supplyverifier: add push syncer and universe server verification #1674
Conversation
ffranr
added
the
supply commit
Pull Request Test Coverage Report for Build 17445452389Details
💛 - Coveralls |
ffranr
force-pushed
the
wip/supplycommit/add-verifier
branch
from
56b7c94 to
efeb38a
Compare
universe/supplyverifier/states.go
Outdated
| } | ||
|
|
||
| // IdleState is the state we reach when a valid unspent commitment output is | ||
| // observed. We wait for a spend to re-enter the sync state. |
There was a problem hiding this comment.
I don't have much experience with the protofsm package and the state machine. But what I found helpful in Laolu's PRs was the Godoc description for each state that described what events a state can process and what other state that leads to. From that a nice diagram can then easily be created using AI tools.
There was a problem hiding this comment.
Yeah I after we get a bit further along w/ the final version, i can generate another set of similar docs/diagrams, and also share the prompts I used to generate them.
| // to the idle state. | ||
| if len(events) == 0 { | ||
| return &StateTransition{ | ||
| NextState: &IdleState{}, |
There was a problem hiding this comment.
Ah, just for me to check my understanding of the state machine and the code so far: If there are no outputs to watch, we go into the idle state, at which the machine does nothing. Once a spend event comes in (presumably from watching the chain), we then transition back into the sync state.
What I don't yet see in the code is the actual "watch on-chain" part. Shouldn't there be a call to RegisterConfNtfn or RegisterSpendNtfn and a wait somewhere?
There was a problem hiding this comment.
So the register spend ntfn is what's sent as ExternalEvents below. If a spend occurs, then a new event will be sent in that contains the spending transaction, etc.
universe/supplyverifier/states.go
Outdated
| } | ||
|
|
||
| // String returns the name of the state. | ||
| func (i *IdleState) String() string { |
There was a problem hiding this comment.
Just took another look at how things are done in the supply commit state machine. And it looks like the idle state there is just the DefaultState. I think we should do the same here. Or if you want things to be more explicit in the name, then do we even need the DefaultState in this package? Where will it be used?
There was a problem hiding this comment.
Mmhm, np for it to just loop back to the default state. While it loops back, it can also send an "internal event" to stage another transition. The internal event might just be telling it about the new unspent pre-commitment output.
universe/supplyverifier/env.go
Outdated
|
|
||
| // OnChainLookup is an interface that is used to look up on-chain information | ||
| // about supply commitments. | ||
| type OnChainLookup interface { |
There was a problem hiding this comment.
Doesn't it also need a way to fetch the asset commitment leaves/tree that existed at a given height?
The loop I have in my mind is:
- Verify a new asset, realize that it has a universe commitment field set, and a pre-commitment.
- Make one of these state machines for it.
- It watches for the pre-commitment outpoint spend.
3a. In this state, if the normal syncing detects a new issuance event (as rn we don't force input linkage between minting events), then we send an event to also watch that outpoint. - After it's spent, fetch from the universe RPC server, using the new height based index we added recently.
- After fetching that, verify everything matches up (you get the delta, the prior tree, then the new root).
- If it all matches up, add the pre-commitment, go back to the watch for spend state.
universe/supplyverifier/states.go
Outdated
| } | ||
|
|
||
| // String returns the name of the state. | ||
| func (i *IdleState) String() string { |
There was a problem hiding this comment.
Mmhm, np for it to just loop back to the default state. While it loops back, it can also send an "internal event" to stage another transition. The internal event might just be telling it about the new unspent pre-commitment output.
| // If we don't have a last verified commitment, then this is the | ||
| // first time we're verifying this asset group. We'll kick | ||
| // things off by watching for the latest on-chain state. | ||
| if lastCommit == nil { |
There was a problem hiding this comment.
Shouldn't we also check for a pre-commitment here? As when we first come up, we may not know of the verified commitment at all, but if it's a grouped asset w/ universe commitments, then it should have a pre-commitment output on chain.
| // things off by watching for the latest on-chain state. | ||
| if lastCommit == nil { | ||
| return &StateTransition{ | ||
| NextState: &WatchOutputsSpendState{}, |
There was a problem hiding this comment.
Should this just go back to default with a self-transition?
| // to the idle state. | ||
| if len(events) == 0 { | ||
| return &StateTransition{ | ||
| NextState: &IdleState{}, |
There was a problem hiding this comment.
So the register spend ntfn is what's sent as ExternalEvents below. If a spend occurs, then a new event will be sent in that contains the spending transaction, etc.
|
|
||
| // We'll gather all the UTXOs we need to watch. We start with | ||
| // the unspent pre-commitments. | ||
| preCommits, err := env.OnChainLookup.UnspentPrecommits( |
There was a problem hiding this comment.
Need to get through a bit more, but perhaps we can collapse this state into the above?
If we don't have an any unspent pre-commitments, or then we do nothing.
From the default state, we can then also accept a new event that's sent every block (or w/e) to check for new unspent pre-commitments. If we have some, then we go to the spend phase, etc. The callers can also send these events anytime they detect a new spend.
| env *Environment) (*StateTransition, error) { | ||
|
|
||
| switch e := event.(type) { | ||
| case *SpendEvent: |
There was a problem hiding this comment.
One thing that we'll want to make sure we can handle is that: if there's 5 unspent pre-commitments (we're just catching up, and they recently did a batch mint or something), then we'll get this event 5 times. So any state after this, needs to be able to handle the spend event as a noop, if it doesn't contribute any new information.
There was a problem hiding this comment.
Yes, I see it that way also.
I think we should also ensure that the spend consumes all outstanding pre-commitment outputs. The SpendEvent includes the fields SpentPreCommitment and PreCommitments to track this.
| "commitment: %w", err) | ||
| } | ||
|
|
||
| // TODO(ffranr): proof syncing logic here. |
There was a problem hiding this comment.
So this is the queries to go height-by-height right?
There was a problem hiding this comment.
Yes. At this point, we know that either a pre-commitment output or a supply commitment output has been spent, so we need to look up any associated supply-related leaves.
| // TODO(ffranr): verification logic here. This should include | ||
| // checking that there are no more unspent pre-commitments. All | ||
| // the pre-commitments should have been spent in the same supply | ||
| // commitment transaction. |
There was a problem hiding this comment.
I'd imagine that we may go back and forth between the fetch, then verify states many times until we reach the very last unspent pre-commitment. So we go height by height to fetch the latest commitment state, verify it matches up, set up the spend for the next one, repeat.
One option would be to split things into like an "initial sync" vs "sync from tip" transitions. On the other hand, i miagine that we can just unify it, as the spends will be insta if we're still catching up.
There was a problem hiding this comment.
as the spends will be insta if we're still catching up.
That's what I'm hoping for. I think the spend notification should work like that.
ffranr
force-pushed
the
wip/supplycommit/add-verifier
branch
5 times, most recently
from
e91bd93 to
1171731
Compare
|
|
||
| -- The latest block height that has been successfully synced for this asset | ||
| -- group. | ||
| latest_sync_block_height INTEGER NOT NULL |
tapdb/supply_syncer.go
Outdated
| // Reuse the internal supply update logic which handles all | ||
| // the complex sub-tree and root tree updates within the | ||
| // transaction. | ||
| _, err := applySupplyUpdatesInternal(ctx, dbTx, spec, updates) |
There was a problem hiding this comment.
So we don't want to insert these items yet, as they haven't been validated. Instead, we want to insert them on disk as supply update logs. They can be inserted as dangling, and may need some other attribtues such as that these are staged, or their height, etc.
Then the verifier (which should now persistently which height it has verified up to), can do a query for the next set of updates to verify. Once it verifies those, then it can all a method like this.
There was a problem hiding this comment.
Comment still stands. IIUC we have a new top level InsertSupplyCommit that can be used to insert the pre-validated commitment. Right now it accepts all the leaves, but could in theory just do a query for dangling supply updates, and then insert those.
github-project-automation
bot
moved this from 🏗 In progress
to 👀 In review
in Taproot-Assets Project Board
ffranr
force-pushed
the
wip/supplycommit/add-verifier
branch
2 times, most recently
from
727429d to
4abae0a
Compare
ffranr
force-pushed
the
wip/supplycommit/add-verifier
branch
from
4abae0a to
ca19ee8
Compare
|
|
||
| // stateMachineCache is a thread-safe cache mapping an asset group's public key | ||
| // to its supply verifier state machine. | ||
| type stateMachineCache struct { |
There was a problem hiding this comment.
Can we extract this into a separate package so we don't have to re-defined here? Looks to be identical to the one in supplycommit (but probably needs to be parametrized since it's a different state machine struct that's cached).
There was a problem hiding this comment.
Yes, I need to reconcile that eventually. I'm focusing on getting the end-to-end itest working first, then my plan is to revisit and clean up any remaining duplication.
ffranr
force-pushed
the
wip/supplycommit/add-verifier
branch
from
ca19ee8 to
f4d0771
Compare
tapcfg/server.go
Outdated
| return db.WithTx(tx) | ||
| }, | ||
| ) | ||
| supplySyncerStore := tapdb.NewSupplySyncerStore(supplySyncerDb) |
There was a problem hiding this comment.
This can just be: tapdb.NewSupplySyncerStore(uniDB) as that has the same executor signature.
ffranr
force-pushed
the
wip/supplycommit/add-verifier
branch
4 times, most recently
from
5726969 to
3f5f816
Compare
|
Current state:
|
guggero
force-pushed
the
wip/supplycommit/add-verifier
branch
from
8ebe23f to
e8527e9
Compare
Renames applyTreeUpdates to make it suitable for reuse in supplyverifier during the verification process.
Refactor existing logic into a standalone exported function, UpdateRootSupplyTree, to enable reuse in the `supplyverifier` package for verification purposes.
This refactor enables reuse of the function in a new method to be introduced in a subsequent commit. The upcoming method will support reading both the sbtrees and the (upper) root tree from the database atomically.
Introduces a new method to retrieve all supply trees for a given asset group in a single atomic database read.
Introduces a manager with an InsertSupplyCommit method to handle supply commit verification and local DB insertion for universe server tapd nodes. Subsequent commits will further develop this component. The manager follows the same pattern as the supplycommit package's state machine manager. Each state machine is tied to an asset group, and the manager oversees all machines across groups. We avoid specifying the full state machine now, as it won't be used for universe server supply commit verification, which will be implemented first. This placeholder enables progress on the RPC implementation in upcoming commits.
This endpoint allows the supply commit syncer to push new supply commits
into a canonical universe.
In this commit we also modify the REST path for UpdateSupplyCommit to
`/v1/taproot-assets/universe/supply/update/{group_key_str}` from
`/v1/taproot-assets/universe/supply/{group_key_str}`.
Remove the FetchSupplyLeaves RPC endpoint from the public universe whitelist, as it will primarily be used by integration tests from now on.
The FetchSupplyCommit RPC previously accepted leaf keys and returned inclusion proofs for those leaves. This feature is now moved to the FetchSupplyLeaves RPC. The FetchSupplyLeaves endpoint is not served publicly by the universe server (mostly used in itests), whereas FetchSupplyCommit is public. Limiting FetchSupplyCommit avoids on-the-fly inclusion proof generation. FetchSupplyCommit is geared towards supply commit syncing.
Update supply commit construction state machine to push the generated supply commitment and diff leaves to the remote universe server. We will pass the supply syncer into the supply commit manager in a separate future commit once RocSupplySync is in place.
We clean up and consolidate a bunch of code: - Parsing the supply commitment and data was duplicated, is now a single function. - The commitmentChainInfo can be merged directly into the commitment.CommitmentBlock (add fields BlockHeader and MerkleProof), gets rid of a parameter. We also add a new spent_commitment field to the supply_commitments table that tracks the previous commitment transaction that was spent, to create the full chain. To be able to traverse that chain, we also need to be able to query the commitments either by a commitment's outpoint or by the outpoint a commitment is spending, which allows backward lookup in a loop.
These fields in CommitmentBlock were introduced in an earlier commit. Populating them here allows simplifying the Manager.InsertSupplyCommit method interface in the supplyverifier package.
To find out what commitment is being spent by a next one, we add the optional SpentCommitment field to the RootCommitment struct. The field should only be None for the very first commitment of an asset group.
This field will allow us to directly find the previous supply commitment which will be useful during verification. We will make use of this data in a subsiquent commit.
Introduce RpcSupplySync as an intermediary between the supply commit leaf fetch RPC endpoints and the supply verifier syncer.
Enhances ApplyTreeUpdates by ensuring that an empty subtree is included for each relevant subtree type when appropriate. This makes the function's return value more consistent and reliable.
Adds a verifier component to encapsulate all supply commit verification logic. The verifier is used in the Manager.InsertSupplyCommit method, which allows a universe server tapd node to verify supply commitments before inserting them into the local universe server DB. The actual DB insertion logic will be added in a subsequent commit.
Adds the InsertSupplyCommit method to tapdb for inserting supply commitments into the local DB. The supply verifier now uses this method to complete the supply commit insertion flow. This change resolves the final TODO, enabling a universe server tapd node to verify and store a given supply commitment.
Introduce a CopyFilter method to the Tree interface, along with implementations for both Compact and Full trees. This method enables selective copying of tree nodes using a caller-provided predicate function, similar to the existing Copy method. Include unit tests to verify the new functionality. This will be used to filter leaves from the supply subtree based on a maximum block height, supporting reconstruction of subtrees anchored to the chain via a supply commitment transaction.
Add a block height range end parameter to FetchSubTrees, enabling filtering of supply subtree leaves by block height. This allows reconstruction of supply subtrees as they existed at a specific supply commitment block height. This functionality is useful for reproducing a supply commitment at a given block height for syncing purposes.
Add a method to retrieve supply commitments from the verifier using a supply commitment locator. Locator supported options are: the first supply commit, the supply commit committed to at a given outpoint, and the supply commit that spends a given outpoint. A follow-up commit will remove FetchCommitment from the supply commit manager in favor of this new method.
Add `locator` field to the FetchSupplyCommit RPC request to specify which supply commit to retrieve. Supported options include: the first supply commit, the supply commit committed to at a given outpoint, and the supply commit that spends a given outpoint. Also update the response message for this endpoint. The response now includes all leaves new to the specified supply commit, as well as the outpoint that the fetched supply commit spends.
Favor use of supplyverifier.Manager.FetchCommitment instead.
Extend itest testSupplyCommitIgnoreAsset to fetch the supply commitment from the universe server. The issuer's supply commit state machine should push the commitment to the universe server, which must validate it before serving it. The universe server should only serve the snapshot after successful validation. This change verifies that the commitment can be fetched from the universe server as expected.
ffranr
force-pushed
the
wip/supplycommit/add-verifier
branch
from
26cf469 to
ded200f
Compare
There was a problem hiding this comment.
@Roasbeef reviewed 2 of 17 files at r1, 42 of 42 files at r2, 45 of 45 files at r3, all commit messages.
Reviewable status: all files reviewed, 44 unresolved discussions (waiting on @ffranr, @GeorgeTsagk, and @guggero)
universe/supplyverifier/verifier.go line 142 at r3 (raw file):
// verifyInitialCommit verifies the first (starting) supply commitment for a // given asset group. func (v *Verifier) verifyInitialCommit(ctx context.Context,
Additional things we should verify:
- the signatures for the ignore updates
- for burn+ignore, verify the proofs
- verify the anchor output information:
- the delegation key was used
- the root committed to matches up
universe/supplyverifier/verifier.go line 166 at r3 (raw file):
} return fmt.Errorf("found initial commitment for asset group; "+
I'm not sure I understand this check. Wouldn't it always fail after we've inserted the initial commitment?
universe/supplyverifier/verifier.go line 285 at r3 (raw file):
// that they correspond to the spent supply commitment outpoint. spentRootTree, spentSubtrees, err := v.cfg.SupplyTreeView.FetchSupplyTrees(
So we're expected to already have this on disk before we attempt to verify? Meaning we write to disk without verifying first?
universe/supplyverifier/verifier.go line 391 at r3 (raw file):
return v.verifyInitialCommit(ctx, assetSpec, commitment, leaves) }
See my comment about validation that's missing.
mssmt/interface.go line 9 at r3 (raw file):
// whether to include the leaf in the copy operation. A true value means the // leaf should be included, while false means it should be excluded. type CopyFilterPredicate = func([hashSize]byte, LeafNode) (bool, error)
Any reason to reach for an alias vs an actual type here?
itest/assertions.go line 2805 at r3 (raw file):
GroupKey: groupKeyReq, Locator: &unirpc.FetchSupplyCommitRequest_VeryFirst{ VeryFirst: true,
Perhaps an index to fetch instead would be more generic?
tapdb/sqlc/migrations/000045_supply_syncer_push_log.up.sql line 41 at r3 (raw file):
-- commitment of an asset group, each subsequent commitment needs to spend a -- prior commitment to ensure continuity in the supply chain. ALTER TABLE supply_commitments
👍
tapdb/supply_tree.go line 324 at r3 (raw file):
} filteredSubTree, err := filterSubTree(
Very cool pattern + solution here w/ the tree filter!
itest/supply_commit_test.go line 508 at r3 (raw file):
t.Log("Fetch first supply commitment from universe server") // Ensure that the supply commitment was pushed to the universe server
Style nit: missing a space above.
Can also be a sub test potentially.
tapdb/supply_commit_test.go line 2115 at r3 (raw file):
require.True(t, rows.Next(), "Expected supply commitment to exist") var rootHashBytes []byte
Style nit: can collapse into a single var statement.
rpcserver.go line 4352 at r3 (raw file):
// mapSupplyLeaves is a generic helper that converts a slice of supply update // events into a slice of RPC SupplyLeafEntry objects. func mapSupplyLeaves[E any](entries []E) ([]*unirpc.SupplyLeafEntry, error) {
Couldn't this just take the supply leaves interface from the supplycommit package?
You're already doing the type assert below.
Towards closing: #1463
This PR introduces the initial push sync flow for supply commitments:
Syncer (issuer side):
Universe server:
Integration test:
This PR establishes the push route for supply commitment sync. A follow-up PR will add the pull route to allow clients to fetch and verify supply commitments from a universe server.
Notes
This change is