Merge branch 'dev' into issue-260-preserve-original-error-message

Author: elpiel

Dockerfile

@@ -34,7 +34,11 @@ ENV SINGLE_TICK=
 
 WORKDIR /usr/local/bin
 
-RUN apt update && apt-get install -y libssl-dev
+RUN apt update && apt-get install -y libssl-dev ca-certificates
+
+COPY docs/config/cloudflare_origin.crt /usr/local/share/ca-certificates/
+
+RUN update-ca-certificates
 
 COPY --from=builder /usr/local/bin/validator_worker .
 

adapter/src/ethereum.rs

@@ -115,7 +115,9 @@ impl Adapter for EthereumAdapter {
 
     fn sign(&self, state_root: &str) -> AdapterResult<String> {
         if let Some(wallet) = &self.wallet {
-            let message = Message::from_slice(&hash_message(state_root));
+            let state_root = hex::decode(state_root)
+                .map_err(|_| AdapterError::Signature("invalid state_root".to_string()))?;
+            let message = Message::from_slice(&hash_message(&state_root));
             let wallet_sign = wallet
                 .sign(&self.keystore_pwd, &message)
                 .map_err(|_| map_error("failed to sign messages"))?;
@@ -130,11 +132,16 @@ impl Adapter for EthereumAdapter {
     }
 
     fn verify(&self, signer: &ValidatorId, state_root: &str, sig: &str) -> AdapterResult<bool> {
-        let decoded_signature = hex::decode(sig)
+        if !sig.starts_with("0x") {
+            return Err(AdapterError::Signature("not 0x prefixed hex".to_string()));
+        }
+        let decoded_signature = hex::decode(&sig[2..])
             .map_err(|_| AdapterError::Signature("invalid signature".to_string()))?;
         let address = Address::from_slice(signer.inner());
         let signature = Signature::from_electrum(&decoded_signature);
-        let message = Message::from_slice(&hash_message(state_root));
+        let state_root = hex::decode(state_root)
+            .map_err(|_| AdapterError::Signature("invalid state_root".to_string()))?;
+        let message = Message::from_slice(&hash_message(&state_root));
 
         verify_address(&address, &signature, &message).or_else(|_| Ok(false))
     }
@@ -314,14 +321,13 @@ impl RelayerClient {
     }
 }
 
-fn hash_message(message: &str) -> [u8; 32] {
+fn hash_message(message: &[u8]) -> [u8; 32] {
     let eth = "\x19Ethereum Signed Message:\n";
     let message_length = message.len();
 
-    let encoded = format!("{}{}{}", eth, message_length, message);
-
     let mut result = Keccak::new_keccak256();
-    result.update(&encoded.as_bytes());
+    result.update(&format!("{}{}", eth, message_length).as_bytes());
+    result.update(&message);
 
     let mut res: [u8; 32] = [0; 32];
     result.finalize(&mut res);
@@ -371,10 +377,9 @@ pub fn ewt_sign(
 
     let payload_encoded =
         base64::encode_config(&serde_json::to_string(payload)?, base64::URL_SAFE_NO_PAD);
-    let message = Message::from_slice(&hash_message(&format!(
-        "{}.{}",
-        header_encoded, payload_encoded
-    )));
+    let message = Message::from_slice(&hash_message(
+        &format!("{}.{}", header_encoded, payload_encoded).as_bytes(),
+    ));
     let signature: Signature = signer
         .sign(password, &message)
         .map_err(|_| map_error("sign message"))?
@@ -394,10 +399,9 @@ pub fn ewt_verify(
     payload_encoded: &str,
     token: &str,
 ) -> Result<VerifyPayload, Box<dyn Error>> {
-    let message = Message::from_slice(&hash_message(&format!(
-        "{}.{}",
-        header_encoded, payload_encoded
-    )));
+    let message = Message::from_slice(&hash_message(
+        &format!("{}.{}", header_encoded, payload_encoded).as_bytes(),
+    ));
 
     let decoded_signature = base64::decode_config(&token, base64::URL_SAFE_NO_PAD)?;
     let signature = Signature::from_electrum(&decoded_signature);
@@ -466,23 +470,35 @@ mod test {
 
         // Sign
         let expected_response =
-            "0xce654de0b3d14d63e1cb3181eee7a7a37ef4a06c9fabc204faf96f26357441b625b1be460fbe8f5278cc02aa88a5d0ac2f238e9e3b8e4893760d33bccf77e47f1b";
+            "0x625fd46f82c4cfd135ea6a8534e85dbf50beb157046dce59d2e97aacdf4e38381d1513c0e6f002b2f05c05458038b187754ff38cc0658dfc9ba854cccfb6e13e1b";
         let message = "2bdeafae53940669daa6f519373f686c";
-        let response = eth_adapter.sign(message).expect("failed to sign message");
-        assert_eq!(expected_response, response, "invalid signature");
+        let signature = eth_adapter.sign(message).expect("failed to sign message");
+        assert_eq!(expected_response, signature, "invalid signature");
 
         // Verify
         let signature =
-            "ce654de0b3d14d63e1cb3181eee7a7a37ef4a06c9fabc204faf96f26357441b625b1be460fbe8f5278cc02aa88a5d0ac2f238e9e3b8e4893760d33bccf77e47f1b";
+            "0x9e07f12958ce7c5eb1362eb9461e4745dd9d74a42b921391393caea700bfbd6e1ad876a7d8f9202ef1fe6110dbfe87840c5676ca5c4fda9f3330694a1ac2a1fc1b";
         let verify = eth_adapter
             .verify(
-                &ValidatorId::try_from("2bDeAFAE53940669DaA6F519373f686c1f3d3393")
+                &ValidatorId::try_from("2892f6C41E0718eeeDd49D98D648C789668cA67d")
                     .expect("Failed to parse id"),
-                "2bdeafae53940669daa6f519373f686c",
+                "8bc45d8eb27f4c98cab35d17b0baecc2a263d6831ef0800f4c190cbfac6d20a3",
                 &signature,
             )
             .expect("Failed to verify signatures");
 
+        let sig1 = "0x9fa5852041b9818021323aff8260624fd6998c52c95d9ad5036e0db6f2bf2b2d48a188ec1d638581ff56b0a2ecceca6d3880fc65030558bd8f68b154e7ebf80f1b";
+        let msg = "1648231285e69677531ffe70719f67a07f3d4393b8425a5a1c84b0c72434c77b";
+
+        let verify2 = eth_adapter
+            .verify(
+                &ValidatorId::try_from("ce07CbB7e054514D590a0262C93070D838bFBA2e")
+                    .expect("Failed to parse id"),
+                msg,
+                &sig1,
+            )
+            .expect("Failed to verify signatures");
+
         assert_eq!(verify, true, "invalid signature verification");
     }
 

docs/config/cloudflare_origin.crt

@@ -0,0 +1,41 @@
+-----BEGIN CERTIFICATE-----
+MIICiTCCAi6gAwIBAgIUXZP3MWb8MKwBE1Qbawsp1sfA/Y4wCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0xOTA4MjMyMTA4MDBaFw0yOTA4MTUxNzAwMDBaMIGPMQswCQYDVQQGEwJV
+UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZ
+MBcGA1UEChMQQ2xvdWRGbGFyZSwgSW5jLjE4MDYGA1UECxMvQ2xvdWRGbGFyZSBP
+cmlnaW4gU1NMIEVDQyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAASR+sGALuaGshnUbcxKry+0LEXZ4NY6JUAtSeA6g87K3jaA
+xpIg9G50PokpfWkhbarLfpcZu0UAoYy2su0EhN7wo2YwZDAOBgNVHQ8BAf8EBAMC
+AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUhTBdOypw1O3VkmcH/es5
+tBoOOKcwHwYDVR0jBBgwFoAUhTBdOypw1O3VkmcH/es5tBoOOKcwCgYIKoZIzj0E
+AwIDSQAwRgIhAKilfntP2ILGZjwajktkBtXE1pB4Y/fjAfLkIRUzrI15AiEA5UCL
+XYZZ9m2c3fKwIenMMojL1eqydsgqj/wK4p5kagQ=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIID+rOSdTGfGcwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNV
+BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91
+ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQH
+Ew1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMB4XDTE5MDgyMzIx
+MDgwMFoXDTI5MDgxNTE3MDAwMFowgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBD
+bG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wg
+Q2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMw
+EQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwEiVZ/UoQpHmFsHvk5isBxRehukP8DG9JhFev3WZtG76WoTthvLJFRKFCHXm
+V6Z5/66Z4S09mgsUuFwvJzMnE6Ej6yIsYNCb9r9QORa8BdhrkNn6kdTly3mdnykb
+OomnwbUfLlExVgNdlP0XoRoeMwbQ4598foiHblO2B/LKuNfJzAMfS7oZe34b+vLB
+yrP/1bgCSLdc1AxQc1AC0EsQQhgcyTJNgnG4va1c7ogPlwKyhbDyZ4e59N5lbYPJ
+SmXI/cAe3jXj1FBLJZkwnoDKe0v13xeF+nF32smSH0qB7aJX2tBMW4TWtFPmzs5I
+lwrFSySWAdwYdgxw180yKU0dvwIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD
+VR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUJOhTV118NECHqeuU27rhFnj8KaQw
+HwYDVR0jBBgwFoAUJOhTV118NECHqeuU27rhFnj8KaQwDQYJKoZIhvcNAQELBQAD
+ggEBAHwOf9Ur1l0Ar5vFE6PNrZWrDfQIMyEfdgSKofCdTckbqXNTiXdgbHs+TWoQ
+wAB0pfJDAHJDXOTCWRyTeXOseeOi5Btj5CnEuw3P0oXqdqevM1/+uWp0CM35zgZ8
+VD4aITxity0djzE6Qnx3Syzz+ZkoBgTnNum7d9A66/V636x4vTeqbZFBr9erJzgz
+hhurjcoacvRNhnjtDRM0dPeiCJ50CP3wEYuvUzDHUaowOsnLCjQIkWbR7Ni6KEIk
+MOz2U0OBSif3FTkhCgZWQKOOLo1P42jHC3ssUZAtVNXrCk3fw9/E15k8NPkBazZ6
+0iykLhH1trywrKRMVw67F44IE8Y=
+-----END CERTIFICATE-----
+

primitives/src/adapter.rs

@@ -31,7 +31,7 @@ impl fmt::Display for AdapterError {
             AdapterError::Authorization(error) => write!(f, "Authorization error: {}", error),
             AdapterError::Configuration(error) => write!(f, "Configuration error: {}", error),
             AdapterError::Signature(error) => write!(f, "Signature error: {}", error),
-            AdapterError::InvalidChannel(error) => write!(f, "Invalid Channel error: {}", error),
+            AdapterError::InvalidChannel(error) => write!(f, "{}", error),
             AdapterError::Failed(error) => write!(f, "error: {}", error),
         }
     }

primitives/src/channel.rs

@@ -3,7 +3,7 @@ use std::fmt;
 
 use chrono::serde::{ts_milliseconds, ts_milliseconds_option, ts_seconds};
 use chrono::{DateTime, Utc};
-use serde::{Deserialize, Serialize};
+use serde::{Deserialize, Deserializer, Serialize};
 use serde_hex::{SerHex, StrictPfx};
 
 use crate::big_num::BigNum;
@@ -13,7 +13,25 @@ use std::ops::Deref;
 
 #[derive(Serialize, Deserialize, PartialEq, Eq, Debug, Copy, Clone, Hash)]
 #[serde(transparent)]
-pub struct ChannelId(#[serde(with = "SerHex::<StrictPfx>")] [u8; 32]);
+pub struct ChannelId(
+    #[serde(
+        deserialize_with = "channel_id_from_str",
+        serialize_with = "SerHex::<StrictPfx>::serialize"
+    )]
+    [u8; 32],
+);
+
+fn channel_id_from_str<'de, D>(deserializer: D) -> Result<[u8; 32], D::Error>
+where
+    D: Deserializer<'de>,
+{
+    let channel_id = String::deserialize(deserializer)?;
+    if channel_id.is_empty() || channel_id.len() != 66 {
+        return Err(serde::de::Error::custom("invalid channel id".to_string()));
+    }
+
+    <[u8; 32] as FromHex>::from_hex(&channel_id[2..]).map_err(serde::de::Error::custom)
+}
 
 impl Deref for ChannelId {
     type Target = [u8];
@@ -72,7 +90,9 @@ pub struct Pricing {
 #[derive(Serialize, Deserialize, Debug, Clone)]
 #[serde(rename_all = "UPPERCASE")]
 pub struct PricingBounds {
+    #[serde(default, skip_serializing_if = "Option::is_none")]
     pub impression: Option<Pricing>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
     pub click: Option<Pricing>,
 }
 
@@ -86,7 +106,8 @@ pub struct ChannelSpec {
     pub max_per_impression: BigNum,
     /// Minimum payment offered per impression
     pub min_per_impression: BigNum,
-    // Event pricing bounds
+    /// Event pricing bounds
+    #[serde(default, skip_serializing_if = "Option::is_none")]
     pub pricing_bounds: Option<PricingBounds>,
     /// An array of TargetingTag (optional)
     #[serde(default, skip_serializing_if = "Vec::is_empty")]
@@ -95,6 +116,7 @@ pub struct ChannelSpec {
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub min_targeting_score: Option<f64>,
     /// EventSubmission object, applies to event submission (POST /channel/:id/events)
+    #[serde(default, skip_serializing_if = "Option::is_none")]
     pub event_submission: Option<EventSubmission>,
     /// A millisecond timestamp of when the campaign was created
     #[serde(
@@ -112,6 +134,7 @@ pub struct ChannelSpec {
     )]
     pub active_from: Option<DateTime<Utc>>,
     /// A random number to ensure the campaignSpec hash is unique
+    #[serde(default, skip_serializing_if = "Option::is_none")]
     pub nonce: Option<BigNum>,
     /// A millisecond timestamp of when the campaign should enter a withdraw period
     /// (no longer accept any events other than CHANNEL_CLOSE)
@@ -232,17 +255,34 @@ pub enum ChannelError {
     /// which in terms means, that the adapter shouldn't handle this Channel
     AdapterNotIncluded,
     /// when `channel.valid_until` has passed (< now), the channel should be handled
-    PassedValidUntil,
+    InvalidValidUntil(String),
     UnlistedValidator,
     UnlistedCreator,
     UnlistedAsset,
     MinimumDepositNotMet,
     MinimumValidatorFeeNotMet,
+    FeeConstraintViolated,
 }
 
 impl fmt::Display for ChannelError {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "Channel error",)
+        match self {
+            ChannelError::InvalidArgument(error) => write!(f, "{}", error),
+            ChannelError::AdapterNotIncluded => write!(f, "channel is not validated by us"),
+            ChannelError::InvalidValidUntil(error) => write!(f, "{}", error),
+            ChannelError::UnlistedValidator => write!(f, "validators are not in the whitelist"),
+            ChannelError::UnlistedCreator => write!(f, "channel.creator is not whitelisted"),
+            ChannelError::UnlistedAsset => write!(f, "channel.depositAsset is not whitelisted"),
+            ChannelError::MinimumDepositNotMet => {
+                write!(f, "channel.depositAmount is less than MINIMAL_DEPOSIT")
+            }
+            ChannelError::MinimumValidatorFeeNotMet => {
+                write!(f, "channel validator fee is less than MINIMAL_FEE")
+            }
+            ChannelError::FeeConstraintViolated => {
+                write!(f, "total fees <= deposit: fee constraint violated")
+            }
+        }
     }
 }
 

primitives/src/channel_validator.rs

@@ -1,8 +1,10 @@
 use crate::channel::{Channel, ChannelError, SpecValidator, SpecValidators};
 use crate::config::Config;
+use crate::BigNum;
 use crate::ValidatorId;
 use chrono::Utc;
 use std::cmp::PartialEq;
+use time::Duration;
 
 pub trait ChannelValidator {
     fn is_channel_valid(
@@ -17,7 +19,21 @@ pub trait ChannelValidator {
         };
 
         if channel.valid_until < Utc::now() {
-            return Err(ChannelError::PassedValidUntil);
+            return Err(ChannelError::InvalidValidUntil(
+                "channel.validUntil has passed".to_string(),
+            ));
+        }
+
+        if channel.valid_until > (Utc::now() + Duration::days(365)) {
+            return Err(ChannelError::InvalidValidUntil(
+                "channel.validUntil should not be greater than one year".to_string(),
+            ));
+        }
+
+        if channel.spec.withdraw_period_start > channel.valid_until {
+            return Err(ChannelError::InvalidValidUntil(
+                "channel withdrawPeriodStart is invalid".to_string(),
+            ));
         }
 
         if !all_validators_listed(&channel.spec.validators, &config.validators_whitelist) {
@@ -40,6 +56,17 @@ pub trait ChannelValidator {
             return Err(ChannelError::MinimumValidatorFeeNotMet);
         }
 
+        let total_validator_fee: BigNum = channel
+            .spec
+            .validators
+            .iter()
+            .map(|v| v.fee.clone())
+            .fold(BigNum::from(0), |acc, x| acc + x);
+
+        if total_validator_fee >= channel.deposit_amount {
+            return Err(ChannelError::FeeConstraintViolated);
+        }
+
         Ok(())
     }
 }

primitives/src/sentry.rs

@@ -160,6 +160,14 @@ pub struct EventAggregateResponse {
     pub events: Vec<EventAggregate>,
 }
 
+#[derive(Serialize, Deserialize, Debug)]
+#[serde(rename_all = "camelCase")]
+pub struct ValidationErrorResponse {
+    pub status_code: u64,
+    pub message: String,
+    pub validation: Vec<String>,
+}
+
 #[derive(Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct AdvancedAnalyticsResponse {

primitives/src/util/tests/prep_db.rs

@@ -1,4 +1,5 @@
 use crate::{
+    channel::{Pricing, PricingBounds},
     BigNum, Channel, ChannelId, ChannelSpec, EventSubmission, SpecValidators, ValidatorDesc,
     ValidatorId,
 };
@@ -35,7 +36,7 @@ lazy_static! {
         auth.insert("user".into(), "x8c9v1b2".into());
         auth.insert("publisher".into(), "testing".into());
         auth.insert("publisher2".into(), "testing2".into());
-        auth.insert("creator".into(), "0x033ed90e0fec3f3ea1c9b005c724d704501e0196".into());
+        auth.insert("creator".into(), "0x033Ed90e0FeC3F3ea1C9b005C724D704501e0196".into());
         auth.insert("tester".into(), "AUTH_awesomeTester".into());
 
         auth
@@ -69,7 +70,7 @@ lazy_static! {
                 title: None,
                 validators: SpecValidators::new(DUMMY_VALIDATOR_LEADER.clone(), DUMMY_VALIDATOR_FOLLOWER.clone()),
                 max_per_impression: 10.into(),
-                min_per_impression: 10.into(),
+                min_per_impression: 1.into(),
                 targeting: vec![],
                 min_targeting_score: None,
                 event_submission: Some(EventSubmission { allow: vec![] }),
@@ -79,7 +80,7 @@ lazy_static! {
                 nonce: Some(nonce),
                 withdraw_period_start: Utc.timestamp_millis(4_073_414_400_000),
                 ad_units: vec![],
-                pricing_bounds: None,
+                pricing_bounds: Some(PricingBounds {impression: None, click: Some(Pricing { max: 0.into(), min: 0.into()})}),
             },
         }
     };