```
+cargo test -- keyless
+```

aptos-move/e2e-move-tests/src/tests/keyless_feature_gating.rs

@@ -16,6 +16,7 @@ use aptos_types::{
         },
         AnyKeylessPublicKey, Configuration, EphemeralCertificate, FederatedKeylessPublicKey,
         Groth16VerificationKey, KeylessPublicKey, KeylessSignature, TransactionAndProof,
+        VERIFICATION_KEY_FOR_TESTING,
     },
     on_chain_config::FeatureFlag,
     transaction::{
@@ -35,7 +36,7 @@ use move_core_types::{
     },
 };
 
-/// Initializes an Aptos VM and sets the keyless configuration via script (the VK is already set in genesis).
+/// Initializes an Aptos VM and sets the keyless configuration via script.
 fn init_feature_gating(
     enabled_features: Vec<FeatureFlag>,
     disabled_features: Vec<FeatureFlag>,
@@ -46,6 +47,12 @@ fn init_feature_gating(
 
     // initialize JWKs
     let core_resources = run_jwk_and_config_script(&mut h);
+    // initialize default VK
+    run_upgrade_vk_script(
+        &mut h,
+        core_resources.clone(),
+        Groth16VerificationKey::from(VERIFICATION_KEY_FOR_TESTING.clone()),
+    );
 
     (h, recipient, core_resources)
 }
@@ -256,6 +263,14 @@ fn test_federated_keyless_at_jwk_addr() {
 
     let jwk_addr = AccountAddress::from_hex_literal("0xadd").unwrap();
 
+    // Step 0: Make sure the default VK is installed
+    let core_resources = h.new_account_at(AccountAddress::from_hex_literal("0xA550C18").unwrap());
+    run_upgrade_vk_script(
+        &mut h,
+        core_resources.clone(),
+        Groth16VerificationKey::from(VERIFICATION_KEY_FOR_TESTING.clone()),
+    );
+
     // Step 1: Make sure TXN validation fails if JWKs are not installed at jwk_addr.
     let (sig, pk) = get_sample_groth16_sig_and_pk();
     let sender = create_federated_keyless_account(&mut h, jwk_addr, pk);
@@ -280,7 +295,7 @@ fn test_federated_keyless_at_jwk_addr() {
     // Step 1: Make sure TXN validation succeeds once JWKs are installed at jwk_addr.
     let iss = get_sample_iss();
     let jwk = get_sample_jwk();
-    let _core_resources = install_federated_jwks_and_set_keyless_config(&mut h, jwk_addr, iss, jwk);
+    let _ = install_federated_jwks_and_set_keyless_config(&mut h, jwk_addr, iss, jwk);
 
     let txn = spend_keyless_account(&mut h, sig, &sender, *recipient.address());
     let output = h.run_raw(txn);
@@ -308,7 +323,14 @@ fn test_federated_keyless_override_at_0x1() {
     let jwk_addr = AccountAddress::from_hex_literal("0xadd").unwrap();
     let iss = get_sample_iss();
     let jwk = secure_test_rsa_jwk(); // this will be the wrong JWK
-    let _core_resources = install_federated_jwks_and_set_keyless_config(&mut h, jwk_addr, iss, jwk);
+    let core_resources = install_federated_jwks_and_set_keyless_config(&mut h, jwk_addr, iss, jwk);
+
+    // Step 0: Make sure the default VK is installed
+    run_upgrade_vk_script(
+        &mut h,
+        core_resources.clone(),
+        Groth16VerificationKey::from(VERIFICATION_KEY_FOR_TESTING.clone()),
+    );
 
     // Step 1: Make sure the TXN does not validate, since the wrong JWK is installed at JWK addr
     let (sig, pk) = get_sample_groth16_sig_and_pk();
@@ -441,7 +463,7 @@ fn create_and_spend_keyless_account(
     spend_keyless_account(h, sig, &account, recipient)
 }
 
-/// Sets the keyless configuration (Note: the VK is already set in genesis.)
+/// Sets the keyless configuration
 fn run_jwk_and_config_script(h: &mut MoveHarness) -> Account {
     let core_resources = h.new_account_at(AccountAddress::from_hex_literal("0xA550C18").unwrap());
 
@@ -475,16 +497,14 @@ fn run_jwk_and_config_script(h: &mut MoveHarness) -> Account {
         .sign();
 
     // NOTE: We cannot write the Configuration and Groth16Verification key via MoveHarness::set_resource
-    // because it does not (yet) work with resource groups. This is okay, because the VK will be
-    // there from genesis.
+    // because it does not (yet) work with resource groups.
 
     assert_success!(h.run(txn));
 
     core_resources
 }
 
-/// Sets the keyless configuration and installs the sample RSA JWK as a federated JWK
-/// (Note: the VK is already set in genesis.)
+/// Sets the keyless configuration and installs the sample RSA JWK as a federated JWK.
 fn install_federated_jwks_and_set_keyless_config(
     h: &mut MoveHarness,
     jwk_owner: AccountAddress,
@@ -524,8 +544,7 @@ fn federated_keyless_init_config(h: &mut MoveHarness, core_resources: Account) {
         .sign();
 
     // NOTE: We cannot write the Configuration and Groth16Verification key via MoveHarness::set_resource
-    // because it does not (yet) work with resource groups. This is okay, because the VK will be
-    // there from genesis.
+    // because it does not (yet) work with resource groups.
 
     assert_success!(h.run(txn));
 }
@@ -557,8 +576,7 @@ fn federated_keyless_install_jwk(
         .sign();
 
     // NOTE: We cannot write the Configuration and Groth16Verification key via MoveHarness::set_resource
-    // because it does not (yet) work with resource groups. This is okay, because the VK will be
-    // there from genesis.
+    // because it does not (yet) work with resource groups.
 
     assert_success!(h.run(txn));
 }

aptos-move/vm-genesis/src/lib.rs

@@ -27,8 +27,7 @@ use aptos_types::{
         secure_test_rsa_jwk,
     },
     keyless::{
-        self, test_utils::get_sample_iss, Groth16VerificationKey, DEVNET_VERIFICATION_KEY,
-        KEYLESS_ACCOUNT_MODULE_NAME,
+        self, test_utils::get_sample_iss, Groth16VerificationKey, KEYLESS_ACCOUNT_MODULE_NAME,
     },
     move_utils::as_move_value::AsMoveValue,
     on_chain_config::{
@@ -111,7 +110,7 @@ pub struct GenesisConfiguration {
     pub randomness_config_override: Option<OnChainRandomnessConfig>,
     pub jwk_consensus_config_override: Option<OnChainJWKConsensusConfig>,
     pub initial_jwks: Vec<IssuerJWK>,
-    pub keyless_groth16_vk_override: Option<Groth16VerificationKey>,
+    pub keyless_groth16_vk: Option<Groth16VerificationKey>,
 }
 
 pub static GENESIS_KEYPAIR: Lazy<(Ed25519PrivateKey, Ed25519PublicKey)> = Lazy::new(|| {
@@ -312,7 +311,7 @@ pub fn encode_genesis_change_set(
         &module_storage,
         chain_id,
         genesis_config.initial_jwks.clone(),
-        genesis_config.keyless_groth16_vk_override.clone(),
+        genesis_config.keyless_groth16_vk.clone(),
     );
     set_genesis_end(&mut session, &module_storage);
 
@@ -686,7 +685,7 @@ fn initialize_keyless_accounts(
     module_storage: &impl AptosModuleStorage,
     chain_id: ChainId,
     mut initial_jwks: Vec<IssuerJWK>,
-    vk_override: Option<Groth16VerificationKey>,
+    vk: Option<Groth16VerificationKey>,
 ) {
     let config = keyless::Configuration::new_for_devnet();
     exec_function(
@@ -700,9 +699,8 @@ fn initialize_keyless_accounts(
             config.as_move_value(),
         ]),
     );
-    if !chain_id.is_mainnet() {
-        let vk =
-            vk_override.unwrap_or_else(|| Groth16VerificationKey::from(&*DEVNET_VERIFICATION_KEY));
+
+    if vk.is_some() {
         exec_function(
             session,
             module_storage,
@@ -711,10 +709,11 @@ fn initialize_keyless_accounts(
             vec![],
             serialize_values(&vec![
                 MoveValue::Signer(CORE_CODE_ADDRESS),
-                vk.as_move_value(),
+                vk.unwrap().as_move_value(),
             ]),
         );
-
+    }
+    if !chain_id.is_mainnet() {
         let additional_jwk_patch = IssuerJWK {
             issuer: get_sample_iss(),
             jwk: JWK::RSA(secure_test_rsa_jwk()),
@@ -1255,7 +1254,7 @@ pub fn generate_test_genesis(
             randomness_config_override: None,
             jwk_consensus_config_override: None,
             initial_jwks: vec![],
-            keyless_groth16_vk_override: None,
+            keyless_groth16_vk: None,
         },
         &OnChainConsensusConfig::default_for_genesis(),
         &OnChainExecutionConfig::default_for_genesis(),
@@ -1307,7 +1306,7 @@ fn mainnet_genesis_config() -> GenesisConfiguration {
         randomness_config_override: None,
         jwk_consensus_config_override: None,
         initial_jwks: vec![],
-        keyless_groth16_vk_override: None,
+        keyless_groth16_vk: None,
     }
 }
 

crates/aptos-genesis/src/builder.rs

@@ -444,7 +444,7 @@ pub struct GenesisConfiguration {
     pub randomness_config_override: Option<OnChainRandomnessConfig>,
     pub jwk_consensus_config_override: Option<OnChainJWKConsensusConfig>,
     pub initial_jwks: Vec<IssuerJWK>,
-    pub keyless_groth16_vk_override: Option<Groth16VerificationKey>,
+    pub keyless_groth16_vk: Option<Groth16VerificationKey>,
 }
 
 pub type InitConfigFn = Arc<dyn Fn(usize, &mut NodeConfig, &mut NodeConfig) + Send + Sync>;
@@ -667,7 +667,7 @@ impl Builder {
             randomness_config_override: None,
             jwk_consensus_config_override: None,
             initial_jwks: vec![],
-            keyless_groth16_vk_override: None,
+            keyless_groth16_vk: None,
         };
         if let Some(init_genesis_config) = &self.init_genesis_config {
             (init_genesis_config)(&mut genesis_config);

crates/aptos-genesis/src/lib.rs

@@ -79,7 +79,7 @@ pub struct GenesisInfo {
     pub randomness_config_override: Option<OnChainRandomnessConfig>,
     pub jwk_consensus_config_override: Option<OnChainJWKConsensusConfig>,
     pub initial_jwks: Vec<IssuerJWK>,
-    pub keyless_groth16_vk_override: Option<Groth16VerificationKey>,
+    pub keyless_groth16_vk: Option<Groth16VerificationKey>,
 }
 
 impl GenesisInfo {
@@ -120,7 +120,7 @@ impl GenesisInfo {
             randomness_config_override: genesis_config.randomness_config_override.clone(),
             jwk_consensus_config_override: genesis_config.jwk_consensus_config_override.clone(),
             initial_jwks: genesis_config.initial_jwks.clone(),
-            keyless_groth16_vk_override: genesis_config.keyless_groth16_vk_override.clone(),
+            keyless_groth16_vk: genesis_config.keyless_groth16_vk.clone(),
         })
     }
 
@@ -157,7 +157,7 @@ impl GenesisInfo {
                 randomness_config_override: self.randomness_config_override.clone(),
                 jwk_consensus_config_override: self.jwk_consensus_config_override.clone(),
                 initial_jwks: self.initial_jwks.clone(),
-                keyless_groth16_vk_override: self.keyless_groth16_vk_override.clone(),
+                keyless_groth16_vk: self.keyless_groth16_vk.clone(),
             },
             &self.consensus_config,
             &self.execution_config,

crates/aptos-genesis/src/mainnet.rs

@@ -144,7 +144,7 @@ impl MainnetGenesisInfo {
                 randomness_config_override: self.randomness_config_override.clone(),
                 jwk_consensus_config_override: self.jwk_consensus_config_override.clone(),
                 initial_jwks: vec![],
-                keyless_groth16_vk_override: None,
+                keyless_groth16_vk: None,
             },
         )
     }

crates/aptos/src/common/types.rs

@@ -1608,7 +1608,7 @@ impl FaucetOptions {
 }
 
 /// Gas price options for manipulating how to prioritize transactions
-#[derive(Debug, Eq, Parser, PartialEq)]
+#[derive(Debug, Clone, Eq, Parser, PartialEq)]
 pub struct GasOptions {
     /// Gas multiplier per unit of gas
     ///

crates/aptos/src/genesis/mod.rs

@@ -261,7 +261,7 @@ pub fn fetch_mainnet_genesis_info(git_options: GitOptions) -> CliTypedResult<Mai
             randomness_config_override: None,
             jwk_consensus_config_override: None,
             initial_jwks: vec![],
-            keyless_groth16_vk_override: None,
+            keyless_groth16_vk: None,
         },
     )?)
 }
@@ -306,7 +306,7 @@ pub fn fetch_genesis_info(git_options: GitOptions) -> CliTypedResult<GenesisInfo
             randomness_config_override: None,
             jwk_consensus_config_override: layout.jwk_consensus_config_override.clone(),
             initial_jwks: layout.initial_jwks.clone(),
-            keyless_groth16_vk_override: layout.keyless_groth16_vk_override.clone(),
+            keyless_groth16_vk: layout.keyless_groth16_vk_override.clone(),
         },
     )?)
 }

execution/executor-benchmark/src/db_generator.rs

@@ -81,7 +81,7 @@ pub(crate) fn bootstrap_with_genesis(
                 issuer: get_sample_iss(),
                 jwk: JWK::RSA(get_sample_jwk()),
             }];
-            config.keyless_groth16_vk_override = Some(Groth16VerificationKey::from(
+            config.keyless_groth16_vk = Some(Groth16VerificationKey::from(
                 &TEST_GROTH16_SETUP.prepared_vk,
             ));
         })));

keyless/pepper/example-client-rust/src/main.rs

@@ -66,6 +66,9 @@ fn get_jwt_or_path() -> String {
 
 #[tokio::main]
 async fn main() {
+    // if let Ok(x) = std::env::var("V0_VERIFY") {
+    //     test_v0_verify();
+    // }
     println!();
     println!("Starting an interaction with aptos-oidb-pepper-service.");
     let url = get_pepper_service_url();

keyless/pepper/readme.md

@@ -58,3 +58,32 @@ Follow the instruction to manually complete a session with the pepper service.
 Sorry for the missing examples in other programming languages.
 For now please read through `example-client-rust/src/main.rs` implementation and output:
 that is what your frontend needs to do.
+
+## Extra: manual testing for endpoint `v0/verify`.
+NOTE: API `v0/verify` now depends on on-chain resources
+`0x1::keyless_account::Groth16VerificationKey` and `0x1::keyless_account::Configuration`,
+which need to be fetched via HTTP requests.
+
+In terminal 0, run the pepper service.
+```bash
+export VUF_KEY_SEED_HEX=ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+export ONCHAIN_GROTH16_VK_URL=http://localhost:4444/groth16_vk.json
+export ONCHAIN_KEYLESS_CONFIG_URL=http://localhost:4444/keyless_config.json
+cargo run -p aptos-keyless-pepper-service
+```
+
+In terminal 1, peek the cached resources, they should currently give 404.
+```
+curl -v http://localhost:8000/cached/groth16-vk
+curl -v http://localhost:8000/cached/keyless-config
+```
+
+In terminal 2, mock the full node with a naive HTTP server.
+```bash
+cd keyless/pepper/service/resources
+python3 -m http.server 4444
+```
+
+Wait for 10 secs then go back to terminal 1 to retry the curl cmds. The cached data should be available.
+
+TODO: how to generate sample request and interact with `v0/verify` endpoint?

keyless/pepper/service/Cargo.toml

@@ -23,8 +23,10 @@ aptos-logger = { workspace = true }
 aptos-metrics-core = { workspace = true }
 aptos-types = { workspace = true }
 ark-bls12-381 = { workspace = true }
+ark-bn254 = { workspace = true }
 ark-ec = { workspace = true }
 ark-ff = { workspace = true }
+ark-groth16 = { workspace = true }
 ark-serialize = { workspace = true }
 bcs = { workspace = true }
 dashmap = { workspace = true }

keyless/pepper/service/resources/groth16_vk.json

@@ -0,0 +1,13 @@
+{
+  "type": "0x1::keyless_account::Groth16VerificationKey",
+  "data": {
+    "alpha_g1": "0xe2f26dbea299f5223b646cb1fb33eadb059d9407559d7441dfd902e3a79a4d2d",
+    "beta_g2": "0xabb73dc17fbc13021e2471e0c08bd67d8401f52b73d6d07483794cad4778180e0c06f33bbc4c79a9cadef253a68084d382f17788f885c9afd176f7cb2f036789",
+    "delta_g2": "0xb106619932d0ef372c46909a2492e246d5de739aa140e27f2c71c0470662f125219049cfe15e4d140d7e4bb911284aad1cad19880efb86f2d9dd4b1bb344ef8f",
+    "gamma_abc_g1": [
+      "0x6123b6fea40de2a7e3595f9c35210da8a45a7e8c2f7da9eb4548e9210cfea81a",
+      "0x32a9b8347c512483812ee922dc75952842f8f3083edb6fe8d5c3c07e1340b683"
+    ],
+    "gamma_g2": "0xedf692d95cbdde46ddda5ef7d422436779445c5e66006a42761e1f12efde0018c212f3aeb785e49712e7a9353349aaf1255dfb31b7bf60723a480d9293938e19"
+  }
+}

keyless/pepper/service/resources/keyless_config.json

@@ -0,0 +1,17 @@
+{
+  "type": "0x1::keyless_account::Configuration",
+  "data": {
+    "max_commited_epk_bytes": 93,
+    "max_exp_horizon_secs": "10000000",
+    "max_extra_field_bytes": 350,
+    "max_iss_val_bytes": 120,
+    "max_jwt_header_b64_bytes": 300,
+    "max_signatures_per_txn": 3,
+    "override_aud_vals": [],
+    "training_wheels_pubkey": {
+      "vec": [
+        "0x5cd926a700e3997a3b319bfd003127ec7278eff14973c8cdcfbea54f3ea3669f"
+      ]
+    }
+  }
+}