Lp/two step dvpn reg (#6386)

* squashing  Lp/two step dvpn reg #6386

fixed integration tests by extending the mocks

remove dead code

compiling client-side code

gateway side handling of updated lp-wg reg

wip: countless changes on the gateway handler side

splitting up NestedLpSession

* fixed lp-messages tests

* gateway probe fixes

* unused variable

* resolved nits
This commit is contained in:
Jędrzej Stuczyński
2026-01-29 13:38:21 +00:00
committed by GitHub
parent 982786b678
commit 7dd1dd1a6c
34 changed files with 2259 additions and 1573 deletions
@@ -2,18 +2,38 @@
// SPDX-License-Identifier: Apache-2.0
use anyhow::{Context, bail};
use nym_bandwidth_controller::BandwidthTicketProvider;
use nym_bandwidth_controller::error::BandwidthControllerError;
use nym_bandwidth_controller::mock::MockBandwidthController;
use nym_client_core::client::base_client::storage::OnDiskPersistent;
use nym_credentials::CredentialSpendingData;
use nym_credentials_interface::TicketType;
use nym_node_status_client::models::AttachedTicketMaterials;
use nym_sdk::bandwidth::BandwidthImporter;
use nym_sdk::mixnet::{DisconnectedMixnetClient, EphemeralCredentialStorage};
use nym_sdk::mixnet::{CredentialStorage, DisconnectedMixnetClient, EphemeralCredentialStorage};
use nym_validator_client::QueryHttpRpcNyxdClient;
use nym_validator_client::nyxd::error::NyxdError;
use std::time::Duration;
use time::OffsetDateTime;
use tracing::{error, info};
pub(crate) fn build_bandwidth_controller<S>(
rpc_client: QueryHttpRpcNyxdClient,
on_disk_storage: S,
use_mock_ecash: bool,
) -> Box<dyn BandwidthTicketProvider>
where
S: CredentialStorage + 'static,
S::StorageError: Send + Sync + 'static,
{
if !use_mock_ecash {
Box::new(nym_bandwidth_controller::BandwidthController::new(
on_disk_storage,
rpc_client,
))
} else {
Box::new(MockBandwidthController::default())
}
}
pub(crate) async fn import_bandwidth(
bandwidth_importer: BandwidthImporter<'_, EphemeralCredentialStorage>,
attached_ticket_materials: AttachedTicketMaterials,
@@ -157,93 +177,3 @@ pub(crate) async fn acquire_bandwidth(
bail!("failed to acquire bandwidth after {MAX_RETRIES} attempts")
}
/// Create a dummy credential for mock ecash testing
///
/// Gateway with --lp-use-mock-ecash accepts any credential without verification,
/// so we only need to provide properly structured data with correct types.
///
/// This is useful for local testing without requiring blockchain access or funded accounts.
///
/// This uses a pre-serialized test credential from the wireguard tests - since MockEcashManager
/// doesn't verify anything, any valid CredentialSpendingData structure will work.
#[allow(clippy::expect_used)] // Test helper with hardcoded valid data
pub(crate) fn create_dummy_credential(
_gateway_identity: &[u8; 32],
_ticket_type: TicketType,
) -> CredentialSpendingData {
// This is a valid serialized CredentialSpendingData taken from integration tests
// See: common/wireguard-private-metadata/tests/src/lib.rs:CREDENTIAL_BYTES
const CREDENTIAL_BYTES: [u8; 1245] = [
0, 0, 4, 133, 96, 179, 223, 185, 136, 23, 213, 166, 59, 203, 66, 69, 209, 181, 227, 254,
16, 102, 98, 237, 59, 119, 170, 111, 31, 194, 51, 59, 120, 17, 115, 229, 79, 91, 11, 139,
154, 2, 212, 23, 68, 70, 167, 3, 240, 54, 224, 171, 221, 1, 69, 48, 60, 118, 119, 249, 123,
35, 172, 227, 131, 96, 232, 209, 187, 123, 4, 197, 102, 90, 96, 45, 125, 135, 140, 99, 1,
151, 17, 131, 143, 157, 97, 107, 139, 232, 212, 87, 14, 115, 253, 255, 166, 167, 186, 43,
90, 96, 173, 105, 120, 40, 10, 163, 250, 224, 214, 200, 178, 4, 160, 16, 130, 59, 76, 193,
39, 240, 3, 101, 141, 209, 183, 226, 186, 207, 56, 210, 187, 7, 164, 240, 164, 205, 37, 81,
184, 214, 193, 195, 90, 205, 238, 225, 195, 104, 12, 123, 203, 57, 233, 243, 215, 145, 195,
196, 57, 38, 125, 172, 18, 47, 63, 165, 110, 219, 180, 40, 58, 116, 92, 254, 160, 98, 48,
92, 254, 232, 107, 184, 80, 234, 60, 160, 235, 249, 76, 41, 38, 165, 28, 40, 136, 74, 48,
166, 50, 245, 23, 201, 140, 101, 79, 93, 235, 128, 186, 146, 126, 180, 134, 43, 13, 186,
19, 195, 48, 168, 201, 29, 216, 95, 176, 198, 132, 188, 64, 39, 212, 150, 32, 52, 53, 38,
228, 199, 122, 226, 217, 75, 40, 191, 151, 48, 164, 242, 177, 79, 14, 122, 105, 151, 85,
88, 199, 162, 17, 96, 103, 83, 178, 128, 9, 24, 30, 74, 108, 241, 85, 240, 166, 97, 241,
85, 199, 11, 198, 226, 234, 70, 107, 145, 28, 208, 114, 51, 12, 234, 108, 101, 202, 112,
48, 185, 22, 159, 67, 109, 49, 27, 149, 90, 109, 32, 226, 112, 7, 201, 208, 209, 104, 31,
97, 134, 204, 145, 27, 181, 206, 181, 106, 32, 110, 136, 115, 249, 201, 111, 5, 245, 203,
71, 121, 169, 126, 151, 178, 236, 59, 221, 195, 48, 135, 115, 6, 50, 227, 74, 97, 107, 107,
213, 90, 2, 203, 154, 138, 47, 128, 52, 134, 128, 224, 51, 65, 240, 90, 8, 55, 175, 180,
178, 204, 206, 168, 110, 51, 57, 189, 169, 48, 169, 136, 121, 99, 51, 170, 178, 214, 74, 1,
96, 151, 167, 25, 173, 180, 171, 155, 10, 55, 142, 234, 190, 113, 90, 79, 80, 244, 71, 166,
30, 235, 113, 150, 133, 1, 218, 17, 109, 111, 223, 24, 216, 177, 41, 2, 204, 65, 221, 212,
207, 236, 144, 6, 65, 224, 55, 42, 1, 1, 161, 134, 118, 127, 111, 220, 110, 127, 240, 71,
223, 129, 12, 93, 20, 220, 60, 56, 71, 146, 184, 95, 132, 69, 28, 56, 53, 192, 213, 22,
119, 230, 152, 225, 182, 188, 163, 219, 37, 175, 247, 73, 14, 247, 38, 72, 243, 1, 48, 131,
59, 8, 13, 96, 143, 185, 127, 241, 161, 217, 24, 149, 193, 40, 16, 30, 202, 151, 28, 119,
240, 153, 101, 156, 61, 193, 72, 245, 199, 181, 12, 231, 65, 166, 67, 142, 121, 207, 202,
58, 197, 113, 188, 248, 42, 124, 105, 48, 161, 241, 55, 209, 36, 194, 27, 63, 233, 144,
189, 85, 117, 234, 9, 139, 46, 31, 206, 114, 95, 131, 29, 240, 13, 81, 142, 140, 133, 33,
30, 41, 141, 37, 80, 217, 95, 221, 76, 115, 86, 201, 165, 51, 252, 9, 28, 209, 1, 48, 150,
74, 248, 212, 187, 222, 66, 210, 3, 200, 19, 217, 171, 184, 42, 148, 53, 150, 57, 50, 6,
227, 227, 62, 49, 42, 148, 148, 157, 82, 191, 58, 24, 34, 56, 98, 120, 89, 105, 176, 85,
15, 253, 241, 41, 153, 195, 136, 1, 48, 142, 126, 213, 101, 223, 79, 133, 230, 105, 38,
161, 149, 2, 21, 136, 150, 42, 72, 218, 85, 146, 63, 223, 58, 108, 186, 183, 248, 62, 20,
47, 34, 113, 160, 177, 204, 181, 16, 24, 212, 224, 35, 84, 51, 168, 56, 136, 11, 1, 48,
135, 242, 62, 149, 230, 178, 32, 224, 119, 26, 234, 163, 237, 224, 114, 95, 112, 140, 170,
150, 96, 125, 136, 221, 180, 78, 18, 11, 12, 184, 2, 198, 217, 119, 43, 69, 4, 172, 109,
55, 183, 40, 131, 172, 161, 88, 183, 101, 1, 48, 173, 216, 22, 73, 42, 255, 211, 93, 249,
87, 159, 115, 61, 91, 55, 130, 17, 216, 60, 34, 122, 55, 8, 244, 244, 153, 151, 57, 5, 144,
178, 55, 249, 64, 211, 168, 34, 148, 56, 89, 92, 203, 70, 124, 219, 152, 253, 165, 0, 32,
203, 116, 63, 7, 240, 222, 82, 86, 11, 149, 167, 72, 224, 55, 190, 66, 201, 65, 168, 184,
96, 47, 194, 241, 168, 124, 7, 74, 214, 250, 37, 76, 32, 218, 69, 122, 103, 215, 145, 169,
24, 212, 229, 168, 106, 10, 144, 31, 13, 25, 178, 242, 250, 106, 159, 40, 48, 163, 165, 61,
130, 57, 146, 4, 73, 32, 254, 233, 125, 135, 212, 29, 111, 4, 177, 114, 15, 210, 170, 82,
108, 110, 62, 166, 81, 209, 106, 176, 156, 14, 133, 242, 60, 127, 120, 242, 28, 97, 0, 1,
32, 103, 93, 109, 89, 240, 91, 1, 84, 150, 50, 206, 157, 203, 49, 220, 120, 234, 175, 234,
150, 126, 225, 94, 163, 164, 199, 138, 114, 62, 99, 106, 112, 1, 32, 171, 40, 220, 82, 241,
203, 76, 146, 111, 139, 182, 179, 237, 182, 115, 75, 128, 201, 107, 43, 214, 0, 135, 217,
160, 68, 150, 232, 144, 114, 237, 98, 32, 30, 134, 232, 59, 93, 163, 253, 244, 13, 202, 52,
147, 168, 83, 121, 123, 95, 21, 210, 209, 225, 223, 143, 49, 10, 205, 238, 1, 22, 83, 81,
70, 1, 32, 26, 76, 6, 234, 160, 50, 139, 102, 161, 232, 155, 106, 130, 171, 226, 210, 233,
178, 85, 247, 71, 123, 55, 53, 46, 67, 148, 137, 156, 207, 208, 107, 1, 32, 102, 31, 4, 98,
110, 156, 144, 61, 229, 140, 198, 84, 196, 238, 128, 35, 131, 182, 137, 125, 241, 95, 69,
131, 170, 27, 2, 144, 75, 72, 242, 102, 3, 32, 121, 80, 45, 173, 56, 65, 218, 27, 40, 251,
197, 32, 169, 104, 123, 110, 90, 78, 153, 166, 38, 9, 129, 228, 99, 8, 1, 116, 142, 233,
162, 69, 32, 216, 169, 159, 116, 95, 12, 63, 176, 195, 6, 183, 123, 135, 75, 61, 112, 106,
83, 235, 176, 41, 27, 248, 48, 71, 165, 170, 12, 92, 103, 103, 81, 32, 58, 74, 75, 145,
192, 94, 153, 69, 80, 128, 241, 3, 16, 117, 192, 86, 161, 103, 44, 174, 211, 196, 182, 124,
55, 11, 107, 142, 49, 88, 6, 41, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 0, 37, 139, 240, 0, 0,
0, 0, 0, 0, 0, 1,
];
let mut credential = CredentialSpendingData::try_from_bytes(&CREDENTIAL_BYTES)
.expect("Failed to deserialize test credential - this is a bug in the test harness");
// Update spend_date to today to pass validation
credential.spend_date = OffsetDateTime::now_utc().date();
credential
}
+51 -137
View File
@@ -8,7 +8,7 @@ use crate::common::types::{
use crate::common::wireguard::{
TwoHopWgTunnelConfig, WgTunnelConfig, run_tunnel_tests, run_two_hop_tunnel_tests,
};
use crate::common::{bandwidth_helpers, helpers, icmp};
use crate::common::{helpers, icmp};
use crate::config::NetstackArgs;
use anyhow::bail;
use base64::{Engine, engine::general_purpose};
@@ -19,6 +19,7 @@ use nym_authenticator_requests::{
AuthenticatorVersion, client_message::ClientMessage, response::AuthenticatorResponse, v2, v3,
v4, v5, v6,
};
use nym_bandwidth_controller::BandwidthTicketProvider;
use nym_config::defaults::mixnet_vpn::{NYM_TUN_DEVICE_ADDRESS_V4, NYM_TUN_DEVICE_ADDRESS_V6};
use nym_connection_monitor::self_ping_and_wait;
use nym_credentials_interface::{CredentialSpendingData, TicketType};
@@ -147,22 +148,11 @@ pub async fn wg_probe(
Ok(wg_outcome)
}
pub async fn lp_registration_probe<St>(
pub async fn lp_registration_probe(
gateway_identity: NodeIdentity,
gateway_lp_data: TestedNodeLpDetails,
bandwidth_controller: &nym_bandwidth_controller::BandwidthController<
nym_validator_client::nyxd::NyxdClient<nym_validator_client::HttpRpcClient>,
St,
>,
use_mock_ecash: bool,
) -> anyhow::Result<LpProbeResults>
where
St: nym_sdk::mixnet::CredentialStorage + Clone + Send + Sync + 'static,
<St as nym_sdk::mixnet::CredentialStorage>::StorageError: Send + Sync,
{
use nym_crypto::asymmetric::ed25519;
use nym_registration_client::LpRegistrationClient;
bandwidth_controller: &dyn BandwidthTicketProvider,
) -> anyhow::Result<LpProbeResults> {
let lp_address = gateway_lp_data.address;
let peer = helpers::to_lp_remote_peer(gateway_identity, gateway_lp_data);
@@ -223,44 +213,22 @@ where
// Register using the new packet-per-connection API (returns GatewayData directly)
let ticket_type = TicketType::V1WireguardEntry;
let gateway_data = if use_mock_ecash {
info!("Using mock ecash credential for LP registration");
let credential = bandwidth_helpers::create_dummy_credential(
&gateway_ed25519_pubkey.to_bytes(),
let gateway_data = match client
.register_dvpn(
&mut rng,
&wg_keypair,
&gateway_ed25519_pubkey,
bandwidth_controller,
ticket_type,
);
match client
.register_with_credential(&mut rng, &wg_keypair, credential, ticket_type)
.await
{
Ok(data) => data,
Err(e) => {
let error_msg = format!("LP registration failed (mock ecash): {}", e);
error!("{}", error_msg);
lp_outcome.error = Some(error_msg);
return Ok(lp_outcome);
}
}
} else {
info!("Using real bandwidth controller for LP registration");
match client
.register(
&mut rng,
&wg_keypair,
&gateway_ed25519_pubkey,
bandwidth_controller,
ticket_type,
)
.await
{
Ok(data) => data,
Err(e) => {
let error_msg = format!("LP registration failed: {}", e);
error!("{}", error_msg);
lp_outcome.error = Some(error_msg);
return Ok(lp_outcome);
}
)
.await
{
Ok(data) => data,
Err(e) => {
let error_msg = format!("LP registration failed: {}", e);
error!("{}", error_msg);
lp_outcome.error = Some(error_msg);
return Ok(lp_outcome);
}
};
@@ -291,21 +259,13 @@ where
// but subsequent DNS/ping tests may timeout. This appears to be related to Apple Container
// Runtime networking quirks combined with our NAT/iptables configuration. Tracked in
// beads issue nym-vbdo. Workaround: restart the localnet containers between probe runs.
pub async fn wg_probe_lp<St>(
pub async fn wg_probe_lp(
entry_gateway: &TestedNodeDetails,
exit_gateway: &TestedNodeDetails,
bandwidth_controller: &nym_bandwidth_controller::BandwidthController<
nym_validator_client::nyxd::NyxdClient<nym_validator_client::HttpRpcClient>,
St,
>,
use_mock_ecash: bool,
bandwidth_controller: &dyn BandwidthTicketProvider,
awg_args: String,
netstack_args: NetstackArgs,
) -> anyhow::Result<WgProbeResults>
where
St: nym_sdk::mixnet::CredentialStorage + Clone + Send + Sync + 'static,
<St as nym_sdk::mixnet::CredentialStorage>::StorageError: Send + Sync,
{
) -> anyhow::Result<WgProbeResults> {
// Validate that both gateways have required information
let entry_lp_data = entry_gateway
.lp_data
@@ -366,47 +326,24 @@ where
.map_err(|e| anyhow::anyhow!("Invalid exit gateway identity: {}", e))?;
// Perform handshake and registration with exit gateway via forwarding
let exit_gateway_data = if use_mock_ecash {
info!("Using mock ecash credential for exit gateway registration");
let credential = bandwidth_helpers::create_dummy_credential(
&exit_gateway_pubkey.to_bytes(),
let exit_gateway_data = match nested_session
.handshake_and_register_dvpn(
&mut entry_client,
&mut rng,
&exit_wg_keypair,
&exit_gateway_pubkey,
bandwidth_controller,
TicketType::V1WireguardExit,
);
match nested_session
.handshake_and_register_with_credential(
&mut entry_client,
&mut rng,
&exit_wg_keypair,
credential,
TicketType::V1WireguardExit,
)
.await
{
Ok(data) => data,
Err(e) => {
error!("Failed to register with exit gateway (mock ecash): {}", e);
return Ok(wg_outcome);
}
}
} else {
match nested_session
.handshake_and_register(
&mut entry_client,
&mut rng,
&exit_wg_keypair,
&exit_gateway_pubkey,
bandwidth_controller,
TicketType::V1WireguardExit,
)
.await
{
Ok(data) => data,
Err(e) => {
error!("Failed to register with exit gateway: {}", e);
return Ok(wg_outcome);
}
)
.await
{
Ok(data) => data,
Err(e) => {
error!("Failed to register with exit gateway: {}", e);
return Ok(wg_outcome);
}
};
info!("Exit gateway registration successful via forwarding");
// STEP 3: Register with entry gateway
@@ -416,43 +353,20 @@ where
.map_err(|e| anyhow::anyhow!("Invalid entry gateway identity: {}", e))?;
// Use packet-per-connection register() which returns GatewayData directly
let entry_gateway_data = if use_mock_ecash {
info!("Using mock ecash credential for entry gateway registration");
let credential = bandwidth_helpers::create_dummy_credential(
&entry_gateway_pubkey.to_bytes(),
let entry_gateway_data = match entry_client
.register_dvpn(
&mut rng,
&entry_wg_keypair,
&entry_gateway_pubkey,
bandwidth_controller,
TicketType::V1WireguardEntry,
);
match entry_client
.register_with_credential(
&mut rng,
&entry_wg_keypair,
credential,
TicketType::V1WireguardEntry,
)
.await
{
Ok(data) => data,
Err(e) => {
error!("Failed to register with entry gateway (mock ecash): {}", e);
return Ok(wg_outcome);
}
}
} else {
match entry_client
.register(
&mut rng,
&entry_wg_keypair,
&entry_gateway_pubkey,
bandwidth_controller,
TicketType::V1WireguardEntry,
)
.await
{
Ok(data) => data,
Err(e) => {
error!("Failed to register with entry gateway: {}", e);
return Ok(wg_outcome);
}
)
.await
{
Ok(data) => data,
Err(e) => {
error!("Failed to register with entry gateway: {}", e);
return Ok(wg_outcome);
}
};
info!("Entry gateway registration successful");
+19 -18
View File
@@ -24,7 +24,9 @@ use url::Url;
mod common;
pub mod config;
use crate::common::bandwidth_helpers::{acquire_bandwidth, import_bandwidth};
use crate::common::bandwidth_helpers::{
acquire_bandwidth, build_bandwidth_controller, import_bandwidth,
};
pub use crate::common::nodes::{
DirectoryNode, NymApiDirectory, TestedNode, TestedNodeDetails, TestedNodeLpDetails,
query_gateway_by_ip,
@@ -435,16 +437,14 @@ impl Probe {
&NymNetworkDetails::new_from_env(),
)?;
let client = nym_validator_client::nyxd::NyxdClient::connect(config, nyxd_url.as_str())?;
let bw_controller = nym_bandwidth_controller::BandwidthController::new(
storage.credential_store().clone(),
client,
);
let bw_controller =
build_bandwidth_controller(client, storage.credential_store().clone(), use_mock_ecash);
// Run LP registration probe
let lp_outcome =
lp_registration_probe(node_info.identity, lp_data, &bw_controller, use_mock_ecash)
.await
.unwrap_or_default();
let lp_outcome = lp_registration_probe(node_info.identity, lp_data, &bw_controller)
.await
.unwrap_or_default();
// Return result with only LP outcome
Ok(ProbeResult {
@@ -644,9 +644,11 @@ impl Probe {
)?;
let client =
nym_validator_client::nyxd::NyxdClient::connect(config, nyxd_url.as_str())?;
let bw_controller = nym_bandwidth_controller::BandwidthController::new(
storage.credential_store().clone(),
let bw_controller = build_bandwidth_controller(
client,
storage.credential_store().clone(),
use_mock_ecash,
);
// Determine entry and exit gateways
@@ -691,7 +693,6 @@ impl Probe {
&entry_gateway,
&exit_gateway,
&bw_controller,
use_mock_ecash,
self.amnezia_args.clone(),
self.netstack_args.clone(),
)
@@ -773,15 +774,15 @@ impl Probe {
)?;
let client =
nym_validator_client::nyxd::NyxdClient::connect(config, nyxd_url.as_str())?;
let bw_controller = nym_bandwidth_controller::BandwidthController::new(
storage.credential_store().clone(),
let bw_controller = build_bandwidth_controller(
client,
storage.credential_store().clone(),
use_mock_ecash,
);
let outcome =
lp_registration_probe(node_info.identity, lp_data, &bw_controller, use_mock_ecash)
.await
.unwrap_or_default();
let outcome = lp_registration_probe(node_info.identity, lp_data, &bw_controller)
.await
.unwrap_or_default();
Some(outcome)
} else {