Merge branch 'master' into alex/storage-doc-guidelines

Author: AlexHentschel

.dockerignore

@@ -1,3 +1,7 @@
+# Do not copy the user's project git directory into the container
+# it's not needed to build the project, and causes issues when working within git worktrees
+.git/
+
 integration/localnet/bootstrap/
 integration/localnet/profiler/
 integration/localnet/data/

access/api.go

@@ -57,8 +57,8 @@ type TransactionsAPI interface {
 	GetTransactionResultByIndex(ctx context.Context, blockID flow.Identifier, index uint32, encodingVersion entities.EventEncodingVersion) (*accessmodel.TransactionResult, error)
 	GetTransactionResultsByBlockID(ctx context.Context, blockID flow.Identifier, encodingVersion entities.EventEncodingVersion) ([]*accessmodel.TransactionResult, error)
 
-	GetSystemTransaction(ctx context.Context, blockID flow.Identifier) (*flow.TransactionBody, error)
-	GetSystemTransactionResult(ctx context.Context, blockID flow.Identifier, encodingVersion entities.EventEncodingVersion) (*accessmodel.TransactionResult, error)
+	GetSystemTransaction(ctx context.Context, txID flow.Identifier, blockID flow.Identifier) (*flow.TransactionBody, error)
+	GetSystemTransactionResult(ctx context.Context, txID flow.Identifier, blockID flow.Identifier, encodingVersion entities.EventEncodingVersion) (*accessmodel.TransactionResult, error)
 }
 
 type TransactionStreamAPI interface {

access/mock/api.go

@@ -77,14 +77,24 @@ func (e DuplicatedSignatureError) Error() string {
 	return fmt.Sprintf("duplicated signature for key (address: %s, index: %d)", e.Address.String(), e.KeyIndex)
 }
 
-// InvalidSignatureError indicates that a transaction contains a signature
+// InvalidRawSignatureError indicates that a transaction contains a cryptographic raw signature
 // with a wrong format.
-type InvalidSignatureError struct {
+type InvalidRawSignatureError struct {
 	Signature flow.TransactionSignature
 }
 
-func (e InvalidSignatureError) Error() string {
-	return fmt.Sprintf("invalid signature: %s", e.Signature)
+func (e InvalidRawSignatureError) Error() string {
+	return fmt.Sprintf("the cryptographic signature within the transaction signature has an invalid format: %s", e.Signature)
+}
+
+// InvalidAuthenticationSchemeFormatError indicates that a transaction contains a signature
+// with a wrong format.
+type InvalidAuthenticationSchemeFormatError struct {
+	Signature flow.TransactionSignature
+}
+
+func (e InvalidAuthenticationSchemeFormatError) Error() string {
+	return fmt.Sprintf("the transaction signature has invalid extension data: %s", e.Signature)
 }
 
 // InvalidTxByteSizeError indicates that a transaction byte size exceeds the maximum.

access/validator/errors.go

@@ -428,6 +428,20 @@ func (v *TransactionValidator) checkSignatureDuplications(tx *flow.TransactionBo
 }
 
 func (v *TransactionValidator) checkSignatureFormat(tx *flow.TransactionBody) error {
+	for _, signature := range tx.PayloadSignatures {
+		valid, _ := signature.ValidateExtensionDataAndReconstructMessage(tx.PayloadMessage())
+		if !valid {
+			return InvalidAuthenticationSchemeFormatError{Signature: signature}
+		}
+	}
+
+	for _, signature := range tx.EnvelopeSignatures {
+		valid, _ := signature.ValidateExtensionDataAndReconstructMessage(tx.EnvelopeMessage())
+		if !valid {
+			return InvalidAuthenticationSchemeFormatError{Signature: signature}
+		}
+	}
+
 	for _, signature := range append(tx.PayloadSignatures, tx.EnvelopeSignatures...) {
 		// check the format of the signature is valid.
 		// a valid signature is an ECDSA signature of either P-256 or secp256k1 curve.
@@ -451,7 +465,7 @@ func (v *TransactionValidator) checkSignatureFormat(tx *flow.TransactionBody) er
 			continue
 		}
 
-		return InvalidSignatureError{Signature: signature}
+		return InvalidRawSignatureError{Signature: signature}
 	}
 
 	return nil

access/validator/validator.go

@@ -2,13 +2,15 @@ package validator_test
 
 import (
 	"context"
+	"encoding/hex"
 	"errors"
 	"testing"
 
 	"github.com/onflow/cadence"
 	"github.com/onflow/cadence/common"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
 
 	jsoncdc "github.com/onflow/cadence/encoding/json"
@@ -206,5 +208,102 @@ func (s *TransactionValidatorSuite) TestTransactionValidator_SealedIndexedHeight
 
 	err = validator.Validate(context.Background(), &txBody)
 	assert.NoError(s.T(), err)
+}
+
+func (s *TransactionValidatorSuite) TestTransactionValidator_SignatureValidation() {
+	scriptExecutor := execmock.NewScriptExecutor(s.T())
+
+	// setting indexed height to be behind of sealed by bigger number than allowed(DefaultSealedIndexedHeightThreshold)
+	indexedHeight := s.header.Height - 40
+
+	s.blocks.
+		On("IndexedHeight").
+		Return(indexedHeight, nil)
+
+	validator, err := validator.NewTransactionValidator(s.blocks, s.chain, s.metrics, s.validatorOptions, scriptExecutor)
+	assert.NoError(s.T(), err)
+	assert.NotNil(s.T(), validator)
+
+	// valid format signature
+	ecdsaSignatureFixtureStr := "0f9c37c155fbb656d2049a8349a0fcd2dedfe27d1588c2f635f60df2052141c17f2e195790c55ce42c4f73b5cc7e194060fee641818e8d640e69f92d4777518d"
+	ecdsaSignatureFixture, err := hex.DecodeString(ecdsaSignatureFixtureStr)
+	require.NoError(s.T(), err)
 
+	address := unittest.AddressFixture()
+	transactionBody := flow.TransactionBody{
+		Script: []byte("some script"),
+		Arguments: [][]byte{
+			[]byte("arg1"),
+		},
+		ReferenceBlockID: flow.HashToID([]byte("some block id")),
+		GasLimit:         1000,
+		Payer:            address,
+		ProposalKey: flow.ProposalKey{
+			Address:        address,
+			KeyIndex:       0,
+			SequenceNumber: 0,
+		},
+		Authorizers: []flow.Address{
+			address,
+		},
+		PayloadSignatures: []flow.TransactionSignature{
+			{
+				Address:       address,
+				KeyIndex:      0,
+				Signature:     ecdsaSignatureFixture,
+				SignerIndex:   0,
+				ExtensionData: unittest.RandomBytes(3),
+			},
+		},
+		EnvelopeSignatures: []flow.TransactionSignature{
+			{
+				Address:       address,
+				KeyIndex:      1,
+				Signature:     ecdsaSignatureFixture,
+				SignerIndex:   0,
+				ExtensionData: unittest.RandomBytes(3),
+			},
+		},
+	}
+
+	// detailed cases of signature validation are tested in model/flow/transaction_test.go
+	cases := []struct {
+		payloadSigExtensionData  []byte
+		EnvelopeSigExtensionData []byte
+		shouldError              bool
+	}{
+		{
+			// happy path
+			payloadSigExtensionData:  nil,
+			EnvelopeSigExtensionData: nil,
+			shouldError:              false,
+		},
+		{
+			// invalid payload transaction
+			payloadSigExtensionData:  []byte{10},
+			EnvelopeSigExtensionData: nil,
+			shouldError:              true,
+		}, {
+			// invalid envelope transaction
+			payloadSigExtensionData:  nil,
+			EnvelopeSigExtensionData: []byte{10},
+			shouldError:              true,
+		}, {
+			// invalid envelope and payload transactions
+			payloadSigExtensionData:  []byte{10},
+			EnvelopeSigExtensionData: []byte{10},
+			shouldError:              true,
+		},
+	}
+	// test all cases
+	for _, c := range cases {
+		transactionBody.PayloadSignatures[0].ExtensionData = c.payloadSigExtensionData
+		transactionBody.EnvelopeSignatures[0].ExtensionData = c.EnvelopeSigExtensionData
+		err = validator.Validate(context.Background(), &transactionBody)
+		if c.shouldError {
+			assert.Error(s.T(), err)
+		} else {
+			assert.NoError(s.T(), err)
+		}
+	}
 }