Do not validate Signed API responses from config (#301)

Siegrift · web-flow · commit fe671c9b06ae · 2024-05-13T11:05:26.000+02:00
* Do not validate Signed API responses from config

* Improve readability

* Add tsreset to tsconfig build
diff --git a/package.json b/package.json
@@ -52,6 +52,7 @@
     "@api3/ois": "^2.3.2",
     "@nomicfoundation/hardhat-ethers": "^3.0.5",
     "@nomicfoundation/hardhat-toolbox": "^5.0.0",
+    "@total-typescript/ts-reset": "^0.5.1",
     "@types/jest": "^29.5.12",
     "@types/lodash": "^4.17.1",
     "@types/node": "^20.12.11",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/reset.d.ts b/reset.d.ts
@@ -0,0 +1,2 @@
+// Do not add any other lines of code to this file!
+import '@total-typescript/ts-reset';
diff --git a/scripts/create-docker-release.ts b/scripts/create-docker-release.ts
@@ -23,7 +23,7 @@ const execSyncWithErrorHandling = (command: string) => {
 export const isMacOrWindows = () => process.platform === 'win32' || process.platform === 'darwin' || isWsl;
 
 const main = () => {
-  const { version } = JSON.parse(readFileSync(join(__dirname, '../package.json'), 'utf8'));
+  const { version } = JSON.parse(readFileSync(join(__dirname, '../package.json'), 'utf8')) as any;
   console.info(`Building docker image with semantic version ${version}...`);
 
   if (isMacOrWindows()) {
diff --git a/scripts/create-npm-release.ts b/scripts/create-npm-release.ts
@@ -47,12 +47,12 @@ const main = () => {
   console.info('Making sure we have the latest version of the dependencies...');
   execSyncWithErrorHandling('pnpm install');
 
-  const currentVersion = JSON.parse(readFileSync(join(__dirname, '../package.json'), 'utf8')).version;
+  const currentVersion = (JSON.parse(readFileSync(join(__dirname, '../package.json'), 'utf8')) as any).version;
   console.info(`Current version is ${currentVersion}...`);
 
   console.info('Bumping root package.json version...');
   execSyncWithErrorHandling(`pnpm version --no-git-tag-version ${versionBump}`);
-  const newVersion = JSON.parse(readFileSync(join(__dirname, '../package.json'), 'utf8')).version;
+  const newVersion = (JSON.parse(readFileSync(join(__dirname, '../package.json'), 'utf8')) as any).version;
 
   console.info('Updating versions in example files and fixtures...');
   const replacements = [
diff --git a/src/data-fetcher-loop/data-fetcher-loop.test.ts b/src/data-fetcher-loop/data-fetcher-loop.test.ts
@@ -13,9 +13,12 @@ describe(dataFetcherLoopModule.runDataFetcher.name, () => {
   beforeEach(() => {
     initializeState();
     updateState((draft) => {
-      draft.signedApiUrls = {
+      draft.signedApiUrlsFromConfig = {
         '31337': { hardhat: ['http://127.0.0.1:8090/0xC04575A2773Da9Cd23853A69694e02111b2c4182'] },
       };
+      draft.signedApiUrlsFromContract = {
+        '31337': { hardhat: [] },
+      };
       draft.activeDataFeedBeaconIds = {
         '31337': {
           hardhat: [
diff --git a/src/data-fetcher-loop/data-fetcher-loop.ts b/src/data-fetcher-loop/data-fetcher-loop.ts
@@ -60,7 +60,8 @@ export const runDataFetcher = async () => {
     const state = getState();
     const {
       config: { signedDataFetchInterval },
-      signedApiUrls,
+      signedApiUrlsFromConfig,
+      signedApiUrlsFromContract,
       activeDataFeedBeaconIds,
     } = state;
     const signedDataFetchIntervalMs = signedDataFetchInterval * 1000;
@@ -73,10 +74,17 @@ export const runDataFetcher = async () => {
         .flat(2)
     );
 
+    // Compute the set of URLs coming from the config. These are trusted and don't need to be verified.
+    const trustedUrls = new Set(
+      Object.values(signedApiUrlsFromConfig)
+        .map((urlsPerProvider) => Object.values(urlsPerProvider))
+        .flat(2)
+    );
+
     // Better to log the non-decomposed object to see which URL comes from which chain-provider group.
-    logger.debug('Signed API URLs.', { signedApiUrls });
+    logger.debug('Signed API URLs.', { signedApiUrlsFromConfig, signedApiUrlsFromContract });
     const urls = uniq(
-      Object.values(signedApiUrls)
+      [...Object.values(signedApiUrlsFromConfig), ...Object.values(signedApiUrlsFromContract)]
         .map((urlsPerProvider) => Object.values(urlsPerProvider))
         .flat(2)
     );
@@ -100,7 +108,10 @@ export const runDataFetcher = async () => {
         const signedDataForActiveBeacons = Object.entries(signedDataBatch).filter(([beaconId]) =>
           activeBeaconIds.has(beaconId as Hex)
         );
-        const signedDataCount = await saveSignedData(signedDataForActiveBeacons as SignedDataRecordEntry[]);
+        const signedDataCount = await saveSignedData(
+          signedDataForActiveBeacons as SignedDataRecordEntry[],
+          trustedUrls.has(url)
+        );
         logger.info('Saved signed data from Signed API using a worker.', {
           url,
           duration: Date.now() - now,
diff --git a/src/data-fetcher-loop/signed-data-state.test.ts b/src/data-fetcher-loop/signed-data-state.test.ts
@@ -35,7 +35,7 @@ describe(signedDataStateModule.saveSignedData.name, () => {
     jest.spyOn(signedDataVerifierPoolModule, 'getVerifier').mockResolvedValue(createMockSignedDataVerifier());
     const beaconId = deriveBeaconId(validSignedData.airnode, validSignedData.templateId) as Hex;
 
-    await signedDataStateModule.saveSignedData([[beaconId, validSignedData]]);
+    await signedDataStateModule.saveSignedData([[beaconId, validSignedData]], false);
 
     const signedData = signedDataStateModule.getSignedData(beaconId);
     expect(signedData).toStrictEqual(validSignedData);
@@ -54,7 +54,7 @@ describe(signedDataStateModule.saveSignedData.name, () => {
     });
     jest.spyOn(logger, 'debug');
 
-    await signedDataStateModule.saveSignedData([[beaconId, validSignedData]]);
+    await signedDataStateModule.saveSignedData([[beaconId, validSignedData]], false);
 
     expect(signedDataStateModule.getSignedData(beaconId)).toStrictEqual(storedSignedData);
     expect(logger.debug).toHaveBeenCalledTimes(1);
@@ -80,7 +80,7 @@ describe(signedDataStateModule.saveSignedData.name, () => {
     jest.spyOn(logger, 'warn');
     jest.spyOn(logger, 'error');
 
-    await signedDataStateModule.saveSignedData([[beaconId, futureSignedData]]);
+    await signedDataStateModule.saveSignedData([[beaconId, futureSignedData]], false);
 
     expect(signedDataStateModule.getSignedData(beaconId)).toBeUndefined();
     expect(logger.error).toHaveBeenCalledTimes(1);
@@ -108,7 +108,7 @@ describe(signedDataStateModule.saveSignedData.name, () => {
     jest.spyOn(logger, 'warn');
     jest.spyOn(logger, 'error');
 
-    await signedDataStateModule.saveSignedData([[beaconId, futureSignedData]]);
+    await signedDataStateModule.saveSignedData([[beaconId, futureSignedData]], false);
 
     expect(signedDataStateModule.getSignedData(deriveBeaconId(airnode, templateId) as Hex)).toStrictEqual(
       futureSignedData
@@ -139,13 +139,39 @@ describe(signedDataStateModule.saveSignedData.name, () => {
     };
     const beaconId = deriveBeaconId(airnode, templateId) as Hex;
 
-    await signedDataStateModule.saveSignedData([[beaconId, badSignedData]]);
+    await signedDataStateModule.saveSignedData([[beaconId, badSignedData]], false);
 
     expect(signedDataStateModule.getSignedData(deriveBeaconId(airnode, templateId) as Hex)).toBeUndefined();
     expect(logger.error).toHaveBeenCalledTimes(1);
     expect(logger.error).toHaveBeenCalledWith('Failed to verify signed data.', badSignedData);
     expect(logger.warn).toHaveBeenCalledTimes(0);
   });
+
+  it('only verifies the signed data for untrusted APIs', async () => {
+    const templateId = generateRandomBytes(32);
+    const airnode = ethers.Wallet.createRandom().address as Hex;
+    jest.spyOn(signedDataVerifierPoolModule, 'getVerifier').mockResolvedValue(createMockSignedDataVerifier());
+    jest.spyOn(logger, 'warn');
+    jest.spyOn(logger, 'error');
+    const beaconId = deriveBeaconId(airnode, templateId) as Hex;
+
+    // First save data for trusted API and expect it to be saved without verification.
+    await signedDataStateModule.saveSignedData([[beaconId, validSignedData]], true);
+    expect(signedDataVerifierPoolModule.getVerifier).not.toHaveBeenCalled();
+
+    // Then save data for untrusted API and expect it to be verified.
+    const timestamp = Math.floor((Date.now() - 30 * 60 * 1000) / 1000).toString();
+    const encodedValue = ethers.AbiCoder.defaultAbiCoder().encode(['int256'], [123n]);
+    const otherSignedData = {
+      airnode,
+      encodedValue,
+      signature: await signData(signer, templateId, timestamp, encodedValue),
+      templateId,
+      timestamp,
+    };
+    await signedDataStateModule.saveSignedData([[beaconId, otherSignedData]], false);
+    expect(signedDataVerifierPoolModule.getVerifier).toHaveBeenCalledTimes(1);
+  });
 });
 
 describe(signedDataStateModule.purgeOldSignedData.name, () => {
diff --git a/src/data-fetcher-loop/signed-data-state.ts b/src/data-fetcher-loop/signed-data-state.ts
@@ -40,19 +40,23 @@ const verifyTimestamp = ([beaconId, signedData]: SignedDataRecordEntry) => {
   return true;
 };
 
-export const saveSignedData = async (signedDataBatch: SignedDataRecordEntry[]) => {
+export const saveSignedData = async (signedDataBatch: SignedDataRecordEntry[], isTrustedApi: boolean) => {
   // Filter out signed data with invalid timestamps or we already have a fresher signed data stored in state.
   signedDataBatch = signedDataBatch.filter((signedDataEntry) => verifyTimestamp(signedDataEntry));
   if (signedDataBatch.length === 0) return;
 
-  const verifier = await getVerifier();
-  // We are skipping the whole batch even if there is only one invalid signed data. This is consistent with the Signed
-  // API approach.
-  const verificationResult = await verifier.verifySignedData(signedDataBatch);
-  if (verificationResult !== true) {
-    logger.error('Failed to verify signed data.', verificationResult);
-    return;
+  // Only verify the signed data if it is not coming from a trusted API.
+  if (!isTrustedApi) {
+    const verifier = await getVerifier();
+    // We are skipping the whole batch even if there is only one invalid signed data. This is consistent with the Signed
+    // API approach.
+    const verificationResult = await verifier.verifySignedData(signedDataBatch);
+    if (verificationResult !== true) {
+      logger.error('Failed to verify signed data.', verificationResult);
+      return;
+    }
   }
+
   updateState((draft) => {
     for (const [beaconId, signedData] of signedDataBatch) {
       draft.signedDatas[beaconId] = signedData;
diff --git a/src/state/state.test.ts b/src/state/state.test.ts
@@ -35,7 +35,10 @@ const stateMock: State = {
       timestamp: 'something-silly',
     },
   },
-  signedApiUrls: { '31337': { hardhat: ['http://127.0.0.1:8090/0xC04575A2773Da9Cd23853A69694e02111b2c4182'] } },
+  signedApiUrlsFromConfig: {
+    '31337': { hardhat: ['http://127.0.0.1:8090/0xC04575A2773Da9Cd23853A69694e02111b2c4182'] },
+  },
+  signedApiUrlsFromContract: { '31337': { hardhat: [] } },
   derivedSponsorWallets: {},
   deploymentTimestamp: '1687850583',
   activeDataFeedBeaconIds: { '31337': { hardhat: [] } },
diff --git a/src/state/state.ts b/src/state/state.ts
@@ -27,7 +27,8 @@ export interface State {
   >;
   derivedSponsorWallets: Record<string /* dAPI name or data feed ID */, Hex /* Private key */>;
   signedDatas: SignedDataRecord;
-  signedApiUrls: Record<ChainId, Record<string /* Provider name */, string[]>>;
+  signedApiUrlsFromConfig: Record<ChainId, Record<string /* Provider name */, string[]>>;
+  signedApiUrlsFromContract: Record<ChainId, Record<string /* Provider name */, string[]>>;
   // The timestamp of when the service was initialized. This can be treated as a "deployment" timestamp.
   deploymentTimestamp: string;
   activeDataFeedBeaconIds: Record<ChainId, Record<string /* Provider name */, Hex[]>>;
@@ -49,7 +50,8 @@ export const setInitialState = (config: Config) => {
     gasPrices: {},
     pendingTransactionsInfo: {},
     signedDatas: {},
-    signedApiUrls: {},
+    signedApiUrlsFromConfig: {},
+    signedApiUrlsFromContract: {},
     derivedSponsorWallets: {},
     deploymentTimestamp: Math.floor(Date.now() / 1000).toString(),
     activeDataFeedBeaconIds: {},
diff --git a/src/update-feeds-loops/update-feeds-loops.test.ts b/src/update-feeds-loops/update-feeds-loops.test.ts
@@ -218,7 +218,8 @@ describe(updateFeedsLoopsModule.runUpdateFeeds.name, () => {
     jest.spyOn(stateModule, 'getState').mockReturnValue(
       allowPartial<stateModule.State>({
         config: testConfig,
-        signedApiUrls: {},
+        signedApiUrlsFromConfig: {},
+        signedApiUrlsFromContract: {},
         signedDatas: {},
         gasPrices: {},
         pendingTransactionsInfo: { '31337': { 'provider-name': {} } },
@@ -329,7 +330,8 @@ describe(updateFeedsLoopsModule.runUpdateFeeds.name, () => {
     jest.spyOn(stateModule, 'getState').mockReturnValue(
       allowPartial<stateModule.State>({
         config: testConfig,
-        signedApiUrls: {},
+        signedApiUrlsFromConfig: {},
+        signedApiUrlsFromContract: {},
         signedDatas: {},
         gasPrices: {},
       })
@@ -380,7 +382,8 @@ describe(updateFeedsLoopsModule.processBatch.name, () => {
     jest.spyOn(stateModule, 'getState').mockReturnValue(
       allowPartial<stateModule.State>({
         config: testConfig,
-        signedApiUrls: {},
+        signedApiUrlsFromConfig: {},
+        signedApiUrlsFromContract: {},
         signedDatas: {
           '0xf5c140bcb4814dfec311d38f6293e86c02d32ba1b7da027fe5b5202cae35dbc6': {
             airnode: '0xc52EeA00154B4fF1EbbF8Ba39FDe37F1AC3B9Fd4',
@@ -428,7 +431,8 @@ describe(updateFeedsLoopsModule.processBatch.name, () => {
     jest.spyOn(stateModule, 'getState').mockReturnValue(
       allowPartial<stateModule.State>({
         config: { ...testConfig, signedApiUrls: ['http://config.url'] },
-        signedApiUrls: {},
+        signedApiUrlsFromConfig: {},
+        signedApiUrlsFromContract: {},
         pendingTransactionsInfo: { '31337': { 'default-provider': {} } },
       })
     );
@@ -440,17 +444,18 @@ describe(updateFeedsLoopsModule.processBatch.name, () => {
     jest.spyOn(getUpdatableFeedsModule, 'getUpdatableFeeds').mockReturnValue([]);
     jest.spyOn(submitTransactionModule, 'getDerivedSponsorWallet').mockReturnValue(ethers.Wallet.createRandom());
 
-    const { signedApiUrls } = await updateFeedsLoopsModule.processBatch(
+    const { signedApiUrlsFromConfig, signedApiUrlsFromContract } = await updateFeedsLoopsModule.processBatch(
       [activeDataFeed],
       'default-provider',
       new ethers.JsonRpcProvider(),
       '31337',
       123
     );
 
-    expect(signedApiUrls).toHaveLength(2);
-    expect(signedApiUrls).toContain('http://config.url/0xc52EeA00154B4fF1EbbF8Ba39FDe37F1AC3B9Fd4');
-    expect(signedApiUrls).toContain('http://localhost:8080/0xc52EeA00154B4fF1EbbF8Ba39FDe37F1AC3B9Fd4');
+    expect(signedApiUrlsFromConfig).toHaveLength(1);
+    expect(signedApiUrlsFromConfig).toContain('http://config.url/0xc52EeA00154B4fF1EbbF8Ba39FDe37F1AC3B9Fd4');
+    expect(signedApiUrlsFromContract).toHaveLength(1);
+    expect(signedApiUrlsFromContract).toContain('http://localhost:8080/0xc52EeA00154B4fF1EbbF8Ba39FDe37F1AC3B9Fd4');
   });
 
   it('generates airnode-populated signed api urls when only config defines base url', async () => {
@@ -468,7 +473,8 @@ describe(updateFeedsLoopsModule.processBatch.name, () => {
     jest.spyOn(stateModule, 'getState').mockReturnValue(
       allowPartial<stateModule.State>({
         config: { ...testConfig, signedApiUrls: ['http://config.url'] },
-        signedApiUrls: {},
+        signedApiUrlsFromConfig: {},
+        signedApiUrlsFromContract: {},
         pendingTransactionsInfo: { '31337': { 'default-provider': {} } },
       })
     );
@@ -480,16 +486,16 @@ describe(updateFeedsLoopsModule.processBatch.name, () => {
     jest.spyOn(getUpdatableFeedsModule, 'getUpdatableFeeds').mockReturnValue([]);
     jest.spyOn(submitTransactionModule, 'getDerivedSponsorWallet').mockReturnValue(ethers.Wallet.createRandom());
 
-    const { signedApiUrls } = await updateFeedsLoopsModule.processBatch(
+    const { signedApiUrlsFromConfig } = await updateFeedsLoopsModule.processBatch(
       [activeDataFeed],
       'default-provider',
       new ethers.JsonRpcProvider(),
       '31337',
       123
     );
 
-    expect(signedApiUrls).toHaveLength(1);
-    expect(signedApiUrls).toContain('http://config.url/0xc52EeA00154B4fF1EbbF8Ba39FDe37F1AC3B9Fd4');
+    expect(signedApiUrlsFromConfig).toHaveLength(1);
+    expect(signedApiUrlsFromConfig).toContain('http://config.url/0xc52EeA00154B4fF1EbbF8Ba39FDe37F1AC3B9Fd4');
   });
 
   it('does not scale gas price for the original (first) update transaction', async () => {
@@ -508,7 +514,8 @@ describe(updateFeedsLoopsModule.processBatch.name, () => {
     stateModule.updateState(() =>
       allowPartial<stateModule.State>({
         config: testConfig,
-        signedApiUrls: {},
+        signedApiUrlsFromConfig: {},
+        signedApiUrlsFromContract: {},
         gasPrices: {
           '31337': {
             'default-provider': [{ price: 10n ** 9n, timestamp: 123 }],
diff --git a/src/update-feeds-loops/update-feeds-loops.ts b/src/update-feeds-loops/update-feeds-loops.ts
diff --git a/tsconfig.build.json b/tsconfig.build.json
diff --git a/tsconfig.json b/tsconfig.json

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+// Do not add any other lines of code to this file!`
	`2`	`+import '@total-typescript/ts-reset';`