Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ODIS 2.0.0 #9693

Merged
merged 229 commits into from
Oct 27, 2022
Merged

ODIS 2.0.0 #9693

merged 229 commits into from
Oct 27, 2022

Conversation

alecps
Copy link
Contributor

@alecps alecps commented Jul 21, 2022
edited
Loading

Description

  • Implements CIP40, which extends ODIS to support "domain" specific queries. A domain is a struct which specifies rate limiting information and uniquely identifies the context of the secret to be hashed. This enables granular rate limiting with the goal of hardening passwords for use as encryption keys in the PEAR Account Recovery protocol, as well as other future use cases.
  • Adds support for a new on-chain payment based rate limit to ODIS, to enable more seamless onboarding in the Federated Attestations identity protocol (ASv2). For sequence diagrams and technical details on how ODIS fits into ASv2, please refer to the ASv2 User Flows doc.
  • This is a major refactor of ODIS that introduces a new class structure (+ dependency injection) to maximize code reuse and modularity across both the ASv2 and PEAR use cases. The following diagram gives a rough illustration of how the main classes fit together.

Other changes

  • Adds io-ts type safety checks for all incoming requests and responses throughout the codebase
  • Adds support for multiple key versions and key rotations
  • Adds support for ODIS to be queried by web clients
  • Deletes legacy matchmaking code from the combiner, common package, and SDK
  • Adds support for querying a user's remaining quota (based off on-chain payments) to both the combiner and identity SDK

Tested

  • Adds integration tests that utilize in-memory nodes and databases to easily test the system's end-to-end behavior without requiring a deployment.
  • Adds unit tests for critical rate limiting, key versioning and monitoring functionality
  • Enforces new code coverage requirements in CI
  • DOES NOT add new e2e tests. These will be added in a subsequent PR that will be written while deploying and testing against our staging environment.

Backwards compatibility

  • The Signer is backwards compatible, but the Combiner is not. Signers must be upgraded before the Combiner.
  • SDK changes are not backwards compatible with old versions of ODIS. The SDK should be released after ODIS is upgraded.

Documentation

  • Signer README is updated with key-rotation instructions
  • All other relevant documentation linked above
  • There's an ongoing epic to develop client-facing tooling and documentation for ASv2

alecps and others added 30 commits January 11, 2022 16:52
@alecps
env file changes
1aa179c
@alecps
package version changes
180330c
@alecps
celotool and helm changes for key rotation
91df988
@alecps
signer README changes
c6eeb99
@alecps
signer logger changes
e4942b5
@alecps
signer key management changes
62bc7b1
@alecps
signer key management test changes
4ec29ea
@alecps
signer domain test changes
0ed28ca
@alecps
combiner test changes
bb28438
@alecps
common package changes
59547e6
@alecps
combiner changes
693a52a
@alecps
signer domain changes
0870f7f
@alecps
split combiner and signer endpoints
7597333
@alecps
fix endpoints import statements
d97ec73
@alecps
fix error
4f7b55a
@alecps
add domain endpoint signatures to combiner
15ae632
@alecps
change error auth error message
55eabf0
@alecps
fix response type error in combiner
cd065a6
@alecps
Merge branch 'master' of github.com:celo-org/celo-monorepo into alecp…
d28197f 
…s/odisCip40
@alecps
commit small changes made during review (#9175)
6fda106 
Co-authored-by: Alec Schaefer <alec@cLabs.co>
@alecps
Merge branch 'alecps/odisCip40' of github.com:celo-org/celo-monorepo …
6940f13 
…into alecps/odisCip40
@alecps
change endpoints to endpoint
8eacd3c
@alecps
fix import error
8c6ce2e
@alecps
add crypto client constructor
59560a5
@alecps
fix incorrect endpoint
1caf22f
@alecps
fix nonce check
58fe161
@alecps
add domain-disable
347b83c
@alecps
start domain-quota-status
2b5b988
@alecps
add new errors to common
1effb78
@alecps
add domainRequest table
d120bcc
@alecps alecps requested review from eelanagaraj and removed request for a team and jcortejoso October 21, 2022 17:02
eelanagaraj and others added 2 commits October 21, 2022 14:20
@eelanagaraj
Add enable config parameter for legacy PNP signer endpoints (#9967)
e9601d4 
* Add separate enable config value for legacy PNP signer endpoint

* Driveby change: remove unnecessary jest line from test utils

* Add legacy enabled param to celotool and helm charts

* Remove rpc-wallet dep
@aaronmgdr
Enable direct web-app --> ODIS interactions (#9968)
d206527 
* enable cross origin resource sharing from any domain so odis can be interacted with from web apps

* explictly enable OPTIONS (and other methods)

* use arrow function as its required by lint config
nategraf
nategraf approved these changes Oct 22, 2022
View reviewed changes
Copy link
Contributor

@nategraf nategraf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I love the huge improvements to ODIS being made in this PR. This really is the culmination of a lot of work to improve the quality, safety, and maintainability of this service. Very excited to have this PR merged at last!

I didn't have time to do the kind of through review I usually like to do, but I did leave some comments where I could. I had a number of comments about minor issues around coding practices. I think it's time this PR be merged so the intention is not to require refactoring. I decided to leave the comments anyway because it might be useful for future work.

I did have a couple of questions around quota accounting. In particular, the fail open mechanism is still something I understand pragmatically, but always gives me pause. I left a thought on whether we could install a mitigation for by having the system "circuit break" at some number of failed open requests.

I think we may have talked about this before, but is the intention with the legacy and on-chain payment versions of quota accounting to shut down the legacy version in the near future? If so, I wish you god speed in doing so.

packages/phone-number-privacy/combiner/src/common/combine.ts Show resolved Hide resolved
packages/phone-number-privacy/combiner/src/common/combine.ts Outdated Show resolved Hide resolved
packages/phone-number-privacy/combiner/src/common/combine.ts Show resolved Hide resolved
packages/phone-number-privacy/combiner/src/common/crypto-clients/crypto-client.ts Outdated Show resolved Hide resolved
packages/phone-number-privacy/combiner/src/common/crypto-clients/domain-crypto-client.ts Show resolved Hide resolved
packages/phone-number-privacy/combiner/src/index.ts Show resolved Hide resolved
packages/phone-number-privacy/combiner/src/pnp/endpoints/sign/action.ts Show resolved Hide resolved
packages/phone-number-privacy/combiner/src/pnp/services/threshold-state.ts Show resolved Hide resolved
packages/phone-number-privacy/signer/src/pnp/endpoints/sign/action.ts Show resolved Hide resolved
packages/phone-number-privacy/signer/src/pnp/services/quota.ts Show resolved Hide resolved
alecps and others added 6 commits October 24, 2022 09:53
@alecps @aaronmgdr
Update packages/phone-number-privacy/combiner/src/server.ts
1b554e0 
Co-authored-by: Aaron DeRuvo <aaron@clabs.co>
@alecps @eelanagaraj
Update packages/phone-number-privacy/signer/README.md
f1e2756 
Co-authored-by: Eela Nagaraj <7308464+eelanagaraj@users.noreply.github.com>
@alecps @isabellewei
Update packages/phone-number-privacy/combiner/src/server.ts
ff281c0 
Co-authored-by: isabellewei <isabelle@clabs.co>
@eelanagaraj @aaronmgdr
Respond to some review comments and merge master (#9972)
ce94884 
* 2.3.0  (#9944)

* 2.3.0 Beta 1

* catch require module not found errors   (#9949)

* catch require module not found errors :)

* Beta 2

* 2.3.0 gold

* Fix bug with shouldFailOpen param flag

* Tiny nits

* Fix merge errors with OdisPayments

* Run prettify

* Fix CLI tests

Co-authored-by: Aaron DeRuvo <aaron@clabs.co>
@alecps
"Accept all current" Merge branch 'master' of github.com:celo-org/cel…
010429b 
…o-monorepo into odisCip40
@alecps
deletes all matchmaking code (#9974)
0affcff 
* deletes all matchmaking code

* deletes matchmaking sdk code

* fixes error
@eelanagaraj eelanagaraj mentioned this pull request Sep 28, 2023
Closed
eelanagaraj and others added 5 commits October 25, 2022 14:02
@eelanagaraj
ODIS 2.0 PR fixes 2 (#9975)
fe4d87f 
* Rename combinePartialBlindedSignatures -> combineBlindedSignatureShares

* Bump line coverage to 80 and remove TODO

* Small error handling additions

* Change distribute return type to void

* Fix CI issues with flake tracking
@alecps
Merge branch 'master' into odisCip40
f78dad6
@alecps
cleans up TODOs
baaad5e
@alecps
sets default shouldFailOpen to false, updates default query price to …
05bdb44 
…match original rate limit target
@alecps
fixes tests
f0204fe
@alecps alecps merged commit 6a146db into master Oct 27, 2022
@alecps alecps deleted the odisCip40 branch October 27, 2022 05:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@isabellewei isabellewei isabellewei left review comments

@eelanagaraj eelanagaraj eelanagaraj left review comments

@aaronmgdr aaronmgdr aaronmgdr left review comments

@nategraf nategraf nategraf approved these changes

Assignees
No one assigned
Labels
ASv2 Component: Account Recovery Component: ODIS ODIS 2.0.0
Projects
🔖 Identity - Team
Status:  Closed
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@alecps @aaronmgdr @nategraf @eelanagaraj @isabellewei