From cdc9638ac1256f8a5305adb2f50a188de8874a0f Mon Sep 17 00:00:00 2001
From: Piotr Galar
Date: Fri, 13 Sep 2024 19:18:30 +0200
Subject: [PATCH 1/2] chore: parameterise s3 build cache setup (#5586)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As we're setting up a new cache bucket, we'd like to be able to control its' configuration via GitHub vars/secrets fully. FYI, the secrets are not set up yet.

---------

Co-authored-by: João Oliveira
Co-authored-by: Guillaume Michel
---
.github/workflows/docker-image.yml | 8 +-------
.github/workflows/interop-test.yml | 17 +++++++++--------
scripts/build-interop-image.sh | 4 ++--
3 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 21863d0ed39..5cbfc20d69d 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -6,7 +6,6 @@ on:
- 'master'
tags:
- 'libp2p-server-**'
- pull_request:
jobs:
server:
@@ -34,11 +33,6 @@ jobs:
with:
context: .
file: ./misc/server/Dockerfile
- push: ${{ ! github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' }} # Only push image if we have the required permissions, i.e. not running from a fork
- cache-from: ${{ ! github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && type=s3,mode=max,bucket=libp2p-by-tf-aws-bootstrap,region=us-east-1,prefix=buildCache,name=rust-libp2p-server }}
- cache-to: ${{ ! github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && type=s3,mode=max,bucket=libp2p-by-tf-aws-bootstrap,region=us-east-1,prefix=buildCache,name=rust-libp2p-server }}
+ push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- env:
- AWS_ACCESS_KEY_ID: ${{ vars.TEST_PLANS_BUILD_CACHE_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.TEST_PLANS_BUILD_CACHE_KEY }}
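Review bot: The server image build loses its S3 build cache entirely in the second hunk: `cache-from`, `cache-to` and the `env` credentials are deleted rather than switched to the `vars.S3_LIBP2P_BUILD_CACHE_*` / `secrets.S3_LIBP2P_BUILD_CACHE_*` names that interop-test.yml adopts in the same commit, while the commit message only speaks of parameterising the cache. If dropping the cache for this image is intended, the description should say so; otherwise keep it under the new names, e.g. `cache-from: type=s3,mode=max,bucket=${{ vars.S3_LIBP2P_BUILD_CACHE_BUCKET_NAME }},region=us-east-1,prefix=buildCache,name=rust-libp2p-server` with the matching `cache-to` and `env` block. Removing `pull_request:` from the trigger in the first hunk does make the unconditional `push: true` safe (no fork or dependabot run can reach it), but it also means the server Dockerfile is no longer built on pull requests, so a broken Dockerfile is first noticed on `master`; a `pull_request` path with `push: false` would retain that check. The `jobs.server` step list starts and ends outside the hunk.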
diff --git a/.github/workflows/interop-test.yml b/.github/workflows/interop-test.yml
index f3950897089..1d70ca2eaee 100644
--- a/.github/workflows/interop-test.yml
+++ b/.github/workflows/interop-test.yml
@@ -24,8 +24,9 @@ jobs:
- name: Build ${{ matrix.flavour }} image
run: ./scripts/build-interop-image.sh
env:
- AWS_ACCESS_KEY_ID: ${{ vars.TEST_PLANS_BUILD_CACHE_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.TEST_PLANS_BUILD_CACHE_KEY }}
+ AWS_BUCKET_NAME: ${{ vars.S3_LIBP2P_BUILD_CACHE_BUCKET_NAME }}
+ AWS_ACCESS_KEY_ID: ${{ vars.S3_LIBP2P_BUILD_CACHE_AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.S3_LIBP2P_BUILD_CACHE_AWS_SECRET_ACCESS_KEY }}
FLAVOUR: ${{ matrix.flavour }}
- name: Run ${{ matrix.flavour }} tests
@@ -33,9 +34,9 @@ jobs:
with:
test-filter: ${{ matrix.flavour }}-rust-libp2p-head
extra-versions: ${{ github.workspace }}/interop-tests/${{ matrix.flavour }}-ping-version.json
- s3-cache-bucket: libp2p-by-tf-aws-bootstrap
- s3-access-key-id: ${{ vars.TEST_PLANS_BUILD_CACHE_KEY_ID }}
- s3-secret-access-key: ${{ secrets.TEST_PLANS_BUILD_CACHE_KEY }}
+ s3-cache-bucket: ${{ vars.S3_LIBP2P_BUILD_CACHE_BUCKET_NAME }}
+ s3-access-key-id: ${{ vars.S3_LIBP2P_BUILD_CACHE_AWS_ACCESS_KEY_ID }}
+ s3-secret-access-key: ${{ secrets.S3_LIBP2P_BUILD_CACHE_AWS_SECRET_ACCESS_KEY }}
worker-count: 16
run-holepunching-interop:
name: Run hole-punch interoperability tests
@@ -50,7 +51,7 @@ jobs:
with:
test-filter: rust-libp2p-head
extra-versions: ${{ github.workspace }}/hole-punching-tests/version.json
- s3-cache-bucket: libp2p-by-tf-aws-bootstrap
- s3-access-key-id: ${{ vars.TEST_PLANS_BUILD_CACHE_KEY_ID }}
- s3-secret-access-key: ${{ secrets.TEST_PLANS_BUILD_CACHE_KEY }}
+ s3-cache-bucket: ${{ vars.S3_LIBP2P_BUILD_CACHE_BUCKET_NAME }}
+ s3-access-key-id: ${{ vars.S3_LIBP2P_BUILD_CACHE_AWS_ACCESS_KEY_ID }}
+ s3-secret-access-key: ${{ secrets.S3_LIBP2P_BUILD_CACHE_AWS_SECRET_ACCESS_KEY }}
worker-count: 16
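Review bot: All three hunks replace the literal bucket name with `${{ vars.S3_LIBP2P_BUILD_CACHE_BUCKET_NAME }}`, but the commit message says the new vars/secrets are not configured yet, and secrets are never exposed to pull requests from forks (the `vars` may be withheld there too, depending on repository settings); in those cases the expression expands to an empty string, so `AWS_BUCKET_NAME` in the first hunk and `s3-cache-bucket` in the second and third are passed as empty, whereas the literal used to yield a well-formed bucket reference even without credentials. Unless the test-plans action is known to tolerate an empty `s3-cache-bucket` (its behaviour is not visible here), that dependency should be made explicit, at least with a comment above the first `env:` block such as `# S3 build cache: the S3_LIBP2P_BUILD_CACHE_* vars/secrets are empty on fork PRs and until configured; the cache is then skipped`, and the consuming script should handle the empty value. The three identical `s3-*` input triples could also be lifted into a workflow-level `env:` and referenced via `${{ env.… }}` so a future rename touches one place. The `jobs` mapping these hunks belong to starts and ends outside them.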
diff --git a/scripts/build-interop-image.sh b/scripts/build-interop-image.sh
index 28a8db9188d..ad6ef78b153 100755
--- a/scripts/build-interop-image.sh
+++ b/scripts/build-interop-image.sh
@@ -6,13 +6,13 @@ CACHE_TO=""
# If we have credentials, write to cache
if [[ -n "${AWS_SECRET_ACCESS_KEY}" ]]; then
- CACHE_TO="--cache-to type=s3,mode=max,bucket=libp2p-by-tf-aws-bootstrap,region=us-east-1,prefix=buildCache,name=${FLAVOUR}-rust-libp2p-head"
+ CACHE_TO="--cache-to type=s3,mode=max,bucket=${AWS_BUCKET_NAME},region=us-east-1,prefix=buildCache,name=${FLAVOUR}-rust-libp2p-head"
fi
docker buildx build \
--load \
$CACHE_TO \
- --cache-from type=s3,mode=max,bucket=libp2p-by-tf-aws-bootstrap,region=us-east-1,prefix=buildCache,name=${FLAVOUR}-rust-libp2p-head \
+ --cache-from type=s3,mode=max,bucket=${AWS_BUCKET_NAME},region=us-east-1,prefix=buildCache,name=${FLAVOUR}-rust-libp2p-head \
-t ${FLAVOUR}-rust-libp2p-head \
. \
-f interop-tests/Dockerfile.${FLAVOUR}

From a2a281609a0a64b211f7917aa856924983b63200 Mon Sep 17 00:00:00 2001
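Review bot: `--cache-from … bucket=${AWS_BUCKET_NAME} …` is passed unconditionally, so whenever `AWS_BUCKET_NAME` is unset or empty — on fork runs, and until the new repository variable exists (the commit message says the secrets are not set up yet) — buildx is handed `bucket=` and the build will likely fail on cache import, whereas the old hard-coded name at least produced a well-formed flag; the `-n "${AWS_SECRET_ACCESS_KEY}"` guard just above protects only `--cache-to`. Both cache flags should depend on the bucket name being present, and `region=us-east-1` is still hard-coded although the bucket is now configurable, so a bucket created in another region would not work. The `CACHE_TO=""` initialisation the hunk relies on sits above the hunk. A guarded shape for the cache arguments:

```shell
CACHE_FROM=""
# Read from the S3 cache only when a bucket is configured; write to it only when credentials are present
if [[ -n "${AWS_BUCKET_NAME:-}" ]]; then
  CACHE_FROM="--cache-from type=s3,mode=max,bucket=${AWS_BUCKET_NAME},region=${AWS_REGION:-us-east-1},prefix=buildCache,name=${FLAVOUR}-rust-libp2p-head"
  if [[ -n "${AWS_SECRET_ACCESS_KEY:-}" ]]; then
    CACHE_TO="--cache-to type=s3,mode=max,bucket=${AWS_BUCKET_NAME},region=${AWS_REGION:-us-east-1},prefix=buildCache,name=${FLAVOUR}-rust-libp2p-head"
  fi
fi

docker buildx build \
  --load \
  $CACHE_TO \
  $CACHE_FROM \
  -t ${FLAVOUR}-rust-libp2p-head \
  # … unchanged: build context and -f arguments …
```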
From: Stefan
Date: Sat, 14 Sep 2024 00:33:14 +0200
Subject: [PATCH 2/2] fix(autonat): reject inbound dial request from peer if its not connected (#5597)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Description

As discovered and described in the issue below, there are situations where an incoming AutoNAT dial can come from a non-connected peer. However `resolve_inbound_request` expects that this situation cannot occur. This PR adds a check upfront and refuses the incoming dial when no connected peer is found. Fixes https://github.com/libp2p/rust-libp2p/issues/5570.

## Change checklist

- [x] I have performed a self-review of my own code
- [x] I have made corresponding changes to the documentation
- [ ] I have added tests that prove my fix is effective or that my feature works
- [x] A changelog entry has been made in the appropriate crates

Co-authored-by: João Oliveira
---
Cargo.lock | 2 +-
Cargo.toml | 2 +-
protocols/autonat/CHANGELOG.md | 3 +++
protocols/autonat/Cargo.toml | 2 +-
protocols/autonat/src/v1/behaviour/as_server.rs | 15 +++++++++++++++
5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 4c12e6fb984..b3d1cd0d76d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2687,7 +2687,7 @@ dependencies = [
[[package]]
name = "libp2p-autonat"
-version = "0.13.0"
+version = "0.13.1"
dependencies = [
"async-std",
"async-trait",
diff --git a/Cargo.toml b/Cargo.toml
index da8d32e1a4a..c9fe928096d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -77,7 +77,7 @@ futures-bounded = { version = "0.2.4" }
futures-rustls = { version = "0.26.0", default-features = false }
libp2p = { version = "0.54.1", path = "libp2p" }
libp2p-allow-block-list = { version = "0.4.1", path = "misc/allow-block-list" }
-libp2p-autonat = { version = "0.13.0", path = "protocols/autonat" }
+libp2p-autonat = { version = "0.13.1", path = "protocols/autonat" }
libp2p-connection-limits = { version = "0.4.0", path = "misc/connection-limits" }
libp2p-core = { version = "0.42.0", path = "core" }
libp2p-dcutr = { version = "0.12.0", path = "protocols/dcutr" }
diff --git a/protocols/autonat/CHANGELOG.md b/protocols/autonat/CHANGELOG.md
index e171412aa58..f1aeda6ac18 100644
--- a/protocols/autonat/CHANGELOG.md
+++ b/protocols/autonat/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 0.13.1
+- Verify that an incoming AutoNAT dial comes from a connected peer. See [PR 5597](https://github.com/libp2p/rust-libp2p/pull/5597).
+
## 0.13.0
- Due to the refactor of `Transport` it's no longer required to create a seperate transport for
diff --git a/protocols/autonat/Cargo.toml b/protocols/autonat/Cargo.toml
index 2c01d18dceb..0c0e757641d 100644
--- a/protocols/autonat/Cargo.toml
+++ b/protocols/autonat/Cargo.toml
@@ -3,7 +3,7 @@ name = "libp2p-autonat"
edition = "2021"
rust-version = { workspace = true }
description = "NAT and firewall detection for libp2p"
-version = "0.13.0"
+version = "0.13.1"
authors = ["David Craven ", "Elena Frank ", "Hannes Furmans "]
license = "MIT"
repository = "https://github.com/libp2p/rust-libp2p"
diff --git a/protocols/autonat/src/v1/behaviour/as_server.rs b/protocols/autonat/src/v1/behaviour/as_server.rs
index 3ecdd3ac26e..1289bd53d24 100644
--- a/protocols/autonat/src/v1/behaviour/as_server.rs
+++ b/protocols/autonat/src/v1/behaviour/as_server.rs
@@ -107,6 +107,21 @@ impl<'a> HandleInnerEvent for AsServer<'a> {
},
} => {
let probe_id = self.probe_id.next();
+ if !self.connected.contains_key(&peer) {
+ tracing::debug!(
+ %peer,
+ "Reject inbound dial request from peer since it is not connected"
+ );
+
+ return VecDeque::from([ToSwarm::GenerateEvent(Event::InboundProbe(
+ InboundProbeEvent::Error {
+ probe_id,
+ peer,
+ error: InboundProbeError::Response(ResponseError::DialRefused),
+ },
+ ))]);
+ }
+
match self.resolve_inbound_request(peer, request) {
Ok(addrs) => {
tracing::debug!(
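Review bot: The early `return` drops `request` without answering the remote peer: it only emits a local `InboundProbeEvent::Error` carrying `ResponseError::DialRefused`, whereas the `Err` arm of the `match self.resolve_inbound_request(peer, request)` below (outside the hunk) presumably also sends a `DialResponse` back on the request's channel, so a peer whose connection closed mid-request now sees its request fail silently rather than receive an explicit refusal. If that arm does respond, moving the connectedness check into `resolve_inbound_request` and returning `Err(ResponseError::DialRefused)` from there would give a single error path and keep the check next to the code that assumes the invariant. The guard also deserves a why-comment, e.g. `// The connection may close between receipt and handling of the request (#5570); the resolver below assumes the peer is still connected.` The checklist leaves "added tests" unchecked; a test that disconnects the peer before the request is handled and asserts the `DialRefused` error event would pin this behaviour. The enclosing method of `impl<'a> HandleInnerEvent for AsServer<'a>` starts and ends outside the hunk.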