Failure limit on tx proposals

CHANGELOG.md

@@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 The crates in this repository do not adhere to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) at this time.
 
+## [5.0.0]
+
+### Changed
+
+- mobilecoind now has its own version of the `LastBlockInfo` proto message. ([#3307])
+
 ## [4.1.0]
 
 ### Added

Cargo.toml

@@ -242,8 +242,5 @@ schnorrkel-og = { git = "https://github.com/mobilecoinfoundation/schnorrkel.git"
 #   See: https://github.com/pyfisch/cbor/pull/198
 serde_cbor = { git = "https://github.com/mobilecoinofficial/cbor", rev = "4c886a7c1d523aae1ec4aa7386f402cb2f4341b5" }
 
-# Override diesel dependency with our fork, to statically link SQLite.
-diesel = { git = "https://github.com/mobilecoinofficial/diesel", rev = "026f6379715d27c8be48396e5ca9059f4a263198" }
-
 # Fix issues with recent nightlies, bump curve25519-dalek version
 x25519-dalek = { git = "https://github.com/mobilecoinfoundation/x25519-dalek.git", rev = "4fbaa3343301c62cfdbc3023c9f485257e6b718a" }

attest/core/Cargo.toml

@@ -34,7 +34,7 @@ mc-util-encodings = { path = "../../util/encodings" }
 mc-util-repr-bytes = { path = "../../util/repr-bytes", features = ["hex_fmt"] }
 
 base64 = { version = "0.21", default-features = false, features = ["alloc"] }
-bitflags = "1.3"
+bitflags = { version = "2.0", default-features = false, features = ["serde"] }
 chrono = { version = "0.4.24", default-features = false, features = ["alloc"] }
 digest = "0.10"
 displaydoc = { version = "0.2", default-features = false }

attest/core/src/error.rs

@@ -390,7 +390,7 @@ pub enum ReportDetailsError {
 
 bitflags! {
     /// Revocation cause flags
-    #[derive(Deserialize, Serialize)]
+    #[derive(Clone, Debug, Deserialize, Eq, Hash, Ord, PartialEq, PartialOrd, Serialize)]
     pub struct RevocationCause: u64 {
         /// Cause reason was not given (but still revoked)
         const UNSPECIFIED = 0;

attest/core/src/ias/verify.rs

@@ -336,6 +336,7 @@ impl<'src> TryFrom<&'src VerificationReport> for VerificationReportData {
             "SIGNATURE_INVALID" => Err(IasQuoteError::SignatureInvalid),
             "GROUP_REVOKED" => Err(IasQuoteError::GroupRevoked(
                 revocation_reason
+                    .clone()
                     .ok_or_else(|| JsonError::FieldMissing("revocationReason".to_string()))?,
                 platform_info_blob
                     .ok_or_else(|| JsonError::FieldMissing("platformInfoBlob".to_string()))?,

consensus/api/proto/consensus_config.proto

@@ -69,4 +69,24 @@ message ConsensusNodeConfig {
 
     // SCP message signing key.
     external.Ed25519Public scp_message_signing_key = 8;
+
+    // Maximum number of client session tracking structures to retain in
+    // a least-recently-used cache.
+    //
+    // This corresponds to Config::client_tracking_capacity
+    uint64 client_tracking_capacity = 9;
+
+    // How many seconds to retain instances of proposed-transaction
+    // failures, per-client. This is used to implement DOS-protection,
+    // protecting against clients who make too many failed
+    // transaction proposals within this span.
+    uint64 tx_failure_window_seconds = 10;
+
+    // How many tx proposal failures within the rolling window are required
+    // before it's treated as concerning, thereby tripping denial-of-service
+    // protection?
+    // In other words, how many failed transaction proposals are permitted
+    // within the last tx_failure_window_seconds before a user is
+    // disconnected or temporarily blocked?
+    uint32 tx_failure_limit = 11;
 }

consensus/service/config/src/lib.rs

@@ -136,6 +136,24 @@ pub struct Config {
     /// config setting to match.
     #[clap(long, default_value = "10000", env = "MC_CLIENT_TRACKING_CAPACITY")]
     pub client_tracking_capacity: usize,
+
+    /// How many seconds to retain instances of proposed-transaction
+    /// failures, per-client. This is used to implement DOS-protection,
+    /// along the lines of kicking clients who make too many failed transaction
+    /// proposals within the span of tx_failure_window
+    // TODO: slam-testing to derive reasonable default
+    #[clap(long, default_value = "30", value_parser = parse_duration_in_seconds, env = "MC_CLIENT_TX_FAILURE_WINDOW")]
+    pub tx_failure_window: Duration,
+
+    /// How many tx proposal failures within the rolling window are required
+    /// before it's treated as concerning, thereby tripping denial-of-service
+    /// protection?
+    /// In other words, how many failed transaction proposals are permitted
+    /// within the last tx_failure_window seconds before a user is
+    /// disconnected or temporarily blocked?
+    // TODO: slam-testing to derive reasonable default
+    #[clap(long, default_value = "16384", env = "MC_CLIENT_TX_FAILURE_LIMIT")]
+    pub tx_failure_limit: u32,
 }
 
 impl Config {
@@ -224,6 +242,8 @@ mod tests {
             tokens_path: None,
             block_version: BlockVersion::ZERO,
             client_tracking_capacity: 4096,
+            tx_failure_window: Duration::from_secs(30),
+            tx_failure_limit: 16384,
         };
 
         assert_eq!(
@@ -293,6 +313,8 @@ mod tests {
             tokens_path: None,
             block_version: BlockVersion::ZERO,
             client_tracking_capacity: 4096,
+            tx_failure_window: Duration::from_secs(30),
+            tx_failure_limit: 16384,
         };
 
         assert_eq!(