Compare commits
17 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 589ee64516 | |||
| b20ab5dc50 | |||
| 5bdff28a11 | |||
| 4795a643a4 | |||
| f7f6421415 | |||
| 891cfb80ea | |||
| 9344296804 | |||
| 3538b5237e | |||
| 5581f735d2 | |||
| c0ede6a506 | |||
| 5d6b84a94f | |||
| 66fff0edf0 | |||
| 2bdb623101 | |||
| 1f435880d7 | |||
| 34579222c5 | |||
| 2a43134327 | |||
| 844bcba6e8 |
@@ -1,7 +0,0 @@
|
||||
.git
|
||||
.github
|
||||
.gitignore
|
||||
**/node_modules
|
||||
**/target
|
||||
dist
|
||||
documentation
|
||||
+1
-4
@@ -48,7 +48,4 @@ foxyfox.env
|
||||
|
||||
.next
|
||||
ppa-private-key.b64
|
||||
ppa-private-key.asc
|
||||
nym-network-monitor/topology.json
|
||||
nym-network-monitor/__pycache__
|
||||
nym-network-monitor/*.key
|
||||
ppa-private-key.asc
|
||||
Generated
-58
@@ -1858,7 +1858,6 @@ dependencies = [
|
||||
"lock_api",
|
||||
"once_cell",
|
||||
"parking_lot_core 0.9.10",
|
||||
"serde",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -2398,12 +2397,6 @@ dependencies = [
|
||||
"windows-sys 0.52.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "fixedbitset"
|
||||
version = "0.4.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80"
|
||||
|
||||
[[package]]
|
||||
name = "flate2"
|
||||
version = "1.0.30"
|
||||
@@ -4260,7 +4253,6 @@ dependencies = [
|
||||
"nym-sphinx",
|
||||
"nym-task",
|
||||
"nym-topology",
|
||||
"nym-types",
|
||||
"nym-validator-client",
|
||||
"nym-vesting-contract-common",
|
||||
"okapi",
|
||||
@@ -4587,7 +4579,6 @@ dependencies = [
|
||||
"nym-topology",
|
||||
"nym-validator-client",
|
||||
"rand 0.8.5",
|
||||
"rand_chacha 0.3.1",
|
||||
"serde",
|
||||
"serde_json",
|
||||
"sha2 0.10.8",
|
||||
@@ -5419,36 +5410,6 @@ dependencies = [
|
||||
"url",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "nym-network-monitor"
|
||||
version = "0.1.0"
|
||||
dependencies = [
|
||||
"anyhow",
|
||||
"axum 0.7.5",
|
||||
"clap 4.5.7",
|
||||
"dashmap",
|
||||
"futures",
|
||||
"log",
|
||||
"nym-bin-common",
|
||||
"nym-crypto",
|
||||
"nym-network-defaults",
|
||||
"nym-sdk",
|
||||
"nym-sphinx",
|
||||
"nym-topology",
|
||||
"nym-types",
|
||||
"nym-validator-client",
|
||||
"petgraph",
|
||||
"rand 0.8.5",
|
||||
"rand_chacha 0.3.1",
|
||||
"reqwest 0.12.4",
|
||||
"serde",
|
||||
"serde_json",
|
||||
"tokio",
|
||||
"tokio-util",
|
||||
"utoipa",
|
||||
"utoipa-swagger-ui",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "nym-network-requester"
|
||||
version = "1.1.40"
|
||||
@@ -5614,7 +5575,6 @@ dependencies = [
|
||||
"nym-task",
|
||||
"nym-topology",
|
||||
"rand 0.8.5",
|
||||
"rand_chacha 0.3.1",
|
||||
"serde",
|
||||
"serde_json",
|
||||
"thiserror",
|
||||
@@ -5898,7 +5858,6 @@ version = "0.1.0"
|
||||
dependencies = [
|
||||
"log",
|
||||
"nym-crypto",
|
||||
"nym-metrics",
|
||||
"nym-mixnet-contract-common",
|
||||
"nym-sphinx-acknowledgements",
|
||||
"nym-sphinx-addressing",
|
||||
@@ -5912,7 +5871,6 @@ dependencies = [
|
||||
"nym-sphinx-types",
|
||||
"nym-topology",
|
||||
"rand 0.8.5",
|
||||
"rand_chacha 0.3.1",
|
||||
"rand_distr",
|
||||
"thiserror",
|
||||
"tokio",
|
||||
@@ -5969,17 +5927,12 @@ dependencies = [
|
||||
name = "nym-sphinx-chunking"
|
||||
version = "0.1.0"
|
||||
dependencies = [
|
||||
"dashmap",
|
||||
"log",
|
||||
"nym-crypto",
|
||||
"nym-metrics",
|
||||
"nym-sphinx-addressing",
|
||||
"nym-sphinx-params",
|
||||
"nym-sphinx-types",
|
||||
"rand 0.8.5",
|
||||
"serde",
|
||||
"thiserror",
|
||||
"utoipa",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -6093,7 +6046,6 @@ dependencies = [
|
||||
"nym-sphinx-routing",
|
||||
"nym-sphinx-types",
|
||||
"rand 0.8.5",
|
||||
"reqwest 0.12.4",
|
||||
"semver 0.11.0",
|
||||
"serde",
|
||||
"serde_json",
|
||||
@@ -6730,16 +6682,6 @@ dependencies = [
|
||||
"sha2 0.10.8",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "petgraph"
|
||||
version = "0.6.5"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
|
||||
dependencies = [
|
||||
"fixedbitset",
|
||||
"indexmap 2.2.6",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "pin-project"
|
||||
version = "1.1.5"
|
||||
|
||||
+1
-2
@@ -14,6 +14,7 @@ panic = "abort"
|
||||
opt-level = 3
|
||||
|
||||
[workspace]
|
||||
|
||||
resolver = "2"
|
||||
members = [
|
||||
"clients/native",
|
||||
@@ -105,7 +106,6 @@ members = [
|
||||
"service-providers/common",
|
||||
"service-providers/ip-packet-router",
|
||||
"service-providers/network-requester",
|
||||
"nym-network-monitor",
|
||||
"nym-api",
|
||||
"nym-browser-extension/storage",
|
||||
"nym-api/nym-api-requests",
|
||||
@@ -159,7 +159,6 @@ homepage = "https://nymtech.net"
|
||||
documentation = "https://nymtech.net"
|
||||
edition = "2021"
|
||||
license = "Apache-2.0"
|
||||
rust-version = "1.80"
|
||||
|
||||
[workspace.dependencies]
|
||||
addr = "0.15.6"
|
||||
|
||||
@@ -19,7 +19,6 @@ futures = { workspace = true }
|
||||
humantime-serde = { workspace = true }
|
||||
log = { workspace = true }
|
||||
rand = { workspace = true }
|
||||
rand_chacha = { workspace = true }
|
||||
serde = { workspace = true, features = ["derive"] }
|
||||
serde_json = { workspace = true }
|
||||
sha2 = { workspace = true }
|
||||
|
||||
@@ -458,7 +458,7 @@ impl PacketStatisticsControl {
|
||||
|
||||
fn report_rates(&self) {
|
||||
if let Some((_, rates)) = self.rates.back() {
|
||||
log::debug!("{}", rates.summary());
|
||||
log::info!("{}", rates.summary());
|
||||
log::debug!("{}", rates.detailed_summary());
|
||||
}
|
||||
}
|
||||
@@ -486,7 +486,7 @@ impl PacketStatisticsControl {
|
||||
// Check what the number of retransmissions was during the recording window
|
||||
if let Some((_, start_stats)) = self.history.front() {
|
||||
let delta = self.stats.clone() - start_stats.clone();
|
||||
log::debug!(
|
||||
log::info!(
|
||||
"mix packet retransmissions/real mix packets: {}/{}",
|
||||
delta.retransmissions_queued,
|
||||
delta.real_packets_queued,
|
||||
|
||||
@@ -453,7 +453,6 @@ where
|
||||
|
||||
let mut pending_acks = Vec::with_capacity(fragments.len());
|
||||
let mut real_messages = Vec::with_capacity(fragments.len());
|
||||
debug!("Splitting message into {} fragments", fragments.len());
|
||||
for fragment in fragments {
|
||||
// we need to clone it because we need to keep it in memory in case we had to retransmit
|
||||
// it. And then we'd need to recreate entire ACK again.
|
||||
|
||||
@@ -90,6 +90,4 @@ default = ["http-client"]
|
||||
http-client = ["cosmrs/rpc"]
|
||||
generate-ts = []
|
||||
contract-testing = ["nym-mixnet-contract-common/contract-testing"]
|
||||
# Features below are added to make clippy happy, it seems like they're unused we should remove them
|
||||
tendermint-rpc-http-client = ["tendermint-rpc/http-client"]
|
||||
tendermint-rpc-websocket-client = ["tendermint-rpc/websocket-client"]
|
||||
|
||||
|
||||
@@ -49,7 +49,5 @@ pub const COMPUTE_REWARD_ESTIMATION: &str = "compute-reward-estimation";
|
||||
pub const AVG_UPTIME: &str = "avg_uptime";
|
||||
pub const STAKE_SATURATION: &str = "stake-saturation";
|
||||
pub const INCLUSION_CHANCE: &str = "inclusion-probability";
|
||||
pub const SUBMIT_GATEWAY: &str = "submit-gateway-monitoring-results";
|
||||
pub const SUBMIT_NODE: &str = "submit-node-monitoring-results";
|
||||
|
||||
pub const SERVICE_PROVIDERS: &str = "services";
|
||||
|
||||
@@ -300,8 +300,8 @@ where
|
||||
}
|
||||
|
||||
#[cfg(any(
|
||||
feature = "tendermint-rpc-http-client",
|
||||
feature = "tendermint-rpc-websocket-client"
|
||||
feature = "tendermint-rpc/http-client",
|
||||
feature = "tendermint-rpc/websocket-client"
|
||||
))]
|
||||
async fn wait_until_healthy<T>(&self, timeout: T) -> Result<(), Error>
|
||||
where
|
||||
|
||||
@@ -820,8 +820,8 @@ where
|
||||
}
|
||||
|
||||
#[cfg(any(
|
||||
feature = "tendermint-rpc-http-client",
|
||||
feature = "tendermint-rpc-websocket-client"
|
||||
feature = "tendermint-rpc/http-client",
|
||||
feature = "tendermint-rpc/websocket-client"
|
||||
))]
|
||||
async fn wait_until_healthy<T>(&self, timeout: T) -> Result<(), Error>
|
||||
where
|
||||
|
||||
@@ -300,8 +300,8 @@ pub trait TendermintRpcClient {
|
||||
}
|
||||
|
||||
#[cfg(any(
|
||||
feature = "tendermint-rpc-http-client",
|
||||
feature = "tendermint-rpc-websocket-client"
|
||||
feature = "tendermint-rpc/http-client",
|
||||
feature = "tendermint-rpc/websocket-client"
|
||||
))]
|
||||
/// Poll the `/health` endpoint until it returns a successful result or
|
||||
/// the given `timeout` has elapsed.
|
||||
@@ -518,8 +518,8 @@ mod non_wasm {
|
||||
}
|
||||
|
||||
#[cfg(any(
|
||||
feature = "tendermint-rpc-http-client",
|
||||
feature = "tendermint-rpc-websocket-client"
|
||||
feature = "tendermint-rpc/http-client",
|
||||
feature = "tendermint-rpc/websocket-client"
|
||||
))]
|
||||
async fn wait_until_healthy<T>(&self, timeout: T) -> Result<(), Error>
|
||||
where
|
||||
|
||||
@@ -22,7 +22,7 @@ use tracing::{debug, error};
|
||||
pub mod bandwidth;
|
||||
pub mod error;
|
||||
mod inboxes;
|
||||
pub mod models;
|
||||
pub(crate) mod models;
|
||||
mod shared_keys;
|
||||
mod tickets;
|
||||
#[cfg(feature = "wireguard")]
|
||||
|
||||
@@ -9,12 +9,11 @@ license.workspace = true
|
||||
[dependencies]
|
||||
futures = { workspace = true }
|
||||
rand = { workspace = true }
|
||||
rand_chacha = { workspace = true }
|
||||
|
||||
serde = { workspace = true }
|
||||
serde_json = { workspace = true }
|
||||
thiserror = { workspace = true }
|
||||
tokio = { workspace = true, features = ["macros"] }
|
||||
tokio = { workspace = true, features = ["macros"]}
|
||||
|
||||
nym-crypto = { path = "../crypto", features = ["asymmetric"] }
|
||||
nym-task = { path = "../task" }
|
||||
|
||||
@@ -294,8 +294,4 @@ impl<R: CryptoRng + Rng> FragmentPreparer for NodeTester<R> {
|
||||
fn average_ack_delay(&self) -> Duration {
|
||||
self.average_ack_delay
|
||||
}
|
||||
|
||||
fn nonce(&self) -> i32 {
|
||||
1
|
||||
}
|
||||
}
|
||||
|
||||
@@ -11,7 +11,6 @@ repository = { workspace = true }
|
||||
log = { workspace = true }
|
||||
rand = { workspace = true }
|
||||
rand_distr = { workspace = true }
|
||||
rand_chacha = { workspace = true }
|
||||
thiserror = { workspace = true }
|
||||
|
||||
nym-sphinx-acknowledgements = { path = "acknowledgements" }
|
||||
@@ -28,13 +27,10 @@ nym-sphinx-types = { path = "types" }
|
||||
# to separate crate?
|
||||
nym-crypto = { path = "../crypto", version = "0.4.0" }
|
||||
nym-topology = { path = "../topology" }
|
||||
nym-metrics = { path = "../nym-metrics" }
|
||||
|
||||
[dev-dependencies]
|
||||
nym-mixnet-contract-common = { path = "../cosmwasm-smart-contracts/mixnet-contract" }
|
||||
nym-crypto = { path = "../crypto", version = "0.4.0", features = [
|
||||
"asymmetric",
|
||||
] }
|
||||
nym-crypto = { path = "../crypto", version = "0.4.0", features = ["asymmetric"] }
|
||||
|
||||
# do not include this when compiling into wasm as it somehow when combined together with reqwest, it will require
|
||||
# net2 via tokio-util -> tokio -> mio -> net2
|
||||
@@ -47,13 +43,5 @@ features = ["sync"]
|
||||
|
||||
[features]
|
||||
default = ["sphinx"]
|
||||
sphinx = [
|
||||
"nym-crypto/sphinx",
|
||||
"nym-sphinx-params/sphinx",
|
||||
"nym-sphinx-types/sphinx",
|
||||
]
|
||||
outfox = [
|
||||
"nym-crypto/outfox",
|
||||
"nym-sphinx-params/outfox",
|
||||
"nym-sphinx-types/outfox",
|
||||
]
|
||||
sphinx = ["nym-crypto/sphinx", "nym-sphinx-params/sphinx", "nym-sphinx-types/sphinx"]
|
||||
outfox = ["nym-crypto/outfox", "nym-sphinx-params/outfox", "nym-sphinx-types/outfox"]
|
||||
|
||||
@@ -13,14 +13,7 @@ repository = { workspace = true }
|
||||
log = { workspace = true }
|
||||
rand = { workspace = true }
|
||||
thiserror = { workspace = true }
|
||||
dashmap = { workspace = true, features = ["serde"] }
|
||||
serde = { workspace = true, features = ["derive"] }
|
||||
utoipa = { workspace = true }
|
||||
|
||||
nym-sphinx-addressing = { path = "../addressing" }
|
||||
nym-sphinx-params = { path = "../params" }
|
||||
nym-sphinx-types = { path = "../types" }
|
||||
nym-metrics = { path = "../../nym-metrics" }
|
||||
nym-crypto = { path = "../../crypto", version = "0.4.0", features = [
|
||||
"asymmetric",
|
||||
] }
|
||||
|
||||
@@ -3,8 +3,6 @@
|
||||
|
||||
use crate::ChunkingError;
|
||||
use nym_sphinx_params::{SerializedFragmentIdentifier, FRAG_ID_LEN};
|
||||
use serde::Serialize;
|
||||
use utoipa::ToSchema;
|
||||
|
||||
use std::fmt::{self, Debug, Formatter};
|
||||
|
||||
@@ -60,7 +58,7 @@ pub const COVER_FRAG_ID: FragmentIdentifier = FragmentIdentifier {
|
||||
/// and u8 position of the `Fragment` in the set.
|
||||
// TODO: this should really be redesigned, especially how cover and reply messages are really
|
||||
// "abusing" this. They should work with it natively instead.
|
||||
#[derive(Debug, Clone, Copy, Hash, Eq, PartialEq, Ord, PartialOrd, Serialize)]
|
||||
#[derive(Debug, Clone, Copy, Hash, Eq, PartialEq, Ord, PartialOrd)]
|
||||
pub struct FragmentIdentifier {
|
||||
set_id: i32,
|
||||
fragment_position: u8,
|
||||
@@ -77,10 +75,6 @@ impl fmt::Display for FragmentIdentifier {
|
||||
}
|
||||
|
||||
impl FragmentIdentifier {
|
||||
pub fn set_id(&self) -> i32 {
|
||||
self.set_id
|
||||
}
|
||||
|
||||
pub fn to_bytes(self) -> SerializedFragmentIdentifier {
|
||||
debug_assert_eq!(FRAG_ID_LEN, 5);
|
||||
|
||||
@@ -131,10 +125,6 @@ impl Debug for Fragment {
|
||||
}
|
||||
|
||||
impl Fragment {
|
||||
pub fn header(&self) -> FragmentHeader {
|
||||
self.header.clone()
|
||||
}
|
||||
|
||||
/// Tries to encapsulate provided payload slice and metadata into a `Fragment`.
|
||||
/// It can fail if payload would not fully fit in a single `Fragment` or some of the metadata
|
||||
/// is malformed or self-contradictory, for example if current_fragment > total_fragments.
|
||||
@@ -226,10 +216,6 @@ impl Fragment {
|
||||
}
|
||||
}
|
||||
|
||||
pub fn seed(&self) -> i32 {
|
||||
self.header().seed()
|
||||
}
|
||||
|
||||
/// Gets the size of payload contained in this `Fragment`.
|
||||
pub fn payload_size(&self) -> usize {
|
||||
self.payload.len()
|
||||
@@ -311,8 +297,8 @@ impl Fragment {
|
||||
/// there is 7 bytes of overhead inside each sphinx packet sent
|
||||
/// and for the longest messages, without upper bound, there is usually also only 7 bytes
|
||||
/// of overhead apart from first and last fragments in each set that instead have 10 bytes of overhead.
|
||||
#[derive(PartialEq, Clone, Debug, Serialize, ToSchema)]
|
||||
pub struct FragmentHeader {
|
||||
#[derive(PartialEq, Clone, Debug)]
|
||||
pub(crate) struct FragmentHeader {
|
||||
/// ID associated with `FragmentSet` to which this particular `Fragment` belongs.
|
||||
/// Its value is restricted to (0, i32::MAX].
|
||||
/// Note that it *excludes* 0, but *includes* i32::MAX.
|
||||
@@ -338,20 +324,6 @@ pub struct FragmentHeader {
|
||||
}
|
||||
|
||||
impl FragmentHeader {
|
||||
pub fn seed(&self) -> i32 {
|
||||
let mut seed = self.id;
|
||||
seed = seed.wrapping_mul(self.total_fragments as i32);
|
||||
seed = seed.wrapping_mul(self.current_fragment as i32);
|
||||
seed
|
||||
}
|
||||
|
||||
pub fn total_fragments(&self) -> u8 {
|
||||
self.total_fragments
|
||||
}
|
||||
|
||||
pub fn current_fragment(&self) -> u8 {
|
||||
self.current_fragment
|
||||
}
|
||||
/// Tries to create a new `FragmentHeader` using provided metadata. Bunch of logical
|
||||
/// checks are performed to see if the data is not self-contradictory,
|
||||
/// for example if current_fragment > total_fragments.
|
||||
|
||||
@@ -1,16 +1,9 @@
|
||||
// Copyright 2021 - Nym Technologies SA <contact@nymtech.net>
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
use std::sync::LazyLock;
|
||||
|
||||
use crate::fragment::{linked_fragment_payload_max_len, unlinked_fragment_payload_max_len};
|
||||
use dashmap::DashMap;
|
||||
use fragment::{Fragment, FragmentHeader};
|
||||
use nym_crypto::asymmetric::ed25519::PublicKey;
|
||||
use serde::Serialize;
|
||||
pub use set::split_into_sets;
|
||||
use thiserror::Error;
|
||||
use utoipa::ToSchema;
|
||||
|
||||
pub const MIN_PADDING_OVERHEAD: usize = 1;
|
||||
|
||||
@@ -29,118 +22,6 @@ pub mod fragment;
|
||||
pub mod reconstruction;
|
||||
pub mod set;
|
||||
|
||||
#[derive(Debug, Clone)]
|
||||
pub struct FragmentMixParams {
|
||||
destination: PublicKey,
|
||||
hops: u8,
|
||||
}
|
||||
|
||||
impl FragmentMixParams {
|
||||
pub fn destination(&self) -> &PublicKey {
|
||||
&self.destination
|
||||
}
|
||||
|
||||
pub fn hops(&self) -> u8 {
|
||||
self.hops
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Serialize, ToSchema)]
|
||||
pub struct SentFragment {
|
||||
header: FragmentHeader,
|
||||
at: u64,
|
||||
client_nonce: i32,
|
||||
#[serde(skip)]
|
||||
mixnet_params: FragmentMixParams,
|
||||
}
|
||||
|
||||
impl SentFragment {
|
||||
fn new(
|
||||
header: FragmentHeader,
|
||||
at: u64,
|
||||
client_nonce: i32,
|
||||
destination: PublicKey,
|
||||
hops: u8,
|
||||
) -> Self {
|
||||
let mixnet_params = FragmentMixParams { destination, hops };
|
||||
SentFragment {
|
||||
header,
|
||||
at,
|
||||
client_nonce,
|
||||
mixnet_params,
|
||||
}
|
||||
}
|
||||
|
||||
pub fn header(&self) -> FragmentHeader {
|
||||
self.header.clone()
|
||||
}
|
||||
|
||||
pub fn at(&self) -> u64 {
|
||||
self.at
|
||||
}
|
||||
|
||||
pub fn client_nonce(&self) -> i32 {
|
||||
self.client_nonce
|
||||
}
|
||||
|
||||
pub fn seed(&self) -> i32 {
|
||||
self.header().seed().wrapping_mul(self.client_nonce())
|
||||
}
|
||||
|
||||
pub fn mixnet_params(&self) -> FragmentMixParams {
|
||||
self.mixnet_params.clone()
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Serialize, ToSchema)]
|
||||
pub struct ReceivedFragment {
|
||||
header: FragmentHeader,
|
||||
at: u64,
|
||||
}
|
||||
|
||||
impl ReceivedFragment {
|
||||
fn new(header: FragmentHeader, at: u64) -> Self {
|
||||
ReceivedFragment { header, at }
|
||||
}
|
||||
|
||||
pub fn header(&self) -> FragmentHeader {
|
||||
self.header.clone()
|
||||
}
|
||||
|
||||
pub fn at(&self) -> u64 {
|
||||
self.at
|
||||
}
|
||||
}
|
||||
|
||||
pub static FRAGMENTS_RECEIVED: LazyLock<DashMap<i32, Vec<ReceivedFragment>>> =
|
||||
LazyLock::new(DashMap::new);
|
||||
|
||||
pub static FRAGMENTS_SENT: LazyLock<DashMap<i32, Vec<SentFragment>>> = LazyLock::new(DashMap::new);
|
||||
|
||||
#[macro_export]
|
||||
macro_rules! now {
|
||||
() => {
|
||||
match std::time::SystemTime::now().duration_since(std::time::SystemTime::UNIX_EPOCH) {
|
||||
Ok(n) => n.as_secs(),
|
||||
Err(_) => 0,
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
pub fn fragment_received(fragment: &Fragment) {
|
||||
let id = fragment.fragment_identifier().set_id();
|
||||
let mut entry = FRAGMENTS_RECEIVED.entry(id).or_default();
|
||||
let r = ReceivedFragment::new(fragment.header(), now!());
|
||||
entry.push(r);
|
||||
}
|
||||
|
||||
pub fn fragment_sent(fragment: &Fragment, client_nonce: i32, destination: PublicKey, hops: u8) {
|
||||
let id = fragment.fragment_identifier().set_id();
|
||||
let mut entry = FRAGMENTS_SENT.entry(id).or_default();
|
||||
let s = SentFragment::new(fragment.header(), now!(), client_nonce, destination, hops);
|
||||
entry.push(s);
|
||||
}
|
||||
|
||||
/// The idea behind the process of chunking is to incur as little data overhead as possible due
|
||||
/// to very computationally costly sphinx encapsulation procedure.
|
||||
///
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
// Copyright 2021 - Nym Technologies SA <contact@nymtech.net>
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
use crate::fragment::Fragment;
|
||||
use crate::{fragment_received, ChunkingError};
|
||||
use crate::ChunkingError;
|
||||
use log::*;
|
||||
use std::collections::HashMap;
|
||||
|
||||
@@ -66,12 +66,6 @@ impl ReconstructionBuffer {
|
||||
// if the set is complete.
|
||||
debug_assert!(self.is_complete);
|
||||
|
||||
debug!(
|
||||
"Got {} fragments for set id {}",
|
||||
self.fragments.len(),
|
||||
self.fragments[0].as_ref().unwrap().id()
|
||||
);
|
||||
|
||||
self.fragments
|
||||
.into_iter()
|
||||
.map(|fragment| fragment.unwrap().extract_payload())
|
||||
@@ -110,8 +104,6 @@ impl ReconstructionBuffer {
|
||||
}
|
||||
});
|
||||
|
||||
fragment_received(&fragment);
|
||||
|
||||
let fragment_index = fragment.current_fragment() as usize - 1;
|
||||
if self.fragments[fragment_index].is_some() {
|
||||
// TODO: what to do in that case? give up on the message? overwrite it? panic?
|
||||
|
||||
@@ -3,7 +3,6 @@
|
||||
|
||||
use crate::message::{NymMessage, ACK_OVERHEAD, OUTFOX_ACK_OVERHEAD};
|
||||
use crate::NymPayloadBuilder;
|
||||
use log::debug;
|
||||
use nym_crypto::asymmetric::encryption;
|
||||
use nym_crypto::Digest;
|
||||
use nym_sphinx_acknowledgements::surb_ack::SurbAck;
|
||||
@@ -12,14 +11,12 @@ use nym_sphinx_addressing::clients::Recipient;
|
||||
use nym_sphinx_addressing::nodes::NymNodeRoutingAddress;
|
||||
use nym_sphinx_anonymous_replies::reply_surb::ReplySurb;
|
||||
use nym_sphinx_chunking::fragment::{Fragment, FragmentIdentifier};
|
||||
use nym_sphinx_chunking::fragment_sent;
|
||||
use nym_sphinx_forwarding::packet::MixPacket;
|
||||
use nym_sphinx_params::packet_sizes::PacketSize;
|
||||
use nym_sphinx_params::{PacketType, ReplySurbKeyDigestAlgorithm, DEFAULT_NUM_MIX_HOPS};
|
||||
use nym_sphinx_types::{Delay, NymPacket};
|
||||
use nym_topology::{NymTopology, NymTopologyError};
|
||||
use rand::{CryptoRng, Rng, SeedableRng};
|
||||
use rand_chacha::ChaCha20Rng;
|
||||
use rand::{CryptoRng, Rng};
|
||||
|
||||
use std::time::Duration;
|
||||
|
||||
@@ -52,7 +49,6 @@ pub trait FragmentPreparer {
|
||||
type Rng: CryptoRng + Rng;
|
||||
|
||||
fn rng(&mut self) -> &mut Self::Rng;
|
||||
fn nonce(&self) -> i32;
|
||||
fn num_mix_hops(&self) -> u8;
|
||||
fn average_packet_delay(&self) -> Duration;
|
||||
fn average_ack_delay(&self) -> Duration;
|
||||
@@ -196,18 +192,9 @@ pub trait FragmentPreparer {
|
||||
packet_type: PacketType,
|
||||
mix_hops: Option<u8>,
|
||||
) -> Result<PreparedFragment, NymTopologyError> {
|
||||
debug!("Preparing chunk for sending");
|
||||
// each plain or repliable packet (i.e. not a reply) attaches an ephemeral public key so that the recipient
|
||||
// could perform diffie-hellman with its own keys followed by a kdf to re-derive
|
||||
// the packet encryption key
|
||||
|
||||
let seed = fragment.seed().wrapping_mul(self.nonce());
|
||||
let mut rng = ChaCha20Rng::seed_from_u64(seed as u64);
|
||||
|
||||
let destination = packet_recipient.gateway();
|
||||
let hops = mix_hops.unwrap_or(self.num_mix_hops());
|
||||
fragment_sent(&fragment, self.nonce(), *destination, hops);
|
||||
|
||||
let non_reply_overhead = encryption::PUBLIC_KEY_SIZE;
|
||||
let expected_plaintext = match packet_type {
|
||||
PacketType::Outfox => {
|
||||
@@ -241,8 +228,10 @@ pub trait FragmentPreparer {
|
||||
};
|
||||
|
||||
// generate pseudorandom route for the packet
|
||||
let hops = mix_hops.unwrap_or(self.num_mix_hops());
|
||||
log::trace!("Preparing chunk for sending with {} mix hops", hops);
|
||||
let route = topology.random_route_to_gateway(&mut rng, hops, destination)?;
|
||||
let route =
|
||||
topology.random_route_to_gateway(self.rng(), hops, packet_recipient.gateway())?;
|
||||
let destination = packet_recipient.as_sphinx_destination();
|
||||
|
||||
// including set of delays
|
||||
@@ -324,8 +313,6 @@ pub struct MessagePreparer<R> {
|
||||
/// Number of mix hops each packet ('real' message, ack, reply) is expected to take.
|
||||
/// Note that it does not include gateway hops.
|
||||
num_mix_hops: u8,
|
||||
|
||||
nonce: i32,
|
||||
}
|
||||
|
||||
impl<R> MessagePreparer<R>
|
||||
@@ -338,15 +325,12 @@ where
|
||||
average_packet_delay: Duration,
|
||||
average_ack_delay: Duration,
|
||||
) -> Self {
|
||||
let mut rng = rng;
|
||||
let nonce = rng.gen();
|
||||
MessagePreparer {
|
||||
rng,
|
||||
sender_address,
|
||||
average_packet_delay,
|
||||
average_ack_delay,
|
||||
num_mix_hops: DEFAULT_NUM_MIX_HOPS,
|
||||
nonce,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -470,10 +454,6 @@ impl<R: CryptoRng + Rng> FragmentPreparer for MessagePreparer<R> {
|
||||
fn average_ack_delay(&self) -> Duration {
|
||||
self.average_ack_delay
|
||||
}
|
||||
|
||||
fn nonce(&self) -> i32 {
|
||||
self.nonce
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
@@ -60,7 +60,7 @@ pub(super) async fn run_outbound(
|
||||
|
||||
loop {
|
||||
select! {
|
||||
connection_message = mix_receiver.next() => {
|
||||
connection_message = &mut mix_receiver.next() => {
|
||||
if let Some(connection_message) = connection_message {
|
||||
if deal_with_message(connection_message, &mut writer, &local_destination_address, &remote_source_address, connection_id).await {
|
||||
break;
|
||||
|
||||
@@ -5,6 +5,7 @@ edition = { workspace = true }
|
||||
authors = { workspace = true }
|
||||
license = { workspace = true }
|
||||
repository = { workspace = true }
|
||||
readme = { workspace = true }
|
||||
homepage = { workspace = true }
|
||||
documentation = { workspace = true }
|
||||
|
||||
@@ -14,10 +15,9 @@ documentation = { workspace = true }
|
||||
bs58 = { workspace = true }
|
||||
log = { workspace = true }
|
||||
rand = { workspace = true }
|
||||
reqwest = { workspace = true, features = ["json"] }
|
||||
thiserror = { workspace = true }
|
||||
async-trait = { workspace = true, optional = true }
|
||||
semver = { version = "0.11" }
|
||||
semver = "0.11"
|
||||
|
||||
# 'serializable' feature
|
||||
serde = { workspace = true, features = ["derive"], optional = true }
|
||||
@@ -28,22 +28,20 @@ tsify = { workspace = true, features = ["js"], optional = true }
|
||||
wasm-bindgen = { workspace = true, optional = true }
|
||||
|
||||
## internal
|
||||
nym-bin-common = { path = "../bin-common" }
|
||||
nym-config = { path = "../config" }
|
||||
nym-crypto = { path = "../crypto", features = ["sphinx", "outfox"] }
|
||||
nym-mixnet-contract-common = { path = "../cosmwasm-smart-contracts/mixnet-contract" }
|
||||
nym-sphinx-addressing = { path = "../nymsphinx/addressing" }
|
||||
nym-sphinx-types = { path = "../nymsphinx/types", features = [
|
||||
"sphinx",
|
||||
"outfox",
|
||||
] }
|
||||
nym-sphinx-types = { path = "../nymsphinx/types", features = ["sphinx", "outfox"] }
|
||||
nym-sphinx-routing = { path = "../nymsphinx/routing" }
|
||||
|
||||
nym-bin-common = { path = "../bin-common" }
|
||||
|
||||
# I'm not sure how to feel about pulling in this dependency here...
|
||||
nym-api-requests = { path = "../../nym-api/nym-api-requests" }
|
||||
|
||||
|
||||
# 'serializable' feature
|
||||
nym-config = { path = "../config", optional = true }
|
||||
|
||||
# 'wasm-serde-types' feature
|
||||
wasm-utils = { path = "../wasm/utils", default-features = false, optional = true }
|
||||
|
||||
@@ -51,5 +49,4 @@ wasm-utils = { path = "../wasm/utils", default-features = false, optional = true
|
||||
default = ["provider-trait"]
|
||||
provider-trait = ["async-trait"]
|
||||
wasm-serde-types = ["tsify", "wasm-bindgen", "wasm-utils"]
|
||||
serializable = ["serde", "serde_json"]
|
||||
outfox = []
|
||||
serializable = ["serde", "nym-config", "serde_json"]
|
||||
@@ -51,16 +51,4 @@ pub enum NymTopologyError {
|
||||
|
||||
#[error("{0}")]
|
||||
PacketError(#[from] NymPacketError),
|
||||
|
||||
#[error("{0}")]
|
||||
ReqwestError(#[from] reqwest::Error),
|
||||
|
||||
#[error("{0}")]
|
||||
MixnodeConversionError(#[from] crate::mix::MixnodeConversionError),
|
||||
|
||||
#[error("{0}")]
|
||||
GatewayConversionError(#[from] crate::gateway::GatewayConversionError),
|
||||
|
||||
#[error("{0}")]
|
||||
VarError(#[from] std::env::VarError),
|
||||
}
|
||||
|
||||
@@ -6,9 +6,7 @@
|
||||
|
||||
use crate::filter::VersionFilterable;
|
||||
pub use error::NymTopologyError;
|
||||
use log::{debug, info, warn};
|
||||
use mix::Node;
|
||||
use nym_config::defaults::var_names::NYM_API;
|
||||
use log::{debug, warn};
|
||||
use nym_mixnet_contract_common::mixnode::MixNodeDetails;
|
||||
use nym_mixnet_contract_common::{GatewayBond, IdentityKeyRef, MixId};
|
||||
use nym_sphinx_addressing::nodes::NodeIdentity;
|
||||
@@ -118,40 +116,13 @@ impl Display for NetworkAddress {
|
||||
|
||||
pub type MixLayer = u8;
|
||||
|
||||
#[derive(Debug, Clone, Default)]
|
||||
#[derive(Debug, Clone)]
|
||||
pub struct NymTopology {
|
||||
mixes: BTreeMap<MixLayer, Vec<mix::Node>>,
|
||||
gateways: Vec<gateway::Node>,
|
||||
}
|
||||
|
||||
impl NymTopology {
|
||||
pub async fn new_from_env() -> Result<Self, NymTopologyError> {
|
||||
let api_url = std::env::var(NYM_API)?;
|
||||
|
||||
info!("Generating topology from {}", api_url);
|
||||
|
||||
let mixnodes = reqwest::get(&format!("{}/v1/mixnodes", api_url))
|
||||
.await?
|
||||
.json::<Vec<MixNodeDetails>>()
|
||||
.await?
|
||||
.into_iter()
|
||||
.map(|details| details.bond_information)
|
||||
.map(mix::Node::try_from)
|
||||
.filter(Result::is_ok)
|
||||
.collect::<Result<Vec<_>, _>>()?;
|
||||
|
||||
let gateways = reqwest::get(&format!("{}/v1/gateways", api_url))
|
||||
.await?
|
||||
.json::<Vec<GatewayBond>>()
|
||||
.await?
|
||||
.into_iter()
|
||||
.map(gateway::Node::try_from)
|
||||
.filter(Result::is_ok)
|
||||
.collect::<Result<Vec<_>, _>>()?;
|
||||
let topology = NymTopology::new_unordered(mixnodes, gateways);
|
||||
Ok(topology)
|
||||
}
|
||||
|
||||
pub fn new(mixes: BTreeMap<MixLayer, Vec<mix::Node>>, gateways: Vec<gateway::Node>) -> Self {
|
||||
NymTopology { mixes, gateways }
|
||||
}
|
||||
@@ -299,7 +270,7 @@ impl NymTopology {
|
||||
&self,
|
||||
rng: &mut R,
|
||||
num_mix_hops: u8,
|
||||
) -> Result<Vec<Node>, NymTopologyError>
|
||||
) -> Result<Vec<SphinxNode>, NymTopologyError>
|
||||
where
|
||||
R: Rng + CryptoRng + ?Sized,
|
||||
{
|
||||
@@ -324,32 +295,12 @@ impl NymTopology {
|
||||
let random_mix = layer_mixes
|
||||
.choose(rng)
|
||||
.ok_or(NymTopologyError::EmptyMixLayer { layer })?;
|
||||
route.push(random_mix.clone());
|
||||
route.push(random_mix.into());
|
||||
}
|
||||
|
||||
Ok(route)
|
||||
}
|
||||
|
||||
pub fn random_path_to_gateway<R>(
|
||||
&self,
|
||||
rng: &mut R,
|
||||
num_mix_hops: u8,
|
||||
gateway_identity: &NodeIdentity,
|
||||
) -> Result<(Vec<mix::Node>, gateway::Node), NymTopologyError>
|
||||
where
|
||||
R: Rng + CryptoRng + ?Sized,
|
||||
{
|
||||
let gateway = self.get_gateway(gateway_identity).ok_or(
|
||||
NymTopologyError::NonExistentGatewayError {
|
||||
identity_key: gateway_identity.to_base58_string(),
|
||||
},
|
||||
)?;
|
||||
|
||||
let path = self.random_mix_route(rng, num_mix_hops)?;
|
||||
|
||||
Ok((path, gateway.clone()))
|
||||
}
|
||||
|
||||
/// Tries to create a route to the specified gateway, such that it goes through mixnode on layer 1,
|
||||
/// mixnode on layer2, .... mixnode on layer n and finally the target gateway
|
||||
pub fn random_route_to_gateway<R>(
|
||||
@@ -370,7 +321,6 @@ impl NymTopology {
|
||||
Ok(self
|
||||
.random_mix_route(rng, num_mix_hops)?
|
||||
.into_iter()
|
||||
.map(|node| SphinxNode::from(&node))
|
||||
.chain(std::iter::once(gateway.into()))
|
||||
.collect())
|
||||
}
|
||||
|
||||
@@ -4,7 +4,7 @@ version = "1.0.0"
|
||||
description = "Nym common types"
|
||||
authors.workspace = true
|
||||
edition = "2021"
|
||||
rust-version.workspace = true
|
||||
rust-version = "1.58"
|
||||
license.workspace = true
|
||||
|
||||
[dependencies]
|
||||
|
||||
@@ -11,7 +11,6 @@ pub mod gas;
|
||||
pub mod gateway;
|
||||
pub mod helpers;
|
||||
pub mod mixnode;
|
||||
pub mod monitoring;
|
||||
pub mod pending_events;
|
||||
pub mod transaction;
|
||||
pub mod vesting;
|
||||
|
||||
@@ -1,131 +0,0 @@
|
||||
use std::{collections::HashSet, sync::LazyLock, time::SystemTime};
|
||||
|
||||
use nym_crypto::asymmetric::identity::{PrivateKey, PublicKey, Signature};
|
||||
use nym_mixnet_contract_common::MixId;
|
||||
use schemars::JsonSchema;
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
static NETWORK_MONITORS: LazyLock<HashSet<String>> = LazyLock::new(|| {
|
||||
let mut nm = HashSet::new();
|
||||
nm.insert("5VsPyLbsBCq9PAMWmjKkToteVAKNabNqex6QwDf5fWzt".to_string());
|
||||
nm
|
||||
});
|
||||
|
||||
#[derive(Debug, Serialize, Deserialize, JsonSchema, Clone)]
|
||||
pub struct NodeResult {
|
||||
pub node_id: MixId,
|
||||
pub identity: String,
|
||||
pub reliability: u8,
|
||||
}
|
||||
|
||||
#[derive(Debug, Serialize, Deserialize, JsonSchema, Clone)]
|
||||
pub struct MixnodeResult {
|
||||
pub mix_id: MixId,
|
||||
pub identity: String,
|
||||
pub owner: String,
|
||||
pub reliability: u8,
|
||||
}
|
||||
|
||||
impl MixnodeResult {
|
||||
pub fn new(mix_id: MixId, identity: String, owner: String, reliability: u8) -> Self {
|
||||
MixnodeResult {
|
||||
mix_id,
|
||||
identity,
|
||||
owner,
|
||||
reliability,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Deserialize, Serialize, JsonSchema, Clone)]
|
||||
pub struct GatewayResult {
|
||||
pub identity: String,
|
||||
pub owner: String,
|
||||
pub reliability: u8,
|
||||
pub mix_id: MixId,
|
||||
}
|
||||
|
||||
impl GatewayResult {
|
||||
pub fn new(identity: String, owner: String, reliability: u8) -> Self {
|
||||
GatewayResult {
|
||||
identity,
|
||||
owner,
|
||||
reliability,
|
||||
mix_id: 0,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize, JsonSchema)]
|
||||
#[serde(untagged)]
|
||||
pub enum MonitorResults {
|
||||
Mixnode(Vec<MixnodeResult>),
|
||||
Gateway(Vec<GatewayResult>),
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize, JsonSchema)]
|
||||
pub struct MonitorMessage {
|
||||
results: Vec<NodeResult>,
|
||||
signature: String,
|
||||
signer: String,
|
||||
timestamp: i64,
|
||||
}
|
||||
|
||||
impl MonitorMessage {
|
||||
fn message_to_sign(results: &[NodeResult], timestamp: i64) -> Vec<u8> {
|
||||
let mut msg = match serde_json::to_vec(results) {
|
||||
Ok(msg) => msg,
|
||||
Err(_) => Vec::new(),
|
||||
};
|
||||
msg.extend_from_slice(×tamp.to_le_bytes());
|
||||
msg
|
||||
}
|
||||
|
||||
pub fn timely(&self) -> bool {
|
||||
let now = SystemTime::now()
|
||||
.duration_since(SystemTime::UNIX_EPOCH)
|
||||
.expect("Time went backwards")
|
||||
.as_secs() as i64;
|
||||
|
||||
now - self.timestamp < 5
|
||||
}
|
||||
|
||||
pub fn new(results: Vec<NodeResult>, private_key: &PrivateKey) -> Self {
|
||||
let timestamp = SystemTime::now()
|
||||
.duration_since(SystemTime::UNIX_EPOCH)
|
||||
.expect("Time went backwards")
|
||||
.as_secs() as i64;
|
||||
|
||||
let msg = Self::message_to_sign(&results, timestamp);
|
||||
let signature = private_key.sign(&msg);
|
||||
let public_key = private_key.public_key();
|
||||
|
||||
MonitorMessage {
|
||||
results,
|
||||
signature: signature.to_base58_string(),
|
||||
signer: public_key.to_base58_string(),
|
||||
timestamp,
|
||||
}
|
||||
}
|
||||
|
||||
pub fn from_allowed(&self) -> bool {
|
||||
NETWORK_MONITORS.contains(&self.signer)
|
||||
}
|
||||
|
||||
pub fn results(&self) -> &[NodeResult] {
|
||||
&self.results
|
||||
}
|
||||
|
||||
pub fn verify(&self) -> bool {
|
||||
let msg = Self::message_to_sign(&self.results, self.timestamp);
|
||||
|
||||
let signature = match Signature::from_base58_string(&self.signature) {
|
||||
Ok(sig) => sig,
|
||||
Err(_) => return false,
|
||||
};
|
||||
|
||||
PublicKey::from_base58_string(&self.signer)
|
||||
.map(|pk| pk.verify(msg, &signature).is_ok())
|
||||
.unwrap_or(false)
|
||||
}
|
||||
}
|
||||
@@ -30,9 +30,13 @@ workspace = true
|
||||
optional = true
|
||||
|
||||
[features]
|
||||
default = ["sleep"]
|
||||
default = ["sleep", "console_error_panic_hook"]
|
||||
sleep = ["web-sys", "web-sys/Window"]
|
||||
websocket = ["getrandom", "tungstenite", "gloo-net"]
|
||||
websocket = [
|
||||
"getrandom",
|
||||
"tungstenite",
|
||||
"gloo-net"
|
||||
]
|
||||
crypto = [
|
||||
"web-sys",
|
||||
"web-sys/Crypto",
|
||||
|
||||
@@ -84,7 +84,6 @@ pub struct WireguardData {
|
||||
#[cfg(target_os = "linux")]
|
||||
pub async fn start_wireguard<St: nym_gateway_storage::Storage + 'static>(
|
||||
storage: St,
|
||||
all_peers: Vec<nym_gateway_storage::models::WireguardPeer>,
|
||||
task_client: nym_task::TaskClient,
|
||||
wireguard_data: WireguardData,
|
||||
control_tx: UnboundedSender<peer_controller::PeerControlResponse>,
|
||||
@@ -96,7 +95,7 @@ pub async fn start_wireguard<St: nym_gateway_storage::Storage + 'static>(
|
||||
|
||||
let mut peers = vec![];
|
||||
let mut suspended_peers = vec![];
|
||||
for storage_peer in all_peers {
|
||||
for storage_peer in storage.get_all_wireguard_peers().await? {
|
||||
let suspended = storage_peer.suspended;
|
||||
let peer = Peer::try_from(storage_peer)?;
|
||||
if suspended {
|
||||
|
||||
@@ -31,9 +31,15 @@
|
||||
- [RPC Nodes](nyx/rpc-node.md)
|
||||
- [Ledger Live Support](nyx/ledger-live.md)
|
||||
|
||||
# Coconut
|
||||
- [Coconut](coconut.md)
|
||||
- [Bandwidth Credentials](bandwidth-credentials.md)
|
||||
# zkNyms (prev. Coconut)
|
||||
- [What are zkNyms?](ecash/what-are-zknyms.md)
|
||||
- [zkNym Generation & Useage: Overview](ecash/zknym-overview.md)
|
||||
- [Feature: Unlinkability](ecash/unlinkability.md)
|
||||
- [Feature: Double Spend Protection](ecash/double-spend-prot.md)
|
||||
- [Feature: Rerandomisation & Incremental Spend](ecash/rerandomise.md)
|
||||
- [Archive](ecash/archive.md)
|
||||
- [Coconut](ecash/coconut.md)
|
||||
- [Bandwidth Credentials](ecash/bandwidth-credentials.md)
|
||||
|
||||
# Tools
|
||||
- [NymCLI](tools/nym-cli.md)
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
# Archive
|
||||
|
||||
You can find the previous pages related to ecash - referred to then as 'Coconut' - in this archive.
|
||||
@@ -1,7 +1,5 @@
|
||||
# Coconut
|
||||
|
||||
> Coconut is in active development - stay tuned for code and integration examples
|
||||
|
||||
Coconut is a cryptographic signature scheme that produces privacy-enhanced credentials. It lets application programmers who are concerned with resource access control to think and code in a new way.
|
||||
|
||||
Most of the time, when we build system security, we think of _who_ questions:
|
||||
@@ -0,0 +1,41 @@
|
||||
# Double Spend Protection
|
||||
Double spend protection in the context of zkNym is a balancing act between speed, reliability, and UX. There are two possible modes for protecting against attempted double spending of zkNyms:
|
||||
|
||||
- Online: The online approach mandates that ingress Gateways instantly deposit zkNyms received from clients to the NymAPI Quorum for verification. Once verified by the Quroum, the ingress Gateway is paid proprtional to the amount of bandwidth 'spent' with the zkNym, and proceeds to grant the client access to the network.
|
||||
- Offline: In contrast, the offline approach involves the periodic submission of collected zkNyms by ingress Gateways to the Quorum, instead of an instant check. Subsequently, the Quorum nodes perform checks to detect any instances of double-spending and identify the public key associated with such occurrences, whereas the ingress Gateways only do a simple check to check that _that particular_ zkNym had not been spent with itself before.
|
||||
|
||||
> The zkNym system takes the **offline** approach.
|
||||
|
||||
## Offline Approach: Pros & Cons
|
||||
The advantages of the offline approach are manifold:
|
||||
- Immediate access to the Nym network upon zkNym submission, eliminating any delays in service provisioning until payments are deposited and verified as would occur in the online approach.
|
||||
- Alleviates performance strain on ingress Gateways and Quorum members, serving as a more efficient method compared to the online counterpart. By moving computationally intense work to the Quorum, this means that Gateway nodes are able to be run on less powerful machines, meaning more operators can more easily run them (and cover their costs) and thus increase the overall number and spread of Gateways around the globe.
|
||||
- Moreover, we can circumvent the potential issue of overwhelming the blockchain with the serial numbers of spent coins (like in the case of the Zcash DoS attack). TODO reword
|
||||
|
||||
However, the offline approach introduces certain limitations.
|
||||
- Ingress Gateways accept zkNyms without preemptively checking for instances of double spending thus making them susceptible to unknowingly accepting double-spent credentials.
|
||||
- Any potential repercussions against double spenders can only be implemented once the user requests a new credential for their zkNym Generator (aka they have to 'top up' and buy more bandwidth allowance), assuming they haven't altered their identifier, such as the Bech32 address.
|
||||
|
||||
An exploitable scenario arises from these limitations:
|
||||
- A malicious user purchases bandwidth and aggregates a valid credential in the standard way, worth $10 of crypto/fiat. Subsequently, the malicious user proceeds to sell the credential to 100 users for $1 each, allowing each user to generate zkNyms of 100MB from this **valid** credential. Under the offline approach, entry nodes forego double-spending checks, enabling all 100 users to access the network without obtaining a subscription. The 100 MB limit does not prevent that, as the bandwidth consumption is tracked locally between client and ingress node. This loophole highlights the need for stringent measures to counter such potential abuses within the system.
|
||||
|
||||
We can, however, mitigate this problem.
|
||||
|
||||
## Solution to Offline Double Spending
|
||||
To efficiently prevent the fraudulent use of tickets within the Nym network, a two-tiered solution is in place that combines (1) the immediate detection of double-spending attempts at the entry node level and (2) subsequent identification and blacklisting at the nym-API level.
|
||||
|
||||
TODO check against https://www.figma.com/board/geUGlj4Dffddx3E08vMZxz/Ecash-Flow?node-id=0-1&node-type=CANVAS&t=yuSZkEQRna8RqzwD-0 to check you havent gone off piste
|
||||
|
||||
### Entry Node Implementation: Real-Time Ticket Unspending Validation
|
||||
Each zkNym contains as an attribute a unique serial number, which is revealed in plaintext to the respective ingress Gateway. Each Gateway has a copy of a [Bloom Filter](https://www.geeksforgeeks.org/bloom-filters-introduction-and-python-implementation/) - on receiving a zkNym, it will check against its copy in a local database to check whether this serial number has already been seen. If so, it rejects the zkNym as being double-spent and the client's connection request is rejected. If not, it will add the serial number to its local DB cache.
|
||||
|
||||
> Since each time a zkNym is rerandomised its serial number is changed, the serial number being shared in no way identifies a client or user.
|
||||
|
||||
Each Gateway will periodically share their serial numbers with the Quorum and refresh their copy of the Bloom Filters from the Quorum, in order to refresh the global list shared by all ingress Gateways and the Quorum. See the step below for more on this.
|
||||
|
||||
> Crucially, ingress Gateways refrain from extensive computations to identify the original ticket owner, and avoids broadcasting information about the double-spending attempt to other ingress Gateways. The entry node is also not involved in any global blacklisting process of the clients. The sole purpose of this check is to swiftly identify any attempts at double-spending and add the seen ticket's serial number to the local DB cache.
|
||||
|
||||
### Nym-API Implementation: Blacklisting and Penalties for Double-Spenders
|
||||
All Gateways periodically forward the collected zkNyms to the Quorum, enabling them to pinpoint and blacklist any clients who double spend. Upon receiving the tickets, the Quorum appends all the incoming serial numbers to the global list of spend zkNym serial numbers and proceed with the identification process for any malicious users engaging in double-spending.
|
||||
|
||||
This identification phase involves looking for instances of double spending, identifying the id of the double-spending client, and blacklisting this client by its id. Subsequently, when this client requests a new credential, their plaintext public identifier is included in the request. The Quorum then checks if this identifier is blacklisted. If it is, a new credential is not issued. Furthermore, since the PSCs are only attainable after depositing NYM as payment, the Quorum has the authority to withhold the deposited NYMs as a punitive measure for any detected instances of double-spending.
|
||||
@@ -0,0 +1,47 @@
|
||||
# Rerandomisation & Incremental Spend
|
||||
|
||||
Each zkNym generated by the Generator will not be valid for the entire amount of data that the credential aggregated from the PSCs is; if the aggregated credential is worth (e.g.) 10GB of Mixnet data, each zkNym created by the Generator will be worth far less.
|
||||
|
||||
```admonish info
|
||||
The functionality included in the following code block examples were added to the [nym-cli tool](../tools/nym-cli.md) for illustrative purposes only: this is not necessarily how credentials will be accessed in the future.
|
||||
|
||||
**Furthermore, the `nym-cli` uses the words 'tickets' in place of 'zkNyms' and 'ticketbook' in place of 'aggregated credential': this was WIP internal wording that we are moving away from now.**
|
||||
|
||||
The numbers used in this high level overview are for illustration purposes only. The figures used in production will potentially vary. Note that individual zkNym sizes will be uniform across the Network.
|
||||
```
|
||||
|
||||
This is to account for the need for a client to change their ingress Gateway, either because the Gateway itself has gone down / is not offering the required bandwidth, or because a user might simply want to split their traffic across multiple Gateways for extra privacy.
|
||||
|
||||
In order to accomodate this then each generated zkNym will be worth a far smaller amount than the aggregated credential fed into the zkNym Generator. A single aggregated credential worth (e.g.) 10GB of data might be split into 100MB zkNym chunks. This means that clients are not tied to particular Gateways they have 'spent' their entire subscription amount with; if the ingress Gateway goes down, or the client simply wishes to use another ingress Gateway, the user has multiple other zkNyms they can use that account for their remaining purchased bandwidth.
|
||||
|
||||
Going back to the `nym-cli` tool to illustrate this; we can generate multiple unlinkable zkNyms ('tickets' on this command output) from a single aggregated credential ('ticketbook' below):
|
||||
|
||||
```
|
||||
❯ ./nym-cli ecash generate-ticket --credential-storage storage.db --provider 6qidVK21zpHD298jdDa1RRpbRozP29ENVyqcSbm6hQrG --full
|
||||
TICKETBOOK DATA:
|
||||
4Ys9pzUf9MPxX4s5RASyrRoY9fPk1a1kFuPBP2jm2L5PyUy535yPEfjHAfpUTC1Lf2d155TmjukvcDycQYfBSDfhEUJM4J3qPNfG3B5aQEEkefESZp3CM5AEnAu1AEyhpepbYw6BuXokiNcmaYtq3yJQbA4KicKP8FowoRzKHmXpJoUqY8wYQughGfdtXgr3rVaZmK21X51P1NL2UW1aCE512WWfy6P1LJHByWywT3qVw28Z83
|
||||
|
||||
generating payment information for 50 tickets. this might take a while!...
|
||||
AVAILABLE TICKETS
|
||||
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+
|
||||
| index | binary data | spend status |
|
||||
+============================================================================================================================================================================================+
|
||||
| 0 | 4kgKyJLq1zQuk9r9AbEFHPqD8mDuxsLSjgo9XW4Lf7EqGSbgfNsWSEcTbRPEMFLzpstbX5azsA3opFh851h4g5qCG2qE3Luwqua4GG2ebJhk91rvEc5JPctbVQxL62fkfQ6svdcNp…1057bytes remaining | NOT SPENT |
|
||||
|-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------|
|
||||
| 1 | 4kefQqViRZd5YezMHH1FTcgUGPK2E2ivfmwgf59exvsnR8tsb5aJtGVwpA7wAJT6icPeo8jtDwDZ3WMPJxL3VRLiakAQr79zh7ixM89gowg3ChHEy6ewmHcT7T6RFkZFsMCMj1CNd…1057bytes remaining | NOT SPENT |
|
||||
|-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------|
|
||||
| 2 | 4kxaKdBxyFzJ8gxSZCh1v3wBfN7JvnCJuoJ4MWqkkMHtt2XgRKbDmHCv5ZxtA57Qk8LC3NDMBmqjADvY34mAPdT3tLBL4uxse9ASa227Ji96dwgxvfbpvLXSSr5o4vuPRV9K7UfpJ…1057bytes remaining | NOT SPENT |
|
||||
|-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------|
|
||||
| 3 | 4kdYwUJwXyxZBLQXextd4GsU2MATjzArVq5Ec459fTXyrm6q3vxurWULzBMpV5UjcmjJtnw1zFqt7f8Ydu5gyxwAVXP3Nwpn83ouguv2n4YrUewZCvFAqQYXgahhhaQGp6RxK2Arh…1057bytes remaining | NOT SPENT |
|
||||
|-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------|
|
||||
...
|
||||
|
||||
| 46 | 4kg8bfQ7kGgq5TkkqXagpAEu95gmGT4i7NKbaxJtp2gRgWRrQZM1rxaDAzAxfghoM6PFNbYgKsnLD4MF8HtXW3p92CnPBjswzJ1EbtsMGpgDER3CYFt2ivAhMAVXFziF5UjVJXhpa…1057bytes remaining | NOT SPENT |
|
||||
|-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------|
|
||||
| 47 | 4kipbH5Fqt5E9hFMynm9vzFh5FkxKRdHrSEiiJWDwmg3mASctR61sXoFD5u5ZMBwGdvz9sWsRfrpR4MX2NNfRhC85aUxqtkAv3hXZiCLtE1pUC54Cq7YXHyv2XTNKpvuFZs2GmwYg…1057bytes remaining | NOT SPENT |
|
||||
|-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------|
|
||||
| 48 | 4kxYZ26HXvxVhh4quHXeCUyQokydeF5wkwUi8fMx6P3uoMvuiPaNP1SJTbYnaQEFFtF6U4dGop6QckUYvbtwQFoGJTJesHFHTDtHbshj5Dg8DwbyaHuAR86zGwYMUPved4XKUTMLa…1057bytes remaining | NOT SPENT |
|
||||
|-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------|
|
||||
| 49 | 4kb6zmPebRxjKLVicctq2whvANjWJMoohiPBMr21cT4xj78nvXmJEK8EB4PpqQVFo6ddU9uzuer5ggQZNZgETX2VXBzymBYNzXBuXjLJi1WRdAiASqWz5Hv5im1TJh4XBE4mxKo8Q…1057bytes remaining | NOT SPENT |
|
||||
+-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+
|
||||
```
|
||||
@@ -0,0 +1,36 @@
|
||||
# zkNym Unlinkability
|
||||
Each time a credential is requested by an ingress Gateway to prove that a client has purchased data to send through the Mixnet, the zkNym Generator will provide a new, unlinkable zkNym. This is a rereandomised value that is able to be verified as being legitimate (in that it was created by feeding a valid root credential into the Generator) but **not linked to any other zkNyms**, either previously generated or to be generated in the future.
|
||||
|
||||
```admonish info
|
||||
The functionality included in the following code block examples were added to the [nym-cli tool](../tools/nym-cli.md) for illustrative purposes only: this is not necessarily how credentials will be accessed in the future.
|
||||
|
||||
**Furthermore, the `nym-cli` uses the words 'tickets' in place of 'zkNyms' and 'ticketbook' in place of 'aggregated credential': this was WIP internal wording that we are moving away from now.**
|
||||
|
||||
TODO ONCE THESE DOCS ARE GOOD TO GO, CHANGE NYM-CLI ARGS IN SAME PR
|
||||
```
|
||||
|
||||
```
|
||||
❯ ./nym-cli ecash generate-ticket --credential-storage storage.db --provider 6qidVK21zpHD298jdDa1RRpbRozP29ENVyqcSbm6hQrG --ticket-index=3
|
||||
TICKETBOOK DATA:
|
||||
4Ys9pzUf9MPxX4s5RASyrRoY9fPk1a1kFuPBP2jm2L5PyUy535yPEfjHAfpUTC1Lf2d155TmjukvcDycQYfBSDfhEUJM4J3qPNfG3B5aQEEkefESZp3CM5AEnAu1AEyhpepbYw6BuXokiNcmaYtq3yJQbA4KicKP8FowoRzKHmXpJoUqY8wYQughGfdtXgr3rVaZmK21X51P1NL2UW1aCE512WWfy6P1LJHByWywT3qVw28Z83
|
||||
|
||||
attempting to generate payment for ticket 3...
|
||||
|
||||
PAYMENT FOR TICKET 3:
|
||||
VfZAuVRRHekQYMvFevNAZmPPuwMAfEhTBY8TXatBysbrNXAg8euEGPpJvdbhNfQSznBb9nRSeBUSVoNTToSA6Uj5dXmJ7oE2rCB439DarLMWHWYfQNhw6yhWJhcg6bt7ebBYTs3vVeQgSB5kYuifzJF4QQmK6uJyTNPvpV1J6V8M32PBkGT3JpVB3GUGZiksETf7TaF9wAhMo2QAMxw5ZvaQVve5ea7Mane6cfb2Gx69SRff5zDfEQvKqKnyyZje4SGZgWUeHWVLhRjg4KMTJ3JcsHxEqj2k5qeGeyBbgzcuEtCpYvaytsz7nuZGJsT4Z87gB5Zq4NGuDmekuN977eRJvua2dASNWeHiAzVyvnS7ARN5cdUjjYKYiWgHaYrHGsv26WTDeiu4U3sdJMrLHGFY5ihX7f8sTZqD6Wx5AWjQNbEtKaVHymDogfLcwGCC42gQ2yhKfPUaWJ8H4yMB65YBDXGjATaUzcDmJcZKx8g31j2uTVNSFUesd5CRNEEcTNW7cSFFCishCD3T4eV9SuyZyEXAZ48pazPzc1BysBNHEXQNUEtEAZTKmpghC2pihhfDub6LnMJPo9DDdhCULCbcWbGAPc1vPekPaWvk7wrUTGwp5xoNUhQLW3MeJzMvrMSsqLdursCKB4h4Tk272WCStCPQwAKMYoxjWvMzxoUTTWCkhLKHruMtsehRnai4vhu13jbui6ji1F389gfazm4ctth2s4Yw3H3SaPtRETBfZNvZ7n5UV1MD6Q3qin92gT65iqXEi4zRN3woYcK6ZehiSvgUksdEFAUSxNMgNXKtHEYDS6kA37tn5JdBa2Ex2jLudFfhg6JBM226ZKyj65o6feYPgbJAR3jMCmQRHe6DSFb4aH895EowNMjfGUhwhmnbYB1djp7iFXxPP7575NAerhxEQ1WFnxTfoX7pu1Vc9YZb5priCAVbATCaDkECJsdedM45Vx96Jc6E5NWqD98RhMsPimVJkSfYJmRxH9qugica6WonFFb2YLvXYyhoBA1VHBcRqZJ5KHitS5AegYSoYprUfubMzcYo2hGVEQkGKAsFq6jZgCsbJoGLXt3No317vcowB5f3hqT9FjASHAzW2j8uJ9RRzX7XtrPhArwx4EyPgYzrvgG7xcenoSgQt8poa7aYky56eZTKHVUZgUEt6St32MjcivMvmNdWiAHHDc2ZxzTJHgeuCckX7n19vQ3XNLuXv9oGKNNCi8kHnT4tUnnGXNAWXWuyBgZKWUL8u3y41iW6dLYK3Pw5zfpKZTrq3q3bTLJRN5LnnUuFVnWsC3SNqa6VAAvhTGR9PzxLk8C6HeLP2AsYPpqeQwbaL3Ks6tvPdob3tQPWRBGL4uiKtNZ23tRYZGZLYFWZK7psRSZg5AETejKxztVzAuYovpVUiDq71o331tjqWWV1SzWT13Rd1uwz6nHtsjgao2863YaizKARcYr1j9MKtNfDs483yho6i7tbCRR9M4CPLqdiKEaRyVC1FP4F3sejA6nZTuAA35JWUzX6BBj7wgdypMLdMmmtcCZm3bRrF3GvJJs67U8JWRc6dnoGUDaD7rUu
|
||||
```
|
||||
|
||||
Now lets generate another zkNym to spend either topping up once the previous one's data allowance has been used, or with another Gateway. Notice that the `ticket-index` is the same: this is generated from the same aggregated credential as the one above!
|
||||
|
||||
```
|
||||
❯ ./nym-cli ecash generate-ticket --credential-storage storage.db --provider 6qidVK21zpHD298jdDa1RRpbRozP29ENVyqcSbm6hQrG --ticket-index=3
|
||||
TICKETBOOK DATA:
|
||||
4Ys9pzUf9MPxX4s5RASyrRoY9fPk1a1kFuPBP2jm2L5PyUy535yPEfjHAfpUTC1Lf2d155TmjukvcDycQYfBSDfhEUJM4J3qPNfG3B5aQEEkefESZp3CM5AEnAu1AEyhpepbYw6BuXokiNcmaYtq3yJQbA4KicKP8FowoRzKHmXpJoUqY8wYQughGfdtXgr3rVaZmK21X51P1NL2UW1aCE512WWfy6P1LJHByWywT3qVw28Z83
|
||||
|
||||
attempting to generate payment for ticket 3...
|
||||
|
||||
PAYMENT FOR TICKET 3:
|
||||
Vev3SmwWtH5vbnejX5Zzc1EcxXAgveqHpKNN8arxXaWLhFcEpdcZ6n7qr3NrQUNURWsK2AsUiX8aSiGSjMPEY3iDE3aDYnjYERVow8RKUmQiYSKvz7v9cEJxt97JAHBfu9WYNHXTnLFSJwWuFtBdzY5dzPdzGckFenGCysa1ZBHGADHChDVXKoPHXxpn5qyJxmi48coUQDptR64QgkCeQ8RRZ396Lxw2NKFSjqavCMMDVm3g1rW7cYyPanBhkoAUzPU9KXX1rtmhD6F9gV89mGZ8fm7ByDuKuYU28seLQ7GkVKkhNeRW9XxbjSiyscTnMUzJ24R5VbSdr141BaquUHezdUTzmA2EjAtcyyiVrCMV13cc96CRbMXENP2soUzckFnh1qPnrfKCvX4JYkztq7UgPT2mZEnSTDW4C6Z2NVCNBPNLqUSYrU4id8Jzcp1mBxqJjdYcQ7P5fWJbT5Q9NAq44PCgfXpsUkNoj35QVQvKXKLb5oNGqnua5YC1WBPcENcpS7ZPWpk2hwe8VK4gNgnwQtWH2RPmWbvBREAV97vS1vKNHJyry9sD2PiMJGSmBnb1bKsGxR9UQN3YvRsdGHzyJHzAMTzxbFJBqMPmxjSHJR4UdwzhB81Ludu1RAffTvecWFxmWH5bNymCQjw3wey7Uequcxgyy8KAWYDzvHGwCZQbHQXghsYREiqquZWaa8hX3iTNBFUtEk8PRVT78MoFNdeBWNjsLr8zyZ5EGnf4kqmw3a91g5p5vywf6e3LgMu19VHjPSNtKMNXiatkPEVjsCuCppmV4sB7FsdKKWcMUSWLsdmrDBg9PStHr7NaJRzLL5E91gvysmB36Nob9cHeHSZj3wM4NVVjFfZeRqQf4bi7ahfXjeeBetgDpqx7JcbU6tTN4JpcGUpp7fp4MhTq7MeVQMLweGUVLqewKgAGzCvEmrK6dzLd3U1P9vkAAVZ3cCAKUywnHGxoxDeEfexP1g1EqJLtKNZVKPf7hSMWqGhoQ36K7y5GnyZ5YhQ7jcDME9orm5w4StoxoDdCPcjbakKG7UaTHuhd7tU1mUffXcEvVerkXoQK9SEaKvGks21RBhW86aHUzJWVbkiDzdaqjJWbmzLV8FKvNxNyzucoH2rq8LiHRMZfV1H3SkVSa4j2Ktw7ZGoQfdj8DgekxXSR2nHPfhybzKYXTBqFo2ACisxkjR4rXr9Xo6eYywQhQ1MP6aYgYCAXFGHPoFf7kx7Jns5sWvHRBdaMF65zeFF2m5NDuMWETtLgFfsyNgR84vfSqTfzj2gsUykRei7q9N4LKmiDwBALTAEcTvZpLtXBjc8JaB9PUeBw7DoSiSK376sGrQ9F6ZGTngXACNz1TbvYhtau4bDa6KC2Qn7wmoyrphpn7TtM1jdwGBxLcaEEWZKQHvWVfTyL2itjqnrcAZkxYdCj56oQYwpWfKQk3zJEUA6SYHqyJjaLNVK6u25j7969EWjdpTsJ8qSsZgXi3T7dQqiwintZbUUUKRq7egN1SGVnA6Wup91uKrYUWEWMqVu4g8ipmRsLD9iXHHr3yA21Cka7pqk1FxR9BFTAnkk1
|
||||
```
|
||||
|
||||
These are both generated by the _same_ underlying credential fed into the zkNym Generator and verified and used in a way that they cannot be tied to each other. An ingress Gateway might (for instance) get 100 connection requests from 100 Nym clients, each validated with a zkNym. It has no way of knowing whether these are all zkNyms from the same single subscription, or 100 different ones.
|
||||
@@ -0,0 +1,51 @@
|
||||
# What are zkNyms?
|
||||
|
||||
The zkNym scheme enables the creation and use of unlinkable, rerandomisable anonymous access credentials that are 'spent' with Gateways in order to anonymously prove that someone has paid for Mixnet access. This implementation incorporates elements of both the [Coconut Credential](./coconut.md) and [Offline Ecash](https://arxiv.org/pdf/2303.08221) schemes.
|
||||
|
||||
As outlined in the [overview](./zknym-overview.md) on the next page, zkNyms allow for users to pay for Mixnet access in a manner that is **unlinkable to their payment account**; even with pseudonymous cryptocurrencies, or fiat. This solves one of the fundamental privacy problems with the majority of VPNs and dVPNs in production today: the linkability of a user's session with their payment information, which can in the majority of cases be easily used to deanonymise them, either at the behest of an authority or by the service operators themselves.
|
||||
|
||||
> The current zkNym scheme is non-generic in that it is only used for gating Mixnet access. A generic scheme based on zkNyms is being actively researched in order to facilitate more generic and customisable anonymous credentials for other applications and services.
|
||||
|
||||
## Motivations
|
||||
This scheme lets application programmers who are concerned with resource access control to think and code in a new way.
|
||||
|
||||
Most of the time, when we build system security, we think of _who_ questions:
|
||||
|
||||
- Has Alice identified herself (authentication)?
|
||||
- Is Alice allowed to take a specific action (authorisation)?
|
||||
|
||||
This fundamentally changes these questions. Rather than asking _who_ a user is, it allows application designers to ask different questions, mostly centered around questions of _rights_:
|
||||
|
||||
- Does the entity taking this action have a right to do X?
|
||||
|
||||
This allows a different kind of security. Many of the computer systems we talk to every day don't need to know _who we are_, they only need to know if we have a _right to use_ the system. The credentials are generated cooperatively by decentralised, trustless systems.
|
||||
|
||||
Once the credentials are generated, they can be _re-randomized:_ entirely new credentials, which no one has ever seen before, can be presented to the ingress point of the Nym Network, and validated without being linkable back to the signatures produced by the Quorum of credential signers.
|
||||
|
||||
These properties allow zkNyms to act as something like cryptographic bearer tokens generated by decentralised systems. The tokens can be mutated so that they are not traceable, but still verified with the original permissions intact.
|
||||
|
||||
Users present cryptographic claims encoded inside the credentials to get secure access to resources despite the systems verifying credential usage not being able to know who they are.
|
||||
|
||||
### Re-randomisation vs pseudonymity
|
||||
We stand on the shoulders of giants. Ten years ago, Bitcoin showed the way forward by allowing people to control resource access without recourse to _who_ questions. Rather, in Bitcoin and succeeding blockchains, a private key proves a _right to use_.
|
||||
|
||||
But as we can now see, private keys in blockchain systems act only as a minor barrier to finding out _who_ is accessing resources. A Bitcoin or Ethereum private key is effectively a long-lived pseudonym which is easily traceable through successive transactions.
|
||||
|
||||
**zkNyms allows us to build truly private systems rather than pseudonymous ones.**
|
||||
|
||||
## Features
|
||||
Just like normal credentials, zkNyms can be signed with a secret key and later verified by anybody with the correct public key. They also have additional superpowers when compared to "normal" signature schemes like RSA or DSA.
|
||||
|
||||
Specifically, it is an implementation of a blinded, re-randomizable, selective disclosure threshold credential signature scheme.
|
||||
|
||||
Let's say you have a `message` with the content `This credential controls X` in hand. In addition to the normal `sign(message, secretKey)` and `verify(message, publicKey)` functions present in other signature schemes, Coconut adds the following:
|
||||
|
||||
1. _[Blind signatures](https://en.wikipedia.org/wiki/Blind_signature)_ - disguises message content so that the signer can't see what they're signing. This defends users against signers: the entity that signed can't identify the user who created a given credential, since they've never seen the message they're signing before it's been _blinded_ (turned into seemingly random binary data). The scheme uses zero-knowledge proofs so that the signer can sign confidently without seeing the unblinded content of the message.
|
||||
|
||||
2. _Re-randomizable signatures_ - take a signature, and generate a brand new signature that is valid for the same underlying message `This credential controls X`. The new bitstring in the re-randomized signature is equivalent to the original signature but not linkable to it. So a user can generate multiple zkNyms from a single credential source, unlinkable to any previous "shown" zkNym. But the underlying content of the re-randomized credential is the same (including for things like double-spend protection). This once again protects the user against the signer, because the signer can't trace the signed message that they gave back to the user when it is presented. It also protects the user against the relying party that accepts the signed credential. The user can generate multiple re-randomized credentials repeatedly, and although the underlying message is the same in all cases, there's no way of tracking them by watching the user present the same credential multiple times.
|
||||
|
||||
3. _Selective disclosure of attributes_ - allows someone with the public key to verify some, but not all, parts of a message. So you could for instance selectively reveal parts of a signed message to some people, but not to others. This is a very powerful property of the scheme which is to be explored more in future work, potentially leading to diverse applications: voting systems, anonymous currency, privacy-friendly KYC systems, etc.
|
||||
|
||||
4. _[Threshold issuance](https://en.wikipedia.org/wiki/Threshold_cryptosystem)_ - allows signature generation to be split up across multiple nodes and decentralized, so that either all signers need to sign (_n of n_ where _n_ is the number of signers) or only a threshold number of signers need to sign a message (_t of n_ where _t_ is the threshold value).
|
||||
|
||||
Taken together, these properties provide privacy for applications when it comes to generating and using signatures for cryptographic claims. If you compare it to existing tech, you might think of it as a sort of supercharged decentralized privacy-friendly [JWT](https://jwt.io/).
|
||||
@@ -0,0 +1,53 @@
|
||||
# zkNym Generation and Usage: High Level Overview
|
||||
|
||||
```admonish info
|
||||
Access to the Mixnet is - at the time of publication - free for everyone. However, soon™ it will be required for each connecting client to present a valid credential - a zkNym - to their ingress Gateway to access the Mixnet. This document outlines the payment flow and zkNym generation for zkNyms.
|
||||
|
||||
zkNym access will vary depending on use:
|
||||
- individual developers will have access to something like a faucet for credentials.
|
||||
- larger application integrations will have their own 'under the hood' credential generation and distribution scheme for importing credentials into apps automatically.
|
||||
- and NymVPN users will have a variety of payment methods avaliable to them.
|
||||
_More on this soon_.
|
||||
```
|
||||
|
||||
Generation of zkNyms involves the following actors / pieces of infrastructure:
|
||||
- [NymAPI](https://nymtech.net/operators/nodes/nym-api.html) instances working together on Distributed Key Generation, referred to as the **NymAPI Quorum**. Members of the Quorum are a subset of the Nyx chain Validator set, and are part of a multisig used for triggering reward payouts to the Network Infrastructure Node Operators.
|
||||
- **zkNym Requester** represented by a Bech32 address on the Nyx blockchain. This Requester might be a single user using the NymVPN app, or represent a company purchasing zkNyms to distribute to their application users, in the instance of an app integrating a Mixnet client via one of the SDKs.
|
||||
- **OrderAPI**: an API creating crypto/fiat <> NYM swaps and then depositing NYM in a smart contract managed by the NymAPI Quroum for payment verification. Implementation details of the API will be released in the future.
|
||||
|
||||
Generation happens in 3 distinct stages:
|
||||
- Key Generation & Payment
|
||||
- Deposit NYM tokens & issue credential
|
||||
- Generate unlinkable zkNyms for Nym Network access
|
||||
|
||||
The vast majority of this - from the perspective of the Requester - happens under the hood, but results in the creation and usage of an **unlinkable, rerandomisable anonymous proof-of-payment credential** - a zkNym - with which to access the Mixnet without fear of doxxing themselves via linking app usage and payment information. The user experience is further enhanced by the fact that a single credential can be split into multiple small zkNyms, meaning that a Requester may buy a large chunk of bandwidth but 'spend' this in the form of multiple zkNyms with different ingress Gateways. Whilst this happens under the hood, what it affords the Requester is an ease of experience in that they have to 'top up' their bandwidth less and are able to chop and change ingress points to the Nym Network as they see fit, akin to the UX of most modern day VPNs and dVPNs.
|
||||
|
||||
TODO ADD A BIG DIAGRAM FOR EACH STAGE
|
||||
|
||||
## Key Generation & Payment
|
||||
- A Cosmos [Bech32 address](https://docs.cosmos.network/main/build/spec/addresses/bech32) is created for the Requester.
|
||||
This is used to identify themselves when interacting with the OrderAPI via signed authentication tokens. This is the only identity that the OrderAPI is able to see, and is not able to link this to generated zkNyms. This identity never leaves the Requester’s device and there is no email or any personal details needed for signup. If a Requester is simply 'topping up' their subscription, the creation of the address is skipped as it already exists.
|
||||
- The Requester can then interact with various payment backends to pay for their zkNyms with non-NYM crypto, fiat options, or natively with NYM tokens.
|
||||
- Payment options will trigger the OrderAPI. This will:
|
||||
- Create a swap for <PAYMENT_AMOUNT> <> NYM tokens.
|
||||
- Deposit these tokens with the NymAPI Quorum via a CosmWasm smart contract deployed on the Nyx blockchain.
|
||||
- The Requester generates an ed25519 keypair: this is used to identify and authenticate them in the case of using zkNyms across several devices as an individual user. However, this is never used in the clear: these keys are used as private attribute values within generated credentials which are verified via zero-knowledge.
|
||||
- The Requester sends a request to each member of the Quorum requesting a credential. This request is signed with their private key and includes the transaction hash of the NYM deposit into the deposit contract, performed either by themselves or the OrderAPI. _(( TODO double check which keypair and make clear ))_
|
||||
|
||||
## Deposit NYM & Issue zkNym
|
||||
- Once NYM tokens have been deposited into the contract controlled by the Quorum's multisig and a credential is requested, each member of the Quroum performs several checks to verify the request is valid:
|
||||
- They verify the signature sent as part of the request is valid and that the request was made in the last 48 hours.
|
||||
- They verify that the amount requested matches the amount deposited in the transcation, the hash of which was signed and sent as part of the request.
|
||||
- Each member then creates a partial blinded signature - a 'partial signed credential' ('PSC') - from their fragment of the master key generated and split amongst them at the beginning of the Quroum in the initial DKG ceremony.
|
||||
- The member also creates a `key:value` entry in their local cache with the transaction hash as the key, and the PSC + encrypted signature as the value. This is used later for zkNym validation and is cleaned after a predefined timeout.
|
||||
- These PSCs are given back to the Requester after setting up a secure channel via DH key ex., with each replying Quorum member also sending their public key for verification that the returned PSC was signed by them.
|
||||
|
||||
> In other words, each member of the Quorum who responds to the Requester's request for a zkNym (since this is a threshold cryptsystem, not all members of the Quroum must respond to create a credential, only enough to pass the threshold) returns a PSC signed with part of the master key.
|
||||
|
||||
- Once the Requester has received > threshold number of PSCs they can assemble them into a credential signed by the master key. The Requester never learns this master key (it is a private attribute) but the credential can be verified by the Quroum as being valid by checking for a proof that the credential's private attribute - the value of the master key - is valid.
|
||||
- This credential is fed into the Requester's local 'zkNym Generator'.
|
||||
|
||||
## Access Network
|
||||
- The zkNym Generator is entirely offline and holds the credential created from the aggregated threshold PSCs returned from individual members of the Quorum. Each time an application requests an access credential, the Generator will provide an unlinkable and unique zkNym to the requesting ingress Gateway.
|
||||
- _((TODO add a point on what spend is in other terms))_
|
||||
- This zkNym is later presented to the Quorum by the Gateway that collected it, which is used to calculate reward percentages given to Nym Network infrastructure operators by the Quorum, with payouts triggered by their multisig wallet.
|
||||
@@ -1,27 +0,0 @@
|
||||
CONFIGURED=true
|
||||
|
||||
NETWORK_NAME=mainnet
|
||||
|
||||
RUST_LOG=info
|
||||
RUST_BACKTRACE=1
|
||||
|
||||
BECH32_PREFIX=n
|
||||
MIX_DENOM=unym
|
||||
MIX_DENOM_DISPLAY=nym
|
||||
STAKE_DENOM=unyx
|
||||
STAKE_DENOM_DISPLAY=nyx
|
||||
DENOMS_EXPONENT=6
|
||||
|
||||
MIXNET_CONTRACT_ADDRESS=n17srjznxl9dvzdkpwpw24gg668wc73val88a6m5ajg6ankwvz9wtst0cznr
|
||||
VESTING_CONTRACT_ADDRESS=n1nc5tatafv6eyq7llkr2gv50ff9e22mnf70qgjlv737ktmt4eswrq73f2nw
|
||||
GROUP_CONTRACT_ADDRESS=n1e2zq4886zzewpvpucmlw8v9p7zv692f6yck4zjzxh699dkcmlrfqk2knsr
|
||||
MULTISIG_CONTRACT_ADDRESS=n1txayqfz5g9qww3rlflpg025xd26m9payz96u54x4fe3s2ktz39xqk67gzx
|
||||
COCONUT_DKG_CONTRACT_ADDRESS=n19604yflqggs9mk2z26mqygq43q2kr3n932egxx630svywd5mpxjsztfpvx
|
||||
|
||||
REWARDING_VALIDATOR_ADDRESS=n10yyd98e2tuwu0f7ypz9dy3hhjw7v772q6287gy
|
||||
STATISTICS_SERVICE_DOMAIN_ADDRESS="https://mainnet-stats.nymte.ch:8090"
|
||||
NYXD="https://rpc.nymtech.net"
|
||||
NYM_API="http://127.0.0.1:8000"
|
||||
NYXD_WS="wss://rpc.nymtech.net/websocket"
|
||||
EXPLORER_API="https://explorer.nymtech.net/api/"
|
||||
NYM_VPN_API="https://nymvpn.com/api"
|
||||
+5
-4
@@ -13,10 +13,11 @@ DENOMS_EXPONENT=6
|
||||
REWARDING_VALIDATOR_ADDRESS=n1pefc2utwpy5w78p2kqdsfmpjxfwmn9d39k5mqa
|
||||
MIXNET_CONTRACT_ADDRESS=n1xr3rq8yvd7qplsw5yx90ftsr2zdhg4e9z60h5duusgxpv72hud3sjkxkav
|
||||
VESTING_CONTRACT_ADDRESS=n1unyuj8qnmygvzuex3dwmg9yzt9alhvyeat0uu0jedg2wj33efl5qackslz
|
||||
GROUP_CONTRACT_ADDRESS=n1ewmwz97xm0h8rdk8sw7h9mwn866qkx9hl9zlmagqfkhuzvwk5hhq844ue9
|
||||
MULTISIG_CONTRACT_ADDRESS=n1tz0setr8vkh9udp8xyxgpqc89ns27k4d0jx2h942hr0ax63yjhmqz6xct8
|
||||
COCONUT_DKG_CONTRACT_ADDRESS=n1v3n2ly2dp3a9ng3ff6rh26yfkn0pc5hed7w2shc5u9ca5c865utqj5elvh
|
||||
ECASH_CONTRACT_ADDRESS=n1v3vydvs2ued84yv3khqwtgldmgwn0elljsdh08dr5s2j9x4rc5fs9jlwz9
|
||||
ECASH_CONTRACT_ADDRESS=n1ljlwey4xdj0zs7zueepc48nkr033fca6fjgvurfvttqegm8dvsrswsul70
|
||||
GROUP_CONTRACT_ADDRESS=n10v3rjnq4cjyccfykyams68ztce337gksuu6f0lvtl4meuwvkewaqru4uav
|
||||
MULTISIG_CONTRACT_ADDRESS=n1cemnu8as0ls45v3caunpesl8jlsfw2ff9rlwnltlecp7zrxct4dsqc2y42
|
||||
COCONUT_DKG_CONTRACT_ADDRESS=n1zx96qgd88vqlzcxkpwzks7kqs5ctrx36xtzfc58p7q6c4ng9anlqzc4nh8
|
||||
|
||||
|
||||
STATISTICS_SERVICE_DOMAIN_ADDRESS="http://0.0.0.0"
|
||||
EXPLORER_API=https://sandbox-explorer.nymtech.net/api
|
||||
|
||||
@@ -204,8 +204,8 @@ pub enum GatewayError {
|
||||
WireguardInterfaceError(#[from] defguard_wireguard_rs::error::WireguardInterfaceError),
|
||||
|
||||
#[cfg(all(feature = "wireguard", target_os = "linux"))]
|
||||
#[error("internal wireguard error {0}")]
|
||||
InternalWireguardError(String),
|
||||
#[error("wireguard not set")]
|
||||
WireguardNotSet,
|
||||
|
||||
#[error("failed to start authenticator: {source}")]
|
||||
AuthenticatorStartError {
|
||||
|
||||
+1
-21
@@ -267,29 +267,12 @@ impl<St> Gateway<St> {
|
||||
forwarding_channel,
|
||||
router_tx,
|
||||
);
|
||||
let all_peers = self.storage.get_all_wireguard_peers().await?;
|
||||
let used_private_network_ips = all_peers
|
||||
.iter()
|
||||
.cloned()
|
||||
.map(|wireguard_peer| {
|
||||
defguard_wireguard_rs::host::Peer::try_from(wireguard_peer).map(|mut peer| {
|
||||
peer.allowed_ips
|
||||
.pop()
|
||||
.ok_or(Box::new(GatewayError::InternalWireguardError(format!(
|
||||
"no private IP set for peer {}",
|
||||
peer.public_key
|
||||
))))
|
||||
.map(|p| p.ip)
|
||||
})
|
||||
})
|
||||
.collect::<Result<Result<Vec<_>, _>, _>>()??;
|
||||
|
||||
if let Some(wireguard_data) = self.wireguard_data.take() {
|
||||
let (on_start_tx, on_start_rx) = oneshot::channel();
|
||||
let mut authenticator_server = nym_authenticator::Authenticator::new(
|
||||
opts.config.clone(),
|
||||
wireguard_data.inner.clone(),
|
||||
used_private_network_ips,
|
||||
peer_response_rx,
|
||||
)
|
||||
.with_custom_gateway_transceiver(Box::new(transceiver))
|
||||
@@ -323,7 +306,6 @@ impl<St> Gateway<St> {
|
||||
|
||||
let wg_api = nym_wireguard::start_wireguard(
|
||||
self.storage.clone(),
|
||||
all_peers,
|
||||
shutdown,
|
||||
wireguard_data,
|
||||
peer_response_tx,
|
||||
@@ -335,9 +317,7 @@ impl<St> Gateway<St> {
|
||||
handle: LocalEmbeddedClientHandle::new(start_data.address, auth_mix_sender),
|
||||
})
|
||||
} else {
|
||||
Err(Box::new(GatewayError::InternalWireguardError(
|
||||
"wireguard not set".to_string(),
|
||||
)))
|
||||
Err(Box::new(GatewayError::WireguardNotSet))
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
+4
-14
@@ -28,13 +28,10 @@ dirs = { workspace = true }
|
||||
futures = { workspace = true }
|
||||
itertools = { workspace = true }
|
||||
humantime-serde = { workspace = true }
|
||||
k256 = { workspace = true, features = [
|
||||
"ecdsa-core",
|
||||
] } # needed for the Verifier trait; pull whatever version is used by other dependencies
|
||||
k256 = { workspace = true, features = ["ecdsa-core"] } # needed for the Verifier trait; pull whatever version is used by other dependencies
|
||||
log = { workspace = true }
|
||||
pin-project = { workspace = true }
|
||||
rand = { workspace = true }
|
||||
rand_chacha = { workspace = true }
|
||||
reqwest = { workspace = true, features = ["json"] }
|
||||
rocket = { workspace = true, features = ["json"] }
|
||||
rocket_cors = { workspace = true }
|
||||
@@ -43,12 +40,7 @@ serde_json = { workspace = true }
|
||||
tap = { workspace = true }
|
||||
thiserror = { workspace = true }
|
||||
time = { workspace = true, features = ["serde-human-readable", "parsing"] }
|
||||
tokio = { workspace = true, features = [
|
||||
"rt-multi-thread",
|
||||
"macros",
|
||||
"signal",
|
||||
"time",
|
||||
] }
|
||||
tokio = { workspace = true, features = ["rt-multi-thread", "macros", "signal", "time"] }
|
||||
tokio-stream = { workspace = true }
|
||||
url = { workspace = true }
|
||||
|
||||
@@ -90,9 +82,7 @@ nym-credentials-interface = { path = "../common/credentials-interface" }
|
||||
#nym-ephemera-common = { path = "../common/cosmwasm-smart-contracts/ephemera" }
|
||||
nym-config = { path = "../common/config" }
|
||||
cosmwasm-std = { workspace = true }
|
||||
nym-credential-storage = { path = "../common/credential-storage", features = [
|
||||
"persistent-storage",
|
||||
] }
|
||||
nym-credential-storage = { path = "../common/credential-storage", features = ["persistent-storage"] }
|
||||
nym-credentials = { path = "../common/credentials" }
|
||||
nym-crypto = { path = "../common/crypto" }
|
||||
cw2 = { workspace = true }
|
||||
@@ -115,7 +105,6 @@ nym-validator-client = { path = "../common/client-libs/validator-client" }
|
||||
nym-bin-common = { path = "../common/bin-common", features = ["output_format"] }
|
||||
nym-node-tester-utils = { path = "../common/node-tester-utils" }
|
||||
nym-node-requests = { path = "../nym-node/nym-node-requests" }
|
||||
nym-types = { path = "../common/types" }
|
||||
|
||||
[features]
|
||||
no-reward = []
|
||||
@@ -136,3 +125,4 @@ cw3 = { workspace = true }
|
||||
cw-utils = { workspace = true }
|
||||
rand_chacha = { workspace = true }
|
||||
sha2 = "0.9"
|
||||
|
||||
|
||||
@@ -1,31 +0,0 @@
|
||||
CREATE TABLE mixnode_details_v2
|
||||
(
|
||||
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
|
||||
mix_id INTEGER NOT NULL UNIQUE,
|
||||
owner VARCHAR NOT NULL,
|
||||
identity_key VARCHAR NOT NULL
|
||||
);
|
||||
|
||||
CREATE TABLE mixnode_status_v2
|
||||
(
|
||||
mixnode_details_id INTEGER NOT NULL,
|
||||
reliability INTEGER NOT NULL,
|
||||
timestamp INTEGER NOT NULL
|
||||
);
|
||||
|
||||
CREATE TABLE gateway_details_v2
|
||||
(
|
||||
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
|
||||
owner VARCHAR NOT NULL,
|
||||
identity VARCHAR NOT NULL UNIQUE
|
||||
);
|
||||
|
||||
CREATE TABLE gateway_status_v2
|
||||
(
|
||||
gateway_details_id INTEGER NOT NULL,
|
||||
reliability INTEGER NOT NULL,
|
||||
timestamp INTEGER NOT NULL
|
||||
);
|
||||
|
||||
|
||||
|
||||
@@ -1,19 +0,0 @@
|
||||
DROP TABLE IF EXISTS mixnode_details_v2;
|
||||
|
||||
CREATE TABLE mixnode_details_v2
|
||||
(
|
||||
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
|
||||
node_id INTEGER NOT NULL UNIQUE,
|
||||
identity_key VARCHAR NOT NULL
|
||||
);
|
||||
|
||||
DROP TABLE IF EXISTS gateway_details_v2;
|
||||
|
||||
CREATE TABLE gateway_details_v2
|
||||
(
|
||||
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
|
||||
node_id INTEGER NOT NULL UNIQUE,
|
||||
identity VARCHAR NOT NULL UNIQUE
|
||||
);
|
||||
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
DROP TABLE IF EXISTS gateway_details_v2;
|
||||
|
||||
CREATE TABLE gateway_details_v2
|
||||
(
|
||||
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
|
||||
node_id INTEGER NOT NULL,
|
||||
identity VARCHAR NOT NULL UNIQUE
|
||||
);
|
||||
|
||||
|
||||
@@ -56,7 +56,6 @@ impl RewardedSetUpdater {
|
||||
}
|
||||
}
|
||||
|
||||
#[allow(clippy::doc_lazy_continuation)]
|
||||
// This is where the epoch gets advanced, and all epoch related transactions originate
|
||||
/// Upon each epoch having finished the following actions are executed by this nym-api:
|
||||
/// 1. it computes the rewards for each node using the ephemera channel for the epoch that
|
||||
|
||||
@@ -4,8 +4,8 @@
|
||||
use crate::network_monitor::monitor::preparer::InvalidNode;
|
||||
use crate::network_monitor::test_packet::NodeTestMessage;
|
||||
use crate::network_monitor::test_route::TestRoute;
|
||||
use nym_mixnet_contract_common::MixId;
|
||||
use nym_node_tester_utils::node::{NodeType, TestableNode};
|
||||
use nym_types::monitoring::{GatewayResult, MixnodeResult};
|
||||
use std::collections::HashMap;
|
||||
use std::fmt::{Display, Formatter};
|
||||
|
||||
@@ -20,6 +20,42 @@ const UNRELIABLE_THRESHOLD: u8 = 1; // 1 - 60
|
||||
// from the average result, remove this data and recalculate scores.
|
||||
// const ALLOWED_RELIABILITY_DEVIATION: f32 = 5.0;
|
||||
|
||||
#[derive(Debug)]
|
||||
pub(crate) struct MixnodeResult {
|
||||
pub(crate) mix_id: MixId,
|
||||
pub(crate) identity: String,
|
||||
pub(crate) owner: String,
|
||||
pub(crate) reliability: u8,
|
||||
}
|
||||
|
||||
impl MixnodeResult {
|
||||
pub(crate) fn new(mix_id: MixId, identity: String, owner: String, reliability: u8) -> Self {
|
||||
MixnodeResult {
|
||||
mix_id,
|
||||
identity,
|
||||
owner,
|
||||
reliability,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub(crate) struct GatewayResult {
|
||||
pub(crate) identity: String,
|
||||
pub(crate) owner: String,
|
||||
pub(crate) reliability: u8,
|
||||
}
|
||||
|
||||
impl GatewayResult {
|
||||
pub(crate) fn new(identity: String, owner: String, reliability: u8) -> Self {
|
||||
GatewayResult {
|
||||
identity,
|
||||
owner,
|
||||
reliability,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone)]
|
||||
pub(crate) struct RouteResult {
|
||||
pub(crate) route: TestRoute,
|
||||
|
||||
@@ -54,8 +54,6 @@ pub(crate) fn node_status_routes(
|
||||
routes::get_gateways_detailed_unfiltered,
|
||||
routes::unstable::mixnode_test_results,
|
||||
routes::unstable::gateway_test_results,
|
||||
routes::submit_gateway_monitoring_results,
|
||||
routes::submit_node_monitoring_results,
|
||||
]
|
||||
} else {
|
||||
// in the minimal variant we would not have access to endpoints relying on existence
|
||||
|
||||
@@ -10,7 +10,6 @@ use nym_api_requests::models::{
|
||||
UptimeResponse,
|
||||
};
|
||||
use nym_mixnet_contract_common::MixId;
|
||||
use nym_types::monitoring::MonitorMessage;
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
use rocket_okapi::openapi;
|
||||
@@ -30,92 +29,6 @@ use crate::node_status_api::models::ErrorResponse;
|
||||
use crate::storage::NymApiStorage;
|
||||
use crate::NymContractCache;
|
||||
|
||||
#[openapi(tag = "status")]
|
||||
#[post("/submit-gateway-monitoring-results", data = "<message>")]
|
||||
pub(crate) async fn submit_gateway_monitoring_results(
|
||||
message: Json<MonitorMessage>,
|
||||
storage: &State<NymApiStorage>,
|
||||
) -> Result<(), ErrorResponse> {
|
||||
if !message.from_allowed() {
|
||||
return Err(ErrorResponse::new(
|
||||
"Monitor not registered to submit results".to_string(),
|
||||
rocket::http::Status::Forbidden,
|
||||
));
|
||||
}
|
||||
|
||||
if !message.timely() {
|
||||
return Err(ErrorResponse::new(
|
||||
"Message is too old".to_string(),
|
||||
rocket::http::Status::BadRequest,
|
||||
));
|
||||
}
|
||||
|
||||
if !message.verify() {
|
||||
return Err(ErrorResponse::new(
|
||||
"Invalid signature".to_string(),
|
||||
rocket::http::Status::BadRequest,
|
||||
));
|
||||
}
|
||||
|
||||
match storage
|
||||
.manager
|
||||
.submit_gateway_statuses_v2(message.results())
|
||||
.await
|
||||
{
|
||||
Ok(_) => Ok(()),
|
||||
Err(err) => {
|
||||
error!("failed to submit gateway monitoring results: {}", err);
|
||||
Err(ErrorResponse::new(
|
||||
"failed to submit gateway monitoring results".to_string(),
|
||||
rocket::http::Status::InternalServerError,
|
||||
))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[openapi(tag = "status")]
|
||||
#[post("/submit-node-monitoring-results", data = "<message>")]
|
||||
pub(crate) async fn submit_node_monitoring_results(
|
||||
message: Json<MonitorMessage>,
|
||||
storage: &State<NymApiStorage>,
|
||||
) -> Result<(), ErrorResponse> {
|
||||
if !message.from_allowed() {
|
||||
return Err(ErrorResponse::new(
|
||||
"Monitor not registered to submit results".to_string(),
|
||||
rocket::http::Status::Forbidden,
|
||||
));
|
||||
}
|
||||
|
||||
if !message.timely() {
|
||||
return Err(ErrorResponse::new(
|
||||
"Message is too old".to_string(),
|
||||
rocket::http::Status::BadRequest,
|
||||
));
|
||||
}
|
||||
|
||||
if !message.verify() {
|
||||
return Err(ErrorResponse::new(
|
||||
"Invalid signature".to_string(),
|
||||
rocket::http::Status::BadRequest,
|
||||
));
|
||||
}
|
||||
|
||||
match storage
|
||||
.manager
|
||||
.submit_mixnode_statuses_v2(message.results())
|
||||
.await
|
||||
{
|
||||
Ok(_) => Ok(()),
|
||||
Err(err) => {
|
||||
error!("failed to submit node monitoring results: {}", err);
|
||||
Err(ErrorResponse::new(
|
||||
"failed to submit node monitoring results".to_string(),
|
||||
rocket::http::Status::InternalServerError,
|
||||
))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[openapi(tag = "status")]
|
||||
#[get("/gateway/<identity>/report")]
|
||||
pub(crate) async fn gateway_report(
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
// Copyright 2021 - Nym Technologies SA <contact@nymtech.net>
|
||||
// SPDX-License-Identifier: GPL-3.0-only
|
||||
use crate::network_monitor::monitor::summary_producer::{GatewayResult, MixnodeResult};
|
||||
use crate::node_status_api::models::{HistoricalUptime, Uptime};
|
||||
use crate::node_status_api::utils::{ActiveGatewayStatuses, ActiveMixnodeStatuses};
|
||||
use crate::support::storage::models::{
|
||||
@@ -7,8 +8,6 @@ use crate::support::storage::models::{
|
||||
TestedGatewayStatus, TestedMixnodeStatus, TestingRoute,
|
||||
};
|
||||
use nym_mixnet_contract_common::{EpochId, IdentityKey, MixId};
|
||||
use nym_types::monitoring::{GatewayResult, MixnodeResult, NodeResult};
|
||||
use time::OffsetDateTime;
|
||||
|
||||
#[derive(Clone)]
|
||||
pub(crate) struct StorageManager {
|
||||
@@ -503,47 +502,6 @@ impl StorageManager {
|
||||
tx.commit().await
|
||||
}
|
||||
|
||||
pub(crate) async fn submit_mixnode_statuses_v2(
|
||||
&self,
|
||||
mixnode_results: &[NodeResult],
|
||||
) -> Result<(), sqlx::Error> {
|
||||
info!("Inserting {} mixnode statuses", mixnode_results.len());
|
||||
|
||||
let timestamp = OffsetDateTime::now_utc().unix_timestamp();
|
||||
// insert it all in a transaction to make sure all nodes are updated at the same time
|
||||
// (plus it's a nice guard against new nodes)
|
||||
let mut tx = self.connection_pool.begin().await?;
|
||||
for mixnode_result in mixnode_results {
|
||||
let mixnode_id = sqlx::query!(
|
||||
r#"
|
||||
INSERT OR IGNORE INTO mixnode_details_v2(node_id, identity_key) VALUES (?, ?);
|
||||
SELECT id FROM mixnode_details_v2 WHERE node_id = ?;
|
||||
"#,
|
||||
mixnode_result.node_id,
|
||||
mixnode_result.identity,
|
||||
mixnode_result.node_id,
|
||||
)
|
||||
.fetch_one(&mut tx)
|
||||
.await?
|
||||
.id;
|
||||
|
||||
// insert the actual status
|
||||
sqlx::query!(
|
||||
r#"
|
||||
INSERT INTO mixnode_status_v2 (mixnode_details_id, reliability, timestamp) VALUES (?, ?, ?);
|
||||
"#,
|
||||
mixnode_id,
|
||||
mixnode_result.reliability,
|
||||
timestamp
|
||||
)
|
||||
.execute(&mut tx)
|
||||
.await?;
|
||||
}
|
||||
|
||||
// finally commit the transaction
|
||||
tx.commit().await
|
||||
}
|
||||
|
||||
/// Tries to submit gateway [`NodeResult`] from the network monitor to the database.
|
||||
///
|
||||
/// # Arguments
|
||||
@@ -593,51 +551,6 @@ impl StorageManager {
|
||||
tx.commit().await
|
||||
}
|
||||
|
||||
pub(crate) async fn submit_gateway_statuses_v2(
|
||||
&self,
|
||||
gateway_results: &[NodeResult],
|
||||
) -> Result<(), sqlx::Error> {
|
||||
info!("Inserting {} gateway statuses", gateway_results.len());
|
||||
|
||||
let timestamp = OffsetDateTime::now_utc().unix_timestamp();
|
||||
// insert it all in a transaction to make sure all nodes are updated at the same time
|
||||
// (plus it's a nice guard against new nodes)
|
||||
let mut tx = self.connection_pool.begin().await?;
|
||||
|
||||
for gateway_result in gateway_results {
|
||||
// if gateway info doesn't exist, insert it and get its id
|
||||
|
||||
// same ID "problem" as described for mixnode insertion
|
||||
let gateway_id = sqlx::query!(
|
||||
r#"
|
||||
INSERT OR IGNORE INTO gateway_details_v2(identity, node_id) VALUES (?, ?);
|
||||
SELECT id FROM gateway_details_v2 WHERE identity = ?;
|
||||
"#,
|
||||
gateway_result.identity,
|
||||
gateway_result.node_id,
|
||||
gateway_result.identity,
|
||||
)
|
||||
.fetch_one(&mut tx)
|
||||
.await?
|
||||
.id;
|
||||
|
||||
// insert the actual status
|
||||
sqlx::query!(
|
||||
r#"
|
||||
INSERT INTO gateway_status_v2 (gateway_details_id, reliability, timestamp) VALUES (?, ?, ?);
|
||||
"#,
|
||||
gateway_id,
|
||||
gateway_result.reliability,
|
||||
timestamp
|
||||
)
|
||||
.execute(&mut tx)
|
||||
.await?;
|
||||
}
|
||||
|
||||
// finally commit the transaction
|
||||
tx.commit().await
|
||||
}
|
||||
|
||||
/// Saves the information about which nodes were used as core nodes during this particular
|
||||
/// network monitor test run.
|
||||
///
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
// Copyright 2021 - Nym Technologies SA <contact@nymtech.net>
|
||||
// SPDX-License-Identifier: GPL-3.0-only
|
||||
|
||||
use crate::network_monitor::monitor::summary_producer::{GatewayResult, MixnodeResult};
|
||||
use crate::network_monitor::test_route::TestRoute;
|
||||
use crate::node_status_api::models::{
|
||||
GatewayStatusReport, GatewayUptimeHistory, MixnodeStatusReport, MixnodeUptimeHistory,
|
||||
@@ -13,7 +14,6 @@ use crate::support::storage::models::{
|
||||
GatewayDetails, MixnodeDetails, TestedGatewayStatus, TestedMixnodeStatus,
|
||||
};
|
||||
use nym_mixnet_contract_common::MixId;
|
||||
use nym_types::monitoring::{GatewayResult, MixnodeResult};
|
||||
use rocket::fairing::AdHoc;
|
||||
use sqlx::ConnectOptions;
|
||||
use std::path::Path;
|
||||
|
||||
@@ -1,14 +0,0 @@
|
||||
FROM rust:latest AS builder
|
||||
|
||||
COPY ./ /usr/src/nym
|
||||
WORKDIR /usr/src/nym/nym-network-monitor
|
||||
RUN cargo build --release
|
||||
|
||||
FROM locustio/locust
|
||||
EXPOSE 8089
|
||||
COPY --from=builder /usr/src/nym/target/release/nym-network-monitor /bin/nym-network-monitor
|
||||
COPY --from=builder /usr/src/nym/nym-network-monitor/locustfile.py locustfile.py
|
||||
COPY --from=builder /usr/src/nym/nym-network-monitor/entrypoint.sh entrypoint.sh
|
||||
COPY --from=builder /usr/src/nym/envs/mainnet.env mainnet.env
|
||||
|
||||
ENTRYPOINT ["./entrypoint.sh"]
|
||||
@@ -1,39 +0,0 @@
|
||||
[package]
|
||||
name = "nym-network-monitor"
|
||||
version = "0.1.0"
|
||||
authors.workspace = true
|
||||
repository.workspace = true
|
||||
homepage.workspace = true
|
||||
documentation.workspace = true
|
||||
edition.workspace = true
|
||||
license.workspace = true
|
||||
|
||||
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
||||
|
||||
[dependencies]
|
||||
anyhow = { workspace = true }
|
||||
axum = { workspace = true, features = ["json"] }
|
||||
clap = { workspace = true, features = ["derive"] }
|
||||
dashmap = { workspace = true }
|
||||
futures = { workspace = true }
|
||||
log = { workspace = true }
|
||||
petgraph = "0.6.5"
|
||||
rand = { workspace = true }
|
||||
rand_chacha = { workspace = true }
|
||||
reqwest = { workspace = true, features = ["json"] }
|
||||
serde = { workspace = true, features = ["derive"] }
|
||||
serde_json = { workspace = true }
|
||||
tokio = { workspace = true, features = ["macros", "time"] }
|
||||
tokio-util = { workspace = true }
|
||||
utoipa = { workspace = true, features = ["axum_extras"] }
|
||||
utoipa-swagger-ui = { workspace = true, features = ["axum"] }
|
||||
|
||||
# internal
|
||||
nym-bin-common = { path = "../common/bin-common" }
|
||||
nym-crypto = { path = "../common/crypto" }
|
||||
nym-network-defaults = { path = "../common/network-defaults" }
|
||||
nym-sdk = { path = "../sdk/rust/nym-sdk" }
|
||||
nym-sphinx = { path = "../common/nymsphinx" }
|
||||
nym-topology = { path = "../common/topology" }
|
||||
nym-types = { path = "../common/types" }
|
||||
nym-validator-client = { path = "../common/client-libs/validator-client" }
|
||||
@@ -1,47 +0,0 @@
|
||||
# Nym Network Monitor
|
||||
|
||||
Monitors the Nym network by sending itself packages across the mixnet.
|
||||
|
||||
Network monitor is running two tokio tasks, one manages mixnet clients and another manages monitoring itself. Monitor is designed to be driven externally, via an HTTP api. This means that it does not do any monitoring unless driven by something like [`locust`](https://locust.io/). This allows us to tailor the load externally, potentially distributing it across multiple monitors.
|
||||
|
||||
### Client manager
|
||||
|
||||
On start network monitor will spawn `C` clients, with 10 being the default. Random client is dropped every `T`, defaults to 60 seconds, and a new one is created. Clients chose a random gateway to connect to the mixnet. Meaning that on average all gateways will be tested in `NUMBER_OF_GATEWAYS/N*T`, assuming at least one request per client per T.
|
||||
|
||||
### Network monitor API
|
||||
|
||||
Swagger UI is available at `/v1/ui/`, ie `http://localhost:8080/v1/ui/`
|
||||
|
||||
### Driving the monitor with Locust
|
||||
|
||||
+ Head over to https://locust.io/ and get `locust`
|
||||
+ Start everything
|
||||
```bash
|
||||
# Start the network monitor
|
||||
cargo run --release
|
||||
|
||||
# Start locus in a separate terminal
|
||||
python -m locust -H http://127.0.0.1:8080 --processes 4
|
||||
```
|
||||
+ Head over to http://127.0.0.1:8089/ and start a testing run
|
||||
|
||||
## Usage
|
||||
|
||||
```bash
|
||||
Usage: nym-network-monitor [OPTIONS]
|
||||
|
||||
Options:
|
||||
-C, --clients <N_CLIENTS> Number of clients to spawn [default: 10]
|
||||
-T, --client-lifetime <CLIENT_LIFETIME> Lifetime of each client in seconds [default: 60]
|
||||
--port <PORT> Port to listen on [default: 8080]
|
||||
--host <HOST> Host to listen on [default: 127.0.0.1]
|
||||
-t, --topology <TOPOLOGY> Path to the topology file
|
||||
-e, --env <ENV> Path to the environment file
|
||||
-m, --mixnet-timeout <MIXNET_TIMEOUT> [default: 10]
|
||||
--generate-key-pair
|
||||
--private-key <PRIVATE_KEY>
|
||||
-h, --help Print help
|
||||
-V, --version Print version
|
||||
```
|
||||
|
||||
|
||||
@@ -1,21 +0,0 @@
|
||||
#!/bin/bash
|
||||
# Takes timeout in seconds as the first argument, defaults to 60
|
||||
# Takes number of users as the second argument, defaults to 10
|
||||
|
||||
set -ex
|
||||
|
||||
users=${2:-10}
|
||||
timeout=${1:-600}
|
||||
|
||||
RUST_LOG=info nym-network-monitor --env mainnet.env --host 127.0.0.1 --port 8080 &
|
||||
nnm_pid=$!
|
||||
|
||||
sleep 10
|
||||
|
||||
python -m locust -H http://127.0.0.1:8080 --processes 4 --autostart --autoquit 60 -u "$users" -t "$timeout"s &
|
||||
locust_pid=$!
|
||||
|
||||
wait $locust_pid
|
||||
kill -2 $nnm_pid
|
||||
|
||||
exit $?
|
||||
@@ -1,7 +0,0 @@
|
||||
from locust import HttpUser, task
|
||||
|
||||
|
||||
class SendMsg(HttpUser):
|
||||
@task
|
||||
def hello_world(self):
|
||||
self.client.post("/v1/send")
|
||||
@@ -1,382 +0,0 @@
|
||||
use std::collections::{HashMap, HashSet};
|
||||
|
||||
use anyhow::Result;
|
||||
use futures::{stream::FuturesUnordered, StreamExt};
|
||||
use log::{debug, info};
|
||||
use nym_sphinx::chunking::{SentFragment, FRAGMENTS_RECEIVED, FRAGMENTS_SENT};
|
||||
use nym_topology::{gateway, mix, NymTopology};
|
||||
use nym_types::monitoring::{MonitorMessage, NodeResult};
|
||||
use nym_validator_client::nym_api::routes::{API_VERSION, STATUS, SUBMIT_GATEWAY, SUBMIT_NODE};
|
||||
use rand::SeedableRng;
|
||||
use rand_chacha::ChaCha8Rng;
|
||||
use serde::{Deserialize, Serialize};
|
||||
use utoipa::ToSchema;
|
||||
|
||||
use crate::{NYM_API_URL, PRIVATE_KEY, TOPOLOGY};
|
||||
|
||||
struct HydratedRoute {
|
||||
mix_nodes: Vec<mix::Node>,
|
||||
gateway_node: gateway::Node,
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize, Debug, Default, ToSchema)]
|
||||
struct GatewayStats(u32, u32, Option<String>);
|
||||
|
||||
impl GatewayStats {
|
||||
fn new(sent: u32, recv: u32, owner: Option<String>) -> Self {
|
||||
GatewayStats(sent, recv, owner)
|
||||
}
|
||||
|
||||
fn success(&self) -> u32 {
|
||||
self.0
|
||||
}
|
||||
|
||||
fn failed(&self) -> u32 {
|
||||
self.1
|
||||
}
|
||||
|
||||
fn reliability(&self) -> f64 {
|
||||
self.success() as f64 / (self.success() + self.failed()) as f64
|
||||
}
|
||||
|
||||
fn incr_success(&mut self) {
|
||||
self.0 += 1;
|
||||
}
|
||||
|
||||
fn incr_failure(&mut self) {
|
||||
self.1 += 1;
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize, Debug, Default, ToSchema)]
|
||||
pub struct NetworkAccount {
|
||||
complete_fragment_sets: HashSet<i32>,
|
||||
incomplete_fragment_sets: HashSet<i32>,
|
||||
missing_fragments: HashMap<i32, Vec<u8>>,
|
||||
complete_routes: Vec<Vec<u32>>,
|
||||
gateway_stats: HashMap<String, GatewayStats>,
|
||||
incomplete_routes: Vec<Vec<u32>>,
|
||||
#[serde(skip)]
|
||||
topology: NymTopology,
|
||||
tested_nodes: HashSet<u32>,
|
||||
#[serde(skip)]
|
||||
mix_details: HashMap<u32, mix::Node>,
|
||||
#[serde(skip)]
|
||||
gateway_details: HashMap<String, gateway::Node>,
|
||||
}
|
||||
|
||||
impl NetworkAccount {
|
||||
pub fn tested_nodes(&self) -> &HashSet<u32> {
|
||||
&self.tested_nodes
|
||||
}
|
||||
|
||||
pub fn node_stats(&self, id: u32) -> NodeStats {
|
||||
let complete_routes = self.complete_for_id(id);
|
||||
let incomplete_routes = self.incomplete_for_id(id);
|
||||
let node = self
|
||||
.mix_details
|
||||
.get(&id)
|
||||
.expect("Has to be in here, since we've put it in!");
|
||||
NodeStats::new(
|
||||
id,
|
||||
complete_routes,
|
||||
incomplete_routes,
|
||||
node.identity_key.to_base58_string(),
|
||||
node.owner.clone(),
|
||||
)
|
||||
}
|
||||
|
||||
fn complete_for_id(&self, id: u32) -> usize {
|
||||
self.complete_routes()
|
||||
.iter()
|
||||
.filter(|r| r.contains(&id))
|
||||
.count()
|
||||
}
|
||||
|
||||
fn incomplete_for_id(&self, id: u32) -> usize {
|
||||
self.incomplete_routes()
|
||||
.iter()
|
||||
.filter(|r| r.contains(&id))
|
||||
.count()
|
||||
}
|
||||
|
||||
pub fn complete_routes(&self) -> &Vec<Vec<u32>> {
|
||||
&self.complete_routes
|
||||
}
|
||||
|
||||
pub fn incomplete_routes(&self) -> &Vec<Vec<u32>> {
|
||||
&self.incomplete_routes
|
||||
}
|
||||
|
||||
pub fn finalize() -> Result<Self> {
|
||||
let mut account = NetworkAccount::new();
|
||||
account.find_missing_fragments();
|
||||
account.hydrate_all_fragments()?;
|
||||
Ok(account)
|
||||
}
|
||||
|
||||
pub fn empty_buffers() {
|
||||
FRAGMENTS_SENT.clear();
|
||||
FRAGMENTS_RECEIVED.clear();
|
||||
}
|
||||
|
||||
fn new() -> Self {
|
||||
let topology = TOPOLOGY.get().expect("Topology not set yet!").clone();
|
||||
let mut account = NetworkAccount {
|
||||
topology,
|
||||
..Default::default()
|
||||
};
|
||||
for fragment_set in FRAGMENTS_SENT.iter() {
|
||||
let sent_fragments = fragment_set
|
||||
.value()
|
||||
.first()
|
||||
.map(|f| f.header().total_fragments())
|
||||
.unwrap_or(0);
|
||||
|
||||
debug!(
|
||||
"SENT Fragment set {} has {} fragments",
|
||||
fragment_set.key(),
|
||||
sent_fragments
|
||||
);
|
||||
|
||||
let recv = FRAGMENTS_RECEIVED.get(fragment_set.key());
|
||||
let recv_fragments = recv.as_ref().map(|r| r.value().len()).unwrap_or(0);
|
||||
debug!(
|
||||
"RECV Fragment set {} has {} fragments",
|
||||
fragment_set.key(),
|
||||
recv_fragments
|
||||
);
|
||||
|
||||
// Due to retransmission we can recieve a fragment multiple times
|
||||
if sent_fragments as usize <= recv_fragments {
|
||||
account.push_complete(*fragment_set.key());
|
||||
} else {
|
||||
account.push_incomplete(*fragment_set.key());
|
||||
}
|
||||
}
|
||||
account
|
||||
}
|
||||
|
||||
fn hydrate_route(&self, fragment: SentFragment) -> anyhow::Result<HydratedRoute> {
|
||||
let mut rng = ChaCha8Rng::seed_from_u64(fragment.seed() as u64);
|
||||
let (nodes, gw) = self.topology.random_path_to_gateway(
|
||||
&mut rng,
|
||||
fragment.mixnet_params().hops(),
|
||||
fragment.mixnet_params().destination(),
|
||||
)?;
|
||||
Ok(HydratedRoute {
|
||||
mix_nodes: nodes,
|
||||
gateway_node: gw,
|
||||
})
|
||||
}
|
||||
|
||||
fn hydrate_all_fragments(&mut self) -> Result<()> {
|
||||
for fragment_set in FRAGMENTS_SENT.iter() {
|
||||
let fragment_set_id = fragment_set.key();
|
||||
for fragment in fragment_set.value() {
|
||||
let route = self.hydrate_route(fragment.clone())?;
|
||||
let mix_ids = route
|
||||
.mix_nodes
|
||||
.iter()
|
||||
.map(|n| n.mix_id)
|
||||
.collect::<Vec<u32>>();
|
||||
self.tested_nodes.extend(&mix_ids);
|
||||
self.mix_details
|
||||
.extend(route.mix_nodes.iter().map(|n| (n.mix_id, n.clone())));
|
||||
let gateway_stats_entry = self
|
||||
.gateway_stats
|
||||
.entry(route.gateway_node.identity_key.to_base58_string())
|
||||
.or_insert(GatewayStats::new(0, 0, route.gateway_node.owner.clone()));
|
||||
self.gateway_details.insert(
|
||||
route.gateway_node.identity_key.to_base58_string(),
|
||||
route.gateway_node,
|
||||
);
|
||||
if self.complete_fragment_sets.contains(fragment_set_id) {
|
||||
self.complete_routes.push(mix_ids);
|
||||
gateway_stats_entry.incr_success();
|
||||
} else {
|
||||
self.incomplete_routes.push(mix_ids);
|
||||
gateway_stats_entry.incr_failure();
|
||||
}
|
||||
}
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn find_missing_fragments(&mut self) {
|
||||
let mut missing_fragments_map = HashMap::new();
|
||||
for fragment_set_id in &self.incomplete_fragment_sets {
|
||||
if let Some(fragment_ref) = FRAGMENTS_RECEIVED.get(fragment_set_id) {
|
||||
if let Some(ref_fragment) = fragment_ref.value().first() {
|
||||
let ref_header = ref_fragment.header();
|
||||
let ref_id_set = (0..ref_header.total_fragments()).collect::<HashSet<u8>>();
|
||||
let recieved_set = fragment_ref
|
||||
.value()
|
||||
.iter()
|
||||
.map(|f| f.header().current_fragment())
|
||||
.collect::<HashSet<u8>>();
|
||||
let missing_fragments = ref_id_set
|
||||
.difference(&recieved_set)
|
||||
.cloned()
|
||||
.collect::<Vec<u8>>();
|
||||
missing_fragments_map.insert(*fragment_set_id, missing_fragments);
|
||||
}
|
||||
};
|
||||
}
|
||||
self.missing_fragments = missing_fragments_map;
|
||||
}
|
||||
|
||||
fn push_complete(&mut self, id: i32) {
|
||||
self.complete_fragment_sets.insert(id);
|
||||
}
|
||||
|
||||
fn push_incomplete(&mut self, id: i32) {
|
||||
self.incomplete_fragment_sets.insert(id);
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Serialize, Debug, Default, ToSchema)]
|
||||
pub struct NetworkAccountStats {
|
||||
complete_fragment_sets: usize,
|
||||
incomplete_fragment_sets: usize,
|
||||
missing_fragments: usize,
|
||||
complete_routes: usize,
|
||||
incomplete_routes: usize,
|
||||
tested_nodes: usize,
|
||||
}
|
||||
|
||||
impl From<NetworkAccount> for NetworkAccountStats {
|
||||
fn from(account: NetworkAccount) -> Self {
|
||||
NetworkAccountStats {
|
||||
complete_fragment_sets: account.complete_fragment_sets.len(),
|
||||
incomplete_fragment_sets: account.incomplete_fragment_sets.len(),
|
||||
missing_fragments: account.missing_fragments.values().map(|v| v.len()).sum(),
|
||||
complete_routes: account.complete_routes.len(),
|
||||
incomplete_routes: account.incomplete_routes.len(),
|
||||
tested_nodes: account.tested_nodes.len(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Serialize, Debug, ToSchema)]
|
||||
pub struct NodeStats {
|
||||
mix_id: u32,
|
||||
complete_routes: usize,
|
||||
incomplete_routes: usize,
|
||||
reliability: f64,
|
||||
identity: String,
|
||||
owner: Option<String>,
|
||||
}
|
||||
|
||||
impl NodeStats {
|
||||
pub fn new(
|
||||
mix_id: u32,
|
||||
complete_routes: usize,
|
||||
incomplete_routes: usize,
|
||||
identity: String,
|
||||
owner: Option<String>,
|
||||
) -> Self {
|
||||
NodeStats {
|
||||
mix_id,
|
||||
complete_routes,
|
||||
incomplete_routes,
|
||||
reliability: complete_routes as f64 / (complete_routes + incomplete_routes) as f64,
|
||||
identity,
|
||||
owner,
|
||||
}
|
||||
}
|
||||
|
||||
pub fn reliability(&self) -> f64 {
|
||||
self.reliability
|
||||
}
|
||||
|
||||
pub fn into_node_results(self) -> NodeResult {
|
||||
NodeResult {
|
||||
node_id: self.mix_id,
|
||||
identity: self.identity,
|
||||
reliability: (self.reliability * 100.) as u8,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub async fn all_node_stats() -> anyhow::Result<Vec<NodeStats>> {
|
||||
let account = NetworkAccount::finalize()?;
|
||||
Ok(account
|
||||
.tested_nodes()
|
||||
.iter()
|
||||
.map(|id| account.node_stats(*id))
|
||||
.collect::<Vec<NodeStats>>())
|
||||
}
|
||||
|
||||
pub async fn monitor_gateway_results() -> anyhow::Result<Vec<NodeResult>> {
|
||||
let account = NetworkAccount::finalize()?;
|
||||
Ok(account
|
||||
.gateway_stats
|
||||
.iter()
|
||||
.map(into_gateway_result)
|
||||
.collect())
|
||||
}
|
||||
|
||||
pub async fn monitor_mixnode_results() -> anyhow::Result<Vec<NodeResult>> {
|
||||
let stats = all_node_stats().await?;
|
||||
Ok(stats
|
||||
.into_iter()
|
||||
.map(NodeStats::into_node_results)
|
||||
.collect())
|
||||
}
|
||||
|
||||
pub async fn submit_metrics() -> anyhow::Result<()> {
|
||||
let node_stats = monitor_mixnode_results().await?;
|
||||
let gateway_stats = monitor_gateway_results().await?;
|
||||
|
||||
info!("Submitting metrics to {}", *NYM_API_URL);
|
||||
let client = reqwest::Client::new();
|
||||
|
||||
let node_submit_url = format!("{}/{API_VERSION}/{STATUS}/{SUBMIT_NODE}", &*NYM_API_URL);
|
||||
let gateway_submit_url = format!("{}/{API_VERSION}/{STATUS}/{SUBMIT_GATEWAY}", &*NYM_API_URL);
|
||||
|
||||
info!("Submitting {} mixnode measurements", node_stats.len());
|
||||
|
||||
node_stats
|
||||
.chunks(10)
|
||||
.map(|chunk| {
|
||||
let monitor_message =
|
||||
MonitorMessage::new(chunk.to_vec(), PRIVATE_KEY.get().expect("We've set this!"));
|
||||
client.post(&node_submit_url).json(&monitor_message).send()
|
||||
})
|
||||
.collect::<FuturesUnordered<_>>()
|
||||
.collect::<Vec<Result<_, _>>>()
|
||||
.await
|
||||
.into_iter()
|
||||
.collect::<Result<Vec<_>, _>>()?;
|
||||
|
||||
info!("Submitting {} gateway measurements", gateway_stats.len());
|
||||
|
||||
gateway_stats
|
||||
.chunks(10)
|
||||
.map(|chunk| {
|
||||
let monitor_message =
|
||||
MonitorMessage::new(chunk.to_vec(), PRIVATE_KEY.get().expect("We've set this!"));
|
||||
client
|
||||
.post(&gateway_submit_url)
|
||||
.json(&monitor_message)
|
||||
.send()
|
||||
})
|
||||
.collect::<FuturesUnordered<_>>()
|
||||
.collect::<Vec<Result<_, _>>>()
|
||||
.await
|
||||
.into_iter()
|
||||
.collect::<Result<Vec<_>, _>>()?;
|
||||
|
||||
NetworkAccount::empty_buffers();
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn into_gateway_result((key, stats): (&String, &GatewayStats)) -> NodeResult {
|
||||
NodeResult {
|
||||
identity: key.clone(),
|
||||
reliability: (stats.reliability() * 100.) as u8,
|
||||
node_id: 0,
|
||||
}
|
||||
}
|
||||
@@ -1,295 +0,0 @@
|
||||
use axum::{
|
||||
extract::{Path, State},
|
||||
http::StatusCode,
|
||||
Json,
|
||||
};
|
||||
use futures::StreamExt;
|
||||
use log::{debug, error, warn};
|
||||
use nym_sdk::mixnet::MixnetMessageSender;
|
||||
use nym_sphinx::chunking::{ReceivedFragment, SentFragment, FRAGMENTS_RECEIVED, FRAGMENTS_SENT};
|
||||
use petgraph::{dot::Dot, Graph};
|
||||
use rand::{distributions::Alphanumeric, seq::SliceRandom, Rng};
|
||||
use serde::Serialize;
|
||||
use std::{
|
||||
collections::{HashMap, HashSet},
|
||||
sync::Arc,
|
||||
time::Duration,
|
||||
};
|
||||
use tokio::time::timeout;
|
||||
use utoipa::ToSchema;
|
||||
|
||||
use crate::{
|
||||
accounting::{all_node_stats, NetworkAccount, NetworkAccountStats, NodeStats},
|
||||
http::AppState,
|
||||
MIXNET_TIMEOUT,
|
||||
};
|
||||
|
||||
#[derive(ToSchema, Serialize)]
|
||||
pub struct FragmentsSent(HashMap<i32, Vec<SentFragment>>);
|
||||
|
||||
#[derive(ToSchema, Serialize)]
|
||||
pub struct FragmentsReceived(HashMap<i32, Vec<ReceivedFragment>>);
|
||||
|
||||
#[utoipa::path(
|
||||
get,
|
||||
path = "/v1/stats",
|
||||
responses(
|
||||
(status = 200, description = "Returns statistics collected since startup", body = NetworkAccountStats),
|
||||
)
|
||||
)]
|
||||
pub async fn stats_handler() -> Result<Json<NetworkAccountStats>, StatusCode> {
|
||||
let account = NetworkAccount::finalize().map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
|
||||
Ok(Json(account.into()))
|
||||
}
|
||||
|
||||
#[utoipa::path(
|
||||
get,
|
||||
path = "/v1/node_stats/{mix_id}",
|
||||
responses(
|
||||
(status = 200, description = "Returns statistics for a given mix_id, collected since startup", body = NodeStats),
|
||||
)
|
||||
)]
|
||||
pub async fn node_stats_handler(Path(mix_id): Path<u32>) -> Result<Json<NodeStats>, StatusCode> {
|
||||
let account = NetworkAccount::finalize().map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
|
||||
Ok(Json(account.node_stats(mix_id)))
|
||||
}
|
||||
|
||||
#[utoipa::path(
|
||||
get,
|
||||
path = "/v1/node_stats",
|
||||
responses(
|
||||
(status = 200, description = "Returns statistics for all nodes, collected since startup, sorted by reliability", body = Vec<NodeStats>),
|
||||
)
|
||||
)]
|
||||
pub async fn all_nodes_stats_handler() -> Result<Json<Vec<NodeStats>>, StatusCode> {
|
||||
let mut stats = all_node_stats()
|
||||
.await
|
||||
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
|
||||
stats.sort_by(|a, b| a.reliability().partial_cmp(&b.reliability()).unwrap());
|
||||
Ok(Json(stats))
|
||||
}
|
||||
|
||||
#[utoipa::path(
|
||||
get,
|
||||
path = "/v1/accounting",
|
||||
responses(
|
||||
(status = 200, description = "Returns raw aggregated data collected since startup", body = NetworkAccount),
|
||||
)
|
||||
)]
|
||||
pub async fn accounting_handler() -> Result<Json<NetworkAccount>, StatusCode> {
|
||||
NetworkAccount::finalize()
|
||||
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)
|
||||
.map(Json)
|
||||
}
|
||||
|
||||
#[utoipa::path(
|
||||
get,
|
||||
path = "/v1/dot/{mix_id}",
|
||||
responses(
|
||||
(status = 200, description = "Returns Subgraph for a given *mix_id* in `dot` format", body = String),
|
||||
)
|
||||
)]
|
||||
pub async fn mix_dot_handler(Path(mix_id): Path<u32>) -> Result<String, StatusCode> {
|
||||
generate_dot(Some(mix_id))
|
||||
}
|
||||
|
||||
#[utoipa::path(
|
||||
get,
|
||||
path = "/v1/dot",
|
||||
responses(
|
||||
(status = 200, description = "Returns entire tested network graph in `dot` format", body = String),
|
||||
)
|
||||
)]
|
||||
pub async fn graph_handler() -> Result<String, StatusCode> {
|
||||
generate_dot(None)
|
||||
}
|
||||
|
||||
#[utoipa::path(
|
||||
get,
|
||||
path = "/v1/sent",
|
||||
responses(
|
||||
(status = 200, description = "Returns a map of all fragments sent by the network monitor", body = FragmentsSent),
|
||||
)
|
||||
)]
|
||||
pub async fn sent_handler() -> Json<FragmentsSent> {
|
||||
Json(FragmentsSent(
|
||||
(*FRAGMENTS_SENT)
|
||||
.clone()
|
||||
.into_iter()
|
||||
.collect::<HashMap<_, _>>(),
|
||||
))
|
||||
}
|
||||
|
||||
#[utoipa::path(
|
||||
get,
|
||||
path = "/v1/received",
|
||||
responses(
|
||||
(status = 200, description = "Returns a map of all fragments received by the network monitor", body = FragmentsReceived),
|
||||
)
|
||||
)]
|
||||
pub async fn recv_handler() -> Json<FragmentsReceived> {
|
||||
Json(FragmentsReceived(
|
||||
(*FRAGMENTS_RECEIVED)
|
||||
.clone()
|
||||
.into_iter()
|
||||
.collect::<HashMap<_, _>>(),
|
||||
))
|
||||
}
|
||||
|
||||
#[utoipa::path(
|
||||
post,
|
||||
path = "/v1/send",
|
||||
responses(
|
||||
(status = 200, description = "Sends a message to itself through the mixnet", body = String),
|
||||
)
|
||||
)]
|
||||
pub async fn send_handler(State(state): State<AppState>) -> Result<String, StatusCode> {
|
||||
send_receive_mixnet(state).await
|
||||
}
|
||||
|
||||
#[utoipa::path(
|
||||
get,
|
||||
path = "/v1/mermaid",
|
||||
responses(
|
||||
(status = 200, description = "Returns entire tested network graph in `mermaid` format", body = String),
|
||||
)
|
||||
)]
|
||||
pub async fn mermaid_handler() -> Result<String, StatusCode> {
|
||||
let account = NetworkAccount::finalize().map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
|
||||
let mut mermaid = String::new();
|
||||
mermaid.push_str("flowchart LR;\n");
|
||||
for route in account.complete_routes() {
|
||||
mermaid.push_str(
|
||||
route
|
||||
.iter()
|
||||
.map(|n| n.to_string())
|
||||
.collect::<Vec<String>>()
|
||||
.join("-->")
|
||||
.as_str(),
|
||||
);
|
||||
mermaid.push('\n')
|
||||
}
|
||||
for route in account.incomplete_routes() {
|
||||
mermaid.push_str(
|
||||
route
|
||||
.iter()
|
||||
.map(|n| n.to_string())
|
||||
.collect::<Vec<String>>()
|
||||
.join("-- ❌ -->")
|
||||
.as_str(),
|
||||
);
|
||||
mermaid.push('\n')
|
||||
}
|
||||
Ok(mermaid)
|
||||
}
|
||||
|
||||
async fn send_receive_mixnet(state: AppState) -> Result<String, StatusCode> {
|
||||
let msg: String = rand::thread_rng()
|
||||
.sample_iter(&Alphanumeric)
|
||||
.take(32)
|
||||
.map(char::from)
|
||||
.collect();
|
||||
let sent_msg = msg.clone();
|
||||
|
||||
let client = {
|
||||
let mut clients = state.clients().write().await;
|
||||
if let Some(client) = clients.make_contiguous().choose(&mut rand::thread_rng()) {
|
||||
Arc::clone(client)
|
||||
} else {
|
||||
error!("No clients currently available");
|
||||
return Err(StatusCode::INTERNAL_SERVER_ERROR);
|
||||
}
|
||||
};
|
||||
|
||||
let recv = Arc::clone(&client);
|
||||
let sender = Arc::clone(&client);
|
||||
|
||||
let recv_handle = tokio::spawn(async move {
|
||||
match timeout(
|
||||
Duration::from_secs(*MIXNET_TIMEOUT.get().expect("Set at the begining")),
|
||||
recv.write().await.next(),
|
||||
)
|
||||
.await
|
||||
{
|
||||
Ok(Some(received)) => {
|
||||
debug!("Received: {}", String::from_utf8_lossy(&received.message));
|
||||
}
|
||||
Ok(None) => debug!("No message received"),
|
||||
Err(e) => warn!("Failed to receive message: {e}"),
|
||||
}
|
||||
});
|
||||
|
||||
let send_handle = tokio::spawn(async move {
|
||||
let mixnet_sender = sender.read().await.split_sender();
|
||||
let our_address = *sender.read().await.nym_address();
|
||||
match timeout(
|
||||
Duration::from_secs(5),
|
||||
mixnet_sender.send_plain_message(our_address, &msg),
|
||||
)
|
||||
.await
|
||||
{
|
||||
Ok(_) => debug!("Sent message: {msg}"),
|
||||
Err(e) => warn!("Failed to send message: {e}"),
|
||||
};
|
||||
});
|
||||
|
||||
let results = futures::future::join_all(vec![send_handle, recv_handle]).await;
|
||||
for result in results {
|
||||
match result {
|
||||
Ok(_) => {}
|
||||
Err(e) => {
|
||||
error!("Failed to send/receive message: {e}");
|
||||
return Err(StatusCode::INTERNAL_SERVER_ERROR);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Ok(sent_msg)
|
||||
}
|
||||
|
||||
fn generate_dot(mix_id: Option<u32>) -> Result<String, StatusCode> {
|
||||
let account = NetworkAccount::finalize().map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
|
||||
let mut nodes = HashSet::new();
|
||||
let mut edges: Vec<(u32, u32)> = vec![];
|
||||
let mut broken_edges: Vec<(u32, u32)> = vec![];
|
||||
|
||||
let mix_id = mix_id.unwrap_or(0);
|
||||
|
||||
for route in account.complete_routes().iter() {
|
||||
if mix_id == 0 || route.contains(&mix_id) {
|
||||
for window in route.windows(2) {
|
||||
nodes.insert(window[0]);
|
||||
nodes.insert(window[1]);
|
||||
edges.push((window[0], window[1]));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for route in account.incomplete_routes().iter() {
|
||||
if mix_id == 0 || route.contains(&mix_id) {
|
||||
for window in route.windows(2) {
|
||||
nodes.insert(window[0]);
|
||||
nodes.insert(window[1]);
|
||||
broken_edges.push((window[0], window[1]));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
let mut graph = Graph::new();
|
||||
|
||||
let node_indices: HashMap<u32, _> = nodes
|
||||
.iter()
|
||||
.map(|node| (*node, graph.add_node(*node)))
|
||||
.collect();
|
||||
|
||||
for (from, to) in edges {
|
||||
graph.add_edge(node_indices[&from], node_indices[&to], "");
|
||||
}
|
||||
|
||||
for (from, to) in broken_edges {
|
||||
graph.add_edge(node_indices[&from], node_indices[&to], "❌");
|
||||
}
|
||||
|
||||
let dot = Dot::new(&graph);
|
||||
Ok(dot.to_string())
|
||||
}
|
||||
@@ -1,94 +0,0 @@
|
||||
use crate::accounting::{NetworkAccount, NetworkAccountStats, NodeStats};
|
||||
use crate::handlers::{
|
||||
accounting_handler, all_nodes_stats_handler, graph_handler, mermaid_handler, mix_dot_handler,
|
||||
node_stats_handler, recv_handler, send_handler, sent_handler, stats_handler, FragmentsReceived,
|
||||
FragmentsSent,
|
||||
};
|
||||
use axum::routing::{get, post};
|
||||
use axum::Router;
|
||||
use log::info;
|
||||
use nym_sphinx::chunking::fragment::FragmentHeader;
|
||||
use nym_sphinx::chunking::{ReceivedFragment, SentFragment};
|
||||
use std::net::SocketAddr;
|
||||
use tokio_util::sync::CancellationToken;
|
||||
use utoipa::OpenApi;
|
||||
use utoipa_swagger_ui::SwaggerUi;
|
||||
|
||||
use crate::ClientsWrapper;
|
||||
|
||||
pub struct HttpServer {
|
||||
listener: SocketAddr,
|
||||
cancel: CancellationToken,
|
||||
}
|
||||
|
||||
#[derive(OpenApi)]
|
||||
#[openapi(
|
||||
paths(
|
||||
crate::handlers::accounting_handler,
|
||||
crate::handlers::graph_handler,
|
||||
crate::handlers::mermaid_handler,
|
||||
crate::handlers::mix_dot_handler,
|
||||
crate::handlers::node_stats_handler,
|
||||
crate::handlers::recv_handler,
|
||||
crate::handlers::send_handler,
|
||||
crate::handlers::sent_handler,
|
||||
crate::handlers::all_nodes_stats_handler,
|
||||
),
|
||||
components(schemas(
|
||||
FragmentHeader,
|
||||
FragmentsReceived,
|
||||
FragmentsSent,
|
||||
NetworkAccount,
|
||||
NetworkAccountStats,
|
||||
NodeStats,
|
||||
ReceivedFragment,
|
||||
SentFragment,
|
||||
))
|
||||
)]
|
||||
struct ApiDoc;
|
||||
|
||||
#[derive(Clone)]
|
||||
pub struct AppState {
|
||||
clients: ClientsWrapper,
|
||||
}
|
||||
|
||||
impl AppState {
|
||||
pub fn clients(&self) -> &ClientsWrapper {
|
||||
&self.clients
|
||||
}
|
||||
}
|
||||
|
||||
impl HttpServer {
|
||||
pub fn new(listener: SocketAddr, cancel: CancellationToken) -> Self {
|
||||
HttpServer { listener, cancel }
|
||||
}
|
||||
|
||||
pub async fn run(self, clients: ClientsWrapper) -> anyhow::Result<()> {
|
||||
let n_clients = clients.read().await.len();
|
||||
let state = AppState { clients };
|
||||
let app = Router::new()
|
||||
.route("/v1/send", post(send_handler).with_state(state))
|
||||
.merge(SwaggerUi::new("/v1/ui").url("/v1/docs/openapi.json", ApiDoc::openapi()))
|
||||
.route("/v1/accounting", get(accounting_handler))
|
||||
.route("/v1/sent", get(sent_handler))
|
||||
.route("/v1/dot/:mix_id", get(mix_dot_handler))
|
||||
.route("/v1/dot", get(graph_handler))
|
||||
.route("/v1/mermaid", get(mermaid_handler))
|
||||
.route("/v1/stats", get(stats_handler))
|
||||
.route("/v1/node_stats/:mix_id", get(node_stats_handler))
|
||||
.route("/v1/node_stats", get(all_nodes_stats_handler))
|
||||
.route("/v1/received", get(recv_handler));
|
||||
let listener = tokio::net::TcpListener::bind(self.listener).await?;
|
||||
|
||||
let server_future =
|
||||
axum::serve(listener, app).with_graceful_shutdown(self.cancel.cancelled_owned());
|
||||
|
||||
info!("##########################################################################################");
|
||||
info!("######################### HTTP server running, with {} clients ############################################", n_clients);
|
||||
info!("##########################################################################################");
|
||||
|
||||
server_future.await?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
@@ -1,214 +0,0 @@
|
||||
use crate::http::HttpServer;
|
||||
use accounting::submit_metrics;
|
||||
use anyhow::Result;
|
||||
use clap::Parser;
|
||||
use log::{info, warn};
|
||||
use nym_crypto::asymmetric::ed25519::PrivateKey;
|
||||
use nym_network_defaults::setup_env;
|
||||
use nym_network_defaults::var_names::NYM_API;
|
||||
use nym_sdk::mixnet::{self, MixnetClient};
|
||||
use nym_topology::{HardcodedTopologyProvider, NymTopology};
|
||||
use std::fs::File;
|
||||
use std::io::Write;
|
||||
use std::sync::LazyLock;
|
||||
use std::time::Duration;
|
||||
use std::{
|
||||
collections::VecDeque,
|
||||
net::{IpAddr, Ipv4Addr, SocketAddr},
|
||||
str::FromStr,
|
||||
sync::Arc,
|
||||
};
|
||||
use tokio::sync::OnceCell;
|
||||
use tokio::{signal::ctrl_c, sync::RwLock};
|
||||
use tokio_util::sync::CancellationToken;
|
||||
|
||||
static NYM_API_URL: LazyLock<String> = LazyLock::new(|| {
|
||||
std::env::var(NYM_API).unwrap_or_else(|_| panic!("{} env var not set", NYM_API))
|
||||
});
|
||||
|
||||
static MIXNET_TIMEOUT: OnceCell<u64> = OnceCell::const_new();
|
||||
static TOPOLOGY: OnceCell<NymTopology> = OnceCell::const_new();
|
||||
static PRIVATE_KEY: OnceCell<PrivateKey> = OnceCell::const_new();
|
||||
|
||||
mod accounting;
|
||||
mod handlers;
|
||||
mod http;
|
||||
|
||||
/// Simple program to greet a person
|
||||
pub type ClientsWrapper = Arc<RwLock<VecDeque<Arc<RwLock<MixnetClient>>>>>;
|
||||
|
||||
async fn make_clients(
|
||||
clients: ClientsWrapper,
|
||||
n_clients: usize,
|
||||
lifetime: u64,
|
||||
topology: NymTopology,
|
||||
) {
|
||||
loop {
|
||||
let spawned_clients = clients.read().await.len();
|
||||
info!("Currently spawned clients: {}", spawned_clients);
|
||||
// If we have enough clients, sleep for a minute and remove the oldest one
|
||||
if spawned_clients >= n_clients {
|
||||
info!("New client will be spawned in {} seconds", lifetime);
|
||||
tokio::time::sleep(tokio::time::Duration::from_secs(lifetime)).await;
|
||||
info!("Removing oldest client");
|
||||
if let Some(dropped_client) = clients.write().await.pop_front() {
|
||||
loop {
|
||||
if Arc::strong_count(&dropped_client) == 1 {
|
||||
if let Some(client) = Arc::into_inner(dropped_client) {
|
||||
client.into_inner().disconnect().await;
|
||||
} else {
|
||||
warn!("Failed to drop client, client had more then one strong ref")
|
||||
}
|
||||
break;
|
||||
}
|
||||
info!("Client still in use, waiting 2 seconds");
|
||||
tokio::time::sleep(tokio::time::Duration::from_secs(2)).await;
|
||||
}
|
||||
}
|
||||
}
|
||||
info!("Spawning new client");
|
||||
let client = match make_client(topology.clone()).await {
|
||||
Ok(client) => client,
|
||||
Err(err) => {
|
||||
warn!("{}, moving on", err);
|
||||
continue;
|
||||
}
|
||||
};
|
||||
clients
|
||||
.write()
|
||||
.await
|
||||
.push_back(Arc::new(RwLock::new(client)));
|
||||
}
|
||||
}
|
||||
|
||||
async fn make_client(topology: NymTopology) -> Result<MixnetClient> {
|
||||
let net = mixnet::NymNetworkDetails::new_from_env();
|
||||
let topology_provider = Box::new(HardcodedTopologyProvider::new(topology));
|
||||
let mixnet_client = mixnet::MixnetClientBuilder::new_ephemeral()
|
||||
.network_details(net)
|
||||
.custom_topology_provider(topology_provider)
|
||||
// .enable_credentials_mode()
|
||||
.build()?;
|
||||
|
||||
let client = mixnet_client.connect_to_mixnet().await?;
|
||||
Ok(client)
|
||||
}
|
||||
|
||||
#[derive(Parser, Debug)]
|
||||
#[command(version, about, long_about = None)]
|
||||
struct Args {
|
||||
/// Number of clients to spawn
|
||||
#[arg(short = 'C', long = "clients", default_value_t = 10)]
|
||||
n_clients: usize,
|
||||
|
||||
/// Lifetime of each client in seconds
|
||||
#[arg(short = 'T', long, default_value_t = 60)]
|
||||
client_lifetime: u64,
|
||||
|
||||
/// Port to listen on
|
||||
#[arg(long, default_value_t = 8080)]
|
||||
port: u16,
|
||||
|
||||
/// Host to listen on
|
||||
#[arg(long, default_value = "127.0.0.1")]
|
||||
host: String,
|
||||
|
||||
/// Path to the topology file
|
||||
#[arg(short, long, default_value = None)]
|
||||
topology: Option<String>,
|
||||
|
||||
/// Path to the environment file
|
||||
#[arg(short, long, default_value = None)]
|
||||
env: Option<String>,
|
||||
|
||||
#[arg(short, long, default_value_t = 10)]
|
||||
mixnet_timeout: u64,
|
||||
|
||||
#[arg(long, default_value_t = false)]
|
||||
generate_key_pair: bool,
|
||||
|
||||
#[arg(long)]
|
||||
private_key: String,
|
||||
}
|
||||
|
||||
fn generate_key_pair() -> Result<()> {
|
||||
let mut rng = rand::thread_rng();
|
||||
let keypair = nym_crypto::asymmetric::identity::KeyPair::new(&mut rng);
|
||||
|
||||
let mut public_key_file = File::create("network-monitor-public")?;
|
||||
public_key_file.write_all(keypair.public_key().to_base58_string().as_bytes())?;
|
||||
|
||||
let mut private_key_file = File::create("network-monitor-private")?;
|
||||
private_key_file.write_all(keypair.private_key().to_base58_string().as_bytes())?;
|
||||
|
||||
info!("Generated keypair, public key to 'network-monitor-public', and private key to 'network-monitor-private', public key should be whitelisted with the nym-api");
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[tokio::main]
|
||||
async fn main() -> Result<()> {
|
||||
nym_bin_common::logging::setup_logging();
|
||||
|
||||
let args = Args::parse();
|
||||
|
||||
setup_env(args.env); // Defaults to mainnet if empty
|
||||
|
||||
let cancel_token = CancellationToken::new();
|
||||
let server_cancel_token = cancel_token.clone();
|
||||
let clients = Arc::new(RwLock::new(VecDeque::with_capacity(args.n_clients)));
|
||||
|
||||
if args.generate_key_pair {
|
||||
generate_key_pair()?;
|
||||
std::process::exit(0);
|
||||
}
|
||||
|
||||
let pk = PrivateKey::from_base58_string(&args.private_key)?;
|
||||
PRIVATE_KEY.set(pk).ok();
|
||||
|
||||
TOPOLOGY
|
||||
.set(if let Some(topology_file) = args.topology {
|
||||
NymTopology::new_from_file(topology_file)?
|
||||
} else {
|
||||
NymTopology::new_from_env().await?
|
||||
})
|
||||
.ok();
|
||||
|
||||
MIXNET_TIMEOUT.set(args.mixnet_timeout).ok();
|
||||
|
||||
let spawn_clients = Arc::clone(&clients);
|
||||
tokio::spawn(make_clients(
|
||||
spawn_clients,
|
||||
args.n_clients,
|
||||
args.client_lifetime,
|
||||
TOPOLOGY.get().expect("Topology not set yet!").clone(),
|
||||
));
|
||||
|
||||
let server_handle = tokio::spawn(async move {
|
||||
let socket = SocketAddr::new(IpAddr::V4(Ipv4Addr::from_str(&args.host)?), args.port);
|
||||
let server = HttpServer::new(socket, server_cancel_token);
|
||||
server.run(clients).await
|
||||
});
|
||||
|
||||
info!("Waiting for message (ctrl-c to exit)");
|
||||
|
||||
loop {
|
||||
match tokio::time::timeout(Duration::from_secs(600), ctrl_c()).await {
|
||||
Ok(_) => {
|
||||
info!("Received kill signal, shutting down, submitting final batch of metrics");
|
||||
submit_metrics().await?;
|
||||
break;
|
||||
}
|
||||
Err(_) => {
|
||||
info!("Submitting metrics, cleaning metric buffers");
|
||||
submit_metrics().await?;
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
cancel_token.cancel();
|
||||
|
||||
server_handle.await??;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
@@ -625,8 +625,7 @@ where
|
||||
///
|
||||
/// - If the client is already registered with a gateway, use that gateway.
|
||||
/// - If no gateway is registered, but there is an existing configuration and key, use that.
|
||||
/// - If no gateway is registered, and there is no pre-existing configuration or key, try to
|
||||
/// register a new gateway.
|
||||
/// - If no gateway is registered, and there is no pre-existing configuration or key, try to register a new gateway.
|
||||
///
|
||||
/// # Example
|
||||
///
|
||||
@@ -706,8 +705,7 @@ where
|
||||
///
|
||||
/// - If the client is already registered with a gateway, use that gateway.
|
||||
/// - If no gateway is registered, but there is an existing configuration and key, use that.
|
||||
/// - If no gateway is registered, and there is no pre-existing configuration or key, try to
|
||||
/// register a new gateway.
|
||||
/// - If no gateway is registered, and there is no pre-existing configuration or key, try to register a new gateway.
|
||||
///
|
||||
/// # Example
|
||||
///
|
||||
@@ -729,8 +727,7 @@ where
|
||||
let (mut started_client, nym_address) = self.connect_to_mixnet_common().await?;
|
||||
let client_input = started_client.client_input.register_producer();
|
||||
let mut client_output = started_client.client_output.register_consumer();
|
||||
let client_state: nym_client_core::client::base_client::ClientState =
|
||||
started_client.client_state;
|
||||
let client_state = started_client.client_state;
|
||||
|
||||
let identity_keys = started_client.identity_keys.clone();
|
||||
let reconstructed_receiver = client_output.register_receiver()?;
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
// Copyright 2024 - Nym Technologies SA <contact@nymtech.net>
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
use std::{net::IpAddr, path::Path, time::SystemTime};
|
||||
use std::path::Path;
|
||||
|
||||
use futures::channel::oneshot;
|
||||
use ipnetwork::IpNetwork;
|
||||
@@ -31,7 +31,6 @@ pub struct Authenticator {
|
||||
custom_topology_provider: Option<Box<dyn TopologyProvider + Send + Sync>>,
|
||||
custom_gateway_transceiver: Option<Box<dyn GatewayTransceiver + Send + Sync>>,
|
||||
wireguard_gateway_data: WireguardGatewayData,
|
||||
used_private_network_ips: Vec<IpAddr>,
|
||||
response_rx: UnboundedReceiver<PeerControlResponse>,
|
||||
shutdown: Option<TaskClient>,
|
||||
on_start: Option<oneshot::Sender<OnStartData>>,
|
||||
@@ -41,7 +40,6 @@ impl Authenticator {
|
||||
pub fn new(
|
||||
config: Config,
|
||||
wireguard_gateway_data: WireguardGatewayData,
|
||||
used_private_network_ips: Vec<IpAddr>,
|
||||
response_rx: UnboundedReceiver<PeerControlResponse>,
|
||||
) -> Self {
|
||||
Self {
|
||||
@@ -50,7 +48,6 @@ impl Authenticator {
|
||||
custom_topology_provider: None,
|
||||
custom_gateway_transceiver: None,
|
||||
wireguard_gateway_data,
|
||||
used_private_network_ips,
|
||||
response_rx,
|
||||
shutdown: None,
|
||||
on_start: None,
|
||||
@@ -131,26 +128,13 @@ impl Authenticator {
|
||||
|
||||
let self_address = *mixnet_client.nym_address();
|
||||
|
||||
let used_private_network_ips =
|
||||
std::collections::BTreeSet::from_iter(self.used_private_network_ips.iter());
|
||||
let private_ip_network = IpNetwork::new(
|
||||
self.config.authenticator.private_ip,
|
||||
self.config.authenticator.private_network_prefix,
|
||||
)?;
|
||||
let now = SystemTime::now();
|
||||
let free_private_network_ips = private_ip_network
|
||||
.iter()
|
||||
.map(|ip| {
|
||||
if used_private_network_ips.contains(&ip) {
|
||||
(ip, Some(now))
|
||||
} else {
|
||||
(ip, None)
|
||||
}
|
||||
})
|
||||
.collect();
|
||||
let mixnet_listener = crate::mixnet_listener::MixnetListener::new(
|
||||
self.config,
|
||||
free_private_network_ips,
|
||||
private_ip_network,
|
||||
self.wireguard_gateway_data,
|
||||
self.response_rx,
|
||||
mixnet_client,
|
||||
|
||||
@@ -55,7 +55,7 @@ pub(crate) async fn execute(args: &Run) -> Result<(), AuthenticatorError> {
|
||||
handler.run().await;
|
||||
});
|
||||
let mut server =
|
||||
nym_authenticator::Authenticator::new(config, wireguard_gateway_data, vec![], response_rx);
|
||||
nym_authenticator::Authenticator::new(config, wireguard_gateway_data, response_rx);
|
||||
if let Some(custom_mixnet) = &args.common_args.custom_mixnet {
|
||||
server = server.with_stored_topology(custom_mixnet)?
|
||||
}
|
||||
|
||||
@@ -8,6 +8,7 @@ use std::{
|
||||
|
||||
use crate::{error::AuthenticatorError, peer_manager::PeerManager};
|
||||
use futures::StreamExt;
|
||||
use ipnetwork::IpNetwork;
|
||||
use nym_authenticator_requests::v1::{
|
||||
self,
|
||||
request::{AuthenticatorRequest, AuthenticatorRequestData},
|
||||
@@ -66,7 +67,7 @@ pub(crate) struct MixnetListener {
|
||||
impl MixnetListener {
|
||||
pub fn new(
|
||||
config: Config,
|
||||
free_private_network_ips: PrivateIPs,
|
||||
private_ip_network: IpNetwork,
|
||||
wireguard_gateway_data: WireguardGatewayData,
|
||||
response_rx: UnboundedReceiver<PeerControlResponse>,
|
||||
mixnet_client: nym_sdk::mixnet::MixnetClient,
|
||||
@@ -74,6 +75,7 @@ impl MixnetListener {
|
||||
) -> Self {
|
||||
let timeout_check_interval =
|
||||
IntervalStream::new(tokio::time::interval(DEFAULT_REGISTRATION_TIMEOUT_CHECK));
|
||||
let free_private_network_ips = private_ip_network.iter().map(|ip| (ip, None)).collect();
|
||||
MixnetListener {
|
||||
config,
|
||||
mixnet_client,
|
||||
|
||||
@@ -176,7 +176,7 @@ impl DaemonLauncher {
|
||||
info!("it finished with the following exit status: {exit_status}");
|
||||
return Ok(false)
|
||||
}
|
||||
event = self.upgrade_plan_watcher.next() => {
|
||||
event = &mut self.upgrade_plan_watcher.next() => {
|
||||
let Some(event) = event else {
|
||||
// this is a critical failure since the file watcher task should NEVER terminate by itself
|
||||
error!("CRITICAL FAILURE: the upgrade plan watcher channel got closed");
|
||||
|
||||
Reference in New Issue
Block a user