satellite/metainfo/pointerverification: service for verifying pointers

This implements a service for pointer verification. This makes the slightly clearer, because it's not part of metainfo. It also adds a peer identity cache which reduces database calls and peer identity decoding. Change-Id: I45da40460d579c6f5fd74c69bccea215157aafda
2020-03-18 15:24:31 +02:00 · 2020-03-18 15:24:31 +02:00 · eb1d8aab96
commit eb1d8aab96
parent 8597e6b512
5 changed files with 333 additions and 191 deletions
--- a/satellite/metainfo/metainfo.go
+++ b/satellite/metainfo/metainfo.go
@ -18,7 +18,6 @@ import (
 	"go.uber.org/zap"

 	"storj.io/common/errs2"
-	"storj.io/common/identity"
 	"storj.io/common/pb"
 	"storj.io/common/rpc/rpcstatus"
 	"storj.io/common/signing"
@ -31,6 +30,7 @@ import (
 	"storj.io/storj/satellite/attribution"
 	"storj.io/storj/satellite/console"
 	"storj.io/storj/satellite/metainfo/piecedeletion"
+	"storj.io/storj/satellite/metainfo/pointerverification"
 	"storj.io/storj/satellite/orders"
 	"storj.io/storj/satellite/overlay"
 	"storj.io/storj/satellite/rewards"
@ -39,7 +39,6 @@ import (
 )

 const (
-	pieceHashExpiration = 24 * time.Hour
 	satIDExpiration = 24 * time.Hour
 	lastSegment     = -1
 	listLimit       = 1000
@ -80,7 +79,7 @@ type Endpoint struct {
 	overlay             *overlay.Service
 	attributions        attribution.DB
 	partners            *rewards.PartnersService
-	peerIdentities    overlay.PeerIdentities
+	pointerVerification *pointerverification.Service
 	projectUsage        *accounting.Service
 	projects            console.Projects
 	apiKeys             APIKeys
@ -108,7 +107,7 @@ func NewEndpoint(log *zap.Logger, metainfo *Service, deletePieces *piecedeletion
 		overlay:             cache,
 		attributions:        attributions,
 		partners:            partners,
-		peerIdentities:    peerIdentities,
+		pointerVerification: pointerverification.NewService(peerIdentities),
 		apiKeys:             apiKeys,
 		projectUsage:        projectUsage,
 		projects:            projects,
@ -502,115 +501,33 @@ func (endpoint *Endpoint) filterValidPieces(ctx context.Context, pointer *pb.Poi
 		return nil
 	}

+	// verify that the piece sizes matches what we would expect.
+	err = endpoint.pointerVerification.VerifySizes(ctx, pointer)
+	if err != nil {
+		endpoint.log.Debug("piece sizes are invalid", zap.Error(err))
+		return rpcstatus.Errorf(rpcstatus.InvalidArgument, "piece sizes are invalid: %v", err)
+	}
+
+	validPieces, invalidPieces, err := endpoint.pointerVerification.SelectValidPieces(ctx, pointer, originalLimits)
+	if err != nil {
+		endpoint.log.Debug("pointer verification failed", zap.Error(err))
+		return rpcstatus.Errorf(rpcstatus.InvalidArgument, "pointer verification failed: %s", err)
+	}
+
 	remote := pointer.Remote

-	peerIDMap, err := endpoint.mapNodesFor(ctx, remote.RemotePieces)
-	if err != nil {
-		return err
-	}
-
-	type invalidPiece struct {
-		NodeID   storj.NodeID
-		PieceNum int32
-		Reason   string
-	}
-
-	var (
-		remotePieces  []*pb.RemotePiece
-		invalidPieces []invalidPiece
-		lastPieceSize int64
-		allSizesValid = true
-	)
-	for _, piece := range remote.RemotePieces {
-		// Verify storagenode signature on piecehash
-		peerID, ok := peerIDMap[piece.NodeId]
-		if !ok {
-			endpoint.log.Warn("Identity chain unknown for node. Piece removed from pointer",
-				zap.Stringer("Node ID", piece.NodeId),
-				zap.Int32("Piece ID", piece.PieceNum),
-			)
-
-			invalidPieces = append(invalidPieces, invalidPiece{
-				NodeID:   piece.NodeId,
-				PieceNum: piece.PieceNum,
-				Reason:   "Identity chain unknown for node",
-			})
-			continue
-		}
-		signee := signing.SigneeFromPeerIdentity(peerID)
-
-		limit := originalLimits[piece.PieceNum]
-		if limit == nil {
-			endpoint.log.Warn("There is not limit for the piece.  Piece removed from pointer",
-				zap.Int32("Piece ID", piece.PieceNum),
-			)
-
-			invalidPieces = append(invalidPieces, invalidPiece{
-				NodeID:   piece.NodeId,
-				PieceNum: piece.PieceNum,
-				Reason:   "No order limit for validating the piece hash",
-			})
-			continue
-		}
-
-		err = endpoint.validatePieceHash(ctx, piece, limit, signee)
-		if err != nil {
-			endpoint.log.Warn("Problem validating piece hash. Pieces removed from pointer", zap.Error(err))
-			invalidPieces = append(invalidPieces, invalidPiece{
-				NodeID:   piece.NodeId,
-				PieceNum: piece.PieceNum,
-				Reason:   err.Error(),
-			})
-			continue
-		}
-
-		if piece.Hash.PieceSize <= 0 || (lastPieceSize > 0 && lastPieceSize != piece.Hash.PieceSize) {
-			allSizesValid = false
-			break
-		}
-		lastPieceSize = piece.Hash.PieceSize
-
-		remotePieces = append(remotePieces, piece)
-	}
-
-	if allSizesValid {
-		redundancy, err := eestream.NewRedundancyStrategyFromProto(pointer.GetRemote().GetRedundancy())
-		if err != nil {
-			endpoint.log.Debug("pointer contains an invalid redundancy strategy", zap.Error(Error.Wrap(err)))
-			return rpcstatus.Errorf(rpcstatus.InvalidArgument,
-				"invalid redundancy strategy; MinReq and/or Total are invalid: %s", err,
-			)
-		}
-
-		expectedPieceSize := eestream.CalcPieceSize(pointer.SegmentSize, redundancy)
-		if expectedPieceSize != lastPieceSize {
-			endpoint.log.Debug("expected piece size is different from provided",
-				zap.Int64("expectedSize", expectedPieceSize),
-				zap.Int64("actualSize", lastPieceSize),
-			)
-			return rpcstatus.Errorf(rpcstatus.InvalidArgument,
-				"expected piece size is different from provided (%d != %d)",
-				expectedPieceSize, lastPieceSize,
-			)
-		}
-	} else {
-		errMsg := "all pieces needs to have the same size"
-		endpoint.log.Debug(errMsg)
-		return rpcstatus.Error(rpcstatus.InvalidArgument, errMsg)
-	}
-
 	// We repair when the number of healthy files is less than or equal to the repair threshold
 	// except for the case when the repair and success thresholds are the same (a case usually seen during testing).
-	if numPieces := int32(len(remotePieces)); numPieces <= remote.Redundancy.RepairThreshold && numPieces < remote.Redundancy.SuccessThreshold {
+	if numPieces := int32(len(validPieces)); numPieces <= remote.Redundancy.RepairThreshold && numPieces < remote.Redundancy.SuccessThreshold {
 		endpoint.log.Debug("Number of valid pieces is less than or equal to the repair threshold",
 			zap.Int("totalReceivedPieces", len(remote.RemotePieces)),
-			zap.Int("validPieces", len(remotePieces)),
+			zap.Int("validPieces", len(validPieces)),
 			zap.Int("invalidPieces", len(invalidPieces)),
 			zap.Int32("repairThreshold", remote.Redundancy.RepairThreshold),
 		)

 		errMsg := fmt.Sprintf("Number of valid pieces (%d) is less than or equal to the repair threshold (%d). Found %d invalid pieces",
-			len(remotePieces),
+			len(validPieces),
 			remote.Redundancy.RepairThreshold,
 			len(remote.RemotePieces),
 		)
@ -627,16 +544,16 @@ func (endpoint *Endpoint) filterValidPieces(ctx context.Context, pointer *pb.Poi
 		return rpcstatus.Error(rpcstatus.InvalidArgument, errMsg)
 	}

-	if int32(len(remotePieces)) < remote.Redundancy.SuccessThreshold {
+	if int32(len(validPieces)) < remote.Redundancy.SuccessThreshold {
 		endpoint.log.Debug("Number of valid pieces is less than the success threshold",
 			zap.Int("totalReceivedPieces", len(remote.RemotePieces)),
-			zap.Int("validPieces", len(remotePieces)),
+			zap.Int("validPieces", len(validPieces)),
 			zap.Int("invalidPieces", len(invalidPieces)),
 			zap.Int32("successThreshold", remote.Redundancy.SuccessThreshold),
 		)

 		errMsg := fmt.Sprintf("Number of valid pieces (%d) is less than the success threshold (%d). Found %d invalid pieces",
-			len(remotePieces),
+			len(validPieces),
 			remote.Redundancy.SuccessThreshold,
 			len(remote.RemotePieces),
 		)
@ -653,29 +570,11 @@ func (endpoint *Endpoint) filterValidPieces(ctx context.Context, pointer *pb.Poi
 		return rpcstatus.Error(rpcstatus.InvalidArgument, errMsg)
 	}

-	remote.RemotePieces = remotePieces
+	remote.RemotePieces = validPieces

 	return nil
 }

-func (endpoint *Endpoint) mapNodesFor(ctx context.Context, pieces []*pb.RemotePiece) (map[storj.NodeID]*identity.PeerIdentity, error) {
-	nodeIDList := storj.NodeIDList{}
-	for _, piece := range pieces {
-		nodeIDList = append(nodeIDList, piece.NodeId)
-	}
-	peerIDList, err := endpoint.peerIdentities.BatchGet(ctx, nodeIDList)
-	if err != nil {
-		endpoint.log.Error("retrieving batch of the peer identities of nodes", zap.Error(Error.Wrap(err)))
-		return nil, rpcstatus.Error(rpcstatus.Internal, "retrieving nodes peer identities")
-	}
-	peerIDMap := make(map[storj.NodeID]*identity.PeerIdentity, len(peerIDList))
-	for _, peerID := range peerIDList {
-		peerIDMap[peerID.ID] = peerID
-	}
-
-	return peerIDMap, nil
-}
-
 // CreatePath creates a Segment path.
 func CreatePath(ctx context.Context, projectID uuid.UUID, segmentIndex int64, bucket, path []byte) (_ storj.Path, err error) {
 	defer mon.Task()(&ctx)(&err)
--- a/satellite/metainfo/metainfo_old_test.go
+++ b/satellite/metainfo/metainfo_old_test.go
@ -625,13 +625,13 @@ func TestCommitSegmentPointer(t *testing.T) {
 				require.NoError(t, err)
 				pointer.Remote.RemotePieces[0].Hash = storageNodeHash
 			},
-			ErrorMessage: "all pieces needs to have the same size",
+			ErrorMessage: "piece sizes are invalid",
 		},
 		{
 			Modify: func(ctx context.Context, pointer *pb.Pointer, _ map[storj.NodeID]*identity.FullIdentity, limits []*pb.OrderLimit) {
 				pointer.SegmentSize = 100
 			},
-			ErrorMessage: "expected piece size is different from provided",
+			ErrorMessage: "piece sizes are invalid",
 		},
 		{
 			Modify: func(ctx context.Context, pointer *pb.Pointer, _ map[storj.NodeID]*identity.FullIdentity, limits []*pb.OrderLimit) {
--- a/satellite/metainfo/pointerverification/cache.go
+++ b/satellite/metainfo/pointerverification/cache.go
@ -0,0 +1,92 @@
+// Copyright (C) 2020 Storj Labs, Inc.
+// See LICENSE for copying information.
+
+package pointerverification
+
+import (
+	"context"
+	"sync"
+
+	"storj.io/common/identity"
+	"storj.io/common/pb"
+	"storj.io/common/storj"
+	"storj.io/storj/satellite/overlay"
+)
+
+// IdentityCache implements caching of *identity.PeerIdentity.
+type IdentityCache struct {
+	db overlay.PeerIdentities
+
+	mu     sync.RWMutex
+	cached map[storj.NodeID]*identity.PeerIdentity
+}
+
+// NewIdentityCache returns an IdentityCache.
+func NewIdentityCache(db overlay.PeerIdentities) *IdentityCache {
+	return &IdentityCache{
+		db:     db,
+		cached: map[storj.NodeID]*identity.PeerIdentity{},
+	}
+}
+
+// GetCached returns the peer identity in the cache.
+func (cache *IdentityCache) GetCached(ctx context.Context, id storj.NodeID) *identity.PeerIdentity {
+	defer mon.Task()(&ctx)(nil)
+
+	cache.mu.RLock()
+	defer cache.mu.RUnlock()
+
+	return cache.cached[id]
+}
+
+// GetUpdated returns the identity from database and updates the cache.
+func (cache *IdentityCache) GetUpdated(ctx context.Context, id storj.NodeID) (_ *identity.PeerIdentity, err error) {
+	defer mon.Task()(&ctx)(&err)
+
+	identity, err := cache.db.Get(ctx, id)
+	if err != nil {
+		return nil, Error.Wrap(err)
+	}
+
+	cache.mu.Lock()
+	defer cache.mu.Unlock()
+	cache.cached[id] = identity
+
+	return identity, nil
+}
+
+// EnsureCached loads any missing identity into cache.
+func (cache *IdentityCache) EnsureCached(ctx context.Context, pieces []*pb.RemotePiece) (err error) {
+	defer mon.Task()(&ctx)(&err)
+
+	missing := []storj.NodeID{}
+
+	cache.mu.RLock()
+	for _, piece := range pieces {
+		if _, ok := cache.cached[piece.NodeId]; !ok {
+			missing = append(missing, piece.NodeId)
+		}
+	}
+	cache.mu.RUnlock()
+
+	if len(missing) == 0 {
+		return nil
+	}
+
+	// There might be a race during updating, however we'll "reupdate" later if there's a failure.
+	// The common path doesn't end up here.
+
+	identities, err := cache.db.BatchGet(ctx, missing)
+	if err != nil {
+		return Error.Wrap(err)
+	}
+
+	cache.mu.Lock()
+	defer cache.mu.Unlock()
+
+	for _, identity := range identities {
+		cache.cached[identity.ID] = identity
+	}
+
+	return nil
+}
--- a/satellite/metainfo/pointerverification/service.go
+++ b/satellite/metainfo/pointerverification/service.go
@ -0,0 +1,187 @@
+// Copyright (C) 2020 Storj Labs, Inc.
+// See LICENSE for copying information.
+
+// Package pointerverification implements verification of pointers.
+package pointerverification
+
+import (
+	"context"
+	"time"
+
+	"github.com/spacemonkeygo/monkit/v3"
+	"github.com/zeebo/errs"
+
+	"storj.io/common/pb"
+	"storj.io/common/signing"
+	"storj.io/common/storj"
+	"storj.io/storj/satellite/overlay"
+	"storj.io/uplink/private/eestream"
+)
+
+var (
+	mon = monkit.Package()
+	// Error general pointer verification error.
+	Error = errs.Class("pointer verification")
+)
+
+const pieceHashExpiration = 24 * time.Hour
+
+// Service is a service for verifying validity of pieces.
+type Service struct {
+	identities *IdentityCache
+}
+
+// NewService returns a service using the provided database.
+func NewService(db overlay.PeerIdentities) *Service {
+	return &Service{
+		identities: NewIdentityCache(db),
+	}
+}
+
+// VerifySizes verifies that the remote piece sizes in pointer match each other.
+func (service *Service) VerifySizes(ctx context.Context, pointer *pb.Pointer) (err error) {
+	defer mon.Task()(&ctx)(&err)
+
+	if pointer.Type != pb.Pointer_REMOTE {
+		return nil
+	}
+
+	commonSize := int64(-1)
+	for _, piece := range pointer.GetRemote().GetRemotePieces() {
+		if piece.Hash == nil {
+			continue
+		}
+		if piece.Hash.PieceSize <= 0 {
+			return Error.New("size is invalid (%d)", piece.Hash.PieceSize)
+		}
+
+		if commonSize > 0 && commonSize != piece.Hash.PieceSize {
+			return Error.New("sizes do not match (%d != %d)", commonSize, piece.Hash.PieceSize)
+		}
+
+		commonSize = piece.Hash.PieceSize
+	}
+
+	if commonSize < 0 {
+		return Error.New("no remote pieces")
+	}
+
+	redundancy, err := eestream.NewRedundancyStrategyFromProto(pointer.GetRemote().GetRedundancy())
+	if err != nil {
+		return Error.New("invalid redundancy strategy: %v", err)
+	}
+
+	expectedSize := eestream.CalcPieceSize(pointer.SegmentSize, redundancy)
+	if expectedSize != commonSize {
+		return Error.New("expected size is different from provided (%d != %d)", expectedSize, commonSize)
+	}
+
+	return nil
+}
+
+// InvalidPiece is information about an invalid piece in the pointer.
+type InvalidPiece struct {
+	NodeID   storj.NodeID
+	PieceNum int32
+	Reason   error
+}
+
+// SelectValidPieces selects pieces that are have correct hashes and match the original limits.
+func (service *Service) SelectValidPieces(ctx context.Context, pointer *pb.Pointer, originalLimits []*pb.OrderLimit) (valid []*pb.RemotePiece, invalid []InvalidPiece, err error) {
+	defer mon.Task()(&ctx)(&err)
+
+	err = service.identities.EnsureCached(ctx, pointer.GetRemote().GetRemotePieces())
+	if err != nil {
+		return nil, nil, Error.Wrap(err)
+	}
+
+	for _, piece := range pointer.GetRemote().GetRemotePieces() {
+		if int(piece.PieceNum) >= len(originalLimits) {
+			return nil, nil, Error.New("invalid piece number")
+		}
+
+		limit := originalLimits[piece.PieceNum]
+		if limit == nil {
+			return nil, nil, Error.New("limit missing for piece")
+		}
+
+		// verify that the piece id, serial number etc. match in piece and limit.
+		if err := VerifyPieceAndLimit(ctx, piece, limit); err != nil {
+			invalid = append(invalid, InvalidPiece{
+				NodeID:   piece.NodeId,
+				PieceNum: piece.PieceNum,
+				Reason:   err,
+			})
+			continue
+		}
+
+		peerIdentity := service.identities.GetCached(ctx, piece.NodeId)
+		if peerIdentity == nil {
+			// This shouldn't happen due to the caching in the start of the func.
+			return nil, nil, Error.New("nil identity returned (%v)", piece.NodeId)
+		}
+		signee := signing.SigneeFromPeerIdentity(peerIdentity)
+
+		// verify the signature
+		err = signing.VerifyPieceHashSignature(ctx, signee, piece.Hash)
+		if err != nil {
+			// TODO: check whether the identity changed from what it was before.
+
+			// Maybe the cache has gone stale?
+			peerIdentity, err := service.identities.GetUpdated(ctx, piece.NodeId)
+			if err != nil {
+				return nil, nil, Error.Wrap(err)
+			}
+			signee := signing.SigneeFromPeerIdentity(peerIdentity)
+
+			// let's check the signature again
+			err = signing.VerifyPieceHashSignature(ctx, signee, piece.Hash)
+			if err != nil {
+				invalid = append(invalid, InvalidPiece{
+					NodeID:   piece.NodeId,
+					PieceNum: piece.PieceNum,
+					Reason:   err,
+				})
+				continue
+			}
+		}
+
+		valid = append(valid, piece)
+	}
+
+	return valid, invalid, nil
+}
+
+// VerifyPieceAndLimit verifies that the piece and limit match.
+func VerifyPieceAndLimit(ctx context.Context, piece *pb.RemotePiece, limit *pb.OrderLimit) (err error) {
+	defer mon.Task()(&ctx)(&err)
+
+	// ensure that we have a hash
+	if piece.Hash == nil {
+		return Error.New("no piece hash. NodeID: %v, PieceNum: %d", piece.NodeId, piece.PieceNum)
+	}
+
+	// verify the timestamp
+	timestamp := piece.Hash.Timestamp
+	if timestamp.Before(time.Now().Add(-pieceHashExpiration)) {
+		return Error.New("piece hash timestamp is too old (%v). NodeId: %v, PieceNum: %d)",
+			timestamp, piece.NodeId, piece.PieceNum,
+		)
+	}
+
+	// verify the piece id
+	if limit.PieceId != piece.Hash.PieceId {
+		return Error.New("piece hash pieceID (%v) doesn't match limit pieceID (%v). NodeID: %v, PieceNum: %d",
+			piece.Hash.PieceId, limit.PieceId, piece.NodeId, piece.PieceNum,
+		)
+	}
+
+	// verify the limit
+	if limit.Limit < piece.Hash.PieceSize {
+		return Error.New("piece hash PieceSize (%d) is larger than order limit (%d). NodeID: %v, PieceNum: %d",
+			piece.Hash.PieceSize, limit.Limit, piece.NodeId, piece.PieceNum,
+		)
+	}
+
+	return nil
+}
--- a/satellite/metainfo/validation.go
+++ b/satellite/metainfo/validation.go
@ -20,7 +20,6 @@ import (
 	"storj.io/common/macaroon"
 	"storj.io/common/pb"
 	"storj.io/common/rpc/rpcstatus"
-	"storj.io/common/signing"
 	"storj.io/common/storj"
 	"storj.io/storj/pkg/auth"
 	"storj.io/storj/satellite/console"
@ -409,38 +408,3 @@ func (endpoint *Endpoint) validateRedundancy(ctx context.Context, redundancy *pb

 	return nil
 }
-
-func (endpoint *Endpoint) validatePieceHash(ctx context.Context, piece *pb.RemotePiece, originalLimit *pb.OrderLimit, signee signing.Signee) (err error) {
-	defer mon.Task()(&ctx)(&err)
-
-	if piece.Hash == nil {
-		return errs.New("no piece hash. NodeID: %v, PieceNum: %d", piece.NodeId, piece.PieceNum)
-	}
-
-	err = signing.VerifyPieceHashSignature(ctx, signee, piece.Hash)
-	if err != nil {
-		return errs.New("piece hash signature could not be verified for node (NodeID: %v, PieceNum: %d): %+v",
-			piece.NodeId, piece.PieceNum, err,
-		)
-	}
-
-	timestamp := piece.Hash.Timestamp
-	if timestamp.Before(time.Now().Add(-pieceHashExpiration)) {
-		return errs.New("piece hash timestamp is too old (%v). NodeId: %v, PieceNum: %d)",
-			timestamp, piece.NodeId, piece.PieceNum,
-		)
-	}
-
-	switch {
-	case originalLimit.PieceId != piece.Hash.PieceId:
-		return errs.New("piece hash pieceID (%v) doesn't match limit pieceID (%v). NodeID: %v, PieceNum: %d",
-			piece.Hash.PieceId, originalLimit.PieceId, piece.NodeId, piece.PieceNum,
-		)
-	case originalLimit.Limit < piece.Hash.PieceSize:
-		return errs.New("piece hash PieceSize (%d) is larger than order limit (%d). NodeID: %v, PieceNum: %d",
-			piece.Hash.PieceSize, originalLimit.Limit, piece.NodeId, piece.PieceNum,
-		)
-	}
-
-	return nil
-}