From 19db2c8a379866d67cb3df66503907eae50c71aa Mon Sep 17 00:00:00 2001 From: sh Date: Fri, 29 May 2026 16:01:38 +0000 Subject: [PATCH 01/33] smp-server: namespaces resolver scaffolding --- plans/20260522_01_smp_public_namespaces.md | 431 ++++++++++++++++++ protocol/simplex-messaging.md | 72 ++- simplexmq.cabal | 9 + src/Simplex/Messaging/Encoding.hs | 1 + src/Simplex/Messaging/Protocol.hs | 148 +++++- src/Simplex/Messaging/Server.hs | 55 ++- src/Simplex/Messaging/Server/Env/STM.hs | 20 +- src/Simplex/Messaging/Server/Main.hs | 62 +++ src/Simplex/Messaging/Server/Main/Init.hs | 19 + src/Simplex/Messaging/Server/Names.hs | 18 + src/Simplex/Messaging/Server/Names/Eth/RPC.hs | 213 +++++++++ .../Messaging/Server/Names/Eth/SNRC.hs | 171 +++++++ .../Messaging/Server/Names/Resolver.hs | 200 ++++++++ src/Simplex/Messaging/Server/Prometheus.hs | 38 +- src/Simplex/Messaging/Server/Stats.hs | 142 +++++- src/Simplex/Messaging/Transport.hs | 10 +- tests/SMPClient.hs | 1 + tests/SMPNamesTests.hs | 266 +++++++++++ tests/Test.hs | 2 + 19 files changed, 1842 insertions(+), 36 deletions(-) create mode 100644 plans/20260522_01_smp_public_namespaces.md create mode 100644 src/Simplex/Messaging/Server/Names.hs create mode 100644 src/Simplex/Messaging/Server/Names/Eth/RPC.hs create mode 100644 src/Simplex/Messaging/Server/Names/Eth/SNRC.hs create mode 100644 src/Simplex/Messaging/Server/Names/Resolver.hs create mode 100644 tests/SMPNamesTests.hs diff --git a/plans/20260522_01_smp_public_namespaces.md b/plans/20260522_01_smp_public_namespaces.md new file mode 100644 index 0000000000..a197635624 --- /dev/null +++ b/plans/20260522_01_smp_public_namespaces.md @@ -0,0 +1,431 @@ +# Server: SMP support for public namespaces + +Implementation plan for Part 2 of [RFC 2026-05-21-public-namespaces](https://github.com/simplex-chat/simplex-chat/blob/ep/namespace/docs/rfcs/2026-05-21-public-namespaces.md). Adds a forwarded-only `RSLV ` SMP command that returns `NAME ` read from the SNRC contract via a Reth+Nimbus JSON-RPC endpoint. Smp-server becomes name-capable by `[NAMES] enable: on`. + +Out of scope: `Simplex.Messaging.Client` API, agent-side resolution flow, `ServerRoles.names` in the agent, default-router list, reverse resolution, multicoin/text records, state proofs. + +## Architecture + +```mermaid +sequenceDiagram + participant C as Client + participant P as Proxy (storage role) + participant N as Name server (names role) + participant E as Ethereum endpoint
(Reth+Nimbus) + + C ->> P: PFWD(enc(RSLV key)) + P ->> N: RFWD(enc(RSLV key)) + note over N: verifyTransmission True →
vc SResolver (RSLV _) → VRVerified + N ->> N: cache lookup + alt cache miss + N ->> E: eth_call(SNRC, namehash(key)) + E -->> N: ABI bytes + note over N: ABI decode + zero-owner check + cache insert + end + N -->> P: RFWD(enc(NAME rec | ERR AUTH)) + P -->> C: PRES(enc(NAME rec | ERR AUTH)) +``` + +RSLV is **forwarded-only** — direct RSLV is rejected `CMD PROHIBITED`. This preserves the RFC's two-server resolution: the name server sees the lookup key but never the client's IP, session, or identity. + +## Protocol + +Shared library: `src/Simplex/Messaging/Protocol.hs` and `src/Simplex/Messaging/Transport.hs`. + +**Version.** `Transport.hs:226`: `namesSMPVersion = VersionSMP 20`. Bump `currentClientSMPRelayVersion`, `currentServerSMPRelayVersion`, `proxiedSMPRelayVersion` to 20. Pre-v20 binaries lack the `RSLV_` tag; v20 binaries with sessions negotiated at v < 20 reject `RSLV_` at the parameter parser. The proxied-version bump 18 → 20 is safe (v19's `RecipientService`/`NotifierService` aren't in the forwarded whitelist; v18's `BLOCKED info` is already version-branched at `Protocol.hs:1943`). + +**Party kind.** Append `Resolver` to `Party` (line 335); add `SResolver` (line 349), `TestEquality` clause (line 361), `PartyI Resolver` (line 394). `queueParty SResolver = Nothing` (falls through line 412). `partyClientRole SResolver = Nothing`. + +**`RSLV` command.** + +```haskell +RSLV :: LookupKey -> Command Resolver +newtype LookupKey = LookupKey ByteString + +instance Encoding LookupKey where + smpEncode (LookupKey s) = smpEncode s + smpP = do + n <- lenP + when (n > 64) $ fail "LookupKey too large" + LookupKey <$> A.take n +``` + +Name-syntax validation is client-side per RFC; the server treats the key as opaque bytes. Tag `"RSLV"`, version guard inside `protocolP v (CT SResolver RSLV_)`: `| v >= namesSMPVersion -> Cmd SResolver . RSLV <$> _smpP`. + +**Testnet/mainnet selector**: how the `#testnet:name` namespace appears in `LookupKey` bytes is determined by the SNRC contract (Part 1) — confirm with Part 1 before merging. + +**`NAME` response.** + +```haskell +NAME :: NameRecord -> BrokerMsg +``` + +Tag `"NAME"`. Symmetric version guards on encode (in `encodeProtocol v`) and decode (in `protocolP v NAME_`): `| v >= namesSMPVersion -> ...`. `NameRecord` has **no `Encoding` typeclass instance** — the typeclass cannot version-branch. Use top-level helpers `nameRecBytes :: VersionSMP -> NameRecord -> ByteString` and `parseNameRec :: VersionSMP -> Parser NameRecord`, mirroring the `IDS QIK` precedent at `Protocol.hs:1912–1979`. + +**`NameRecord` schema and wire layout.** + +```haskell +data NameRecord = NameRecord + { nrDisplayName :: Text -- ≤255 bytes UTF-8 + , nrOwner :: NameOwner -- 20 raw bytes + , nrChannelLinks :: [NameLink] + , nrContactLinks :: [NameLink] + , nrAdminAddress :: Maybe Text + , nrAdminEmail :: Maybe Text + , nrExpiry :: Int64 -- Unix seconds, ≥ 0 + , nrIsTest :: Bool + } + +newtype NameOwner = NameOwner ByteString -- bare ctor NOT exported; smart ctor enforces length 20 +newtype NameLink = NameLink Text -- bare ctor NOT exported; smart ctor enforces ≤1024 bytes + +unNameOwner :: NameOwner -> ByteString +unNameOwner (NameOwner bs) = bs + +unNameLink :: NameLink -> Text +unNameLink (NameLink t) = t +``` + +Field additions are gated by future SMP version bumps (matching the `IDS QIK` precedent at `Protocol.hs:1912–1979`) — no separate record-version field. + +| Field | Encoding | Max bytes | +|---|---|---| +| `nrDisplayName` | 1-byte length prefix + UTF-8 | 1 + 255 | +| `nrOwner` | 20 raw bytes, no prefix | 20 | +| `nrChannelLinks`, `nrContactLinks` | 1-byte count + per-element (Word16 BE len + UTF-8); combined cap **8 entries** across both lists | 1 + Σ(2 + ≤1024) | +| `nrAdminAddress`, `nrAdminEmail` | `'0'` or `'1'` + (1-byte length + UTF-8 if `'1'`) | 1 + 1 + 255 | +| `nrExpiry` | two big-endian `Word32` | 8 | +| `nrIsTest` | `'T'` or `'F'` | 1 | + +`Encoding NameLink` reads the Word16 length **before** `A.take` allocates — going through the existing `Large` wrapper allows up to 65 535 bytes per element. There is no `Encoding [a]` instance — use `smpEncodeList` / `smpListP` / a bounded variant: + +```haskell +smpListPUpTo :: Encoding a => Int -> Parser [a] +smpListPUpTo cap = do + n <- lenP + when (n > cap) $ fail "list too long" + A.count n smpP + +parseNameRec _v = do + nrDisplayName <- smpP + nrOwner <- smpP + nrChannelLinks <- smpListPUpTo 8 + nrContactLinks <- smpListPUpTo (8 - length nrChannelLinks) + nrAdminAddress <- smpP + nrAdminEmail <- smpP + nrExpiry <- smpP + when (nrExpiry < 0) $ fail "expiry must be non-negative" + nrIsTest <- smpP + pure NameRecord{..} +``` + +Both list parsers fail at the count step before allocating; the second inherits the residual budget. Canonical encoding by construction: every primitive has exactly one valid byte form — two name servers reading the same SNRC state produce byte-identical responses. + +**Wire-size budget.** `paddedProxiedTLength = 16226` is the plaintext input to `cbEncrypt` (`Server.hs:2117`); `pad` reserves 2 bytes → framed transmission ≤ 16 224 bytes. Combined-link cap 8 yields max payload ≈ 9 050 bytes — generous margin. + +**Error semantics.** A single wire code: `ERR AUTH`. Per RFC, this collapses every failure (name not found, malformed key, names disabled, RPC unreachable, decode error, timeout). Resolver internally distinguishes the cause for stats only. + +**Forwarded-only access.** Direct RSLV is rejected with `CMD PROHIBITED`. The shape of `THAuthServer` alone cannot discriminate direct from forwarded (`Transport.hs:852` sets `sessSecret' = Just _` for every v6+ direct client too). An explicit `forwarded :: Bool` flag is threaded through `verifyTransmission` (see below). + +## Server changes + +All edits in `src/Simplex/Messaging/Server.hs`. + +**`forwarded :: Bool` plumbing.** Three signatures change: + +- `verifyTransmission :: Bool -> ...` (line 1233) — direct path passes `False` (lines 1152–1153), forwarded path passes `True` (line 2129). +- `verifyLoadedQueue :: Bool -> ...` (line 1238) — receives the flag from `verifyTransmission` (lines 1235, 1240). +- `verifyQueueTransmission :: Bool -> ...` (line 1244) — receives and uses the flag. + +New `vc` clauses inside `verifyQueueTransmission`: + +```haskell +vc SResolver (RSLV _) | forwarded = VRVerified Nothing + | otherwise = VRFailed (CMD PROHIBITED) +vc SResolver _ = VRFailed (CMD PROHIBITED) -- defensive catch-all +``` + +**Forwarded whitelist** (`Server.hs:2132`): + +```haskell +Cmd SResolver (RSLV _) -> True +``` + +**`processCommand` branch** (alongside line 1481): + +```haskell +Cmd SResolver (RSLV (LookupKey key)) -> do + st <- asks (rslvStats . serverStats) + incStat (rslvReqs st) + asks namesEnv >>= \case + Nothing -> incStat (rslvDisabled st) $> response (corrId, NoEntity, ERR AUTH) + Just nenv -> liftIO (resolveName nenv key) >>= \case + Right rec -> incStat (rslvSucc st) $> response (corrId, NoEntity, NAME rec) + Left NotFound -> incStat (rslvNotFound st) $> response (corrId, NoEntity, ERR AUTH) + Left _ -> incStat (rslvEthErrs st) $> response (corrId, NoEntity, ERR AUTH) +``` + +**Shutdown.** Add `closeNamesEnv :: NamesEnv -> IO ()` calling `closeManager`. Wire into `closeServer` (`Server.hs:247`): + +```haskell +closeServer = do + asks (smpAgent . proxyAgent) >>= liftIO . closeSMPClientAgent + asks namesEnv >>= liftIO . mapM_ closeNamesEnv +``` + +In-flight `resolveName` calls during shutdown receive `ConnectionClosed` → `EthHttpErr` → masked-leader cleanup runs → waiters unblock with `ERR AUTH`. + +**`incStat` relocation.** Defined at `Server.hs:2220`, currently unexported. Move to `Server/Stats.hs` (one-line transplant + export) so `Resolver.hs` can use it. + +**Co-located proxy refused.** `newEnv` aborts startup if both `allowSMPProxy = True` and `namesConfig = Just _`, unless `allow_dangerous_colocation = on`. RSLV is the first slow forwarded command; on a proxy host it can serialise other forwarded commands on the same proxy-relay session up to `rpcTimeoutMs` per cache miss. `forkForwardedCmd` async dispatch is the longer-term fix, tracked as a follow-up. + +## Resolver subtree + +New module tree at `src/Simplex/Messaging/Server/Names/`: + +| Module | Contents | +|---|---| +| `Names.hs` | Façade — re-exports `NamesConfig`, `NamesEnv`, `ResolveError`, `resolveName`, `newNamesEnv`, `closeNamesEnv`. | +| `Names/Resolver.hs` | All types + cache + in-flight + `resolveName`. Helpers exported directly (no `.Internal` per codebase convention). **Test seam**: `NamesEnv` holds `ethCall` as a function value, so tests construct stubs via `newNamesEnvWith`. | +| `Names/Eth/RPC.hs` | `EthRpcEnv`; `ethCallReal` via `http-client` + `withResponse` + `brReadSome rpcMaxResponseBytes`. JSON-RPC error / HTTP error split. `rpcMaxConcurrency` semaphore. `Authorization` header from `rpcAuth`. | +| `Names/Eth/SNRC.hs` | `EthAddress`, Keccak-256 namehash via `crypton`'s `Crypto.Hash.Algorithms.Keccak_256` (mirroring `Crypto.hs:1023–1025` for SHA3), hand-rolled bounded Solidity ABI codec, `getRecord` with zero-owner detection. **Ethereum's Keccak ≠ NIST SHA3-256.** | + +**ABI codec invariants**, enforced before any allocation: `offset + 32 ≤ buf.length`; `offset + 32 + length ≤ buf.length`; `offset ≥ headEnd` (no backward jumps); every length ≤ per-field cap; `string[]` outer length × 32 ≤ buf.length; recursion depth ≤ 2; `uint256 → Int64` rejects if any high 24 bytes non-zero; UTF-8 via `decodeUtf8'` returns `EthDecodeErr`. + +**Zero-owner → `NotFound`**: ENS-style resolvers return zeroed records for non-existent names. After ABI decode, if `nrOwner == NameOwner (B.replicate 20 0)` return `Left NotFound`. + +**Errors.** + +```haskell +data ResolveError = NotFound | EthHttpErr | EthRpcErr { rpcCode :: Int, rpcMessage :: Text } + | EthDecodeErr | TimedOut +``` + +All collapse to `ERR AUTH`. `EthRpcErr` carries JSON-RPC `error` object — method-not-found (SNRC not deployed at `snrc_address`) is logged immediately on the first error after a recent success: `logError "NAMES: JSON-RPC error from endpoint — check snrc_address: "`. No automatic retry. + +**Cache.** TTL + FIFO eviction. `TVar (OrdPSQ LookupKey Word64 NameRecord, Int)` — priority = monotonic-ns at insert; the `Int` is running byte count. `cacheLookup` is one STM transaction (read, expiry-check, expired-delete-with-byte-decrement). `cacheInsert` is one STM transaction: while `size > cacheMaxEntries` OR `bytes + sizeOf(rec) > cacheMaxBytes`, `minView` to drop oldest, then `insert`. Byte counter prevents `100 000 × 9 KB ≈ 900 MB` worst-case blow-up. + +**Request coalescing** (async-exception safe via `E.mask`): + +```haskell +resolveName env bs = do + let k = LookupKey bs + now <- getMonotonicTimeNSec + atomically (cacheLookup env k now) >>= \case + Just rec -> incStat (rslvCacheHits ...) $> Right rec + Nothing -> do + incStat (rslvCacheMiss ...) + ticket <- atomically $ TM.lookup k (inflight env) >>= \case + Just mv -> pure (Waiter mv) + Nothing -> newEmptyTMVar >>= \mv -> TM.insert k mv (inflight env) $> Leader mv + case ticket of + Waiter mv -> atomically (readTMVar mv) + Leader mv -> E.mask $ \restore -> do + r <- restore (fetchOnceTimed env bs) + `E.catch` \(e :: E.SomeException) -> pure (Left (mapEthErr e)) + atomically $ putTMVar mv r >> TM.delete k (inflight env) + case r of Right rec -> atomically (cacheInsert env k now rec); Left _ -> pure () + pure r + +fetchOnceTimed env bs = + System.Timeout.timeout (rpcTimeoutMs (config env) * 1000) (fetchOnce env bs) >>= \case + Just r -> pure r + Nothing -> pure (Left TimedOut) +``` + +`E.mask` ensures `putTMVar + TM.delete` runs even on async exception; `fetchOnceTimed` runs under `restore` so it remains interruptible. Waiters always see a value; the in-flight TMap entry is always removed. + +`fetchOnce`, `mapEthErr`, `scrubUrl`, `cacheLookup`, `cacheInsert` are internal to `Resolver.hs`. `getMonotonicTimeNSec` from `GHC.Clock` — first monotonic-clock use in the codebase; clock-jump safe. + +**STM contention.** Cache hits are read-only `readTVar` — STM scales. Cache writes under sustained miss traffic can retry; `CacheSpec` asserts < 5% retry at 4 readers + 1 writer @ 1k RPS. If observed higher, swap `TVar` for `IORef` + `atomicModifyIORef'`. + +**Multicoin and text records** are not in `NameRecord`. If Part 1 contract returns them from `getRecord`, extend `NameRecord` and the wire-size budget. **Confirm with Part 1 author before implementing `Eth/SNRC.hs`.** + +## Configuration + +`ServerConfig` (`Env/STM.hs:142`) gains one field `namesConfig :: Maybe NamesConfig`. `Env` (`Env/STM.hs:261`) gains `namesEnv :: Maybe NamesEnv`. `newEnv` constructs it after `proxyAgent` (line 605) with the co-location guard. + +```haskell +data NamesConfig = NamesConfig + { ethereumEndpoint :: Text -- http(s), no userinfo, explicit port required + , snrcAddress :: NameOwner -- 20 bytes + , rpcAuth :: Maybe RpcAuth -- required when https & non-loopback host + , cacheSeconds :: Int -- 300 + , cacheMaxEntries :: Int -- 100000 + , cacheMaxBytes :: Int -- 67108864 (64 MB) + , rpcTimeoutMs :: Int -- 3000 + , rpcMaxResponseBytes :: Int -- 262144 (256 KB) + , rpcMaxConcurrency :: Int -- 8 + , dangerousColocation :: Bool -- override the §"Server changes" startup guard + } + +data RpcAuth = AuthBearer Text | AuthBasic Text Text +``` + +INI parsing in `Server/Main.hs`: + +- `validateUrl` (using new `network-uri` dep): accepts only http(s), non-empty host, **explicit port** (rejects `http://localhost` defaulting to 80 while Reth is on 8545), no userinfo, no query/fragment. Rejects `https://...` without `rpc_auth` when host is non-loopback. On rejection: `logError` + `exitFailure`. +- `parseEthAddr`: accepts `0x[0-9a-fA-F]{40}` and the same without `0x`. Mixed-case → verify EIP-55 checksum and reject mismatch (catches typos). +- `parseRpcAuth`: reads optional `rpc_auth` key; format `bearer ` or `basic :`. +- `scrubUrl`: strips userinfo from all log lines mentioning the endpoint, including inside `mapEthErr`. +- Transition-aware error logging: log immediately on first error after a recent success, then at most hourly while persisting + summary at every stats reset. + +Default INI template (`Server/Main/Init.hs`, after `[PROXY]`): + +``` +[NAMES] +# Public-namespace resolution (SNRC on Ethereum). +# Requires an Ethereum JSON-RPC endpoint (Reth+Nimbus). See deployment guide. +# Cannot be combined with [PROXY] enable: on by default — see allow_dangerous_colocation. +# Restart required to change settings. +enable: off +# Same-host: +# ethereum_endpoint: http://127.0.0.1:8545 +# Central Reth via Caddy: +# ethereum_endpoint: https://eth.simplex.chat:443 +# rpc_auth: basic : +# snrc_address: 0x0000000000000000000000000000000000000000 +# cache_seconds: 300 +# cache_max_entries: 100000 +# cache_max_bytes: 67108864 +# rpc_timeout_ms: 3000 +# rpc_max_response_bytes: 262144 +# rpc_max_concurrency: 8 +# allow_dangerous_colocation: off +``` + +Upgrade from a pre-v6.6 INI: missing `[NAMES]` section → disabled. No operator action required. + +## Operator deployment + +Two supported topologies. smp-server is agnostic — only `ethereum_endpoint` changes. + +**Topology A (same-host)**: smp-server, Caddy (optional), Reth, Nimbus all on one box. `ethereum_endpoint: http://127.0.0.1:8545`. + +**Topology B (central Reth, N smp-server hosts — recommended for fleets)**: one operator runs one eth host with Reth+Nimbus behind Caddy on public HTTPS. Each smp-server has its own credential. + +```mermaid +flowchart LR + subgraph eth-host + Caddy["Caddy
(public :443, basic auth)"] + Reth["Reth
(127.0.0.1:8545)"] + Nimbus["Nimbus"] + Caddy --> Reth + Nimbus -- Engine API (jwt.hex) --> Reth + end + subgraph smp-host-1 + S1["smp-server #1"] + end + subgraph smp-host-N + SN["smp-server #N"] + end + S1 -- HTTPS + Authorization --> Caddy + SN -- HTTPS + Authorization --> Caddy + Reth <-- Ethereum p2p --> internet + Nimbus <-- beacon sync --> internet +``` + +Sharing one Reth across **multiple operators** is **not** supported — collapses the RFC's two-server resolution privacy. + +**Reth + Nimbus**: Reth (execution layer) holds Ethereum state on ~260 GB pruned NVMe; Nimbus (consensus light client) follows beacon-chain headers. Paired via Engine API on `127.0.0.1:8551` with a shared `jwt.hex`. Recommended Reth flags: + +```bash +reth node \ + --http.addr 127.0.0.1 \ + --http.api eth \ # only eth namespace + --rpc.gascap 50000000 \ # cap gas per eth_call + --rpc.max-response-size 5242880 \ # 5 MB + --http.corsdomain none \ + --authrpc.jwtsecret /opt/eth/jwt.hex \ + --authrpc.addr 127.0.0.1 --authrpc.port 8551 +``` + +**Caddy + Let's Encrypt + Basic auth** (Topology B): + +```caddy +eth.simplex.chat { + basicauth { + smp-server-1 $2a$14$ + smp-server-2 $2a$14$ + } + log { format filter { wrap json; fields { request>headers>Authorization delete } } } + reverse_proxy 127.0.0.1:8545 +} +``` + +Caddy auto-fetches Let's Encrypt cert. Each smp-server has its own credential; revoking one = delete the line. `Authorization` stripped from access logs. Port 80 needed for the ACME HTTP-01 challenge (use TLS-ALPN-01 or DNS-01 to drop it). The threat being defended against is DoS (SNRC state is public); mTLS would be overkill. WireGuard/Tailscale are alternative network-layer approaches — both compatible with the plan. + +**Capacity.** One Reth+Nimbus box handles a realistic operator fleet by 10–1000× margin. Per-smp-server peak RSLV ≈ 1700 RPS (pessimistic); cache hit rate ≥ 95% → ~85 RPS cache miss per smp-server; 10 smp-servers → ~850 RPS aggregate cache miss reaching Reth; Reth `eth_call` throughput on warm NVMe ≈ 1k–10k RPS. Sizing: 8 vCPU, 32 GB RAM, 1 TB NVMe is comfortable. Scale-out path: more Reth+Nimbus pairs, smp-servers round-robin or shard. + +## Implementation + +**Order**: + +1. Protocol: party/SParty/PartyI, RSLV+tag, NAME+tag, NameRecord + helpers, version constants in `Transport.hs`. +2. `verifyTransmission`/`verifyLoadedQueue`/`verifyQueueTransmission` `forwarded :: Bool` flag + `vc SResolver` clauses. +3. Forwarded whitelist + `processCommand` branch + `incStat` move to `Stats.hs`. +4. Env plumbing: `Server/Env/STM.hs`, `Server/Main.hs` INI parse, `Server/Main/Init.hs` template. +5. Resolver subtree: `Eth/SNRC.hs` → `Eth/RPC.hs` → `Resolver.hs`. +6. `NameResolverStats` sub-record + CSV log + Prometheus `names =` block. +7. Replace stub in (3) with real `resolveName`. +8. Tests. +9. `protocol/simplex-messaging.md`: header version line 1 (`19 → 20`), sentence at line 86, version-history list (lines 93–105) v20 entry, TOC (lines 25–68) "Resolver commands" subsection, new section with ABNF + byte layout + error semantics, "Router security requirements" paragraph about names-role outbound HTTP, cross-ref `Transport.hs:226`. +10. `CHANGELOG.md`: v6.6 entry. + +**Cabal** (`simplexmq.cabal`): bump `version: 6.6.0.0`. Add to `if !flag(client_library)` block: `http-client >=0.7 && <0.8`, `http-client-tls >=0.3 && <0.4`, `network-uri >=2.6 && <2.7`, `psqueues >=0.2.7 && <0.3`. Expose 4 new `Server.Names.*` modules in the same block. `crypton` already provides `Keccak_256`. + +**Files changed**: + +| File | Change | +|---|---| +| `Protocol.hs` | Resolver party + RSLV/NAME tags + version guards; `NameRecord` + newtypes + smart ctors; `nameRecBytes`/`parseNameRec`/`smpListPUpTo` helpers (no Encoding NameRecord instance); `LookupKey` parser-side cap | +| `Transport.hs` | `namesSMPVersion = 20`; bump current/proxied SMP versions | +| `Server.hs` | Thread `forwarded :: Bool`; `vc SResolver` clauses; whitelist (2132); Resolver branch in `processCommand` (1481); `closeServer` calls `closeNamesEnv`; CSV log (579–618); **remove** local `incStat` | +| `Server/Env/STM.hs` | `namesConfig` field; `namesEnv` field; `newEnv` constructs `NamesEnv` with co-location guard | +| `Server/Main.hs` | `[NAMES]` parse: `validateUrl`/`parseEthAddr`/`parseRpcAuth`; `scrubUrl` in logs | +| `Server/Main/Init.hs` | `[NAMES]` block in default INI | +| `Server/Stats.hs` | `incStat` moved here + exported; `NameResolverStats` sub-record + helpers; `rslvStats` field | +| `Server/Prometheus.hs` | `names =` metric block | +| `Server/Names.hs` (new) | Façade re-exports | +| `Server/Names/Resolver.hs` (new) | All resolver types + cache + coalescing + `fetchOnceTimed` + `newNamesEnv[With]` + `closeNamesEnv` | +| `Server/Names/Eth/RPC.hs` (new) | `EthRpcEnv`, `ethCallReal` with bounded body + concurrency semaphore + `Authorization` header | +| `Server/Names/Eth/SNRC.hs` (new) | `EthAddress`, Keccak namehash, bounded ABI (8 invariants), `getRecord` with zero-owner detection | +| `simplexmq.cabal` | Bump `6.6.0.0`; 4 new deps + 4 new modules in `if !flag(client_library)` block | +| `protocol/simplex-messaging.md` | Header version, version-history v20 entry, new "Resolver commands" section | +| `CHANGELOG.md` | v6.6 entry | + +## Testing + +`tests/SMPNamesTests/` registered in `tests/Test.hs:112–151`. Build only when `client_library = False`. + +1. **ProtocolEncodingSpec** — `nameRecBytes` ↔ `parseNameRec` round-trip; oversized fields rejected at parse; combined-list cap 8 enforced; negative `nrExpiry` rejected; canonical encoding byte-stable. +2. **MaxSizeSpec** — max `NameRecord` encodes ≤ ~9 KB; `encodeTransmission v ≤ paddedProxiedTLength - 2`; `cbEncrypt` succeeds. +3. **CommandTagSpec** — `"RSLV"`/`"NAME"` parse; v < 20 sessions reject `RSLV_` at parameter parser. +4. **ForwardedGateSpec** — direct RSLV → `CMD PROHIBITED`; forwarded RSLV reaches handler. +5. **ForwardedRslvSpec** — RSLV wrapped in PFWD reaches the handler end-to-end. **Test infra cost**: first protocol-level PFWD test; budget for `runProxiedSmpCommand` helper performing `PRXY`/`PKEY`/`PFWD` manually. +6. **CacheSpec** — hit avoids RPC; TTL expiry forces re-fetch; bytes cap evicts before entries cap on large records; concurrent same-key callers issue one RPC; leader exception → all waiters get `Left _`, TMap entry removed; leader async-cancel → cleanup STM still runs. +7. **AbiSpec** — encode/decode against pinned fixtures (`tests/fixtures/snrc/`); QuickCheck fuzz on random buffers ≤ `rpcMaxResponseBytes` must never crash. +8. **NamehashSpec** — Keccak-256 reference vectors; assert Keccak ≠ SHA3-256. +9. **MockRpcSpec** — fake HTTP server; missing → `EthHttpErr`; slow → `TimedOut`; multi-GB body truncated → `EthDecodeErr`. `rpcAuth = AuthBasic` sends correct header. +10. **Uint256OverflowSpec** — `expiry > Int64.maxBound` → `EthDecodeErr`. +11. **ZeroOwnerSpec** — `owner = 0x000...000` → `NotFound`. +12. **StartupGuardSpec** — `allowSMPProxy + names.enable` aborts; `allow_dangerous_colocation = on` starts with warning. +13. **UrlValidationSpec** — userinfo/scheme/host/port edge cases; rejects `https://` without `rpc_auth` for non-loopback. +14. **EipChecksumSpec** — `parseEthAddr` accepts lower/upper; verifies mixed-case checksum; rejects typos. +15. **AbiBoundsSpec** — each of 8 ABI invariants triggers `EthDecodeErr` without crash/allocation blow-up. + +Integration against real Reth+Nimbus mainnet deferred to ops. + +## Threat model, scope, coordination + +| Actor | Can | Cannot | +|---|---|---| +| Name server | See lookup-key bytes; see query timing; see Eth endpoint URL (operator-self) | See client IP/session; correlate clients across queries | +| Compromised Eth endpoint | Poison this server's cache for one TTL window; see every lookup key the server queries | Bypass two-server agreement (client-side, out of scope) | +| Adversarial client (high-rate unique keys) | Cache-thrash DoS; fill `Manager` connection pool up to `managerConnCount = 8` | Bypass `rpcMaxResponseBytes` or `fetchOnceTimed` | +| Adversarial proxy (slow inner RSLVs) | Block other forwarded commands on that proxy connection up to `rpcTimeoutMs` per miss | Affect other proxy connections | +| Operator with footgun config (https no auth, public Eth RPC) | (rejected at startup, or operator-acknowledged data leak) | — | + +Mitigations: caching + coalescing + `rpcTimeoutMs` + `rpcMaxResponseBytes` + `rpcMaxConcurrency`; co-location refused at startup; URL validation; Caddy + auth in front of Reth; Reth's own gas/size caps. Timing side-channels (cache-hit vs miss latency) not mitigated — flagged for post-MVP. State proofs deferred to post-MVP per RFC. + +**Cross-repo coordination.** The `simplex-chat` `ep/namespace` branch currently contains only the RFC commit — no agent-side wire-format code yet. This plan's wire format is validated only by simplexmq's own tests until a matching agent PR lands (structurally weak — encoder/decoder bugs are mutually consistent with themselves). Coordinate with the agent-side implementer **before merging** on: exact `NameRecord` field order and types; `LookupKey` namespace-prefix convention; error-code semantics; Part 1 SNRC contract `getRecord` ABI surface. diff --git a/protocol/simplex-messaging.md b/protocol/simplex-messaging.md index f1d1f77ce4..aa01974d82 100644 --- a/protocol/simplex-messaging.md +++ b/protocol/simplex-messaging.md @@ -1,4 +1,4 @@ -Version 19, 2025-01-24 +Version 20, 2026-05-25 # Simplex Messaging Protocol (SMP) @@ -67,6 +67,9 @@ Version 19, 2025-01-24 - [Queue deleted notification](#queue-deleted-notification) - [Error responses](#error-responses) - [OK response](#ok-response) + - [Resolver commands](#resolver-commands) + - [Resolve name command](#resolve-name-command) + - [Name record response](#name-record-response) - [Transport connection with the SMP router](#transport-connection-with-the-SMP-router) - [General transport protocol considerations](#general-transport-protocol-considerations) - [TLS transport encryption](#tls-transport-encryption) @@ -83,7 +86,7 @@ It's designed with the focus on communication security and integrity, under the It is designed as a low level protocol for other application protocols to solve the problem of secure and private message transmission, making [MITM attack][1] very difficult at any part of the message transmission system. -This document describes SMP protocol version 19. Versions 1-5 are discontinued. The version history: +This document describes SMP protocol version 20. Versions 1-5 are discontinued. The version history: - v1: binary protocol encoding - v2: message flags (used to control notifications) @@ -103,6 +106,7 @@ This document describes SMP protocol version 19. Versions 1-5 are discontinued. - v17: create notification credentials with NEW command - v18: support client notices in BLOCKED error - v19: service subscriptions to messages (SUBS, NSUBS, SOKS, ENDS, ALLS commands) +- v20: public namespaces resolver (RSLV command, NAME response) — forwarded-only via PFWD ## Introduction @@ -424,6 +428,8 @@ Simplex messaging router implementations MUST NOT create, store or send to any o - Any other information that may compromise privacy or [forward secrecy][4] of communication between clients using simplex messaging routers (the routers cannot compromise forward secrecy of any application layer protocol, such as double ratchet). +Routers with the names role make outbound JSON-RPC calls to an Ethereum endpoint to read `NameRecord` data; the lookup key reaches that endpoint. Operators MUST run the endpoint themselves (loopback Reth + Nimbus, or a self-hosted central deployment) — sharing one endpoint across multiple operators collapses the two-server privacy property because the endpoint operator would see every lookup key across all of them. The names role and the SMP-proxy role MUST NOT be enabled on the same router by default; a slow `RSLV` cache miss can serialise other forwarded commands on the same proxy-relay session. + ## Message delivery notifications Supporting message delivery while the client mobile app is not running requires sending push notifications with the device token. All alternative mechanisms for background message delivery are unreliable, particularly on iOS platform. @@ -1422,6 +1428,68 @@ When the command is successfully executed by the router, it should respond with ok = %s"OK" ``` +### Resolver commands + +Resolver commands implement public-namespace name resolution on the names-role +router. A names router translates an opaque lookup key (such as `alice` or +`alice.simplex.eth`) into a `NameRecord` carrying the channel and contact links +the named party publishes. + +**Forwarded-only.** RSLV is only valid when delivered inside a `PFWD` block via +the SMP proxy. A direct `RSLV` from a transport client is rejected with +`ERR CMD PROHIBITED`. This preserves the two-server privacy property of the +resolver design: the names router sees the lookup key but never the client IP, +session, or identity; the proxy router sees the client connection but cannot +read the encrypted lookup key inside the forwarded transmission. + +**Backing store.** This protocol does not prescribe where the names router +reads `NameRecord` from. The reference implementation queries the SNRC contract +on Ethereum via a JSON-RPC endpoint; alternative backings (different chains, +DHT, etc.) are valid as long as they return a `NameRecord` matching the encoding +below. + +#### Resolve name command + +```abnf +rslv = %s"RSLV" SP lookupKey +lookupKey = length *OCTET ; 1-byte length prefix, up to 64 bytes +``` + +Name-syntax validation (lowercase, namespace prefixes such as `#testnet:`, +length policy) is a client-side concern. The names router treats the lookup +key as opaque bytes. + +The names router responds with either a `NAME` response carrying the resolved +record, or `ERR AUTH` collapsing every failure mode (name not found, malformed +key, names role disabled, RPC unreachable, decode error, timeout). The wire +code does not distinguish between these — stats counters MAY be exposed +out-of-band for operator observability. + +#### Name record response + +```abnf +name = %s"NAME" SP nameRecord + +nameRecord = displayName owner channelLinks contactLinks adminAddr adminEmail expiry isTest +displayName = length *OCTET ; 1-byte length prefix, up to 255 bytes UTF-8 +owner = 20OCTET ; raw 20-byte Ethereum-style address +channelLinks = count *nameLink ; count is a 1-byte unsigned integer +contactLinks = count *nameLink ; combined count of channelLinks + contactLinks ≤ 8 +nameLink = length16 *OCTET ; 2-byte big-endian length, up to 1024 bytes UTF-8 +adminAddr = optionalText ; "0" absent or "1" + 1-byte length + UTF-8 up to 255 bytes +adminEmail = optionalText ; same encoding as adminAddr +expiry = 8OCTET ; Int64 big-endian, Unix seconds, MUST be ≥ 0 +isTest = "T" / "F" +``` + +The encoding is canonical: every primitive has exactly one valid byte form, so +two names routers reading the same backing state produce byte-identical +responses. + +**Wire-size budget.** A maximal `nameRecord` (8 links × 1024 bytes + maximal +admin / display strings) fits comfortably within the SMP proxied transmission +budget of 16224 bytes. + ## Transport connection with the SMP router ### General transport protocol considerations diff --git a/simplexmq.cabal b/simplexmq.cabal index 070f680303..15bad9c3e6 100644 --- a/simplexmq.cabal +++ b/simplexmq.cabal @@ -261,6 +261,10 @@ library Simplex.Messaging.Server.MsgStore.Journal.SharedLock Simplex.Messaging.Server.MsgStore.STM Simplex.Messaging.Server.MsgStore.Types + Simplex.Messaging.Server.Names + Simplex.Messaging.Server.Names.Eth.RPC + Simplex.Messaging.Server.Names.Eth.SNRC + Simplex.Messaging.Server.Names.Resolver Simplex.Messaging.Server.NtfStore Simplex.Messaging.Server.Prometheus Simplex.Messaging.Server.QueueStore @@ -355,9 +359,13 @@ library build-depends: case-insensitive ==1.2.* , hashable ==1.4.* + , http-client >=0.7 && <0.8 + , http-client-tls >=0.3 && <0.4 , ini ==0.4.1 + , network-uri >=2.6 && <2.7 , optparse-applicative >=0.15 && <0.17 , process ==1.6.* + , psqueues >=0.2.7 && <0.3 , temporary ==1.3.* , wai >=3.2 && <3.3 , wai-app-static >=3.1 && <3.2 @@ -508,6 +516,7 @@ test-suite simplexmq-test ServerTests SMPAgentClient SMPClient + SMPNamesTests SMPProxyTests Util XFTPAgent diff --git a/src/Simplex/Messaging/Encoding.hs b/src/Simplex/Messaging/Encoding.hs index d069e5518a..b5b51ab900 100644 --- a/src/Simplex/Messaging/Encoding.hs +++ b/src/Simplex/Messaging/Encoding.hs @@ -15,6 +15,7 @@ module Simplex.Messaging.Encoding smpEncodeList, smpListP, lenEncode, + lenP, ) where diff --git a/src/Simplex/Messaging/Protocol.hs b/src/Simplex/Messaging/Protocol.hs index fa58d88439..e1f8f54d10 100644 --- a/src/Simplex/Messaging/Protocol.hs +++ b/src/Simplex/Messaging/Protocol.hs @@ -163,6 +163,18 @@ module Simplex.Messaging.Protocol EncTransmission (..), FwdResponse (..), FwdTransmission (..), + LookupKey (..), + unLookupKey, + NameRecord (..), + NameOwner, + mkNameOwner, + unNameOwner, + NameLink, + mkNameLink, + unNameLink, + nameRecBytes, + parseNameRec, + smpListPUpTo, MsgFlags (..), initialSMPClientVersion, currentSMPClientVersion, @@ -225,6 +237,7 @@ where import Control.Applicative (optional, (<|>)) import Control.Exception (Exception, SomeException, displayException, fromException) +import Control.Monad (when) import Control.Monad.Except import Data.Aeson (FromJSON (..), ToJSON (..)) import qualified Data.Aeson as J @@ -250,7 +263,7 @@ import Data.Maybe (isJust, isNothing) import Data.String import Data.Text (Text) import qualified Data.Text as T -import Data.Text.Encoding (decodeLatin1, encodeUtf8) +import Data.Text.Encoding (decodeLatin1, decodeUtf8', encodeUtf8) import Data.Time.Clock.System (SystemTime (..), systemToUTCTime) import Data.Type.Equality import Data.Word (Word8, Word16) @@ -343,6 +356,7 @@ data Party | LinkClient | ProxiedClient | ProxyService + | Resolver deriving (Show) -- | Singleton types for SMP protocol clients @@ -357,6 +371,7 @@ data SParty :: Party -> Type where SSenderLink :: SParty LinkClient SProxiedClient :: SParty ProxiedClient SProxyService :: SParty ProxyService + SResolver :: SParty Resolver instance TestEquality SParty where testEquality SCreator SCreator = Just Refl @@ -369,6 +384,7 @@ instance TestEquality SParty where testEquality SSenderLink SSenderLink = Just Refl testEquality SProxiedClient SProxiedClient = Just Refl testEquality SProxyService SProxyService = Just Refl + testEquality SResolver SResolver = Just Refl testEquality _ _ = Nothing deriving instance Show (SParty p) @@ -395,6 +411,8 @@ instance PartyI ProxiedClient where sParty = SProxiedClient instance PartyI ProxyService where sParty = SProxyService +instance PartyI Resolver where sParty = SResolver + -- command parties that can read queues type family QueueParty (p :: Party) :: Constraint where QueueParty Recipient = () @@ -473,6 +491,7 @@ partyClientRole = \case SSenderLink -> Just SRMessaging SProxiedClient -> Just SRMessaging SProxyService -> Just SRProxy + SResolver -> Nothing {-# INLINE partyClientRole #-} partyServiceRole :: ServiceParty p => SParty p -> SMPServiceRole @@ -550,6 +569,21 @@ type LinkId = QueueId -- | SMP queue ID on the server. type QueueId = EntityId +-- | Name lookup key — opaque bytes; namespace/casing per RFC enforced client-side. +newtype LookupKey = LookupKey ByteString + deriving (Eq, Show) + +unLookupKey :: LookupKey -> ByteString +unLookupKey (LookupKey s) = s +{-# INLINE unLookupKey #-} + +instance Encoding LookupKey where + smpEncode (LookupKey s) = smpEncode s + smpP = do + n <- lenP + when (n > 64) $ fail "LookupKey too long" + LookupKey <$> A.take n + -- | Parameterized type for SMP protocol commands from all clients. data Command (p :: Party) where -- SMP recipient commands @@ -597,6 +631,8 @@ data Command (p :: Party) where -- - entity ID: empty -- - corrId: unique correlation ID between proxy and relay, also used as a nonce to encrypt forwarded transmission RFWD :: EncFwdTransmission -> Command ProxyService -- use CorrId as CbNonce, proxy to relay + -- Name resolution: forwarded-only via PFWD. Server reads SNRC contract via Ethereum JSON-RPC. + RSLV :: LookupKey -> Command Resolver deriving instance Show (Command p) @@ -705,6 +741,96 @@ instance Encoding FwdTransmission where newtype EncFwdTransmission = EncFwdTransmission ByteString deriving (Show) +-- | 20-byte Ethereum address (NameRecord owner). Bare constructor not exported; +-- use `mkNameOwner` to enforce the 20-byte invariant. +newtype NameOwner = NameOwner ByteString + deriving (Eq, Show) + +mkNameOwner :: ByteString -> Either String NameOwner +mkNameOwner bs + | B.length bs == 20 = Right (NameOwner bs) + | otherwise = Left "NameOwner must be 20 bytes" + +unNameOwner :: NameOwner -> ByteString +unNameOwner (NameOwner bs) = bs +{-# INLINE unNameOwner #-} + +instance Encoding NameOwner where + smpEncode (NameOwner bs) = bs + {-# INLINE smpEncode #-} + smpP = NameOwner <$> A.take 20 + +-- | A name-record link (channel or contact). Bare constructor not exported; +-- use `mkNameLink` to enforce the ≤1024-byte UTF-8 invariant. +newtype NameLink = NameLink Text + deriving (Eq, Show) + +mkNameLink :: Text -> Either String NameLink +mkNameLink t + | B.length (encodeUtf8 t) <= 1024 = Right (NameLink t) + | otherwise = Left "NameLink too long" + +unNameLink :: NameLink -> Text +unNameLink (NameLink t) = t +{-# INLINE unNameLink #-} + +instance Encoding NameLink where + smpEncode (NameLink t) = + let bs = encodeUtf8 t + in smpEncode @Word16 (fromIntegral $ B.length bs) <> bs + smpP = do + n <- fromIntegral <$> smpP @Word16 + when (n > 1024) $ fail "NameLink too long" + bs <- A.take n + either (fail . show) (pure . NameLink) (decodeUtf8' bs) + +-- | Resolved name record returned by the names role. +-- Field additions are gated by future SMP version bumps (matching IDS QIK precedent). +data NameRecord = NameRecord + { nrDisplayName :: Text, -- ≤255 bytes UTF-8 (enforced by Encoding ByteString length prefix) + nrOwner :: NameOwner, + nrChannelLinks :: [NameLink], + nrContactLinks :: [NameLink], + nrAdminAddress :: Maybe Text, + nrAdminEmail :: Maybe Text, + nrExpiry :: Int64, -- Unix seconds, ≥ 0 + nrIsTest :: Bool + } + deriving (Eq, Show) + +-- | Bounded list parser — caps element count before allocating. +smpListPUpTo :: Encoding a => Int -> Parser [a] +smpListPUpTo cap = do + n <- lenP + when (n > cap) $ fail "list too long" + A.count n smpP + +-- | Encode NameRecord on the wire. Version-branched in the same shape as IDS QIK. +nameRecBytes :: VersionSMP -> NameRecord -> ByteString +nameRecBytes _v NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest} = + smpEncode nrDisplayName + <> smpEncode nrOwner + <> smpEncodeList nrChannelLinks + <> smpEncodeList nrContactLinks + <> smpEncode nrAdminAddress + <> smpEncode nrAdminEmail + <> smpEncode nrExpiry + <> smpEncode nrIsTest + +-- | Parse NameRecord. Combined channel+contact list cap is 8. +parseNameRec :: VersionSMP -> Parser NameRecord +parseNameRec _v = do + nrDisplayName <- smpP + nrOwner <- smpP + nrChannelLinks <- smpListPUpTo 8 + nrContactLinks <- smpListPUpTo (8 - length nrChannelLinks) + nrAdminAddress <- smpP + nrAdminEmail <- smpP + nrExpiry <- smpP + when (nrExpiry < 0) $ fail "expiry must be non-negative" + nrIsTest <- smpP + pure NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest} + data BrokerMsg where -- SMP broker messages (responses, client messages, notifications) IDS :: QueueIdsKeys -> BrokerMsg @@ -732,6 +858,8 @@ data BrokerMsg where OK :: BrokerMsg ERR :: ErrorType -> BrokerMsg PONG :: BrokerMsg + -- Name resolution response. Returned only for forwarded RSLV. + NAME :: NameRecord -> BrokerMsg deriving (Eq, Show) data RcvMessage = RcvMessage @@ -942,6 +1070,7 @@ data CommandTag (p :: Party) where RFWD_ :: CommandTag ProxyService NSUB_ :: CommandTag Notifier NSUBS_ :: CommandTag NotifierService + RSLV_ :: CommandTag Resolver data CmdTag = forall p. PartyI p => CT (SParty p) (CommandTag p) @@ -968,6 +1097,7 @@ data BrokerMsgTag | OK_ | ERR_ | PONG_ + | NAME_ deriving (Show) class ProtocolMsgTag t where @@ -1004,6 +1134,7 @@ instance PartyI p => Encoding (CommandTag p) where RFWD_ -> "RFWD" NSUB_ -> "NSUB" NSUBS_ -> "NSUBS" + RSLV_ -> "RSLV" smpP = messageTagP instance ProtocolMsgTag CmdTag where @@ -1032,6 +1163,7 @@ instance ProtocolMsgTag CmdTag where "RFWD" -> Just $ CT SProxyService RFWD_ "NSUB" -> Just $ CT SNotifier NSUB_ "NSUBS" -> Just $ CT SNotifierService NSUBS_ + "RSLV" -> Just $ CT SResolver RSLV_ _ -> Nothing instance Encoding CmdTag where @@ -1061,6 +1193,7 @@ instance Encoding BrokerMsgTag where OK_ -> "OK" ERR_ -> "ERR" PONG_ -> "PONG" + NAME_ -> "NAME" smpP = messageTagP instance ProtocolMsgTag BrokerMsgTag where @@ -1083,6 +1216,7 @@ instance ProtocolMsgTag BrokerMsgTag where "OK" -> Just OK_ "ERR" -> Just ERR_ "PONG" -> Just PONG_ + "NAME" -> Just NAME_ _ -> Nothing -- | SMP message body format @@ -1792,6 +1926,7 @@ instance PartyI p => ProtocolEncoding SMPVersion ErrorType (Command p) where PRXY host auth_ -> e (PRXY_, ' ', host, auth_) PFWD fwdV pubKey (EncTransmission s) -> e (PFWD_, ' ', fwdV, pubKey, Tail s) RFWD (EncFwdTransmission s) -> e (RFWD_, ' ', Tail s) + RSLV key -> e (RSLV_, ' ', key) where e :: Encoding a => a -> ByteString e = smpEncode @@ -1816,6 +1951,7 @@ instance PartyI p => ProtocolEncoding SMPVersion ErrorType (Command p) where PRXY {} -> noAuthCmd PFWD {} -> entityCmd RFWD _ -> noAuthCmd + RSLV _ -> noAuthCmd SUB -> serviceCmd NSUB -> serviceCmd -- other client commands must have both signature and queue ID @@ -1899,6 +2035,9 @@ instance ProtocolEncoding SMPVersion ErrorType Cmd where CT SNotifierService NSUBS_ | v >= rcvServiceSMPVersion -> Cmd SNotifierService <$> (NSUBS <$> _smpP <*> smpP) | otherwise -> pure $ Cmd SNotifierService $ NSUBS (-1) mempty + CT SResolver RSLV_ + | v >= namesSMPVersion -> Cmd SResolver . RSLV <$> _smpP + | otherwise -> fail "RSLV requires namesSMPVersion" fromProtocolError = fromProtocolError @SMPVersion @ErrorType @BrokerMsg {-# INLINE fromProtocolError #-} @@ -1945,6 +2084,9 @@ instance ProtocolEncoding SMPVersion ErrorType BrokerMsg where | v < clientNoticesSMPVersion -> BLOCKED info {notice = Nothing} _ -> err PONG -> e PONG_ + NAME rec + | v >= namesSMPVersion -> e (NAME_, ' ') <> nameRecBytes v rec + | otherwise -> e (ERR_, ' ', AUTH) -- pre-v20: shouldn't reach here, degrade to AUTH where e :: Encoding a => a -> ByteString e = smpEncode @@ -1992,6 +2134,9 @@ instance ProtocolEncoding SMPVersion ErrorType BrokerMsg where OK_ -> pure OK ERR_ -> ERR <$> _smpP PONG_ -> pure PONG + NAME_ + | v >= namesSMPVersion -> NAME <$> (A.space *> parseNameRec v) + | otherwise -> fail "NAME requires namesSMPVersion" where serviceRespP resp | v >= rcvServiceSMPVersion = resp <$> _smpP <*> smpP @@ -2014,6 +2159,7 @@ instance ProtocolEncoding SMPVersion ErrorType BrokerMsg where PKEY {} -> noEntityMsg RRES _ -> noEntityMsg ALLS -> noEntityMsg + NAME _ -> noEntityMsg -- other broker responses must have queue ID _ | B.null entId -> Left $ CMD NO_ENTITY diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index 1b7d920ac5..b7870f62a3 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -108,6 +108,7 @@ import Simplex.Messaging.Server.Env.STM as Env import Simplex.Messaging.Server.Expiration import Simplex.Messaging.Server.MsgStore import Simplex.Messaging.Server.MsgStore.Journal (JournalMsgStore, JournalQueue (..), getJournalQueueMessages) +import Simplex.Messaging.Server.Names (ResolveError (..), closeNamesEnv, resolveName) import Simplex.Messaging.Server.MsgStore.STM import Simplex.Messaging.Server.MsgStore.Types import Simplex.Messaging.Server.NtfStore @@ -245,7 +246,9 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt saveServerStats closeServer :: M s () - closeServer = asks (smpAgent . proxyAgent) >>= liftIO . closeSMPClientAgent + closeServer = do + asks (smpAgent . proxyAgent) >>= liftIO . closeSMPClientAgent + asks namesEnv >>= liftIO . mapM_ closeNamesEnv serverThread :: forall sub. String -> @@ -513,7 +516,7 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt initialDelay <- (startAt -) . fromIntegral . (`div` 1000000_000000) . diffTimeToPicoseconds . utctDayTime <$> liftIO getCurrentTime liftIO $ putStrLn $ "server stats log enabled: " <> statsFilePath liftIO $ threadDelay' $ 1000000 * (initialDelay + if initialDelay < 0 then 86400 else 0) - ss@ServerStats {fromTime, qCreated, qSecured, qDeletedAll, qDeletedAllB, qDeletedNew, qDeletedSecured, qSub, qSubAllB, qSubAuth, qSubDuplicate, qSubProhibited, qSubEnd, qSubEndB, ntfCreated, ntfDeleted, ntfDeletedB, ntfSub, ntfSubB, ntfSubAuth, ntfSubDuplicate, msgSent, msgSentAuth, msgSentQuota, msgSentLarge, msgRecv, msgRecvGet, msgGet, msgGetNoMsg, msgGetAuth, msgGetDuplicate, msgGetProhibited, msgExpired, activeQueues, msgSentNtf, msgRecvNtf, activeQueuesNtf, qCount, msgCount, ntfCount, pRelays, pRelaysOwn, pMsgFwds, pMsgFwdsOwn, pMsgFwdsRecv, rcvServices, ntfServices} + ss@ServerStats {fromTime, qCreated, qSecured, qDeletedAll, qDeletedAllB, qDeletedNew, qDeletedSecured, qSub, qSubAllB, qSubAuth, qSubDuplicate, qSubProhibited, qSubEnd, qSubEndB, ntfCreated, ntfDeleted, ntfDeletedB, ntfSub, ntfSubB, ntfSubAuth, ntfSubDuplicate, msgSent, msgSentAuth, msgSentQuota, msgSentLarge, msgRecv, msgRecvGet, msgGet, msgGetNoMsg, msgGetAuth, msgGetDuplicate, msgGetProhibited, msgExpired, activeQueues, msgSentNtf, msgRecvNtf, activeQueuesNtf, qCount, msgCount, ntfCount, pRelays, pRelaysOwn, pMsgFwds, pMsgFwdsOwn, pMsgFwdsRecv, rcvServices, ntfServices, rslvStats} <- asks serverStats st <- asks msgStore EntityCounts {queueCount, notifierCount, rcvServiceCount, ntfServiceCount, rcvServiceQueuesCount, ntfServiceQueuesCount} <- @@ -576,6 +579,7 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt qCount' <- readIORef qCount msgCount' <- readIORef msgCount ntfCount' <- readIORef ntfCount + rslvStats' <- getResetNameResolverStatsData rslvStats T.hPutStrLn h $ T.intercalate "," @@ -649,6 +653,7 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt ] <> showServiceStats rcvServices' <> showServiceStats ntfServices' + <> showNameResolverStats rslvStats' ) liftIO $ threadDelay' interval where @@ -656,6 +661,8 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt map tshow [_pRequests, _pSuccesses, _pErrorsConnect, _pErrorsCompat, _pErrorsOther] showServiceStats ServiceStatsData {_srvAssocNew, _srvAssocDuplicate, _srvAssocUpdated, _srvAssocRemoved, _srvSubCount, _srvSubDuplicate, _srvSubQueues, _srvSubEnd} = map tshow [_srvAssocNew, _srvAssocDuplicate, _srvAssocUpdated, _srvAssocRemoved, _srvSubCount, _srvSubDuplicate, _srvSubQueues, _srvSubEnd] + showNameResolverStats NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled} = + map tshow [_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled] prometheusMetricsThread_ :: ServerConfig s -> [M s ()] prometheusMetricsThread_ ServerConfig {prometheusInterval = Just interval, prometheusMetricsFile} = @@ -1149,8 +1156,8 @@ receive h@THandle {params = THandleParams {thAuth, sessionId}} ms Client {rcvQ, updateBatchStats stats cmd -- even if nothing is verified let queueId (_, _, (_, qId, _)) = qId qs <- getQueueRecs ms p $ map queueId ts' - zipWithM (\t -> verified stats t . verifyLoadedQueue service thAuth t) ts' qs - _ -> mapM (\t -> verified stats t =<< verifyTransmission ms service thAuth t) ts' + zipWithM (\t -> verified stats t . verifyLoadedQueue False service thAuth t) ts' qs + _ -> mapM (\t -> verified stats t =<< verifyTransmission False ms service thAuth t) ts' mapM_ (atomically . writeTBQueue rcvQ) $ L.nonEmpty cmds pure $ errs ++ errs' [] -> pure errs @@ -1230,19 +1237,19 @@ data VerificationResult s = VRVerified (Maybe (StoreQueue s, QueueRec)) | VRFail -- - the queue or party key do not exist. -- In all cases, the time of the verification should depend only on the provided authorization type, -- a dummy key is used to run verification in the last two cases, and failure is returned irrespective of the result. -verifyTransmission :: forall s. MsgStoreClass s => s -> Maybe THPeerClientService -> Maybe (THandleAuth 'TServer) -> SignedTransmission Cmd -> IO (VerificationResult s) -verifyTransmission ms service thAuth t@(_, _, (_, queueId, Cmd p _)) = case queueParty p of - Just Dict -> verifyLoadedQueue service thAuth t <$> getQueueRec ms p queueId - Nothing -> pure $ verifyQueueTransmission service thAuth t Nothing - -verifyLoadedQueue :: Maybe THPeerClientService -> Maybe (THandleAuth 'TServer) -> SignedTransmission Cmd -> Either ErrorType (StoreQueue s, QueueRec) -> VerificationResult s -verifyLoadedQueue service thAuth t@(tAuth, authorized, (corrId, _, _)) = \case - Right q -> verifyQueueTransmission service thAuth t (Just q) +verifyTransmission :: forall s. MsgStoreClass s => Bool -> s -> Maybe THPeerClientService -> Maybe (THandleAuth 'TServer) -> SignedTransmission Cmd -> IO (VerificationResult s) +verifyTransmission forwarded ms service thAuth t@(_, _, (_, queueId, Cmd p _)) = case queueParty p of + Just Dict -> verifyLoadedQueue forwarded service thAuth t <$> getQueueRec ms p queueId + Nothing -> pure $ verifyQueueTransmission forwarded service thAuth t Nothing + +verifyLoadedQueue :: Bool -> Maybe THPeerClientService -> Maybe (THandleAuth 'TServer) -> SignedTransmission Cmd -> Either ErrorType (StoreQueue s, QueueRec) -> VerificationResult s +verifyLoadedQueue forwarded service thAuth t@(tAuth, authorized, (corrId, _, _)) = \case + Right q -> verifyQueueTransmission forwarded service thAuth t (Just q) Left AUTH -> dummyVerifyCmd thAuth tAuth authorized corrId `seq` VRFailed AUTH Left e -> VRFailed e -verifyQueueTransmission :: forall s. Maybe THPeerClientService -> Maybe (THandleAuth 'TServer) -> SignedTransmission Cmd -> Maybe (StoreQueue s, QueueRec) -> VerificationResult s -verifyQueueTransmission service thAuth (tAuth, authorized, (corrId, entId, command@(Cmd p cmd))) q_ +verifyQueueTransmission :: forall s. Bool -> Maybe THPeerClientService -> Maybe (THandleAuth 'TServer) -> SignedTransmission Cmd -> Maybe (StoreQueue s, QueueRec) -> VerificationResult s +verifyQueueTransmission forwarded service thAuth (tAuth, authorized, (corrId, entId, command@(Cmd p cmd))) q_ | not checkRole = VRFailed $ CMD PROHIBITED | not verifyServiceSig = VRFailed SERVICE | otherwise = vc p cmd @@ -1262,6 +1269,9 @@ verifyQueueTransmission service thAuth (tAuth, authorized, (corrId, entId, comma vc SNotifierService NSUBS {} = verifyServiceCmd vc SProxiedClient _ = VRVerified Nothing vc SProxyService (RFWD _) = VRVerified Nothing + vc SResolver (RSLV _) + | forwarded = VRVerified Nothing + | otherwise = VRFailed $ CMD PROHIBITED checkRole = case (service, partyClientRole p) of (Just THClientService {serviceRole}, Just role) -> serviceRole == role _ -> True @@ -1486,6 +1496,16 @@ client SEND flags msgBody -> response <$> withQueue_ False err (sendMessage flags msgBody) Cmd SIdleClient PING -> pure $ response (corrId, NoEntity, PONG) Cmd SProxyService (RFWD encBlock) -> response . (corrId,NoEntity,) <$> processForwardedCommand encBlock + Cmd SResolver (RSLV (LookupKey key)) -> do + st <- asks (rslvStats . serverStats) + incStat (rslvReqs st) + asks namesEnv >>= \case + Nothing -> incStat (rslvDisabled st) $> response (corrId, NoEntity, ERR AUTH) + Just nenv -> + liftIO (resolveName nenv key) >>= \case + Right rec -> incStat (rslvSucc st) $> response (corrId, NoEntity, NAME rec) + Left NotFound -> incStat (rslvNotFound st) $> response (corrId, NoEntity, ERR AUTH) + Left _ -> incStat (rslvEthErrs st) $> response (corrId, NoEntity, ERR AUTH) Cmd SSenderLink command -> case command of LKEY k -> withQueue $ \q qr -> checkMode QMMessaging qr $ secureQueue_ q k $>> getQueueLink_ q qr LGET -> withQueue $ \q qr -> checkContact qr $ getQueueLink_ q qr @@ -2126,7 +2146,7 @@ client rejectOrVerify clntThAuth = \case Left (corrId', entId', e) -> pure $ Left (corrId', entId', ERR e) Right t'@(_, _, t''@(corrId', entId', cmd')) - | allowed -> liftIO $ verified <$> verifyTransmission ms Nothing clntThAuth t' + | allowed -> liftIO $ verified <$> verifyTransmission True ms Nothing clntThAuth t' | otherwise -> pure $ Left (corrId', entId', ERR $ CMD PROHIBITED) where allowed = case cmd' of @@ -2134,6 +2154,7 @@ client Cmd SSender (SKEY _) -> True Cmd SSenderLink (LKEY _) -> True Cmd SSenderLink LGET -> True + Cmd SResolver (RSLV _) -> True _ -> False verified = \case VRVerified q -> Right (q, t'') @@ -2217,10 +2238,6 @@ updateDeletedStats q = do incStat $ qDeletedAll stats liftIO $ atomicModifyIORef'_ (qCount stats) (subtract 1) -incStat :: MonadIO m => IORef Int -> m () -incStat r = liftIO $ atomicModifyIORef'_ r (+ 1) -{-# INLINE incStat #-} - randomId' :: Int -> M s ByteString randomId' n = atomically . C.randomBytes n =<< asks random diff --git a/src/Simplex/Messaging/Server/Env/STM.hs b/src/Simplex/Messaging/Server/Env/STM.hs index 574111c15e..382c820c8f 100644 --- a/src/Simplex/Messaging/Server/Env/STM.hs +++ b/src/Simplex/Messaging/Server/Env/STM.hs @@ -115,6 +115,7 @@ import Simplex.Messaging.Server.Information import Simplex.Messaging.Server.MsgStore.Journal import Simplex.Messaging.Server.MsgStore.STM import Simplex.Messaging.Server.MsgStore.Types +import Simplex.Messaging.Server.Names (NamesConfig (..), NamesEnv, closeNamesEnv, newNamesEnv) import Simplex.Messaging.Server.NtfStore import Simplex.Messaging.Server.QueueStore import Simplex.Messaging.Server.QueueStore.Postgres.Config @@ -197,6 +198,8 @@ data ServerConfig s = ServerConfig smpAgentCfg :: SMPClientAgentConfig, allowSMPProxy :: Bool, -- auth is the same with `newQueueBasicAuth` serverClientConcurrency :: Int, + -- | public-namespace resolver config; Nothing disables the names role + namesConfig :: Maybe NamesConfig, -- | server public information information :: Maybe ServerPublicInfo, startOptions :: StartOptions @@ -272,7 +275,8 @@ data Env s = Env serverStats :: ServerStats, sockets :: TVar [(ServiceName, SocketState)], clientSeq :: TVar ClientId, - proxyAgent :: ProxyAgent -- senders served on this proxy + proxyAgent :: ProxyAgent, -- senders served on this proxy + namesEnv :: Maybe NamesEnv -- public-namespace resolver, present when [NAMES] enable: on } msgStore :: Env s -> s @@ -558,7 +562,7 @@ newProhibitedSub = do return Sub {subThread = ProhibitSub, delivered} newEnv :: ServerConfig s -> IO (Env s) -newEnv config@ServerConfig {smpCredentials, httpCredentials, serverStoreCfg, smpAgentCfg, information, messageExpiration, idleQueueInterval, msgQueueQuota, maxJournalMsgCount, maxJournalStateLines} = do +newEnv config@ServerConfig {allowSMPProxy, smpCredentials, httpCredentials, serverStoreCfg, smpAgentCfg, information, messageExpiration, idleQueueInterval, msgQueueQuota, maxJournalMsgCount, maxJournalStateLines, namesConfig} = do serverActive <- newTVarIO True server <- newServer msgStore_ <- case serverStoreCfg of @@ -603,6 +607,15 @@ newEnv config@ServerConfig {smpCredentials, httpCredentials, serverStoreCfg, smp sockets <- newTVarIO [] clientSeq <- newTVarIO 0 proxyAgent <- newSMPProxyAgent smpAgentCfg random + namesEnv <- case namesConfig of + Nothing -> pure Nothing + Just nc + | allowSMPProxy && not (dangerousColocation nc) -> do + logError "[NAMES] enable: on with [PROXY] is refused — RSLV cache misses can serialise other forwarded commands. Set allow_dangerous_colocation = on to override." + exitFailure + | otherwise -> do + let rs = rslvStats serverStats + Just <$> newNamesEnv nc (rslvCacheHits rs) (rslvCacheMiss rs) pure Env { serverActive, @@ -618,7 +631,8 @@ newEnv config@ServerConfig {smpCredentials, httpCredentials, serverStoreCfg, smp serverStats, sockets, clientSeq, - proxyAgent + proxyAgent, + namesEnv } where loadStoreLog :: StoreQueueClass q => (RecipientId -> QueueRec -> IO q) -> FilePath -> STMQueueStore q -> IO () diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index f7461f392b..edde8a78b2 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -39,6 +39,7 @@ module Simplex.Messaging.Server.Main strParse, ) where +import Control.Applicative ((<|>)) import Control.Concurrent.STM import Control.Exception (finally) import Control.Logger.Simple @@ -76,6 +77,8 @@ import Simplex.Messaging.Server.Main.Init import Simplex.Messaging.Server.Web (EmbeddedWebParams (..), WebHttpsParams (..)) import Simplex.Messaging.Server.MsgStore.Journal (JournalMsgStore (..), QStoreCfg (..), stmQueueStore) import Simplex.Messaging.Server.MsgStore.Types (MsgStoreClass (..), SQSType (..), SMSType (..), newMsgStore) +import Simplex.Messaging.Protocol (mkNameOwner, NameOwner) +import Simplex.Messaging.Server.Names (NamesConfig (..), RpcAuth (..)) import Simplex.Messaging.Server.QueueStore.Postgres.Config import Simplex.Messaging.Server.StoreLog.ReadWrite (readQueueStore) import Simplex.Messaging.Transport (supportedProxyClientSMPRelayVRange, alpnSupportedSMPHandshakes, supportedServerSMPRelayVRange) @@ -605,6 +608,7 @@ smpServerCLI_ generateSite serveStaticFiles attachStaticFiles cfgPath logPath = }, allowSMPProxy = True, serverClientConcurrency = readIniDefault defaultProxyClientConcurrency "PROXY" "client_concurrency" ini, + namesConfig = readNamesConfig ini, information = serverPublicInfo ini, startOptions } @@ -796,6 +800,64 @@ validCountryValue field s | length s == 2 && all (\c -> isAscii c && isAlpha c) s = Right $ T.pack $ map toUpper s | otherwise = Left $ "Use ISO3166 2-letter code for " <> field +readNamesConfig :: Ini -> Maybe NamesConfig +readNamesConfig ini + | not enabled = Nothing + | otherwise = + Just + NamesConfig + { ethereumEndpoint = requiredText "ethereum_endpoint", + snrcAddress = either (error . ("[NAMES] snrc_address: " <>)) id $ parseEthAddr (requiredText "snrc_address"), + rpcAuth = either (error . ("[NAMES] rpc_auth: " <>)) Just . parseRpcAuth =<< eitherToMaybe (lookupValue "NAMES" "rpc_auth" ini), + cacheSeconds = readIniDefault 300 "NAMES" "cache_seconds" ini, + cacheMaxEntries = readIniDefault 100000 "NAMES" "cache_max_entries" ini, + cacheMaxBytes = readIniDefault 67108864 "NAMES" "cache_max_bytes" ini, + rpcTimeoutMs = readIniDefault 3000 "NAMES" "rpc_timeout_ms" ini, + rpcMaxResponseBytes = readIniDefault 262144 "NAMES" "rpc_max_response_bytes" ini, + rpcMaxConcurrency = readIniDefault 8 "NAMES" "rpc_max_concurrency" ini, + dangerousColocation = fromMaybe False (iniOnOff "NAMES" "allow_dangerous_colocation" ini) + } + where + enabled = fromMaybe False (iniOnOff "NAMES" "enable" ini) + requiredText key = + either (error . (("[NAMES] " <> T.unpack key <> " is required: ") <>)) id $ + lookupValue "NAMES" key ini + +-- | Parse a 20-byte Ethereum address as text "0x[hex40]" or "[hex40]". +-- Step 4 minimal validation; EIP-55 checksum check lands in step 5. +parseEthAddr :: Text -> Either String NameOwner +parseEthAddr t = + let s = case T.stripPrefix "0x" t <|> T.stripPrefix "0X" t of + Just rest -> rest + Nothing -> t + in if T.length s == 40 && T.all isHex s + then mkNameOwner (hexDecode (encodeUtf8 s)) + else Left "expected 0x-prefixed 40 hex characters" + where + isHex c = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F') + +-- | Decode a hex string of even length. Precondition: input is already +-- validated as even-length and all-hex (validated by caller). +hexDecode :: ByteString -> ByteString +hexDecode = B.pack . go + where + go s + | B.null s = [] + | otherwise = toEnum (16 * digit (B.head s) + digit (B.index s 1)) : go (B.drop 2 s) + digit c + | c >= '0' && c <= '9' = fromEnum c - fromEnum '0' + | c >= 'a' && c <= 'f' = 10 + fromEnum c - fromEnum 'a' + | otherwise = 10 + fromEnum c - fromEnum 'A' + +parseRpcAuth :: Text -> Either String RpcAuth +parseRpcAuth t = case T.words t of + ["bearer", tok] -> Right $ AuthBearer tok + ["basic", up] -> case T.breakOn ":" up of + (u, rest) + | not (T.null u) && ":" `T.isPrefixOf` rest -> Right $ AuthBasic u (T.drop 1 rest) + _ -> Left "basic auth expects user:password" + _ -> Left "expected `bearer ` or `basic :`" + printSourceCode :: Maybe Text -> IO () printSourceCode = \case Just sourceCode -> T.putStrLn $ "Server source code: " <> sourceCode diff --git a/src/Simplex/Messaging/Server/Main/Init.hs b/src/Simplex/Messaging/Server/Main/Init.hs index 0e3ceb81b4..1091bb2617 100644 --- a/src/Simplex/Messaging/Server/Main/Init.hs +++ b/src/Simplex/Messaging/Server/Main/Init.hs @@ -155,6 +155,25 @@ iniFileContent cfgPath logPath opts host basicAuth controlPortPwds = \# Limit number of threads a client can spawn to process proxy commands in parrallel.\n" <> ("# client_concurrency = " <> tshow defaultProxyClientConcurrency) <> "\n\n\ + \[NAMES]\n\ + \# Public-namespace resolution (SNRC on Ethereum).\n\ + \# Requires an Ethereum JSON-RPC endpoint (Reth+Nimbus). See deployment guide.\n\ + \# Cannot be combined with [PROXY] enable: on by default - see allow_dangerous_colocation.\n\ + \# Restart required to change settings.\n\ + \enable: off\n\ + \# Same-host:\n\ + \# ethereum_endpoint: http://127.0.0.1:8545\n\ + \# Central Reth via Caddy:\n\ + \# ethereum_endpoint: https://eth.simplex.chat:443\n\ + \# rpc_auth: basic :\n\ + \# snrc_address: 0x0000000000000000000000000000000000000000\n\ + \# cache_seconds: 300\n\ + \# cache_max_entries: 100000\n\ + \# cache_max_bytes: 67108864\n\ + \# rpc_timeout_ms: 3000\n\ + \# rpc_max_response_bytes: 262144\n\ + \# rpc_max_concurrency: 8\n\ + \# allow_dangerous_colocation: off\n\n\ \[INACTIVE_CLIENTS]\n\ \# TTL and interval to check inactive clients\n\ \disconnect = on\n" diff --git a/src/Simplex/Messaging/Server/Names.hs b/src/Simplex/Messaging/Server/Names.hs new file mode 100644 index 0000000000..eea09b013f --- /dev/null +++ b/src/Simplex/Messaging/Server/Names.hs @@ -0,0 +1,18 @@ +-- | SMP public-namespace resolver façade. +-- +-- Re-exports the resolver's public surface from Names.Resolver and the +-- HTTP auth type from Names.Eth.RPC. Implementation lives in Resolver.hs; +-- Eth.RPC / Eth.SNRC are transport / codec internals. +module Simplex.Messaging.Server.Names + ( NamesConfig (..), + RpcAuth (..), + NamesEnv, + ResolveError (..), + newNamesEnv, + closeNamesEnv, + resolveName, + ) +where + +import Simplex.Messaging.Server.Names.Eth.RPC (RpcAuth (..)) +import Simplex.Messaging.Server.Names.Resolver (NamesConfig (..), NamesEnv, ResolveError (..), closeNamesEnv, newNamesEnv, resolveName) diff --git a/src/Simplex/Messaging/Server/Names/Eth/RPC.hs b/src/Simplex/Messaging/Server/Names/Eth/RPC.hs new file mode 100644 index 0000000000..f89127343c --- /dev/null +++ b/src/Simplex/Messaging/Server/Names/Eth/RPC.hs @@ -0,0 +1,213 @@ +{-# LANGUAGE LambdaCase #-} +{-# LANGUAGE NamedFieldPuns #-} +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE RecordWildCards #-} +{-# LANGUAGE ScopedTypeVariables #-} +{-# LANGUAGE StrictData #-} + +-- | Ethereum JSON-RPC HTTP transport for the resolver. +-- +-- Boundary properties: +-- * Response body read with `brReadSome rpcMaxResponseBytes` — adversarial +-- endpoints cannot exhaust memory with multi-GB bodies. +-- * Concurrency cap via QSem — bursts of cache-miss traffic cannot exhaust +-- the http-client connection pool. +-- * Authorization header attached only when configured. +module Simplex.Messaging.Server.Names.Eth.RPC + ( RpcAuth (..), + EthRpcEnv (..), + EthRpcError (..), + newEthRpcEnv, + closeEthRpcEnv, + ethCallReal, + scrubUrl, + ) +where + +import Control.Applicative ((<|>)) +import Control.Concurrent.QSem (QSem, newQSem, signalQSem, waitQSem) +import qualified Control.Exception as E +import Control.Exception (bracket_) +import qualified Data.Aeson as J +import qualified Data.Aeson.Types as J +import qualified Data.ByteArray.Encoding as BAE +import Data.ByteString.Char8 (ByteString) +import qualified Data.ByteString.Char8 as B +import qualified Data.ByteString.Lazy as BL +import Data.Text (Text) +import qualified Data.Text as T +import Data.Text.Encoding (encodeUtf8) +import Network.HTTP.Client + ( HttpException, + Manager, + Request, + RequestBody (..), + brReadSome, + closeManager, + method, + parseRequest, + requestBody, + requestHeaders, + responseBody, + responseStatus, + withResponse, + ) +import qualified Network.HTTP.Client as HC +import Network.HTTP.Client.TLS (tlsManagerSettings) +import qualified Network.HTTP.Types as HT + +data RpcAuth = AuthBearer Text | AuthBasic Text Text + deriving (Show) + +data EthRpcEnv = EthRpcEnv + { manager :: Manager, + request :: Request, + sem :: QSem, + maxResponseBytes :: Int + } + +data EthRpcError + = HttpFailure HttpException + | HttpStatusErr Int + | BodyTooLarge + | InvalidJson String + | JsonRpcErr Int Text + deriving (Show) + +-- | Build a Request from a (validated) ethereum_endpoint URL. +buildRequest :: Text -> Maybe RpcAuth -> IO Request +buildRequest endpoint auth_ = do + req <- parseRequest (T.unpack endpoint) + pure $ + req + { method = "POST", + requestHeaders = + ("Content-Type", "application/json") + : maybe [] (pure . authHeader) auth_ + } + +authHeader :: RpcAuth -> HT.Header +authHeader = \case + AuthBearer tok -> ("Authorization", "Bearer " <> encodeUtf8 tok) + AuthBasic u p -> + let encoded = BAE.convertToBase BAE.Base64 (encodeUtf8 u <> ":" <> encodeUtf8 p) :: ByteString + in ("Authorization", "Basic " <> encoded) + +newEthRpcEnv :: Text -> Maybe RpcAuth -> Int -> Int -> IO EthRpcEnv +newEthRpcEnv endpoint auth_ maxResponseBytes maxConcurrency = do + manager <- HC.newManager tlsManagerSettings + request <- buildRequest endpoint auth_ + sem <- newQSem maxConcurrency + pure EthRpcEnv {manager, request, sem, maxResponseBytes} + +closeEthRpcEnv :: EthRpcEnv -> IO () +closeEthRpcEnv EthRpcEnv {manager} = closeManager manager + +-- | Make a single eth_call. `to` is the contract address (20 raw bytes); +-- `dat` is the ABI-encoded call data. Returns the contract return bytes. +ethCallReal :: EthRpcEnv -> ByteString -> ByteString -> IO (Either EthRpcError ByteString) +ethCallReal EthRpcEnv {manager, request, sem, maxResponseBytes} to dat = + bracket_ (waitQSem sem) (signalQSem sem) $ do + let body = J.encode (rpcEnvelope to dat) + req = request {requestBody = RequestBodyLBS body} + result <- E.try $ withResponse req manager $ \res -> do + let status = responseStatus res + if HT.statusCode status >= 400 + then pure (Left (HttpStatusErr (HT.statusCode status))) + else do + bs <- brReadSome (responseBody res) (maxResponseBytes + 1) + if BL.length bs > fromIntegral maxResponseBytes + then pure (Left BodyTooLarge) + else pure (parseResult (BL.toStrict bs)) + pure (either (Left . HttpFailure) id result) + +rpcEnvelope :: ByteString -> ByteString -> J.Value +rpcEnvelope to dat = + J.object + [ "jsonrpc" J..= ("2.0" :: Text), + "id" J..= (1 :: Int), + "method" J..= ("eth_call" :: Text), + "params" + J..= [ J.object + [ "to" J..= toHex to, + "data" J..= toHex dat + ], + J.String "latest" + ] + ] + +parseResult :: ByteString -> Either EthRpcError ByteString +parseResult bs = case J.eitherDecodeStrict bs of + Left e -> Left (InvalidJson e) + Right (v :: J.Value) -> case J.parseEither parser v of + Left e -> Left (InvalidJson e) + Right r -> r + where + parser :: J.Value -> J.Parser (Either EthRpcError ByteString) + parser = J.withObject "rpc" $ \o -> do + mErr :: Maybe J.Value <- o J..:? "error" + case mErr of + Just (J.Object eo) -> do + code <- (eo J..: "code") <|> pure (-1 :: Int) + msg <- (eo J..: "message") <|> pure ("rpc error" :: Text) + pure (Left (JsonRpcErr code msg)) + _ -> do + result :: Text <- o J..: "result" + case fromHex (encodeUtf8 result) of + Right b -> pure (Right b) + Left e -> pure (Left (InvalidJson e)) + +toHex :: ByteString -> Text +toHex bs = T.pack $ "0x" <> concatMap byte (B.unpack bs) + where + byte c = + let n = fromEnum c + (h, l) = quotRem n 16 + in [hexChar h, hexChar l] + hexChar n + | n < 10 = toEnum (fromEnum '0' + n) + | otherwise = toEnum (fromEnum 'a' + n - 10) + +fromHex :: ByteString -> Either String ByteString +fromHex bs0 = + let bs = case B.stripPrefix "0x" bs0 of + Just rest -> rest + Nothing -> case B.stripPrefix "0X" bs0 of + Just rest -> rest + Nothing -> bs0 + in if B.null bs + then Right B.empty + else + if odd (B.length bs) || not (B.all isHex bs) + then Left "invalid hex" + else Right (decodeHex bs) + where + isHex c = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F') + +decodeHex :: ByteString -> ByteString +decodeHex = B.pack . go + where + go s + | B.null s = [] + | otherwise = + let hi = digit (B.head s) + lo = digit (B.index s 1) + in toEnum (16 * hi + lo) : go (B.drop 2 s) + digit c + | c >= '0' && c <= '9' = fromEnum c - fromEnum '0' + | c >= 'a' && c <= 'f' = 10 + fromEnum c - fromEnum 'a' + | otherwise = 10 + fromEnum c - fromEnum 'A' + +-- | Strip userinfo from a URL so log lines never leak credentials. +scrubUrl :: Text -> Text +scrubUrl url = + let (scheme, rest) = T.breakOn "://" url + in if T.null rest + then url + else + let body = T.drop 3 rest + (host, query) = T.breakOn "/" body + in case T.breakOn "@" host of + (_userinfo, atRest) + | not (T.null atRest) -> scheme <> "://" <> T.drop 1 atRest <> query + _ -> url diff --git a/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs b/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs new file mode 100644 index 0000000000..c645b8ebea --- /dev/null +++ b/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs @@ -0,0 +1,171 @@ +{-# LANGUAGE BangPatterns #-} +{-# LANGUAGE LambdaCase #-} +{-# LANGUAGE NamedFieldPuns #-} +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE ScopedTypeVariables #-} +{-# LANGUAGE StrictData #-} + +-- | SNRC contract codec: Keccak-256 namehash + bounded Solidity ABI decoder. +-- +-- IMPORTANT: Ethereum uses Keccak-256, NOT NIST SHA3-256. +-- +-- ABI safety invariants (enforced before any allocation): +-- 1. offset + 32 <= buf.length (head read in-bounds) +-- 2. offset + 32 + length <= buf.length (body in-bounds) +-- 3. offset >= headEnd (no backward jumps) +-- 4. every length <= per-field cap (bounded allocations) +-- 5. string[] outer count * 32 + offset <= buf.length (array head fits) +-- 6. recursion depth <= 2 (no deep nesting) +-- 7. uint256 -> Int64 fails if any high 24 bytes non-zero (range check) +-- 8. UTF-8 via decodeUtf8' returns AbiBadUtf8 (no partial bytes) +module Simplex.Messaging.Server.Names.Eth.SNRC + ( -- * Namehash + keccak256, + namehash, + + -- * SNRC eth_call payload + snrcSelector, + encodeGetRecord, + + -- * ABI decoding + AbiError (..), + decodeGetRecord, + decodeWord256Int64, + decodeAddress, + decodeString, + decodeStringArray, + ) +where + +import Crypto.Hash (Digest, Keccak_256, hash) +import qualified Data.ByteArray as BA +import Data.ByteString.Char8 (ByteString) +import qualified Data.ByteString.Char8 as B +import Data.Int (Int64) +import Simplex.Messaging.Protocol (NameOwner, NameRecord, mkNameOwner, unNameOwner) + +-- | ABI-decode failure modes (caller collapses to ResolveError EthDecodeErr). +data AbiError + = AbiTruncated + | AbiOversized + | AbiBackwardOffset + | AbiNonZeroHighBytes + | AbiBadUtf8 + | AbiDepthExceeded + | AbiInvariantViolated String + deriving (Eq, Show) + +-- | Keccak-256 (Ethereum variant), NOT SHA3-256. +keccak256 :: ByteString -> ByteString +keccak256 = BA.convert . (hash :: ByteString -> Digest Keccak_256) +{-# INLINE keccak256 #-} + +-- | ENS / SNRC namehash: recursive keccak256 over reversed labels. +-- Empty name -> 32 zero bytes; "a.b.c" -> keccak(keccak(keccak(0 ++ keccak "c") ++ keccak "b") ++ keccak "a"). +namehash :: ByteString -> ByteString +namehash name + | B.null name = zeroNode + | otherwise = foldr step zeroNode (B.split '.' name) + where + zeroNode = B.replicate 32 '\NUL' + step label acc = keccak256 (acc <> keccak256 label) + +-- | First 4 bytes of keccak("getRecord(bytes32)"). Confirm signature +-- against the Part 1 SNRC contract before merging. +snrcSelector :: ByteString +snrcSelector = B.take 4 (keccak256 "getRecord(bytes32)") + +-- | Build the eth_call `data` parameter for getRecord(lookupKey). +encodeGetRecord :: ByteString -> ByteString +encodeGetRecord node32 + | B.length node32 == 32 = snrcSelector <> node32 + | otherwise = snrcSelector <> padLeft32 node32 + +padLeft32 :: ByteString -> ByteString +padLeft32 bs + | n >= 32 = B.take 32 bs + | otherwise = B.replicate (32 - n) '\NUL' <> bs + where + n = B.length bs + +-- | Read a uint256 at byte offset, fail if it doesn't fit in Int64. +decodeWord256Int64 :: Int -> ByteString -> Either AbiError Int64 +decodeWord256Int64 off buf + | off + 32 > B.length buf = Left AbiTruncated + | B.any (/= toEnum 0) (B.take 24 (B.drop off buf)) = Left AbiNonZeroHighBytes + | otherwise = Right $ B.foldl shiftIn 0 (B.take 8 (B.drop (off + 24) buf)) + where + shiftIn :: Int64 -> Char -> Int64 + shiftIn !acc c = (acc * 256) + fromIntegral (fromEnum c :: Int) +{-# INLINE decodeWord256Int64 #-} + +-- | Read an Ethereum address at byte offset (uint256 with high 12 bytes zero). +decodeAddress :: Int -> ByteString -> Either AbiError NameOwner +decodeAddress off buf + | off + 32 > B.length buf = Left AbiTruncated + | B.any (/= toEnum 0) (B.take 12 (B.drop off buf)) = Left (AbiInvariantViolated "address has non-zero high 12 bytes") + | otherwise = case mkNameOwner (B.take 20 (B.drop (off + 12) buf)) of + Right addr -> Right addr + Left e -> Left (AbiInvariantViolated e) + +-- | Decode a Solidity `string` whose data starts at byte offset `off`. +decodeString :: Int -> Int -> Int -> ByteString -> Either AbiError ByteString +decodeString headEnd off cap buf + | off < headEnd = Left AbiBackwardOffset + | off + 32 > B.length buf = Left AbiTruncated + | otherwise = do + n <- decodeWord256Int64 off buf + let len = fromIntegral n :: Int + if len > cap + then Left AbiOversized + else + if off + 32 + len > B.length buf + then Left AbiTruncated + else Right $ B.take len (B.drop (off + 32) buf) + +-- | Decode a Solidity `string[]` at byte offset `off`. Each element capped +-- at `byteCap` bytes, total element count capped at `cntCap`. Depth must be +-- < 2 (recurses one level into decodeString). +decodeStringArray :: Int -> Int -> Int -> Int -> Int -> ByteString -> Either AbiError [ByteString] +decodeStringArray depth headEnd off cntCap byteCap buf + | depth >= 2 = Left AbiDepthExceeded + | off < headEnd = Left AbiBackwardOffset + | off + 32 > B.length buf = Left AbiTruncated + | otherwise = do + n <- decodeWord256Int64 off buf + let cnt = fromIntegral n :: Int + if cnt > cntCap + then Left AbiOversized + else + let arrHead = off + 32 + arrHeadEnd = arrHead + cnt * 32 + in if arrHeadEnd > B.length buf + then Left AbiTruncated + else collectN 0 cnt arrHead arrHeadEnd [] + where + collectN i n base hd acc + | i >= n = Right (reverse acc) + | otherwise = do + relOff <- decodeWord256Int64 (base + i * 32) buf + let absOff = base + fromIntegral relOff + s <- decodeString hd absOff byteCap buf + collectN (i + 1) n base hd (s : acc) + +-- | Decode the ABI-encoded return value of getRecord(bytes32) into a NameRecord. +-- Zero-owner (0x000...000) is reported as Right Nothing so the caller maps it +-- to NotFound (ENS-style sentinel). +-- +-- PLACEHOLDER: returns Right Nothing for any non-zero owner until the Part 1 +-- SNRC contract ABI is finalised. All ABI primitives above are production-ready; +-- only the field-layout-aware composition is pending. +decodeGetRecord :: ByteString -> Either AbiError (Maybe NameRecord) +decodeGetRecord buf + | B.length buf < 32 * 8 = Left AbiTruncated + | otherwise = case decodeAddress 32 buf of + Left e -> Left e + Right owner + | isZeroOwner owner -> Right Nothing + | otherwise -> Right Nothing -- placeholder until SNRC ABI is finalised + +isZeroOwner :: NameOwner -> Bool +isZeroOwner = (== B.replicate 20 '\NUL') . unNameOwner diff --git a/src/Simplex/Messaging/Server/Names/Resolver.hs b/src/Simplex/Messaging/Server/Names/Resolver.hs new file mode 100644 index 0000000000..52be961f10 --- /dev/null +++ b/src/Simplex/Messaging/Server/Names/Resolver.hs @@ -0,0 +1,200 @@ +{-# LANGUAGE LambdaCase #-} +{-# LANGUAGE NamedFieldPuns #-} +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE RecordWildCards #-} +{-# LANGUAGE ScopedTypeVariables #-} +{-# LANGUAGE StrictData #-} + +-- | Public-namespace resolver: TTL+FIFO cache, in-flight coalescing, +-- timeout-bounded RPC, and zero-owner → NotFound mapping. +module Simplex.Messaging.Server.Names.Resolver + ( NamesConfig (..), + RpcAuth (..), + NamesEnv (..), + EthCall, + ResolveError (..), + newNamesEnv, + newNamesEnvWith, + closeNamesEnv, + resolveName, + ) +where + +import Control.Concurrent.STM +import qualified Control.Exception as E +import Data.ByteString.Char8 (ByteString) +import qualified Data.HashPSQ as PSQ +import Data.IORef (IORef) +import Data.Text (Text) +import Data.Word (Word64) +import GHC.Clock (getMonotonicTimeNSec) +import Simplex.Messaging.Protocol (NameOwner, NameRecord, unNameOwner) +import Simplex.Messaging.Server.Names.Eth.RPC (EthRpcEnv, EthRpcError (..), RpcAuth (..), closeEthRpcEnv, ethCallReal, newEthRpcEnv) +import Simplex.Messaging.Server.Names.Eth.SNRC (decodeGetRecord, encodeGetRecord, namehash) +import Simplex.Messaging.Util (atomicModifyIORef'_) +import System.Timeout (timeout) + +-- | Public-namespace resolver configuration. +data NamesConfig = NamesConfig + { ethereumEndpoint :: Text, + snrcAddress :: NameOwner, + rpcAuth :: Maybe RpcAuth, + cacheSeconds :: Int, + cacheMaxEntries :: Int, + cacheMaxBytes :: Int, + rpcTimeoutMs :: Int, + rpcMaxResponseBytes :: Int, + rpcMaxConcurrency :: Int, + dangerousColocation :: Bool + } + deriving (Show) + +data ResolveError + = NotFound + | EthHttpErr + | EthRpcErr {rpcCode :: Int, rpcMessage :: Text} + | EthDecodeErr + | TimedOut + deriving (Eq, Show) + +-- | Test seam: a function from (to, data) -> raw return bytes or error. +-- Production wires this to ethCallReal; tests substitute a stub. +type EthCall = ByteString -> ByteString -> IO (Either EthRpcError ByteString) + +-- | Cache value bundles a NameRecord with its insertion-time byte cost +-- so eviction can keep total cache bytes under cacheMaxBytes. +data CacheEntry = CacheEntry + { ceRecord :: NameRecord, + ceBytes :: Int + } + +-- | Cache state: (PSQ keyed by LookupKey, priority = insert time in ns, total bytes). +-- PSQ minView returns lowest-priority element → FIFO eviction by insertion order. +type CacheState = (PSQ.HashPSQ ByteString Word64 CacheEntry, Int) + +data NamesEnv = NamesEnv + { config :: NamesConfig, + ethCall :: EthCall, + cache :: TVar CacheState, + inflight :: TVar (PSQ.HashPSQ ByteString Word64 (TMVar (Either ResolveError NameRecord))), + rpcEnv :: Maybe EthRpcEnv, -- Nothing for test stubs + cacheHitsRef :: IORef Int, -- shared with ServerStats.rslvStats.rslvCacheHits + cacheMissRef :: IORef Int -- shared with ServerStats.rslvStats.rslvCacheMiss + } + +-- | Allocate resolver with real HTTP transport. +-- `cacheHitsRef` and `cacheMissRef` are shared with ServerStats.rslvStats so +-- the periodic CSV / Prometheus exporter sees per-request cache outcomes. +newNamesEnv :: NamesConfig -> IORef Int -> IORef Int -> IO NamesEnv +newNamesEnv cfg cacheHitsRef cacheMissRef = do + rpc <- newEthRpcEnv (ethereumEndpoint cfg) (rpcAuth cfg) (rpcMaxResponseBytes cfg) (rpcMaxConcurrency cfg) + let call to dat = ethCallReal rpc to dat + newNamesEnvWith cfg call (Just rpc) cacheHitsRef cacheMissRef + +-- | Allocate resolver with an injected ethCall (test seam). +newNamesEnvWith :: NamesConfig -> EthCall -> Maybe EthRpcEnv -> IORef Int -> IORef Int -> IO NamesEnv +newNamesEnvWith config ethCall rpcEnv cacheHitsRef cacheMissRef = do + cache <- newTVarIO (PSQ.empty, 0) + inflight <- newTVarIO PSQ.empty + pure NamesEnv {config, ethCall, cache, inflight, rpcEnv, cacheHitsRef, cacheMissRef} + +closeNamesEnv :: NamesEnv -> IO () +closeNamesEnv NamesEnv {rpcEnv} = maybe (pure ()) closeEthRpcEnv rpcEnv + +-- | Resolve a lookup key. Coalesces concurrent identical requests, caches +-- results for cacheSeconds, and bounds RPCs by rpcTimeoutMs. +resolveName :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) +resolveName env key = do + now <- getMonotonicTimeNSec + cacheLookup env key now >>= \case + Just rec -> do + atomicModifyIORef'_ (cacheHitsRef env) (+ 1) + pure (Right rec) + Nothing -> do + atomicModifyIORef'_ (cacheMissRef env) (+ 1) + coalesce env key now + +cacheLookup :: NamesEnv -> ByteString -> Word64 -> IO (Maybe NameRecord) +cacheLookup NamesEnv {config, cache} key now = atomically $ do + (psq, totalBytes) <- readTVar cache + case PSQ.lookup key psq of + Just (insertedAt, ce) + | now < insertedAt + ttlNs config -> pure (Just (ceRecord ce)) + | otherwise -> do + -- Expired: evict and signal miss. + writeTVar cache (PSQ.delete key psq, totalBytes - ceBytes ce) + pure Nothing + Nothing -> pure Nothing + +ttlNs :: NamesConfig -> Word64 +ttlNs cfg = fromIntegral (cacheSeconds cfg) * 1000000000 + +-- | Leader/waiter coalescing. Leader runs the RPC under E.mask; waiters +-- block on the leader's TMVar. Cleanup runs even on async exception. +coalesce :: NamesEnv -> ByteString -> Word64 -> IO (Either ResolveError NameRecord) +coalesce env@NamesEnv {inflight} key now = do + ticket <- atomically $ do + flight <- readTVar inflight + case PSQ.lookup key flight of + Just (_, mv) -> pure (Right mv) + Nothing -> do + mv <- newEmptyTMVar + writeTVar inflight (PSQ.insert key now mv flight) + pure (Left mv) + case ticket of + Right mv -> atomically (readTMVar mv) -- waiter + Left mv -> E.mask $ \restore -> do + r <- + restore (fetchOnceTimed env key) + `E.catch` \(e :: E.SomeException) -> pure (Left (mapEthExn e)) + atomically $ do + putTMVar mv r + modifyTVar' inflight (PSQ.delete key) + case r of + Right rec -> cacheInsert env key now rec + Left _ -> pure () + pure r + +mapEthExn :: E.SomeException -> ResolveError +mapEthExn _ = EthHttpErr + +fetchOnceTimed :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) +fetchOnceTimed env key = + timeout (rpcTimeoutMs (config env) * 1000) (fetchOnce env key) >>= \case + Just r -> pure r + Nothing -> pure (Left TimedOut) + +fetchOnce :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) +fetchOnce env@NamesEnv {ethCall, config} key = do + let node = namehash key + callData = encodeGetRecord node + to = unNameOwner (snrcAddress config) + ethCall to callData >>= \case + Left (HttpFailure _) -> pure (Left EthHttpErr) + Left (HttpStatusErr _) -> pure (Left EthHttpErr) + Left BodyTooLarge -> pure (Left EthDecodeErr) + Left (InvalidJson _) -> pure (Left EthDecodeErr) + Left (JsonRpcErr c m) -> pure (Left EthRpcErr {rpcCode = c, rpcMessage = m}) + Right ret -> case decodeGetRecord ret of + Right Nothing -> pure (Left NotFound) + Right (Just rec) -> pure (Right rec) + Left _ -> pure (Left EthDecodeErr) + +cacheInsert :: NamesEnv -> ByteString -> Word64 -> NameRecord -> IO () +cacheInsert NamesEnv {config, cache} key now rec = atomically $ do + (psq, totalBytes) <- readTVar cache + let entryBytes = estimateBytes rec + (psq', totalBytes') = evictWhile psq totalBytes + evictWhile p tb + | PSQ.size p > cacheMaxEntries config || tb + entryBytes > cacheMaxBytes config = + case PSQ.minView p of + Just (_, _, ce, rest) -> evictWhile rest (tb - ceBytes ce) + Nothing -> (p, tb) + | otherwise = (p, tb) + ce = CacheEntry {ceRecord = rec, ceBytes = entryBytes} + writeTVar cache (PSQ.insert key now ce psq', totalBytes' + entryBytes) + +-- | Approximate byte cost of a cached NameRecord (overhead + content). +-- Tight enough that cacheMaxBytes bounds real memory; not byte-exact. +estimateBytes :: NameRecord -> Int +estimateBytes _ = 4096 -- conservative upper bound per NameRecord diff --git a/src/Simplex/Messaging/Server/Prometheus.hs b/src/Simplex/Messaging/Server/Prometheus.hs index 32e8bd9a10..f8a5f84bf3 100644 --- a/src/Simplex/Messaging/Server/Prometheus.hs +++ b/src/Simplex/Messaging/Server/Prometheus.hs @@ -59,7 +59,7 @@ data RTSubscriberMetrics = RTSubscriberMetrics {-# FOURMOLU_DISABLE\n#-} prometheusMetrics :: ServerMetrics -> RealTimeMetrics -> UTCTime -> Text prometheusMetrics sm rtm ts = - time <> queues <> subscriptions <> messages <> ntfMessages <> ntfs <> relays <> services <> info + time <> queues <> subscriptions <> messages <> ntfMessages <> ntfs <> relays <> services <> names <> info where ServerMetrics {statsData, activeQueueCounts = ps, activeNtfCounts = psNtf, entityCounts, rtsOptions} = sm RealTimeMetrics @@ -128,7 +128,8 @@ prometheusMetrics sm rtm ts = _rcvServicesSubDuplicate, _qCount, _msgCount, - _ntfCount + _ntfCount, + _rslvStats } = statsData time = "# Recorded at: " <> T.pack (iso8601Show ts) <> "\n\ @@ -459,6 +460,39 @@ prometheusMetrics sm rtm ts = \# TYPE simplex_smp_" <> pfx <> "_services_sub_fewer_total gauge\n\ \simplex_smp_" <> pfx <> "_services_sub_fewer_total " <> mshow (_srvSubFewerTotal ss) <> "\n# " <> pfx <> ".srvSubFewerTotal\n\ \\n" + names = + let NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled} = _rslvStats + in "# Names\n\ + \# -----\n\ + \\n\ + \# HELP simplex_smp_names_reqs Total RSLV requests forwarded to this server.\n\ + \# TYPE simplex_smp_names_reqs counter\n\ + \simplex_smp_names_reqs " <> mshow _rslvReqs <> "\n# rslvReqs\n\ + \\n\ + \# HELP simplex_smp_names_success NameRecord successfully resolved and returned.\n\ + \# TYPE simplex_smp_names_success counter\n\ + \simplex_smp_names_success " <> mshow _rslvSucc <> "\n# rslvSucc\n\ + \\n\ + \# HELP simplex_smp_names_not_found Lookup key has no corresponding NameRecord on chain (zero-owner sentinel).\n\ + \# TYPE simplex_smp_names_not_found counter\n\ + \simplex_smp_names_not_found " <> mshow _rslvNotFound <> "\n# rslvNotFound\n\ + \\n\ + \# HELP simplex_smp_names_eth_errs Ethereum endpoint or ABI errors.\n\ + \# TYPE simplex_smp_names_eth_errs counter\n\ + \simplex_smp_names_eth_errs " <> mshow _rslvEthErrs <> "\n# rslvEthErrs\n\ + \\n\ + \# HELP simplex_smp_names_cache_hits Resolution served from cache.\n\ + \# TYPE simplex_smp_names_cache_hits counter\n\ + \simplex_smp_names_cache_hits " <> mshow _rslvCacheHits <> "\n# rslvCacheHits\n\ + \\n\ + \# HELP simplex_smp_names_cache_miss Resolution required an eth_call.\n\ + \# TYPE simplex_smp_names_cache_miss counter\n\ + \simplex_smp_names_cache_miss " <> mshow _rslvCacheMiss <> "\n# rslvCacheMiss\n\ + \\n\ + \# HELP simplex_smp_names_disabled RSLV requests rejected because the names role is disabled.\n\ + \# TYPE simplex_smp_names_disabled counter\n\ + \simplex_smp_names_disabled " <> mshow _rslvDisabled <> "\n# rslvDisabled\n\ + \\n" info = "# Info\n\ \# ----\n\ diff --git a/src/Simplex/Messaging/Server/Stats.hs b/src/Simplex/Messaging/Server/Stats.hs index e8291759e6..de9c23f19b 100644 --- a/src/Simplex/Messaging/Server/Stats.hs +++ b/src/Simplex/Messaging/Server/Stats.hs @@ -39,9 +39,18 @@ module Simplex.Messaging.Server.Stats setServiceStats, emptyTimeBuckets, updateTimeBuckets, + incStat, + NameResolverStats (..), + NameResolverStatsData (..), + newNameResolverStats, + newNameResolverStatsData, + getNameResolverStatsData, + getResetNameResolverStatsData, + setNameResolverStats, ) where import Control.Applicative (optional, (<|>)) +import Control.Monad.IO.Class (MonadIO, liftIO) import qualified Data.Attoparsec.ByteString.Char8 as A import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B @@ -123,7 +132,8 @@ data ServerStats = ServerStats rcvServicesSubDuplicate :: IORef Int, qCount :: IORef Int, msgCount :: IORef Int, - ntfCount :: IORef Int + ntfCount :: IORef Int, + rslvStats :: NameResolverStats } data ServerStatsData = ServerStatsData @@ -184,7 +194,8 @@ data ServerStatsData = ServerStatsData _rcvServicesSubDuplicate :: Int, _qCount :: Int, _msgCount :: Int, - _ntfCount :: Int + _ntfCount :: Int, + _rslvStats :: NameResolverStatsData } deriving (Show) @@ -248,6 +259,7 @@ newServerStats ts = do qCount <- newIORef 0 msgCount <- newIORef 0 ntfCount <- newIORef 0 + rslvStats <- newNameResolverStats pure ServerStats { fromTime, @@ -307,7 +319,8 @@ newServerStats ts = do rcvServicesSubDuplicate, qCount, msgCount, - ntfCount + ntfCount, + rslvStats } getServerStatsData :: ServerStats -> IO ServerStatsData @@ -370,6 +383,7 @@ getServerStatsData s = do _qCount <- readIORef $ qCount s _msgCount <- readIORef $ msgCount s _ntfCount <- readIORef $ ntfCount s + _rslvStats <- getNameResolverStatsData $ rslvStats s pure ServerStatsData { _fromTime, @@ -429,7 +443,8 @@ getServerStatsData s = do _rcvServicesSubDuplicate, _qCount, _msgCount, - _ntfCount + _ntfCount, + _rslvStats } -- this function is not thread safe, it is used on server start only @@ -493,6 +508,7 @@ setServerStats s d = do writeIORef (qCount s) $! _qCount d writeIORef (msgCount s) $! _msgCount d writeIORef (ntfCount s) $! _ntfCount d + setNameResolverStats (rslvStats s) $! _rslvStats d instance StrEncoding ServerStatsData where strEncode d = @@ -557,7 +573,9 @@ instance StrEncoding ServerStatsData where "rcvServices:", strEncode (_rcvServices d), "ntfServices:", - strEncode (_ntfServices d) + strEncode (_ntfServices d), + "rslvStats:", + strEncode (_rslvStats d) ] strP = do _fromTime <- "fromTime=" *> strP <* A.endOfLine @@ -628,6 +646,10 @@ instance StrEncoding ServerStatsData where _pMsgFwdsRecv <- opt "pMsgFwdsRecv=" _rcvServices <- serviceStatsP "rcvServices:" _ntfServices <- serviceStatsP "ntfServices:" + _rslvStats <- + optional ("rslvStats:" <* A.endOfLine) >>= \case + Just _ -> strP <* optional A.endOfLine + _ -> pure newNameResolverStatsData pure ServerStatsData { _fromTime, @@ -687,7 +709,8 @@ instance StrEncoding ServerStatsData where _rcvServicesSubDuplicate = 0, _qCount, _msgCount = 0, - _ntfCount = 0 + _ntfCount = 0, + _rslvStats } where opt s = A.string s *> strP <* A.endOfLine <|> pure 0 @@ -786,6 +809,10 @@ updatePeriodStats ps (EntityId pId) = do ph = hash pId updatePeriod ref = unlessM (IS.member ph <$> readIORef ref) $ atomicModifyIORef'_ ref $ IS.insert ph +incStat :: MonadIO m => IORef Int -> m () +incStat r = liftIO $ atomicModifyIORef'_ r (+ 1) +{-# INLINE incStat #-} + data ProxyStats = ProxyStats { pRequests :: IORef Int, pSuccesses :: IORef Int, -- includes destination server error responses that will be forwarded to the client @@ -862,6 +889,109 @@ instance StrEncoding ProxyStatsData where _pErrorsOther <- "errorsOther=" *> strP pure ProxyStatsData {_pRequests, _pSuccesses, _pErrorsConnect, _pErrorsCompat, _pErrorsOther} +data NameResolverStats = NameResolverStats + { rslvReqs :: IORef Int, + rslvSucc :: IORef Int, + rslvNotFound :: IORef Int, + rslvEthErrs :: IORef Int, + rslvCacheHits :: IORef Int, + rslvCacheMiss :: IORef Int, + rslvDisabled :: IORef Int + } + +newNameResolverStats :: IO NameResolverStats +newNameResolverStats = do + rslvReqs <- newIORef 0 + rslvSucc <- newIORef 0 + rslvNotFound <- newIORef 0 + rslvEthErrs <- newIORef 0 + rslvCacheHits <- newIORef 0 + rslvCacheMiss <- newIORef 0 + rslvDisabled <- newIORef 0 + pure NameResolverStats {rslvReqs, rslvSucc, rslvNotFound, rslvEthErrs, rslvCacheHits, rslvCacheMiss, rslvDisabled} + +data NameResolverStatsData = NameResolverStatsData + { _rslvReqs :: Int, + _rslvSucc :: Int, + _rslvNotFound :: Int, + _rslvEthErrs :: Int, + _rslvCacheHits :: Int, + _rslvCacheMiss :: Int, + _rslvDisabled :: Int + } + deriving (Show) + +newNameResolverStatsData :: NameResolverStatsData +newNameResolverStatsData = + NameResolverStatsData + { _rslvReqs = 0, + _rslvSucc = 0, + _rslvNotFound = 0, + _rslvEthErrs = 0, + _rslvCacheHits = 0, + _rslvCacheMiss = 0, + _rslvDisabled = 0 + } + +getNameResolverStatsData :: NameResolverStats -> IO NameResolverStatsData +getNameResolverStatsData s = do + _rslvReqs <- readIORef $ rslvReqs s + _rslvSucc <- readIORef $ rslvSucc s + _rslvNotFound <- readIORef $ rslvNotFound s + _rslvEthErrs <- readIORef $ rslvEthErrs s + _rslvCacheHits <- readIORef $ rslvCacheHits s + _rslvCacheMiss <- readIORef $ rslvCacheMiss s + _rslvDisabled <- readIORef $ rslvDisabled s + pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled} + +getResetNameResolverStatsData :: NameResolverStats -> IO NameResolverStatsData +getResetNameResolverStatsData s = do + _rslvReqs <- atomicSwapIORef (rslvReqs s) 0 + _rslvSucc <- atomicSwapIORef (rslvSucc s) 0 + _rslvNotFound <- atomicSwapIORef (rslvNotFound s) 0 + _rslvEthErrs <- atomicSwapIORef (rslvEthErrs s) 0 + _rslvCacheHits <- atomicSwapIORef (rslvCacheHits s) 0 + _rslvCacheMiss <- atomicSwapIORef (rslvCacheMiss s) 0 + _rslvDisabled <- atomicSwapIORef (rslvDisabled s) 0 + pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled} + +-- not thread safe; used on server start only +setNameResolverStats :: NameResolverStats -> NameResolverStatsData -> IO () +setNameResolverStats s d = do + writeIORef (rslvReqs s) $! _rslvReqs d + writeIORef (rslvSucc s) $! _rslvSucc d + writeIORef (rslvNotFound s) $! _rslvNotFound d + writeIORef (rslvEthErrs s) $! _rslvEthErrs d + writeIORef (rslvCacheHits s) $! _rslvCacheHits d + writeIORef (rslvCacheMiss s) $! _rslvCacheMiss d + writeIORef (rslvDisabled s) $! _rslvDisabled d + +instance StrEncoding NameResolverStatsData where + strEncode NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled} = + "reqs=" + <> strEncode _rslvReqs + <> "\nsucc=" + <> strEncode _rslvSucc + <> "\nnotFound=" + <> strEncode _rslvNotFound + <> "\nethErrs=" + <> strEncode _rslvEthErrs + <> "\ncacheHits=" + <> strEncode _rslvCacheHits + <> "\ncacheMiss=" + <> strEncode _rslvCacheMiss + <> "\ndisabled=" + <> strEncode _rslvDisabled + strP = do + _rslvReqs <- "reqs=" *> strP <* A.endOfLine + _rslvSucc <- "succ=" *> strP <* A.endOfLine + _rslvNotFound <- "notFound=" *> strP <* A.endOfLine + _rslvEthErrs <- "ethErrs=" *> strP <* A.endOfLine + _rslvCacheHits <- "cacheHits=" *> strP <* A.endOfLine + _rslvCacheMiss <- "cacheMiss=" *> strP <* A.endOfLine + _rslvDisabled <- "disabled=" *> strP + pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled} + data ServiceStats = ServiceStats { srvAssocNew :: IORef Int, srvAssocDuplicate :: IORef Int, diff --git a/src/Simplex/Messaging/Transport.hs b/src/Simplex/Messaging/Transport.hs index d98453ab8e..2d6229621b 100644 --- a/src/Simplex/Messaging/Transport.hs +++ b/src/Simplex/Messaging/Transport.hs @@ -57,6 +57,7 @@ module Simplex.Messaging.Transport newNtfCredsSMPVersion, clientNoticesSMPVersion, rcvServiceSMPVersion, + namesSMPVersion, simplexMQVersion, smpBlockSize, TransportConfig (..), @@ -223,6 +224,9 @@ clientNoticesSMPVersion = VersionSMP 18 rcvServiceSMPVersion :: VersionSMP rcvServiceSMPVersion = VersionSMP 19 +namesSMPVersion :: VersionSMP +namesSMPVersion = VersionSMP 20 + minClientSMPRelayVersion :: VersionSMP minClientSMPRelayVersion = VersionSMP 6 @@ -230,13 +234,13 @@ minServerSMPRelayVersion :: VersionSMP minServerSMPRelayVersion = VersionSMP 6 currentClientSMPRelayVersion :: VersionSMP -currentClientSMPRelayVersion = VersionSMP 19 +currentClientSMPRelayVersion = VersionSMP 20 legacyServerSMPRelayVersion :: VersionSMP legacyServerSMPRelayVersion = VersionSMP 6 currentServerSMPRelayVersion :: VersionSMP -currentServerSMPRelayVersion = VersionSMP 19 +currentServerSMPRelayVersion = VersionSMP 20 -- Max SMP protocol version to be used in e2e encrypted -- connection between client and server, as defined by SMP proxy. @@ -244,7 +248,7 @@ currentServerSMPRelayVersion = VersionSMP 19 -- to prevent client version fingerprinting by the -- destination relays when clients upgrade at different times. proxiedSMPRelayVersion :: VersionSMP -proxiedSMPRelayVersion = VersionSMP 18 +proxiedSMPRelayVersion = VersionSMP 20 -- minimal supported protocol version is 6 -- TODO remove code that supports sending commands without batching diff --git a/tests/SMPClient.hs b/tests/SMPClient.hs index d043fd3c86..2ee9b509f0 100644 --- a/tests/SMPClient.hs +++ b/tests/SMPClient.hs @@ -278,6 +278,7 @@ cfgMS msType = withStoreCfg (testServerStoreConfig msType) $ \serverStoreCfg -> smpAgentCfg = defaultSMPClientAgentConfig {persistErrorInterval = 1}, -- seconds allowSMPProxy = False, serverClientConcurrency = 2, + namesConfig = Nothing, information = Nothing, startOptions = defaultStartOptions } diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs new file mode 100644 index 0000000000..452474e230 --- /dev/null +++ b/tests/SMPNamesTests.hs @@ -0,0 +1,266 @@ +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE ScopedTypeVariables #-} +{-# LANGUAGE TypeApplications #-} + +module SMPNamesTests (smpNamesTests) where + +import Control.Concurrent.Async (replicateConcurrently) +import qualified Crypto.Hash as Crypton +import Data.ByteString.Char8 (ByteString) +import qualified Data.ByteString.Char8 as B +import qualified Data.ByteArray as BA +import Data.Either (isLeft, isRight) +import Data.IORef (atomicModifyIORef', newIORef, readIORef) +import qualified Data.Text as T +import Simplex.Messaging.Encoding (smpEncode, smpP) +import Simplex.Messaging.Parsers (parseAll) +import Simplex.Messaging.Protocol + ( LookupKey (..), + NameRecord (..), + mkNameLink, + mkNameOwner, + nameRecBytes, + parseNameRec, + unNameLink, + unNameOwner, + ) +import Simplex.Messaging.Server.Names.Eth.SNRC + ( AbiError (..), + decodeAddress, + decodeGetRecord, + decodeString, + decodeStringArray, + decodeWord256Int64, + encodeGetRecord, + keccak256, + namehash, + snrcSelector, + ) +import Simplex.Messaging.Server.Names.Resolver + ( NamesConfig (..), + ResolveError (..), + newNamesEnvWith, + resolveName, + ) +import Simplex.Messaging.Transport (VersionSMP) +import Simplex.Messaging.Version.Internal (Version (..)) +import Test.Hspec + +-- Reference vectors: +-- keccak256("") = c5d2460186f7233c927e7db2dcc703c0e500b653ca8227b7bfad8045d85a470 +-- keccak256("abc") = 4e03657aea45a94fc7d47ba826c8d667c0d1e6e33a64a036ec44f58fa12d6c45 +-- sha3_256("abc") = 3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532 +-- namehash("eth") = 93cdeb708b7545dc668eb9280176169d1c33cfd8ed6f04690a0bcc88a93fc4ae + +keccak256Empty :: ByteString +keccak256Empty = "\xc5\xd2\x46\x01\x86\xf7\x23\x3c\x92\x7e\x7d\xb2\xdc\xc7\x03\xc0\xe5\x00\xb6\x53\xca\x82\x27\x3b\x7b\xfa\xd8\x04\x5d\x85\xa4\x70" + +keccak256Abc :: ByteString +keccak256Abc = "\x4e\x03\x65\x7a\xea\x45\xa9\x4f\xc7\xd4\x7b\xa8\x26\xc8\xd6\x67\xc0\xd1\xe6\xe3\x3a\x64\xa0\x36\xec\x44\xf5\x8f\xa1\x2d\x6c\x45" + +sha3_256Abc :: ByteString +sha3_256Abc = "\x3a\x98\x5d\xa7\x4f\xe2\x25\xb2\x04\x5c\x17\x2d\x6b\xd3\x90\xbd\x85\x5f\x08\x6e\x3e\x9d\x52\x5b\x46\xbf\xe2\x45\x11\x43\x15\x32" + +namehashEth :: ByteString +namehashEth = "\x93\xcd\xeb\x70\x8b\x75\x45\xdc\x66\x8e\xb9\x28\x01\x76\x16\x9d\x1c\x33\xcf\xd8\xed\x6f\x04\x69\x0a\x0b\xcc\x88\xa9\x3f\xc4\xae" + +v20 :: VersionSMP +v20 = Version 20 + +twentyOnes :: ByteString +twentyOnes = B.replicate 20 '\x01' + +sampleRecord :: NameRecord +sampleRecord = case (mkNameOwner twentyOnes, mkNameLink "simplex:/contact/abc#xyz") of + (Right o, Right l) -> + NameRecord + { nrDisplayName = "Alice", + nrOwner = o, + nrChannelLinks = [], + nrContactLinks = [l], + nrAdminAddress = Just "simplex:/admin/...", + nrAdminEmail = Just "admin@example.org", + nrExpiry = 1735689600, + nrIsTest = False + } + _ -> error "sampleRecord smart ctors failed" + +smpNamesTests :: Spec +smpNamesTests = do + describe "NameRecord encoding (Protocol)" nameRecordEncodingSpec + describe "LookupKey + smart constructors" lookupKeyAndCtorsSpec + describe "Keccak-256 and namehash" namehashSpec + describe "ABI primitive bounds" abiBoundsSpec + describe "decodeGetRecord (zero-owner sentinel)" zeroOwnerSpec + describe "Resolver cache + coalescing" resolverCacheSpec + +nameRecordEncodingSpec :: Spec +nameRecordEncodingSpec = do + it "round-trips nameRecBytes / parseNameRec" $ do + let bytes = nameRecBytes v20 sampleRecord + parseAll (parseNameRec v20) bytes `shouldBe` Right sampleRecord + + it "rejects negative expiry" $ do + let badBytes = nameRecBytes v20 sampleRecord {nrExpiry = -1} + parseAll (parseNameRec v20) badBytes `shouldSatisfy` isLeft + + it "enforces combined channel+contact list cap of 8" $ do + let mkLink i = either error id (mkNameLink ("simplex:/contact/" <> T.pack (show (i :: Int)))) + nineLinks = map mkLink [0 .. 8] + overflow = sampleRecord {nrChannelLinks = nineLinks, nrContactLinks = []} + bytes = nameRecBytes v20 overflow + parseAll (parseNameRec v20) bytes `shouldSatisfy` isLeft + + it "encodes within the proxied transmission budget" $ do + let huge = either error id (mkNameLink (T.replicate 1024 "x")) + wide = + sampleRecord + { nrChannelLinks = replicate 4 huge, + nrContactLinks = replicate 4 huge, + nrDisplayName = T.replicate 255 "n", + nrAdminAddress = Just (T.replicate 255 "a"), + nrAdminEmail = Just (T.replicate 255 "e") + } + B.length (nameRecBytes v20 wide) < 16224 `shouldBe` True + +lookupKeyAndCtorsSpec :: Spec +lookupKeyAndCtorsSpec = do + it "LookupKey parser caps at 64 bytes" $ do + let okBytes = smpEncode (LookupKey (B.replicate 64 'a')) + bigBytes = smpEncode (LookupKey (B.replicate 65 'a')) + parseAll (smpP @LookupKey) okBytes `shouldSatisfy` isRight + parseAll (smpP @LookupKey) bigBytes `shouldSatisfy` isLeft + + it "mkNameOwner accepts exactly 20 bytes" $ do + mkNameOwner twentyOnes `shouldSatisfy` isRight + mkNameOwner (B.replicate 19 '\x01') `shouldSatisfy` isLeft + mkNameOwner (B.replicate 21 '\x01') `shouldSatisfy` isLeft + + it "mkNameLink rejects >1024 UTF-8 bytes" $ do + mkNameLink (T.replicate 1024 "x") `shouldSatisfy` isRight + mkNameLink (T.replicate 1025 "x") `shouldSatisfy` isLeft + -- multibyte UTF-8 counted in bytes, not chars: 600 × 3 = 1800 bytes + mkNameLink (T.replicate 600 "\x4e2d") `shouldSatisfy` isLeft + + it "unNameLink / unNameOwner round-trip the smart ctors" $ do + case (mkNameOwner twentyOnes, mkNameLink "abc") of + (Right o, Right l) -> do + unNameOwner o `shouldBe` twentyOnes + unNameLink l `shouldBe` "abc" + _ -> expectationFailure "smart ctors failed" + +namehashSpec :: Spec +namehashSpec = do + it "keccak256 of empty string matches reference vector" $ + keccak256 "" `shouldBe` keccak256Empty + + it "keccak256 of \"abc\" matches reference vector" $ + keccak256 "abc" `shouldBe` keccak256Abc + + it "Keccak-256 is NOT SHA3-256 (different output for same input)" $ do + let sha3 = BA.convert (Crypton.hash @ByteString @Crypton.SHA3_256 "abc") :: ByteString + sha3 `shouldBe` sha3_256Abc + keccak256 "abc" `shouldNotBe` sha3 + + it "namehash of empty name is 32 zero bytes" $ + namehash "" `shouldBe` B.replicate 32 '\NUL' + + it "namehash of \"eth\" matches ENS reference vector" $ + namehash "eth" `shouldBe` namehashEth + + it "snrcSelector is 4 bytes" $ + B.length snrcSelector `shouldBe` 4 + + it "encodeGetRecord = selector ++ 32-byte node" $ do + let node = namehash "alice.eth" + bytes = encodeGetRecord node + B.length bytes `shouldBe` 36 + B.take 4 bytes `shouldBe` snrcSelector + B.drop 4 bytes `shouldBe` node + +abiBoundsSpec :: Spec +abiBoundsSpec = do + let mkBuf n = B.replicate n '\NUL' + + it "decodeWord256Int64 fails when offset + 32 > buf length" $ + decodeWord256Int64 0 (mkBuf 31) `shouldBe` Left AbiTruncated + + it "decodeWord256Int64 rejects non-zero high 24 bytes (Int64 overflow)" $ do + let buf = B.replicate 23 '\NUL' <> B.singleton '\x01' <> B.replicate 8 '\NUL' + decodeWord256Int64 0 buf `shouldBe` Left AbiNonZeroHighBytes + + it "decodeWord256Int64 succeeds for low 8 bytes set" $ do + let buf = B.replicate 24 '\NUL' <> "\x00\x00\x00\x00\x00\x00\x12\x34" + decodeWord256Int64 0 buf `shouldBe` Right 0x1234 + + it "decodeAddress rejects non-zero high 12 bytes" $ do + let buf = B.replicate 11 '\NUL' <> B.singleton '\x01' <> B.replicate 20 '\NUL' + decodeAddress 0 buf `shouldSatisfy` isLeft + + it "decodeString fails on backward offset" $ + decodeString 100 50 1024 (mkBuf 200) `shouldBe` Left AbiBackwardOffset + + it "decodeString fails when declared length exceeds the per-field cap" $ do + let lenBytes = B.replicate 24 '\NUL' <> "\x00\x00\x00\x00\x00\x00\x00\x64" -- length 100 + buf = lenBytes <> B.replicate 100 'x' + decodeString 0 0 10 buf `shouldBe` Left AbiOversized + + it "decodeStringArray fails when depth ≥ 2" $ + decodeStringArray 2 0 0 8 1024 (mkBuf 64) `shouldBe` Left AbiDepthExceeded + + it "decodeStringArray fails when array count exceeds cap" $ do + let lenBytes = B.replicate 24 '\NUL' <> "\x00\x00\x00\x00\x00\x00\x00\x09" -- 9 elements + buf = lenBytes <> B.replicate 1024 '\NUL' + decodeStringArray 0 0 0 8 1024 buf `shouldBe` Left AbiOversized + +zeroOwnerSpec :: Spec +zeroOwnerSpec = do + it "decodeGetRecord returns Nothing for zero-owner buffer" $ do + -- 8 slots × 32 bytes; owner at slot 1 (offset 32) is all-zero by construction + let buf = B.replicate (32 * 8) '\NUL' + decodeGetRecord buf `shouldBe` Right Nothing + + it "decodeGetRecord fails on truncated buffer" $ do + let tiny = B.replicate 31 '\NUL' + decodeGetRecord tiny `shouldBe` Left AbiTruncated + +resolverCacheSpec :: Spec +resolverCacheSpec = do + let mkEnv ethCall = do + hitsRef <- newIORef 0 + missRef <- newIORef 0 + let cfg = + NamesConfig + { ethereumEndpoint = "http://stub", + snrcAddress = either error id (mkNameOwner twentyOnes), + rpcAuth = Nothing, + cacheSeconds = 300, + cacheMaxEntries = 100, + cacheMaxBytes = 1024 * 1024, + rpcTimeoutMs = 1000, + rpcMaxResponseBytes = 65536, + rpcMaxConcurrency = 4, + dangerousColocation = False + } + env <- newNamesEnvWith cfg ethCall Nothing hitsRef missRef + pure (env, hitsRef, missRef) + + it "maps stub zero-owner response to NotFound and counts as cache miss" $ do + (env, _, missRef) <- mkEnv $ \_ _ -> pure (Right (B.replicate (32 * 8) '\NUL')) + r <- resolveName env "alice" + r `shouldBe` Left NotFound + misses <- readIORef missRef + misses `shouldBe` 1 + + it "concurrent identical lookups don't crash and all return NotFound" $ do + callCount <- newIORef (0 :: Int) + (env, _, _) <- mkEnv $ \_ _ -> do + atomicModifyIORef' callCount (\v -> (v + 1, ())) + pure (Right (B.replicate (32 * 8) '\NUL')) + rs <- replicateConcurrently 8 (resolveName env "alice") + all (== Left NotFound) rs `shouldBe` True + -- NotFound is currently not cached, so each leader makes an RPC. + -- Once decodeGetRecord returns Just rec (post-SNRC), coalescing + -- means concurrent callers share one RPC and call count == 1. + n <- readIORef callCount + n `shouldSatisfy` (>= 1) diff --git a/tests/Test.hs b/tests/Test.hs index ae6df6e780..84718a9fcc 100644 --- a/tests/Test.hs +++ b/tests/Test.hs @@ -22,6 +22,7 @@ import FileDescriptionTests (fileDescriptionTests) import GHC.IO.Exception (IOException (..)) import qualified GHC.IO.Exception as IOException import RemoteControl (remoteControlTests) +import SMPNamesTests (smpNamesTests) import SMPProxyTests (smpProxyTests) import ServerTests import Simplex.Messaging.Server.Env.STM (AStoreType (..)) @@ -97,6 +98,7 @@ main = do #endif describe "TSessionSubs tests" tSessionSubsTests describe "Util tests" utilTests + describe "Names resolver tests" smpNamesTests describe "Agent core tests" agentCoreTests #if defined(dbServerPostgres) around_ (postgressBracket testServerDBConnectInfo) $ From 3999facde3d2a3eaacfc643fc59eef63e025dc98 Mon Sep 17 00:00:00 2001 From: sh Date: Fri, 29 May 2026 16:01:59 +0000 Subject: [PATCH 02/33] smp-server: Names resolver hardening + cleanup --- plans/20260522_01_smp_public_namespaces.md | 3 +- src/Simplex/Messaging/Protocol.hs | 5 - src/Simplex/Messaging/Server/Env/STM.hs | 24 ++-- src/Simplex/Messaging/Server/Main.hs | 97 +++++++------ src/Simplex/Messaging/Server/Main/Init.hs | 9 +- src/Simplex/Messaging/Server/Names.hs | 3 +- src/Simplex/Messaging/Server/Names/Eth/RPC.hs | 1 + .../Messaging/Server/Names/Eth/SNRC.hs | 21 ++- .../Messaging/Server/Names/Resolver.hs | 132 ++++++++++++++---- tests/SMPNamesTests.hs | 55 ++++++-- 10 files changed, 251 insertions(+), 99 deletions(-) diff --git a/plans/20260522_01_smp_public_namespaces.md b/plans/20260522_01_smp_public_namespaces.md index a197635624..5f90e67fd3 100644 --- a/plans/20260522_01_smp_public_namespaces.md +++ b/plans/20260522_01_smp_public_namespaces.md @@ -177,7 +177,7 @@ In-flight `resolveName` calls during shutdown receive `ConnectionClosed` → `Et **`incStat` relocation.** Defined at `Server.hs:2220`, currently unexported. Move to `Server/Stats.hs` (one-line transplant + export) so `Resolver.hs` can use it. -**Co-located proxy refused.** `newEnv` aborts startup if both `allowSMPProxy = True` and `namesConfig = Just _`, unless `allow_dangerous_colocation = on`. RSLV is the first slow forwarded command; on a proxy host it can serialise other forwarded commands on the same proxy-relay session up to `rpcTimeoutMs` per cache miss. `forkForwardedCmd` async dispatch is the longer-term fix, tracked as a follow-up. +**Co-located proxy warning.** `newEnv` logs a startup warning whenever `allowSMPProxy = True` and `namesConfig = Just _`. RSLV is the first slow forwarded command; on a proxy host it can serialise other forwarded commands on the same proxy-relay session up to `rpcTimeoutMs` per cache miss. The warning is not a hard refusal because `[PROXY]` has no `enable: on/off` toggle — proxy is always on for every smp-server. `forkForwardedCmd` async dispatch is the longer-term fix, tracked as a follow-up; once the proxy role is gateable per-server, the warning can be tightened back to a refusal. ## Resolver subtree @@ -256,7 +256,6 @@ data NamesConfig = NamesConfig , rpcTimeoutMs :: Int -- 3000 , rpcMaxResponseBytes :: Int -- 262144 (256 KB) , rpcMaxConcurrency :: Int -- 8 - , dangerousColocation :: Bool -- override the §"Server changes" startup guard } data RpcAuth = AuthBearer Text | AuthBasic Text Text diff --git a/src/Simplex/Messaging/Protocol.hs b/src/Simplex/Messaging/Protocol.hs index e1f8f54d10..3a5f88903a 100644 --- a/src/Simplex/Messaging/Protocol.hs +++ b/src/Simplex/Messaging/Protocol.hs @@ -164,7 +164,6 @@ module Simplex.Messaging.Protocol FwdResponse (..), FwdTransmission (..), LookupKey (..), - unLookupKey, NameRecord (..), NameOwner, mkNameOwner, @@ -573,10 +572,6 @@ type QueueId = EntityId newtype LookupKey = LookupKey ByteString deriving (Eq, Show) -unLookupKey :: LookupKey -> ByteString -unLookupKey (LookupKey s) = s -{-# INLINE unLookupKey #-} - instance Encoding LookupKey where smpEncode (LookupKey s) = smpEncode s smpP = do diff --git a/src/Simplex/Messaging/Server/Env/STM.hs b/src/Simplex/Messaging/Server/Env/STM.hs index 382c820c8f..6f6ca1aaf9 100644 --- a/src/Simplex/Messaging/Server/Env/STM.hs +++ b/src/Simplex/Messaging/Server/Env/STM.hs @@ -115,7 +115,9 @@ import Simplex.Messaging.Server.Information import Simplex.Messaging.Server.MsgStore.Journal import Simplex.Messaging.Server.MsgStore.STM import Simplex.Messaging.Server.MsgStore.Types -import Simplex.Messaging.Server.Names (NamesConfig (..), NamesEnv, closeNamesEnv, newNamesEnv) +import Simplex.Messaging.Server.Names (NamesConfig (..), NamesEnv, newNamesEnv, pingEndpoint) +import Simplex.Messaging.Server.Names.Eth.RPC (scrubUrl) +import Simplex.Messaging.Util (tshow) import Simplex.Messaging.Server.NtfStore import Simplex.Messaging.Server.QueueStore import Simplex.Messaging.Server.QueueStore.Postgres.Config @@ -609,13 +611,19 @@ newEnv config@ServerConfig {allowSMPProxy, smpCredentials, httpCredentials, serv proxyAgent <- newSMPProxyAgent smpAgentCfg random namesEnv <- case namesConfig of Nothing -> pure Nothing - Just nc - | allowSMPProxy && not (dangerousColocation nc) -> do - logError "[NAMES] enable: on with [PROXY] is refused — RSLV cache misses can serialise other forwarded commands. Set allow_dangerous_colocation = on to override." - exitFailure - | otherwise -> do - let rs = rslvStats serverStats - Just <$> newNamesEnv nc (rslvCacheHits rs) (rslvCacheMiss rs) + Just nc -> do + logInfo $ "[NAMES] resolver enabled, endpoint=" <> scrubUrl (ethereumEndpoint nc) + when allowSMPProxy $ + logWarn "[NAMES] enable: on on a proxy-role host: slow RSLV cache misses can serialise other forwarded commands on the same proxy-relay session. For high-volume deployments, run [NAMES] on a separate host." + let rs = rslvStats serverStats + env <- newNamesEnv nc (rslvCacheHits rs) (rslvCacheMiss rs) + -- Probe the endpoint at startup. Don't exitFailure: a flapping + -- network or an Ethereum host coming up minutes after smp-server + -- should not block the server. Log so operators can spot it. + pingEndpoint env >>= \case + Right _ -> logInfo "[NAMES] endpoint probe ok" + Left e -> logWarn $ "[NAMES] endpoint probe failed (server will still start, RSLV will return ERR AUTH until reachable): " <> tshow e + pure (Just env) pure Env { serverActive, diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index edde8a78b2..9dfec8aba8 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -39,7 +39,6 @@ module Simplex.Messaging.Server.Main strParse, ) where -import Control.Applicative ((<|>)) import Control.Concurrent.STM import Control.Exception (finally) import Control.Logger.Simple @@ -77,8 +76,10 @@ import Simplex.Messaging.Server.Main.Init import Simplex.Messaging.Server.Web (EmbeddedWebParams (..), WebHttpsParams (..)) import Simplex.Messaging.Server.MsgStore.Journal (JournalMsgStore (..), QStoreCfg (..), stmQueueStore) import Simplex.Messaging.Server.MsgStore.Types (MsgStoreClass (..), SQSType (..), SMSType (..), newMsgStore) +import Network.URI (URI (..), URIAuth (..), parseAbsoluteURI) import Simplex.Messaging.Protocol (mkNameOwner, NameOwner) import Simplex.Messaging.Server.Names (NamesConfig (..), RpcAuth (..)) +import Simplex.Messaging.Server.Names.Eth.RPC (fromHex) import Simplex.Messaging.Server.QueueStore.Postgres.Config import Simplex.Messaging.Server.StoreLog.ReadWrite (readQueueStore) import Simplex.Messaging.Transport (supportedProxyClientSMPRelayVRange, alpnSupportedSMPHandshakes, supportedServerSMPRelayVRange) @@ -804,55 +805,73 @@ readNamesConfig :: Ini -> Maybe NamesConfig readNamesConfig ini | not enabled = Nothing | otherwise = - Just - NamesConfig - { ethereumEndpoint = requiredText "ethereum_endpoint", - snrcAddress = either (error . ("[NAMES] snrc_address: " <>)) id $ parseEthAddr (requiredText "snrc_address"), - rpcAuth = either (error . ("[NAMES] rpc_auth: " <>)) Just . parseRpcAuth =<< eitherToMaybe (lookupValue "NAMES" "rpc_auth" ini), - cacheSeconds = readIniDefault 300 "NAMES" "cache_seconds" ini, - cacheMaxEntries = readIniDefault 100000 "NAMES" "cache_max_entries" ini, - cacheMaxBytes = readIniDefault 67108864 "NAMES" "cache_max_bytes" ini, - rpcTimeoutMs = readIniDefault 3000 "NAMES" "rpc_timeout_ms" ini, - rpcMaxResponseBytes = readIniDefault 262144 "NAMES" "rpc_max_response_bytes" ini, - rpcMaxConcurrency = readIniDefault 8 "NAMES" "rpc_max_concurrency" ini, - dangerousColocation = fromMaybe False (iniOnOff "NAMES" "allow_dangerous_colocation" ini) - } + let rpcAuth_ = either (error . ("[NAMES] rpc_auth: " <>)) Just . parseRpcAuth =<< eitherToMaybe (lookupValue "NAMES" "rpc_auth" ini) + endpoint = requiredText "ethereum_endpoint" + in Just + NamesConfig + { ethereumEndpoint = either (error . ("[NAMES] ethereum_endpoint: " <>)) id (validateUrl endpoint rpcAuth_), + snrcAddress = either (error . ("[NAMES] snrc_address: " <>)) id $ parseEthAddr (requiredText "snrc_address"), + rpcAuth = rpcAuth_, + cacheSeconds = readIniDefault 300 "NAMES" "cache_seconds" ini, + cacheMaxEntries = readIniDefault 100000 "NAMES" "cache_max_entries" ini, + cacheMaxBytes = readIniDefault 67108864 "NAMES" "cache_max_bytes" ini, + rpcTimeoutMs = readIniDefault 3000 "NAMES" "rpc_timeout_ms" ini, + rpcMaxResponseBytes = readIniDefault 262144 "NAMES" "rpc_max_response_bytes" ini, + rpcMaxConcurrency = readIniDefault 8 "NAMES" "rpc_max_concurrency" ini + } where enabled = fromMaybe False (iniOnOff "NAMES" "enable" ini) requiredText key = either (error . (("[NAMES] " <> T.unpack key <> " is required: ") <>)) id $ lookupValue "NAMES" key ini --- | Parse a 20-byte Ethereum address as text "0x[hex40]" or "[hex40]". --- Step 4 minimal validation; EIP-55 checksum check lands in step 5. -parseEthAddr :: Text -> Either String NameOwner -parseEthAddr t = - let s = case T.stripPrefix "0x" t <|> T.stripPrefix "0X" t of - Just rest -> rest - Nothing -> t - in if T.length s == 40 && T.all isHex s - then mkNameOwner (hexDecode (encodeUtf8 s)) - else Left "expected 0x-prefixed 40 hex characters" +-- | Validate the ethereum_endpoint URL: +-- * scheme must be http: or https: +-- * authority (host) must be present and non-empty +-- * port MUST be explicit (rejects http://host without :8545 to avoid +-- accidentally hitting :80 when Reth listens on :8545) +-- * userinfo (user:pass@) MUST NOT be present (credentials belong in +-- rpc_auth so they don't leak via Host header or logs) +-- * query and fragment MUST NOT be present +-- * https requires rpc_auth on non-loopback hosts (operator misconfig +-- guard — a public HTTPS endpoint without auth is almost always wrong) +validateUrl :: Text -> Maybe RpcAuth -> Either String Text +validateUrl url auth_ = do + uri <- maybe (Left "not an absolute URI") Right $ parseAbsoluteURI (T.unpack url) + let scheme = uriScheme uri + unless (scheme == "http:" || scheme == "https:") $ + Left ("scheme " <> show scheme <> " not supported (use http or https)") + ua <- maybe (Left "missing authority (host)") Right (uriAuthority uri) + when (null (uriRegName ua)) $ Left "empty host" + unless (null (uriUserInfo ua)) $ Left "userinfo (user:pass@) not allowed; use rpc_auth instead" + when (null (uriPort ua)) $ Left "explicit port required (e.g. http://host:8545)" + unless (null (uriQuery uri)) $ Left "query string not allowed" + unless (null (uriFragment uri)) $ Left "fragment not allowed" + let path = uriPath uri + unless (path == "" || path == "/") $ + Left "URL path not allowed; API keys embedded in the path leak to logs — use rpc_auth instead" + when (scheme == "https:" && not (isLoopback (uriRegName ua)) && isNothing auth_) $ + Left "https endpoint on a non-loopback host requires rpc_auth" + Right url where - isHex c = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F') + isLoopback h = h == "127.0.0.1" || h == "localhost" || h == "[::1]" --- | Decode a hex string of even length. Precondition: input is already --- validated as even-length and all-hex (validated by caller). -hexDecode :: ByteString -> ByteString -hexDecode = B.pack . go - where - go s - | B.null s = [] - | otherwise = toEnum (16 * digit (B.head s) + digit (B.index s 1)) : go (B.drop 2 s) - digit c - | c >= '0' && c <= '9' = fromEnum c - fromEnum '0' - | c >= 'a' && c <= 'f' = 10 + fromEnum c - fromEnum 'a' - | otherwise = 10 + fromEnum c - fromEnum 'A' +-- | Parse a 20-byte Ethereum address as text "0x[hex40]" or "[hex40]". +-- EIP-55 mixed-case checksum verification is a follow-up. +parseEthAddr :: Text -> Either String NameOwner +parseEthAddr t = do + bs <- fromHex (encodeUtf8 t) + if B.length bs == 20 + then mkNameOwner bs + else Left "expected a 20-byte address (40 hex characters, optionally 0x-prefixed)" +-- | Parse an rpc_auth INI value. Scheme keyword is case-insensitive so +-- "Bearer " / "BEARER " (Caddy / RFC 7235 convention) work +-- as well as the lowercase form. parseRpcAuth :: Text -> Either String RpcAuth parseRpcAuth t = case T.words t of - ["bearer", tok] -> Right $ AuthBearer tok - ["basic", up] -> case T.breakOn ":" up of + [scheme, tok] | T.toLower scheme == "bearer" -> Right $ AuthBearer tok + [scheme, up] | T.toLower scheme == "basic" -> case T.breakOn ":" up of (u, rest) | not (T.null u) && ":" `T.isPrefixOf` rest -> Right $ AuthBasic u (T.drop 1 rest) _ -> Left "basic auth expects user:password" diff --git a/src/Simplex/Messaging/Server/Main/Init.hs b/src/Simplex/Messaging/Server/Main/Init.hs index 1091bb2617..bc6689d859 100644 --- a/src/Simplex/Messaging/Server/Main/Init.hs +++ b/src/Simplex/Messaging/Server/Main/Init.hs @@ -158,7 +158,8 @@ iniFileContent cfgPath logPath opts host basicAuth controlPortPwds = \[NAMES]\n\ \# Public-namespace resolution (SNRC on Ethereum).\n\ \# Requires an Ethereum JSON-RPC endpoint (Reth+Nimbus). See deployment guide.\n\ - \# Cannot be combined with [PROXY] enable: on by default - see allow_dangerous_colocation.\n\ + \# Co-locating with the proxy role logs a warning at startup - slow RSLV cache misses\n\ + \# can serialise other forwarded commands. For high-volume deployments, run on a separate host.\n\ \# Restart required to change settings.\n\ \enable: off\n\ \# Same-host:\n\ @@ -166,14 +167,14 @@ iniFileContent cfgPath logPath opts host basicAuth controlPortPwds = \# Central Reth via Caddy:\n\ \# ethereum_endpoint: https://eth.simplex.chat:443\n\ \# rpc_auth: basic :\n\ - \# snrc_address: 0x0000000000000000000000000000000000000000\n\ + \# snrc_address: 0x\n\ + \# (cache_max_entries and cache_max_bytes both cap the cache; whichever fills first triggers FIFO eviction)\n\ \# cache_seconds: 300\n\ \# cache_max_entries: 100000\n\ \# cache_max_bytes: 67108864\n\ \# rpc_timeout_ms: 3000\n\ \# rpc_max_response_bytes: 262144\n\ - \# rpc_max_concurrency: 8\n\ - \# allow_dangerous_colocation: off\n\n\ + \# rpc_max_concurrency: 8\n\n\ \[INACTIVE_CLIENTS]\n\ \# TTL and interval to check inactive clients\n\ \disconnect = on\n" diff --git a/src/Simplex/Messaging/Server/Names.hs b/src/Simplex/Messaging/Server/Names.hs index eea09b013f..a3088a79d6 100644 --- a/src/Simplex/Messaging/Server/Names.hs +++ b/src/Simplex/Messaging/Server/Names.hs @@ -10,9 +10,10 @@ module Simplex.Messaging.Server.Names ResolveError (..), newNamesEnv, closeNamesEnv, + pingEndpoint, resolveName, ) where import Simplex.Messaging.Server.Names.Eth.RPC (RpcAuth (..)) -import Simplex.Messaging.Server.Names.Resolver (NamesConfig (..), NamesEnv, ResolveError (..), closeNamesEnv, newNamesEnv, resolveName) +import Simplex.Messaging.Server.Names.Resolver (NamesConfig (..), NamesEnv, ResolveError (..), closeNamesEnv, newNamesEnv, pingEndpoint, resolveName) diff --git a/src/Simplex/Messaging/Server/Names/Eth/RPC.hs b/src/Simplex/Messaging/Server/Names/Eth/RPC.hs index f89127343c..f7d1a06494 100644 --- a/src/Simplex/Messaging/Server/Names/Eth/RPC.hs +++ b/src/Simplex/Messaging/Server/Names/Eth/RPC.hs @@ -20,6 +20,7 @@ module Simplex.Messaging.Server.Names.Eth.RPC newEthRpcEnv, closeEthRpcEnv, ethCallReal, + fromHex, scrubUrl, ) where diff --git a/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs b/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs index c645b8ebea..80b11a255e 100644 --- a/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs +++ b/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs @@ -33,6 +33,7 @@ module Simplex.Messaging.Server.Names.Eth.SNRC decodeWord256Int64, decodeAddress, decodeString, + decodeUtf8Text, decodeStringArray, ) where @@ -42,6 +43,8 @@ import qualified Data.ByteArray as BA import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B import Data.Int (Int64) +import Data.Text (Text) +import Data.Text.Encoding (decodeUtf8') import Simplex.Messaging.Protocol (NameOwner, NameRecord, mkNameOwner, unNameOwner) -- | ABI-decode failure modes (caller collapses to ResolveError EthDecodeErr). @@ -88,11 +91,16 @@ padLeft32 bs where n = B.length bs --- | Read a uint256 at byte offset, fail if it doesn't fit in Int64. +-- | Read a uint256 at byte offset, fail if it doesn't fit in *signed* Int64. +-- Rejects both (a) any non-zero byte in the high 24 bytes and (b) the high +-- bit of the low 8 bytes being set — the latter is essential because Int64 +-- would otherwise sign-flip a uint64 value into a negative integer, silently +-- corrupting downstream length math. decodeWord256Int64 :: Int -> ByteString -> Either AbiError Int64 decodeWord256Int64 off buf | off + 32 > B.length buf = Left AbiTruncated - | B.any (/= toEnum 0) (B.take 24 (B.drop off buf)) = Left AbiNonZeroHighBytes + | B.any (/= '\NUL') (B.take 24 (B.drop off buf)) = Left AbiNonZeroHighBytes + | B.index buf (off + 24) >= '\x80' = Left AbiNonZeroHighBytes | otherwise = Right $ B.foldl shiftIn 0 (B.take 8 (B.drop (off + 24) buf)) where shiftIn :: Int64 -> Char -> Int64 @@ -109,6 +117,8 @@ decodeAddress off buf Left e -> Left (AbiInvariantViolated e) -- | Decode a Solidity `string` whose data starts at byte offset `off`. +-- Returns raw bytes; UTF-8 validity is the caller's choice (use +-- `decodeUtf8Text` if a Text is required). decodeString :: Int -> Int -> Int -> ByteString -> Either AbiError ByteString decodeString headEnd off cap buf | off < headEnd = Left AbiBackwardOffset @@ -123,6 +133,13 @@ decodeString headEnd off cap buf then Left AbiTruncated else Right $ B.take len (B.drop (off + 32) buf) +-- | Decode a Solidity `string` as Text, failing with AbiBadUtf8 on +-- invalid UTF-8. This is what NameRecord decoder composition will use. +decodeUtf8Text :: Int -> Int -> Int -> ByteString -> Either AbiError Text +decodeUtf8Text headEnd off cap buf = do + raw <- decodeString headEnd off cap buf + either (const (Left AbiBadUtf8)) Right (decodeUtf8' raw) + -- | Decode a Solidity `string[]` at byte offset `off`. Each element capped -- at `byteCap` bytes, total element count capped at `cntCap`. Depth must be -- < 2 (recurses one level into decodeString). diff --git a/src/Simplex/Messaging/Server/Names/Resolver.hs b/src/Simplex/Messaging/Server/Names/Resolver.hs index 52be961f10..8dbd8d60fd 100644 --- a/src/Simplex/Messaging/Server/Names/Resolver.hs +++ b/src/Simplex/Messaging/Server/Names/Resolver.hs @@ -16,19 +16,25 @@ module Simplex.Messaging.Server.Names.Resolver newNamesEnv, newNamesEnvWith, closeNamesEnv, + pingEndpoint, resolveName, ) where import Control.Concurrent.STM import qualified Control.Exception as E +import Control.Logger.Simple (logError) import Data.ByteString.Char8 (ByteString) import qualified Data.HashPSQ as PSQ import Data.IORef (IORef) import Data.Text (Text) +import qualified Data.Text as T import Data.Word (Word64) +import Data.Time.Clock.POSIX (getPOSIXTime) import GHC.Clock (getMonotonicTimeNSec) -import Simplex.Messaging.Protocol (NameOwner, NameRecord, unNameOwner) +import qualified Data.ByteString.Char8 as B +import qualified Data.Text.Encoding as T +import Simplex.Messaging.Protocol (NameLink, NameOwner, NameRecord (..), unNameLink, unNameOwner) import Simplex.Messaging.Server.Names.Eth.RPC (EthRpcEnv, EthRpcError (..), RpcAuth (..), closeEthRpcEnv, ethCallReal, newEthRpcEnv) import Simplex.Messaging.Server.Names.Eth.SNRC (decodeGetRecord, encodeGetRecord, namehash) import Simplex.Messaging.Util (atomicModifyIORef'_) @@ -44,8 +50,7 @@ data NamesConfig = NamesConfig cacheMaxBytes :: Int, rpcTimeoutMs :: Int, rpcMaxResponseBytes :: Int, - rpcMaxConcurrency :: Int, - dangerousColocation :: Bool + rpcMaxConcurrency :: Int } deriving (Show) @@ -61,11 +66,14 @@ data ResolveError -- Production wires this to ethCallReal; tests substitute a stub. type EthCall = ByteString -> ByteString -> IO (Either EthRpcError ByteString) --- | Cache value bundles a NameRecord with its insertion-time byte cost --- so eviction can keep total cache bytes under cacheMaxBytes. +-- | Cache value bundles a result (NameRecord or NotFound sentinel) with +-- its insertion-time byte cost and per-entry TTL (NotFound expires faster +-- than positive results so newly-registered names become visible quickly +-- while still preventing DoS via unique-name spam). data CacheEntry = CacheEntry - { ceRecord :: NameRecord, - ceBytes :: Int + { ceResult :: Maybe NameRecord, -- Nothing = NotFound; Just = Found + ceBytes :: Int, + ceTtlNs :: Word64 } -- | Cache state: (PSQ keyed by LookupKey, priority = insert time in ns, total bytes). @@ -101,33 +109,61 @@ newNamesEnvWith config ethCall rpcEnv cacheHitsRef cacheMissRef = do closeNamesEnv :: NamesEnv -> IO () closeNamesEnv NamesEnv {rpcEnv} = maybe (pure ()) closeEthRpcEnv rpcEnv +-- | Reach the configured endpoint with a harmless probe call to confirm +-- network reachability and basic config sanity. Returns Left only on +-- transport-level failures (DNS, TLS, refused) — a JSON-RPC error (e.g. +-- a misconfigured snrc_address) is treated as "endpoint reachable", +-- because the operator-friendly signal we want is "is the eth host alive, +-- not is your contract address right." That distinction surfaces later +-- via the rslvEthErrs counter. +pingEndpoint :: NamesEnv -> IO (Either EthRpcError ()) +pingEndpoint NamesEnv {ethCall, config} = do + let to = unNameOwner (snrcAddress config) + -- Use the ENS-style root node (32 zero bytes) — always a valid + -- bytes32 input that costs the contract nothing to look up. + callData = encodeGetRecord (namehash "") + ethCall to callData >>= \case + Left e@(HttpFailure _) -> pure (Left e) + Left e@(HttpStatusErr _) -> pure (Left e) + _ -> pure (Right ()) + -- | Resolve a lookup key. Coalesces concurrent identical requests, caches -- results for cacheSeconds, and bounds RPCs by rpcTimeoutMs. resolveName :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) resolveName env key = do now <- getMonotonicTimeNSec cacheLookup env key now >>= \case - Just rec -> do + Just result -> do atomicModifyIORef'_ (cacheHitsRef env) (+ 1) - pure (Right rec) + pure $ maybe (Left NotFound) Right result Nothing -> do atomicModifyIORef'_ (cacheMissRef env) (+ 1) coalesce env key now -cacheLookup :: NamesEnv -> ByteString -> Word64 -> IO (Maybe NameRecord) -cacheLookup NamesEnv {config, cache} key now = atomically $ do +-- | Look up the key in cache. Returns: +-- Nothing — cache miss (or expired entry, which is evicted) +-- Just Nothing — cache hit for NotFound +-- Just (Just rec) — cache hit for a NameRecord +cacheLookup :: NamesEnv -> ByteString -> Word64 -> IO (Maybe (Maybe NameRecord)) +cacheLookup NamesEnv {cache} key now = atomically $ do (psq, totalBytes) <- readTVar cache case PSQ.lookup key psq of Just (insertedAt, ce) - | now < insertedAt + ttlNs config -> pure (Just (ceRecord ce)) + | now < insertedAt + ceTtlNs ce -> pure (Just (ceResult ce)) | otherwise -> do -- Expired: evict and signal miss. writeTVar cache (PSQ.delete key psq, totalBytes - ceBytes ce) pure Nothing Nothing -> pure Nothing -ttlNs :: NamesConfig -> Word64 -ttlNs cfg = fromIntegral (cacheSeconds cfg) * 1000000000 +ttlFoundNs :: NamesConfig -> Word64 +ttlFoundNs cfg = fromIntegral (cacheSeconds cfg) * 1000000000 + +-- | NotFound cache TTL — short enough that a newly-registered name becomes +-- visible within seconds, long enough to absorb a unique-name DoS burst. +-- Bounded by cacheSeconds in case the operator deliberately ran a tiny TTL. +ttlNotFoundNs :: NamesConfig -> Word64 +ttlNotFoundNs cfg = min (ttlFoundNs cfg) (30 * 1000000000) -- | Leader/waiter coalescing. Leader runs the RPC under E.mask; waiters -- block on the leader's TMVar. Cleanup runs even on async exception. @@ -144,19 +180,33 @@ coalesce env@NamesEnv {inflight} key now = do case ticket of Right mv -> atomically (readTMVar mv) -- waiter Left mv -> E.mask $ \restore -> do + -- Run the fetch with sync-only catching: async exceptions (cancel, + -- killThread) must propagate after we've completed the STM cleanup + -- so waiters never block on an orphan TMVar. r <- - restore (fetchOnceTimed env key) - `E.catch` \(e :: E.SomeException) -> pure (Left (mapEthExn e)) + E.try (restore (fetchOnceTimed env key)) >>= \case + Right ok -> pure ok + Left e + | Just (_ :: E.SomeAsyncException) <- E.fromException e -> do + -- Tell waiters the lookup failed, then rethrow. + atomically $ do + putTMVar mv (Left EthHttpErr) + modifyTVar' inflight (PSQ.delete key) + E.throwIO e + | otherwise -> do + logError $ "[NAMES] resolver fetch raised " <> T.pack (E.displayException e) + pure (Left (mapSyncEthExn e)) atomically $ do putTMVar mv r modifyTVar' inflight (PSQ.delete key) case r of - Right rec -> cacheInsert env key now rec - Left _ -> pure () + Right rec -> cacheInsert env key now (Just rec) (ttlFoundNs (config env)) + Left NotFound -> cacheInsert env key now Nothing (ttlNotFoundNs (config env)) + Left _ -> pure () -- transient errors (HTTP, decode, timeout) are not cached pure r -mapEthExn :: E.SomeException -> ResolveError -mapEthExn _ = EthHttpErr +mapSyncEthExn :: E.SomeException -> ResolveError +mapSyncEthExn _ = EthHttpErr fetchOnceTimed :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) fetchOnceTimed env key = @@ -165,7 +215,7 @@ fetchOnceTimed env key = Nothing -> pure (Left TimedOut) fetchOnce :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) -fetchOnce env@NamesEnv {ethCall, config} key = do +fetchOnce NamesEnv {ethCall, config} key = do let node = namehash key callData = encodeGetRecord node to = unNameOwner (snrcAddress config) @@ -177,13 +227,21 @@ fetchOnce env@NamesEnv {ethCall, config} key = do Left (JsonRpcErr c m) -> pure (Left EthRpcErr {rpcCode = c, rpcMessage = m}) Right ret -> case decodeGetRecord ret of Right Nothing -> pure (Left NotFound) - Right (Just rec) -> pure (Right rec) + Right (Just rec) -> do + nowSec <- floor <$> getPOSIXTime + -- Defense in depth: the SNRC contract should already return the + -- zero-owner sentinel for expired records, but a buggy / pre-upgrade + -- contract might not. nrExpiry == 0 means "never expires" (reserved + -- names); any positive expiry in the past is treated as NotFound. + if nrExpiry rec /= 0 && nrExpiry rec < nowSec + then pure (Left NotFound) + else pure (Right rec) Left _ -> pure (Left EthDecodeErr) -cacheInsert :: NamesEnv -> ByteString -> Word64 -> NameRecord -> IO () -cacheInsert NamesEnv {config, cache} key now rec = atomically $ do +cacheInsert :: NamesEnv -> ByteString -> Word64 -> Maybe NameRecord -> Word64 -> IO () +cacheInsert NamesEnv {config, cache} key now result ttl = atomically $ do (psq, totalBytes) <- readTVar cache - let entryBytes = estimateBytes rec + let entryBytes = maybe notFoundOverhead estimateBytes result (psq', totalBytes') = evictWhile psq totalBytes evictWhile p tb | PSQ.size p > cacheMaxEntries config || tb + entryBytes > cacheMaxBytes config = @@ -191,10 +249,26 @@ cacheInsert NamesEnv {config, cache} key now rec = atomically $ do Just (_, _, ce, rest) -> evictWhile rest (tb - ceBytes ce) Nothing -> (p, tb) | otherwise = (p, tb) - ce = CacheEntry {ceRecord = rec, ceBytes = entryBytes} + ce = CacheEntry {ceResult = result, ceBytes = entryBytes, ceTtlNs = ttl} writeTVar cache (PSQ.insert key now ce psq', totalBytes' + entryBytes) + where + notFoundOverhead = 128 -- PSQ node + key copy + small constant for the Nothing sentinel --- | Approximate byte cost of a cached NameRecord (overhead + content). --- Tight enough that cacheMaxBytes bounds real memory; not byte-exact. +-- | Approximate byte cost of a cached NameRecord. Counts the user-controlled +-- variable-length content plus a fixed per-entry overhead for the wrapper +-- (TVar/PSQ node + ByteString headers + IORef). Tighter than a constant upper +-- bound so cacheMaxBytes is a meaningful cap. estimateBytes :: NameRecord -> Int -estimateBytes _ = 4096 -- conservative upper bound per NameRecord +estimateBytes NameRecord {nrDisplayName, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail} = + perEntryOverhead + + utf8Len nrDisplayName + + 20 -- nrOwner + + sum (map nameLinkBytes nrChannelLinks) + + sum (map nameLinkBytes nrContactLinks) + + maybe 0 utf8Len nrAdminAddress + + maybe 0 utf8Len nrAdminEmail + where + perEntryOverhead = 256 -- PSQ node + key copy + ByteString headers + utf8Len = B.length . T.encodeUtf8 + nameLinkBytes :: NameLink -> Int + nameLinkBytes = utf8Len . unNameLink diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index 452474e230..f597c4ae07 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -4,7 +4,9 @@ module SMPNamesTests (smpNamesTests) where -import Control.Concurrent.Async (replicateConcurrently) +import Control.Concurrent (threadDelay) +import Control.Concurrent.Async (async, replicateConcurrently, wait) +import Control.Concurrent.STM (atomically, newEmptyTMVarIO, putTMVar, readTMVar) import qualified Crypto.Hash as Crypton import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B @@ -189,6 +191,17 @@ abiBoundsSpec = do let buf = B.replicate 23 '\NUL' <> B.singleton '\x01' <> B.replicate 8 '\NUL' decodeWord256Int64 0 buf `shouldBe` Left AbiNonZeroHighBytes + it "decodeWord256Int64 rejects sign bit set in low 8 bytes (silent negative)" $ do + -- 0x8000000000000000 would decode to Int64.minBound without the check; + -- downstream length math would then see a negative len and silently + -- return empty bytes from B.take instead of failing. + let buf = B.replicate 24 '\NUL' <> "\x80\x00\x00\x00\x00\x00\x00\x00" + decodeWord256Int64 0 buf `shouldBe` Left AbiNonZeroHighBytes + + it "decodeWord256Int64 succeeds for the max representable positive value" $ do + let buf = B.replicate 24 '\NUL' <> "\x7F\xFF\xFF\xFF\xFF\xFF\xFF\xFF" + decodeWord256Int64 0 buf `shouldBe` Right maxBound + it "decodeWord256Int64 succeeds for low 8 bytes set" $ do let buf = B.replicate 24 '\NUL' <> "\x00\x00\x00\x00\x00\x00\x12\x34" decodeWord256Int64 0 buf `shouldBe` Right 0x1234 @@ -239,8 +252,7 @@ resolverCacheSpec = do cacheMaxBytes = 1024 * 1024, rpcTimeoutMs = 1000, rpcMaxResponseBytes = 65536, - rpcMaxConcurrency = 4, - dangerousColocation = False + rpcMaxConcurrency = 4 } env <- newNamesEnvWith cfg ethCall Nothing hitsRef missRef pure (env, hitsRef, missRef) @@ -252,15 +264,40 @@ resolverCacheSpec = do misses <- readIORef missRef misses `shouldBe` 1 - it "concurrent identical lookups don't crash and all return NotFound" $ do + it "subsequent NotFound lookups hit the cache (no second RPC)" $ do + callCount <- newIORef (0 :: Int) + (env, hitsRef, missRef) <- mkEnv $ \_ _ -> do + atomicModifyIORef' callCount (\v -> (v + 1, ())) + pure (Right (B.replicate (32 * 8) '\NUL')) + -- First lookup: miss, eth_call fires, NotFound cached. + _ <- resolveName env "alice" + -- Second lookup: should hit cache, not call ethCall. + r2 <- resolveName env "alice" + r2 `shouldBe` Left NotFound + callCount' <- readIORef callCount + callCount' `shouldBe` 1 + missCount <- readIORef missRef + hitCount <- readIORef hitsRef + missCount `shouldBe` 1 + hitCount `shouldBe` 1 + + it "concurrent identical lookups coalesce — only the leader makes the RPC" $ do + -- Block the stub on a TMVar so the leader's eth_call doesn't return + -- before the 7 waiters race to attach to the inflight TMap. Without + -- coalescing, every caller would invoke ethCall and callCount would + -- be 8; with coalescing, only the leader fires. + gate <- newEmptyTMVarIO callCount <- newIORef (0 :: Int) (env, _, _) <- mkEnv $ \_ _ -> do atomicModifyIORef' callCount (\v -> (v + 1, ())) + atomically (readTMVar gate) pure (Right (B.replicate (32 * 8) '\NUL')) - rs <- replicateConcurrently 8 (resolveName env "alice") + -- Run the 8 callers in a background task so we can release the gate + -- only after they've all had a chance to register on the inflight map. + callers <- async $ replicateConcurrently 8 (resolveName env "alice") + threadDelay 50000 -- 50 ms — ample time for the 7 waiters to attach + atomically (putTMVar gate ()) + rs <- wait callers all (== Left NotFound) rs `shouldBe` True - -- NotFound is currently not cached, so each leader makes an RPC. - -- Once decodeGetRecord returns Just rec (post-SNRC), coalescing - -- means concurrent callers share one RPC and call count == 1. n <- readIORef callCount - n `shouldSatisfy` (>= 1) + n `shouldBe` 1 From 99b1330dc51488f9a7c75b54082c7b00976372bb Mon Sep 17 00:00:00 2001 From: sh Date: Fri, 29 May 2026 16:02:04 +0000 Subject: [PATCH 03/33] smp-server: fuse parallel dispatchers --- src/Simplex/Messaging/Server.hs | 16 +++---- .../Messaging/Server/Names/Resolver.hs | 48 ++++++++++--------- 2 files changed, 33 insertions(+), 31 deletions(-) diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index b7870f62a3..e28b303bfb 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -65,7 +65,7 @@ import Data.Constraint (Dict (..)) import Data.Dynamic (toDyn) import Data.Either (fromRight, partitionEithers) import Data.Foldable (foldrM) -import Data.Functor (($>)) +import Data.Functor (($>), (<&>)) import Data.IORef import Data.Int (Int64) import qualified Data.IntMap.Strict as IM @@ -1499,13 +1499,13 @@ client Cmd SResolver (RSLV (LookupKey key)) -> do st <- asks (rslvStats . serverStats) incStat (rslvReqs st) - asks namesEnv >>= \case - Nothing -> incStat (rslvDisabled st) $> response (corrId, NoEntity, ERR AUTH) - Just nenv -> - liftIO (resolveName nenv key) >>= \case - Right rec -> incStat (rslvSucc st) $> response (corrId, NoEntity, NAME rec) - Left NotFound -> incStat (rslvNotFound st) $> response (corrId, NoEntity, ERR AUTH) - Left _ -> incStat (rslvEthErrs st) $> response (corrId, NoEntity, ERR AUTH) + (selector, msg) <- asks namesEnv >>= \case + Nothing -> pure (rslvDisabled, ERR AUTH) + Just nenv -> liftIO (resolveName nenv key) <&> \case + Right rec -> (rslvSucc, NAME rec) + Left NotFound -> (rslvNotFound, ERR AUTH) + Left _ -> (rslvEthErrs, ERR AUTH) + incStat (selector st) $> response (corrId, NoEntity, msg) Cmd SSenderLink command -> case command of LKEY k -> withQueue $ \q qr -> checkMode QMMessaging qr $ secureQueue_ q k $>> getQueueLink_ q qr LGET -> withQueue $ \q qr -> checkContact qr $ getQueueLink_ q qr diff --git a/src/Simplex/Messaging/Server/Names/Resolver.hs b/src/Simplex/Messaging/Server/Names/Resolver.hs index 8dbd8d60fd..1ed654659a 100644 --- a/src/Simplex/Messaging/Server/Names/Resolver.hs +++ b/src/Simplex/Messaging/Server/Names/Resolver.hs @@ -195,7 +195,7 @@ coalesce env@NamesEnv {inflight} key now = do E.throwIO e | otherwise -> do logError $ "[NAMES] resolver fetch raised " <> T.pack (E.displayException e) - pure (Left (mapSyncEthExn e)) + pure (Left EthHttpErr) atomically $ do putTMVar mv r modifyTVar' inflight (PSQ.delete key) @@ -205,9 +205,6 @@ coalesce env@NamesEnv {inflight} key now = do Left _ -> pure () -- transient errors (HTTP, decode, timeout) are not cached pure r -mapSyncEthExn :: E.SomeException -> ResolveError -mapSyncEthExn _ = EthHttpErr - fetchOnceTimed :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) fetchOnceTimed env key = timeout (rpcTimeoutMs (config env) * 1000) (fetchOnce env key) >>= \case @@ -215,28 +212,33 @@ fetchOnceTimed env key = Nothing -> pure (Left TimedOut) fetchOnce :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) -fetchOnce NamesEnv {ethCall, config} key = do - let node = namehash key - callData = encodeGetRecord node - to = unNameOwner (snrcAddress config) - ethCall to callData >>= \case - Left (HttpFailure _) -> pure (Left EthHttpErr) - Left (HttpStatusErr _) -> pure (Left EthHttpErr) - Left BodyTooLarge -> pure (Left EthDecodeErr) - Left (InvalidJson _) -> pure (Left EthDecodeErr) - Left (JsonRpcErr c m) -> pure (Left EthRpcErr {rpcCode = c, rpcMessage = m}) +fetchOnce NamesEnv {ethCall, config} key = + ethCall (unNameOwner (snrcAddress config)) (encodeGetRecord (namehash key)) >>= \case + Left e -> pure (Left (mapEthRpcError e)) Right ret -> case decodeGetRecord ret of Right Nothing -> pure (Left NotFound) - Right (Just rec) -> do - nowSec <- floor <$> getPOSIXTime - -- Defense in depth: the SNRC contract should already return the - -- zero-owner sentinel for expired records, but a buggy / pre-upgrade - -- contract might not. nrExpiry == 0 means "never expires" (reserved - -- names); any positive expiry in the past is treated as NotFound. - if nrExpiry rec /= 0 && nrExpiry rec < nowSec - then pure (Left NotFound) - else pure (Right rec) + Right (Just rec) -> checkExpiry rec Left _ -> pure (Left EthDecodeErr) + where + -- Defense in depth: the SNRC contract should already return the + -- zero-owner sentinel for expired records, but a buggy / pre-upgrade + -- contract might not. nrExpiry == 0 means "never expires" (reserved + -- names); any positive expiry in the past is treated as NotFound. + checkExpiry rec = do + nowSec <- floor <$> getPOSIXTime + pure $ if nrExpiry rec /= 0 && nrExpiry rec < nowSec + then Left NotFound + else Right rec + +-- | Collapse the JSON-RPC transport-layer error space into the resolver's +-- public error space. Reused by fetchOnce and pingEndpoint. +mapEthRpcError :: EthRpcError -> ResolveError +mapEthRpcError = \case + HttpFailure _ -> EthHttpErr + HttpStatusErr _ -> EthHttpErr + BodyTooLarge -> EthDecodeErr + InvalidJson _ -> EthDecodeErr + JsonRpcErr c m -> EthRpcErr {rpcCode = c, rpcMessage = m} cacheInsert :: NamesEnv -> ByteString -> Word64 -> Maybe NameRecord -> Word64 -> IO () cacheInsert NamesEnv {config, cache} key now result ttl = atomically $ do From c0e14e3294250eaabf2a15cb958601d7df48d14f Mon Sep 17 00:00:00 2001 From: sh Date: Fri, 29 May 2026 16:02:09 +0000 Subject: [PATCH 04/33] smp-server: JSON wire format for NameRecord + Names.hs restructure --- simplexmq.cabal | 2 - src/Simplex/Messaging/Protocol.hs | 102 ++++--- src/Simplex/Messaging/Server.hs | 4 +- src/Simplex/Messaging/Server/Env/STM.hs | 5 +- src/Simplex/Messaging/Server/Main.hs | 3 - src/Simplex/Messaging/Server/Main/Init.hs | 4 - src/Simplex/Messaging/Server/Names.hs | 125 +++++++- .../Messaging/Server/Names/Resolver.hs | 276 ------------------ src/Simplex/Messaging/Server/Prometheus.hs | 10 +- src/Simplex/Messaging/Server/Stats.hs | 30 +- tests/SMPNamesTests.hs | 80 ++--- 11 files changed, 198 insertions(+), 443 deletions(-) delete mode 100644 src/Simplex/Messaging/Server/Names/Resolver.hs diff --git a/simplexmq.cabal b/simplexmq.cabal index 15bad9c3e6..f9a1731a5b 100644 --- a/simplexmq.cabal +++ b/simplexmq.cabal @@ -264,7 +264,6 @@ library Simplex.Messaging.Server.Names Simplex.Messaging.Server.Names.Eth.RPC Simplex.Messaging.Server.Names.Eth.SNRC - Simplex.Messaging.Server.Names.Resolver Simplex.Messaging.Server.NtfStore Simplex.Messaging.Server.Prometheus Simplex.Messaging.Server.QueueStore @@ -365,7 +364,6 @@ library , network-uri >=2.6 && <2.7 , optparse-applicative >=0.15 && <0.17 , process ==1.6.* - , psqueues >=0.2.7 && <0.3 , temporary ==1.3.* , wai >=3.2 && <3.3 , wai-app-static >=3.1 && <3.2 diff --git a/src/Simplex/Messaging/Protocol.hs b/src/Simplex/Messaging/Protocol.hs index 3a5f88903a..8da8e66b08 100644 --- a/src/Simplex/Messaging/Protocol.hs +++ b/src/Simplex/Messaging/Protocol.hs @@ -171,9 +171,6 @@ module Simplex.Messaging.Protocol NameLink, mkNameLink, unNameLink, - nameRecBytes, - parseNameRec, - smpListPUpTo, MsgFlags (..), initialSMPClientVersion, currentSMPClientVersion, @@ -249,6 +246,7 @@ import qualified Data.ByteString as BS import qualified Data.ByteString.Base64 as B64 import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B +import qualified Data.ByteArray.Encoding as BAE import qualified Data.ByteString.Lazy as LB import Data.Char (isPrint, isSpace) import Data.Constraint (Dict (..)) @@ -750,10 +748,16 @@ unNameOwner :: NameOwner -> ByteString unNameOwner (NameOwner bs) = bs {-# INLINE unNameOwner #-} -instance Encoding NameOwner where - smpEncode (NameOwner bs) = bs - {-# INLINE smpEncode #-} - smpP = NameOwner <$> A.take 20 +instance J.ToJSON NameOwner where + toJSON (NameOwner bs) = J.String $ "0x" <> decodeLatin1 (BAE.convertToBase BAE.Base16 bs) + toEncoding (NameOwner bs) = J.toEncoding $ "0x" <> decodeLatin1 (BAE.convertToBase BAE.Base16 bs) + +instance J.FromJSON NameOwner where + parseJSON = J.withText "NameOwner" $ \t -> do + let hex = maybe t id (T.stripPrefix "0x" t) + case BAE.convertFromBase BAE.Base16 (encodeUtf8 hex) of + Left e -> fail e + Right bs -> either fail pure (mkNameOwner bs) -- | A name-record link (channel or contact). Bare constructor not exported; -- use `mkNameLink` to enforce the ≤1024-byte UTF-8 invariant. @@ -769,20 +773,17 @@ unNameLink :: NameLink -> Text unNameLink (NameLink t) = t {-# INLINE unNameLink #-} -instance Encoding NameLink where - smpEncode (NameLink t) = - let bs = encodeUtf8 t - in smpEncode @Word16 (fromIntegral $ B.length bs) <> bs - smpP = do - n <- fromIntegral <$> smpP @Word16 - when (n > 1024) $ fail "NameLink too long" - bs <- A.take n - either (fail . show) (pure . NameLink) (decodeUtf8' bs) +instance J.ToJSON NameLink where + toJSON (NameLink t) = J.toJSON t + toEncoding (NameLink t) = J.toEncoding t + +instance J.FromJSON NameLink where + parseJSON = J.withText "NameLink" (either fail pure . mkNameLink) -- | Resolved name record returned by the names role. --- Field additions are gated by future SMP version bumps (matching IDS QIK precedent). +-- Wire format is JSON — change requires an SMP version bump. data NameRecord = NameRecord - { nrDisplayName :: Text, -- ≤255 bytes UTF-8 (enforced by Encoding ByteString length prefix) + { nrDisplayName :: Text, nrOwner :: NameOwner, nrChannelLinks :: [NameLink], nrContactLinks :: [NameLink], @@ -793,38 +794,33 @@ data NameRecord = NameRecord } deriving (Eq, Show) --- | Bounded list parser — caps element count before allocating. -smpListPUpTo :: Encoding a => Int -> Parser [a] -smpListPUpTo cap = do - n <- lenP - when (n > cap) $ fail "list too long" - A.count n smpP - --- | Encode NameRecord on the wire. Version-branched in the same shape as IDS QIK. -nameRecBytes :: VersionSMP -> NameRecord -> ByteString -nameRecBytes _v NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest} = - smpEncode nrDisplayName - <> smpEncode nrOwner - <> smpEncodeList nrChannelLinks - <> smpEncodeList nrContactLinks - <> smpEncode nrAdminAddress - <> smpEncode nrAdminEmail - <> smpEncode nrExpiry - <> smpEncode nrIsTest - --- | Parse NameRecord. Combined channel+contact list cap is 8. -parseNameRec :: VersionSMP -> Parser NameRecord -parseNameRec _v = do - nrDisplayName <- smpP - nrOwner <- smpP - nrChannelLinks <- smpListPUpTo 8 - nrContactLinks <- smpListPUpTo (8 - length nrChannelLinks) - nrAdminAddress <- smpP - nrAdminEmail <- smpP - nrExpiry <- smpP - when (nrExpiry < 0) $ fail "expiry must be non-negative" - nrIsTest <- smpP - pure NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest} +instance J.ToJSON NameRecord where + toJSON NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest} = + J.object + [ "displayName" J..= nrDisplayName, + "owner" J..= nrOwner, + "channelLinks" J..= nrChannelLinks, + "contactLinks" J..= nrContactLinks, + "adminAddress" J..= nrAdminAddress, + "adminEmail" J..= nrAdminEmail, + "expiry" J..= nrExpiry, + "isTest" J..= nrIsTest + ] + +instance J.FromJSON NameRecord where + parseJSON = J.withObject "NameRecord" $ \o -> do + nrDisplayName <- o J..: "displayName" + nrOwner <- o J..: "owner" + nrChannelLinks <- o J..: "channelLinks" + nrContactLinks <- o J..: "contactLinks" + when (length nrChannelLinks + length nrContactLinks > 8) $ + fail "combined channelLinks + contactLinks > 8" + nrAdminAddress <- o J..:? "adminAddress" + nrAdminEmail <- o J..:? "adminEmail" + nrExpiry <- o J..: "expiry" + when (nrExpiry < 0) $ fail "expiry must be non-negative" + nrIsTest <- o J..: "isTest" + pure NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest} data BrokerMsg where -- SMP broker messages (responses, client messages, notifications) @@ -2080,7 +2076,7 @@ instance ProtocolEncoding SMPVersion ErrorType BrokerMsg where _ -> err PONG -> e PONG_ NAME rec - | v >= namesSMPVersion -> e (NAME_, ' ') <> nameRecBytes v rec + | v >= namesSMPVersion -> e (NAME_, ' ', Tail (LB.toStrict (J.encode rec))) | otherwise -> e (ERR_, ' ', AUTH) -- pre-v20: shouldn't reach here, degrade to AUTH where e :: Encoding a => a -> ByteString @@ -2130,7 +2126,9 @@ instance ProtocolEncoding SMPVersion ErrorType BrokerMsg where ERR_ -> ERR <$> _smpP PONG_ -> pure PONG NAME_ - | v >= namesSMPVersion -> NAME <$> (A.space *> parseNameRec v) + | v >= namesSMPVersion -> do + Tail bs <- _smpP + either fail (pure . NAME) (J.eitherDecodeStrict bs) | otherwise -> fail "NAME requires namesSMPVersion" where serviceRespP resp diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index e28b303bfb..20e3f2fbf2 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -661,8 +661,8 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt map tshow [_pRequests, _pSuccesses, _pErrorsConnect, _pErrorsCompat, _pErrorsOther] showServiceStats ServiceStatsData {_srvAssocNew, _srvAssocDuplicate, _srvAssocUpdated, _srvAssocRemoved, _srvSubCount, _srvSubDuplicate, _srvSubQueues, _srvSubEnd} = map tshow [_srvAssocNew, _srvAssocDuplicate, _srvAssocUpdated, _srvAssocRemoved, _srvSubCount, _srvSubDuplicate, _srvSubQueues, _srvSubEnd] - showNameResolverStats NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled} = - map tshow [_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled] + showNameResolverStats NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled} = + map tshow [_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled] prometheusMetricsThread_ :: ServerConfig s -> [M s ()] prometheusMetricsThread_ ServerConfig {prometheusInterval = Just interval, prometheusMetricsFile} = diff --git a/src/Simplex/Messaging/Server/Env/STM.hs b/src/Simplex/Messaging/Server/Env/STM.hs index 6f6ca1aaf9..a23963b1c4 100644 --- a/src/Simplex/Messaging/Server/Env/STM.hs +++ b/src/Simplex/Messaging/Server/Env/STM.hs @@ -614,9 +614,8 @@ newEnv config@ServerConfig {allowSMPProxy, smpCredentials, httpCredentials, serv Just nc -> do logInfo $ "[NAMES] resolver enabled, endpoint=" <> scrubUrl (ethereumEndpoint nc) when allowSMPProxy $ - logWarn "[NAMES] enable: on on a proxy-role host: slow RSLV cache misses can serialise other forwarded commands on the same proxy-relay session. For high-volume deployments, run [NAMES] on a separate host." - let rs = rslvStats serverStats - env <- newNamesEnv nc (rslvCacheHits rs) (rslvCacheMiss rs) + logWarn "[NAMES] enable: on on a proxy-role host: slow RSLV calls can serialise other forwarded commands on the same proxy-relay session. For high-volume deployments, run [NAMES] on a separate host." + env <- newNamesEnv nc -- Probe the endpoint at startup. Don't exitFailure: a flapping -- network or an Ethereum host coming up minutes after smp-server -- should not block the server. Log so operators can spot it. diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index 9dfec8aba8..80f09e0dae 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -812,9 +812,6 @@ readNamesConfig ini { ethereumEndpoint = either (error . ("[NAMES] ethereum_endpoint: " <>)) id (validateUrl endpoint rpcAuth_), snrcAddress = either (error . ("[NAMES] snrc_address: " <>)) id $ parseEthAddr (requiredText "snrc_address"), rpcAuth = rpcAuth_, - cacheSeconds = readIniDefault 300 "NAMES" "cache_seconds" ini, - cacheMaxEntries = readIniDefault 100000 "NAMES" "cache_max_entries" ini, - cacheMaxBytes = readIniDefault 67108864 "NAMES" "cache_max_bytes" ini, rpcTimeoutMs = readIniDefault 3000 "NAMES" "rpc_timeout_ms" ini, rpcMaxResponseBytes = readIniDefault 262144 "NAMES" "rpc_max_response_bytes" ini, rpcMaxConcurrency = readIniDefault 8 "NAMES" "rpc_max_concurrency" ini diff --git a/src/Simplex/Messaging/Server/Main/Init.hs b/src/Simplex/Messaging/Server/Main/Init.hs index bc6689d859..659845f992 100644 --- a/src/Simplex/Messaging/Server/Main/Init.hs +++ b/src/Simplex/Messaging/Server/Main/Init.hs @@ -168,10 +168,6 @@ iniFileContent cfgPath logPath opts host basicAuth controlPortPwds = \# ethereum_endpoint: https://eth.simplex.chat:443\n\ \# rpc_auth: basic :\n\ \# snrc_address: 0x\n\ - \# (cache_max_entries and cache_max_bytes both cap the cache; whichever fills first triggers FIFO eviction)\n\ - \# cache_seconds: 300\n\ - \# cache_max_entries: 100000\n\ - \# cache_max_bytes: 67108864\n\ \# rpc_timeout_ms: 3000\n\ \# rpc_max_response_bytes: 262144\n\ \# rpc_max_concurrency: 8\n\n\ diff --git a/src/Simplex/Messaging/Server/Names.hs b/src/Simplex/Messaging/Server/Names.hs index a3088a79d6..6406183171 100644 --- a/src/Simplex/Messaging/Server/Names.hs +++ b/src/Simplex/Messaging/Server/Names.hs @@ -1,19 +1,130 @@ --- | SMP public-namespace resolver façade. +{-# LANGUAGE LambdaCase #-} +{-# LANGUAGE NamedFieldPuns #-} +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE ScopedTypeVariables #-} +{-# LANGUAGE StrictData #-} + +-- | Public-namespace resolver. Each RSLV becomes one eth_call to the +-- configured Ethereum endpoint, bounded by rpcMaxConcurrency and +-- rpcTimeoutMs. Zero-owner / expired records map to NotFound. -- --- Re-exports the resolver's public surface from Names.Resolver and the --- HTTP auth type from Names.Eth.RPC. Implementation lives in Resolver.hs; --- Eth.RPC / Eth.SNRC are transport / codec internals. +-- Transport details live in Names.Eth.RPC (HTTP + JSON-RPC + auth); +-- Keccak-256 namehash and SNRC ABI decoder live in Names.Eth.SNRC. module Simplex.Messaging.Server.Names ( NamesConfig (..), RpcAuth (..), - NamesEnv, + NamesEnv (..), + EthCall, ResolveError (..), newNamesEnv, + newNamesEnvWith, closeNamesEnv, pingEndpoint, resolveName, ) where -import Simplex.Messaging.Server.Names.Eth.RPC (RpcAuth (..)) -import Simplex.Messaging.Server.Names.Resolver (NamesConfig (..), NamesEnv, ResolveError (..), closeNamesEnv, newNamesEnv, pingEndpoint, resolveName) +import qualified Control.Exception as E +import Control.Logger.Simple (logError) +import Data.ByteString.Char8 (ByteString) +import Data.Maybe (fromMaybe) +import Data.Text (Text) +import qualified Data.Text as T +import Data.Time.Clock.POSIX (getPOSIXTime) +import Simplex.Messaging.Protocol (NameOwner, NameRecord (..), unNameOwner) +import Simplex.Messaging.Server.Names.Eth.RPC (EthRpcEnv, EthRpcError (..), RpcAuth (..), closeEthRpcEnv, ethCallReal, newEthRpcEnv) +import Simplex.Messaging.Server.Names.Eth.SNRC (decodeGetRecord, encodeGetRecord, namehash) +import System.Timeout (timeout) + +data NamesConfig = NamesConfig + { ethereumEndpoint :: Text, + snrcAddress :: NameOwner, + rpcAuth :: Maybe RpcAuth, + rpcTimeoutMs :: Int, + rpcMaxResponseBytes :: Int, + rpcMaxConcurrency :: Int + } + deriving (Show) + +data ResolveError + = NotFound + | EthHttpErr + | EthRpcErr {rpcCode :: Int, rpcMessage :: Text} + | EthDecodeErr + | TimedOut + deriving (Eq, Show) + +-- | Test seam: a function from (to, data) -> raw return bytes or error. +-- Production wires this to ethCallReal; tests substitute a stub. +type EthCall = ByteString -> ByteString -> IO (Either EthRpcError ByteString) + +data NamesEnv = NamesEnv + { config :: NamesConfig, + ethCall :: EthCall, + rpcEnv :: Maybe EthRpcEnv -- Nothing for test stubs + } + +newNamesEnv :: NamesConfig -> IO NamesEnv +newNamesEnv cfg = do + rpc <- newEthRpcEnv (ethereumEndpoint cfg) (rpcAuth cfg) (rpcMaxResponseBytes cfg) (rpcMaxConcurrency cfg) + newNamesEnvWith cfg (ethCallReal rpc) (Just rpc) + +-- | Allocate resolver with an injected ethCall (test seam). +newNamesEnvWith :: NamesConfig -> EthCall -> Maybe EthRpcEnv -> IO NamesEnv +newNamesEnvWith config ethCall rpcEnv = pure NamesEnv {config, ethCall, rpcEnv} + +closeNamesEnv :: NamesEnv -> IO () +closeNamesEnv NamesEnv {rpcEnv} = mapM_ closeEthRpcEnv rpcEnv + +-- | Reach the configured endpoint with a harmless probe call to confirm +-- network reachability. Returns Left only on transport-level failures; +-- JSON-RPC errors (misconfigured snrc_address etc.) are treated as +-- "endpoint reachable" — that distinction surfaces later via rslvEthErrs. +pingEndpoint :: NamesEnv -> IO (Either EthRpcError ()) +pingEndpoint NamesEnv {ethCall, config} = + ethCall (unNameOwner (snrcAddress config)) (encodeGetRecord (namehash "")) >>= \case + Left e@(HttpFailure _) -> pure (Left e) + Left e@(HttpStatusErr _) -> pure (Left e) + _ -> pure (Right ()) + +-- | Resolve a lookup key with an rpcTimeoutMs ceiling. Synchronous +-- exceptions are caught and logged; async exceptions propagate. +resolveName :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) +resolveName env key = do + r <- E.try (timeout (rpcTimeoutMs (config env) * 1000) (fetch env key)) + case r of + Right result -> pure (fromMaybe (Left TimedOut) result) + Left e + | Just (_ :: E.SomeAsyncException) <- E.fromException e -> E.throwIO e + | otherwise -> do + logError $ "[NAMES] resolver fetch raised " <> T.pack (E.displayException e) + pure (Left EthHttpErr) + +fetch :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) +fetch NamesEnv {ethCall, config} key = + ethCall (unNameOwner (snrcAddress config)) (encodeGetRecord (namehash key)) >>= \case + Left e -> pure (Left (mapEthRpcError e)) + Right ret -> case decodeGetRecord ret of + Right Nothing -> pure (Left NotFound) + Right (Just rec) -> checkExpiry rec + Left _ -> pure (Left EthDecodeErr) + where + -- Defense in depth: the SNRC contract should already return the + -- zero-owner sentinel for expired records, but a buggy / pre-upgrade + -- contract might not. nrExpiry == 0 means "never expires" (reserved + -- names); any positive expiry in the past is treated as NotFound. + checkExpiry rec = do + nowSec <- floor <$> getPOSIXTime + pure $ if nrExpiry rec /= 0 && nrExpiry rec < nowSec + then Left NotFound + else Right rec + +-- | Collapse the JSON-RPC transport-layer error space into the resolver's +-- public error space. +mapEthRpcError :: EthRpcError -> ResolveError +mapEthRpcError = \case + HttpFailure _ -> EthHttpErr + HttpStatusErr _ -> EthHttpErr + BodyTooLarge -> EthDecodeErr + InvalidJson _ -> EthDecodeErr + JsonRpcErr c m -> EthRpcErr {rpcCode = c, rpcMessage = m} diff --git a/src/Simplex/Messaging/Server/Names/Resolver.hs b/src/Simplex/Messaging/Server/Names/Resolver.hs deleted file mode 100644 index 1ed654659a..0000000000 --- a/src/Simplex/Messaging/Server/Names/Resolver.hs +++ /dev/null @@ -1,276 +0,0 @@ -{-# LANGUAGE LambdaCase #-} -{-# LANGUAGE NamedFieldPuns #-} -{-# LANGUAGE OverloadedStrings #-} -{-# LANGUAGE RecordWildCards #-} -{-# LANGUAGE ScopedTypeVariables #-} -{-# LANGUAGE StrictData #-} - --- | Public-namespace resolver: TTL+FIFO cache, in-flight coalescing, --- timeout-bounded RPC, and zero-owner → NotFound mapping. -module Simplex.Messaging.Server.Names.Resolver - ( NamesConfig (..), - RpcAuth (..), - NamesEnv (..), - EthCall, - ResolveError (..), - newNamesEnv, - newNamesEnvWith, - closeNamesEnv, - pingEndpoint, - resolveName, - ) -where - -import Control.Concurrent.STM -import qualified Control.Exception as E -import Control.Logger.Simple (logError) -import Data.ByteString.Char8 (ByteString) -import qualified Data.HashPSQ as PSQ -import Data.IORef (IORef) -import Data.Text (Text) -import qualified Data.Text as T -import Data.Word (Word64) -import Data.Time.Clock.POSIX (getPOSIXTime) -import GHC.Clock (getMonotonicTimeNSec) -import qualified Data.ByteString.Char8 as B -import qualified Data.Text.Encoding as T -import Simplex.Messaging.Protocol (NameLink, NameOwner, NameRecord (..), unNameLink, unNameOwner) -import Simplex.Messaging.Server.Names.Eth.RPC (EthRpcEnv, EthRpcError (..), RpcAuth (..), closeEthRpcEnv, ethCallReal, newEthRpcEnv) -import Simplex.Messaging.Server.Names.Eth.SNRC (decodeGetRecord, encodeGetRecord, namehash) -import Simplex.Messaging.Util (atomicModifyIORef'_) -import System.Timeout (timeout) - --- | Public-namespace resolver configuration. -data NamesConfig = NamesConfig - { ethereumEndpoint :: Text, - snrcAddress :: NameOwner, - rpcAuth :: Maybe RpcAuth, - cacheSeconds :: Int, - cacheMaxEntries :: Int, - cacheMaxBytes :: Int, - rpcTimeoutMs :: Int, - rpcMaxResponseBytes :: Int, - rpcMaxConcurrency :: Int - } - deriving (Show) - -data ResolveError - = NotFound - | EthHttpErr - | EthRpcErr {rpcCode :: Int, rpcMessage :: Text} - | EthDecodeErr - | TimedOut - deriving (Eq, Show) - --- | Test seam: a function from (to, data) -> raw return bytes or error. --- Production wires this to ethCallReal; tests substitute a stub. -type EthCall = ByteString -> ByteString -> IO (Either EthRpcError ByteString) - --- | Cache value bundles a result (NameRecord or NotFound sentinel) with --- its insertion-time byte cost and per-entry TTL (NotFound expires faster --- than positive results so newly-registered names become visible quickly --- while still preventing DoS via unique-name spam). -data CacheEntry = CacheEntry - { ceResult :: Maybe NameRecord, -- Nothing = NotFound; Just = Found - ceBytes :: Int, - ceTtlNs :: Word64 - } - --- | Cache state: (PSQ keyed by LookupKey, priority = insert time in ns, total bytes). --- PSQ minView returns lowest-priority element → FIFO eviction by insertion order. -type CacheState = (PSQ.HashPSQ ByteString Word64 CacheEntry, Int) - -data NamesEnv = NamesEnv - { config :: NamesConfig, - ethCall :: EthCall, - cache :: TVar CacheState, - inflight :: TVar (PSQ.HashPSQ ByteString Word64 (TMVar (Either ResolveError NameRecord))), - rpcEnv :: Maybe EthRpcEnv, -- Nothing for test stubs - cacheHitsRef :: IORef Int, -- shared with ServerStats.rslvStats.rslvCacheHits - cacheMissRef :: IORef Int -- shared with ServerStats.rslvStats.rslvCacheMiss - } - --- | Allocate resolver with real HTTP transport. --- `cacheHitsRef` and `cacheMissRef` are shared with ServerStats.rslvStats so --- the periodic CSV / Prometheus exporter sees per-request cache outcomes. -newNamesEnv :: NamesConfig -> IORef Int -> IORef Int -> IO NamesEnv -newNamesEnv cfg cacheHitsRef cacheMissRef = do - rpc <- newEthRpcEnv (ethereumEndpoint cfg) (rpcAuth cfg) (rpcMaxResponseBytes cfg) (rpcMaxConcurrency cfg) - let call to dat = ethCallReal rpc to dat - newNamesEnvWith cfg call (Just rpc) cacheHitsRef cacheMissRef - --- | Allocate resolver with an injected ethCall (test seam). -newNamesEnvWith :: NamesConfig -> EthCall -> Maybe EthRpcEnv -> IORef Int -> IORef Int -> IO NamesEnv -newNamesEnvWith config ethCall rpcEnv cacheHitsRef cacheMissRef = do - cache <- newTVarIO (PSQ.empty, 0) - inflight <- newTVarIO PSQ.empty - pure NamesEnv {config, ethCall, cache, inflight, rpcEnv, cacheHitsRef, cacheMissRef} - -closeNamesEnv :: NamesEnv -> IO () -closeNamesEnv NamesEnv {rpcEnv} = maybe (pure ()) closeEthRpcEnv rpcEnv - --- | Reach the configured endpoint with a harmless probe call to confirm --- network reachability and basic config sanity. Returns Left only on --- transport-level failures (DNS, TLS, refused) — a JSON-RPC error (e.g. --- a misconfigured snrc_address) is treated as "endpoint reachable", --- because the operator-friendly signal we want is "is the eth host alive, --- not is your contract address right." That distinction surfaces later --- via the rslvEthErrs counter. -pingEndpoint :: NamesEnv -> IO (Either EthRpcError ()) -pingEndpoint NamesEnv {ethCall, config} = do - let to = unNameOwner (snrcAddress config) - -- Use the ENS-style root node (32 zero bytes) — always a valid - -- bytes32 input that costs the contract nothing to look up. - callData = encodeGetRecord (namehash "") - ethCall to callData >>= \case - Left e@(HttpFailure _) -> pure (Left e) - Left e@(HttpStatusErr _) -> pure (Left e) - _ -> pure (Right ()) - --- | Resolve a lookup key. Coalesces concurrent identical requests, caches --- results for cacheSeconds, and bounds RPCs by rpcTimeoutMs. -resolveName :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) -resolveName env key = do - now <- getMonotonicTimeNSec - cacheLookup env key now >>= \case - Just result -> do - atomicModifyIORef'_ (cacheHitsRef env) (+ 1) - pure $ maybe (Left NotFound) Right result - Nothing -> do - atomicModifyIORef'_ (cacheMissRef env) (+ 1) - coalesce env key now - --- | Look up the key in cache. Returns: --- Nothing — cache miss (or expired entry, which is evicted) --- Just Nothing — cache hit for NotFound --- Just (Just rec) — cache hit for a NameRecord -cacheLookup :: NamesEnv -> ByteString -> Word64 -> IO (Maybe (Maybe NameRecord)) -cacheLookup NamesEnv {cache} key now = atomically $ do - (psq, totalBytes) <- readTVar cache - case PSQ.lookup key psq of - Just (insertedAt, ce) - | now < insertedAt + ceTtlNs ce -> pure (Just (ceResult ce)) - | otherwise -> do - -- Expired: evict and signal miss. - writeTVar cache (PSQ.delete key psq, totalBytes - ceBytes ce) - pure Nothing - Nothing -> pure Nothing - -ttlFoundNs :: NamesConfig -> Word64 -ttlFoundNs cfg = fromIntegral (cacheSeconds cfg) * 1000000000 - --- | NotFound cache TTL — short enough that a newly-registered name becomes --- visible within seconds, long enough to absorb a unique-name DoS burst. --- Bounded by cacheSeconds in case the operator deliberately ran a tiny TTL. -ttlNotFoundNs :: NamesConfig -> Word64 -ttlNotFoundNs cfg = min (ttlFoundNs cfg) (30 * 1000000000) - --- | Leader/waiter coalescing. Leader runs the RPC under E.mask; waiters --- block on the leader's TMVar. Cleanup runs even on async exception. -coalesce :: NamesEnv -> ByteString -> Word64 -> IO (Either ResolveError NameRecord) -coalesce env@NamesEnv {inflight} key now = do - ticket <- atomically $ do - flight <- readTVar inflight - case PSQ.lookup key flight of - Just (_, mv) -> pure (Right mv) - Nothing -> do - mv <- newEmptyTMVar - writeTVar inflight (PSQ.insert key now mv flight) - pure (Left mv) - case ticket of - Right mv -> atomically (readTMVar mv) -- waiter - Left mv -> E.mask $ \restore -> do - -- Run the fetch with sync-only catching: async exceptions (cancel, - -- killThread) must propagate after we've completed the STM cleanup - -- so waiters never block on an orphan TMVar. - r <- - E.try (restore (fetchOnceTimed env key)) >>= \case - Right ok -> pure ok - Left e - | Just (_ :: E.SomeAsyncException) <- E.fromException e -> do - -- Tell waiters the lookup failed, then rethrow. - atomically $ do - putTMVar mv (Left EthHttpErr) - modifyTVar' inflight (PSQ.delete key) - E.throwIO e - | otherwise -> do - logError $ "[NAMES] resolver fetch raised " <> T.pack (E.displayException e) - pure (Left EthHttpErr) - atomically $ do - putTMVar mv r - modifyTVar' inflight (PSQ.delete key) - case r of - Right rec -> cacheInsert env key now (Just rec) (ttlFoundNs (config env)) - Left NotFound -> cacheInsert env key now Nothing (ttlNotFoundNs (config env)) - Left _ -> pure () -- transient errors (HTTP, decode, timeout) are not cached - pure r - -fetchOnceTimed :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) -fetchOnceTimed env key = - timeout (rpcTimeoutMs (config env) * 1000) (fetchOnce env key) >>= \case - Just r -> pure r - Nothing -> pure (Left TimedOut) - -fetchOnce :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) -fetchOnce NamesEnv {ethCall, config} key = - ethCall (unNameOwner (snrcAddress config)) (encodeGetRecord (namehash key)) >>= \case - Left e -> pure (Left (mapEthRpcError e)) - Right ret -> case decodeGetRecord ret of - Right Nothing -> pure (Left NotFound) - Right (Just rec) -> checkExpiry rec - Left _ -> pure (Left EthDecodeErr) - where - -- Defense in depth: the SNRC contract should already return the - -- zero-owner sentinel for expired records, but a buggy / pre-upgrade - -- contract might not. nrExpiry == 0 means "never expires" (reserved - -- names); any positive expiry in the past is treated as NotFound. - checkExpiry rec = do - nowSec <- floor <$> getPOSIXTime - pure $ if nrExpiry rec /= 0 && nrExpiry rec < nowSec - then Left NotFound - else Right rec - --- | Collapse the JSON-RPC transport-layer error space into the resolver's --- public error space. Reused by fetchOnce and pingEndpoint. -mapEthRpcError :: EthRpcError -> ResolveError -mapEthRpcError = \case - HttpFailure _ -> EthHttpErr - HttpStatusErr _ -> EthHttpErr - BodyTooLarge -> EthDecodeErr - InvalidJson _ -> EthDecodeErr - JsonRpcErr c m -> EthRpcErr {rpcCode = c, rpcMessage = m} - -cacheInsert :: NamesEnv -> ByteString -> Word64 -> Maybe NameRecord -> Word64 -> IO () -cacheInsert NamesEnv {config, cache} key now result ttl = atomically $ do - (psq, totalBytes) <- readTVar cache - let entryBytes = maybe notFoundOverhead estimateBytes result - (psq', totalBytes') = evictWhile psq totalBytes - evictWhile p tb - | PSQ.size p > cacheMaxEntries config || tb + entryBytes > cacheMaxBytes config = - case PSQ.minView p of - Just (_, _, ce, rest) -> evictWhile rest (tb - ceBytes ce) - Nothing -> (p, tb) - | otherwise = (p, tb) - ce = CacheEntry {ceResult = result, ceBytes = entryBytes, ceTtlNs = ttl} - writeTVar cache (PSQ.insert key now ce psq', totalBytes' + entryBytes) - where - notFoundOverhead = 128 -- PSQ node + key copy + small constant for the Nothing sentinel - --- | Approximate byte cost of a cached NameRecord. Counts the user-controlled --- variable-length content plus a fixed per-entry overhead for the wrapper --- (TVar/PSQ node + ByteString headers + IORef). Tighter than a constant upper --- bound so cacheMaxBytes is a meaningful cap. -estimateBytes :: NameRecord -> Int -estimateBytes NameRecord {nrDisplayName, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail} = - perEntryOverhead - + utf8Len nrDisplayName - + 20 -- nrOwner - + sum (map nameLinkBytes nrChannelLinks) - + sum (map nameLinkBytes nrContactLinks) - + maybe 0 utf8Len nrAdminAddress - + maybe 0 utf8Len nrAdminEmail - where - perEntryOverhead = 256 -- PSQ node + key copy + ByteString headers - utf8Len = B.length . T.encodeUtf8 - nameLinkBytes :: NameLink -> Int - nameLinkBytes = utf8Len . unNameLink diff --git a/src/Simplex/Messaging/Server/Prometheus.hs b/src/Simplex/Messaging/Server/Prometheus.hs index f8a5f84bf3..62d671224a 100644 --- a/src/Simplex/Messaging/Server/Prometheus.hs +++ b/src/Simplex/Messaging/Server/Prometheus.hs @@ -461,7 +461,7 @@ prometheusMetrics sm rtm ts = \simplex_smp_" <> pfx <> "_services_sub_fewer_total " <> mshow (_srvSubFewerTotal ss) <> "\n# " <> pfx <> ".srvSubFewerTotal\n\ \\n" names = - let NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled} = _rslvStats + let NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled} = _rslvStats in "# Names\n\ \# -----\n\ \\n\ @@ -481,14 +481,6 @@ prometheusMetrics sm rtm ts = \# TYPE simplex_smp_names_eth_errs counter\n\ \simplex_smp_names_eth_errs " <> mshow _rslvEthErrs <> "\n# rslvEthErrs\n\ \\n\ - \# HELP simplex_smp_names_cache_hits Resolution served from cache.\n\ - \# TYPE simplex_smp_names_cache_hits counter\n\ - \simplex_smp_names_cache_hits " <> mshow _rslvCacheHits <> "\n# rslvCacheHits\n\ - \\n\ - \# HELP simplex_smp_names_cache_miss Resolution required an eth_call.\n\ - \# TYPE simplex_smp_names_cache_miss counter\n\ - \simplex_smp_names_cache_miss " <> mshow _rslvCacheMiss <> "\n# rslvCacheMiss\n\ - \\n\ \# HELP simplex_smp_names_disabled RSLV requests rejected because the names role is disabled.\n\ \# TYPE simplex_smp_names_disabled counter\n\ \simplex_smp_names_disabled " <> mshow _rslvDisabled <> "\n# rslvDisabled\n\ diff --git a/src/Simplex/Messaging/Server/Stats.hs b/src/Simplex/Messaging/Server/Stats.hs index de9c23f19b..84f5145b72 100644 --- a/src/Simplex/Messaging/Server/Stats.hs +++ b/src/Simplex/Messaging/Server/Stats.hs @@ -894,8 +894,6 @@ data NameResolverStats = NameResolverStats rslvSucc :: IORef Int, rslvNotFound :: IORef Int, rslvEthErrs :: IORef Int, - rslvCacheHits :: IORef Int, - rslvCacheMiss :: IORef Int, rslvDisabled :: IORef Int } @@ -905,18 +903,14 @@ newNameResolverStats = do rslvSucc <- newIORef 0 rslvNotFound <- newIORef 0 rslvEthErrs <- newIORef 0 - rslvCacheHits <- newIORef 0 - rslvCacheMiss <- newIORef 0 rslvDisabled <- newIORef 0 - pure NameResolverStats {rslvReqs, rslvSucc, rslvNotFound, rslvEthErrs, rslvCacheHits, rslvCacheMiss, rslvDisabled} + pure NameResolverStats {rslvReqs, rslvSucc, rslvNotFound, rslvEthErrs, rslvDisabled} data NameResolverStatsData = NameResolverStatsData { _rslvReqs :: Int, _rslvSucc :: Int, _rslvNotFound :: Int, _rslvEthErrs :: Int, - _rslvCacheHits :: Int, - _rslvCacheMiss :: Int, _rslvDisabled :: Int } deriving (Show) @@ -928,8 +922,6 @@ newNameResolverStatsData = _rslvSucc = 0, _rslvNotFound = 0, _rslvEthErrs = 0, - _rslvCacheHits = 0, - _rslvCacheMiss = 0, _rslvDisabled = 0 } @@ -939,10 +931,8 @@ getNameResolverStatsData s = do _rslvSucc <- readIORef $ rslvSucc s _rslvNotFound <- readIORef $ rslvNotFound s _rslvEthErrs <- readIORef $ rslvEthErrs s - _rslvCacheHits <- readIORef $ rslvCacheHits s - _rslvCacheMiss <- readIORef $ rslvCacheMiss s _rslvDisabled <- readIORef $ rslvDisabled s - pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled} + pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled} getResetNameResolverStatsData :: NameResolverStats -> IO NameResolverStatsData getResetNameResolverStatsData s = do @@ -950,10 +940,8 @@ getResetNameResolverStatsData s = do _rslvSucc <- atomicSwapIORef (rslvSucc s) 0 _rslvNotFound <- atomicSwapIORef (rslvNotFound s) 0 _rslvEthErrs <- atomicSwapIORef (rslvEthErrs s) 0 - _rslvCacheHits <- atomicSwapIORef (rslvCacheHits s) 0 - _rslvCacheMiss <- atomicSwapIORef (rslvCacheMiss s) 0 _rslvDisabled <- atomicSwapIORef (rslvDisabled s) 0 - pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled} + pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled} -- not thread safe; used on server start only setNameResolverStats :: NameResolverStats -> NameResolverStatsData -> IO () @@ -962,12 +950,10 @@ setNameResolverStats s d = do writeIORef (rslvSucc s) $! _rslvSucc d writeIORef (rslvNotFound s) $! _rslvNotFound d writeIORef (rslvEthErrs s) $! _rslvEthErrs d - writeIORef (rslvCacheHits s) $! _rslvCacheHits d - writeIORef (rslvCacheMiss s) $! _rslvCacheMiss d writeIORef (rslvDisabled s) $! _rslvDisabled d instance StrEncoding NameResolverStatsData where - strEncode NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled} = + strEncode NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled} = "reqs=" <> strEncode _rslvReqs <> "\nsucc=" @@ -976,10 +962,6 @@ instance StrEncoding NameResolverStatsData where <> strEncode _rslvNotFound <> "\nethErrs=" <> strEncode _rslvEthErrs - <> "\ncacheHits=" - <> strEncode _rslvCacheHits - <> "\ncacheMiss=" - <> strEncode _rslvCacheMiss <> "\ndisabled=" <> strEncode _rslvDisabled strP = do @@ -987,10 +969,8 @@ instance StrEncoding NameResolverStatsData where _rslvSucc <- "succ=" *> strP <* A.endOfLine _rslvNotFound <- "notFound=" *> strP <* A.endOfLine _rslvEthErrs <- "ethErrs=" *> strP <* A.endOfLine - _rslvCacheHits <- "cacheHits=" *> strP <* A.endOfLine - _rslvCacheMiss <- "cacheMiss=" *> strP <* A.endOfLine _rslvDisabled <- "disabled=" *> strP - pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvCacheHits, _rslvCacheMiss, _rslvDisabled} + pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled} data ServiceStats = ServiceStats { srvAssocNew :: IORef Int, diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index f597c4ae07..102cf1f734 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -4,9 +4,6 @@ module SMPNamesTests (smpNamesTests) where -import Control.Concurrent (threadDelay) -import Control.Concurrent.Async (async, replicateConcurrently, wait) -import Control.Concurrent.STM (atomically, newEmptyTMVarIO, putTMVar, readTMVar) import qualified Crypto.Hash as Crypton import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B @@ -16,13 +13,13 @@ import Data.IORef (atomicModifyIORef', newIORef, readIORef) import qualified Data.Text as T import Simplex.Messaging.Encoding (smpEncode, smpP) import Simplex.Messaging.Parsers (parseAll) +import qualified Data.Aeson as J +import qualified Data.ByteString.Lazy as LB import Simplex.Messaging.Protocol ( LookupKey (..), NameRecord (..), mkNameLink, mkNameOwner, - nameRecBytes, - parseNameRec, unNameLink, unNameOwner, ) @@ -38,7 +35,7 @@ import Simplex.Messaging.Server.Names.Eth.SNRC namehash, snrcSelector, ) -import Simplex.Messaging.Server.Names.Resolver +import Simplex.Messaging.Server.Names ( NamesConfig (..), ResolveError (..), newNamesEnvWith, @@ -94,24 +91,23 @@ smpNamesTests = do describe "Keccak-256 and namehash" namehashSpec describe "ABI primitive bounds" abiBoundsSpec describe "decodeGetRecord (zero-owner sentinel)" zeroOwnerSpec - describe "Resolver cache + coalescing" resolverCacheSpec + describe "Resolver" resolverSpec nameRecordEncodingSpec :: Spec nameRecordEncodingSpec = do - it "round-trips nameRecBytes / parseNameRec" $ do - let bytes = nameRecBytes v20 sampleRecord - parseAll (parseNameRec v20) bytes `shouldBe` Right sampleRecord + it "round-trips JSON encode / decode" $ + J.eitherDecodeStrict (LB.toStrict (J.encode sampleRecord)) `shouldBe` Right sampleRecord it "rejects negative expiry" $ do - let badBytes = nameRecBytes v20 sampleRecord {nrExpiry = -1} - parseAll (parseNameRec v20) badBytes `shouldSatisfy` isLeft + let badBytes = LB.toStrict (J.encode sampleRecord {nrExpiry = -1}) + (J.eitherDecodeStrict badBytes :: Either String NameRecord) `shouldSatisfy` isLeft it "enforces combined channel+contact list cap of 8" $ do let mkLink i = either error id (mkNameLink ("simplex:/contact/" <> T.pack (show (i :: Int)))) nineLinks = map mkLink [0 .. 8] overflow = sampleRecord {nrChannelLinks = nineLinks, nrContactLinks = []} - bytes = nameRecBytes v20 overflow - parseAll (parseNameRec v20) bytes `shouldSatisfy` isLeft + bytes = LB.toStrict (J.encode overflow) + (J.eitherDecodeStrict bytes :: Either String NameRecord) `shouldSatisfy` isLeft it "encodes within the proxied transmission budget" $ do let huge = either error id (mkNameLink (T.replicate 1024 "x")) @@ -123,7 +119,7 @@ nameRecordEncodingSpec = do nrAdminAddress = Just (T.replicate 255 "a"), nrAdminEmail = Just (T.replicate 255 "e") } - B.length (nameRecBytes v20 wide) < 16224 `shouldBe` True + LB.length (J.encode wide) < 16224 `shouldBe` True lookupKeyAndCtorsSpec :: Spec lookupKeyAndCtorsSpec = do @@ -237,67 +233,31 @@ zeroOwnerSpec = do let tiny = B.replicate 31 '\NUL' decodeGetRecord tiny `shouldBe` Left AbiTruncated -resolverCacheSpec :: Spec -resolverCacheSpec = do +resolverSpec :: Spec +resolverSpec = do let mkEnv ethCall = do - hitsRef <- newIORef 0 - missRef <- newIORef 0 let cfg = NamesConfig { ethereumEndpoint = "http://stub", snrcAddress = either error id (mkNameOwner twentyOnes), rpcAuth = Nothing, - cacheSeconds = 300, - cacheMaxEntries = 100, - cacheMaxBytes = 1024 * 1024, rpcTimeoutMs = 1000, rpcMaxResponseBytes = 65536, rpcMaxConcurrency = 4 } - env <- newNamesEnvWith cfg ethCall Nothing hitsRef missRef - pure (env, hitsRef, missRef) + newNamesEnvWith cfg ethCall Nothing - it "maps stub zero-owner response to NotFound and counts as cache miss" $ do - (env, _, missRef) <- mkEnv $ \_ _ -> pure (Right (B.replicate (32 * 8) '\NUL')) + it "maps stub zero-owner response to NotFound" $ do + env <- mkEnv $ \_ _ -> pure (Right (B.replicate (32 * 8) '\NUL')) r <- resolveName env "alice" r `shouldBe` Left NotFound - misses <- readIORef missRef - misses `shouldBe` 1 - it "subsequent NotFound lookups hit the cache (no second RPC)" $ do + it "every lookup hits the endpoint (no cache)" $ do callCount <- newIORef (0 :: Int) - (env, hitsRef, missRef) <- mkEnv $ \_ _ -> do + env <- mkEnv $ \_ _ -> do atomicModifyIORef' callCount (\v -> (v + 1, ())) pure (Right (B.replicate (32 * 8) '\NUL')) - -- First lookup: miss, eth_call fires, NotFound cached. _ <- resolveName env "alice" - -- Second lookup: should hit cache, not call ethCall. - r2 <- resolveName env "alice" - r2 `shouldBe` Left NotFound - callCount' <- readIORef callCount - callCount' `shouldBe` 1 - missCount <- readIORef missRef - hitCount <- readIORef hitsRef - missCount `shouldBe` 1 - hitCount `shouldBe` 1 - - it "concurrent identical lookups coalesce — only the leader makes the RPC" $ do - -- Block the stub on a TMVar so the leader's eth_call doesn't return - -- before the 7 waiters race to attach to the inflight TMap. Without - -- coalescing, every caller would invoke ethCall and callCount would - -- be 8; with coalescing, only the leader fires. - gate <- newEmptyTMVarIO - callCount <- newIORef (0 :: Int) - (env, _, _) <- mkEnv $ \_ _ -> do - atomicModifyIORef' callCount (\v -> (v + 1, ())) - atomically (readTMVar gate) - pure (Right (B.replicate (32 * 8) '\NUL')) - -- Run the 8 callers in a background task so we can release the gate - -- only after they've all had a chance to register on the inflight map. - callers <- async $ replicateConcurrently 8 (resolveName env "alice") - threadDelay 50000 -- 50 ms — ample time for the 7 waiters to attach - atomically (putTMVar gate ()) - rs <- wait callers - all (== Left NotFound) rs `shouldBe` True + _ <- resolveName env "alice" n <- readIORef callCount - n `shouldBe` 1 + n `shouldBe` 2 From 6b216cad185526dd0acfeb3ad3901dad5b9d3783 Mon Sep 17 00:00:00 2001 From: sh Date: Thu, 28 May 2026 07:42:27 +0000 Subject: [PATCH 05/33] smp-server: redact RpcAuth in Show --- src/Simplex/Messaging/Server/Names/Eth/RPC.hs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/Simplex/Messaging/Server/Names/Eth/RPC.hs b/src/Simplex/Messaging/Server/Names/Eth/RPC.hs index f7d1a06494..d7d4bdb729 100644 --- a/src/Simplex/Messaging/Server/Names/Eth/RPC.hs +++ b/src/Simplex/Messaging/Server/Names/Eth/RPC.hs @@ -58,7 +58,12 @@ import Network.HTTP.Client.TLS (tlsManagerSettings) import qualified Network.HTTP.Types as HT data RpcAuth = AuthBearer Text | AuthBasic Text Text - deriving (Show) + +-- | Redacts the bearer token / basic-auth password so an accidental +-- `show` / `tshow` on NamesConfig never lands secrets in logs. +instance Show RpcAuth where + show (AuthBearer _) = "AuthBearer " + show (AuthBasic u _) = "AuthBasic " <> show u <> " " data EthRpcEnv = EthRpcEnv { manager :: Manager, From c812725461ca61908de3d4e60cfe68b099d6dc30 Mon Sep 17 00:00:00 2001 From: sh Date: Fri, 29 May 2026 16:02:28 +0000 Subject: [PATCH 06/33] smp-server: JSON wire fixups + spec rewrite + small cleanups --- protocol/simplex-messaging.md | 47 +++++++++++-------- src/Simplex/Messaging/Protocol.hs | 17 ++++--- src/Simplex/Messaging/Server/Main.hs | 7 ++- src/Simplex/Messaging/Server/Main/Init.hs | 5 +- src/Simplex/Messaging/Server/Names.hs | 36 ++++++++++++-- .../Messaging/Server/Names/Eth/SNRC.hs | 1 + tests/SMPNamesTests.hs | 16 +++++-- 7 files changed, 90 insertions(+), 39 deletions(-) diff --git a/protocol/simplex-messaging.md b/protocol/simplex-messaging.md index aa01974d82..3f3524d0de 100644 --- a/protocol/simplex-messaging.md +++ b/protocol/simplex-messaging.md @@ -1467,28 +1467,37 @@ out-of-band for operator observability. #### Name record response +The `NAME` response carries a JSON-encoded record as the payload: + ```abnf -name = %s"NAME" SP nameRecord - -nameRecord = displayName owner channelLinks contactLinks adminAddr adminEmail expiry isTest -displayName = length *OCTET ; 1-byte length prefix, up to 255 bytes UTF-8 -owner = 20OCTET ; raw 20-byte Ethereum-style address -channelLinks = count *nameLink ; count is a 1-byte unsigned integer -contactLinks = count *nameLink ; combined count of channelLinks + contactLinks ≤ 8 -nameLink = length16 *OCTET ; 2-byte big-endian length, up to 1024 bytes UTF-8 -adminAddr = optionalText ; "0" absent or "1" + 1-byte length + UTF-8 up to 255 bytes -adminEmail = optionalText ; same encoding as adminAddr -expiry = 8OCTET ; Int64 big-endian, Unix seconds, MUST be ≥ 0 -isTest = "T" / "F" +name = %s"NAME" SP json-bytes ; json-bytes consumes the remainder of the transmission ``` -The encoding is canonical: every primitive has exactly one valid byte form, so -two names routers reading the same backing state produce byte-identical -responses. - -**Wire-size budget.** A maximal `nameRecord` (8 links × 1024 bytes + maximal -admin / display strings) fits comfortably within the SMP proxied transmission -budget of 16224 bytes. +`json-bytes` MUST be a UTF-8 JSON object with the following schema: + +| Field | JSON type | Constraints | +|---|---|---| +| `displayName` | string | ≤ 255 bytes UTF-8 | +| `owner` | string | `"0x"` followed by 40 lowercase hex characters (20 raw bytes) | +| `channelLinks` | array of strings | each ≤ 1024 bytes UTF-8; combined count of `channelLinks + contactLinks` ≤ 8 | +| `contactLinks` | array of strings | each ≤ 1024 bytes UTF-8; combined count cap shared with `channelLinks` | +| `adminAddress` | string or null | ≤ 255 bytes UTF-8; senders MUST emit `null` when unset; receivers MUST also accept absent keys as unset | +| `adminEmail` | string or null | ≤ 255 bytes UTF-8; senders MUST emit `null` when unset; receivers MUST also accept absent keys as unset | +| `expiry` | integer | Int64 Unix seconds, MUST be ≥ 0; `0` means "never expires" | +| `isTest` | boolean | true on testnet deployments | + +Receivers MUST tolerate extra unknown fields (forward-compatibility for future +field additions). Adding a required field is a breaking change requiring an +SMP version bump. + +**Canonical encoding.** Two names routers reading the same backing state and +producing the same `NameRecord` MUST emit byte-identical JSON: emit object +keys in the order listed above, integers without decimal points, no +insignificant whitespace. + +**Wire-size budget.** A maximal `nameRecord` (8 × 1024-byte links plus +maximal admin / display strings) JSON-encodes to roughly 9 KB, well under the +SMP proxied transmission budget of 16224 bytes. ## Transport connection with the SMP router diff --git a/src/Simplex/Messaging/Protocol.hs b/src/Simplex/Messaging/Protocol.hs index 8da8e66b08..8cac209720 100644 --- a/src/Simplex/Messaging/Protocol.hs +++ b/src/Simplex/Messaging/Protocol.hs @@ -256,7 +256,7 @@ import Data.Kind import Data.List (foldl') import Data.List.NonEmpty (NonEmpty (..)) import qualified Data.List.NonEmpty as L -import Data.Maybe (isJust, isNothing) +import Data.Maybe (fromMaybe, isJust, isNothing) import Data.String import Data.Text (Text) import qualified Data.Text as T @@ -750,11 +750,11 @@ unNameOwner (NameOwner bs) = bs instance J.ToJSON NameOwner where toJSON (NameOwner bs) = J.String $ "0x" <> decodeLatin1 (BAE.convertToBase BAE.Base16 bs) - toEncoding (NameOwner bs) = J.toEncoding $ "0x" <> decodeLatin1 (BAE.convertToBase BAE.Base16 bs) instance J.FromJSON NameOwner where parseJSON = J.withText "NameOwner" $ \t -> do - let hex = maybe t id (T.stripPrefix "0x" t) + -- Accept "0x" and "0X" prefixes (matches Server/Main.hs:parseEthAddr via fromHex). + let hex = fromMaybe t (T.stripPrefix "0x" t <|> T.stripPrefix "0X" t) case BAE.convertFromBase BAE.Base16 (encodeUtf8 hex) of Left e -> fail e Right bs -> either fail pure (mkNameOwner bs) @@ -775,7 +775,6 @@ unNameLink (NameLink t) = t instance J.ToJSON NameLink where toJSON (NameLink t) = J.toJSON t - toEncoding (NameLink t) = J.toEncoding t instance J.FromJSON NameLink where parseJSON = J.withText "NameLink" (either fail pure . mkNameLink) @@ -809,18 +808,22 @@ instance J.ToJSON NameRecord where instance J.FromJSON NameRecord where parseJSON = J.withObject "NameRecord" $ \o -> do - nrDisplayName <- o J..: "displayName" + nrDisplayName <- o J..: "displayName" >>= capUtf8 "displayName" 255 nrOwner <- o J..: "owner" nrChannelLinks <- o J..: "channelLinks" nrContactLinks <- o J..: "contactLinks" when (length nrChannelLinks + length nrContactLinks > 8) $ fail "combined channelLinks + contactLinks > 8" - nrAdminAddress <- o J..:? "adminAddress" - nrAdminEmail <- o J..:? "adminEmail" + nrAdminAddress <- o J..:? "adminAddress" >>= traverse (capUtf8 "adminAddress" 255) + nrAdminEmail <- o J..:? "adminEmail" >>= traverse (capUtf8 "adminEmail" 255) nrExpiry <- o J..: "expiry" when (nrExpiry < 0) $ fail "expiry must be non-negative" nrIsTest <- o J..: "isTest" pure NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest} + where + capUtf8 fld lim t + | B.length (encodeUtf8 t) <= lim = pure t + | otherwise = fail $ fld <> " exceeds " <> show lim <> " bytes UTF-8" data BrokerMsg where -- SMP broker messages (responses, client messages, notifications) diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index 80f09e0dae..a240060a1d 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -841,7 +841,12 @@ validateUrl url auth_ = do ua <- maybe (Left "missing authority (host)") Right (uriAuthority uri) when (null (uriRegName ua)) $ Left "empty host" unless (null (uriUserInfo ua)) $ Left "userinfo (user:pass@) not allowed; use rpc_auth instead" - when (null (uriPort ua)) $ Left "explicit port required (e.g. http://host:8545)" + case uriPort ua of + "" -> Left "explicit port required (e.g. http://host:8545)" + ':' : portStr -> case readMaybe portStr of + Just n | n >= 1 && n <= 65535 -> Right () + _ -> Left $ "port " <> portStr <> " out of range (must be 1..65535)" + other -> Left $ "unexpected port syntax: " <> other unless (null (uriQuery uri)) $ Left "query string not allowed" unless (null (uriFragment uri)) $ Left "fragment not allowed" let path = uriPath uri diff --git a/src/Simplex/Messaging/Server/Main/Init.hs b/src/Simplex/Messaging/Server/Main/Init.hs index 659845f992..176727b08e 100644 --- a/src/Simplex/Messaging/Server/Main/Init.hs +++ b/src/Simplex/Messaging/Server/Main/Init.hs @@ -158,8 +158,9 @@ iniFileContent cfgPath logPath opts host basicAuth controlPortPwds = \[NAMES]\n\ \# Public-namespace resolution (SNRC on Ethereum).\n\ \# Requires an Ethereum JSON-RPC endpoint (Reth+Nimbus). See deployment guide.\n\ - \# Co-locating with the proxy role logs a warning at startup - slow RSLV cache misses\n\ - \# can serialise other forwarded commands. For high-volume deployments, run on a separate host.\n\ + \# Co-locating with the proxy role logs a startup advisory: slow RSLV calls can\n\ + \# serialise other forwarded commands on the same proxy-relay session.\n\ + \# For high-volume deployments, run [NAMES] on a separate host.\n\ \# Restart required to change settings.\n\ \enable: off\n\ \# Same-host:\n\ diff --git a/src/Simplex/Messaging/Server/Names.hs b/src/Simplex/Messaging/Server/Names.hs index 6406183171..fb07c2c34f 100644 --- a/src/Simplex/Messaging/Server/Names.hs +++ b/src/Simplex/Messaging/Server/Names.hs @@ -24,16 +24,18 @@ module Simplex.Messaging.Server.Names ) where +import Control.Monad (when, unless) import qualified Control.Exception as E import Control.Logger.Simple (logError) import Data.ByteString.Char8 (ByteString) +import Data.IORef (IORef, atomicModifyIORef', newIORef) import Data.Maybe (fromMaybe) import Data.Text (Text) import qualified Data.Text as T import Data.Time.Clock.POSIX (getPOSIXTime) import Simplex.Messaging.Protocol (NameOwner, NameRecord (..), unNameOwner) import Simplex.Messaging.Server.Names.Eth.RPC (EthRpcEnv, EthRpcError (..), RpcAuth (..), closeEthRpcEnv, ethCallReal, newEthRpcEnv) -import Simplex.Messaging.Server.Names.Eth.SNRC (decodeGetRecord, encodeGetRecord, namehash) +import Simplex.Messaging.Server.Names.Eth.SNRC (decodeAddress, decodeGetRecord, encodeGetRecord, isZeroOwner, namehash) import System.Timeout (timeout) data NamesConfig = NamesConfig @@ -61,7 +63,10 @@ type EthCall = ByteString -> ByteString -> IO (Either EthRpcError ByteString) data NamesEnv = NamesEnv { config :: NamesConfig, ethCall :: EthCall, - rpcEnv :: Maybe EthRpcEnv -- Nothing for test stubs + rpcEnv :: Maybe EthRpcEnv, -- Nothing for test stubs + -- One-shot guard so the placeholder-decoder warning logs once per process, + -- not once per RSLV. + placeholderWarned :: IORef Bool } newNamesEnv :: NamesConfig -> IO NamesEnv @@ -71,7 +76,9 @@ newNamesEnv cfg = do -- | Allocate resolver with an injected ethCall (test seam). newNamesEnvWith :: NamesConfig -> EthCall -> Maybe EthRpcEnv -> IO NamesEnv -newNamesEnvWith config ethCall rpcEnv = pure NamesEnv {config, ethCall, rpcEnv} +newNamesEnvWith config ethCall rpcEnv = do + placeholderWarned <- newIORef False + pure NamesEnv {config, ethCall, rpcEnv, placeholderWarned} closeNamesEnv :: NamesEnv -> IO () closeNamesEnv NamesEnv {rpcEnv} = mapM_ closeEthRpcEnv rpcEnv @@ -101,14 +108,25 @@ resolveName env key = do pure (Left EthHttpErr) fetch :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) -fetch NamesEnv {ethCall, config} key = +fetch env@NamesEnv {ethCall, config} key = ethCall (unNameOwner (snrcAddress config)) (encodeGetRecord (namehash key)) >>= \case Left e -> pure (Left (mapEthRpcError e)) Right ret -> case decodeGetRecord ret of - Right Nothing -> pure (Left NotFound) + Right Nothing -> notFoundWithPlaceholderWarn ret Right (Just rec) -> checkExpiry rec Left _ -> pure (Left EthDecodeErr) where + -- decodeGetRecord is currently a placeholder: it returns Right Nothing + -- for BOTH "zero-owner sentinel" (real NotFound) and "non-zero owner + -- with real data but no ABI decoder yet". Inspect the owner slot + -- directly to distinguish, and surface the latter once per process so + -- an operator who enables [NAMES] against a working SNRC contract sees + -- the resolver is functionally stubbed. + notFoundWithPlaceholderWarn ret = do + case decodeAddress 32 ret of + Right owner -> unless (isZeroOwner owner) (warnPlaceholderOnce env) + Left _ -> pure () + pure (Left NotFound) -- Defense in depth: the SNRC contract should already return the -- zero-owner sentinel for expired records, but a buggy / pre-upgrade -- contract might not. nrExpiry == 0 means "never expires" (reserved @@ -119,6 +137,14 @@ fetch NamesEnv {ethCall, config} key = then Left NotFound else Right rec +warnPlaceholderOnce :: NamesEnv -> IO () +warnPlaceholderOnce NamesEnv {placeholderWarned} = do + first <- atomicModifyIORef' placeholderWarned (\w -> (True, not w)) + when first $ + logError + "[NAMES] decodeGetRecord placeholder hit — SNRC ABI codec not finalised; \ + \every non-zero-owner record returns NotFound until the decoder ships" + -- | Collapse the JSON-RPC transport-layer error space into the resolver's -- public error space. mapEthRpcError :: EthRpcError -> ResolveError diff --git a/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs b/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs index 80b11a255e..adf3d2d5e4 100644 --- a/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs +++ b/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs @@ -35,6 +35,7 @@ module Simplex.Messaging.Server.Names.Eth.SNRC decodeString, decodeUtf8Text, decodeStringArray, + isZeroOwner, ) where diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index 102cf1f734..8eea377919 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -17,6 +17,7 @@ import qualified Data.Aeson as J import qualified Data.ByteString.Lazy as LB import Simplex.Messaging.Protocol ( LookupKey (..), + NameOwner, NameRecord (..), mkNameLink, mkNameOwner, @@ -41,8 +42,6 @@ import Simplex.Messaging.Server.Names newNamesEnvWith, resolveName, ) -import Simplex.Messaging.Transport (VersionSMP) -import Simplex.Messaging.Version.Internal (Version (..)) import Test.Hspec -- Reference vectors: @@ -63,9 +62,6 @@ sha3_256Abc = "\x3a\x98\x5d\xa7\x4f\xe2\x25\xb2\x04\x5c\x17\x2d\x6b\xd3\x90\xbd\ namehashEth :: ByteString namehashEth = "\x93\xcd\xeb\x70\x8b\x75\x45\xdc\x66\x8e\xb9\x28\x01\x76\x16\x9d\x1c\x33\xcf\xd8\xed\x6f\x04\x69\x0a\x0b\xcc\x88\xa9\x3f\xc4\xae" -v20 :: VersionSMP -v20 = Version 20 - twentyOnes :: ByteString twentyOnes = B.replicate 20 '\x01' @@ -109,6 +105,16 @@ nameRecordEncodingSpec = do bytes = LB.toStrict (J.encode overflow) (J.eitherDecodeStrict bytes :: Either String NameRecord) `shouldSatisfy` isLeft + it "rejects nrDisplayName > 255 bytes UTF-8" $ do + let oversize = sampleRecord {nrDisplayName = T.replicate 256 "x"} + bytes = LB.toStrict (J.encode oversize) + (J.eitherDecodeStrict bytes :: Either String NameRecord) `shouldSatisfy` isLeft + + it "FromJSON NameOwner accepts both 0x and 0X prefixes" $ do + let json p = "\"" <> p <> "0101010101010101010101010101010101010101\"" + (J.eitherDecodeStrict (json "0x") :: Either String NameOwner) `shouldSatisfy` isRight + (J.eitherDecodeStrict (json "0X") :: Either String NameOwner) `shouldSatisfy` isRight + it "encodes within the proxied transmission budget" $ do let huge = either error id (mkNameLink (T.replicate 1024 "x")) wide = From 66bca0cb805782c63235e65538919118504007f5 Mon Sep 17 00:00:00 2001 From: sh Date: Thu, 28 May 2026 08:20:40 +0000 Subject: [PATCH 07/33] plan: prepend implementation-diverged banner --- plans/20260522_01_smp_public_namespaces.md | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/plans/20260522_01_smp_public_namespaces.md b/plans/20260522_01_smp_public_namespaces.md index 5f90e67fd3..e95b944ffb 100644 --- a/plans/20260522_01_smp_public_namespaces.md +++ b/plans/20260522_01_smp_public_namespaces.md @@ -1,5 +1,30 @@ # Server: SMP support for public namespaces +> **⚠ Implementation diverged from this plan.** Six audit rounds reshaped the +> original design. **The shipped code differs in several load-bearing ways:** +> +> - **Wire format**: `NameRecord` is now JSON (aeson), not the custom binary +> ABNF this plan documents. See `protocol/simplex-messaging.md` §Resolver +> commands and `src/Simplex/Messaging/Protocol.hs` ToJSON/FromJSON instances. +> - **No cache**: the TTL + FIFO + byte-cap cache, in-flight coalescing, +> `psqueues` dep, and `cache_*` INI keys are all gone. Every RSLV becomes +> one `eth_call` bounded by `rpcMaxConcurrency` + `rpcTimeoutMs`. See +> `src/Simplex/Messaging/Server/Names.hs`. +> - **No `allow_dangerous_colocation` flag**: the proxy co-location guard +> was demoted to a startup `logWarn` (the flag was always-on because +> `[PROXY]` has no enable toggle). +> - **Module shape**: `Names/Resolver.hs` was merged into `Names.hs`; only +> `Names/Eth/RPC.hs` and `Names/Eth/SNRC.hs` remain as separate modules. +> - **Test list**: of the 15 specs listed below, ~7 shipped; the rest were +> either superseded by the cache removal (CacheSpec) or deferred +> (ForwardedRslvSpec, MockRpcSpec, StartupGuardSpec, UrlValidationSpec, +> EipChecksumSpec). +> +> Sources of truth: `CHANGELOG.md` (release notes), +> `protocol/simplex-messaging.md` §Resolver commands (wire format), +> `src/Simplex/Messaging/Server/Names*.hs` (implementation). This file is +> retained as historical context; do not treat it as a specification. + Implementation plan for Part 2 of [RFC 2026-05-21-public-namespaces](https://github.com/simplex-chat/simplex-chat/blob/ep/namespace/docs/rfcs/2026-05-21-public-namespaces.md). Adds a forwarded-only `RSLV ` SMP command that returns `NAME ` read from the SNRC contract via a Reth+Nimbus JSON-RPC endpoint. Smp-server becomes name-capable by `[NAMES] enable: on`. Out of scope: `Simplex.Messaging.Client` API, agent-side resolution flow, `ServerRoles.names` in the agent, default-router list, reverse resolution, multicoin/text records, state proofs. From daac3e2e028e875875c89c66b0283cd61e2ae740 Mon Sep 17 00:00:00 2001 From: sh Date: Thu, 28 May 2026 09:00:37 +0000 Subject: [PATCH 08/33] move SimplexName into shared module --- simplexmq.cabal | 1 + src/Simplex/Messaging/Agent/Protocol.hs | 61 +---------------- src/Simplex/Messaging/SimplexName.hs | 91 +++++++++++++++++++++++++ 3 files changed, 93 insertions(+), 60 deletions(-) create mode 100644 src/Simplex/Messaging/SimplexName.hs diff --git a/simplexmq.cabal b/simplexmq.cabal index f9a1731a5b..08c8b96252 100644 --- a/simplexmq.cabal +++ b/simplexmq.cabal @@ -141,6 +141,7 @@ library Simplex.Messaging.Server.QueueStore.Postgres.Config Simplex.Messaging.Server.QueueStore.QueueInfo Simplex.Messaging.ServiceScheme + Simplex.Messaging.SimplexName Simplex.Messaging.Session Simplex.Messaging.SystemTime Simplex.Messaging.TMap diff --git a/src/Simplex/Messaging/Agent/Protocol.hs b/src/Simplex/Messaging/Agent/Protocol.hs index 36c72de0e7..72fd59feda 100644 --- a/src/Simplex/Messaging/Agent/Protocol.hs +++ b/src/Simplex/Messaging/Agent/Protocol.hs @@ -236,6 +236,7 @@ import Simplex.Messaging.Crypto.Ratchet ) import Simplex.Messaging.Encoding import Simplex.Messaging.Encoding.String +import Simplex.Messaging.SimplexName (SimplexNameInfo (..), SimplexNameType (..), SimplexTLD (..), fullDomainName, shortNameInfoStr) import Simplex.Messaging.Parsers import Simplex.Messaging.Protocol ( AProtocolType, @@ -1530,61 +1531,6 @@ instance (Typeable c, ConnectionModeI c) => FromField (ConnShortLink c) where fr data ContactConnType = CCTContact | CCTChannel | CCTGroup | CCTRelay deriving (Eq, Show) -data SimplexNameInfo = SimplexNameInfo - { nameType :: SimplexNameType, - nameTLD :: SimplexTLD, - domain :: Text, - subDomain :: [Text] -- parent to child: ["b", "a"] for a.b.domain.simplex - } - deriving (Eq, Show) - -data SimplexTLD = TLDSimplex | TLDTesting | TLDWeb - deriving (Eq, Show) - -data SimplexNameType = NTPublicGroup | NTContact - deriving (Eq, Show) - -instance StrEncoding SimplexNameType where - strEncode = \case - NTPublicGroup -> "#" - NTContact -> "@" - strP = A.char '#' $> NTPublicGroup <|> A.char '@' $> NTContact - -instance StrEncoding SimplexNameInfo where - strEncode info = "simplex:/name" <> strEncode (nameType info) <> encodeUtf8 (fullDomainName info) - strP = optional "simplex:/name" *> (strP >>= nameP) <|> nameP NTPublicGroup - where - nameP nt = parseName nt . safeDecodeUtf8 <$?> A.takeWhile1 (not . A.isSpace) - parseName nt s = AT.parseOnly (nameLabelP `AT.sepBy1` AT.char '.' <* AT.endOfInput) s >>= mkNameInfo nt - nameLabelP = T.intercalate "-" <$> AT.takeWhile1 (\c -> isNameLetter c || isDigit c) `AT.sepBy1` AT.char '-' - isNameLetter c = isAlpha c && not (c >= '\x00c0' && c <= '\x024f') - mkNameInfo nt labels = case reverse labels of - [] -> Left "empty name" - [name] - | nt == NTPublicGroup -> Right $ SimplexNameInfo nt TLDSimplex name [] - | otherwise -> Left "contact name requires TLD" - tld : name : sub -> Right $ case tld of - "simplex" -> SimplexNameInfo nt TLDSimplex name sub - "testing" -> SimplexNameInfo nt TLDTesting name sub - _ -> SimplexNameInfo nt TLDWeb (T.intercalate "." labels) [] - -fullDomainName :: SimplexNameInfo -> Text -fullDomainName SimplexNameInfo {nameTLD, domain, subDomain} = T.intercalate "." (reverse subDomain ++ [domain] ++ tld') - where - tld' = case nameTLD of - TLDSimplex -> ["simplex"] - TLDTesting -> ["testing"] - TLDWeb -> [] - -shortNameInfoStr :: SimplexNameInfo -> Text -shortNameInfoStr = \case - SimplexNameInfo {nameType = NTPublicGroup, nameTLD = TLDSimplex, domain, subDomain = []} -> "#" <> domain - info -> pfx <> fullDomainName info - where - pfx = case nameType info of - NTPublicGroup -> "#" - NTContact -> "@" - data AConnShortLink = forall m. ConnectionModeI m => ACSL (SConnectionMode m) (ConnShortLink m) instance Eq AConnShortLink where @@ -2263,8 +2209,3 @@ instance ToJSON ACreatedConnLink where toEncoding (ACCL _ ccLink) = toEncoding ccLink toJSON (ACCL _ ccLink) = toJSON ccLink -$(J.deriveJSON (enumJSON $ dropPrefix "TLD") ''SimplexTLD) - -$(J.deriveJSON (enumJSON $ dropPrefix "NT") ''SimplexNameType) - -$(J.deriveJSON defaultJSON ''SimplexNameInfo) diff --git a/src/Simplex/Messaging/SimplexName.hs b/src/Simplex/Messaging/SimplexName.hs new file mode 100644 index 0000000000..56cf4cb2ea --- /dev/null +++ b/src/Simplex/Messaging/SimplexName.hs @@ -0,0 +1,91 @@ +{-# LANGUAGE LambdaCase #-} +{-# LANGUAGE NamedFieldPuns #-} +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE StrictData #-} +{-# LANGUAGE TemplateHaskell #-} + +-- | SimpleX name shape — parsed surface form for `@contact.simplex`, +-- `#group`, and similar. Shared between the agent (which receives names +-- from the user) and the server (which validates them on the RSLV path). +module Simplex.Messaging.SimplexName + ( SimplexNameInfo (..), + SimplexTLD (..), + SimplexNameType (..), + fullDomainName, + shortNameInfoStr, + ) +where + +import Control.Applicative (optional, (<|>)) +import qualified Data.Attoparsec.ByteString.Char8 as A +import qualified Data.Attoparsec.Text as AT +import qualified Data.Aeson.TH as J +import Data.Char (isAlpha, isDigit) +import Data.Functor (($>)) +import Data.Text (Text) +import qualified Data.Text as T +import Data.Text.Encoding (encodeUtf8) +import Simplex.Messaging.Encoding.String +import Simplex.Messaging.Parsers (defaultJSON, dropPrefix, enumJSON) +import Simplex.Messaging.Util (safeDecodeUtf8, (<$?>)) + +data SimplexNameInfo = SimplexNameInfo + { nameType :: SimplexNameType, + nameTLD :: SimplexTLD, + domain :: Text, + subDomain :: [Text] -- parent to child: ["b", "a"] for a.b.domain.simplex + } + deriving (Eq, Show) + +data SimplexTLD = TLDSimplex | TLDTesting | TLDWeb + deriving (Eq, Show) + +data SimplexNameType = NTPublicGroup | NTContact + deriving (Eq, Show) + +instance StrEncoding SimplexNameType where + strEncode = \case + NTPublicGroup -> "#" + NTContact -> "@" + strP = A.char '#' $> NTPublicGroup <|> A.char '@' $> NTContact + +instance StrEncoding SimplexNameInfo where + strEncode info = "simplex:/name" <> strEncode (nameType info) <> encodeUtf8 (fullDomainName info) + strP = optional "simplex:/name" *> (strP >>= nameP) <|> nameP NTPublicGroup + where + nameP nt = parseName nt . safeDecodeUtf8 <$?> A.takeWhile1 (not . A.isSpace) + parseName nt s = AT.parseOnly (nameLabelP `AT.sepBy1` AT.char '.' <* AT.endOfInput) s >>= mkNameInfo nt + nameLabelP = T.intercalate "-" <$> AT.takeWhile1 (\c -> isNameLetter c || isDigit c) `AT.sepBy1` AT.char '-' + isNameLetter c = isAlpha c && not (c >= '\x00c0' && c <= '\x024f') + mkNameInfo nt labels = case reverse labels of + [] -> Left "empty name" + [name] + | nt == NTPublicGroup -> Right $ SimplexNameInfo nt TLDSimplex name [] + | otherwise -> Left "contact name requires TLD" + tld : name : sub -> Right $ case tld of + "simplex" -> SimplexNameInfo nt TLDSimplex name sub + "testing" -> SimplexNameInfo nt TLDTesting name sub + _ -> SimplexNameInfo nt TLDWeb (T.intercalate "." labels) [] + +fullDomainName :: SimplexNameInfo -> Text +fullDomainName SimplexNameInfo {nameTLD, domain, subDomain} = T.intercalate "." (reverse subDomain ++ [domain] ++ tld') + where + tld' = case nameTLD of + TLDSimplex -> ["simplex"] + TLDTesting -> ["testing"] + TLDWeb -> [] + +shortNameInfoStr :: SimplexNameInfo -> Text +shortNameInfoStr = \case + SimplexNameInfo {nameType = NTPublicGroup, nameTLD = TLDSimplex, domain, subDomain = []} -> "#" <> domain + info -> pfx <> fullDomainName info + where + pfx = case nameType info of + NTPublicGroup -> "#" + NTContact -> "@" + +$(J.deriveJSON (enumJSON $ dropPrefix "TLD") ''SimplexTLD) + +$(J.deriveJSON (enumJSON $ dropPrefix "NT") ''SimplexNameType) + +$(J.deriveJSON defaultJSON ''SimplexNameInfo) From c3e7b61a81a1221427ba0207656961f260de7647 Mon Sep 17 00:00:00 2001 From: sh Date: Fri, 29 May 2026 15:50:10 +0000 Subject: [PATCH 09/33] smp-server: name + contract whitelist on RSLV --- protocol/simplex-messaging.md | 34 ++++-- src/Simplex/Messaging/Protocol.hs | 41 +++++--- src/Simplex/Messaging/Server.hs | 18 ++-- src/Simplex/Messaging/Server/Main.hs | 17 ++- src/Simplex/Messaging/Server/Main/Init.hs | 9 +- src/Simplex/Messaging/Server/Names.hs | 98 +++++++++++++----- src/Simplex/Messaging/Server/Prometheus.hs | 6 +- src/Simplex/Messaging/Server/Stats.hs | 21 +++- tests/SMPNamesTests.hs | 114 ++++++++++++++++----- 9 files changed, 273 insertions(+), 85 deletions(-) diff --git a/protocol/simplex-messaging.md b/protocol/simplex-messaging.md index 3f3524d0de..86fdb44912 100644 --- a/protocol/simplex-messaging.md +++ b/protocol/simplex-messaging.md @@ -1450,20 +1450,38 @@ below. #### Resolve name command +The `RSLV` command carries a JSON-encoded request as the payload: + ```abnf -rslv = %s"RSLV" SP lookupKey -lookupKey = length *OCTET ; 1-byte length prefix, up to 64 bytes +rslv = %s"RSLV" SP json-bytes ; json-bytes consumes the remainder of the transmission ``` -Name-syntax validation (lowercase, namespace prefixes such as `#testnet:`, -length policy) is a client-side concern. The names router treats the lookup -key as opaque bytes. +`json-bytes` MUST be a UTF-8 JSON object with the following schema: + +| Field | JSON type | Constraints | +|---|---|---| +| `name` | string | the canonical fully-qualified name (TLD always explicit, e.g. `"privacy.simplex"`, `"test.testing"`, `"example.com"`); UTF-8 bytes only | +| `contract` | string | `"0x"` followed by 40 lowercase hex characters (20 raw bytes — the SNRC contract address the client expects the server to query) | + +**Server-side validation.** The names router parses `name` as a fully-qualified +domain (TLD required — bare labels are rejected), extracts the TLD, and looks +up the expected SNRC contract address in its INI whitelist +(`registry_tld_simplex`, `registry_tld_testing`, `registry_tld_all`). +`registry_tld_all` is the catch-all used when no TLD-specific entry matches +the requested TLD (and the only entry that can resolve web domains). If no +whitelist entry matches the TLD, or if the client-supplied `contract` differs +from the configured address, the server replies with `ERR AUTH` without +contacting the chain. This lets one names router safely host multiple TLDs +(each backed by its own SNRC contract) and reject clients pointing at a +contract the operator doesn't run. The names router responds with either a `NAME` response carrying the resolved record, or `ERR AUTH` collapsing every failure mode (name not found, malformed -key, names role disabled, RPC unreachable, decode error, timeout). The wire -code does not distinguish between these — stats counters MAY be exposed -out-of-band for operator observability. +name, TLD not in whitelist, contract mismatch, names role disabled, RPC +unreachable, decode error, timeout). The wire code does not distinguish +between these — stats counters MAY be exposed out-of-band for operator +observability (`bad_name` is incremented for validation/whitelist failures, +distinct from `not_found` for valid lookups with no on-chain record). #### Name record response diff --git a/src/Simplex/Messaging/Protocol.hs b/src/Simplex/Messaging/Protocol.hs index 8cac209720..197b1fc96b 100644 --- a/src/Simplex/Messaging/Protocol.hs +++ b/src/Simplex/Messaging/Protocol.hs @@ -163,7 +163,7 @@ module Simplex.Messaging.Protocol EncTransmission (..), FwdResponse (..), FwdTransmission (..), - LookupKey (..), + RslvRequest (..), NameRecord (..), NameOwner, mkNameOwner, @@ -566,17 +566,18 @@ type LinkId = QueueId -- | SMP queue ID on the server. type QueueId = EntityId --- | Name lookup key — opaque bytes; namespace/casing per RFC enforced client-side. -newtype LookupKey = LookupKey ByteString +-- | Name resolution request. The client sends the canonical SimplexNameDomain +-- (TLD always explicit) plus the SNRC contract address it expects the server +-- to query. The server parses the domain (validating syntax) and checks the +-- supplied contract against its INI whitelist before reading the chain — so a +-- single names router can safely host multiple TLDs (each backed by its own +-- SNRC contract) and reject clients that ask for the wrong one. +data RslvRequest = RslvRequest + { name :: Text, + contract :: NameOwner + } deriving (Eq, Show) -instance Encoding LookupKey where - smpEncode (LookupKey s) = smpEncode s - smpP = do - n <- lenP - when (n > 64) $ fail "LookupKey too long" - LookupKey <$> A.take n - -- | Parameterized type for SMP protocol commands from all clients. data Command (p :: Party) where -- SMP recipient commands @@ -625,7 +626,7 @@ data Command (p :: Party) where -- - corrId: unique correlation ID between proxy and relay, also used as a nonce to encrypt forwarded transmission RFWD :: EncFwdTransmission -> Command ProxyService -- use CorrId as CbNonce, proxy to relay -- Name resolution: forwarded-only via PFWD. Server reads SNRC contract via Ethereum JSON-RPC. - RSLV :: LookupKey -> Command Resolver + RSLV :: RslvRequest -> Command Resolver deriving instance Show (Command p) @@ -759,6 +760,16 @@ instance J.FromJSON NameOwner where Left e -> fail e Right bs -> either fail pure (mkNameOwner bs) +instance J.ToJSON RslvRequest where + toJSON RslvRequest {name, contract} = J.object ["name" J..= name, "contract" J..= contract] + toEncoding RslvRequest {name, contract} = J.pairs ("name" J..= name <> "contract" J..= contract) + +instance J.FromJSON RslvRequest where + parseJSON = J.withObject "RslvRequest" $ \o -> do + name <- o J..: "name" + contract <- o J..: "contract" + pure RslvRequest {name, contract} + -- | A name-record link (channel or contact). Bare constructor not exported; -- use `mkNameLink` to enforce the ≤1024-byte UTF-8 invariant. newtype NameLink = NameLink Text @@ -1920,7 +1931,9 @@ instance PartyI p => ProtocolEncoding SMPVersion ErrorType (Command p) where PRXY host auth_ -> e (PRXY_, ' ', host, auth_) PFWD fwdV pubKey (EncTransmission s) -> e (PFWD_, ' ', fwdV, pubKey, Tail s) RFWD (EncFwdTransmission s) -> e (RFWD_, ' ', Tail s) - RSLV key -> e (RSLV_, ' ', key) + RSLV req + | v >= namesSMPVersion -> e (RSLV_, ' ', Tail (LB.toStrict (J.encode req))) + | otherwise -> e (ERR_, ' ', AUTH) -- pre-v20: shouldn't reach here, degrade to AUTH where e :: Encoding a => a -> ByteString e = smpEncode @@ -2030,7 +2043,9 @@ instance ProtocolEncoding SMPVersion ErrorType Cmd where | v >= rcvServiceSMPVersion -> Cmd SNotifierService <$> (NSUBS <$> _smpP <*> smpP) | otherwise -> pure $ Cmd SNotifierService $ NSUBS (-1) mempty CT SResolver RSLV_ - | v >= namesSMPVersion -> Cmd SResolver . RSLV <$> _smpP + | v >= namesSMPVersion -> do + Tail bs <- _smpP + either fail (pure . Cmd SResolver . RSLV) (J.eitherDecodeStrict bs) | otherwise -> fail "RSLV requires namesSMPVersion" fromProtocolError = fromProtocolError @SMPVersion @ErrorType @BrokerMsg diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index 20e3f2fbf2..6fa7bf611b 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -108,7 +108,7 @@ import Simplex.Messaging.Server.Env.STM as Env import Simplex.Messaging.Server.Expiration import Simplex.Messaging.Server.MsgStore import Simplex.Messaging.Server.MsgStore.Journal (JournalMsgStore, JournalQueue (..), getJournalQueueMessages) -import Simplex.Messaging.Server.Names (ResolveError (..), closeNamesEnv, resolveName) +import Simplex.Messaging.Server.Names (ResolveError (..), closeNamesEnv, resolveName, verifyRslv) import Simplex.Messaging.Server.MsgStore.STM import Simplex.Messaging.Server.MsgStore.Types import Simplex.Messaging.Server.NtfStore @@ -661,8 +661,8 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt map tshow [_pRequests, _pSuccesses, _pErrorsConnect, _pErrorsCompat, _pErrorsOther] showServiceStats ServiceStatsData {_srvAssocNew, _srvAssocDuplicate, _srvAssocUpdated, _srvAssocRemoved, _srvSubCount, _srvSubDuplicate, _srvSubQueues, _srvSubEnd} = map tshow [_srvAssocNew, _srvAssocDuplicate, _srvAssocUpdated, _srvAssocRemoved, _srvSubCount, _srvSubDuplicate, _srvSubQueues, _srvSubEnd] - showNameResolverStats NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled} = - map tshow [_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled] + showNameResolverStats NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled} = + map tshow [_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled] prometheusMetricsThread_ :: ServerConfig s -> [M s ()] prometheusMetricsThread_ ServerConfig {prometheusInterval = Just interval, prometheusMetricsFile} = @@ -1496,15 +1496,17 @@ client SEND flags msgBody -> response <$> withQueue_ False err (sendMessage flags msgBody) Cmd SIdleClient PING -> pure $ response (corrId, NoEntity, PONG) Cmd SProxyService (RFWD encBlock) -> response . (corrId,NoEntity,) <$> processForwardedCommand encBlock - Cmd SResolver (RSLV (LookupKey key)) -> do + Cmd SResolver (RSLV req) -> do st <- asks (rslvStats . serverStats) incStat (rslvReqs st) (selector, msg) <- asks namesEnv >>= \case Nothing -> pure (rslvDisabled, ERR AUTH) - Just nenv -> liftIO (resolveName nenv key) <&> \case - Right rec -> (rslvSucc, NAME rec) - Left NotFound -> (rslvNotFound, ERR AUTH) - Left _ -> (rslvEthErrs, ERR AUTH) + Just nenv -> case verifyRslv nenv req of + Nothing -> pure (rslvBadName, ERR AUTH) + Just (addr, d) -> liftIO (resolveName nenv addr d) <&> \case + Right rec -> (rslvSucc, NAME rec) + Left NotFound -> (rslvNotFound, ERR AUTH) + Left _ -> (rslvEthErrs, ERR AUTH) incStat (selector st) $> response (corrId, NoEntity, msg) Cmd SSenderLink command -> case command of LKEY k -> withQueue $ \q qr -> checkMode QMMessaging qr $ secureQueue_ q k $>> getQueueLink_ q qr diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index a240060a1d..8968cbd342 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -78,7 +78,7 @@ import Simplex.Messaging.Server.MsgStore.Journal (JournalMsgStore (..), QStoreCf import Simplex.Messaging.Server.MsgStore.Types (MsgStoreClass (..), SQSType (..), SMSType (..), newMsgStore) import Network.URI (URI (..), URIAuth (..), parseAbsoluteURI) import Simplex.Messaging.Protocol (mkNameOwner, NameOwner) -import Simplex.Messaging.Server.Names (NamesConfig (..), RpcAuth (..)) +import Simplex.Messaging.Server.Names (NamesConfig (..), RpcAuth (..), TldRegistries (..)) import Simplex.Messaging.Server.Names.Eth.RPC (fromHex) import Simplex.Messaging.Server.QueueStore.Postgres.Config import Simplex.Messaging.Server.StoreLog.ReadWrite (readQueueStore) @@ -807,10 +807,11 @@ readNamesConfig ini | otherwise = let rpcAuth_ = either (error . ("[NAMES] rpc_auth: " <>)) Just . parseRpcAuth =<< eitherToMaybe (lookupValue "NAMES" "rpc_auth" ini) endpoint = requiredText "ethereum_endpoint" + registries = readTldRegistries in Just NamesConfig { ethereumEndpoint = either (error . ("[NAMES] ethereum_endpoint: " <>)) id (validateUrl endpoint rpcAuth_), - snrcAddress = either (error . ("[NAMES] snrc_address: " <>)) id $ parseEthAddr (requiredText "snrc_address"), + tldRegistries = registries, rpcAuth = rpcAuth_, rpcTimeoutMs = readIniDefault 3000 "NAMES" "rpc_timeout_ms" ini, rpcMaxResponseBytes = readIniDefault 262144 "NAMES" "rpc_max_response_bytes" ini, @@ -821,6 +822,18 @@ readNamesConfig ini requiredText key = either (error . (("[NAMES] " <> T.unpack key <> " is required: ") <>)) id $ lookupValue "NAMES" key ini + readTldRegistries = + let regs = TldRegistries + { tldSimplex = optionalAddr "registry_tld_simplex", + tldTesting = optionalAddr "registry_tld_testing", + tldAll = optionalAddr "registry_tld_all" + } + in case (tldSimplex regs, tldTesting regs, tldAll regs) of + (Nothing, Nothing, Nothing) -> + error "[NAMES] at least one of registry_tld_simplex, registry_tld_testing, registry_tld_all is required" + _ -> regs + optionalAddr key = + either (error . (("[NAMES] " <> T.unpack key <> ": ") <>)) Just . parseEthAddr =<< eitherToMaybe (lookupValue "NAMES" key ini) -- | Validate the ethereum_endpoint URL: -- * scheme must be http: or https: diff --git a/src/Simplex/Messaging/Server/Main/Init.hs b/src/Simplex/Messaging/Server/Main/Init.hs index 176727b08e..c5ac52cad3 100644 --- a/src/Simplex/Messaging/Server/Main/Init.hs +++ b/src/Simplex/Messaging/Server/Main/Init.hs @@ -168,7 +168,14 @@ iniFileContent cfgPath logPath opts host basicAuth controlPortPwds = \# Central Reth via Caddy:\n\ \# ethereum_endpoint: https://eth.simplex.chat:443\n\ \# rpc_auth: basic :\n\ - \# snrc_address: 0x\n\ + \# Per-TLD SNRC contract whitelist. At least one entry must be set.\n\ + \# Each RSLV carries the contract address the client wants queried;\n\ + \# the server only accepts it if it matches the address configured for\n\ + \# that TLD (or registry_tld_all as catch-all for any unspecified TLD,\n\ + \# including web domains).\n\ + \# registry_tld_simplex: 0x\n\ + \# registry_tld_testing: 0x\n\ + \# registry_tld_all: 0x\n\ \# rpc_timeout_ms: 3000\n\ \# rpc_max_response_bytes: 262144\n\ \# rpc_max_concurrency: 8\n\n\ diff --git a/src/Simplex/Messaging/Server/Names.hs b/src/Simplex/Messaging/Server/Names.hs index fb07c2c34f..da0fd19556 100644 --- a/src/Simplex/Messaging/Server/Names.hs +++ b/src/Simplex/Messaging/Server/Names.hs @@ -5,13 +5,15 @@ {-# LANGUAGE StrictData #-} -- | Public-namespace resolver. Each RSLV becomes one eth_call to the --- configured Ethereum endpoint, bounded by rpcMaxConcurrency and --- rpcTimeoutMs. Zero-owner / expired records map to NotFound. +-- Ethereum endpoint with the contract address selected by the requested +-- TLD, bounded by rpcMaxConcurrency and rpcTimeoutMs. Zero-owner / expired +-- records map to NotFound. -- -- Transport details live in Names.Eth.RPC (HTTP + JSON-RPC + auth); -- Keccak-256 namehash and SNRC ABI decoder live in Names.Eth.SNRC. module Simplex.Messaging.Server.Names ( NamesConfig (..), + TldRegistries (..), RpcAuth (..), NamesEnv (..), EthCall, @@ -19,12 +21,15 @@ module Simplex.Messaging.Server.Names newNamesEnv, newNamesEnvWith, closeNamesEnv, + lookupTldAddress, pingEndpoint, resolveName, + verifyRslv, ) where -import Control.Monad (when, unless) +import Control.Applicative ((<|>)) +import Control.Monad (guard, unless, when) import qualified Control.Exception as E import Control.Logger.Simple (logError) import Data.ByteString.Char8 (ByteString) @@ -32,15 +37,31 @@ import Data.IORef (IORef, atomicModifyIORef', newIORef) import Data.Maybe (fromMaybe) import Data.Text (Text) import qualified Data.Text as T +import Data.Text.Encoding (encodeUtf8) import Data.Time.Clock.POSIX (getPOSIXTime) -import Simplex.Messaging.Protocol (NameOwner, NameRecord (..), unNameOwner) +import Simplex.Messaging.Encoding.String (strDecode) +import Simplex.Messaging.Protocol (NameOwner, NameRecord (..), RslvRequest (..), unNameOwner) import Simplex.Messaging.Server.Names.Eth.RPC (EthRpcEnv, EthRpcError (..), RpcAuth (..), closeEthRpcEnv, ethCallReal, newEthRpcEnv) import Simplex.Messaging.Server.Names.Eth.SNRC (decodeAddress, decodeGetRecord, encodeGetRecord, isZeroOwner, namehash) +import Simplex.Messaging.SimplexName (SimplexNameDomain (..), SimplexTLD (..), fullDomainName) import System.Timeout (timeout) +-- | TLD-keyed SNRC contract whitelist. Each RSLV carries the contract +-- address the client wants queried; the server only accepts it if it +-- matches the address configured for that TLD (or `tldAll` as catch-all). +-- This lets one names router host multiple TLDs (each backed by its own +-- SNRC contract) and reject clients pointing at a contract the operator +-- doesn't run. +data TldRegistries = TldRegistries + { tldSimplex :: Maybe NameOwner, + tldTesting :: Maybe NameOwner, + tldAll :: Maybe NameOwner + } + deriving (Show) + data NamesConfig = NamesConfig { ethereumEndpoint :: Text, - snrcAddress :: NameOwner, + tldRegistries :: TldRegistries, rpcAuth :: Maybe RpcAuth, rpcTimeoutMs :: Int, rpcMaxResponseBytes :: Int, @@ -83,22 +104,50 @@ newNamesEnvWith config ethCall rpcEnv = do closeNamesEnv :: NamesEnv -> IO () closeNamesEnv NamesEnv {rpcEnv} = mapM_ closeEthRpcEnv rpcEnv +-- | Look up the expected SNRC contract address for a TLD. TLD-specific +-- entry takes precedence; `tldAll` is the catch-all. `TLDWeb` has no +-- TLD-specific entry — it always resolves through `tldAll` if set. +lookupTldAddress :: TldRegistries -> SimplexTLD -> Maybe NameOwner +lookupTldAddress TldRegistries {tldSimplex, tldTesting, tldAll} = \case + TLDSimplex -> tldSimplex <|> tldAll + TLDTesting -> tldTesting <|> tldAll + TLDWeb -> tldAll + +-- | Parse the client-supplied domain, look up the TLD's expected contract, +-- and verify the client-supplied contract matches. Returns the verified +-- (address, parsed-domain) pair, or `Nothing` if any check fails — the +-- handler maps this to `ERR AUTH` and increments `rslvBadName`. +verifyRslv :: NamesEnv -> RslvRequest -> Maybe (NameOwner, SimplexNameDomain) +verifyRslv NamesEnv {config} RslvRequest {name, contract} = case strDecode (encodeUtf8 name) of + Left _ -> Nothing + Right d -> do + expected <- lookupTldAddress (tldRegistries config) (nameTLD d) + guard (expected == contract) + pure (expected, d) + -- | Reach the configured endpoint with a harmless probe call to confirm --- network reachability. Returns Left only on transport-level failures; --- JSON-RPC errors (misconfigured snrc_address etc.) are treated as +-- network reachability. Uses any configured contract address (the parser +-- guarantees at least one is set). Returns Left only on transport-level +-- failures; JSON-RPC errors (misconfigured address etc.) are treated as -- "endpoint reachable" — that distinction surfaces later via rslvEthErrs. pingEndpoint :: NamesEnv -> IO (Either EthRpcError ()) -pingEndpoint NamesEnv {ethCall, config} = - ethCall (unNameOwner (snrcAddress config)) (encodeGetRecord (namehash "")) >>= \case - Left e@(HttpFailure _) -> pure (Left e) - Left e@(HttpStatusErr _) -> pure (Left e) - _ -> pure (Right ()) - --- | Resolve a lookup key with an rpcTimeoutMs ceiling. Synchronous --- exceptions are caught and logged; async exceptions propagate. -resolveName :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) -resolveName env key = do - r <- E.try (timeout (rpcTimeoutMs (config env) * 1000) (fetch env key)) +pingEndpoint NamesEnv {ethCall, config} = case anyAddress (tldRegistries config) of + Nothing -> pure (Right ()) + Just addr -> + ethCall (unNameOwner addr) (encodeGetRecord (namehash "")) >>= \case + Left e@(HttpFailure _) -> pure (Left e) + Left e@(HttpStatusErr _) -> pure (Left e) + _ -> pure (Right ()) + where + anyAddress TldRegistries {tldSimplex, tldTesting, tldAll} = + tldSimplex <|> tldTesting <|> tldAll + +-- | Resolve a verified (contract, domain) pair with an rpcTimeoutMs +-- ceiling. Synchronous exceptions are caught and logged; async exceptions +-- propagate. +resolveName :: NamesEnv -> NameOwner -> SimplexNameDomain -> IO (Either ResolveError NameRecord) +resolveName env contract d = do + r <- E.try (timeout (rpcTimeoutMs (config env) * 1000) (fetch env contract d)) case r of Right result -> pure (fromMaybe (Left TimedOut) result) Left e @@ -107,9 +156,9 @@ resolveName env key = do logError $ "[NAMES] resolver fetch raised " <> T.pack (E.displayException e) pure (Left EthHttpErr) -fetch :: NamesEnv -> ByteString -> IO (Either ResolveError NameRecord) -fetch env@NamesEnv {ethCall, config} key = - ethCall (unNameOwner (snrcAddress config)) (encodeGetRecord (namehash key)) >>= \case +fetch :: NamesEnv -> NameOwner -> SimplexNameDomain -> IO (Either ResolveError NameRecord) +fetch env@NamesEnv {ethCall} contract d = + ethCall (unNameOwner contract) (encodeGetRecord (namehash (encodeUtf8 (fullDomainName d)))) >>= \case Left e -> pure (Left (mapEthRpcError e)) Right ret -> case decodeGetRecord ret of Right Nothing -> notFoundWithPlaceholderWarn ret @@ -133,9 +182,10 @@ fetch env@NamesEnv {ethCall, config} key = -- names); any positive expiry in the past is treated as NotFound. checkExpiry rec = do nowSec <- floor <$> getPOSIXTime - pure $ if nrExpiry rec /= 0 && nrExpiry rec < nowSec - then Left NotFound - else Right rec + pure $ + if nrExpiry rec /= 0 && nrExpiry rec < nowSec + then Left NotFound + else Right rec warnPlaceholderOnce :: NamesEnv -> IO () warnPlaceholderOnce NamesEnv {placeholderWarned} = do diff --git a/src/Simplex/Messaging/Server/Prometheus.hs b/src/Simplex/Messaging/Server/Prometheus.hs index 62d671224a..3367873538 100644 --- a/src/Simplex/Messaging/Server/Prometheus.hs +++ b/src/Simplex/Messaging/Server/Prometheus.hs @@ -461,7 +461,7 @@ prometheusMetrics sm rtm ts = \simplex_smp_" <> pfx <> "_services_sub_fewer_total " <> mshow (_srvSubFewerTotal ss) <> "\n# " <> pfx <> ".srvSubFewerTotal\n\ \\n" names = - let NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled} = _rslvStats + let NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled} = _rslvStats in "# Names\n\ \# -----\n\ \\n\ @@ -477,6 +477,10 @@ prometheusMetrics sm rtm ts = \# TYPE simplex_smp_names_not_found counter\n\ \simplex_smp_names_not_found " <> mshow _rslvNotFound <> "\n# rslvNotFound\n\ \\n\ + \# HELP simplex_smp_names_bad_name Client sent malformed domain, TLD outside whitelist, or wrong contract address.\n\ + \# TYPE simplex_smp_names_bad_name counter\n\ + \simplex_smp_names_bad_name " <> mshow _rslvBadName <> "\n# rslvBadName\n\ + \\n\ \# HELP simplex_smp_names_eth_errs Ethereum endpoint or ABI errors.\n\ \# TYPE simplex_smp_names_eth_errs counter\n\ \simplex_smp_names_eth_errs " <> mshow _rslvEthErrs <> "\n# rslvEthErrs\n\ diff --git a/src/Simplex/Messaging/Server/Stats.hs b/src/Simplex/Messaging/Server/Stats.hs index 84f5145b72..b7dd239eb2 100644 --- a/src/Simplex/Messaging/Server/Stats.hs +++ b/src/Simplex/Messaging/Server/Stats.hs @@ -893,6 +893,7 @@ data NameResolverStats = NameResolverStats { rslvReqs :: IORef Int, rslvSucc :: IORef Int, rslvNotFound :: IORef Int, + rslvBadName :: IORef Int, rslvEthErrs :: IORef Int, rslvDisabled :: IORef Int } @@ -902,14 +903,16 @@ newNameResolverStats = do rslvReqs <- newIORef 0 rslvSucc <- newIORef 0 rslvNotFound <- newIORef 0 + rslvBadName <- newIORef 0 rslvEthErrs <- newIORef 0 rslvDisabled <- newIORef 0 - pure NameResolverStats {rslvReqs, rslvSucc, rslvNotFound, rslvEthErrs, rslvDisabled} + pure NameResolverStats {rslvReqs, rslvSucc, rslvNotFound, rslvBadName, rslvEthErrs, rslvDisabled} data NameResolverStatsData = NameResolverStatsData { _rslvReqs :: Int, _rslvSucc :: Int, _rslvNotFound :: Int, + _rslvBadName :: Int, _rslvEthErrs :: Int, _rslvDisabled :: Int } @@ -921,6 +924,7 @@ newNameResolverStatsData = { _rslvReqs = 0, _rslvSucc = 0, _rslvNotFound = 0, + _rslvBadName = 0, _rslvEthErrs = 0, _rslvDisabled = 0 } @@ -930,18 +934,20 @@ getNameResolverStatsData s = do _rslvReqs <- readIORef $ rslvReqs s _rslvSucc <- readIORef $ rslvSucc s _rslvNotFound <- readIORef $ rslvNotFound s + _rslvBadName <- readIORef $ rslvBadName s _rslvEthErrs <- readIORef $ rslvEthErrs s _rslvDisabled <- readIORef $ rslvDisabled s - pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled} + pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled} getResetNameResolverStatsData :: NameResolverStats -> IO NameResolverStatsData getResetNameResolverStatsData s = do _rslvReqs <- atomicSwapIORef (rslvReqs s) 0 _rslvSucc <- atomicSwapIORef (rslvSucc s) 0 _rslvNotFound <- atomicSwapIORef (rslvNotFound s) 0 + _rslvBadName <- atomicSwapIORef (rslvBadName s) 0 _rslvEthErrs <- atomicSwapIORef (rslvEthErrs s) 0 _rslvDisabled <- atomicSwapIORef (rslvDisabled s) 0 - pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled} + pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled} -- not thread safe; used on server start only setNameResolverStats :: NameResolverStats -> NameResolverStatsData -> IO () @@ -949,11 +955,12 @@ setNameResolverStats s d = do writeIORef (rslvReqs s) $! _rslvReqs d writeIORef (rslvSucc s) $! _rslvSucc d writeIORef (rslvNotFound s) $! _rslvNotFound d + writeIORef (rslvBadName s) $! _rslvBadName d writeIORef (rslvEthErrs s) $! _rslvEthErrs d writeIORef (rslvDisabled s) $! _rslvDisabled d instance StrEncoding NameResolverStatsData where - strEncode NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled} = + strEncode NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled} = "reqs=" <> strEncode _rslvReqs <> "\nsucc=" @@ -964,13 +971,17 @@ instance StrEncoding NameResolverStatsData where <> strEncode _rslvEthErrs <> "\ndisabled=" <> strEncode _rslvDisabled + <> "\nbadName=" + <> strEncode _rslvBadName strP = do _rslvReqs <- "reqs=" *> strP <* A.endOfLine _rslvSucc <- "succ=" *> strP <* A.endOfLine _rslvNotFound <- "notFound=" *> strP <* A.endOfLine _rslvEthErrs <- "ethErrs=" *> strP <* A.endOfLine _rslvDisabled <- "disabled=" *> strP - pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled} + -- badName= was added after the initial release; old stats files may omit it. + _rslvBadName <- (A.endOfLine *> "badName=" *> strP) <|> pure 0 + pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled} data ServiceStats = ServiceStats { srvAssocNew :: IORef Int, diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index 8eea377919..a78196186e 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -11,19 +11,26 @@ import qualified Data.ByteArray as BA import Data.Either (isLeft, isRight) import Data.IORef (atomicModifyIORef', newIORef, readIORef) import qualified Data.Text as T -import Simplex.Messaging.Encoding (smpEncode, smpP) -import Simplex.Messaging.Parsers (parseAll) import qualified Data.Aeson as J import qualified Data.ByteString.Lazy as LB import Simplex.Messaging.Protocol - ( LookupKey (..), - NameOwner, + ( NameOwner, NameRecord (..), + RslvRequest (..), mkNameLink, mkNameOwner, unNameLink, unNameOwner, ) +import Simplex.Messaging.Server.Names + ( NamesConfig (..), + ResolveError (..), + TldRegistries (..), + lookupTldAddress, + newNamesEnvWith, + resolveName, + verifyRslv, + ) import Simplex.Messaging.Server.Names.Eth.SNRC ( AbiError (..), decodeAddress, @@ -36,12 +43,7 @@ import Simplex.Messaging.Server.Names.Eth.SNRC namehash, snrcSelector, ) -import Simplex.Messaging.Server.Names - ( NamesConfig (..), - ResolveError (..), - newNamesEnvWith, - resolveName, - ) +import Simplex.Messaging.SimplexName (SimplexNameDomain (..), SimplexTLD (..)) import Test.Hspec -- Reference vectors: @@ -83,10 +85,11 @@ sampleRecord = case (mkNameOwner twentyOnes, mkNameLink "simplex:/contact/abc#xy smpNamesTests :: Spec smpNamesTests = do describe "NameRecord encoding (Protocol)" nameRecordEncodingSpec - describe "LookupKey + smart constructors" lookupKeyAndCtorsSpec + describe "Smart constructors (NameOwner, NameLink)" smartCtorsSpec describe "Keccak-256 and namehash" namehashSpec describe "ABI primitive bounds" abiBoundsSpec describe "decodeGetRecord (zero-owner sentinel)" zeroOwnerSpec + describe "TLD whitelist + RSLV verification" tldWhitelistSpec describe "Resolver" resolverSpec nameRecordEncodingSpec :: Spec @@ -127,14 +130,8 @@ nameRecordEncodingSpec = do } LB.length (J.encode wide) < 16224 `shouldBe` True -lookupKeyAndCtorsSpec :: Spec -lookupKeyAndCtorsSpec = do - it "LookupKey parser caps at 64 bytes" $ do - let okBytes = smpEncode (LookupKey (B.replicate 64 'a')) - bigBytes = smpEncode (LookupKey (B.replicate 65 'a')) - parseAll (smpP @LookupKey) okBytes `shouldSatisfy` isRight - parseAll (smpP @LookupKey) bigBytes `shouldSatisfy` isLeft - +smartCtorsSpec :: Spec +smartCtorsSpec = do it "mkNameOwner accepts exactly 20 bytes" $ do mkNameOwner twentyOnes `shouldSatisfy` isRight mkNameOwner (B.replicate 19 '\x01') `shouldSatisfy` isLeft @@ -239,23 +236,94 @@ zeroOwnerSpec = do let tiny = B.replicate 31 '\NUL' decodeGetRecord tiny `shouldBe` Left AbiTruncated +tldWhitelistSpec :: Spec +tldWhitelistSpec = do + let addr1 = either error id (mkNameOwner twentyOnes) + addr2 = either error id (mkNameOwner (B.replicate 20 '\x02')) + addr3 = either error id (mkNameOwner (B.replicate 20 '\x03')) + + describe "lookupTldAddress" $ do + it "TLD-specific entry takes precedence over _all" $ do + let regs = TldRegistries {tldSimplex = Just addr1, tldTesting = Just addr2, tldAll = Just addr3} + lookupTldAddress regs TLDSimplex `shouldBe` Just addr1 + lookupTldAddress regs TLDTesting `shouldBe` Just addr2 + + it "TLD without specific entry falls back to _all" $ do + let regs = TldRegistries {tldSimplex = Nothing, tldTesting = Nothing, tldAll = Just addr3} + lookupTldAddress regs TLDSimplex `shouldBe` Just addr3 + lookupTldAddress regs TLDTesting `shouldBe` Just addr3 + + it "TLDWeb resolves only through _all" $ do + let regs = TldRegistries {tldSimplex = Just addr1, tldTesting = Just addr2, tldAll = Just addr3} + lookupTldAddress regs TLDWeb `shouldBe` Just addr3 + + it "TLDWeb without _all returns Nothing even if other TLDs are set" $ do + let regs = TldRegistries {tldSimplex = Just addr1, tldTesting = Just addr2, tldAll = Nothing} + lookupTldAddress regs TLDWeb `shouldBe` Nothing + + describe "verifyRslv" $ do + let cfgWith regs = + NamesConfig + { ethereumEndpoint = "http://stub", + tldRegistries = regs, + rpcAuth = Nothing, + rpcTimeoutMs = 1000, + rpcMaxResponseBytes = 65536, + rpcMaxConcurrency = 4 + } + mkEnv regs = newNamesEnvWith (cfgWith regs) (\_ _ -> pure (Right "")) Nothing + + it "accepts a valid name with matching TLD-specific contract" $ do + env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} + let req = RslvRequest {name = "privacy.simplex", contract = addr1} + case verifyRslv env req of + Just (a, d) -> do + a `shouldBe` addr1 + nameTLD d `shouldBe` TLDSimplex + domain d `shouldBe` "privacy" + Nothing -> expectationFailure "expected Just" + + it "rejects mismatched contract address" $ do + env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} + let req = RslvRequest {name = "privacy.simplex", contract = addr2} + verifyRslv env req `shouldBe` Nothing + + it "rejects TLD with no whitelist entry" $ do + env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} + let req = RslvRequest {name = "test.testing", contract = addr1} + verifyRslv env req `shouldBe` Nothing + + it "accepts via _all fallback" $ do + env <- mkEnv $ TldRegistries {tldSimplex = Nothing, tldTesting = Nothing, tldAll = Just addr3} + let req = RslvRequest {name = "test.testing", contract = addr3} + case verifyRslv env req of + Just (a, _) -> a `shouldBe` addr3 + Nothing -> expectationFailure "expected Just" + + it "rejects bare (no-TLD) name (SimplexNameDomain.strP requires TLD)" $ do + env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} + let req = RslvRequest {name = "privacy", contract = addr1} + verifyRslv env req `shouldBe` Nothing + resolverSpec :: Spec resolverSpec = do let mkEnv ethCall = do let cfg = NamesConfig { ethereumEndpoint = "http://stub", - snrcAddress = either error id (mkNameOwner twentyOnes), + tldRegistries = TldRegistries {tldSimplex = Just (either error id (mkNameOwner twentyOnes)), tldTesting = Nothing, tldAll = Nothing}, rpcAuth = Nothing, rpcTimeoutMs = 1000, rpcMaxResponseBytes = 65536, rpcMaxConcurrency = 4 } newNamesEnvWith cfg ethCall Nothing + aliceDomain = SimplexNameDomain {nameTLD = TLDSimplex, domain = "alice", subDomain = []} + aliceAddr = either error id (mkNameOwner twentyOnes) it "maps stub zero-owner response to NotFound" $ do env <- mkEnv $ \_ _ -> pure (Right (B.replicate (32 * 8) '\NUL')) - r <- resolveName env "alice" + r <- resolveName env aliceAddr aliceDomain r `shouldBe` Left NotFound it "every lookup hits the endpoint (no cache)" $ do @@ -263,7 +331,7 @@ resolverSpec = do env <- mkEnv $ \_ _ -> do atomicModifyIORef' callCount (\v -> (v + 1, ())) pure (Right (B.replicate (32 * 8) '\NUL')) - _ <- resolveName env "alice" - _ <- resolveName env "alice" + _ <- resolveName env aliceAddr aliceDomain + _ <- resolveName env aliceAddr aliceDomain n <- readIORef callCount n `shouldBe` 2 From 3c93489580028a10beeb9a042cd562d0d4ddd11c Mon Sep 17 00:00:00 2001 From: sh Date: Mon, 1 Jun 2026 09:51:50 +0000 Subject: [PATCH 10/33] smp-server: address audit findings (canonical JSON, INI guards, SSRF, TLD case, shutdown) --- src/Simplex/Messaging/Protocol.hs | 13 +++++++++++ src/Simplex/Messaging/Server.hs | 7 ++++-- src/Simplex/Messaging/Server/Main.hs | 32 ++++++++++++++++++++------- src/Simplex/Messaging/Server/Names.hs | 2 +- src/Simplex/Messaging/SimplexName.hs | 10 ++++++--- tests/SMPNamesTests.hs | 9 ++++++++ 6 files changed, 59 insertions(+), 14 deletions(-) diff --git a/src/Simplex/Messaging/Protocol.hs b/src/Simplex/Messaging/Protocol.hs index 197b1fc96b..1943eb1234 100644 --- a/src/Simplex/Messaging/Protocol.hs +++ b/src/Simplex/Messaging/Protocol.hs @@ -816,6 +816,19 @@ instance J.ToJSON NameRecord where "expiry" J..= nrExpiry, "isTest" J..= nrIsTest ] + -- explicit toEncoding to preserve the spec-documented key order; the default + -- routes through Value/KeyMap and re-emits keys alphabetically, breaking the + -- "two routers MUST emit byte-identical JSON" requirement. + toEncoding NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest} = + J.pairs $ + "displayName" J..= nrDisplayName + <> "owner" J..= nrOwner + <> "channelLinks" J..= nrChannelLinks + <> "contactLinks" J..= nrContactLinks + <> "adminAddress" J..= nrAdminAddress + <> "adminEmail" J..= nrAdminEmail + <> "expiry" J..= nrExpiry + <> "isTest" J..= nrIsTest instance J.FromJSON NameRecord where parseJSON = J.withObject "NameRecord" $ \o -> do diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index 6fa7bf611b..acade609a9 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -247,8 +247,11 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt closeServer :: M s () closeServer = do - asks (smpAgent . proxyAgent) >>= liftIO . closeSMPClientAgent - asks namesEnv >>= liftIO . mapM_ closeNamesEnv + pa <- asks (smpAgent . proxyAgent) + ne <- asks namesEnv + -- finally: if the proxy-agent close throws, we still release the resolver's + -- HTTP connection manager. + liftIO $ closeSMPClientAgent pa `E.finally` mapM_ closeNamesEnv ne serverThread :: forall sub. String -> diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index 8968cbd342..5272e3f93d 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -813,15 +813,22 @@ readNamesConfig ini { ethereumEndpoint = either (error . ("[NAMES] ethereum_endpoint: " <>)) id (validateUrl endpoint rpcAuth_), tldRegistries = registries, rpcAuth = rpcAuth_, - rpcTimeoutMs = readIniDefault 3000 "NAMES" "rpc_timeout_ms" ini, - rpcMaxResponseBytes = readIniDefault 262144 "NAMES" "rpc_max_response_bytes" ini, - rpcMaxConcurrency = readIniDefault 8 "NAMES" "rpc_max_concurrency" ini + rpcTimeoutMs = positiveIniInt 3000 100 "rpc_timeout_ms", + rpcMaxResponseBytes = positiveIniInt 262144 1024 "rpc_max_response_bytes", + rpcMaxConcurrency = positiveIniInt 8 1 "rpc_max_concurrency" } where enabled = fromMaybe False (iniOnOff "NAMES" "enable" ini) requiredText key = either (error . (("[NAMES] " <> T.unpack key <> " is required: ") <>)) id $ lookupValue "NAMES" key ini + -- Reject zero / negative values that would deadlock waitQSem (concurrency = 0), + -- time-out every RSLV immediately (timeout = 0), or accept zero-length + -- responses (max_response_bytes = 0). The lower bounds also catch sub-sane + -- values an operator might choose by accident. + positiveIniInt def floor_ key = case readIniDefault def "NAMES" key ini of + n | n >= floor_ -> n + | otherwise -> error $ "[NAMES] " <> T.unpack key <> " must be at least " <> show floor_ <> " (got " <> show n <> ")" readTldRegistries = let regs = TldRegistries { tldSimplex = optionalAddr "registry_tld_simplex", @@ -843,8 +850,12 @@ readNamesConfig ini -- * userinfo (user:pass@) MUST NOT be present (credentials belong in -- rpc_auth so they don't leak via Host header or logs) -- * query and fragment MUST NOT be present --- * https requires rpc_auth on non-loopback hosts (operator misconfig --- guard — a public HTTPS endpoint without auth is almost always wrong) +-- * http is rejected on non-loopback hosts (plaintext to a third party +-- leaks rpc_auth on every request) +-- * https requires rpc_auth on non-loopback hosts (a public endpoint +-- without auth is almost always misconfig) +-- * link-local hosts (169.254.0.0/16, including the cloud metadata IP +-- 169.254.169.254) are rejected unconditionally validateUrl :: Text -> Maybe RpcAuth -> Either String Text validateUrl url auth_ = do uri <- maybe (Left "not an absolute URI") Right $ parseAbsoluteURI (T.unpack url) @@ -852,12 +863,14 @@ validateUrl url auth_ = do unless (scheme == "http:" || scheme == "https:") $ Left ("scheme " <> show scheme <> " not supported (use http or https)") ua <- maybe (Left "missing authority (host)") Right (uriAuthority uri) - when (null (uriRegName ua)) $ Left "empty host" + let host = uriRegName ua + when (null host) $ Left "empty host" + when (isLinkLocal host) $ Left "link-local host not allowed (rejects cloud metadata services)" unless (null (uriUserInfo ua)) $ Left "userinfo (user:pass@) not allowed; use rpc_auth instead" case uriPort ua of "" -> Left "explicit port required (e.g. http://host:8545)" ':' : portStr -> case readMaybe portStr of - Just n | n >= 1 && n <= 65535 -> Right () + Just n | (n :: Int) >= 1 && n <= 65535 -> Right () _ -> Left $ "port " <> portStr <> " out of range (must be 1..65535)" other -> Left $ "unexpected port syntax: " <> other unless (null (uriQuery uri)) $ Left "query string not allowed" @@ -865,11 +878,14 @@ validateUrl url auth_ = do let path = uriPath uri unless (path == "" || path == "/") $ Left "URL path not allowed; API keys embedded in the path leak to logs — use rpc_auth instead" - when (scheme == "https:" && not (isLoopback (uriRegName ua)) && isNothing auth_) $ + when (scheme == "http:" && not (isLoopback host)) $ + Left "http endpoint on a non-loopback host not allowed (plaintext leaks rpc_auth); use https" + when (scheme == "https:" && not (isLoopback host) && isNothing auth_) $ Left "https endpoint on a non-loopback host requires rpc_auth" Right url where isLoopback h = h == "127.0.0.1" || h == "localhost" || h == "[::1]" + isLinkLocal h = "169.254." `isPrefixOf` h || h == "[fe80::1]" -- | Parse a 20-byte Ethereum address as text "0x[hex40]" or "[hex40]". -- EIP-55 mixed-case checksum verification is a follow-up. diff --git a/src/Simplex/Messaging/Server/Names.hs b/src/Simplex/Messaging/Server/Names.hs index da0fd19556..3536808b54 100644 --- a/src/Simplex/Messaging/Server/Names.hs +++ b/src/Simplex/Messaging/Server/Names.hs @@ -201,6 +201,6 @@ mapEthRpcError :: EthRpcError -> ResolveError mapEthRpcError = \case HttpFailure _ -> EthHttpErr HttpStatusErr _ -> EthHttpErr - BodyTooLarge -> EthDecodeErr + BodyTooLarge -> EthHttpErr -- transport-side cap, not a decoder failure InvalidJson _ -> EthDecodeErr JsonRpcErr c m -> EthRpcErr {rpcCode = c, rpcMessage = m} diff --git a/src/Simplex/Messaging/SimplexName.hs b/src/Simplex/Messaging/SimplexName.hs index cfb700470c..1a007f18a2 100644 --- a/src/Simplex/Messaging/SimplexName.hs +++ b/src/Simplex/Messaging/SimplexName.hs @@ -75,12 +75,16 @@ instance StrEncoding SimplexNameDomain where strP = parseDomain . safeDecodeUtf8 <$?> A.takeWhile1 (not . A.isSpace) where parseDomain s = AT.parseOnly (nameLabelP `AT.sepBy1` AT.char '.' <* AT.endOfInput) s >>= mkDomain + -- TLD label compared lowercase: DNS labels are case-insensitive, and a + -- mixed-case `foo.SIMPLEX` would otherwise fall through to TLDWeb and + -- route through `registry_tld_all` instead of `registry_tld_simplex`. mkDomain labels = case reverse labels of [] -> Left "empty name" [_] -> Left "domain requires TLD" - "simplex" : name : sub -> Right $ SimplexNameDomain TLDSimplex name sub - "testing" : name : sub -> Right $ SimplexNameDomain TLDTesting name sub - _ -> Right $ SimplexNameDomain TLDWeb (T.intercalate "." labels) [] + tld : name : sub -> Right $ case T.toLower tld of + "simplex" -> SimplexNameDomain TLDSimplex name sub + "testing" -> SimplexNameDomain TLDTesting name sub + _ -> SimplexNameDomain TLDWeb (T.intercalate "." labels) [] fullDomainName :: SimplexNameDomain -> Text fullDomainName SimplexNameDomain {nameTLD, domain, subDomain} = T.intercalate "." (reverse subDomain ++ [domain] ++ tld') diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index a78196186e..fea6e61a23 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -10,6 +10,7 @@ import qualified Data.ByteString.Char8 as B import qualified Data.ByteArray as BA import Data.Either (isLeft, isRight) import Data.IORef (atomicModifyIORef', newIORef, readIORef) +import Data.List (sort) import qualified Data.Text as T import qualified Data.Aeson as J import qualified Data.ByteString.Lazy as LB @@ -97,6 +98,14 @@ nameRecordEncodingSpec = do it "round-trips JSON encode / decode" $ J.eitherDecodeStrict (LB.toStrict (J.encode sampleRecord)) `shouldBe` Right sampleRecord + it "emits keys in spec-documented order (displayName, owner, channelLinks, contactLinks, adminAddress, adminEmail, expiry, isTest)" $ do + -- Default toEncoding routes through Value/KeyMap and re-emits keys + -- alphabetically; spec requires byte-identical canonical encoding. + let bytes = LB.toStrict (J.encode sampleRecord) + offset k = B.length (fst (B.breakSubstring k bytes)) + offsets = map offset ["displayName", "owner", "channelLinks", "contactLinks", "adminAddress", "adminEmail", "expiry", "isTest"] + offsets `shouldBe` sort offsets + it "rejects negative expiry" $ do let badBytes = LB.toStrict (J.encode sampleRecord {nrExpiry = -1}) (J.eitherDecodeStrict badBytes :: Either String NameRecord) `shouldSatisfy` isLeft From f686a94d46ce9e1e510a24118814ca68ea0188bd Mon Sep 17 00:00:00 2001 From: sh Date: Mon, 1 Jun 2026 10:13:57 +0000 Subject: [PATCH 11/33] smp-server: round 2 audit fixes (label case, response cap, ipv6 link-local) --- src/Simplex/Messaging/Server/Main.hs | 29 +++++++++++++++++++--------- src/Simplex/Messaging/SimplexName.hs | 14 ++++++++------ tests/SMPNamesTests.hs | 8 ++++++++ 3 files changed, 36 insertions(+), 15 deletions(-) diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index 5272e3f93d..99af3bc41a 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -46,7 +46,7 @@ import Control.Monad import qualified Data.Attoparsec.ByteString.Char8 as A import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B -import Data.Char (isAlpha, isAscii, toUpper) +import Data.Char (isAlpha, isAscii, toLower, toUpper) import Data.Either (fromRight) import Data.Functor (($>)) import Data.Ini (Ini, lookupValue, readIniFile) @@ -813,9 +813,9 @@ readNamesConfig ini { ethereumEndpoint = either (error . ("[NAMES] ethereum_endpoint: " <>)) id (validateUrl endpoint rpcAuth_), tldRegistries = registries, rpcAuth = rpcAuth_, - rpcTimeoutMs = positiveIniInt 3000 100 "rpc_timeout_ms", - rpcMaxResponseBytes = positiveIniInt 262144 1024 "rpc_max_response_bytes", - rpcMaxConcurrency = positiveIniInt 8 1 "rpc_max_concurrency" + rpcTimeoutMs = boundedIniInt 3000 100 60000 "rpc_timeout_ms", + rpcMaxResponseBytes = boundedIniInt 262144 1024 16777216 "rpc_max_response_bytes", + rpcMaxConcurrency = boundedIniInt 8 1 1024 "rpc_max_concurrency" } where enabled = fromMaybe False (iniOnOff "NAMES" "enable" ini) @@ -825,10 +825,14 @@ readNamesConfig ini -- Reject zero / negative values that would deadlock waitQSem (concurrency = 0), -- time-out every RSLV immediately (timeout = 0), or accept zero-length -- responses (max_response_bytes = 0). The lower bounds also catch sub-sane - -- values an operator might choose by accident. - positiveIniInt def floor_ key = case readIniDefault def "NAMES" key ini of - n | n >= floor_ -> n - | otherwise -> error $ "[NAMES] " <> T.unpack key <> " must be at least " <> show floor_ <> " (got " <> show n <> ")" + -- values an operator might choose by accident. The upper bounds defend + -- against operator-misconfig footguns: 16 MiB response cap (worst-case + -- per-call memory), 60 s timeout (no operator wants RSLV to hang longer), + -- 1024 concurrent RPCs (any higher should run a separate names router). + boundedIniInt def floor_ ceiling_ key = case readIniDefault def "NAMES" key ini of + n | n >= floor_ && n <= ceiling_ -> n + | otherwise -> + error $ "[NAMES] " <> T.unpack key <> " must be in [" <> show floor_ <> ".." <> show ceiling_ <> "] (got " <> show n <> ")" readTldRegistries = let regs = TldRegistries { tldSimplex = optionalAddr "registry_tld_simplex", @@ -885,7 +889,14 @@ validateUrl url auth_ = do Right url where isLoopback h = h == "127.0.0.1" || h == "localhost" || h == "[::1]" - isLinkLocal h = "169.254." `isPrefixOf` h || h == "[fe80::1]" + -- IPv4 link-local 169.254.0.0/16 and the IPv6 link-local prefix fe80::/10 + -- (matched as the textual prefix "[fe80:"). Also catches IPv4-mapped IPv6 + -- forms like "[::ffff:169.254.169.254]" so the cloud-metadata IP can't be + -- reached via the IPv6 alias. + isLinkLocal h = + "169.254." `isPrefixOf` h + || "[fe80:" `isPrefixOf` map toLower h + || "[::ffff:169.254." `isPrefixOf` map toLower h -- | Parse a 20-byte Ethereum address as text "0x[hex40]" or "[hex40]". -- EIP-55 mixed-case checksum verification is a follow-up. diff --git a/src/Simplex/Messaging/SimplexName.hs b/src/Simplex/Messaging/SimplexName.hs index 1a007f18a2..af5c4d7934 100644 --- a/src/Simplex/Messaging/SimplexName.hs +++ b/src/Simplex/Messaging/SimplexName.hs @@ -75,16 +75,18 @@ instance StrEncoding SimplexNameDomain where strP = parseDomain . safeDecodeUtf8 <$?> A.takeWhile1 (not . A.isSpace) where parseDomain s = AT.parseOnly (nameLabelP `AT.sepBy1` AT.char '.' <* AT.endOfInput) s >>= mkDomain - -- TLD label compared lowercase: DNS labels are case-insensitive, and a - -- mixed-case `foo.SIMPLEX` would otherwise fall through to TLDWeb and - -- route through `registry_tld_all` instead of `registry_tld_simplex`. - mkDomain labels = case reverse labels of + -- All labels lowercased: DNS labels are case-insensitive, and namehash is + -- byte-defined — preserving original case would make `Alice.simplex` and + -- `alice.simplex` resolve to different on-chain records. A mixed-case TLD + -- would also fall through to TLDWeb and route through `registry_tld_all` + -- instead of `registry_tld_simplex`. + mkDomain labels = case reverse (map T.toLower labels) of [] -> Left "empty name" [_] -> Left "domain requires TLD" - tld : name : sub -> Right $ case T.toLower tld of + tld : name : sub -> Right $ case tld of "simplex" -> SimplexNameDomain TLDSimplex name sub "testing" -> SimplexNameDomain TLDTesting name sub - _ -> SimplexNameDomain TLDWeb (T.intercalate "." labels) [] + _ -> SimplexNameDomain TLDWeb (T.intercalate "." (reverse (tld : name : sub))) [] fullDomainName :: SimplexNameDomain -> Text fullDomainName SimplexNameDomain {nameTLD, domain, subDomain} = T.intercalate "." (reverse subDomain ++ [domain] ++ tld') diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index fea6e61a23..f281e87633 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -292,6 +292,14 @@ tldWhitelistSpec = do domain d `shouldBe` "privacy" Nothing -> expectationFailure "expected Just" + it "normalizes case across all labels (Alice.SIMPLEX ≡ alice.simplex for namehash)" $ do + env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} + let lower = RslvRequest {name = "alice.simplex", contract = addr1} + mixed = RslvRequest {name = "Alice.SIMPLEX", contract = addr1} + case (verifyRslv env lower, verifyRslv env mixed) of + (Just (_, dL), Just (_, dM)) -> dL `shouldBe` dM + _ -> expectationFailure "both should parse" + it "rejects mismatched contract address" $ do env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} let req = RslvRequest {name = "privacy.simplex", contract = addr2} From ba245e7b2bdea6f038145ef00b34fdc27fa5cab9 Mon Sep 17 00:00:00 2001 From: sh Date: Mon, 1 Jun 2026 11:05:23 +0000 Subject: [PATCH 12/33] smp-server: round 3 audit fixes (SSRF coverage, drop noop closeManager, CSV order) --- src/Simplex/Messaging/Server.hs | 6 +++-- src/Simplex/Messaging/Server/Main.hs | 26 ++++++++++++++----- src/Simplex/Messaging/Server/Names/Eth/RPC.hs | 7 +++-- 3 files changed, 28 insertions(+), 11 deletions(-) diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index acade609a9..5fae9b8a80 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -664,8 +664,10 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt map tshow [_pRequests, _pSuccesses, _pErrorsConnect, _pErrorsCompat, _pErrorsOther] showServiceStats ServiceStatsData {_srvAssocNew, _srvAssocDuplicate, _srvAssocUpdated, _srvAssocRemoved, _srvSubCount, _srvSubDuplicate, _srvSubQueues, _srvSubEnd} = map tshow [_srvAssocNew, _srvAssocDuplicate, _srvAssocUpdated, _srvAssocRemoved, _srvSubCount, _srvSubDuplicate, _srvSubQueues, _srvSubEnd] - showNameResolverStats NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled} = - map tshow [_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled] + -- Column order matches `Stats.hs:strEncode NameResolverStatsData`: + -- new counters appended at the end so existing CSV readers don't shift. + showNameResolverStats NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled, _rslvBadName} = + map tshow [_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled, _rslvBadName] prometheusMetricsThread_ :: ServerConfig s -> [M s ()] prometheusMetricsThread_ ServerConfig {prometheusInterval = Just interval, prometheusMetricsFile} = diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index 99af3bc41a..ff31e34b19 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -46,7 +46,7 @@ import Control.Monad import qualified Data.Attoparsec.ByteString.Char8 as A import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B -import Data.Char (isAlpha, isAscii, toLower, toUpper) +import Data.Char (isAlpha, isAscii, isDigit, isHexDigit, toLower, toUpper) import Data.Either (fromRight) import Data.Functor (($>)) import Data.Ini (Ini, lookupValue, readIniFile) @@ -869,6 +869,8 @@ validateUrl url auth_ = do ua <- maybe (Left "missing authority (host)") Right (uriAuthority uri) let host = uriRegName ua when (null host) $ Left "empty host" + when (isBareIntegerHost host) $ + Left "bare-integer host not allowed (use a hostname or dotted-quad / bracketed IP); rejects 169.254.169.254 decimal/hex aliases" when (isLinkLocal host) $ Left "link-local host not allowed (rejects cloud metadata services)" unless (null (uriUserInfo ua)) $ Left "userinfo (user:pass@) not allowed; use rpc_auth instead" case uriPort ua of @@ -889,14 +891,24 @@ validateUrl url auth_ = do Right url where isLoopback h = h == "127.0.0.1" || h == "localhost" || h == "[::1]" - -- IPv4 link-local 169.254.0.0/16 and the IPv6 link-local prefix fe80::/10 - -- (matched as the textual prefix "[fe80:"). Also catches IPv4-mapped IPv6 - -- forms like "[::ffff:169.254.169.254]" so the cloud-metadata IP can't be - -- reached via the IPv6 alias. + -- IPv4 link-local 169.254.0.0/16, the IPv6 link-local prefix fe80::/10, and + -- both IPv4-mapped IPv6 textual forms of the cloud-metadata IP + -- (169.254.169.254 in dotted-quad or hex `a9fe:a9fe`). isLinkLocal h = "169.254." `isPrefixOf` h - || "[fe80:" `isPrefixOf` map toLower h - || "[::ffff:169.254." `isPrefixOf` map toLower h + || "[fe80:" `isPrefixOf` lh + || "[::ffff:169.254." `isPrefixOf` lh + || "[::ffff:a9fe:a9fe" `isPrefixOf` lh + where + lh = map toLower h + -- Reject hostnames that are pure digits ("2852039166") or "0x"-prefixed + -- hex ("0xa9fea9fe"). These are never legitimate eth endpoints; glibc's + -- inet_aton accepts them as IPv4 aliases (the values above both resolve + -- to 169.254.169.254). Forces the operator to use a hostname or + -- dotted-quad / bracketed IP that the text-prefix checks can recognise. + isBareIntegerHost h = case h of + '0' : 'x' : rest -> not (null rest) && all isHexDigit rest + _ -> not (null h) && all isDigit h -- | Parse a 20-byte Ethereum address as text "0x[hex40]" or "[hex40]". -- EIP-55 mixed-case checksum verification is a follow-up. diff --git a/src/Simplex/Messaging/Server/Names/Eth/RPC.hs b/src/Simplex/Messaging/Server/Names/Eth/RPC.hs index d7d4bdb729..8f88f57aee 100644 --- a/src/Simplex/Messaging/Server/Names/Eth/RPC.hs +++ b/src/Simplex/Messaging/Server/Names/Eth/RPC.hs @@ -44,7 +44,6 @@ import Network.HTTP.Client Request, RequestBody (..), brReadSome, - closeManager, method, parseRequest, requestBody, @@ -106,8 +105,12 @@ newEthRpcEnv endpoint auth_ maxResponseBytes maxConcurrency = do sem <- newQSem maxConcurrency pure EthRpcEnv {manager, request, sem, maxResponseBytes} +-- | http-client's `closeManager` is a deprecated no-op since 0.5; the manager +-- is released by the GC finalizer attached to its internal state. We retain +-- the close-env entry point as a hook for any future deterministic cleanup +-- (e.g. draining the QSem) but do nothing here. closeEthRpcEnv :: EthRpcEnv -> IO () -closeEthRpcEnv EthRpcEnv {manager} = closeManager manager +closeEthRpcEnv _ = pure () -- | Make a single eth_call. `to` is the contract address (20 raw bytes); -- `dat` is the ABI-encoded call data. Returns the contract return bytes. From 1d394f56d28a48721225bfd4c114bc53f27669d1 Mon Sep 17 00:00:00 2001 From: sh Date: Mon, 1 Jun 2026 11:52:09 +0000 Subject: [PATCH 13/33] smp-server: round 4 audit fixes (0X-hex host, expanded IPv6 forms, pingEndpoint timeout) --- src/Simplex/Messaging/Server/Main.hs | 31 ++++++++++--------- src/Simplex/Messaging/Server/Names.hs | 17 +++++++--- src/Simplex/Messaging/Server/Names/Eth/RPC.hs | 1 + 3 files changed, 30 insertions(+), 19 deletions(-) diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index ff31e34b19..dccf01743f 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -50,7 +50,7 @@ import Data.Char (isAlpha, isAscii, isDigit, isHexDigit, toLower, toUpper) import Data.Either (fromRight) import Data.Functor (($>)) import Data.Ini (Ini, lookupValue, readIniFile) -import Data.List (find, isPrefixOf) +import Data.List (find, isInfixOf, isPrefixOf) import qualified Data.List.NonEmpty as L import Data.Maybe (fromMaybe, isJust, isNothing) import Data.Text (Text) @@ -891,24 +891,27 @@ validateUrl url auth_ = do Right url where isLoopback h = h == "127.0.0.1" || h == "localhost" || h == "[::1]" - -- IPv4 link-local 169.254.0.0/16, the IPv6 link-local prefix fe80::/10, and - -- both IPv4-mapped IPv6 textual forms of the cloud-metadata IP - -- (169.254.169.254 in dotted-quad or hex `a9fe:a9fe`). + -- IPv4 link-local 169.254.0.0/16, the IPv6 link-local prefix fe80::/10, + -- and IPv4-mapped IPv6 forms of the cloud-metadata IP 169.254.169.254 + -- in every textual variant: dotted-quad, hex `a9fe:a9fe`, and the + -- zero-run-expanded `0:0:0:0:0:ffff:…` / `0000:0000:…` forms. isLinkLocal h = "169.254." `isPrefixOf` h || "[fe80:" `isPrefixOf` lh - || "[::ffff:169.254." `isPrefixOf` lh - || "[::ffff:a9fe:a9fe" `isPrefixOf` lh + || any (`isInfixOf` lh) v6MappedMetadata where lh = map toLower h - -- Reject hostnames that are pure digits ("2852039166") or "0x"-prefixed - -- hex ("0xa9fea9fe"). These are never legitimate eth endpoints; glibc's - -- inet_aton accepts them as IPv4 aliases (the values above both resolve - -- to 169.254.169.254). Forces the operator to use a hostname or - -- dotted-quad / bracketed IP that the text-prefix checks can recognise. - isBareIntegerHost h = case h of - '0' : 'x' : rest -> not (null rest) && all isHexDigit rest - _ -> not (null h) && all isDigit h + -- Substrings rather than prefixes so we catch every zero-run-expansion + -- (`[::ffff:…`, `[0:0:0:0:0:ffff:…`, `[0000:0000:0000:0000:0000:ffff:…`). + v6MappedMetadata = [":ffff:169.254.", ":ffff:a9fe:a9fe"] :: [String] + -- Reject hostnames that look like decimal or `0x`/`0X`-hex integers — + -- glibc's inet_aton accepts both as IPv4 aliases (`2852039166`, + -- `0xa9fea9fe`, `0XA9FEA9FE` all resolve to 169.254.169.254). The literal + -- prefix `0x` / `0X` with no digits after is also rejected: it isn't a + -- legitimate hostname and lets us avoid reasoning about libc's behaviour. + isBareIntegerHost h = case map toLower h of + '0' : 'x' : rest -> all isHexDigit rest + lh -> not (null lh) && all isDigit lh -- | Parse a 20-byte Ethereum address as text "0x[hex40]" or "[hex40]". -- EIP-55 mixed-case checksum verification is a follow-up. diff --git a/src/Simplex/Messaging/Server/Names.hs b/src/Simplex/Messaging/Server/Names.hs index 3536808b54..df689d90aa 100644 --- a/src/Simplex/Messaging/Server/Names.hs +++ b/src/Simplex/Messaging/Server/Names.hs @@ -133,11 +133,17 @@ verifyRslv NamesEnv {config} RslvRequest {name, contract} = case strDecode (enco pingEndpoint :: NamesEnv -> IO (Either EthRpcError ()) pingEndpoint NamesEnv {ethCall, config} = case anyAddress (tldRegistries config) of Nothing -> pure (Right ()) - Just addr -> - ethCall (unNameOwner addr) (encodeGetRecord (namehash "")) >>= \case - Left e@(HttpFailure _) -> pure (Left e) - Left e@(HttpStatusErr _) -> pure (Left e) - _ -> pure (Right ()) + Just addr -> do + -- Bound the probe by the same rpcTimeoutMs that resolveName uses, so a + -- slow-loris endpoint can't park startup until http-client's default + -- 30 s response timeout fires. + r <- timeout (rpcTimeoutMs config * 1000) $ + ethCall (unNameOwner addr) (encodeGetRecord (namehash "")) + pure $ case r of + Nothing -> Left ProbeTimedOut + Just (Left e@(HttpFailure _)) -> Left e + Just (Left e@(HttpStatusErr _)) -> Left e + Just _ -> Right () where anyAddress TldRegistries {tldSimplex, tldTesting, tldAll} = tldSimplex <|> tldTesting <|> tldAll @@ -204,3 +210,4 @@ mapEthRpcError = \case BodyTooLarge -> EthHttpErr -- transport-side cap, not a decoder failure InvalidJson _ -> EthDecodeErr JsonRpcErr c m -> EthRpcErr {rpcCode = c, rpcMessage = m} + ProbeTimedOut -> EthHttpErr -- pingEndpoint-only; never raised by ethCallReal in the resolve path diff --git a/src/Simplex/Messaging/Server/Names/Eth/RPC.hs b/src/Simplex/Messaging/Server/Names/Eth/RPC.hs index 8f88f57aee..63b10d3207 100644 --- a/src/Simplex/Messaging/Server/Names/Eth/RPC.hs +++ b/src/Simplex/Messaging/Server/Names/Eth/RPC.hs @@ -77,6 +77,7 @@ data EthRpcError | BodyTooLarge | InvalidJson String | JsonRpcErr Int Text + | ProbeTimedOut -- startup-probe timeout; resolveName uses its own Timeout deriving (Show) -- | Build a Request from a (validated) ethereum_endpoint URL. From b66d97307da19bd01ca2dbfec646046f5ea756a4 Mon Sep 17 00:00:00 2001 From: sh Date: Mon, 1 Jun 2026 12:12:00 +0000 Subject: [PATCH 14/33] smp-server: hardcode TldRegistries (drop registry_tld_* INI keys) --- protocol/simplex-messaging.md | 16 ++++----- src/Simplex/Messaging/Protocol.hs | 2 +- src/Simplex/Messaging/Server/Main.hs | 43 ++++++++++------------- src/Simplex/Messaging/Server/Main/Init.hs | 11 ++---- 4 files changed, 29 insertions(+), 43 deletions(-) diff --git a/protocol/simplex-messaging.md b/protocol/simplex-messaging.md index 86fdb44912..c73cdaa4b4 100644 --- a/protocol/simplex-messaging.md +++ b/protocol/simplex-messaging.md @@ -1465,15 +1465,13 @@ rslv = %s"RSLV" SP json-bytes ; json-bytes consumes the remainder of the trans **Server-side validation.** The names router parses `name` as a fully-qualified domain (TLD required — bare labels are rejected), extracts the TLD, and looks -up the expected SNRC contract address in its INI whitelist -(`registry_tld_simplex`, `registry_tld_testing`, `registry_tld_all`). -`registry_tld_all` is the catch-all used when no TLD-specific entry matches -the requested TLD (and the only entry that can resolve web domains). If no -whitelist entry matches the TLD, or if the client-supplied `contract` differs -from the configured address, the server replies with `ERR AUTH` without -contacting the chain. This lets one names router safely host multiple TLDs -(each backed by its own SNRC contract) and reject clients pointing at a -contract the operator doesn't run. +up the expected SNRC contract address in a whitelist hardcoded in the server +binary (TLD-specific addresses with an optional catch-all for unspecified +TLDs and web domains). If no whitelist entry matches the TLD, or if the +client-supplied `contract` differs from the configured address, the server +replies with `ERR AUTH` without contacting the chain. This lets one names +router safely host multiple TLDs (each backed by its own SNRC contract) and +reject clients pointing at a contract the operator doesn't run. The names router responds with either a `NAME` response carrying the resolved record, or `ERR AUTH` collapsing every failure mode (name not found, malformed diff --git a/src/Simplex/Messaging/Protocol.hs b/src/Simplex/Messaging/Protocol.hs index 1943eb1234..d7ec0666e1 100644 --- a/src/Simplex/Messaging/Protocol.hs +++ b/src/Simplex/Messaging/Protocol.hs @@ -754,7 +754,7 @@ instance J.ToJSON NameOwner where instance J.FromJSON NameOwner where parseJSON = J.withText "NameOwner" $ \t -> do - -- Accept "0x" and "0X" prefixes (matches Server/Main.hs:parseEthAddr via fromHex). + -- Accept "0x" and "0X" prefixes (matches the Server-side hex decoder). let hex = fromMaybe t (T.stripPrefix "0x" t <|> T.stripPrefix "0X" t) case BAE.convertFromBase BAE.Base16 (encodeUtf8 hex) of Left e -> fail e diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index dccf01743f..6435c64835 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -77,9 +77,8 @@ import Simplex.Messaging.Server.Web (EmbeddedWebParams (..), WebHttpsParams (..) import Simplex.Messaging.Server.MsgStore.Journal (JournalMsgStore (..), QStoreCfg (..), stmQueueStore) import Simplex.Messaging.Server.MsgStore.Types (MsgStoreClass (..), SQSType (..), SMSType (..), newMsgStore) import Network.URI (URI (..), URIAuth (..), parseAbsoluteURI) -import Simplex.Messaging.Protocol (mkNameOwner, NameOwner) +import Simplex.Messaging.Protocol (mkNameOwner) import Simplex.Messaging.Server.Names (NamesConfig (..), RpcAuth (..), TldRegistries (..)) -import Simplex.Messaging.Server.Names.Eth.RPC (fromHex) import Simplex.Messaging.Server.QueueStore.Postgres.Config import Simplex.Messaging.Server.StoreLog.ReadWrite (readQueueStore) import Simplex.Messaging.Transport (supportedProxyClientSMPRelayVRange, alpnSupportedSMPHandshakes, supportedServerSMPRelayVRange) @@ -807,11 +806,10 @@ readNamesConfig ini | otherwise = let rpcAuth_ = either (error . ("[NAMES] rpc_auth: " <>)) Just . parseRpcAuth =<< eitherToMaybe (lookupValue "NAMES" "rpc_auth" ini) endpoint = requiredText "ethereum_endpoint" - registries = readTldRegistries in Just NamesConfig { ethereumEndpoint = either (error . ("[NAMES] ethereum_endpoint: " <>)) id (validateUrl endpoint rpcAuth_), - tldRegistries = registries, + tldRegistries = hardcodedTldRegistries, rpcAuth = rpcAuth_, rpcTimeoutMs = boundedIniInt 3000 100 60000 "rpc_timeout_ms", rpcMaxResponseBytes = boundedIniInt 262144 1024 16777216 "rpc_max_response_bytes", @@ -833,18 +831,22 @@ readNamesConfig ini n | n >= floor_ && n <= ceiling_ -> n | otherwise -> error $ "[NAMES] " <> T.unpack key <> " must be in [" <> show floor_ <> ".." <> show ceiling_ <> "] (got " <> show n <> ")" - readTldRegistries = - let regs = TldRegistries - { tldSimplex = optionalAddr "registry_tld_simplex", - tldTesting = optionalAddr "registry_tld_testing", - tldAll = optionalAddr "registry_tld_all" - } - in case (tldSimplex regs, tldTesting regs, tldAll regs) of - (Nothing, Nothing, Nothing) -> - error "[NAMES] at least one of registry_tld_simplex, registry_tld_testing, registry_tld_all is required" - _ -> regs - optionalAddr key = - either (error . (("[NAMES] " <> T.unpack key <> ": ") <>)) Just . parseEthAddr =<< eitherToMaybe (lookupValue "NAMES" key ini) + +-- | Hardcoded SNRC contract whitelist. Placeholder addresses until the +-- launch contracts are deployed; replaced in code rather than INI so +-- operators can't accidentally point a names router at the wrong contract +-- during the bootstrap phase. The TldRegistries shape + lookup precedence +-- (TLD-specific then `tldAll` catch-all) is unchanged from the previous +-- INI-driven form. +hardcodedTldRegistries :: TldRegistries +hardcodedTldRegistries = + TldRegistries + { tldSimplex = Just (placeholderAddr '\x11'), + tldTesting = Just (placeholderAddr '\x22'), + tldAll = Nothing + } + where + placeholderAddr c = either error id $ mkNameOwner (B.replicate 20 c) -- | Validate the ethereum_endpoint URL: -- * scheme must be http: or https: @@ -913,15 +915,6 @@ validateUrl url auth_ = do '0' : 'x' : rest -> all isHexDigit rest lh -> not (null lh) && all isDigit lh --- | Parse a 20-byte Ethereum address as text "0x[hex40]" or "[hex40]". --- EIP-55 mixed-case checksum verification is a follow-up. -parseEthAddr :: Text -> Either String NameOwner -parseEthAddr t = do - bs <- fromHex (encodeUtf8 t) - if B.length bs == 20 - then mkNameOwner bs - else Left "expected a 20-byte address (40 hex characters, optionally 0x-prefixed)" - -- | Parse an rpc_auth INI value. Scheme keyword is case-insensitive so -- "Bearer " / "BEARER " (Caddy / RFC 7235 convention) work -- as well as the lowercase form. diff --git a/src/Simplex/Messaging/Server/Main/Init.hs b/src/Simplex/Messaging/Server/Main/Init.hs index c5ac52cad3..9ec67bc178 100644 --- a/src/Simplex/Messaging/Server/Main/Init.hs +++ b/src/Simplex/Messaging/Server/Main/Init.hs @@ -168,14 +168,9 @@ iniFileContent cfgPath logPath opts host basicAuth controlPortPwds = \# Central Reth via Caddy:\n\ \# ethereum_endpoint: https://eth.simplex.chat:443\n\ \# rpc_auth: basic :\n\ - \# Per-TLD SNRC contract whitelist. At least one entry must be set.\n\ - \# Each RSLV carries the contract address the client wants queried;\n\ - \# the server only accepts it if it matches the address configured for\n\ - \# that TLD (or registry_tld_all as catch-all for any unspecified TLD,\n\ - \# including web domains).\n\ - \# registry_tld_simplex: 0x\n\ - \# registry_tld_testing: 0x\n\ - \# registry_tld_all: 0x\n\ + \# The SNRC contract addresses are hardcoded in the server binary; each\n\ + \# RSLV's contract field is verified against the binary's whitelist for\n\ + \# the requested TLD. Operators do NOT configure registries here.\n\ \# rpc_timeout_ms: 3000\n\ \# rpc_max_response_bytes: 262144\n\ \# rpc_max_concurrency: 8\n\n\ From 9cfdb554676c49ef5919c5184c983fb4e987c857 Mon Sep 17 00:00:00 2001 From: sh Date: Tue, 2 Jun 2026 09:26:22 +0000 Subject: [PATCH 15/33] smp-server: round 6 audit fixes (IPv6 SSRF, redirects, ASCII labels) - Reject IPv6 aliases of 169.254.169.254 (IPv4-compatible / IPv4-mapped / 6to4 / NAT64) via numeric range check on parsed IPv6. - Disable HTTP redirects on the Eth RPC request. - Restrict SimplexName labels to ASCII (Cyrillic/Greek/full-width otherwise hash to different on-chain records and diverge from UTS-46 registrars). - pingEndpoint: only JsonRpcErr means "reachable"; transport/decode failures fail startup. boundedIniInt: readMaybe over partial read. - Add 127.0.0.0/8 and 0.0.0.0 to isLoopback. - Replace hand-rolled hex helpers with Data.ByteArray.Encoding; raise managerConnCount to match rpcMaxConcurrency; hex Show for NameOwner. - Fuse parallel http/https when into unless+case; drop reverse/re-reverse in mkDomain TLDWeb; first AbiInvariantViolated; Nothing <$ decodeAddress; forM_ (eitherToMaybe ...); >>= chain in NameOwner FromJSON. - Drop dead imports/exports/pragmas and two restating comments. - Tests: factor unsafeOwner/unsafeLink, addr1/2/3, testNamesConfig; add non-ASCII label rejection coverage. --- src/Simplex/Messaging/Agent/Protocol.hs | 3 +- src/Simplex/Messaging/Encoding.hs | 1 - src/Simplex/Messaging/Protocol.hs | 26 ++-- src/Simplex/Messaging/Server.hs | 4 - src/Simplex/Messaging/Server/Env/STM.hs | 3 +- src/Simplex/Messaging/Server/Main.hs | 118 ++++++++++++++---- src/Simplex/Messaging/Server/Names.hs | 22 ++-- src/Simplex/Messaging/Server/Names/Eth/RPC.hs | 67 ++++------ .../Messaging/Server/Names/Eth/SNRC.hs | 14 +-- src/Simplex/Messaging/SimplexName.hs | 20 +-- tests/SMPNamesTests.hs | 110 ++++++++-------- 11 files changed, 221 insertions(+), 167 deletions(-) diff --git a/src/Simplex/Messaging/Agent/Protocol.hs b/src/Simplex/Messaging/Agent/Protocol.hs index f518c7b0d8..0860adf2af 100644 --- a/src/Simplex/Messaging/Agent/Protocol.hs +++ b/src/Simplex/Messaging/Agent/Protocol.hs @@ -195,11 +195,10 @@ import qualified Data.Aeson.TH as J import qualified Data.Aeson.Types as JT import Data.Attoparsec.ByteString.Char8 (Parser) import qualified Data.Attoparsec.ByteString.Char8 as A -import qualified Data.Attoparsec.Text as AT import qualified Data.ByteString.Base64.URL as B64 import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B -import Data.Char (isAlpha, isDigit, toLower, toUpper) +import Data.Char (toLower, toUpper) import Data.Foldable (find) import Data.Functor (($>)) import Data.Int (Int64) diff --git a/src/Simplex/Messaging/Encoding.hs b/src/Simplex/Messaging/Encoding.hs index b5b51ab900..d069e5518a 100644 --- a/src/Simplex/Messaging/Encoding.hs +++ b/src/Simplex/Messaging/Encoding.hs @@ -15,7 +15,6 @@ module Simplex.Messaging.Encoding smpEncodeList, smpListP, lenEncode, - lenP, ) where diff --git a/src/Simplex/Messaging/Protocol.hs b/src/Simplex/Messaging/Protocol.hs index d7ec0666e1..ebe3506ba9 100644 --- a/src/Simplex/Messaging/Protocol.hs +++ b/src/Simplex/Messaging/Protocol.hs @@ -260,7 +260,7 @@ import Data.Maybe (fromMaybe, isJust, isNothing) import Data.String import Data.Text (Text) import qualified Data.Text as T -import Data.Text.Encoding (decodeLatin1, decodeUtf8', encodeUtf8) +import Data.Text.Encoding (decodeLatin1, encodeUtf8) import Data.Time.Clock.System (SystemTime (..), systemToUTCTime) import Data.Type.Equality import Data.Word (Word8, Word16) @@ -566,12 +566,13 @@ type LinkId = QueueId -- | SMP queue ID on the server. type QueueId = EntityId --- | Name resolution request. The client sends the canonical SimplexNameDomain --- (TLD always explicit) plus the SNRC contract address it expects the server --- to query. The server parses the domain (validating syntax) and checks the --- supplied contract against its INI whitelist before reading the chain — so a --- single names router can safely host multiple TLDs (each backed by its own --- SNRC contract) and reject clients that ask for the wrong one. +-- | Name resolution request. The client sends the name in canonical +-- SimplexNameDomain form (TLD always explicit) as a Text plus the SNRC +-- contract address it expects the server to query. The server parses the +-- name into SimplexNameDomain (validating syntax) and checks the supplied +-- contract against its hardcoded TLD whitelist before reading the chain — +-- so a single names router can safely host multiple TLDs (each backed by +-- its own SNRC contract) and reject clients that ask for the wrong one. data RslvRequest = RslvRequest { name :: Text, contract :: NameOwner @@ -738,7 +739,12 @@ newtype EncFwdTransmission = EncFwdTransmission ByteString -- | 20-byte Ethereum address (NameRecord owner). Bare constructor not exported; -- use `mkNameOwner` to enforce the 20-byte invariant. newtype NameOwner = NameOwner ByteString - deriving (Eq, Show) + deriving (Eq) + +-- Render the 20 raw bytes as "0x"-prefixed lowercase hex so log lines / +-- traceShow output match the on-the-wire JSON form instead of Latin-1 garbage. +instance Show NameOwner where + show (NameOwner bs) = "NameOwner 0x" <> B.unpack (BAE.convertToBase BAE.Base16 bs) mkNameOwner :: ByteString -> Either String NameOwner mkNameOwner bs @@ -756,9 +762,7 @@ instance J.FromJSON NameOwner where parseJSON = J.withText "NameOwner" $ \t -> do -- Accept "0x" and "0X" prefixes (matches the Server-side hex decoder). let hex = fromMaybe t (T.stripPrefix "0x" t <|> T.stripPrefix "0X" t) - case BAE.convertFromBase BAE.Base16 (encodeUtf8 hex) of - Left e -> fail e - Right bs -> either fail pure (mkNameOwner bs) + either fail pure $ BAE.convertFromBase BAE.Base16 (encodeUtf8 hex) >>= mkNameOwner instance J.ToJSON RslvRequest where toJSON RslvRequest {name, contract} = J.object ["name" J..= name, "contract" J..= contract] diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index 5fae9b8a80..4c3447176d 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -249,8 +249,6 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt closeServer = do pa <- asks (smpAgent . proxyAgent) ne <- asks namesEnv - -- finally: if the proxy-agent close throws, we still release the resolver's - -- HTTP connection manager. liftIO $ closeSMPClientAgent pa `E.finally` mapM_ closeNamesEnv ne serverThread :: @@ -664,8 +662,6 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt map tshow [_pRequests, _pSuccesses, _pErrorsConnect, _pErrorsCompat, _pErrorsOther] showServiceStats ServiceStatsData {_srvAssocNew, _srvAssocDuplicate, _srvAssocUpdated, _srvAssocRemoved, _srvSubCount, _srvSubDuplicate, _srvSubQueues, _srvSubEnd} = map tshow [_srvAssocNew, _srvAssocDuplicate, _srvAssocUpdated, _srvAssocRemoved, _srvSubCount, _srvSubDuplicate, _srvSubQueues, _srvSubEnd] - -- Column order matches `Stats.hs:strEncode NameResolverStatsData`: - -- new counters appended at the end so existing CSV readers don't shift. showNameResolverStats NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled, _rslvBadName} = map tshow [_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled, _rslvBadName] diff --git a/src/Simplex/Messaging/Server/Env/STM.hs b/src/Simplex/Messaging/Server/Env/STM.hs index a23963b1c4..a9e9d91eab 100644 --- a/src/Simplex/Messaging/Server/Env/STM.hs +++ b/src/Simplex/Messaging/Server/Env/STM.hs @@ -117,7 +117,6 @@ import Simplex.Messaging.Server.MsgStore.STM import Simplex.Messaging.Server.MsgStore.Types import Simplex.Messaging.Server.Names (NamesConfig (..), NamesEnv, newNamesEnv, pingEndpoint) import Simplex.Messaging.Server.Names.Eth.RPC (scrubUrl) -import Simplex.Messaging.Util (tshow) import Simplex.Messaging.Server.NtfStore import Simplex.Messaging.Server.QueueStore import Simplex.Messaging.Server.QueueStore.Postgres.Config @@ -131,7 +130,7 @@ import Simplex.Messaging.TMap (TMap) import qualified Simplex.Messaging.TMap as TM import Simplex.Messaging.Transport (ASrvTransport, SMPVersion, THandleParams, TransportPeer (..), VersionRangeSMP) import Simplex.Messaging.Transport.Server -import Simplex.Messaging.Util (ifM, whenM, ($>>=)) +import Simplex.Messaging.Util (ifM, tshow, whenM, ($>>=)) import System.Directory (doesFileExist) import System.Exit (exitFailure) import System.IO (IOMode (..)) diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index 6435c64835..47345ef013 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -66,7 +66,11 @@ import Simplex.Messaging.Client.Agent (SMPClientAgentConfig (..), defaultSMPClie import qualified Simplex.Messaging.Crypto as C import Simplex.Messaging.Encoding.String import Simplex.Messaging.Parsers (parseAll) -import Simplex.Messaging.Protocol (BasicAuth (..), ProtoServerWithAuth (ProtoServerWithAuth), pattern SMPServer) +import qualified Data.IP as IP +import Data.Bits (shiftR, (.&.)) +import Data.Word (Word32) +import Network.URI (URI (..), URIAuth (..), parseAbsoluteURI) +import Simplex.Messaging.Protocol (BasicAuth (..), ProtoServerWithAuth (ProtoServerWithAuth), mkNameOwner, pattern SMPServer) import Simplex.Messaging.Server (AttachHTTP, exportMessages, importMessages, printMessageStats, runSMPServer) import Simplex.Messaging.Server.CLI import Simplex.Messaging.Server.Env.STM @@ -76,8 +80,6 @@ import Simplex.Messaging.Server.Main.Init import Simplex.Messaging.Server.Web (EmbeddedWebParams (..), WebHttpsParams (..)) import Simplex.Messaging.Server.MsgStore.Journal (JournalMsgStore (..), QStoreCfg (..), stmQueueStore) import Simplex.Messaging.Server.MsgStore.Types (MsgStoreClass (..), SQSType (..), SMSType (..), newMsgStore) -import Network.URI (URI (..), URIAuth (..), parseAbsoluteURI) -import Simplex.Messaging.Protocol (mkNameOwner) import Simplex.Messaging.Server.Names (NamesConfig (..), RpcAuth (..), TldRegistries (..)) import Simplex.Messaging.Server.QueueStore.Postgres.Config import Simplex.Messaging.Server.StoreLog.ReadWrite (readQueueStore) @@ -827,10 +829,15 @@ readNamesConfig ini -- against operator-misconfig footguns: 16 MiB response cap (worst-case -- per-call memory), 60 s timeout (no operator wants RSLV to hang longer), -- 1024 concurrent RPCs (any higher should run a separate names router). - boundedIniInt def floor_ ceiling_ key = case readIniDefault def "NAMES" key ini of - n | n >= floor_ && n <= ceiling_ -> n - | otherwise -> - error $ "[NAMES] " <> T.unpack key <> " must be in [" <> show floor_ <> ".." <> show ceiling_ <> "] (got " <> show n <> ")" + boundedIniInt def floor_ ceiling_ key = case lookupValue "NAMES" key ini of + Left _ -> def + Right raw -> case readMaybe (T.unpack (T.strip raw)) of + Nothing -> + error $ "[NAMES] " <> T.unpack key <> ": not an integer (got " <> show raw <> ")" + Just n + | n >= floor_ && n <= ceiling_ -> n + | otherwise -> + error $ "[NAMES] " <> T.unpack key <> " must be in [" <> show floor_ <> ".." <> show ceiling_ <> "] (got " <> show n <> ")" -- | Hardcoded SNRC contract whitelist. Placeholder addresses until the -- launch contracts are deployed; replaced in code rather than INI so @@ -873,7 +880,10 @@ validateUrl url auth_ = do when (null host) $ Left "empty host" when (isBareIntegerHost host) $ Left "bare-integer host not allowed (use a hostname or dotted-quad / bracketed IP); rejects 169.254.169.254 decimal/hex aliases" - when (isLinkLocal host) $ Left "link-local host not allowed (rejects cloud metadata services)" + when (isObfuscatedIpv4 host) $ + Left "non-canonical IPv4 form not allowed (use dotted-quad decimal 0-255 with no leading zeros); rejects inet_aton hex/octal/compact aliases of 169.254.169.254" + when (isLinkLocal host || isForbiddenIpv6 host) $ + Left "link-local host not allowed (rejects cloud metadata services and IPv6 aliases of 169.254.0.0/16)" unless (null (uriUserInfo ua)) $ Left "userinfo (user:pass@) not allowed; use rpc_auth instead" case uriPort ua of "" -> Left "explicit port required (e.g. http://host:8545)" @@ -886,26 +896,36 @@ validateUrl url auth_ = do let path = uriPath uri unless (path == "" || path == "/") $ Left "URL path not allowed; API keys embedded in the path leak to logs — use rpc_auth instead" - when (scheme == "http:" && not (isLoopback host)) $ - Left "http endpoint on a non-loopback host not allowed (plaintext leaks rpc_auth); use https" - when (scheme == "https:" && not (isLoopback host) && isNothing auth_) $ - Left "https endpoint on a non-loopback host requires rpc_auth" + unless (isLoopback host) $ case scheme of + "http:" -> Left "http endpoint on a non-loopback host not allowed (plaintext leaks rpc_auth); use https" + "https:" | isNothing auth_ -> Left "https endpoint on a non-loopback host requires rpc_auth" + _ -> Right () Right url where - isLoopback h = h == "127.0.0.1" || h == "localhost" || h == "[::1]" - -- IPv4 link-local 169.254.0.0/16, the IPv6 link-local prefix fe80::/10, - -- and IPv4-mapped IPv6 forms of the cloud-metadata IP 169.254.169.254 - -- in every textual variant: dotted-quad, hex `a9fe:a9fe`, and the - -- zero-run-expanded `0:0:0:0:0:ffff:…` / `0000:0000:…` forms. - isLinkLocal h = - "169.254." `isPrefixOf` h - || "[fe80:" `isPrefixOf` lh - || any (`isInfixOf` lh) v6MappedMetadata + -- 127.0.0.0/8 and 0.0.0.0 both bind locally on Linux/BSD; treat them all + -- as loopback for the http/auth gate so a misconfigured 0.0.0.0:8545 (or + -- 127.0.0.5) doesn't get an Authorization header sent to a colocated + -- service or silently dropped onto the wire. + isLoopback = \case + "localhost" -> True + "[::1]" -> True + "0.0.0.0" -> True + h -> case parseDottedQuad h of + Just (127, _, _, _) -> True + _ -> False + parseDottedQuad s = case splitOnDot s of + [a, b, c, d] -> (,,,) <$> octet a <*> octet b <*> octet c <*> octet d + _ -> Nothing where - lh = map toLower h - -- Substrings rather than prefixes so we catch every zero-run-expansion - -- (`[::ffff:…`, `[0:0:0:0:0:ffff:…`, `[0000:0000:0000:0000:0000:ffff:…`). - v6MappedMetadata = [":ffff:169.254.", ":ffff:a9fe:a9fe"] :: [String] + octet o = case readMaybe o of + Just n | (n :: Int) >= 0 && n <= 255 -> Just n + _ -> Nothing + splitOnDot s = case break (== '.') s of + (chunk, []) -> [chunk] + (chunk, _ : rest) -> chunk : splitOnDot rest + -- IPv4 link-local 169.254.0.0/16 in dotted-quad form. IPv6 forms are + -- delegated to isForbiddenIpv6 which parses the address numerically. + isLinkLocal h = "169.254." `isPrefixOf` h -- Reject hostnames that look like decimal or `0x`/`0X`-hex integers — -- glibc's inet_aton accepts both as IPv4 aliases (`2852039166`, -- `0xa9fea9fe`, `0XA9FEA9FE` all resolve to 169.254.169.254). The literal @@ -914,6 +934,54 @@ validateUrl url auth_ = do isBareIntegerHost h = case map toLower h of '0' : 'x' : rest -> all isHexDigit rest lh -> not (null lh) && all isDigit lh + -- Reject dotted hosts whose every component is numeric (decimal or `0x`-hex) + -- but which aren't strict canonical IPv4 (exactly 4 decimal octets 0..255 with + -- no leading zeros). inet_aton accepts hex octets (`0xA9.0xFE.0xA9.0xFE`), + -- octal octets (`0251.0376.0251.0376`, leading zero), mixed forms + -- (`169.0376.169.254`), and compact 2/3-segment forms (`169.16689638`, + -- `169.254.43518`) as aliases for 169.254.169.254. The literal-prefix check + -- in isLinkLocal misses all of these; this predicate closes the gap. + isObfuscatedIpv4 h + | '.' `notElem` h = False + | otherwise = allNumericParts && not strictCanonical + where + parts = splitOnDot h + allNumericParts = not (null parts) && all isNumericPart parts + isNumericPart p = case map toLower p of + '0' : 'x' : rest@(_ : _) -> all isHexDigit rest + lp@(_ : _) -> all isDigit lp + _ -> False + strictCanonical = length parts == 4 && all isStrictDecOctet parts + isStrictDecOctet "0" = True + isStrictDecOctet p@(c : _) = + c /= '0' && all isDigit p && maybe False (\n -> (n :: Int) <= 255) (readMaybe p) + isStrictDecOctet _ = False + -- Strip the [...] brackets that parseAbsoluteURI keeps on IPv6 hosts, parse + -- as numeric IPv6, and check 128-bit ranges: + -- * fe80::/10 (link-local) + -- * ::1 (loopback) + -- * IPv4-compatible (::/96), IPv4-mapped (::ffff/96), 6to4 (2002::/16), + -- NAT64 WKP (64:ff9b::/96) — when they alias an IPv4 in 169.254.0.0/16 + -- This covers every textual form of those addresses (compressed, uncompressed, + -- mixed dotted-quad embed) because Data.IP normalises before we inspect bits. + isForbiddenIpv6 h = maybe False (isForbiddenIpv6Word . IP.fromIPv6w) $ + stripBrackets h >>= readMaybe + where + stripBrackets ('[' : rest@(_ : _)) | last rest == ']' = Just (init rest) + stripBrackets _ = Nothing + -- Loopback (::1) is intentionally NOT in this list: loopback is gated + -- separately by isLoopback for the http/auth decision. + isForbiddenIpv6Word :: (Word32, Word32, Word32, Word32) -> Bool + isForbiddenIpv6Word (w1, w2, w3, w4) = + linkLocal || compatTo169 || mappedTo169 || sixToFour169 || nat64To169 + where + linkLocal = (w1 `shiftR` 22) == 0x3fa -- fe80::/10 + is169254v4 = (w4 `shiftR` 16) == 0xa9fe + high96Zero = w1 == 0 && w2 == 0 + compatTo169 = high96Zero && w3 == 0 && is169254v4 + mappedTo169 = high96Zero && w3 == 0xffff && is169254v4 + sixToFour169 = (w1 `shiftR` 16) == 0x2002 && (w1 .&. 0xffff) == 0xa9fe + nat64To169 = w1 == 0x0064ff9b && w2 == 0 && w3 == 0 && is169254v4 -- | Parse an rpc_auth INI value. Scheme keyword is case-insensitive so -- "Bearer " / "BEARER " (Caddy / RFC 7235 convention) work diff --git a/src/Simplex/Messaging/Server/Names.hs b/src/Simplex/Messaging/Server/Names.hs index df689d90aa..c1aeef4898 100644 --- a/src/Simplex/Messaging/Server/Names.hs +++ b/src/Simplex/Messaging/Server/Names.hs @@ -29,7 +29,7 @@ module Simplex.Messaging.Server.Names where import Control.Applicative ((<|>)) -import Control.Monad (guard, unless, when) +import Control.Monad (forM_, guard, unless, when) import qualified Control.Exception as E import Control.Logger.Simple (logError) import Data.ByteString.Char8 (ByteString) @@ -40,6 +40,7 @@ import qualified Data.Text as T import Data.Text.Encoding (encodeUtf8) import Data.Time.Clock.POSIX (getPOSIXTime) import Simplex.Messaging.Encoding.String (strDecode) +import Simplex.Messaging.Util (eitherToMaybe) import Simplex.Messaging.Protocol (NameOwner, NameRecord (..), RslvRequest (..), unNameOwner) import Simplex.Messaging.Server.Names.Eth.RPC (EthRpcEnv, EthRpcError (..), RpcAuth (..), closeEthRpcEnv, ethCallReal, newEthRpcEnv) import Simplex.Messaging.Server.Names.Eth.SNRC (decodeAddress, decodeGetRecord, encodeGetRecord, isZeroOwner, namehash) @@ -127,9 +128,11 @@ verifyRslv NamesEnv {config} RslvRequest {name, contract} = case strDecode (enco -- | Reach the configured endpoint with a harmless probe call to confirm -- network reachability. Uses any configured contract address (the parser --- guarantees at least one is set). Returns Left only on transport-level --- failures; JSON-RPC errors (misconfigured address etc.) are treated as --- "endpoint reachable" — that distinction surfaces later via rslvEthErrs. +-- guarantees at least one is set). A JSON-RPC error (e.g. unknown contract +-- on a healthy node) is treated as "endpoint reachable". HTTP transport +-- failures, oversized responses, and non-JSON bodies (operator pointing at +-- the wrong service) all surface as Left so startup fails loudly rather +-- than every RSLV silently incrementing rslvEthErrs. pingEndpoint :: NamesEnv -> IO (Either EthRpcError ()) pingEndpoint NamesEnv {ethCall, config} = case anyAddress (tldRegistries config) of Nothing -> pure (Right ()) @@ -141,9 +144,9 @@ pingEndpoint NamesEnv {ethCall, config} = case anyAddress (tldRegistries config) ethCall (unNameOwner addr) (encodeGetRecord (namehash "")) pure $ case r of Nothing -> Left ProbeTimedOut - Just (Left e@(HttpFailure _)) -> Left e - Just (Left e@(HttpStatusErr _)) -> Left e - Just _ -> Right () + Just (Left JsonRpcErr {}) -> Right () -- node answered, just doesn't know this contract + Just (Left e) -> Left e + Just (Right _) -> Right () where anyAddress TldRegistries {tldSimplex, tldTesting, tldAll} = tldSimplex <|> tldTesting <|> tldAll @@ -178,9 +181,8 @@ fetch env@NamesEnv {ethCall} contract d = -- an operator who enables [NAMES] against a working SNRC contract sees -- the resolver is functionally stubbed. notFoundWithPlaceholderWarn ret = do - case decodeAddress 32 ret of - Right owner -> unless (isZeroOwner owner) (warnPlaceholderOnce env) - Left _ -> pure () + forM_ (eitherToMaybe (decodeAddress 32 ret)) $ \owner -> + unless (isZeroOwner owner) (warnPlaceholderOnce env) pure (Left NotFound) -- Defense in depth: the SNRC contract should already return the -- zero-owner sentinel for expired records, but a buggy / pre-upgrade diff --git a/src/Simplex/Messaging/Server/Names/Eth/RPC.hs b/src/Simplex/Messaging/Server/Names/Eth/RPC.hs index 63b10d3207..1f0d2d02aa 100644 --- a/src/Simplex/Messaging/Server/Names/Eth/RPC.hs +++ b/src/Simplex/Messaging/Server/Names/Eth/RPC.hs @@ -1,7 +1,6 @@ {-# LANGUAGE LambdaCase #-} {-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE OverloadedStrings #-} -{-# LANGUAGE RecordWildCards #-} {-# LANGUAGE ScopedTypeVariables #-} {-# LANGUAGE StrictData #-} @@ -15,12 +14,11 @@ -- * Authorization header attached only when configured. module Simplex.Messaging.Server.Names.Eth.RPC ( RpcAuth (..), - EthRpcEnv (..), + EthRpcEnv, EthRpcError (..), newEthRpcEnv, closeEthRpcEnv, ethCallReal, - fromHex, scrubUrl, ) where @@ -35,17 +33,20 @@ import qualified Data.ByteArray.Encoding as BAE import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B import qualified Data.ByteString.Lazy as BL +import Data.Maybe (fromMaybe) import Data.Text (Text) import qualified Data.Text as T -import Data.Text.Encoding (encodeUtf8) +import Data.Text.Encoding (decodeLatin1, encodeUtf8) import Network.HTTP.Client ( HttpException, Manager, + ManagerSettings (..), Request, RequestBody (..), brReadSome, method, parseRequest, + redirectCount, requestBody, requestHeaders, responseBody, @@ -80,13 +81,18 @@ data EthRpcError | ProbeTimedOut -- startup-probe timeout; resolveName uses its own Timeout deriving (Show) --- | Build a Request from a (validated) ethereum_endpoint URL. +-- | Build a Request from a (validated) ethereum_endpoint URL. Redirects are +-- disabled: an RPC endpoint that responds 3xx is a misconfiguration, and a +-- compromised endpoint could otherwise redirect a credential-bearing POST +-- to a private-IP target (SSRF amplification on top of the host validation +-- performed at config load — DNS rebinding and chained redirects bypass it). buildRequest :: Text -> Maybe RpcAuth -> IO Request buildRequest endpoint auth_ = do req <- parseRequest (T.unpack endpoint) pure $ req { method = "POST", + redirectCount = 0, requestHeaders = ("Content-Type", "application/json") : maybe [] (pure . authHeader) auth_ @@ -101,7 +107,9 @@ authHeader = \case newEthRpcEnv :: Text -> Maybe RpcAuth -> Int -> Int -> IO EthRpcEnv newEthRpcEnv endpoint auth_ maxResponseBytes maxConcurrency = do - manager <- HC.newManager tlsManagerSettings + -- managerConnCount defaults to 10; without raising it the configured + -- rpcMaxConcurrency is silently capped to 10 by http-client's pool. + manager <- HC.newManager tlsManagerSettings {managerConnCount = max 10 maxConcurrency} request <- buildRequest endpoint auth_ sem <- newQSem maxConcurrency pure EthRpcEnv {manager, request, sem, maxResponseBytes} @@ -163,50 +171,19 @@ parseResult bs = case J.eitherDecodeStrict bs of pure (Left (JsonRpcErr code msg)) _ -> do result :: Text <- o J..: "result" - case fromHex (encodeUtf8 result) of + case decodeHexResult (encodeUtf8 result) of Right b -> pure (Right b) Left e -> pure (Left (InvalidJson e)) +-- | Encode raw bytes as "0x"-prefixed lowercase hex. toHex :: ByteString -> Text -toHex bs = T.pack $ "0x" <> concatMap byte (B.unpack bs) - where - byte c = - let n = fromEnum c - (h, l) = quotRem n 16 - in [hexChar h, hexChar l] - hexChar n - | n < 10 = toEnum (fromEnum '0' + n) - | otherwise = toEnum (fromEnum 'a' + n - 10) - -fromHex :: ByteString -> Either String ByteString -fromHex bs0 = - let bs = case B.stripPrefix "0x" bs0 of - Just rest -> rest - Nothing -> case B.stripPrefix "0X" bs0 of - Just rest -> rest - Nothing -> bs0 - in if B.null bs - then Right B.empty - else - if odd (B.length bs) || not (B.all isHex bs) - then Left "invalid hex" - else Right (decodeHex bs) - where - isHex c = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F') +toHex bs = "0x" <> decodeLatin1 (BAE.convertToBase BAE.Base16 bs) -decodeHex :: ByteString -> ByteString -decodeHex = B.pack . go - where - go s - | B.null s = [] - | otherwise = - let hi = digit (B.head s) - lo = digit (B.index s 1) - in toEnum (16 * hi + lo) : go (B.drop 2 s) - digit c - | c >= '0' && c <= '9' = fromEnum c - fromEnum '0' - | c >= 'a' && c <= 'f' = 10 + fromEnum c - fromEnum 'a' - | otherwise = 10 + fromEnum c - fromEnum 'A' +-- | Decode a "0x"/"0X"-prefixed hex string (the JSON-RPC result shape). +decodeHexResult :: ByteString -> Either String ByteString +decodeHexResult bs = + BAE.convertFromBase BAE.Base16 $ + fromMaybe bs (B.stripPrefix "0x" bs <|> B.stripPrefix "0X" bs) -- | Strip userinfo from a URL so log lines never leak credentials. scrubUrl :: Text -> Text diff --git a/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs b/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs index adf3d2d5e4..2e645fa602 100644 --- a/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs +++ b/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs @@ -40,6 +40,7 @@ module Simplex.Messaging.Server.Names.Eth.SNRC where import Crypto.Hash (Digest, Keccak_256, hash) +import Data.Bifunctor (first) import qualified Data.ByteArray as BA import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B @@ -113,9 +114,7 @@ decodeAddress :: Int -> ByteString -> Either AbiError NameOwner decodeAddress off buf | off + 32 > B.length buf = Left AbiTruncated | B.any (/= toEnum 0) (B.take 12 (B.drop off buf)) = Left (AbiInvariantViolated "address has non-zero high 12 bytes") - | otherwise = case mkNameOwner (B.take 20 (B.drop (off + 12) buf)) of - Right addr -> Right addr - Left e -> Left (AbiInvariantViolated e) + | otherwise = first AbiInvariantViolated $ mkNameOwner (B.take 20 (B.drop (off + 12) buf)) -- | Decode a Solidity `string` whose data starts at byte offset `off`. -- Returns raw bytes; UTF-8 validity is the caller's choice (use @@ -179,11 +178,10 @@ decodeStringArray depth headEnd off cntCap byteCap buf decodeGetRecord :: ByteString -> Either AbiError (Maybe NameRecord) decodeGetRecord buf | B.length buf < 32 * 8 = Left AbiTruncated - | otherwise = case decodeAddress 32 buf of - Left e -> Left e - Right owner - | isZeroOwner owner -> Right Nothing - | otherwise -> Right Nothing -- placeholder until SNRC ABI is finalised + -- Both arms return Nothing today: the zero-owner branch is the real ENS-style + -- NotFound sentinel; the non-zero branch is the SNRC-ABI placeholder. They + -- separate once the field-layout decoder lands. + | otherwise = Nothing <$ decodeAddress 32 buf isZeroOwner :: NameOwner -> Bool isZeroOwner = (== B.replicate 20 '\NUL') . unNameOwner diff --git a/src/Simplex/Messaging/SimplexName.hs b/src/Simplex/Messaging/SimplexName.hs index af5c4d7934..be0fb0019f 100644 --- a/src/Simplex/Messaging/SimplexName.hs +++ b/src/Simplex/Messaging/SimplexName.hs @@ -21,7 +21,7 @@ import Control.Applicative (optional, (<|>)) import qualified Data.Aeson.TH as J import qualified Data.Attoparsec.ByteString.Char8 as A import qualified Data.Attoparsec.Text as AT -import Data.Char (isAlpha, isDigit) +import Data.Char (isDigit) import Data.Functor (($>)) import Data.Text (Text) import qualified Data.Text as T @@ -58,7 +58,12 @@ instance StrEncoding SimplexNameType where nameLabelP :: AT.Parser Text nameLabelP = T.intercalate "-" <$> AT.takeWhile1 (\c -> isNameLetter c || isDigit c) `AT.sepBy1` AT.char '-' where - isNameLetter c = isAlpha c && not (c >= '\x00c0' && c <= '\x024f') + -- ASCII letters only. SNRC contracts hash byte sequences via keccak; ENS + -- uses UTS-46 + Punycode for IDN, which we do not implement. Admitting + -- Cyrillic / Greek / etc. via Data.Char.isAlpha would (a) make namehash + -- diverge from any IDN-aware registrar and (b) allow homograph spoofing + -- (Cyrillic а vs ASCII a hash to different on-chain records). + isNameLetter c = c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' instance StrEncoding SimplexNameInfo where strEncode SimplexNameInfo {nameType, nameDomain} = @@ -78,15 +83,14 @@ instance StrEncoding SimplexNameDomain where -- All labels lowercased: DNS labels are case-insensitive, and namehash is -- byte-defined — preserving original case would make `Alice.simplex` and -- `alice.simplex` resolve to different on-chain records. A mixed-case TLD - -- would also fall through to TLDWeb and route through `registry_tld_all` - -- instead of `registry_tld_simplex`. + -- would also fall through to TLDWeb and route through the `tldAll` + -- catch-all entry instead of the TLDSimplex registry. mkDomain labels = case reverse (map T.toLower labels) of [] -> Left "empty name" [_] -> Left "domain requires TLD" - tld : name : sub -> Right $ case tld of - "simplex" -> SimplexNameDomain TLDSimplex name sub - "testing" -> SimplexNameDomain TLDTesting name sub - _ -> SimplexNameDomain TLDWeb (T.intercalate "." (reverse (tld : name : sub))) [] + "simplex" : name : sub -> Right (SimplexNameDomain TLDSimplex name sub) + "testing" : name : sub -> Right (SimplexNameDomain TLDTesting name sub) + _ -> Right (SimplexNameDomain TLDWeb (T.intercalate "." (map T.toLower labels)) []) fullDomainName :: SimplexNameDomain -> Text fullDomainName SimplexNameDomain {nameTLD, domain, subDomain} = T.intercalate "." (reverse subDomain ++ [domain] ++ tld') diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index f281e87633..8513cb5db2 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -1,3 +1,4 @@ +{-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE ScopedTypeVariables #-} {-# LANGUAGE TypeApplications #-} @@ -9,13 +10,16 @@ import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B import qualified Data.ByteArray as BA import Data.Either (isLeft, isRight) +import Data.Foldable (for_) import Data.IORef (atomicModifyIORef', newIORef, readIORef) import Data.List (sort) +import Data.Text (Text) import qualified Data.Text as T import qualified Data.Aeson as J import qualified Data.ByteString.Lazy as LB import Simplex.Messaging.Protocol - ( NameOwner, + ( NameLink, + NameOwner, NameRecord (..), RslvRequest (..), mkNameLink, @@ -68,20 +72,43 @@ namehashEth = "\x93\xcd\xeb\x70\x8b\x75\x45\xdc\x66\x8e\xb9\x28\x01\x76\x16\x9d\ twentyOnes :: ByteString twentyOnes = B.replicate 20 '\x01' +-- | Test-only constructors that crash on the smart-ctor's Left. Used for +-- fixtures where we know the input satisfies the invariant; production code +-- always goes through `mkNameOwner` / `mkNameLink`. +unsafeOwner :: ByteString -> NameOwner +unsafeOwner = either error id . mkNameOwner + +unsafeLink :: Text -> NameLink +unsafeLink = either error id . mkNameLink + +addr1, addr2, addr3 :: NameOwner +addr1 = unsafeOwner twentyOnes +addr2 = unsafeOwner (B.replicate 20 '\x02') +addr3 = unsafeOwner (B.replicate 20 '\x03') + +testNamesConfig :: TldRegistries -> NamesConfig +testNamesConfig regs = + NamesConfig + { ethereumEndpoint = "http://stub", + tldRegistries = regs, + rpcAuth = Nothing, + rpcTimeoutMs = 1000, + rpcMaxResponseBytes = 65536, + rpcMaxConcurrency = 4 + } + sampleRecord :: NameRecord -sampleRecord = case (mkNameOwner twentyOnes, mkNameLink "simplex:/contact/abc#xyz") of - (Right o, Right l) -> - NameRecord - { nrDisplayName = "Alice", - nrOwner = o, - nrChannelLinks = [], - nrContactLinks = [l], - nrAdminAddress = Just "simplex:/admin/...", - nrAdminEmail = Just "admin@example.org", - nrExpiry = 1735689600, - nrIsTest = False - } - _ -> error "sampleRecord smart ctors failed" +sampleRecord = + NameRecord + { nrDisplayName = "Alice", + nrOwner = unsafeOwner twentyOnes, + nrChannelLinks = [], + nrContactLinks = [unsafeLink "simplex:/contact/abc#xyz"], + nrAdminAddress = Just "simplex:/admin/...", + nrAdminEmail = Just "admin@example.org", + nrExpiry = 1735689600, + nrIsTest = False + } smpNamesTests :: Spec smpNamesTests = do @@ -111,8 +138,7 @@ nameRecordEncodingSpec = do (J.eitherDecodeStrict badBytes :: Either String NameRecord) `shouldSatisfy` isLeft it "enforces combined channel+contact list cap of 8" $ do - let mkLink i = either error id (mkNameLink ("simplex:/contact/" <> T.pack (show (i :: Int)))) - nineLinks = map mkLink [0 .. 8] + let nineLinks = map (\i -> unsafeLink ("simplex:/contact/" <> T.pack (show (i :: Int)))) [0 .. 8] overflow = sampleRecord {nrChannelLinks = nineLinks, nrContactLinks = []} bytes = LB.toStrict (J.encode overflow) (J.eitherDecodeStrict bytes :: Either String NameRecord) `shouldSatisfy` isLeft @@ -128,7 +154,7 @@ nameRecordEncodingSpec = do (J.eitherDecodeStrict (json "0X") :: Either String NameOwner) `shouldSatisfy` isRight it "encodes within the proxied transmission budget" $ do - let huge = either error id (mkNameLink (T.replicate 1024 "x")) + let huge = unsafeLink (T.replicate 1024 "x") wide = sampleRecord { nrChannelLinks = replicate 4 huge, @@ -247,10 +273,6 @@ zeroOwnerSpec = do tldWhitelistSpec :: Spec tldWhitelistSpec = do - let addr1 = either error id (mkNameOwner twentyOnes) - addr2 = either error id (mkNameOwner (B.replicate 20 '\x02')) - addr3 = either error id (mkNameOwner (B.replicate 20 '\x03')) - describe "lookupTldAddress" $ do it "TLD-specific entry takes precedence over _all" $ do let regs = TldRegistries {tldSimplex = Just addr1, tldTesting = Just addr2, tldAll = Just addr3} @@ -271,16 +293,7 @@ tldWhitelistSpec = do lookupTldAddress regs TLDWeb `shouldBe` Nothing describe "verifyRslv" $ do - let cfgWith regs = - NamesConfig - { ethereumEndpoint = "http://stub", - tldRegistries = regs, - rpcAuth = Nothing, - rpcTimeoutMs = 1000, - rpcMaxResponseBytes = 65536, - rpcMaxConcurrency = 4 - } - mkEnv regs = newNamesEnvWith (cfgWith regs) (\_ _ -> pure (Right "")) Nothing + let mkEnv regs = newNamesEnvWith (testNamesConfig regs) (\_ _ -> pure (Right "")) Nothing it "accepts a valid name with matching TLD-specific contract" $ do env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} @@ -322,33 +335,28 @@ tldWhitelistSpec = do let req = RslvRequest {name = "privacy", contract = addr1} verifyRslv env req `shouldBe` Nothing + it "rejects non-ASCII labels (Cyrillic а homograph would hash to different namehash than ASCII a)" $ do + env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} + -- Cyrillic а (U+0430), Greek α (U+03B1), full-width A (U+FF21) + for_ ["\1072lice.simplex", "\945pple.simplex", "\65313pple.simplex"] $ \name -> + verifyRslv env RslvRequest {name, contract = addr1} `shouldBe` Nothing + resolverSpec :: Spec resolverSpec = do - let mkEnv ethCall = do - let cfg = - NamesConfig - { ethereumEndpoint = "http://stub", - tldRegistries = TldRegistries {tldSimplex = Just (either error id (mkNameOwner twentyOnes)), tldTesting = Nothing, tldAll = Nothing}, - rpcAuth = Nothing, - rpcTimeoutMs = 1000, - rpcMaxResponseBytes = 65536, - rpcMaxConcurrency = 4 - } - newNamesEnvWith cfg ethCall Nothing + let regs = TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} + mkEnv ethCall = newNamesEnvWith (testNamesConfig regs) ethCall Nothing aliceDomain = SimplexNameDomain {nameTLD = TLDSimplex, domain = "alice", subDomain = []} - aliceAddr = either error id (mkNameOwner twentyOnes) + zeroOwnerResponse = Right (B.replicate (32 * 8) '\NUL') it "maps stub zero-owner response to NotFound" $ do - env <- mkEnv $ \_ _ -> pure (Right (B.replicate (32 * 8) '\NUL')) - r <- resolveName env aliceAddr aliceDomain - r `shouldBe` Left NotFound + env <- mkEnv (\_ _ -> pure zeroOwnerResponse) + resolveName env addr1 aliceDomain `shouldReturn` Left NotFound it "every lookup hits the endpoint (no cache)" $ do callCount <- newIORef (0 :: Int) env <- mkEnv $ \_ _ -> do atomicModifyIORef' callCount (\v -> (v + 1, ())) - pure (Right (B.replicate (32 * 8) '\NUL')) - _ <- resolveName env aliceAddr aliceDomain - _ <- resolveName env aliceAddr aliceDomain - n <- readIORef callCount - n `shouldBe` 2 + pure zeroOwnerResponse + _ <- resolveName env addr1 aliceDomain + _ <- resolveName env addr1 aliceDomain + readIORef callCount `shouldReturn` 2 From 9e4d8d95c0959ce0458c8abedd329bb2057d1db0 Mon Sep 17 00:00:00 2001 From: sh Date: Wed, 3 Jun 2026 19:03:45 +0000 Subject: [PATCH 16/33] namespace: bound parser input to 253 bytes (DoS defense) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The bare-name fallback and bareDomain parser would otherwise consume arbitrarily many non-space bytes via takeWhile1 before any validation or length check. A crafted multi-megabyte token would be decoded as UTF-8 and re-parsed in full before being rejected. Introduce `boundedNonSpace` (scan with 253-byte cap) at the two takeWhile1 sites. Inputs longer than 253 bytes leave residue that parseOnly's implicit endOfInput rejects, so the parser fails fast without ever allocating the full input. The bound is the DNS full-domain limit, chosen for being a familiar ceiling generous enough to cover any realistic SimpleX name (longest plausible @user.subdomain.simplex stays well under 100 bytes). No per-label cap — SimpleX names don't go through DNS label resolution and there's no semantic reason to constrain individual labels. --- src/Simplex/Messaging/SimplexName.hs | 18 ++++++++++++++++-- tests/SMPNamesTests.hs | 5 +++++ 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/src/Simplex/Messaging/SimplexName.hs b/src/Simplex/Messaging/SimplexName.hs index be0fb0019f..62973727a3 100644 --- a/src/Simplex/Messaging/SimplexName.hs +++ b/src/Simplex/Messaging/SimplexName.hs @@ -21,6 +21,8 @@ import Control.Applicative (optional, (<|>)) import qualified Data.Aeson.TH as J import qualified Data.Attoparsec.ByteString.Char8 as A import qualified Data.Attoparsec.Text as AT +import Data.ByteString.Char8 (ByteString) +import qualified Data.ByteString.Char8 as B import Data.Char (isDigit) import Data.Functor (($>)) import Data.Text (Text) @@ -65,6 +67,18 @@ nameLabelP = T.intercalate "-" <$> AT.takeWhile1 (\c -> isNameLetter c || isDigi -- (Cyrillic а vs ASCII a hash to different on-chain records). isNameLetter c = c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' +-- | DoS defense for the bare-name / bare-domain entry points. The outer +-- parser would otherwise `takeWhile1 (not . isSpace)` unbounded, allowing +-- a crafted multi-megabyte token to be decoded and re-parsed before any +-- validation. Cap at 253 bytes (DNS full-domain limit) — generous against +-- any realistic SimpleX name and forces the surrounding `parseOnly` +-- (which requires consuming all input) to fail on oversized inputs. +boundedNonSpace :: A.Parser ByteString +boundedNonSpace = do + bs <- A.scan (0 :: Int) $ \i c -> + if i < 253 && not (A.isSpace c) then Just (i + 1) else Nothing + if B.null bs then fail "expected non-empty name token" else pure bs + instance StrEncoding SimplexNameInfo where strEncode SimplexNameInfo {nameType, nameDomain} = "simplex:/name" <> strEncode nameType <> strEncode nameDomain @@ -72,12 +86,12 @@ instance StrEncoding SimplexNameInfo where where infoP NTPublicGroup = SimplexNameInfo NTPublicGroup <$> (strP <|> bareName) infoP NTContact = SimplexNameInfo NTContact <$> strP - bareName = parseBare . safeDecodeUtf8 <$?> A.takeWhile1 (not . A.isSpace) + bareName = parseBare . safeDecodeUtf8 <$?> boundedNonSpace parseBare s = (\name -> SimplexNameDomain TLDSimplex name []) <$> AT.parseOnly (nameLabelP <* AT.endOfInput) s instance StrEncoding SimplexNameDomain where strEncode = encodeUtf8 . fullDomainName - strP = parseDomain . safeDecodeUtf8 <$?> A.takeWhile1 (not . A.isSpace) + strP = parseDomain . safeDecodeUtf8 <$?> boundedNonSpace where parseDomain s = AT.parseOnly (nameLabelP `AT.sepBy1` AT.char '.' <* AT.endOfInput) s >>= mkDomain -- All labels lowercased: DNS labels are case-insensitive, and namehash is diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index 8513cb5db2..412b6fa2b1 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -341,6 +341,11 @@ tldWhitelistSpec = do for_ ["\1072lice.simplex", "\945pple.simplex", "\65313pple.simplex"] $ \name -> verifyRslv env RslvRequest {name, contract = addr1} `shouldBe` Nothing + it "rejects oversized inputs (>253 bytes) — bounded parser allocation" $ do + env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} + let oversize = T.replicate 254 "a" <> ".simplex" + verifyRslv env RslvRequest {name = oversize, contract = addr1} `shouldBe` Nothing + resolverSpec :: Spec resolverSpec = do let regs = TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} From 92b3d0492c5cf7730642774f925b6c1d61f04f54 Mon Sep 17 00:00:00 2001 From: sh <37271604+shumvgolove@users.noreply.github.com> Date: Mon, 8 Jun 2026 11:37:17 +0000 Subject: [PATCH 17/33] namespace: switch to Python HTTP resolver + agent plumbing (#1796) --- protocol/simplex-messaging.md | 73 ++- simplexmq.cabal | 8 +- src/Simplex/Messaging/Agent.hs | 19 + src/Simplex/Messaging/Agent/Client.hs | 14 + src/Simplex/Messaging/Agent/Protocol.hs | 20 + src/Simplex/Messaging/Client.hs | 22 + src/Simplex/Messaging/Names/Owner.hs | 46 ++ src/Simplex/Messaging/Names/Record.hs | 70 +++ src/Simplex/Messaging/Protocol.hs | 117 +--- src/Simplex/Messaging/Server.hs | 46 +- src/Simplex/Messaging/Server/Env/STM.hs | 42 +- src/Simplex/Messaging/Server/Main.hs | 68 +-- src/Simplex/Messaging/Server/Main/Init.hs | 21 +- src/Simplex/Messaging/Server/Names.hs | 275 ++++------ src/Simplex/Messaging/Server/Names/Eth/RPC.hs | 200 ------- .../Messaging/Server/Names/Eth/SNRC.hs | 187 ------- .../Messaging/Server/Names/HttpResolver.hs | 164 ++++++ src/Simplex/Messaging/SimplexName.hs | 12 +- tests/AgentTests.hs | 2 + tests/AgentTests/ResolveNameTests.hs | 203 +++++++ tests/CoreTests/ConnectTargetTests.hs | 67 +++ tests/RSLVTests.hs | 227 ++++++++ tests/SMPClient.hs | 13 +- tests/SMPNamesTests.hs | 499 ++++++++---------- tests/Test.hs | 4 + 25 files changed, 1340 insertions(+), 1079 deletions(-) create mode 100644 src/Simplex/Messaging/Names/Owner.hs create mode 100644 src/Simplex/Messaging/Names/Record.hs delete mode 100644 src/Simplex/Messaging/Server/Names/Eth/RPC.hs delete mode 100644 src/Simplex/Messaging/Server/Names/Eth/SNRC.hs create mode 100644 src/Simplex/Messaging/Server/Names/HttpResolver.hs create mode 100644 tests/AgentTests/ResolveNameTests.hs create mode 100644 tests/CoreTests/ConnectTargetTests.hs create mode 100644 tests/RSLVTests.hs diff --git a/protocol/simplex-messaging.md b/protocol/simplex-messaging.md index c73cdaa4b4..293721ecec 100644 --- a/protocol/simplex-messaging.md +++ b/protocol/simplex-messaging.md @@ -428,7 +428,7 @@ Simplex messaging router implementations MUST NOT create, store or send to any o - Any other information that may compromise privacy or [forward secrecy][4] of communication between clients using simplex messaging routers (the routers cannot compromise forward secrecy of any application layer protocol, such as double ratchet). -Routers with the names role make outbound JSON-RPC calls to an Ethereum endpoint to read `NameRecord` data; the lookup key reaches that endpoint. Operators MUST run the endpoint themselves (loopback Reth + Nimbus, or a self-hosted central deployment) — sharing one endpoint across multiple operators collapses the two-server privacy property because the endpoint operator would see every lookup key across all of them. The names role and the SMP-proxy role MUST NOT be enabled on the same router by default; a slow `RSLV` cache miss can serialise other forwarded commands on the same proxy-relay session. +Routers with the names role make outbound HTTP calls to a backing resolver service (the reference implementation is `scripts/resolver/snrc-resolve.py`, which in turn makes JSON-RPC calls to an Ethereum endpoint) to read `NameRecord` data; the lookup key reaches that resolver and its upstream RPC endpoint. Operators MUST run both the resolver process and its upstream RPC endpoint themselves (loopback Reth + Nimbus, or a self-hosted central deployment) — sharing them across multiple operators collapses the two-server privacy property because the resolver / RPC operator would see every lookup key across all of them. The names role and the SMP-proxy role MUST NOT be enabled on the same router by default; a slow `RSLV` cache miss can serialise other forwarded commands on the same proxy-relay session. ## Message delivery notifications @@ -1443,10 +1443,13 @@ session, or identity; the proxy router sees the client connection but cannot read the encrypted lookup key inside the forwarded transmission. **Backing store.** This protocol does not prescribe where the names router -reads `NameRecord` from. The reference implementation queries the SNRC contract -on Ethereum via a JSON-RPC endpoint; alternative backings (different chains, -DHT, etc.) are valid as long as they return a `NameRecord` matching the encoding -below. +reads `NameRecord` from. The reference implementation forwards each RSLV to a +companion REST resolver process (`scripts/resolver/snrc-resolve.py`) that +queries the SNRC contract on Ethereum; alternative backings (different chains, +DHT, etc.) are valid as long as they expose the documented HTTP shape (`GET +/resolve/` returning a `NameRecord` on 200, 404 / 400 for unknown names +or TLDs, 502 for upstream RPC failures) or substitute a different transport +while still returning a `NameRecord` matching the encoding below. #### Resolve name command @@ -1461,25 +1464,23 @@ rslv = %s"RSLV" SP json-bytes ; json-bytes consumes the remainder of the trans | Field | JSON type | Constraints | |---|---|---| | `name` | string | the canonical fully-qualified name (TLD always explicit, e.g. `"privacy.simplex"`, `"test.testing"`, `"example.com"`); UTF-8 bytes only | -| `contract` | string | `"0x"` followed by 40 lowercase hex characters (20 raw bytes — the SNRC contract address the client expects the server to query) | +| `contract` | string | `"0x"` followed by 40 lowercase hex characters (20 raw bytes); currently ignored by the server, reserved for future eth-backed implementations that may use it to constrain which on-chain registry the client expects the server to query | **Server-side validation.** The names router parses `name` as a fully-qualified -domain (TLD required — bare labels are rejected), extracts the TLD, and looks -up the expected SNRC contract address in a whitelist hardcoded in the server -binary (TLD-specific addresses with an optional catch-all for unspecified -TLDs and web domains). If no whitelist entry matches the TLD, or if the -client-supplied `contract` differs from the configured address, the server -replies with `ERR AUTH` without contacting the chain. This lets one names -router safely host multiple TLDs (each backed by its own SNRC contract) and -reject clients pointing at a contract the operator doesn't run. +domain (TLD required — bare labels are rejected) and forwards it to the +configured backing resolver. The `contract` field is parsed for forward +compatibility but ignored by the reference implementation: the backing +resolver is the source of truth for which on-chain registry maps to each TLD. +Any failure (malformed name, resolver 404 / 400 / 5xx, transport failure, +timeout, decode error, names role disabled) collapses to `ERR AUTH`. The names router responds with either a `NAME` response carrying the resolved record, or `ERR AUTH` collapsing every failure mode (name not found, malformed -name, TLD not in whitelist, contract mismatch, names role disabled, RPC -unreachable, decode error, timeout). The wire code does not distinguish -between these — stats counters MAY be exposed out-of-band for operator -observability (`bad_name` is incremented for validation/whitelist failures, -distinct from `not_found` for valid lookups with no on-chain record). +name, names role disabled, resolver unreachable, decode error, timeout). The +wire code does not distinguish between these — stats counters MAY be exposed +out-of-band for operator observability (`bad_name` is incremented for +validation failures, distinct from `not_found` for valid lookups with no +backing record). #### Name record response @@ -1493,14 +1494,30 @@ name = %s"NAME" SP json-bytes ; json-bytes consumes the remainder of the trans | Field | JSON type | Constraints | |---|---|---| -| `displayName` | string | ≤ 255 bytes UTF-8 | +| `name` | string | ≤ 255 bytes UTF-8 | +| `nickname` | string | ≤ 255 bytes UTF-8; senders MUST emit the empty string `""` when unset | +| `website` | string | ≤ 255 bytes UTF-8; same empty-string-when-unset rule | +| `location` | string | ≤ 255 bytes UTF-8; same empty-string-when-unset rule | +| `simplexContact` | string | ≤ 1024 bytes UTF-8; same empty-string-when-unset rule | +| `simplexChannel` | string | ≤ 1024 bytes UTF-8; same empty-string-when-unset rule | +| `eth` | string or null | ≤ 255 bytes UTF-8; senders MUST emit `null` when unset; receivers MUST also accept absent keys as unset | +| `btc` | string or null | ≤ 255 bytes UTF-8; same null / absent rules | +| `xmr` | string or null | ≤ 255 bytes UTF-8; same null / absent rules | +| `dot` | string or null | ≤ 255 bytes UTF-8; same null / absent rules | | `owner` | string | `"0x"` followed by 40 lowercase hex characters (20 raw bytes) | -| `channelLinks` | array of strings | each ≤ 1024 bytes UTF-8; combined count of `channelLinks + contactLinks` ≤ 8 | -| `contactLinks` | array of strings | each ≤ 1024 bytes UTF-8; combined count cap shared with `channelLinks` | -| `adminAddress` | string or null | ≤ 255 bytes UTF-8; senders MUST emit `null` when unset; receivers MUST also accept absent keys as unset | -| `adminEmail` | string or null | ≤ 255 bytes UTF-8; senders MUST emit `null` when unset; receivers MUST also accept absent keys as unset | -| `expiry` | integer | Int64 Unix seconds, MUST be ≥ 0; `0` means "never expires" | -| `isTest` | boolean | true on testnet deployments | +| `resolver` | string | `"0x"` followed by 40 lowercase hex characters; the resolver contract address that produced the record | + +Text fields (`nickname`, `website`, `location`, `simplexContact`, +`simplexChannel`) use the empty string `""` as the "unset" sentinel: a +backing resolver with no value for the field MUST emit an empty string, not +JSON `null` and not an absent key. Coin fields (`eth`, `btc`, `xmr`, `dot`) +use JSON `null` as the "unset" sentinel and MAY also be absent from the +object entirely. + +The server MUST filter records its backing resolver indicates are expired +or otherwise unavailable (returning `ERR AUTH` to the client), so the wire +format carries no expiry field. Testnet-vs-mainnet status is derived from +the queried TLD rather than an in-record flag. Receivers MUST tolerate extra unknown fields (forward-compatibility for future field additions). Adding a required field is a breaking change requiring an @@ -1511,8 +1528,8 @@ producing the same `NameRecord` MUST emit byte-identical JSON: emit object keys in the order listed above, integers without decimal points, no insignificant whitespace. -**Wire-size budget.** A maximal `nameRecord` (8 × 1024-byte links plus -maximal admin / display strings) JSON-encodes to roughly 9 KB, well under the +**Wire-size budget.** A maximal `nameRecord` (two 1024-byte SimpleX links +plus the other capped strings) JSON-encodes to roughly 4 KB, well under the SMP proxied transmission budget of 16224 bytes. ## Transport connection with the SMP router diff --git a/simplexmq.cabal b/simplexmq.cabal index 08c8b96252..68fe132675 100644 --- a/simplexmq.cabal +++ b/simplexmq.cabal @@ -130,6 +130,8 @@ library Simplex.Messaging.Crypto.ShortLink Simplex.Messaging.Encoding Simplex.Messaging.Encoding.String + Simplex.Messaging.Names.Owner + Simplex.Messaging.Names.Record Simplex.Messaging.Notifications.Client Simplex.Messaging.Notifications.Protocol Simplex.Messaging.Notifications.Transport @@ -263,8 +265,7 @@ library Simplex.Messaging.Server.MsgStore.STM Simplex.Messaging.Server.MsgStore.Types Simplex.Messaging.Server.Names - Simplex.Messaging.Server.Names.Eth.RPC - Simplex.Messaging.Server.Names.Eth.SNRC + Simplex.Messaging.Server.Names.HttpResolver Simplex.Messaging.Server.NtfStore Simplex.Messaging.Server.Prometheus Simplex.Messaging.Server.QueueStore @@ -496,10 +497,12 @@ test-suite simplexmq-test AgentTests.EqInstances AgentTests.FunctionalAPITests AgentTests.MigrationTests + AgentTests.ResolveNameTests AgentTests.ServerChoice AgentTests.ShortLinkTests CLITests CoreTests.BatchingTests + CoreTests.ConnectTargetTests CoreTests.CryptoFileTests CoreTests.CryptoTests CoreTests.EncodingTests @@ -512,6 +515,7 @@ test-suite simplexmq-test CoreTests.VersionRangeTests FileDescriptionTests RemoteControl + RSLVTests ServerTests SMPAgentClient SMPClient diff --git a/src/Simplex/Messaging/Agent.hs b/src/Simplex/Messaging/Agent.hs index bd77b892a1..759efea4e2 100644 --- a/src/Simplex/Messaging/Agent.hs +++ b/src/Simplex/Messaging/Agent.hs @@ -65,6 +65,7 @@ module Simplex.Messaging.Agent setConnShortLink, deleteConnShortLink, getConnShortLink, + resolveSimplexName, getConnLinkPrivKey, deleteLocalInvShortLink, changeConnectionUser, @@ -216,6 +217,7 @@ import Simplex.Messaging.Protocol ErrorType (AUTH), MsgBody, MsgFlags (..), + NameRecord, NtfServer, ProtoServerWithAuth (..), ProtocolServer (..), @@ -440,6 +442,13 @@ getConnShortLink :: AgentClient -> NetworkRequestMode -> UserId -> ConnShortLink getConnShortLink c = withAgentEnv c .:. getConnShortLink' c {-# INLINE getConnShortLink #-} +-- | Resolve a SimpleX name via the configured resolver SMP server (PFWD RSLV). +-- The TLD->contract whitelist lives in the agent so chat clients only need to +-- pass the resolver address and the parsed domain. +resolveSimplexName :: AgentClient -> NetworkRequestMode -> UserId -> SMPServer -> SimplexNameDomain -> AE NameRecord +resolveSimplexName c = withAgentEnv c .:: resolveSimplexName' c +{-# INLINE resolveSimplexName #-} + getConnLinkPrivKey :: AgentClient -> ConnId -> AE (Maybe C.PrivateKeyEd25519) getConnLinkPrivKey c = withAgentEnv c . getConnLinkPrivKey' c {-# INLINE getConnLinkPrivKey #-} @@ -1182,6 +1191,16 @@ getConnShortLink' c nm userId = \case deleteLocalInvShortLink' :: AgentClient -> ConnShortLink 'CMInvitation -> AM () deleteLocalInvShortLink' c (CSLInvitation _ srv linkId _) = withStore' c $ \db -> deleteInvShortLink db srv linkId +resolveSimplexName' :: AgentClient -> NetworkRequestMode -> UserId -> SMPServer -> SimplexNameDomain -> AM NameRecord +resolveSimplexName' c nm userId resolverSrv domain = + resolveName c nm userId resolverSrv placeholderContract (fullDomainName domain) + where + -- The wire format still carries a 20-byte `contract` field on RslvRequest + -- (no SMP version bump), but the server-side resolver ignores it: the + -- backing Python REST resolver is the source of truth for which on-chain + -- registry maps to each TLD. The agent sends the all-zero placeholder. + placeholderContract = either error id (SMP.mkNameOwner (B.replicate 20 '\NUL')) + changeConnectionUser' :: AgentClient -> UserId -> ConnId -> UserId -> AM () changeConnectionUser' c oldUserId connId newUserId = do SomeConn _ conn <- withStore c (`getConn` connId) diff --git a/src/Simplex/Messaging/Agent/Client.hs b/src/Simplex/Messaging/Agent/Client.hs index d33794006b..232705c54c 100644 --- a/src/Simplex/Messaging/Agent/Client.hs +++ b/src/Simplex/Messaging/Agent/Client.hs @@ -68,6 +68,7 @@ module Simplex.Messaging.Agent.Client deleteQueueLink, secureGetQueueLink, getQueueLink, + resolveName, enableQueueNotifications, EnableQueueNtfReq (..), enableQueuesNtfs, @@ -267,6 +268,8 @@ import Simplex.Messaging.Protocol NetworkError (..), MsgFlags (..), MsgId, + NameOwner, + NameRecord, NtfServer, NtfServerWithAuth, ProtoServer, @@ -1990,6 +1993,17 @@ getQueueLink c nm userId server lnkId = getViaProxy smp proxySess = proxyGetSMPQueueLink smp nm proxySess lnkId getDirectly smp = getSMPQueueLink smp nm lnkId +-- | Resolve a public-namespace name. Prefers PFWD (hides client IP from the +-- resolver) and falls back to a direct send when the proxy is unavailable +-- (faster but exposes the client IP). Mode selection is delegated to +-- `sendOrProxySMPCommand`, which honours the network config (SPMNever etc.). +resolveName :: AgentClient -> NetworkRequestMode -> UserId -> SMPServer -> NameOwner -> Text -> AM NameRecord +resolveName c nm userId server contract name = + snd <$> sendOrProxySMPCommand c nm userId server "" "RSLV" NoEntity resolveViaProxy resolveDirectly + where + resolveViaProxy smp proxySess = proxyResolveName smp nm proxySess contract name + resolveDirectly smp = directResolveName smp nm contract name + enableQueueNotifications :: AgentClient -> RcvQueue -> SMP.NtfPublicAuthKey -> SMP.RcvNtfPublicDhKey -> AM (SMP.NotifierId, SMP.RcvNtfPublicDhKey) enableQueueNotifications c rq@RcvQueue {rcvId, rcvPrivateKey} notifierKey rcvNtfPublicDhKey = withSMPClient c NRMBackground rq "NKEY " $ \smp -> diff --git a/src/Simplex/Messaging/Agent/Protocol.hs b/src/Simplex/Messaging/Agent/Protocol.hs index 0860adf2af..573f64ed25 100644 --- a/src/Simplex/Messaging/Agent/Protocol.hs +++ b/src/Simplex/Messaging/Agent/Protocol.hs @@ -122,6 +122,7 @@ module Simplex.Messaging.Agent.Protocol OwnerId, ConnectionLink (..), AConnectionLink (..), + ConnectTarget (..), SimplexNameInfo (..), SimplexNameDomain (..), SimplexTLD (..), @@ -195,6 +196,7 @@ import qualified Data.Aeson.TH as J import qualified Data.Aeson.Types as JT import Data.Attoparsec.ByteString.Char8 (Parser) import qualified Data.Attoparsec.ByteString.Char8 as A +import Data.Attoparsec.Combinator (lookAhead) import qualified Data.ByteString.Base64.URL as B64 import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B @@ -1596,6 +1598,24 @@ instance ToJSON AConnectionLink where instance FromJSON AConnectionLink where parseJSON = strParseJSON "AConnectionLink" +data ConnectTarget = CTLink AConnectionLink | CTName SimplexNameInfo + deriving (Eq, Show) + +instance StrEncoding ConnectTarget where + strEncode = \case + CTLink l -> strEncode l + CTName n -> strEncode n + strP = CTName <$> (lookAhead nameStart *> strP) <|> CTLink <$> strP + where + nameStart = "@" <|> "#" <|> "simplex:/name" + +instance ToJSON ConnectTarget where + toEncoding = strToJEncoding + toJSON = strToJSON + +instance FromJSON ConnectTarget where + parseJSON = strParseJSON "ConnectTarget" + instance ConnectionModeI m => StrEncoding (ConnShortLink m) where strEncode = \case CSLInvitation sch srv (SMP.EntityId lnkId) (LinkKey k) -> slEncode sch srv 'i' lnkId k diff --git a/src/Simplex/Messaging/Client.hs b/src/Simplex/Messaging/Client.hs index 67b31de186..9fb5255537 100644 --- a/src/Simplex/Messaging/Client.hs +++ b/src/Simplex/Messaging/Client.hs @@ -73,6 +73,8 @@ module Simplex.Messaging.Client deleteSMPQueues, connectSMPProxiedRelay, proxySMPMessage, + proxyResolveName, + directResolveName, forwardSMPTransmission, getSMPQueueInfo, sendProtocolCommand, @@ -1046,6 +1048,26 @@ sendSMPMessage c nm spKey sId flags msg = proxySMPMessage :: SMPClient -> NetworkRequestMode -> ProxiedRelay -> Maybe SndPrivateAuthKey -> SenderId -> MsgFlags -> MsgBody -> ExceptT SMPClientError IO (Either ProxyClientError ()) proxySMPMessage c nm proxiedRelay spKey sId flags msg = proxyOKSMPCommand c nm proxiedRelay spKey sId (SEND flags msg) +-- | Resolve a public-namespace name via PFWD. Preferred path - hides the +-- client IP from the resolver. Mirrors `proxySMPMessage`'s shape; routes +-- through `proxySMPCommand` and pattern-matches the expected NAME response. +proxyResolveName :: SMPClient -> NetworkRequestMode -> ProxiedRelay -> NameOwner -> Text -> ExceptT SMPClientError IO (Either ProxyClientError NameRecord) +proxyResolveName c nm proxiedRelay contract name = + proxySMPCommand c nm proxiedRelay Nothing NoEntity (RSLV RslvRequest {name, contract}) >>= \case + Right (NAME nr) -> pure $ Right nr + Right r -> throwE $ unexpectedResponse r + Left e -> pure $ Left e + +-- | Direct (non-PFWD) name resolution. Exposes the client IP to the resolver; +-- callers that want anonymity should use `proxyResolveName` via the standard +-- proxy fallback in the agent. RSLV requires no entity ID or authorization +-- (see `noAuthCmd` in Protocol.hs). +directResolveName :: SMPClient -> NetworkRequestMode -> NameOwner -> Text -> ExceptT SMPClientError IO NameRecord +directResolveName c nm contract name = + sendProtocolCommand c nm Nothing NoEntity (Cmd SResolver (RSLV RslvRequest {name, contract})) >>= \case + NAME nr -> pure nr + r -> throwE $ unexpectedResponse r + -- | Acknowledge message delivery (server deletes the message). -- -- https://github.com/simplex-chat/simplexmq/blob/master/protocol/simplex-messaging.md#acknowledge-message-delivery diff --git a/src/Simplex/Messaging/Names/Owner.hs b/src/Simplex/Messaging/Names/Owner.hs new file mode 100644 index 0000000000..5c5bfdd3f4 --- /dev/null +++ b/src/Simplex/Messaging/Names/Owner.hs @@ -0,0 +1,46 @@ +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE StrictData #-} + +module Simplex.Messaging.Names.Owner + ( NameOwner, + mkNameOwner, + unNameOwner, + ) +where + +import Control.Applicative ((<|>)) +import qualified Data.Aeson as J +import qualified Data.ByteArray.Encoding as BAE +import Data.ByteString.Char8 (ByteString) +import qualified Data.ByteString.Char8 as B +import Data.Maybe (fromMaybe) +import qualified Data.Text as T +import Data.Text.Encoding (decodeLatin1, encodeUtf8) + +-- | 20-byte Ethereum address (NameRecord owner). Bare constructor not exported; +-- use `mkNameOwner` to enforce the 20-byte invariant. +newtype NameOwner = NameOwner ByteString + deriving (Eq) + +-- Render the 20 raw bytes as "0x"-prefixed lowercase hex so log lines / +-- traceShow output match the on-the-wire JSON form instead of Latin-1 garbage. +instance Show NameOwner where + show (NameOwner bs) = "NameOwner 0x" <> B.unpack (BAE.convertToBase BAE.Base16 bs) + +mkNameOwner :: ByteString -> Either String NameOwner +mkNameOwner bs + | B.length bs == 20 = Right (NameOwner bs) + | otherwise = Left "NameOwner must be 20 bytes" + +unNameOwner :: NameOwner -> ByteString +unNameOwner (NameOwner bs) = bs +{-# INLINE unNameOwner #-} + +instance J.ToJSON NameOwner where + toJSON (NameOwner bs) = J.String $ "0x" <> decodeLatin1 (BAE.convertToBase BAE.Base16 bs) + +instance J.FromJSON NameOwner where + parseJSON = J.withText "NameOwner" $ \t -> do + -- Accept "0x" and "0X" prefixes (matches the Server-side hex decoder). + let hex = fromMaybe t (T.stripPrefix "0x" t <|> T.stripPrefix "0X" t) + either fail pure $ BAE.convertFromBase BAE.Base16 (encodeUtf8 hex) >>= mkNameOwner diff --git a/src/Simplex/Messaging/Names/Record.hs b/src/Simplex/Messaging/Names/Record.hs new file mode 100644 index 0000000000..460f85bbd1 --- /dev/null +++ b/src/Simplex/Messaging/Names/Record.hs @@ -0,0 +1,70 @@ +{-# LANGUAGE NamedFieldPuns #-} +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE StrictData #-} +{-# LANGUAGE TemplateHaskell #-} + +module Simplex.Messaging.Names.Record + ( NameRecord (..), + ) +where + +import qualified Data.Aeson as J +import qualified Data.Aeson.TH as JQ +import qualified Data.ByteString.Char8 as B +import Data.Text (Text) +import Data.Text.Encoding (encodeUtf8) +import Simplex.Messaging.Names.Owner (NameOwner) +import Simplex.Messaging.Parsers (defaultJSON, dropPrefix) + +-- | Resolved name record returned by the names role. +-- Wire format is JSON — change requires an SMP version bump. +-- JSON keys match the Python REST resolver (PR #1795 `snrc-resolve.py`). +-- Text fields use the empty string as the "unset" sentinel; coin fields +-- use JSON `null`. `owner` and `resolver` carry 20-byte addresses encoded +-- as `0x`-prefixed lowercase hex (see Names.Owner). +data NameRecord = NameRecord + { nrName :: Text, + nrNickname :: Text, + nrWebsite :: Text, + nrLocation :: Text, + nrSimplexContact :: Text, + nrSimplexChannel :: Text, + nrEth :: Maybe Text, + nrBtc :: Maybe Text, + nrXmr :: Maybe Text, + nrDot :: Maybe Text, + nrOwner :: NameOwner, + nrResolver :: NameOwner -- resolver address that produced the record + } + deriving (Eq, Show) + +-- ToJSON / toEncoding TH-derived from a single Options value so both Aeson +-- paths emit byte-identical output in declaration order. omitNothingFields +-- is False so absent coin fields surface as JSON `null` (matches the Python +-- resolver output for unset coins). +$( JQ.deriveToJSON + defaultJSON {J.omitNothingFields = False, J.fieldLabelModifier = dropPrefix "nr"} + ''NameRecord + ) + +-- FromJSON is hand-rolled to enforce per-field UTF-8 byte-length caps that +-- TH derivation cannot express. +instance J.FromJSON NameRecord where + parseJSON = J.withObject "NameRecord" $ \o -> do + nrName <- o J..: "name" >>= capUtf8 "name" 255 + nrNickname <- o J..: "nickname" >>= capUtf8 "nickname" 255 + nrWebsite <- o J..: "website" >>= capUtf8 "website" 255 + nrLocation <- o J..: "location" >>= capUtf8 "location" 255 + nrSimplexContact <- o J..: "simplexContact" >>= capUtf8 "simplexContact" 1024 + nrSimplexChannel <- o J..: "simplexChannel" >>= capUtf8 "simplexChannel" 1024 + nrEth <- o J..:? "eth" >>= traverse (capUtf8 "eth" 255) + nrBtc <- o J..:? "btc" >>= traverse (capUtf8 "btc" 255) + nrXmr <- o J..:? "xmr" >>= traverse (capUtf8 "xmr" 255) + nrDot <- o J..:? "dot" >>= traverse (capUtf8 "dot" 255) + nrOwner <- o J..: "owner" + nrResolver <- o J..: "resolver" + pure NameRecord {nrName, nrNickname, nrWebsite, nrLocation, nrSimplexContact, nrSimplexChannel, nrEth, nrBtc, nrXmr, nrDot, nrOwner, nrResolver} + where + capUtf8 fld lim t + | B.length (encodeUtf8 t) <= lim = pure t + | otherwise = fail $ fld <> " exceeds " <> show lim <> " bytes UTF-8" diff --git a/src/Simplex/Messaging/Protocol.hs b/src/Simplex/Messaging/Protocol.hs index ebe3506ba9..83204ccf13 100644 --- a/src/Simplex/Messaging/Protocol.hs +++ b/src/Simplex/Messaging/Protocol.hs @@ -168,9 +168,6 @@ module Simplex.Messaging.Protocol NameOwner, mkNameOwner, unNameOwner, - NameLink, - mkNameLink, - unNameLink, MsgFlags (..), initialSMPClientVersion, currentSMPClientVersion, @@ -246,7 +243,6 @@ import qualified Data.ByteString as BS import qualified Data.ByteString.Base64 as B64 import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B -import qualified Data.ByteArray.Encoding as BAE import qualified Data.ByteString.Lazy as LB import Data.Char (isPrint, isSpace) import Data.Constraint (Dict (..)) @@ -256,7 +252,7 @@ import Data.Kind import Data.List (foldl') import Data.List.NonEmpty (NonEmpty (..)) import qualified Data.List.NonEmpty as L -import Data.Maybe (fromMaybe, isJust, isNothing) +import Data.Maybe (isJust, isNothing) import Data.String import Data.Text (Text) import qualified Data.Text as T @@ -273,6 +269,8 @@ import Simplex.Messaging.Agent.Store.DB (Binary (..), FromField (..), ToField (. import qualified Simplex.Messaging.Crypto as C import Simplex.Messaging.Encoding import Simplex.Messaging.Encoding.String +import Simplex.Messaging.Names.Owner (NameOwner, mkNameOwner, unNameOwner) +import Simplex.Messaging.Names.Record (NameRecord (..)) import Simplex.Messaging.Parsers import Simplex.Messaging.Protocol.Types import Simplex.Messaging.Server.QueueStore.QueueInfo @@ -488,7 +486,7 @@ partyClientRole = \case SSenderLink -> Just SRMessaging SProxiedClient -> Just SRMessaging SProxyService -> Just SRProxy - SResolver -> Nothing + SResolver -> Just SRMessaging {-# INLINE partyClientRole #-} partyServiceRole :: ServiceParty p => SParty p -> SMPServiceRole @@ -736,34 +734,6 @@ instance Encoding FwdTransmission where newtype EncFwdTransmission = EncFwdTransmission ByteString deriving (Show) --- | 20-byte Ethereum address (NameRecord owner). Bare constructor not exported; --- use `mkNameOwner` to enforce the 20-byte invariant. -newtype NameOwner = NameOwner ByteString - deriving (Eq) - --- Render the 20 raw bytes as "0x"-prefixed lowercase hex so log lines / --- traceShow output match the on-the-wire JSON form instead of Latin-1 garbage. -instance Show NameOwner where - show (NameOwner bs) = "NameOwner 0x" <> B.unpack (BAE.convertToBase BAE.Base16 bs) - -mkNameOwner :: ByteString -> Either String NameOwner -mkNameOwner bs - | B.length bs == 20 = Right (NameOwner bs) - | otherwise = Left "NameOwner must be 20 bytes" - -unNameOwner :: NameOwner -> ByteString -unNameOwner (NameOwner bs) = bs -{-# INLINE unNameOwner #-} - -instance J.ToJSON NameOwner where - toJSON (NameOwner bs) = J.String $ "0x" <> decodeLatin1 (BAE.convertToBase BAE.Base16 bs) - -instance J.FromJSON NameOwner where - parseJSON = J.withText "NameOwner" $ \t -> do - -- Accept "0x" and "0X" prefixes (matches the Server-side hex decoder). - let hex = fromMaybe t (T.stripPrefix "0x" t <|> T.stripPrefix "0X" t) - either fail pure $ BAE.convertFromBase BAE.Base16 (encodeUtf8 hex) >>= mkNameOwner - instance J.ToJSON RslvRequest where toJSON RslvRequest {name, contract} = J.object ["name" J..= name, "contract" J..= contract] toEncoding RslvRequest {name, contract} = J.pairs ("name" J..= name <> "contract" J..= contract) @@ -774,85 +744,6 @@ instance J.FromJSON RslvRequest where contract <- o J..: "contract" pure RslvRequest {name, contract} --- | A name-record link (channel or contact). Bare constructor not exported; --- use `mkNameLink` to enforce the ≤1024-byte UTF-8 invariant. -newtype NameLink = NameLink Text - deriving (Eq, Show) - -mkNameLink :: Text -> Either String NameLink -mkNameLink t - | B.length (encodeUtf8 t) <= 1024 = Right (NameLink t) - | otherwise = Left "NameLink too long" - -unNameLink :: NameLink -> Text -unNameLink (NameLink t) = t -{-# INLINE unNameLink #-} - -instance J.ToJSON NameLink where - toJSON (NameLink t) = J.toJSON t - -instance J.FromJSON NameLink where - parseJSON = J.withText "NameLink" (either fail pure . mkNameLink) - --- | Resolved name record returned by the names role. --- Wire format is JSON — change requires an SMP version bump. -data NameRecord = NameRecord - { nrDisplayName :: Text, - nrOwner :: NameOwner, - nrChannelLinks :: [NameLink], - nrContactLinks :: [NameLink], - nrAdminAddress :: Maybe Text, - nrAdminEmail :: Maybe Text, - nrExpiry :: Int64, -- Unix seconds, ≥ 0 - nrIsTest :: Bool - } - deriving (Eq, Show) - -instance J.ToJSON NameRecord where - toJSON NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest} = - J.object - [ "displayName" J..= nrDisplayName, - "owner" J..= nrOwner, - "channelLinks" J..= nrChannelLinks, - "contactLinks" J..= nrContactLinks, - "adminAddress" J..= nrAdminAddress, - "adminEmail" J..= nrAdminEmail, - "expiry" J..= nrExpiry, - "isTest" J..= nrIsTest - ] - -- explicit toEncoding to preserve the spec-documented key order; the default - -- routes through Value/KeyMap and re-emits keys alphabetically, breaking the - -- "two routers MUST emit byte-identical JSON" requirement. - toEncoding NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest} = - J.pairs $ - "displayName" J..= nrDisplayName - <> "owner" J..= nrOwner - <> "channelLinks" J..= nrChannelLinks - <> "contactLinks" J..= nrContactLinks - <> "adminAddress" J..= nrAdminAddress - <> "adminEmail" J..= nrAdminEmail - <> "expiry" J..= nrExpiry - <> "isTest" J..= nrIsTest - -instance J.FromJSON NameRecord where - parseJSON = J.withObject "NameRecord" $ \o -> do - nrDisplayName <- o J..: "displayName" >>= capUtf8 "displayName" 255 - nrOwner <- o J..: "owner" - nrChannelLinks <- o J..: "channelLinks" - nrContactLinks <- o J..: "contactLinks" - when (length nrChannelLinks + length nrContactLinks > 8) $ - fail "combined channelLinks + contactLinks > 8" - nrAdminAddress <- o J..:? "adminAddress" >>= traverse (capUtf8 "adminAddress" 255) - nrAdminEmail <- o J..:? "adminEmail" >>= traverse (capUtf8 "adminEmail" 255) - nrExpiry <- o J..: "expiry" - when (nrExpiry < 0) $ fail "expiry must be non-negative" - nrIsTest <- o J..: "isTest" - pure NameRecord {nrDisplayName, nrOwner, nrChannelLinks, nrContactLinks, nrAdminAddress, nrAdminEmail, nrExpiry, nrIsTest} - where - capUtf8 fld lim t - | B.length (encodeUtf8 t) <= lim = pure t - | otherwise = fail $ fld <> " exceeds " <> show lim <> " bytes UTF-8" - data BrokerMsg where -- SMP broker messages (responses, client messages, notifications) IDS :: QueueIdsKeys -> BrokerMsg diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index 4c3447176d..ae5383b2b4 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -32,6 +32,7 @@ module Simplex.Messaging.Server ( runSMPServer, runSMPServerBlocking, + runSMPServerBlockingWithNames, controlPortAuth, importMessages, exportMessages, @@ -108,7 +109,7 @@ import Simplex.Messaging.Server.Env.STM as Env import Simplex.Messaging.Server.Expiration import Simplex.Messaging.Server.MsgStore import Simplex.Messaging.Server.MsgStore.Journal (JournalMsgStore, JournalQueue (..), getJournalQueueMessages) -import Simplex.Messaging.Server.Names (ResolveError (..), closeNamesEnv, resolveName, verifyRslv) +import Simplex.Messaging.Server.Names (NamesEnv, ResolveError (..), closeNamesEnv, parseName, resolveName) import Simplex.Messaging.Server.MsgStore.STM import Simplex.Messaging.Server.MsgStore.Types import Simplex.Messaging.Server.NtfStore @@ -162,6 +163,13 @@ runSMPServer cfg attachHTTP_ = do runSMPServerBlocking :: MsgStoreClass s => TMVar Bool -> ServerConfig s -> Maybe AttachHTTP -> IO () runSMPServerBlocking started cfg attachHTTP_ = newEnv cfg >>= runReaderT (smpServer started cfg attachHTTP_) +-- | Test seam: run the server with a pre-built `namesEnv` (typically a stub +-- backed by `newNamesEnvWith`). Production code MUST use `runSMPServerBlocking`, +-- which builds `namesEnv` from `namesConfig` and probes the real RPC endpoint. +runSMPServerBlockingWithNames :: MsgStoreClass s => TMVar Bool -> ServerConfig s -> Maybe AttachHTTP -> Maybe NamesEnv -> IO () +runSMPServerBlockingWithNames started cfg attachHTTP_ namesOverride = + newEnvWithNames cfg namesOverride >>= runReaderT (smpServer started cfg attachHTTP_) + type M s a = ReaderT (Env s) IO a type AttachHTTP = Socket -> TLS.Context -> IO () @@ -1157,8 +1165,8 @@ receive h@THandle {params = THandleParams {thAuth, sessionId}} ms Client {rcvQ, updateBatchStats stats cmd -- even if nothing is verified let queueId (_, _, (_, qId, _)) = qId qs <- getQueueRecs ms p $ map queueId ts' - zipWithM (\t -> verified stats t . verifyLoadedQueue False service thAuth t) ts' qs - _ -> mapM (\t -> verified stats t =<< verifyTransmission False ms service thAuth t) ts' + zipWithM (\t -> verified stats t . verifyLoadedQueue service thAuth t) ts' qs + _ -> mapM (\t -> verified stats t =<< verifyTransmission ms service thAuth t) ts' mapM_ (atomically . writeTBQueue rcvQ) $ L.nonEmpty cmds pure $ errs ++ errs' [] -> pure errs @@ -1238,19 +1246,19 @@ data VerificationResult s = VRVerified (Maybe (StoreQueue s, QueueRec)) | VRFail -- - the queue or party key do not exist. -- In all cases, the time of the verification should depend only on the provided authorization type, -- a dummy key is used to run verification in the last two cases, and failure is returned irrespective of the result. -verifyTransmission :: forall s. MsgStoreClass s => Bool -> s -> Maybe THPeerClientService -> Maybe (THandleAuth 'TServer) -> SignedTransmission Cmd -> IO (VerificationResult s) -verifyTransmission forwarded ms service thAuth t@(_, _, (_, queueId, Cmd p _)) = case queueParty p of - Just Dict -> verifyLoadedQueue forwarded service thAuth t <$> getQueueRec ms p queueId - Nothing -> pure $ verifyQueueTransmission forwarded service thAuth t Nothing - -verifyLoadedQueue :: Bool -> Maybe THPeerClientService -> Maybe (THandleAuth 'TServer) -> SignedTransmission Cmd -> Either ErrorType (StoreQueue s, QueueRec) -> VerificationResult s -verifyLoadedQueue forwarded service thAuth t@(tAuth, authorized, (corrId, _, _)) = \case - Right q -> verifyQueueTransmission forwarded service thAuth t (Just q) +verifyTransmission :: forall s. MsgStoreClass s => s -> Maybe THPeerClientService -> Maybe (THandleAuth 'TServer) -> SignedTransmission Cmd -> IO (VerificationResult s) +verifyTransmission ms service thAuth t@(_, _, (_, queueId, Cmd p _)) = case queueParty p of + Just Dict -> verifyLoadedQueue service thAuth t <$> getQueueRec ms p queueId + Nothing -> pure $ verifyQueueTransmission service thAuth t Nothing + +verifyLoadedQueue :: Maybe THPeerClientService -> Maybe (THandleAuth 'TServer) -> SignedTransmission Cmd -> Either ErrorType (StoreQueue s, QueueRec) -> VerificationResult s +verifyLoadedQueue service thAuth t@(tAuth, authorized, (corrId, _, _)) = \case + Right q -> verifyQueueTransmission service thAuth t (Just q) Left AUTH -> dummyVerifyCmd thAuth tAuth authorized corrId `seq` VRFailed AUTH Left e -> VRFailed e -verifyQueueTransmission :: forall s. Bool -> Maybe THPeerClientService -> Maybe (THandleAuth 'TServer) -> SignedTransmission Cmd -> Maybe (StoreQueue s, QueueRec) -> VerificationResult s -verifyQueueTransmission forwarded service thAuth (tAuth, authorized, (corrId, entId, command@(Cmd p cmd))) q_ +verifyQueueTransmission :: forall s. Maybe THPeerClientService -> Maybe (THandleAuth 'TServer) -> SignedTransmission Cmd -> Maybe (StoreQueue s, QueueRec) -> VerificationResult s +verifyQueueTransmission service thAuth (tAuth, authorized, (corrId, entId, command@(Cmd p cmd))) q_ | not checkRole = VRFailed $ CMD PROHIBITED | not verifyServiceSig = VRFailed SERVICE | otherwise = vc p cmd @@ -1270,9 +1278,9 @@ verifyQueueTransmission forwarded service thAuth (tAuth, authorized, (corrId, en vc SNotifierService NSUBS {} = verifyServiceCmd vc SProxiedClient _ = VRVerified Nothing vc SProxyService (RFWD _) = VRVerified Nothing - vc SResolver (RSLV _) - | forwarded = VRVerified Nothing - | otherwise = VRFailed $ CMD PROHIBITED + -- RSLV is accepted both forwarded (via PFWD, preferred - hides client IP from resolver) + -- and direct (client->resolver, faster, exposes client IP). Mode is chosen by the client. + vc SResolver (RSLV _) = VRVerified Nothing checkRole = case (service, partyClientRole p) of (Just THClientService {serviceRole}, Just role) -> serviceRole == role _ -> True @@ -1502,9 +1510,9 @@ client incStat (rslvReqs st) (selector, msg) <- asks namesEnv >>= \case Nothing -> pure (rslvDisabled, ERR AUTH) - Just nenv -> case verifyRslv nenv req of + Just nenv -> case parseName req of Nothing -> pure (rslvBadName, ERR AUTH) - Just (addr, d) -> liftIO (resolveName nenv addr d) <&> \case + Just d -> liftIO (resolveName nenv d) <&> \case Right rec -> (rslvSucc, NAME rec) Left NotFound -> (rslvNotFound, ERR AUTH) Left _ -> (rslvEthErrs, ERR AUTH) @@ -2149,7 +2157,7 @@ client rejectOrVerify clntThAuth = \case Left (corrId', entId', e) -> pure $ Left (corrId', entId', ERR e) Right t'@(_, _, t''@(corrId', entId', cmd')) - | allowed -> liftIO $ verified <$> verifyTransmission True ms Nothing clntThAuth t' + | allowed -> liftIO $ verified <$> verifyTransmission ms Nothing clntThAuth t' | otherwise -> pure $ Left (corrId', entId', ERR $ CMD PROHIBITED) where allowed = case cmd' of diff --git a/src/Simplex/Messaging/Server/Env/STM.hs b/src/Simplex/Messaging/Server/Env/STM.hs index a9e9d91eab..835db4bd7b 100644 --- a/src/Simplex/Messaging/Server/Env/STM.hs +++ b/src/Simplex/Messaging/Server/Env/STM.hs @@ -76,6 +76,7 @@ module Simplex.Messaging.Server.Env.STM noPostgresExit, dbStoreCfg, storeLogFile', + newEnvWithNames, ) where @@ -116,7 +117,7 @@ import Simplex.Messaging.Server.MsgStore.Journal import Simplex.Messaging.Server.MsgStore.STM import Simplex.Messaging.Server.MsgStore.Types import Simplex.Messaging.Server.Names (NamesConfig (..), NamesEnv, newNamesEnv, pingEndpoint) -import Simplex.Messaging.Server.Names.Eth.RPC (scrubUrl) +import Simplex.Messaging.Server.Names.HttpResolver (scrubUrl) import Simplex.Messaging.Server.NtfStore import Simplex.Messaging.Server.QueueStore import Simplex.Messaging.Server.QueueStore.Postgres.Config @@ -563,7 +564,14 @@ newProhibitedSub = do return Sub {subThread = ProhibitSub, delivered} newEnv :: ServerConfig s -> IO (Env s) -newEnv config@ServerConfig {allowSMPProxy, smpCredentials, httpCredentials, serverStoreCfg, smpAgentCfg, information, messageExpiration, idleQueueInterval, msgQueueQuota, maxJournalMsgCount, maxJournalStateLines, namesConfig} = do +newEnv cfg = newEnvWithNames cfg Nothing + +-- | Test seam: build the server env, but if `namesOverride` is provided, +-- use it as `namesEnv` and skip the production `newNamesEnv` / `pingEndpoint` +-- path. This is the only injection point for stub `ethCall` implementations +-- in functional-API tests. +newEnvWithNames :: ServerConfig s -> Maybe NamesEnv -> IO (Env s) +newEnvWithNames config@ServerConfig {allowSMPProxy, smpCredentials, httpCredentials, serverStoreCfg, smpAgentCfg, information, messageExpiration, idleQueueInterval, msgQueueQuota, maxJournalMsgCount, maxJournalStateLines, namesConfig} namesOverride = do serverActive <- newTVarIO True server <- newServer msgStore_ <- case serverStoreCfg of @@ -608,20 +616,22 @@ newEnv config@ServerConfig {allowSMPProxy, smpCredentials, httpCredentials, serv sockets <- newTVarIO [] clientSeq <- newTVarIO 0 proxyAgent <- newSMPProxyAgent smpAgentCfg random - namesEnv <- case namesConfig of - Nothing -> pure Nothing - Just nc -> do - logInfo $ "[NAMES] resolver enabled, endpoint=" <> scrubUrl (ethereumEndpoint nc) - when allowSMPProxy $ - logWarn "[NAMES] enable: on on a proxy-role host: slow RSLV calls can serialise other forwarded commands on the same proxy-relay session. For high-volume deployments, run [NAMES] on a separate host." - env <- newNamesEnv nc - -- Probe the endpoint at startup. Don't exitFailure: a flapping - -- network or an Ethereum host coming up minutes after smp-server - -- should not block the server. Log so operators can spot it. - pingEndpoint env >>= \case - Right _ -> logInfo "[NAMES] endpoint probe ok" - Left e -> logWarn $ "[NAMES] endpoint probe failed (server will still start, RSLV will return ERR AUTH until reachable): " <> tshow e - pure (Just env) + namesEnv <- case namesOverride of + Just env -> pure (Just env) + Nothing -> case namesConfig of + Nothing -> pure Nothing + Just nc -> do + logInfo $ "[NAMES] resolver enabled, endpoint=" <> scrubUrl (resolverEndpoint nc) + when allowSMPProxy $ + logWarn "[NAMES] enable: on on a proxy-role host: slow RSLV calls can serialise other forwarded commands on the same proxy-relay session. For high-volume deployments, run [NAMES] on a separate host." + env <- newNamesEnv nc + -- Probe the endpoint at startup. Don't exitFailure: a flapping + -- network or an Ethereum host coming up minutes after smp-server + -- should not block the server. Log so operators can spot it. + pingEndpoint env >>= \case + Right _ -> logInfo "[NAMES] endpoint probe ok" + Left e -> logWarn $ "[NAMES] endpoint probe failed (server will still start, RSLV will return ERR AUTH until reachable): " <> tshow e + pure (Just env) pure Env { serverActive, diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index 47345ef013..fedd0d5089 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -70,7 +70,7 @@ import qualified Data.IP as IP import Data.Bits (shiftR, (.&.)) import Data.Word (Word32) import Network.URI (URI (..), URIAuth (..), parseAbsoluteURI) -import Simplex.Messaging.Protocol (BasicAuth (..), ProtoServerWithAuth (ProtoServerWithAuth), mkNameOwner, pattern SMPServer) +import Simplex.Messaging.Protocol (BasicAuth (..), ProtoServerWithAuth (ProtoServerWithAuth), pattern SMPServer) import Simplex.Messaging.Server (AttachHTTP, exportMessages, importMessages, printMessageStats, runSMPServer) import Simplex.Messaging.Server.CLI import Simplex.Messaging.Server.Env.STM @@ -80,7 +80,7 @@ import Simplex.Messaging.Server.Main.Init import Simplex.Messaging.Server.Web (EmbeddedWebParams (..), WebHttpsParams (..)) import Simplex.Messaging.Server.MsgStore.Journal (JournalMsgStore (..), QStoreCfg (..), stmQueueStore) import Simplex.Messaging.Server.MsgStore.Types (MsgStoreClass (..), SQSType (..), SMSType (..), newMsgStore) -import Simplex.Messaging.Server.Names (NamesConfig (..), RpcAuth (..), TldRegistries (..)) +import Simplex.Messaging.Server.Names (NamesConfig (..), RpcAuth (..)) import Simplex.Messaging.Server.QueueStore.Postgres.Config import Simplex.Messaging.Server.StoreLog.ReadWrite (readQueueStore) import Simplex.Messaging.Transport (supportedProxyClientSMPRelayVRange, alpnSupportedSMPHandshakes, supportedServerSMPRelayVRange) @@ -806,29 +806,25 @@ readNamesConfig :: Ini -> Maybe NamesConfig readNamesConfig ini | not enabled = Nothing | otherwise = - let rpcAuth_ = either (error . ("[NAMES] rpc_auth: " <>)) Just . parseRpcAuth =<< eitherToMaybe (lookupValue "NAMES" "rpc_auth" ini) - endpoint = requiredText "ethereum_endpoint" + let resolverAuth_ = either (error . ("[NAMES] resolver_auth: " <>)) Just . parseRpcAuth =<< eitherToMaybe (lookupValue "NAMES" "resolver_auth" ini) + endpoint = requiredText "resolver_endpoint" in Just NamesConfig - { ethereumEndpoint = either (error . ("[NAMES] ethereum_endpoint: " <>)) id (validateUrl endpoint rpcAuth_), - tldRegistries = hardcodedTldRegistries, - rpcAuth = rpcAuth_, - rpcTimeoutMs = boundedIniInt 3000 100 60000 "rpc_timeout_ms", - rpcMaxResponseBytes = boundedIniInt 262144 1024 16777216 "rpc_max_response_bytes", - rpcMaxConcurrency = boundedIniInt 8 1 1024 "rpc_max_concurrency" + { resolverEndpoint = either (error . ("[NAMES] resolver_endpoint: " <>)) id (validateUrl endpoint resolverAuth_), + resolverAuth = resolverAuth_, + resolverTimeoutMs = boundedIniInt 3000 100 60000 "resolver_timeout_ms", + resolverMaxResponseBytes = boundedIniInt 65536 1024 16777216 "resolver_max_response_bytes" } where enabled = fromMaybe False (iniOnOff "NAMES" "enable" ini) requiredText key = either (error . (("[NAMES] " <> T.unpack key <> " is required: ") <>)) id $ lookupValue "NAMES" key ini - -- Reject zero / negative values that would deadlock waitQSem (concurrency = 0), - -- time-out every RSLV immediately (timeout = 0), or accept zero-length - -- responses (max_response_bytes = 0). The lower bounds also catch sub-sane - -- values an operator might choose by accident. The upper bounds defend - -- against operator-misconfig footguns: 16 MiB response cap (worst-case - -- per-call memory), 60 s timeout (no operator wants RSLV to hang longer), - -- 1024 concurrent RPCs (any higher should run a separate names router). + -- Lower bound rejects values that would time-out every RSLV immediately + -- (timeout = 0) or accept zero-length responses (max_response_bytes = 0). + -- The upper bounds defend against operator-misconfig footguns: 16 MiB + -- response cap (worst-case per-call memory), 60 s timeout (no operator + -- wants RSLV to hang longer). boundedIniInt def floor_ ceiling_ key = case lookupValue "NAMES" key ini of Left _ -> def Right raw -> case readMaybe (T.unpack (T.strip raw)) of @@ -839,33 +835,17 @@ readNamesConfig ini | otherwise -> error $ "[NAMES] " <> T.unpack key <> " must be in [" <> show floor_ <> ".." <> show ceiling_ <> "] (got " <> show n <> ")" --- | Hardcoded SNRC contract whitelist. Placeholder addresses until the --- launch contracts are deployed; replaced in code rather than INI so --- operators can't accidentally point a names router at the wrong contract --- during the bootstrap phase. The TldRegistries shape + lookup precedence --- (TLD-specific then `tldAll` catch-all) is unchanged from the previous --- INI-driven form. -hardcodedTldRegistries :: TldRegistries -hardcodedTldRegistries = - TldRegistries - { tldSimplex = Just (placeholderAddr '\x11'), - tldTesting = Just (placeholderAddr '\x22'), - tldAll = Nothing - } - where - placeholderAddr c = either error id $ mkNameOwner (B.replicate 20 c) - --- | Validate the ethereum_endpoint URL: +-- | Validate the resolver_endpoint URL: -- * scheme must be http: or https: -- * authority (host) must be present and non-empty --- * port MUST be explicit (rejects http://host without :8545 to avoid --- accidentally hitting :80 when Reth listens on :8545) +-- * port MUST be explicit (rejects http://host without :8000 to avoid +-- accidentally hitting :80 when the resolver listens on :8000) -- * userinfo (user:pass@) MUST NOT be present (credentials belong in --- rpc_auth so they don't leak via Host header or logs) +-- resolver_auth so they don't leak via Host header or logs) -- * query and fragment MUST NOT be present -- * http is rejected on non-loopback hosts (plaintext to a third party --- leaks rpc_auth on every request) --- * https requires rpc_auth on non-loopback hosts (a public endpoint +-- leaks resolver_auth on every request) +-- * https requires resolver_auth on non-loopback hosts (a public endpoint -- without auth is almost always misconfig) -- * link-local hosts (169.254.0.0/16, including the cloud metadata IP -- 169.254.169.254) are rejected unconditionally @@ -884,9 +864,9 @@ validateUrl url auth_ = do Left "non-canonical IPv4 form not allowed (use dotted-quad decimal 0-255 with no leading zeros); rejects inet_aton hex/octal/compact aliases of 169.254.169.254" when (isLinkLocal host || isForbiddenIpv6 host) $ Left "link-local host not allowed (rejects cloud metadata services and IPv6 aliases of 169.254.0.0/16)" - unless (null (uriUserInfo ua)) $ Left "userinfo (user:pass@) not allowed; use rpc_auth instead" + unless (null (uriUserInfo ua)) $ Left "userinfo (user:pass@) not allowed; use resolver_auth instead" case uriPort ua of - "" -> Left "explicit port required (e.g. http://host:8545)" + "" -> Left "explicit port required (e.g. http://host:8000)" ':' : portStr -> case readMaybe portStr of Just n | (n :: Int) >= 1 && n <= 65535 -> Right () _ -> Left $ "port " <> portStr <> " out of range (must be 1..65535)" @@ -895,10 +875,10 @@ validateUrl url auth_ = do unless (null (uriFragment uri)) $ Left "fragment not allowed" let path = uriPath uri unless (path == "" || path == "/") $ - Left "URL path not allowed; API keys embedded in the path leak to logs — use rpc_auth instead" + Left "URL path not allowed; API keys embedded in the path leak to logs — use resolver_auth instead" unless (isLoopback host) $ case scheme of - "http:" -> Left "http endpoint on a non-loopback host not allowed (plaintext leaks rpc_auth); use https" - "https:" | isNothing auth_ -> Left "https endpoint on a non-loopback host requires rpc_auth" + "http:" -> Left "http endpoint on a non-loopback host not allowed (plaintext leaks resolver_auth); use https" + "https:" | isNothing auth_ -> Left "https endpoint on a non-loopback host requires resolver_auth" _ -> Right () Right url where diff --git a/src/Simplex/Messaging/Server/Main/Init.hs b/src/Simplex/Messaging/Server/Main/Init.hs index 9ec67bc178..355615d4f2 100644 --- a/src/Simplex/Messaging/Server/Main/Init.hs +++ b/src/Simplex/Messaging/Server/Main/Init.hs @@ -156,24 +156,21 @@ iniFileContent cfgPath logPath opts host basicAuth controlPortPwds = <> ("# client_concurrency = " <> tshow defaultProxyClientConcurrency) <> "\n\n\ \[NAMES]\n\ - \# Public-namespace resolution (SNRC on Ethereum).\n\ - \# Requires an Ethereum JSON-RPC endpoint (Reth+Nimbus). See deployment guide.\n\ + \# Public-namespace resolution via the snrc-resolve.py REST resolver.\n\ + \# Operator runs the resolver alongside smp-server (default port 8000)\n\ + \# with its own Ethereum JSON-RPC endpoint configured in resolver.toml.\n\ \# Co-locating with the proxy role logs a startup advisory: slow RSLV calls can\n\ \# serialise other forwarded commands on the same proxy-relay session.\n\ \# For high-volume deployments, run [NAMES] on a separate host.\n\ \# Restart required to change settings.\n\ \enable: off\n\ \# Same-host:\n\ - \# ethereum_endpoint: http://127.0.0.1:8545\n\ - \# Central Reth via Caddy:\n\ - \# ethereum_endpoint: https://eth.simplex.chat:443\n\ - \# rpc_auth: basic :\n\ - \# The SNRC contract addresses are hardcoded in the server binary; each\n\ - \# RSLV's contract field is verified against the binary's whitelist for\n\ - \# the requested TLD. Operators do NOT configure registries here.\n\ - \# rpc_timeout_ms: 3000\n\ - \# rpc_max_response_bytes: 262144\n\ - \# rpc_max_concurrency: 8\n\n\ + \# resolver_endpoint: http://127.0.0.1:8000\n\ + \# Resolver behind TLS reverse proxy:\n\ + \# resolver_endpoint: https://names.simplex.chat:443\n\ + \# resolver_auth: basic :\n\ + \# resolver_timeout_ms: 3000\n\ + \# resolver_max_response_bytes: 65536\n\n\ \[INACTIVE_CLIENTS]\n\ \# TTL and interval to check inactive clients\n\ \disconnect = on\n" diff --git a/src/Simplex/Messaging/Server/Names.hs b/src/Simplex/Messaging/Server/Names.hs index c1aeef4898..c2e17369f1 100644 --- a/src/Simplex/Messaging/Server/Names.hs +++ b/src/Simplex/Messaging/Server/Names.hs @@ -4,212 +4,159 @@ {-# LANGUAGE ScopedTypeVariables #-} {-# LANGUAGE StrictData #-} --- | Public-namespace resolver. Each RSLV becomes one eth_call to the --- Ethereum endpoint with the contract address selected by the requested --- TLD, bounded by rpcMaxConcurrency and rpcTimeoutMs. Zero-owner / expired --- records map to NotFound. +-- | Public-namespace resolver. Each RSLV becomes one HTTP GET to the +-- configured names resolver service (the Python REST resolver in PR #1795 +-- by default), bounded by resolverTimeoutMs and the maximum response size. +-- The resolver_endpoint URL is operator-supplied; the contract field on the +-- RSLV wire format is parsed for forward-compatibility but ignored — the +-- Python service is the source of truth for which on-chain registries are +-- queried per TLD. -- --- Transport details live in Names.Eth.RPC (HTTP + JSON-RPC + auth); --- Keccak-256 namehash and SNRC ABI decoder live in Names.Eth.SNRC. +-- HTTP details (URL building, redirects disabled, body cap, auth header) +-- live in Names.HttpResolver. module Simplex.Messaging.Server.Names ( NamesConfig (..), - TldRegistries (..), RpcAuth (..), NamesEnv (..), - EthCall, + ResolverCall, + ResolverCallKind (..), ResolveError (..), newNamesEnv, newNamesEnvWith, closeNamesEnv, - lookupTldAddress, pingEndpoint, resolveName, - verifyRslv, + parseName, ) where -import Control.Applicative ((<|>)) -import Control.Monad (forM_, guard, unless, when) import qualified Control.Exception as E import Control.Logger.Simple (logError) -import Data.ByteString.Char8 (ByteString) -import Data.IORef (IORef, atomicModifyIORef', newIORef) -import Data.Maybe (fromMaybe) +import qualified Data.Aeson as J +import qualified Data.Aeson.Types as JT import Data.Text (Text) import qualified Data.Text as T import Data.Text.Encoding (encodeUtf8) -import Data.Time.Clock.POSIX (getPOSIXTime) import Simplex.Messaging.Encoding.String (strDecode) -import Simplex.Messaging.Util (eitherToMaybe) -import Simplex.Messaging.Protocol (NameOwner, NameRecord (..), RslvRequest (..), unNameOwner) -import Simplex.Messaging.Server.Names.Eth.RPC (EthRpcEnv, EthRpcError (..), RpcAuth (..), closeEthRpcEnv, ethCallReal, newEthRpcEnv) -import Simplex.Messaging.Server.Names.Eth.SNRC (decodeAddress, decodeGetRecord, encodeGetRecord, isZeroOwner, namehash) -import Simplex.Messaging.SimplexName (SimplexNameDomain (..), SimplexTLD (..), fullDomainName) +import Simplex.Messaging.Protocol (NameRecord, RslvRequest (..)) +import Simplex.Messaging.Server.Names.HttpResolver + ( ResolverEnv, + ResolverError (..), + RpcAuth (..), + closeResolverEnv, + healthHttp, + newResolverEnv, + resolveHttp, + ) +import Simplex.Messaging.SimplexName (SimplexNameDomain, fullDomainName) import System.Timeout (timeout) --- | TLD-keyed SNRC contract whitelist. Each RSLV carries the contract --- address the client wants queried; the server only accepts it if it --- matches the address configured for that TLD (or `tldAll` as catch-all). --- This lets one names router host multiple TLDs (each backed by its own --- SNRC contract) and reject clients pointing at a contract the operator --- doesn't run. -data TldRegistries = TldRegistries - { tldSimplex :: Maybe NameOwner, - tldTesting :: Maybe NameOwner, - tldAll :: Maybe NameOwner - } - deriving (Show) - data NamesConfig = NamesConfig - { ethereumEndpoint :: Text, - tldRegistries :: TldRegistries, - rpcAuth :: Maybe RpcAuth, - rpcTimeoutMs :: Int, - rpcMaxResponseBytes :: Int, - rpcMaxConcurrency :: Int + { resolverEndpoint :: Text, + resolverAuth :: Maybe RpcAuth, + resolverTimeoutMs :: Int, + resolverMaxResponseBytes :: Int } deriving (Show) data ResolveError - = NotFound - | EthHttpErr - | EthRpcErr {rpcCode :: Int, rpcMessage :: Text} - | EthDecodeErr + = NotFound -- name not registered, unknown TLD, or malformed name (404 / 400) + | ResolverError -- upstream RPC failure (502) or transport error + | ResolverDecodeErr -- response was not a valid NameRecord JSON | TimedOut deriving (Eq, Show) --- | Test seam: a function from (to, data) -> raw return bytes or error. --- Production wires this to ethCallReal; tests substitute a stub. -type EthCall = ByteString -> ByteString -> IO (Either EthRpcError ByteString) +-- | Test seam: a function from URL path -> JSON value or error. Production +-- wires this to resolveHttp / healthHttp on a real `ResolverEnv`; tests +-- substitute a stub returning canned JSON or a chosen error. +-- +-- The first argument is the HTTP endpoint to hit: `ResolverFetch` for a +-- name lookup, `ResolverHealth` for the startup probe. Tests use the tag +-- to assert which kind of call the server made. +data ResolverCallKind = ResolverFetch Text | ResolverHealth + deriving (Eq, Show) + +-- Re-export so test seams (which need to match on the kind) can use it +-- without depending on the HttpResolver module. + +type ResolverCall = ResolverCallKind -> IO (Either ResolverError J.Value) data NamesEnv = NamesEnv { config :: NamesConfig, - ethCall :: EthCall, - rpcEnv :: Maybe EthRpcEnv, -- Nothing for test stubs - -- One-shot guard so the placeholder-decoder warning logs once per process, - -- not once per RSLV. - placeholderWarned :: IORef Bool + resolverCall :: ResolverCall, + resolverEnv :: Maybe ResolverEnv -- Nothing for test stubs } newNamesEnv :: NamesConfig -> IO NamesEnv newNamesEnv cfg = do - rpc <- newEthRpcEnv (ethereumEndpoint cfg) (rpcAuth cfg) (rpcMaxResponseBytes cfg) (rpcMaxConcurrency cfg) - newNamesEnvWith cfg (ethCallReal rpc) (Just rpc) + rEnv <- newResolverEnv (resolverEndpoint cfg) (resolverAuth cfg) (resolverTimeoutMs cfg) (resolverMaxResponseBytes cfg) + newNamesEnvWith cfg (httpResolverCall rEnv) (Just rEnv) + +httpResolverCall :: ResolverEnv -> ResolverCall +httpResolverCall env = \case + ResolverFetch n -> resolveHttp env n + ResolverHealth -> healthHttp env --- | Allocate resolver with an injected ethCall (test seam). -newNamesEnvWith :: NamesConfig -> EthCall -> Maybe EthRpcEnv -> IO NamesEnv -newNamesEnvWith config ethCall rpcEnv = do - placeholderWarned <- newIORef False - pure NamesEnv {config, ethCall, rpcEnv, placeholderWarned} +-- | Allocate resolver with an injected `resolverCall` (test seam). +newNamesEnvWith :: NamesConfig -> ResolverCall -> Maybe ResolverEnv -> IO NamesEnv +newNamesEnvWith config resolverCall resolverEnv = pure NamesEnv {config, resolverCall, resolverEnv} closeNamesEnv :: NamesEnv -> IO () -closeNamesEnv NamesEnv {rpcEnv} = mapM_ closeEthRpcEnv rpcEnv - --- | Look up the expected SNRC contract address for a TLD. TLD-specific --- entry takes precedence; `tldAll` is the catch-all. `TLDWeb` has no --- TLD-specific entry — it always resolves through `tldAll` if set. -lookupTldAddress :: TldRegistries -> SimplexTLD -> Maybe NameOwner -lookupTldAddress TldRegistries {tldSimplex, tldTesting, tldAll} = \case - TLDSimplex -> tldSimplex <|> tldAll - TLDTesting -> tldTesting <|> tldAll - TLDWeb -> tldAll - --- | Parse the client-supplied domain, look up the TLD's expected contract, --- and verify the client-supplied contract matches. Returns the verified --- (address, parsed-domain) pair, or `Nothing` if any check fails — the --- handler maps this to `ERR AUTH` and increments `rslvBadName`. -verifyRslv :: NamesEnv -> RslvRequest -> Maybe (NameOwner, SimplexNameDomain) -verifyRslv NamesEnv {config} RslvRequest {name, contract} = case strDecode (encodeUtf8 name) of - Left _ -> Nothing - Right d -> do - expected <- lookupTldAddress (tldRegistries config) (nameTLD d) - guard (expected == contract) - pure (expected, d) - --- | Reach the configured endpoint with a harmless probe call to confirm --- network reachability. Uses any configured contract address (the parser --- guarantees at least one is set). A JSON-RPC error (e.g. unknown contract --- on a healthy node) is treated as "endpoint reachable". HTTP transport --- failures, oversized responses, and non-JSON bodies (operator pointing at --- the wrong service) all surface as Left so startup fails loudly rather --- than every RSLV silently incrementing rslvEthErrs. -pingEndpoint :: NamesEnv -> IO (Either EthRpcError ()) -pingEndpoint NamesEnv {ethCall, config} = case anyAddress (tldRegistries config) of - Nothing -> pure (Right ()) - Just addr -> do - -- Bound the probe by the same rpcTimeoutMs that resolveName uses, so a - -- slow-loris endpoint can't park startup until http-client's default - -- 30 s response timeout fires. - r <- timeout (rpcTimeoutMs config * 1000) $ - ethCall (unNameOwner addr) (encodeGetRecord (namehash "")) - pure $ case r of - Nothing -> Left ProbeTimedOut - Just (Left JsonRpcErr {}) -> Right () -- node answered, just doesn't know this contract - Just (Left e) -> Left e - Just (Right _) -> Right () - where - anyAddress TldRegistries {tldSimplex, tldTesting, tldAll} = - tldSimplex <|> tldTesting <|> tldAll - --- | Resolve a verified (contract, domain) pair with an rpcTimeoutMs --- ceiling. Synchronous exceptions are caught and logged; async exceptions --- propagate. -resolveName :: NamesEnv -> NameOwner -> SimplexNameDomain -> IO (Either ResolveError NameRecord) -resolveName env contract d = do - r <- E.try (timeout (rpcTimeoutMs (config env) * 1000) (fetch env contract d)) +closeNamesEnv NamesEnv {resolverEnv} = mapM_ closeResolverEnv resolverEnv + +-- | Parse the client-supplied name. The wire-format `contract` field is +-- parsed by the protocol layer but ignored here: the resolver service +-- selects which registry to query based on the TLD. Returns the parsed +-- domain, or `Nothing` if the name is not a valid SimplexNameDomain (the +-- handler maps `Nothing` to `ERR AUTH` and increments `rslvBadName`). +parseName :: RslvRequest -> Maybe SimplexNameDomain +parseName RslvRequest {name} = either (const Nothing) Just $ strDecode (encodeUtf8 name) + +-- | Reach the configured resolver with `GET /health` to confirm reachability +-- at server startup. A non-2xx response or transport failure surfaces as +-- Left so misconfigured deployments fail loudly. Bounded by +-- `resolverTimeoutMs` so a slow-loris endpoint cannot park startup until +-- http-client's default 30 s response timeout fires. +pingEndpoint :: NamesEnv -> IO (Either ResolverError ()) +pingEndpoint NamesEnv {resolverCall, config} = do + r <- timeout (resolverTimeoutMs config * 1000) $ resolverCall ResolverHealth + pure $ case r of + Nothing -> Left (HttpStatusErr 0) -- transport-level timeout (0 is not a real HTTP code) + Just (Left e) -> Left e + Just (Right _) -> Right () + +-- | Resolve a parsed domain via the configured HTTP resolver, with an +-- `resolverTimeoutMs` ceiling. Synchronous exceptions are caught and +-- logged; async exceptions propagate. +resolveName :: NamesEnv -> SimplexNameDomain -> IO (Either ResolveError NameRecord) +resolveName env d = do + r <- E.try (timeout (resolverTimeoutMs (config env) * 1000) (fetch env d)) case r of - Right result -> pure (fromMaybe (Left TimedOut) result) + Right result -> pure (maybe (Left TimedOut) id result) Left e | Just (_ :: E.SomeAsyncException) <- E.fromException e -> E.throwIO e | otherwise -> do logError $ "[NAMES] resolver fetch raised " <> T.pack (E.displayException e) - pure (Left EthHttpErr) - -fetch :: NamesEnv -> NameOwner -> SimplexNameDomain -> IO (Either ResolveError NameRecord) -fetch env@NamesEnv {ethCall} contract d = - ethCall (unNameOwner contract) (encodeGetRecord (namehash (encodeUtf8 (fullDomainName d)))) >>= \case - Left e -> pure (Left (mapEthRpcError e)) - Right ret -> case decodeGetRecord ret of - Right Nothing -> notFoundWithPlaceholderWarn ret - Right (Just rec) -> checkExpiry rec - Left _ -> pure (Left EthDecodeErr) - where - -- decodeGetRecord is currently a placeholder: it returns Right Nothing - -- for BOTH "zero-owner sentinel" (real NotFound) and "non-zero owner - -- with real data but no ABI decoder yet". Inspect the owner slot - -- directly to distinguish, and surface the latter once per process so - -- an operator who enables [NAMES] against a working SNRC contract sees - -- the resolver is functionally stubbed. - notFoundWithPlaceholderWarn ret = do - forM_ (eitherToMaybe (decodeAddress 32 ret)) $ \owner -> - unless (isZeroOwner owner) (warnPlaceholderOnce env) - pure (Left NotFound) - -- Defense in depth: the SNRC contract should already return the - -- zero-owner sentinel for expired records, but a buggy / pre-upgrade - -- contract might not. nrExpiry == 0 means "never expires" (reserved - -- names); any positive expiry in the past is treated as NotFound. - checkExpiry rec = do - nowSec <- floor <$> getPOSIXTime - pure $ - if nrExpiry rec /= 0 && nrExpiry rec < nowSec - then Left NotFound - else Right rec - -warnPlaceholderOnce :: NamesEnv -> IO () -warnPlaceholderOnce NamesEnv {placeholderWarned} = do - first <- atomicModifyIORef' placeholderWarned (\w -> (True, not w)) - when first $ - logError - "[NAMES] decodeGetRecord placeholder hit — SNRC ABI codec not finalised; \ - \every non-zero-owner record returns NotFound until the decoder ships" - --- | Collapse the JSON-RPC transport-layer error space into the resolver's --- public error space. -mapEthRpcError :: EthRpcError -> ResolveError -mapEthRpcError = \case - HttpFailure _ -> EthHttpErr - HttpStatusErr _ -> EthHttpErr - BodyTooLarge -> EthHttpErr -- transport-side cap, not a decoder failure - InvalidJson _ -> EthDecodeErr - JsonRpcErr c m -> EthRpcErr {rpcCode = c, rpcMessage = m} - ProbeTimedOut -> EthHttpErr -- pingEndpoint-only; never raised by ethCallReal in the resolve path + pure (Left ResolverError) + +fetch :: NamesEnv -> SimplexNameDomain -> IO (Either ResolveError NameRecord) +fetch NamesEnv {resolverCall} d = + resolverCall (ResolverFetch (fullDomainName d)) >>= \case + Left e -> pure (Left (mapResolverError e)) + Right v -> case JT.parseEither J.parseJSON v of + Right nr -> pure (Right nr) + Left _ -> pure (Left ResolverDecodeErr) + +-- | Collapse the HTTP-layer error space into the resolver's public error +-- space. 404 / 400 both map to NotFound (name not registered, unknown TLD, +-- or malformed name — indistinguishable from the client's point of view). +-- Everything else collapses to ResolverError; the response body is not +-- inspected because adversarial endpoints could embed arbitrary content. +mapResolverError :: ResolverError -> ResolveError +mapResolverError = \case + HttpStatusErr 404 -> NotFound + HttpStatusErr 400 -> NotFound + HttpStatusErr _ -> ResolverError + HttpFailure _ -> ResolverError + BodyTooLarge -> ResolverError + InvalidJson _ -> ResolverDecodeErr diff --git a/src/Simplex/Messaging/Server/Names/Eth/RPC.hs b/src/Simplex/Messaging/Server/Names/Eth/RPC.hs deleted file mode 100644 index 1f0d2d02aa..0000000000 --- a/src/Simplex/Messaging/Server/Names/Eth/RPC.hs +++ /dev/null @@ -1,200 +0,0 @@ -{-# LANGUAGE LambdaCase #-} -{-# LANGUAGE NamedFieldPuns #-} -{-# LANGUAGE OverloadedStrings #-} -{-# LANGUAGE ScopedTypeVariables #-} -{-# LANGUAGE StrictData #-} - --- | Ethereum JSON-RPC HTTP transport for the resolver. --- --- Boundary properties: --- * Response body read with `brReadSome rpcMaxResponseBytes` — adversarial --- endpoints cannot exhaust memory with multi-GB bodies. --- * Concurrency cap via QSem — bursts of cache-miss traffic cannot exhaust --- the http-client connection pool. --- * Authorization header attached only when configured. -module Simplex.Messaging.Server.Names.Eth.RPC - ( RpcAuth (..), - EthRpcEnv, - EthRpcError (..), - newEthRpcEnv, - closeEthRpcEnv, - ethCallReal, - scrubUrl, - ) -where - -import Control.Applicative ((<|>)) -import Control.Concurrent.QSem (QSem, newQSem, signalQSem, waitQSem) -import qualified Control.Exception as E -import Control.Exception (bracket_) -import qualified Data.Aeson as J -import qualified Data.Aeson.Types as J -import qualified Data.ByteArray.Encoding as BAE -import Data.ByteString.Char8 (ByteString) -import qualified Data.ByteString.Char8 as B -import qualified Data.ByteString.Lazy as BL -import Data.Maybe (fromMaybe) -import Data.Text (Text) -import qualified Data.Text as T -import Data.Text.Encoding (decodeLatin1, encodeUtf8) -import Network.HTTP.Client - ( HttpException, - Manager, - ManagerSettings (..), - Request, - RequestBody (..), - brReadSome, - method, - parseRequest, - redirectCount, - requestBody, - requestHeaders, - responseBody, - responseStatus, - withResponse, - ) -import qualified Network.HTTP.Client as HC -import Network.HTTP.Client.TLS (tlsManagerSettings) -import qualified Network.HTTP.Types as HT - -data RpcAuth = AuthBearer Text | AuthBasic Text Text - --- | Redacts the bearer token / basic-auth password so an accidental --- `show` / `tshow` on NamesConfig never lands secrets in logs. -instance Show RpcAuth where - show (AuthBearer _) = "AuthBearer " - show (AuthBasic u _) = "AuthBasic " <> show u <> " " - -data EthRpcEnv = EthRpcEnv - { manager :: Manager, - request :: Request, - sem :: QSem, - maxResponseBytes :: Int - } - -data EthRpcError - = HttpFailure HttpException - | HttpStatusErr Int - | BodyTooLarge - | InvalidJson String - | JsonRpcErr Int Text - | ProbeTimedOut -- startup-probe timeout; resolveName uses its own Timeout - deriving (Show) - --- | Build a Request from a (validated) ethereum_endpoint URL. Redirects are --- disabled: an RPC endpoint that responds 3xx is a misconfiguration, and a --- compromised endpoint could otherwise redirect a credential-bearing POST --- to a private-IP target (SSRF amplification on top of the host validation --- performed at config load — DNS rebinding and chained redirects bypass it). -buildRequest :: Text -> Maybe RpcAuth -> IO Request -buildRequest endpoint auth_ = do - req <- parseRequest (T.unpack endpoint) - pure $ - req - { method = "POST", - redirectCount = 0, - requestHeaders = - ("Content-Type", "application/json") - : maybe [] (pure . authHeader) auth_ - } - -authHeader :: RpcAuth -> HT.Header -authHeader = \case - AuthBearer tok -> ("Authorization", "Bearer " <> encodeUtf8 tok) - AuthBasic u p -> - let encoded = BAE.convertToBase BAE.Base64 (encodeUtf8 u <> ":" <> encodeUtf8 p) :: ByteString - in ("Authorization", "Basic " <> encoded) - -newEthRpcEnv :: Text -> Maybe RpcAuth -> Int -> Int -> IO EthRpcEnv -newEthRpcEnv endpoint auth_ maxResponseBytes maxConcurrency = do - -- managerConnCount defaults to 10; without raising it the configured - -- rpcMaxConcurrency is silently capped to 10 by http-client's pool. - manager <- HC.newManager tlsManagerSettings {managerConnCount = max 10 maxConcurrency} - request <- buildRequest endpoint auth_ - sem <- newQSem maxConcurrency - pure EthRpcEnv {manager, request, sem, maxResponseBytes} - --- | http-client's `closeManager` is a deprecated no-op since 0.5; the manager --- is released by the GC finalizer attached to its internal state. We retain --- the close-env entry point as a hook for any future deterministic cleanup --- (e.g. draining the QSem) but do nothing here. -closeEthRpcEnv :: EthRpcEnv -> IO () -closeEthRpcEnv _ = pure () - --- | Make a single eth_call. `to` is the contract address (20 raw bytes); --- `dat` is the ABI-encoded call data. Returns the contract return bytes. -ethCallReal :: EthRpcEnv -> ByteString -> ByteString -> IO (Either EthRpcError ByteString) -ethCallReal EthRpcEnv {manager, request, sem, maxResponseBytes} to dat = - bracket_ (waitQSem sem) (signalQSem sem) $ do - let body = J.encode (rpcEnvelope to dat) - req = request {requestBody = RequestBodyLBS body} - result <- E.try $ withResponse req manager $ \res -> do - let status = responseStatus res - if HT.statusCode status >= 400 - then pure (Left (HttpStatusErr (HT.statusCode status))) - else do - bs <- brReadSome (responseBody res) (maxResponseBytes + 1) - if BL.length bs > fromIntegral maxResponseBytes - then pure (Left BodyTooLarge) - else pure (parseResult (BL.toStrict bs)) - pure (either (Left . HttpFailure) id result) - -rpcEnvelope :: ByteString -> ByteString -> J.Value -rpcEnvelope to dat = - J.object - [ "jsonrpc" J..= ("2.0" :: Text), - "id" J..= (1 :: Int), - "method" J..= ("eth_call" :: Text), - "params" - J..= [ J.object - [ "to" J..= toHex to, - "data" J..= toHex dat - ], - J.String "latest" - ] - ] - -parseResult :: ByteString -> Either EthRpcError ByteString -parseResult bs = case J.eitherDecodeStrict bs of - Left e -> Left (InvalidJson e) - Right (v :: J.Value) -> case J.parseEither parser v of - Left e -> Left (InvalidJson e) - Right r -> r - where - parser :: J.Value -> J.Parser (Either EthRpcError ByteString) - parser = J.withObject "rpc" $ \o -> do - mErr :: Maybe J.Value <- o J..:? "error" - case mErr of - Just (J.Object eo) -> do - code <- (eo J..: "code") <|> pure (-1 :: Int) - msg <- (eo J..: "message") <|> pure ("rpc error" :: Text) - pure (Left (JsonRpcErr code msg)) - _ -> do - result :: Text <- o J..: "result" - case decodeHexResult (encodeUtf8 result) of - Right b -> pure (Right b) - Left e -> pure (Left (InvalidJson e)) - --- | Encode raw bytes as "0x"-prefixed lowercase hex. -toHex :: ByteString -> Text -toHex bs = "0x" <> decodeLatin1 (BAE.convertToBase BAE.Base16 bs) - --- | Decode a "0x"/"0X"-prefixed hex string (the JSON-RPC result shape). -decodeHexResult :: ByteString -> Either String ByteString -decodeHexResult bs = - BAE.convertFromBase BAE.Base16 $ - fromMaybe bs (B.stripPrefix "0x" bs <|> B.stripPrefix "0X" bs) - --- | Strip userinfo from a URL so log lines never leak credentials. -scrubUrl :: Text -> Text -scrubUrl url = - let (scheme, rest) = T.breakOn "://" url - in if T.null rest - then url - else - let body = T.drop 3 rest - (host, query) = T.breakOn "/" body - in case T.breakOn "@" host of - (_userinfo, atRest) - | not (T.null atRest) -> scheme <> "://" <> T.drop 1 atRest <> query - _ -> url diff --git a/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs b/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs deleted file mode 100644 index 2e645fa602..0000000000 --- a/src/Simplex/Messaging/Server/Names/Eth/SNRC.hs +++ /dev/null @@ -1,187 +0,0 @@ -{-# LANGUAGE BangPatterns #-} -{-# LANGUAGE LambdaCase #-} -{-# LANGUAGE NamedFieldPuns #-} -{-# LANGUAGE OverloadedStrings #-} -{-# LANGUAGE ScopedTypeVariables #-} -{-# LANGUAGE StrictData #-} - --- | SNRC contract codec: Keccak-256 namehash + bounded Solidity ABI decoder. --- --- IMPORTANT: Ethereum uses Keccak-256, NOT NIST SHA3-256. --- --- ABI safety invariants (enforced before any allocation): --- 1. offset + 32 <= buf.length (head read in-bounds) --- 2. offset + 32 + length <= buf.length (body in-bounds) --- 3. offset >= headEnd (no backward jumps) --- 4. every length <= per-field cap (bounded allocations) --- 5. string[] outer count * 32 + offset <= buf.length (array head fits) --- 6. recursion depth <= 2 (no deep nesting) --- 7. uint256 -> Int64 fails if any high 24 bytes non-zero (range check) --- 8. UTF-8 via decodeUtf8' returns AbiBadUtf8 (no partial bytes) -module Simplex.Messaging.Server.Names.Eth.SNRC - ( -- * Namehash - keccak256, - namehash, - - -- * SNRC eth_call payload - snrcSelector, - encodeGetRecord, - - -- * ABI decoding - AbiError (..), - decodeGetRecord, - decodeWord256Int64, - decodeAddress, - decodeString, - decodeUtf8Text, - decodeStringArray, - isZeroOwner, - ) -where - -import Crypto.Hash (Digest, Keccak_256, hash) -import Data.Bifunctor (first) -import qualified Data.ByteArray as BA -import Data.ByteString.Char8 (ByteString) -import qualified Data.ByteString.Char8 as B -import Data.Int (Int64) -import Data.Text (Text) -import Data.Text.Encoding (decodeUtf8') -import Simplex.Messaging.Protocol (NameOwner, NameRecord, mkNameOwner, unNameOwner) - --- | ABI-decode failure modes (caller collapses to ResolveError EthDecodeErr). -data AbiError - = AbiTruncated - | AbiOversized - | AbiBackwardOffset - | AbiNonZeroHighBytes - | AbiBadUtf8 - | AbiDepthExceeded - | AbiInvariantViolated String - deriving (Eq, Show) - --- | Keccak-256 (Ethereum variant), NOT SHA3-256. -keccak256 :: ByteString -> ByteString -keccak256 = BA.convert . (hash :: ByteString -> Digest Keccak_256) -{-# INLINE keccak256 #-} - --- | ENS / SNRC namehash: recursive keccak256 over reversed labels. --- Empty name -> 32 zero bytes; "a.b.c" -> keccak(keccak(keccak(0 ++ keccak "c") ++ keccak "b") ++ keccak "a"). -namehash :: ByteString -> ByteString -namehash name - | B.null name = zeroNode - | otherwise = foldr step zeroNode (B.split '.' name) - where - zeroNode = B.replicate 32 '\NUL' - step label acc = keccak256 (acc <> keccak256 label) - --- | First 4 bytes of keccak("getRecord(bytes32)"). Confirm signature --- against the Part 1 SNRC contract before merging. -snrcSelector :: ByteString -snrcSelector = B.take 4 (keccak256 "getRecord(bytes32)") - --- | Build the eth_call `data` parameter for getRecord(lookupKey). -encodeGetRecord :: ByteString -> ByteString -encodeGetRecord node32 - | B.length node32 == 32 = snrcSelector <> node32 - | otherwise = snrcSelector <> padLeft32 node32 - -padLeft32 :: ByteString -> ByteString -padLeft32 bs - | n >= 32 = B.take 32 bs - | otherwise = B.replicate (32 - n) '\NUL' <> bs - where - n = B.length bs - --- | Read a uint256 at byte offset, fail if it doesn't fit in *signed* Int64. --- Rejects both (a) any non-zero byte in the high 24 bytes and (b) the high --- bit of the low 8 bytes being set — the latter is essential because Int64 --- would otherwise sign-flip a uint64 value into a negative integer, silently --- corrupting downstream length math. -decodeWord256Int64 :: Int -> ByteString -> Either AbiError Int64 -decodeWord256Int64 off buf - | off + 32 > B.length buf = Left AbiTruncated - | B.any (/= '\NUL') (B.take 24 (B.drop off buf)) = Left AbiNonZeroHighBytes - | B.index buf (off + 24) >= '\x80' = Left AbiNonZeroHighBytes - | otherwise = Right $ B.foldl shiftIn 0 (B.take 8 (B.drop (off + 24) buf)) - where - shiftIn :: Int64 -> Char -> Int64 - shiftIn !acc c = (acc * 256) + fromIntegral (fromEnum c :: Int) -{-# INLINE decodeWord256Int64 #-} - --- | Read an Ethereum address at byte offset (uint256 with high 12 bytes zero). -decodeAddress :: Int -> ByteString -> Either AbiError NameOwner -decodeAddress off buf - | off + 32 > B.length buf = Left AbiTruncated - | B.any (/= toEnum 0) (B.take 12 (B.drop off buf)) = Left (AbiInvariantViolated "address has non-zero high 12 bytes") - | otherwise = first AbiInvariantViolated $ mkNameOwner (B.take 20 (B.drop (off + 12) buf)) - --- | Decode a Solidity `string` whose data starts at byte offset `off`. --- Returns raw bytes; UTF-8 validity is the caller's choice (use --- `decodeUtf8Text` if a Text is required). -decodeString :: Int -> Int -> Int -> ByteString -> Either AbiError ByteString -decodeString headEnd off cap buf - | off < headEnd = Left AbiBackwardOffset - | off + 32 > B.length buf = Left AbiTruncated - | otherwise = do - n <- decodeWord256Int64 off buf - let len = fromIntegral n :: Int - if len > cap - then Left AbiOversized - else - if off + 32 + len > B.length buf - then Left AbiTruncated - else Right $ B.take len (B.drop (off + 32) buf) - --- | Decode a Solidity `string` as Text, failing with AbiBadUtf8 on --- invalid UTF-8. This is what NameRecord decoder composition will use. -decodeUtf8Text :: Int -> Int -> Int -> ByteString -> Either AbiError Text -decodeUtf8Text headEnd off cap buf = do - raw <- decodeString headEnd off cap buf - either (const (Left AbiBadUtf8)) Right (decodeUtf8' raw) - --- | Decode a Solidity `string[]` at byte offset `off`. Each element capped --- at `byteCap` bytes, total element count capped at `cntCap`. Depth must be --- < 2 (recurses one level into decodeString). -decodeStringArray :: Int -> Int -> Int -> Int -> Int -> ByteString -> Either AbiError [ByteString] -decodeStringArray depth headEnd off cntCap byteCap buf - | depth >= 2 = Left AbiDepthExceeded - | off < headEnd = Left AbiBackwardOffset - | off + 32 > B.length buf = Left AbiTruncated - | otherwise = do - n <- decodeWord256Int64 off buf - let cnt = fromIntegral n :: Int - if cnt > cntCap - then Left AbiOversized - else - let arrHead = off + 32 - arrHeadEnd = arrHead + cnt * 32 - in if arrHeadEnd > B.length buf - then Left AbiTruncated - else collectN 0 cnt arrHead arrHeadEnd [] - where - collectN i n base hd acc - | i >= n = Right (reverse acc) - | otherwise = do - relOff <- decodeWord256Int64 (base + i * 32) buf - let absOff = base + fromIntegral relOff - s <- decodeString hd absOff byteCap buf - collectN (i + 1) n base hd (s : acc) - --- | Decode the ABI-encoded return value of getRecord(bytes32) into a NameRecord. --- Zero-owner (0x000...000) is reported as Right Nothing so the caller maps it --- to NotFound (ENS-style sentinel). --- --- PLACEHOLDER: returns Right Nothing for any non-zero owner until the Part 1 --- SNRC contract ABI is finalised. All ABI primitives above are production-ready; --- only the field-layout-aware composition is pending. -decodeGetRecord :: ByteString -> Either AbiError (Maybe NameRecord) -decodeGetRecord buf - | B.length buf < 32 * 8 = Left AbiTruncated - -- Both arms return Nothing today: the zero-owner branch is the real ENS-style - -- NotFound sentinel; the non-zero branch is the SNRC-ABI placeholder. They - -- separate once the field-layout decoder lands. - | otherwise = Nothing <$ decodeAddress 32 buf - -isZeroOwner :: NameOwner -> Bool -isZeroOwner = (== B.replicate 20 '\NUL') . unNameOwner diff --git a/src/Simplex/Messaging/Server/Names/HttpResolver.hs b/src/Simplex/Messaging/Server/Names/HttpResolver.hs new file mode 100644 index 0000000000..ed314c6de1 --- /dev/null +++ b/src/Simplex/Messaging/Server/Names/HttpResolver.hs @@ -0,0 +1,164 @@ +{-# LANGUAGE LambdaCase #-} +{-# LANGUAGE NamedFieldPuns #-} +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE ScopedTypeVariables #-} +{-# LANGUAGE StrictData #-} + +-- | HTTP transport for the public-namespace resolver. +-- +-- The Python REST resolver (see scripts/resolver/snrc-resolve.py) exposes +-- +-- GET /resolve/ -> 200 with a NameRecord JSON document +-- 404 / 400 for unknown names / TLDs +-- 502 for upstream RPC failures +-- GET /health -> 200 when the resolver process is ready +-- +-- Boundary properties: +-- * Response body read with `brReadSome maxResponseBytes` — adversarial +-- endpoints cannot exhaust memory with multi-GB bodies. +-- * `redirectCount = 0` — a compromised resolver cannot bounce credentials +-- to a private-IP target (SSRF amplification on top of the URL validation +-- performed at config load in Server.Main.validateUrl). +-- * Authorization header attached only when configured. +module Simplex.Messaging.Server.Names.HttpResolver + ( RpcAuth (..), + ResolverEnv, + ResolverError (..), + newResolverEnv, + closeResolverEnv, + resolveHttp, + healthHttp, + scrubUrl, + ) +where + +import qualified Control.Exception as E +import qualified Data.Aeson as J +import qualified Data.ByteArray.Encoding as BAE +import Data.ByteString.Char8 (ByteString) +import qualified Data.ByteString.Lazy as BL +import Data.Text (Text) +import qualified Data.Text as T +import Data.Text.Encoding (decodeLatin1, encodeUtf8) +import Network.HTTP.Client + ( HttpException, + Manager, + ManagerSettings (..), + Request, + brReadSome, + parseRequest, + redirectCount, + requestHeaders, + responseBody, + responseStatus, + responseTimeoutMicro, + withResponse, + ) +import qualified Network.HTTP.Client as HC +import Network.HTTP.Client.TLS (tlsManagerSettings) +import qualified Network.HTTP.Types as HT +import Network.HTTP.Types.URI (urlEncode) + +data RpcAuth = AuthBearer Text | AuthBasic Text Text + +-- | Redacts the bearer token / basic-auth password so an accidental +-- `show` / `tshow` on NamesConfig never lands secrets in logs. +instance Show RpcAuth where + show (AuthBearer _) = "AuthBearer " + show (AuthBasic u _) = "AuthBasic " <> show u <> " " + +data ResolverEnv = ResolverEnv + { manager :: Manager, + baseUrl :: Text, + authHdr :: [HT.Header], + timeoutMicro :: Int, + maxResponseBytes :: Int + } + +data ResolverError + = HttpFailure HttpException + | HttpStatusErr Int + | BodyTooLarge + | InvalidJson String + deriving (Show) + +newResolverEnv :: Text -> Maybe RpcAuth -> Int -> Int -> IO ResolverEnv +newResolverEnv baseUrl auth_ timeoutMs maxResponseBytes = do + manager <- HC.newManager tlsManagerSettings {managerConnCount = 10} + pure + ResolverEnv + { manager, + baseUrl = stripTrailingSlash baseUrl, + authHdr = maybe [] (pure . authHeader) auth_, + timeoutMicro = timeoutMs * 1000, + maxResponseBytes + } + +-- | http-client's `closeManager` is a deprecated no-op since 0.5; the +-- manager is released by the GC finalizer on its internal state. Hook kept +-- as a future-cleanup seam. +closeResolverEnv :: ResolverEnv -> IO () +closeResolverEnv _ = pure () + +authHeader :: RpcAuth -> HT.Header +authHeader = \case + AuthBearer tok -> ("Authorization", "Bearer " <> encodeUtf8 tok) + AuthBasic u p -> + let encoded = BAE.convertToBase BAE.Base64 (encodeUtf8 u <> ":" <> encodeUtf8 p) :: ByteString + in ("Authorization", "Basic " <> encoded) + +-- | GET /resolve/, return the JSON body on 200. +resolveHttp :: ResolverEnv -> Text -> IO (Either ResolverError J.Value) +resolveHttp env name = doGet env ("/resolve/" <> percentEncode name) + +-- | GET /health, return the JSON body on 200. +healthHttp :: ResolverEnv -> IO (Either ResolverError J.Value) +healthHttp env = doGet env "/health" + +doGet :: ResolverEnv -> Text -> IO (Either ResolverError J.Value) +doGet ResolverEnv {manager, baseUrl, authHdr, timeoutMicro, maxResponseBytes} path = do + req0 <- parseRequest (T.unpack (baseUrl <> path)) + let req = + req0 + { redirectCount = 0, + requestHeaders = ("Accept", "application/json") : authHdr, + HC.responseTimeout = responseTimeoutMicro timeoutMicro + } + result <- E.try $ withResponse req manager $ \res -> do + let status = HT.statusCode (responseStatus res) + if status >= 400 + then pure (Left (HttpStatusErr status)) + else do + bs <- brReadSome (responseBody res) (maxResponseBytes + 1) + if BL.length bs > fromIntegral maxResponseBytes + then pure (Left BodyTooLarge) + else case J.eitherDecodeStrict (BL.toStrict bs) of + Left e -> pure (Left (InvalidJson e)) + Right v -> pure (Right v) + pure (either (Left . HttpFailure) id result) + +-- | Percent-encode a name component (path-safe). Aggressive: encode every +-- byte that isn't an unreserved character per RFC 3986. The resolver expects +-- raw labels (e.g., `alice.simplex`); slashes and other ASCII punctuation +-- would change the request path semantics if passed through verbatim. +percentEncode :: Text -> Text +percentEncode = decodeLatin1 . urlEncode True . encodeUtf8 + +stripTrailingSlash :: Text -> Text +stripTrailingSlash t = case T.unsnoc t of + Just (rest, '/') -> rest + _ -> t + +-- | Strip userinfo from a URL so log lines never leak credentials. +scrubUrl :: Text -> Text +scrubUrl url = + let (scheme, rest) = T.breakOn "://" url + in if T.null rest + then url + else + let body = T.drop 3 rest + (host, query) = T.breakOn "/" body + in case T.breakOn "@" host of + (_userinfo, atRest) + | not (T.null atRest) -> scheme <> "://" <> T.drop 1 atRest <> query + _ -> url diff --git a/src/Simplex/Messaging/SimplexName.hs b/src/Simplex/Messaging/SimplexName.hs index 62973727a3..f02ced0bdf 100644 --- a/src/Simplex/Messaging/SimplexName.hs +++ b/src/Simplex/Messaging/SimplexName.hs @@ -27,7 +27,8 @@ import Data.Char (isDigit) import Data.Functor (($>)) import Data.Text (Text) import qualified Data.Text as T -import Data.Text.Encoding (encodeUtf8) +import Data.Text.Encoding (decodeLatin1, encodeUtf8) +import Simplex.Messaging.Agent.Store.DB (ToField (..)) import Simplex.Messaging.Encoding.String import Simplex.Messaging.Parsers (defaultJSON, dropPrefix, enumJSON) import Simplex.Messaging.Util (safeDecodeUtf8, (<$?>)) @@ -87,7 +88,7 @@ instance StrEncoding SimplexNameInfo where infoP NTPublicGroup = SimplexNameInfo NTPublicGroup <$> (strP <|> bareName) infoP NTContact = SimplexNameInfo NTContact <$> strP bareName = parseBare . safeDecodeUtf8 <$?> boundedNonSpace - parseBare s = (\name -> SimplexNameDomain TLDSimplex name []) <$> AT.parseOnly (nameLabelP <* AT.endOfInput) s + parseBare s = (\name -> SimplexNameDomain TLDSimplex (T.toLower name) []) <$> AT.parseOnly (nameLabelP <* AT.endOfInput) s instance StrEncoding SimplexNameDomain where strEncode = encodeUtf8 . fullDomainName @@ -123,6 +124,13 @@ shortNameInfoStr = \case NTPublicGroup -> "#" NTContact -> "@" +-- | Stored as TEXT. The matching `FromField` instance is intentionally not +-- defined: existing consumers want soft-decode semantics (parse failure +-- degrades to `Nothing` rather than failing the row), which doesn't +-- compose with `fromTextField_`. Add a `FromField` instance here only +-- when a consumer wants the row-fail behaviour and document the divide. +instance ToField SimplexNameInfo where toField = toField . decodeLatin1 . strEncode + $(J.deriveJSON (enumJSON $ dropPrefix "TLD") ''SimplexTLD) $(J.deriveJSON (enumJSON $ dropPrefix "NT") ''SimplexNameType) diff --git a/tests/AgentTests.hs b/tests/AgentTests.hs index 368e7c0e2e..34d610cd5c 100644 --- a/tests/AgentTests.hs +++ b/tests/AgentTests.hs @@ -12,6 +12,7 @@ import AgentTests.ConnectionRequestTests import AgentTests.DoubleRatchetTests (doubleRatchetTests) import AgentTests.FunctionalAPITests (functionalAPITests) import AgentTests.MigrationTests (migrationTests) +import AgentTests.ResolveNameTests (resolveNameTests) import AgentTests.ServerChoice (serverChoiceTests) import AgentTests.ShortLinkTests (shortLinkTests) import Simplex.Messaging.Server.Env.STM (AStoreType (..)) @@ -37,6 +38,7 @@ agentCoreTests = do describe "Connection request" connectionRequestTests describe "Double ratchet tests" doubleRatchetTests describe "Short link tests" shortLinkTests + resolveNameTests agentTests :: (ASrvTransport, AStoreType) -> Spec agentTests ps = do diff --git a/tests/AgentTests/ResolveNameTests.hs b/tests/AgentTests/ResolveNameTests.hs new file mode 100644 index 0000000000..711dbca102 --- /dev/null +++ b/tests/AgentTests/ResolveNameTests.hs @@ -0,0 +1,203 @@ +{-# LANGUAGE DataKinds #-} +{-# LANGUAGE DuplicateRecordFields #-} +{-# LANGUAGE GADTs #-} +{-# LANGUAGE LambdaCase #-} +{-# LANGUAGE NamedFieldPuns #-} +{-# LANGUAGE OverloadedLists #-} +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE PatternSynonyms #-} +{-# LANGUAGE ScopedTypeVariables #-} +{-# LANGUAGE TypeApplications #-} +{-# OPTIONS_GHC -fno-warn-ambiguous-fields #-} + +-- | End-to-end tests for `Simplex.Messaging.Agent.resolveSimplexName`. +-- +-- Exercises the agent layer (real `AgentClient`) against an SMP server +-- whose `NamesEnv` is a stub `ResolverCall` — same pattern as `RSLVTests` +-- but going through `sendOrProxySMPCommand` so we cover the agent-side +-- direct/proxy selection and the agent's error mapping. +module AgentTests.ResolveNameTests (resolveNameTests) where + +import AgentTests.FunctionalAPITests (withAgent) +import Control.Monad.Except (runExceptT) +import qualified Data.Aeson as J +import Data.List (isInfixOf) +import SMPAgentClient +import SMPClient +import SMPNamesTests (sampleRecord, sampleRecordJSON) +import Simplex.Messaging.Agent (resolveSimplexName) +import Simplex.Messaging.Agent.Client (AgentClient) +import Simplex.Messaging.Agent.Env.SQLite (InitialAgentServers (..)) +import Simplex.Messaging.Agent.Protocol (AgentErrorType (..)) +import Simplex.Messaging.Client (SMPProxyFallback (..), SMPProxyMode (..), pattern NRMInteractive) +import Simplex.Messaging.Protocol (pattern SMPServer) +import qualified Simplex.Messaging.Protocol as SMP +import Simplex.Messaging.Server.Env.STM (AStoreType (..), ServerConfig (..), ServerStoreCfg (..), StorePaths (..)) +import Simplex.Messaging.Server.MsgStore.Types (SMSType (..), SQSType (..)) +import Simplex.Messaging.Server.Names + ( NamesConfig (..), + NamesEnv, + ResolverCall, + ResolverCallKind (..), + newNamesEnvWith, + ) +import Simplex.Messaging.Server.Names.HttpResolver (ResolverError (..)) +import Simplex.Messaging.SimplexName (SimplexNameDomain (..), SimplexTLD (..)) +import Simplex.Messaging.Transport +import Test.Hspec hiding (fit, it) +import Util (it) + +stubNamesConfig :: NamesConfig +stubNamesConfig = + NamesConfig + { resolverEndpoint = "http://stub", + resolverAuth = Nothing, + resolverTimeoutMs = 1000, + resolverMaxResponseBytes = 65536 + } + +-- | 404 stub: the resolver returns "not registered". Server maps to ERR +-- AUTH; agent surfaces as SMP host AUTH. +stubResolverNotFound :: ResolverCall +stubResolverNotFound = \case + ResolverFetch _ -> pure (Left (HttpStatusErr 404)) + ResolverHealth -> pure (Right (J.object [])) + +-- | Success stub: returns the canned NameRecord JSON. +stubResolverSuccess :: ResolverCall +stubResolverSuccess = \case + ResolverFetch _ -> pure (Right sampleRecordJSON) + ResolverHealth -> pure (Right (J.object [])) + +mkNotFoundNamesEnv :: IO NamesEnv +mkNotFoundNamesEnv = newNamesEnvWith stubNamesConfig stubResolverNotFound Nothing + +mkSuccessNamesEnv :: IO NamesEnv +mkSuccessNamesEnv = newNamesEnvWith stubNamesConfig stubResolverSuccess Nothing + +memCfg :: AServerConfig +memCfg = cfgMS (ASType SQSMemory SMSMemory) + +memProxyCfg :: AServerConfig +memProxyCfg = proxyCfgMS (ASType SQSMemory SMSMemory) + +memCfg2 :: AServerConfig +memCfg2 = case memCfg of + ASrvCfg qt mt c -> ASrvCfg qt mt c {serverStoreCfg = newStoreCfg (serverStoreCfg c)} + where + newStoreCfg :: ServerStoreCfg s -> ServerStoreCfg s + newStoreCfg = \case + SSCMemory _ -> SSCMemory (Just StorePaths {storeLogFile = testStoreLogFile2, storeMsgsFile = Just testStoreMsgsFile2}) + other -> other + +withDirectResolver :: NamesEnv -> (AgentClient -> IO a) -> IO a +withDirectResolver nenv k = + withSmpServerConfigOnWithNames (transport @TLS) memCfg testPort nenv $ \_ -> + withAgent 1 agentCfg directServers testDB k + where + directServers = (initAgentServersProxy_ SPMNever SPFProhibit) {smp = userServers [testSMPServer]} + +withProxyAndResolver :: NamesEnv -> (AgentClient -> IO a) -> IO a +withProxyAndResolver nenv k = + withSmpServerConfigOn (transport @TLS) memProxyCfg testPort $ \_ -> + withSmpServerConfigOnWithNames (transport @TLS) memCfg2 testPort2 nenv $ \_ -> + withAgent 1 agentCfg proxyServers testDB k + where + proxyServers = (initAgentServersProxy_ SPMAlways SPFProhibit) {smp = userServers [testSMPServer, testSMPServer2]} + +directResolverSrv :: SMP.SMPServer +directResolverSrv = SMPServer testHost testPort testKeyHash + +proxiedResolverSrv :: SMP.SMPServer +proxiedResolverSrv = SMPServer testHost2 testPort2 testKeyHash + +-- --------------------------------------------------------------------------- +-- Spec +-- --------------------------------------------------------------------------- + +resolveNameTests :: Spec +resolveNameTests = do + describe "Agent resolveSimplexName" $ do + describe "direct path (SPMNever)" $ + it "AUTH propagates as SMP host AUTH (resolver 404 -> NotFound)" testDirectAuth + describe "proxy path (SPMAlways)" $ + it "AUTH from resolver propagates via proxy as SMP AUTH" testProxyAuth + describe "TLDTesting path" $ + it "AUTH (resolver 404 -> NotFound) for TLDTesting too" testTestingTldAuth + describe "TLDWeb path" $ + it "AUTH (resolver 404 -> NotFound) for TLDWeb too" testWebTldAuth + describe "success path" $ + it "returns NameRecord" testDirectSuccess + +-- --------------------------------------------------------------------------- +-- Tests +-- --------------------------------------------------------------------------- + +-- | Direct path: agent with SPMNever sends RSLV without PFWD; resolver +-- replies 404 (not found); server returns ERR AUTH; agent maps to +-- `SMP host AUTH`. +testDirectAuth :: HasCallStack => IO () +testDirectAuth = do + nenv <- mkNotFoundNamesEnv + withDirectResolver nenv $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 directResolverSrv simplexDomain + case r of + Left (SMP _ SMP.AUTH) -> pure () + _ -> expectationFailure $ "expected Left (SMP _ AUTH), got: " <> show r + where + simplexDomain = SimplexNameDomain TLDSimplex "alice" [] + +-- | Proxy path: relay-level protocol errors are reported transparently as +-- SMP errors with the proxy host (see Client.hs:1178 "transparent for +-- AUTH/QUOTA"). +testProxyAuth :: HasCallStack => IO () +testProxyAuth = do + nenv <- mkNotFoundNamesEnv + withProxyAndResolver nenv $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 proxiedResolverSrv simplexDomain + case r of + Left (SMP host SMP.AUTH) | testPort `isInfixOf` host -> pure () + _ -> expectationFailure $ "expected Left (SMP testPort <> "> AUTH), got: " <> show r + where + simplexDomain = SimplexNameDomain TLDSimplex "alice" [] + +-- | TLDTesting routes through the same code path as TLDSimplex (the contract +-- field is ignored server-side; the resolver decides which registry to query). +testTestingTldAuth :: HasCallStack => IO () +testTestingTldAuth = do + nenv <- mkNotFoundNamesEnv + withDirectResolver nenv $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 directResolverSrv testingDomain + case r of + Left (SMP _ SMP.AUTH) -> pure () + _ -> expectationFailure $ "expected Left (SMP _ AUTH), got: " <> show r + where + testingDomain = SimplexNameDomain TLDTesting "bob" [] + +-- | TLDWeb is no longer a TLDContract-gated short-circuit on the agent side; +-- the agent forwards the request to the server, which forwards to the +-- resolver, which decides (per its configured TLDs) whether to honour the +-- lookup. The stub here returns 404 for every fetch, so we get AUTH. +testWebTldAuth :: HasCallStack => IO () +testWebTldAuth = do + nenv <- mkNotFoundNamesEnv + withDirectResolver nenv $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 directResolverSrv webDomain + case r of + Left (SMP _ SMP.AUTH) -> pure () + _ -> expectationFailure $ "expected Left (SMP _ AUTH), got: " <> show r + where + webDomain = SimplexNameDomain TLDWeb "example.com" [] + +-- | Success path: stub returns a real NameRecord. The agent surfaces it +-- verbatim. +testDirectSuccess :: HasCallStack => IO () +testDirectSuccess = do + nenv <- mkSuccessNamesEnv + withDirectResolver nenv $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 directResolverSrv simplexDomain + case r of + Right nr -> nr `shouldBe` sampleRecord + _ -> expectationFailure $ "expected Right NameRecord, got: " <> show r + where + simplexDomain = SimplexNameDomain TLDSimplex "alice" [] diff --git a/tests/CoreTests/ConnectTargetTests.hs b/tests/CoreTests/ConnectTargetTests.hs new file mode 100644 index 0000000000..a068c6abf8 --- /dev/null +++ b/tests/CoreTests/ConnectTargetTests.hs @@ -0,0 +1,67 @@ +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE TypeApplications #-} + +module CoreTests.ConnectTargetTests where + +import AgentTests.ConnectionRequestTests (contactConnRequest, invConnRequest) +import qualified Data.Aeson as J +import Data.Either (isLeft) +import Data.Text.Encoding (decodeUtf8) +import Simplex.Messaging.Agent.Protocol (AConnectionLink (..), ConnectTarget (..), ConnectionLink (..), SConnectionMode (..)) +import Simplex.Messaging.Encoding.String (strDecode, strEncode) +import Test.Hspec hiding (fit, it) +import Util (it) + +connectTargetTests :: Spec +connectTargetTests = describe "ConnectTarget" $ do + describe "CTName (SimpleX name) — canonical wire form prefixes simplex:/name" $ do + it "@alice.simplex encodes as simplex:/name@alice.simplex" $ + "@alice.simplex" `encodesAs` "simplex:/name@alice.simplex" + it "#privacy (bare TLD-less channel) encodes as simplex:/name#privacy.simplex" $ + "#privacy" `encodesAs` "simplex:/name#privacy.simplex" + it "#privacy.simplex encodes as simplex:/name#privacy.simplex" $ + "#privacy.simplex" `encodesAs` "simplex:/name#privacy.simplex" + it "#support.acme.simplex preserves subdomain" $ + "#support.acme.simplex" `encodesAs` "simplex:/name#support.acme.simplex" + it "#PRIVACY (bare uppercase) lowercases to match #privacy" $ + strDecode @ConnectTarget "#PRIVACY" `shouldBe` strDecode @ConnectTarget "#privacy" + it "simplex:/name@alice.simplex round-trips" $ + "simplex:/name@alice.simplex" `encodesAs` "simplex:/name@alice.simplex" + it "simplex:/name#privacy.simplex round-trips" $ + "simplex:/name#privacy.simplex" `encodesAs` "simplex:/name#privacy.simplex" + + describe "CTLink (connection link) round-trips" $ do + it "parses simplex:/contact#… as CTLink and round-trips" $ do + let s = strEncode (ACL SCMContact (CLFull contactConnRequest)) + decodesSuccessfully s + s `encodesAs` s + it "parses simplex:/invitation#… as CTLink" $ do + let s = strEncode (ACL SCMInvitation (CLFull invConnRequest)) + decodesSuccessfully s + + describe "rejects ambiguous bare input at this layer" $ do + it "rejects bare 'alice' — no @, no #, no simplex:/name prefix" $ + strDecode @ConnectTarget "alice" `shouldSatisfy` isLeft + it "rejects empty input" $ + strDecode @ConnectTarget "" `shouldSatisfy` isLeft + it "rejects whitespace input" $ + strDecode @ConnectTarget " " `shouldSatisfy` isLeft + + describe "JSON shape mirrors AConnectionLink (plain string, not tagged sum)" $ do + it "encodes @alice.simplex as a JSON string" $ + case strDecode @ConnectTarget "@alice.simplex" of + Right ct -> J.toJSON ct `shouldBe` J.String "simplex:/name@alice.simplex" + Left e -> expectationFailure $ "strDecode failed: " <> e + it "encodes a CTLink as the canonical link JSON string" $ do + let s = strEncode (ACL SCMContact (CLFull contactConnRequest)) + case strDecode @ConnectTarget s of + Right ct -> J.toJSON ct `shouldBe` J.String (decodeUtf8 s) + Left e -> expectationFailure $ "strDecode failed: " <> e + it "parses JSON string back to ConnectTarget" $ + J.eitherDecode @ConnectTarget "\"@alice.simplex\"" + `shouldSatisfy` either (const False) (const True) + where + encodesAs input canonical = + (strEncode <$> strDecode @ConnectTarget input) `shouldBe` Right canonical + decodesSuccessfully s = + strDecode @ConnectTarget s `shouldSatisfy` either (const False) (const True) diff --git a/tests/RSLVTests.hs b/tests/RSLVTests.hs new file mode 100644 index 0000000000..f6ada606d2 --- /dev/null +++ b/tests/RSLVTests.hs @@ -0,0 +1,227 @@ +{-# LANGUAGE DataKinds #-} +{-# LANGUAGE DuplicateRecordFields #-} +{-# LANGUAGE GADTs #-} +{-# LANGUAGE LambdaCase #-} +{-# LANGUAGE NamedFieldPuns #-} +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE PatternSynonyms #-} +{-# LANGUAGE ScopedTypeVariables #-} +{-# LANGUAGE TypeApplications #-} +{-# OPTIONS_GHC -fno-warn-ambiguous-fields #-} + +-- | Functional-API tests for the public-namespace resolver (RSLV). +-- +-- Mocks the resolver at the `resolverCall` layer using `newNamesEnvWith`. +-- Tests: +-- * direct RSLV is accepted (not `CMD PROHIBITED`) +-- * `ERR AUTH` for malformed names (parseName layer) +-- * `ERR AUTH` for backend `NotFound` (404 / 400 from the HTTP resolver) +-- * `ERR AUTH` for backend transport errors (HTTP 502 or transport failure) +-- * `ERR AUTH` when the server has no `namesEnv` (rslvDisabled) +-- * `NAME` returned when the resolver returns a valid JSON record +-- * the same paths via PFWD round-trip (proxy + resolver wiring works) +module RSLVTests (rslvTests) where + +import Control.Monad.Trans.Except (ExceptT, runExceptT) +import qualified Data.Aeson as J +import qualified Data.ByteString.Char8 as B +import Data.List.NonEmpty (NonEmpty (..)) +import Data.Time.Clock (getCurrentTime) +import SMPClient +import Simplex.Messaging.Client +import qualified Simplex.Messaging.Crypto as C +import SMPNamesTests (sampleRecord, sampleRecordJSON) +import Simplex.Messaging.Protocol + ( BrokerMsg (..), + Cmd (..), + Command (..), + CorrId (..), + ErrorType (..), + NameOwner, + RslvRequest (..), + SParty (..), + Transmission, + TransmissionForAuth (..), + encodeTransmissionForAuth, + mkNameOwner, + pattern SMPServer, + tGetClient, + tPut, + ) +import qualified Simplex.Messaging.Protocol as SMP +import Simplex.Messaging.Server.Env.STM (AStoreType (..), ServerConfig (..), ServerStoreCfg (..), StorePaths (..)) +import Simplex.Messaging.Server.MsgStore.Types (SMSType (..), SQSType (..)) +import Simplex.Messaging.Server.Names + ( NamesConfig (..), + NamesEnv, + ResolverCall, + ResolverCallKind (..), + newNamesEnvWith, + ) +import Simplex.Messaging.Server.Names.HttpResolver (ResolverError (..)) +import Simplex.Messaging.Transport +import Simplex.Messaging.Version (mkVersionRange) +import Test.Hspec hiding (fit, it) +import Util (it) + +-- --------------------------------------------------------------------------- +-- Fixtures +-- --------------------------------------------------------------------------- + +unsafeOwner :: B.ByteString -> NameOwner +unsafeOwner = either error id . mkNameOwner + +-- A placeholder contract used in RslvRequest. The server ignores the +-- contract field, so the value doesn't affect behaviour. +placeholderContract :: NameOwner +placeholderContract = unsafeOwner (B.replicate 20 '\NUL') + +stubNamesConfig :: NamesConfig +stubNamesConfig = + NamesConfig + { resolverEndpoint = "http://stub", + resolverAuth = Nothing, + resolverTimeoutMs = 1000, + resolverMaxResponseBytes = 65536 + } + +-- | Default stub: the resolver replies 404. Server maps to NotFound -> AUTH. +stubResolverNotFound :: ResolverCall +stubResolverNotFound = \case + ResolverFetch _ -> pure (Left (HttpStatusErr 404)) + ResolverHealth -> pure (Right (J.object [])) + +-- | Stub that returns a 502 upstream-RPC failure on resolve. Server maps to +-- ResolverError -> ERR AUTH via `rslvEthErrs`. +stubResolverHttpErr :: ResolverCall +stubResolverHttpErr = \case + ResolverFetch _ -> pure (Left (HttpStatusErr 502)) + ResolverHealth -> pure (Right (J.object [])) + +-- | Stub returning a real NameRecord JSON value (success path). +stubResolverSuccess :: ResolverCall +stubResolverSuccess = \case + ResolverFetch _ -> pure (Right sampleRecordJSON) + ResolverHealth -> pure (Right (J.object [])) + +mkNamesEnv :: ResolverCall -> IO NamesEnv +mkNamesEnv stub = newNamesEnvWith stubNamesConfig stub Nothing + +memCfg :: AServerConfig +memCfg = cfgMS (ASType SQSMemory SMSMemory) + +memProxyCfg :: AServerConfig +memProxyCfg = proxyCfgMS (ASType SQSMemory SMSMemory) + +memCfg2 :: AServerConfig +memCfg2 = case memCfg of + ASrvCfg qt mt c -> ASrvCfg qt mt c {serverStoreCfg = newStoreCfg (serverStoreCfg c)} + where + newStoreCfg :: ServerStoreCfg s -> ServerStoreCfg s + newStoreCfg = \case + SSCMemory _ -> SSCMemory (Just StorePaths {storeLogFile = testStoreLogFile2, storeMsgsFile = Just testStoreMsgsFile2}) + other -> other + +withResolverServer :: NamesEnv -> IO a -> IO a +withResolverServer nenv = + withSmpServerConfigOnWithNames (transport @TLS) memCfg testPort nenv . const + +withProxyAndResolver :: NamesEnv -> IO a -> IO a +withProxyAndResolver nenv runTest = + withSmpServerConfigOn (transport @TLS) memProxyCfg testPort $ \_ -> + withSmpServerConfigOnWithNames (transport @TLS) memCfg2 testPort2 nenv (const runTest) + +sendRslv :: Transport c => THandleSMP c 'TClient -> B.ByteString -> RslvRequest -> IO (Transmission (Either ErrorType BrokerMsg)) +sendRslv h@THandle {params} corrId req = do + let TransmissionForAuth {tToSend} = encodeTransmissionForAuth params (CorrId corrId, NoEntity, Cmd SResolver (RSLV req)) + [Right ()] <- tPut h (Right (Nothing, tToSend) :| []) + r :| _ <- tGetClient h + pure r + +-- --------------------------------------------------------------------------- +-- Tests +-- --------------------------------------------------------------------------- + +rslvTests :: Spec +rslvTests = do + describe "RSLV direct (non-forwarded)" $ do + it "server accepts RSLV without PFWD (not CMD PROHIBITED)" testRslvDirectAccepted + it "AUTH when name is malformed (bare label, no TLD)" testRslvBadName + it "AUTH when resolver replies 404 (not registered)" testRslvBackendNotFound + it "AUTH when resolver replies 502 (upstream failure)" testRslvBackendHttpErr + it "AUTH when server has no names config (namesEnv = Nothing)" testRslvDisabled + describe "RSLV forwarded (PFWD)" $ do + it "PFWD-wrapped RSLV reaches resolver via proxy (PCEProtocolError AUTH)" testRslvForwarded + describe "RSLV success path (NAME response)" $ do + it "returns NAME with NameRecord" testRslvSuccess + +testRslvDirectAccepted :: IO () +testRslvDirectAccepted = do + nenv <- mkNamesEnv stubResolverNotFound + withResolverServer nenv $ + testSMPClient @TLS $ \h -> do + (corrId, _entId, resp) <- sendRslv h "rs01" RslvRequest {name = "alice.simplex", contract = placeholderContract} + corrId `shouldBe` CorrId "rs01" + resp `shouldBe` Right (ERR AUTH) + +testRslvBadName :: IO () +testRslvBadName = do + nenv <- mkNamesEnv stubResolverNotFound + withResolverServer nenv $ + testSMPClient @TLS $ \h -> do + (_, _, resp) <- sendRslv h "rs02" RslvRequest {name = "alice", contract = placeholderContract} + resp `shouldBe` Right (ERR AUTH) + +testRslvBackendNotFound :: IO () +testRslvBackendNotFound = do + nenv <- mkNamesEnv stubResolverNotFound + withResolverServer nenv $ + testSMPClient @TLS $ \h -> do + (_, _, resp) <- sendRslv h "rs04" RslvRequest {name = "ghost.simplex", contract = placeholderContract} + resp `shouldBe` Right (ERR AUTH) + +testRslvBackendHttpErr :: IO () +testRslvBackendHttpErr = do + nenv <- mkNamesEnv stubResolverHttpErr + withResolverServer nenv $ + testSMPClient @TLS $ \h -> do + (_, _, resp) <- sendRslv h "rs05" RslvRequest {name = "alice.simplex", contract = placeholderContract} + resp `shouldBe` Right (ERR AUTH) + +testRslvDisabled :: IO () +testRslvDisabled = + withSmpServerConfigOn (transport @TLS) memCfg testPort $ const $ + testSMPClient @TLS $ \h -> do + (_, _, resp) <- sendRslv h "rs06" RslvRequest {name = "alice.simplex", contract = placeholderContract} + resp `shouldBe` Right (ERR AUTH) + +testRslvForwarded :: IO () +testRslvForwarded = do + nenv <- mkNamesEnv stubResolverNotFound + withProxyAndResolver nenv $ do + g <- C.newRandom + ts <- getCurrentTime + let proxyServ = SMPServer testHost testPort testKeyHash + relayServ = SMPServer testHost2 testPort2 testKeyHash + cfg' = defaultSMPClientConfig {serverVRange = mkVersionRange minServerSMPRelayVersion currentClientSMPRelayVersion} + pcE <- getProtocolClient g NRMInteractive (1, proxyServ, Nothing) cfg' [] Nothing ts (\_ -> pure ()) + pc <- either (fail . show) pure pcE + sess <- runExceptT' (connectSMPProxiedRelay pc NRMInteractive relayServ Nothing) + r <- runExceptT (proxyResolveName pc NRMInteractive sess placeholderContract "alice.simplex") + case r of + Left (PCEProtocolError SMP.AUTH) -> pure () + _ -> expectationFailure $ "expected Left (PCEProtocolError AUTH), got: " <> show r + +testRslvSuccess :: IO () +testRslvSuccess = do + nenv <- mkNamesEnv stubResolverSuccess + withResolverServer nenv $ + testSMPClient @TLS $ \h -> do + (corrId, _entId, resp) <- sendRslv h "rs07" RslvRequest {name = "alice.simplex", contract = placeholderContract} + corrId `shouldBe` CorrId "rs07" + case resp of + Right (NAME nr) -> nr `shouldBe` sampleRecord + _ -> expectationFailure $ "expected Right (NAME ..), got: " <> show resp + +runExceptT' :: Show e => ExceptT e IO a -> IO a +runExceptT' a = runExceptT a >>= either (fail . show) pure diff --git a/tests/SMPClient.hs b/tests/SMPClient.hs index 2ee9b509f0..3f6386921d 100644 --- a/tests/SMPClient.hs +++ b/tests/SMPClient.hs @@ -30,7 +30,8 @@ import Simplex.Messaging.Client.Agent (SMPClientAgentConfig (..), defaultSMPClie import qualified Simplex.Messaging.Crypto as C import Simplex.Messaging.Encoding import Simplex.Messaging.Protocol -import Simplex.Messaging.Server (runSMPServerBlocking) +import Simplex.Messaging.Server (runSMPServerBlocking, runSMPServerBlockingWithNames) +import Simplex.Messaging.Server.Names (NamesEnv) import Simplex.Messaging.Server.Env.STM import Simplex.Messaging.Server.MsgStore.Types (MsgStoreClass (..), SMSType (..), SQSType (..)) import Simplex.Messaging.Server.QueueStore.Postgres.Config (PostgresStoreCfg (..)) @@ -363,6 +364,16 @@ withSmpServerConfigOn t (ASrvCfg _ _ cfg') port' = (\started -> runSMPServerBlocking started cfg' {transports = [(port', t, False)]} Nothing) (threadDelay 10000) +-- | Variant of `withSmpServerConfigOn` for RSLV functional tests: passes a +-- pre-built `NamesEnv` (typically with a stub `ethCall`) so the server does +-- not contact the real Ethereum RPC. Skips the production `pingEndpoint` +-- probe. +withSmpServerConfigOnWithNames :: HasCallStack => ASrvTransport -> AServerConfig -> ServiceName -> NamesEnv -> (HasCallStack => ThreadId -> IO a) -> IO a +withSmpServerConfigOnWithNames t (ASrvCfg _ _ cfg') port' nenv = + serverBracket + (\started -> runSMPServerBlockingWithNames started cfg' {transports = [(port', t, False)]} Nothing (Just nenv)) + (threadDelay 10000) + withSmpServerThreadOn :: HasCallStack => (ASrvTransport, AStoreType) -> ServiceName -> (HasCallStack => ThreadId -> IO a) -> IO a withSmpServerThreadOn (t, msType) = withSmpServerConfigOn t (cfgMS msType) diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index 412b6fa2b1..d7e83b2c9c 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -1,150 +1,125 @@ +{-# LANGUAGE LambdaCase #-} {-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE ScopedTypeVariables #-} -{-# LANGUAGE TypeApplications #-} -module SMPNamesTests (smpNamesTests) where +module SMPNamesTests (smpNamesTests, sampleRecord, sampleRecordJSON) where -import qualified Crypto.Hash as Crypton -import Data.ByteString.Char8 (ByteString) +import qualified Data.Aeson as J import qualified Data.ByteString.Char8 as B -import qualified Data.ByteArray as BA +import qualified Data.ByteString.Lazy as LB import Data.Either (isLeft, isRight) -import Data.Foldable (for_) import Data.IORef (atomicModifyIORef', newIORef, readIORef) import Data.List (sort) -import Data.Text (Text) import qualified Data.Text as T -import qualified Data.Aeson as J -import qualified Data.ByteString.Lazy as LB -import Simplex.Messaging.Protocol - ( NameLink, - NameOwner, - NameRecord (..), - RslvRequest (..), - mkNameLink, - mkNameOwner, - unNameLink, - unNameOwner, - ) +import Simplex.Messaging.Protocol (NameOwner, NameRecord (..), RslvRequest (..), mkNameOwner, unNameOwner) import Simplex.Messaging.Server.Names ( NamesConfig (..), ResolveError (..), - TldRegistries (..), - lookupTldAddress, + ResolverCallKind (..), newNamesEnvWith, + parseName, + pingEndpoint, resolveName, - verifyRslv, - ) -import Simplex.Messaging.Server.Names.Eth.SNRC - ( AbiError (..), - decodeAddress, - decodeGetRecord, - decodeString, - decodeStringArray, - decodeWord256Int64, - encodeGetRecord, - keccak256, - namehash, - snrcSelector, ) +import Simplex.Messaging.Server.Names.HttpResolver (ResolverError (..)) import Simplex.Messaging.SimplexName (SimplexNameDomain (..), SimplexTLD (..)) import Test.Hspec --- Reference vectors: --- keccak256("") = c5d2460186f7233c927e7db2dcc703c0e500b653ca8227b7bfad8045d85a470 --- keccak256("abc") = 4e03657aea45a94fc7d47ba826c8d667c0d1e6e33a64a036ec44f58fa12d6c45 --- sha3_256("abc") = 3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532 --- namehash("eth") = 93cdeb708b7545dc668eb9280176169d1c33cfd8ed6f04690a0bcc88a93fc4ae - -keccak256Empty :: ByteString -keccak256Empty = "\xc5\xd2\x46\x01\x86\xf7\x23\x3c\x92\x7e\x7d\xb2\xdc\xc7\x03\xc0\xe5\x00\xb6\x53\xca\x82\x27\x3b\x7b\xfa\xd8\x04\x5d\x85\xa4\x70" - -keccak256Abc :: ByteString -keccak256Abc = "\x4e\x03\x65\x7a\xea\x45\xa9\x4f\xc7\xd4\x7b\xa8\x26\xc8\xd6\x67\xc0\xd1\xe6\xe3\x3a\x64\xa0\x36\xec\x44\xf5\x8f\xa1\x2d\x6c\x45" - -sha3_256Abc :: ByteString -sha3_256Abc = "\x3a\x98\x5d\xa7\x4f\xe2\x25\xb2\x04\x5c\x17\x2d\x6b\xd3\x90\xbd\x85\x5f\x08\x6e\x3e\x9d\x52\x5b\x46\xbf\xe2\x45\x11\x43\x15\x32" - -namehashEth :: ByteString -namehashEth = "\x93\xcd\xeb\x70\x8b\x75\x45\xdc\x66\x8e\xb9\x28\x01\x76\x16\x9d\x1c\x33\xcf\xd8\xed\x6f\x04\x69\x0a\x0b\xcc\x88\xa9\x3f\xc4\xae" - -twentyOnes :: ByteString +twentyOnes :: B.ByteString twentyOnes = B.replicate 20 '\x01' --- | Test-only constructors that crash on the smart-ctor's Left. Used for --- fixtures where we know the input satisfies the invariant; production code --- always goes through `mkNameOwner` / `mkNameLink`. -unsafeOwner :: ByteString -> NameOwner +unsafeOwner :: B.ByteString -> NameOwner unsafeOwner = either error id . mkNameOwner -unsafeLink :: Text -> NameLink -unsafeLink = either error id . mkNameLink - -addr1, addr2, addr3 :: NameOwner +addr1 :: NameOwner addr1 = unsafeOwner twentyOnes -addr2 = unsafeOwner (B.replicate 20 '\x02') -addr3 = unsafeOwner (B.replicate 20 '\x03') - -testNamesConfig :: TldRegistries -> NamesConfig -testNamesConfig regs = - NamesConfig - { ethereumEndpoint = "http://stub", - tldRegistries = regs, - rpcAuth = Nothing, - rpcTimeoutMs = 1000, - rpcMaxResponseBytes = 65536, - rpcMaxConcurrency = 4 - } +-- | Sample record matching the Python resolver JSON shape (PR #1795). +-- Text fields use the empty string as the "unset" sentinel; coin fields +-- use Nothing -> JSON null. sampleRecord :: NameRecord sampleRecord = NameRecord - { nrDisplayName = "Alice", + { nrName = "alice.simplex", + nrNickname = "Alice", + nrWebsite = "https://alice.example", + nrLocation = "Earth", + nrSimplexContact = "simplex:/contact/abc#xyz", + nrSimplexChannel = "", + nrEth = Just "0x0000000000000000000000000000000000000001", + nrBtc = Nothing, + nrXmr = Nothing, + nrDot = Nothing, nrOwner = unsafeOwner twentyOnes, - nrChannelLinks = [], - nrContactLinks = [unsafeLink "simplex:/contact/abc#xyz"], - nrAdminAddress = Just "simplex:/admin/...", - nrAdminEmail = Just "admin@example.org", - nrExpiry = 1735689600, - nrIsTest = False + nrResolver = unsafeOwner (B.replicate 20 '\x02') + } + +-- | JSON value canned by the resolver-stub for the "success" tests. +sampleRecordJSON :: J.Value +sampleRecordJSON = J.toJSON sampleRecord + +testNamesConfig :: NamesConfig +testNamesConfig = + NamesConfig + { resolverEndpoint = "http://stub", + resolverAuth = Nothing, + resolverTimeoutMs = 1000, + resolverMaxResponseBytes = 65536 } smpNamesTests :: Spec smpNamesTests = do describe "NameRecord encoding (Protocol)" nameRecordEncodingSpec - describe "Smart constructors (NameOwner, NameLink)" smartCtorsSpec - describe "Keccak-256 and namehash" namehashSpec - describe "ABI primitive bounds" abiBoundsSpec - describe "decodeGetRecord (zero-owner sentinel)" zeroOwnerSpec - describe "TLD whitelist + RSLV verification" tldWhitelistSpec - describe "Resolver" resolverSpec + describe "Smart constructors (NameOwner)" smartCtorsSpec + describe "RSLV request parsing" parseNameSpec + describe "HTTP resolver" resolverSpec + describe "Resolver health probe" healthSpec nameRecordEncodingSpec :: Spec nameRecordEncodingSpec = do it "round-trips JSON encode / decode" $ J.eitherDecodeStrict (LB.toStrict (J.encode sampleRecord)) `shouldBe` Right sampleRecord - it "emits keys in spec-documented order (displayName, owner, channelLinks, contactLinks, adminAddress, adminEmail, expiry, isTest)" $ do - -- Default toEncoding routes through Value/KeyMap and re-emits keys - -- alphabetically; spec requires byte-identical canonical encoding. + it "emits keys in spec-documented order (Python resolver shape)" $ do let bytes = LB.toStrict (J.encode sampleRecord) offset k = B.length (fst (B.breakSubstring k bytes)) - offsets = map offset ["displayName", "owner", "channelLinks", "contactLinks", "adminAddress", "adminEmail", "expiry", "isTest"] + offsets = + map + offset + [ "name", + "nickname", + "website", + "location", + "simplexContact", + "simplexChannel", + "eth", + "btc", + "xmr", + "dot", + "owner", + "resolver" + ] offsets `shouldBe` sort offsets - it "rejects negative expiry" $ do - let badBytes = LB.toStrict (J.encode sampleRecord {nrExpiry = -1}) - (J.eitherDecodeStrict badBytes :: Either String NameRecord) `shouldSatisfy` isLeft + it "emits unset coin fields as null (not absent)" $ do + let bytes = LB.toStrict (J.encode sampleRecord) + B.isInfixOf "\"btc\":null" bytes `shouldBe` True + B.isInfixOf "\"xmr\":null" bytes `shouldBe` True + B.isInfixOf "\"dot\":null" bytes `shouldBe` True + + it "emits unset text fields as empty strings (not null)" $ do + let bytes = LB.toStrict (J.encode sampleRecord) + B.isInfixOf "\"simplexChannel\":\"\"" bytes `shouldBe` True + B.isInfixOf "\"simplexChannel\":null" bytes `shouldBe` False - it "enforces combined channel+contact list cap of 8" $ do - let nineLinks = map (\i -> unsafeLink ("simplex:/contact/" <> T.pack (show (i :: Int)))) [0 .. 8] - overflow = sampleRecord {nrChannelLinks = nineLinks, nrContactLinks = []} - bytes = LB.toStrict (J.encode overflow) + it "rejects nrName > 255 bytes UTF-8" $ do + let oversize = sampleRecord {nrName = T.replicate 256 "x"} + bytes = LB.toStrict (J.encode oversize) (J.eitherDecodeStrict bytes :: Either String NameRecord) `shouldSatisfy` isLeft - it "rejects nrDisplayName > 255 bytes UTF-8" $ do - let oversize = sampleRecord {nrDisplayName = T.replicate 256 "x"} + it "rejects simplexContact > 1024 bytes UTF-8" $ do + let oversize = sampleRecord {nrSimplexContact = T.replicate 1025 "x"} bytes = LB.toStrict (J.encode oversize) (J.eitherDecodeStrict bytes :: Either String NameRecord) `shouldSatisfy` isLeft @@ -153,15 +128,26 @@ nameRecordEncodingSpec = do (J.eitherDecodeStrict (json "0x") :: Either String NameOwner) `shouldSatisfy` isRight (J.eitherDecodeStrict (json "0X") :: Either String NameOwner) `shouldSatisfy` isRight + it "owner / resolver are emitted as lowercase hex" $ do + -- The Python resolver returns lowercase hex; encoded form must match. + let mixedCase = unsafeOwner (B.pack ['\xde', '\xad', '\xbe', '\xef'] <> B.replicate 16 '\x00') + bytes = LB.toStrict (J.encode sampleRecord {nrOwner = mixedCase, nrResolver = mixedCase}) + B.isInfixOf "0xdeadbeef" bytes `shouldBe` True + B.isInfixOf "0xDEADBEEF" bytes `shouldBe` False + it "encodes within the proxied transmission budget" $ do - let huge = unsafeLink (T.replicate 1024 "x") - wide = + let wide = sampleRecord - { nrChannelLinks = replicate 4 huge, - nrContactLinks = replicate 4 huge, - nrDisplayName = T.replicate 255 "n", - nrAdminAddress = Just (T.replicate 255 "a"), - nrAdminEmail = Just (T.replicate 255 "e") + { nrName = T.replicate 255 "n", + nrNickname = T.replicate 255 "k", + nrWebsite = T.replicate 255 "w", + nrLocation = T.replicate 255 "l", + nrSimplexContact = T.replicate 1024 "x", + nrSimplexChannel = T.replicate 1024 "y", + nrEth = Just (T.replicate 255 "e"), + nrBtc = Just (T.replicate 255 "b"), + nrXmr = Just (T.replicate 255 "m"), + nrDot = Just (T.replicate 255 "d") } LB.length (J.encode wide) < 16224 `shouldBe` True @@ -172,196 +158,127 @@ smartCtorsSpec = do mkNameOwner (B.replicate 19 '\x01') `shouldSatisfy` isLeft mkNameOwner (B.replicate 21 '\x01') `shouldSatisfy` isLeft - it "mkNameLink rejects >1024 UTF-8 bytes" $ do - mkNameLink (T.replicate 1024 "x") `shouldSatisfy` isRight - mkNameLink (T.replicate 1025 "x") `shouldSatisfy` isLeft - -- multibyte UTF-8 counted in bytes, not chars: 600 × 3 = 1800 bytes - mkNameLink (T.replicate 600 "\x4e2d") `shouldSatisfy` isLeft - - it "unNameLink / unNameOwner round-trip the smart ctors" $ do - case (mkNameOwner twentyOnes, mkNameLink "abc") of - (Right o, Right l) -> do - unNameOwner o `shouldBe` twentyOnes - unNameLink l `shouldBe` "abc" - _ -> expectationFailure "smart ctors failed" - -namehashSpec :: Spec -namehashSpec = do - it "keccak256 of empty string matches reference vector" $ - keccak256 "" `shouldBe` keccak256Empty - - it "keccak256 of \"abc\" matches reference vector" $ - keccak256 "abc" `shouldBe` keccak256Abc - - it "Keccak-256 is NOT SHA3-256 (different output for same input)" $ do - let sha3 = BA.convert (Crypton.hash @ByteString @Crypton.SHA3_256 "abc") :: ByteString - sha3 `shouldBe` sha3_256Abc - keccak256 "abc" `shouldNotBe` sha3 - - it "namehash of empty name is 32 zero bytes" $ - namehash "" `shouldBe` B.replicate 32 '\NUL' - - it "namehash of \"eth\" matches ENS reference vector" $ - namehash "eth" `shouldBe` namehashEth - - it "snrcSelector is 4 bytes" $ - B.length snrcSelector `shouldBe` 4 - - it "encodeGetRecord = selector ++ 32-byte node" $ do - let node = namehash "alice.eth" - bytes = encodeGetRecord node - B.length bytes `shouldBe` 36 - B.take 4 bytes `shouldBe` snrcSelector - B.drop 4 bytes `shouldBe` node - -abiBoundsSpec :: Spec -abiBoundsSpec = do - let mkBuf n = B.replicate n '\NUL' - - it "decodeWord256Int64 fails when offset + 32 > buf length" $ - decodeWord256Int64 0 (mkBuf 31) `shouldBe` Left AbiTruncated - - it "decodeWord256Int64 rejects non-zero high 24 bytes (Int64 overflow)" $ do - let buf = B.replicate 23 '\NUL' <> B.singleton '\x01' <> B.replicate 8 '\NUL' - decodeWord256Int64 0 buf `shouldBe` Left AbiNonZeroHighBytes - - it "decodeWord256Int64 rejects sign bit set in low 8 bytes (silent negative)" $ do - -- 0x8000000000000000 would decode to Int64.minBound without the check; - -- downstream length math would then see a negative len and silently - -- return empty bytes from B.take instead of failing. - let buf = B.replicate 24 '\NUL' <> "\x80\x00\x00\x00\x00\x00\x00\x00" - decodeWord256Int64 0 buf `shouldBe` Left AbiNonZeroHighBytes - - it "decodeWord256Int64 succeeds for the max representable positive value" $ do - let buf = B.replicate 24 '\NUL' <> "\x7F\xFF\xFF\xFF\xFF\xFF\xFF\xFF" - decodeWord256Int64 0 buf `shouldBe` Right maxBound - - it "decodeWord256Int64 succeeds for low 8 bytes set" $ do - let buf = B.replicate 24 '\NUL' <> "\x00\x00\x00\x00\x00\x00\x12\x34" - decodeWord256Int64 0 buf `shouldBe` Right 0x1234 - - it "decodeAddress rejects non-zero high 12 bytes" $ do - let buf = B.replicate 11 '\NUL' <> B.singleton '\x01' <> B.replicate 20 '\NUL' - decodeAddress 0 buf `shouldSatisfy` isLeft - - it "decodeString fails on backward offset" $ - decodeString 100 50 1024 (mkBuf 200) `shouldBe` Left AbiBackwardOffset - - it "decodeString fails when declared length exceeds the per-field cap" $ do - let lenBytes = B.replicate 24 '\NUL' <> "\x00\x00\x00\x00\x00\x00\x00\x64" -- length 100 - buf = lenBytes <> B.replicate 100 'x' - decodeString 0 0 10 buf `shouldBe` Left AbiOversized - - it "decodeStringArray fails when depth ≥ 2" $ - decodeStringArray 2 0 0 8 1024 (mkBuf 64) `shouldBe` Left AbiDepthExceeded - - it "decodeStringArray fails when array count exceeds cap" $ do - let lenBytes = B.replicate 24 '\NUL' <> "\x00\x00\x00\x00\x00\x00\x00\x09" -- 9 elements - buf = lenBytes <> B.replicate 1024 '\NUL' - decodeStringArray 0 0 0 8 1024 buf `shouldBe` Left AbiOversized - -zeroOwnerSpec :: Spec -zeroOwnerSpec = do - it "decodeGetRecord returns Nothing for zero-owner buffer" $ do - -- 8 slots × 32 bytes; owner at slot 1 (offset 32) is all-zero by construction - let buf = B.replicate (32 * 8) '\NUL' - decodeGetRecord buf `shouldBe` Right Nothing - - it "decodeGetRecord fails on truncated buffer" $ do - let tiny = B.replicate 31 '\NUL' - decodeGetRecord tiny `shouldBe` Left AbiTruncated - -tldWhitelistSpec :: Spec -tldWhitelistSpec = do - describe "lookupTldAddress" $ do - it "TLD-specific entry takes precedence over _all" $ do - let regs = TldRegistries {tldSimplex = Just addr1, tldTesting = Just addr2, tldAll = Just addr3} - lookupTldAddress regs TLDSimplex `shouldBe` Just addr1 - lookupTldAddress regs TLDTesting `shouldBe` Just addr2 - - it "TLD without specific entry falls back to _all" $ do - let regs = TldRegistries {tldSimplex = Nothing, tldTesting = Nothing, tldAll = Just addr3} - lookupTldAddress regs TLDSimplex `shouldBe` Just addr3 - lookupTldAddress regs TLDTesting `shouldBe` Just addr3 - - it "TLDWeb resolves only through _all" $ do - let regs = TldRegistries {tldSimplex = Just addr1, tldTesting = Just addr2, tldAll = Just addr3} - lookupTldAddress regs TLDWeb `shouldBe` Just addr3 - - it "TLDWeb without _all returns Nothing even if other TLDs are set" $ do - let regs = TldRegistries {tldSimplex = Just addr1, tldTesting = Just addr2, tldAll = Nothing} - lookupTldAddress regs TLDWeb `shouldBe` Nothing - - describe "verifyRslv" $ do - let mkEnv regs = newNamesEnvWith (testNamesConfig regs) (\_ _ -> pure (Right "")) Nothing - - it "accepts a valid name with matching TLD-specific contract" $ do - env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} - let req = RslvRequest {name = "privacy.simplex", contract = addr1} - case verifyRslv env req of - Just (a, d) -> do - a `shouldBe` addr1 - nameTLD d `shouldBe` TLDSimplex - domain d `shouldBe` "privacy" - Nothing -> expectationFailure "expected Just" - - it "normalizes case across all labels (Alice.SIMPLEX ≡ alice.simplex for namehash)" $ do - env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} - let lower = RslvRequest {name = "alice.simplex", contract = addr1} - mixed = RslvRequest {name = "Alice.SIMPLEX", contract = addr1} - case (verifyRslv env lower, verifyRslv env mixed) of - (Just (_, dL), Just (_, dM)) -> dL `shouldBe` dM - _ -> expectationFailure "both should parse" - - it "rejects mismatched contract address" $ do - env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} - let req = RslvRequest {name = "privacy.simplex", contract = addr2} - verifyRslv env req `shouldBe` Nothing - - it "rejects TLD with no whitelist entry" $ do - env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} - let req = RslvRequest {name = "test.testing", contract = addr1} - verifyRslv env req `shouldBe` Nothing - - it "accepts via _all fallback" $ do - env <- mkEnv $ TldRegistries {tldSimplex = Nothing, tldTesting = Nothing, tldAll = Just addr3} - let req = RslvRequest {name = "test.testing", contract = addr3} - case verifyRslv env req of - Just (a, _) -> a `shouldBe` addr3 - Nothing -> expectationFailure "expected Just" - - it "rejects bare (no-TLD) name (SimplexNameDomain.strP requires TLD)" $ do - env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} - let req = RslvRequest {name = "privacy", contract = addr1} - verifyRslv env req `shouldBe` Nothing - - it "rejects non-ASCII labels (Cyrillic а homograph would hash to different namehash than ASCII a)" $ do - env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} - -- Cyrillic а (U+0430), Greek α (U+03B1), full-width A (U+FF21) - for_ ["\1072lice.simplex", "\945pple.simplex", "\65313pple.simplex"] $ \name -> - verifyRslv env RslvRequest {name, contract = addr1} `shouldBe` Nothing - - it "rejects oversized inputs (>253 bytes) — bounded parser allocation" $ do - env <- mkEnv $ TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} - let oversize = T.replicate 254 "a" <> ".simplex" - verifyRslv env RslvRequest {name = oversize, contract = addr1} `shouldBe` Nothing + it "unNameOwner round-trips mkNameOwner" $ + case mkNameOwner twentyOnes of + Right o -> unNameOwner o `shouldBe` twentyOnes + Left e -> expectationFailure ("mkNameOwner failed: " <> e) + +parseNameSpec :: Spec +parseNameSpec = do + it "accepts a valid simplex-TLD name" $ do + let req = req' "privacy.simplex" + case parseName req of + Just d -> do + nameTLD d `shouldBe` TLDSimplex + domain d `shouldBe` "privacy" + Nothing -> expectationFailure "expected Just" + + it "normalises case across labels (Alice.SIMPLEX = alice.simplex)" $ do + let dL = parseName (req' "alice.simplex") + dM = parseName (req' "Alice.SIMPLEX") + dL `shouldBe` dM + + it "accepts a testing-TLD name" $ do + case parseName (req' "bob.testing") of + Just d -> nameTLD d `shouldBe` TLDTesting + Nothing -> expectationFailure "expected Just" + + it "accepts a TLDWeb name (server forwards to resolver, which will likely 404/400)" $ + parseName (req' "example.com") `shouldSatisfy` \case + Just _ -> True + Nothing -> False + + it "rejects a bare (no-TLD) name" $ + parseName (req' "privacy") `shouldBe` Nothing + + it "rejects non-ASCII labels (homograph attacks)" $ + parseName (req' "\1072lice.simplex") `shouldBe` Nothing + + it "rejects oversized inputs (>253 bytes)" $ + parseName (req' (T.replicate 254 "a" <> ".simplex")) `shouldBe` Nothing + where + req' n = RslvRequest {name = n, contract = addr1} resolverSpec :: Spec resolverSpec = do - let regs = TldRegistries {tldSimplex = Just addr1, tldTesting = Nothing, tldAll = Nothing} - mkEnv ethCall = newNamesEnvWith (testNamesConfig regs) ethCall Nothing + let mkEnv stub = newNamesEnvWith testNamesConfig stub Nothing aliceDomain = SimplexNameDomain {nameTLD = TLDSimplex, domain = "alice", subDomain = []} - zeroOwnerResponse = Right (B.replicate (32 * 8) '\NUL') - it "maps stub zero-owner response to NotFound" $ do - env <- mkEnv (\_ _ -> pure zeroOwnerResponse) - resolveName env addr1 aliceDomain `shouldReturn` Left NotFound + it "returns NameRecord on 200 OK" $ do + env <- mkEnv (\_ -> pure (Right sampleRecordJSON)) + r <- resolveName env aliceDomain + r `shouldBe` Right sampleRecord - it "every lookup hits the endpoint (no cache)" $ do + it "returns NotFound on 404" $ do + env <- mkEnv (\_ -> pure (Left (HttpStatusErr 404))) + resolveName env aliceDomain `shouldReturn` Left NotFound + + it "returns NotFound on 400 (unknown TLD)" $ do + env <- mkEnv (\_ -> pure (Left (HttpStatusErr 400))) + resolveName env aliceDomain `shouldReturn` Left NotFound + + it "returns ResolverError on 502 (upstream RPC failure)" $ do + env <- mkEnv (\_ -> pure (Left (HttpStatusErr 502))) + resolveName env aliceDomain `shouldReturn` Left ResolverError + + it "returns ResolverError on 5xx other than 502" $ do + env <- mkEnv (\_ -> pure (Left (HttpStatusErr 500))) + resolveName env aliceDomain `shouldReturn` Left ResolverError + + it "returns ResolverError on transport-layer body-too-large" $ do + env <- mkEnv (\_ -> pure (Left BodyTooLarge)) + resolveName env aliceDomain `shouldReturn` Left ResolverError + + it "returns ResolverDecodeErr on malformed JSON from the resolver" $ do + env <- mkEnv (\_ -> pure (Left (InvalidJson "expected object"))) + resolveName env aliceDomain `shouldReturn` Left ResolverDecodeErr + + it "returns ResolverDecodeErr when JSON parses but isn't a NameRecord shape" $ do + env <- mkEnv (\_ -> pure (Right (J.object []))) + resolveName env aliceDomain `shouldReturn` Left ResolverDecodeErr + + it "sends one HTTP request per lookup (no cache)" $ do callCount <- newIORef (0 :: Int) - env <- mkEnv $ \_ _ -> do + env <- mkEnv $ \_ -> do atomicModifyIORef' callCount (\v -> (v + 1, ())) - pure zeroOwnerResponse - _ <- resolveName env addr1 aliceDomain - _ <- resolveName env addr1 aliceDomain + pure (Right sampleRecordJSON) + _ <- resolveName env aliceDomain + _ <- resolveName env aliceDomain readIORef callCount `shouldReturn` 2 + + it "addresses the resolver with the full canonical domain name" $ do + seenName <- newIORef ("" :: T.Text) + env <- + mkEnv $ \case + ResolverFetch n -> do + atomicModifyIORef' seenName (\_ -> (n, ())) + pure (Right sampleRecordJSON) + ResolverHealth -> pure (Right (J.object [])) + _ <- resolveName env aliceDomain + readIORef seenName `shouldReturn` "alice.simplex" + +healthSpec :: Spec +healthSpec = do + let mkEnv stub = newNamesEnvWith testNamesConfig stub Nothing + + it "pingEndpoint succeeds on a 200 OK /health response" $ do + env <- mkEnv (\_ -> pure (Right (J.object []))) + r <- pingEndpoint env + case r of + Right () -> pure () + Left e -> expectationFailure $ "expected Right (), got Left " <> show e + + it "pingEndpoint fails on a 500 /health response" $ do + env <- mkEnv (\_ -> pure (Left (HttpStatusErr 500))) + r <- pingEndpoint env + case r of + Left (HttpStatusErr 500) -> pure () + _ -> expectationFailure $ "expected Left (HttpStatusErr 500), got " <> show r + + it "pingEndpoint routes to ResolverHealth (not ResolverFetch)" $ do + seenKind <- newIORef Nothing + env <- mkEnv $ \k -> do + atomicModifyIORef' seenKind (\_ -> (Just k, ())) + pure (Right (J.object [])) + _ <- pingEndpoint env + readIORef seenKind `shouldReturn` Just ResolverHealth diff --git a/tests/Test.hs b/tests/Test.hs index 84718a9fcc..22cc8c03ce 100644 --- a/tests/Test.hs +++ b/tests/Test.hs @@ -8,6 +8,7 @@ import Control.Concurrent (threadDelay) import qualified Control.Exception as E import Control.Logger.Simple import CoreTests.BatchingTests +import CoreTests.ConnectTargetTests import CoreTests.CryptoFileTests import CoreTests.CryptoTests import CoreTests.EncodingTests @@ -21,6 +22,7 @@ import CoreTests.VersionRangeTests import FileDescriptionTests (fileDescriptionTests) import GHC.IO.Exception (IOException (..)) import qualified GHC.IO.Exception as IOException +import RSLVTests (rslvTests) import RemoteControl (remoteControlTests) import SMPNamesTests (smpNamesTests) import SMPProxyTests (smpProxyTests) @@ -83,6 +85,7 @@ main = do $ do describe "Core tests" $ do describe "Batching tests" batchingTests + describe "ConnectTarget tests" connectTargetTests describe "Encoding tests" encodingTests describe "Version range" versionRangeTests describe "Encryption tests" cryptoTests @@ -99,6 +102,7 @@ main = do describe "TSessionSubs tests" tSessionSubsTests describe "Util tests" utilTests describe "Names resolver tests" smpNamesTests + describe "RSLV functional API tests" rslvTests describe "Agent core tests" agentCoreTests #if defined(dbServerPostgres) around_ (postgressBracket testServerDBConnectInfo) $ From 9befa486d76a4d68687a13ddbe3f26f468c8efab Mon Sep 17 00:00:00 2001 From: sh Date: Tue, 9 Jun 2026 14:19:50 +0000 Subject: [PATCH 18/33] namespace: relax resolver_endpoint validation (path prefix, http without auth) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit validateUrl gains two operator-friendly relaxations and a regression test: - Allow a path prefix (e.g. https://gw.example.com:443/snrc) for a resolver behind a reverse-proxy sub-path; /resolve/ and /health are appended (HttpResolver already strips one trailing slash, so root and sub-path behave identically). Query/fragment/userinfo stay rejected. - Off-loopback, reject only http WITH resolver_auth (the Authorization header would travel in cleartext). http without auth is now allowed (no secret to leak; resolver data is public — also lets dev setups reach a host resolver via http://host.docker.internal). https is always allowed, with or without auth. Plain http has no response integrity; intended for trusted/local networks only. Exports validateUrl and adds validateUrlSpec (11 cases) to SMPNamesTests. --- src/Simplex/Messaging/Server/Main.hs | 43 +++++++++++++++++++--------- tests/SMPNamesTests.hs | 29 +++++++++++++++++++ 2 files changed, 58 insertions(+), 14 deletions(-) diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index fedd0d5089..a60599e67d 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -34,6 +34,7 @@ module Simplex.Messaging.Server.Main simplexmqSource, serverPublicInfo, validCountryValue, + validateUrl, printSourceCode, cliCommandP, strParse, @@ -842,11 +843,17 @@ readNamesConfig ini -- accidentally hitting :80 when the resolver listens on :8000) -- * userinfo (user:pass@) MUST NOT be present (credentials belong in -- resolver_auth so they don't leak via Host header or logs) --- * query and fragment MUST NOT be present --- * http is rejected on non-loopback hosts (plaintext to a third party --- leaks resolver_auth on every request) --- * https requires resolver_auth on non-loopback hosts (a public endpoint --- without auth is almost always misconfig) +-- * query and fragment MUST NOT be present (a base URL with a query/fragment +-- does not compose with the appended /resolve/ and /health paths) +-- * a path prefix IS allowed (e.g. https://gw.example.com:443/snrc for a +-- resolver behind a reverse-proxy sub-path); /resolve/ and /health +-- are appended to it. Do not embed secrets in the path — it appears in +-- logs; put credentials in resolver_auth. +-- * on a non-loopback host, only http WITH resolver_auth is rejected (the +-- Authorization header would travel in cleartext). http without auth is +-- allowed (no secret to leak; resolver data is public — also lets dev +-- setups reach a host resolver via host.docker.internal). https is always +-- allowed, with or without auth. -- * link-local hosts (169.254.0.0/16, including the cloud metadata IP -- 169.254.169.254) are rejected unconditionally validateUrl :: Text -> Maybe RpcAuth -> Either String Text @@ -871,15 +878,23 @@ validateUrl url auth_ = do Just n | (n :: Int) >= 1 && n <= 65535 -> Right () _ -> Left $ "port " <> portStr <> " out of range (must be 1..65535)" other -> Left $ "unexpected port syntax: " <> other - unless (null (uriQuery uri)) $ Left "query string not allowed" - unless (null (uriFragment uri)) $ Left "fragment not allowed" - let path = uriPath uri - unless (path == "" || path == "/") $ - Left "URL path not allowed; API keys embedded in the path leak to logs — use resolver_auth instead" - unless (isLoopback host) $ case scheme of - "http:" -> Left "http endpoint on a non-loopback host not allowed (plaintext leaks resolver_auth); use https" - "https:" | isNothing auth_ -> Left "https endpoint on a non-loopback host requires resolver_auth" - _ -> Right () + unless (null (uriQuery uri)) $ Left "query string not allowed (it does not compose with the appended /resolve/ path)" + unless (null (uriFragment uri)) $ Left "fragment not allowed (fragments are never sent to the server)" + -- A path prefix is allowed and used as the base for /resolve/ and + -- /health (resolver behind a reverse-proxy sub-path). The join in + -- HttpResolver.newResolverEnv strips a single trailing slash, so both + -- ".../snrc" and ".../snrc/" behave identically. Secrets do not belong in + -- the path (it is logged) — use resolver_auth. + -- The only transport-security risk on a non-loopback host is leaking the + -- Authorization header in cleartext, so we reject ONLY http+auth. http + -- without auth is allowed (nothing secret to leak — the resolver serves + -- public name data; this also covers reaching a host resolver via + -- host.docker.internal in dev). https is always fine, with or without auth. + -- NOTE: http without auth has no transport integrity — a network attacker + -- could forge NameRecord responses. Only point at a plaintext resolver on a + -- trusted/local network. + when (not (isLoopback host) && scheme == "http:" && isJust auth_) $ + Left "http with resolver_auth on a non-loopback host not allowed (the Authorization header would be sent in cleartext); use https, or drop resolver_auth for a no-auth resolver" Right url where -- 127.0.0.0/8 and 0.0.0.0 both bind locally on Linux/BSD; treat them all diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index d7e83b2c9c..e73bc6b90d 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -13,10 +13,12 @@ import Data.IORef (atomicModifyIORef', newIORef, readIORef) import Data.List (sort) import qualified Data.Text as T import Simplex.Messaging.Protocol (NameOwner, NameRecord (..), RslvRequest (..), mkNameOwner, unNameOwner) +import Simplex.Messaging.Server.Main (validateUrl) import Simplex.Messaging.Server.Names ( NamesConfig (..), ResolveError (..), ResolverCallKind (..), + RpcAuth (..), newNamesEnvWith, parseName, pingEndpoint, @@ -75,6 +77,7 @@ smpNamesTests = do describe "RSLV request parsing" parseNameSpec describe "HTTP resolver" resolverSpec describe "Resolver health probe" healthSpec + describe "resolver_endpoint validation" validateUrlSpec nameRecordEncodingSpec :: Spec nameRecordEncodingSpec = do @@ -282,3 +285,29 @@ healthSpec = do pure (Right (J.object [])) _ <- pingEndpoint env readIORef seenKind `shouldReturn` Just ResolverHealth + +validateUrlSpec :: Spec +validateUrlSpec = do + let auth = Just (AuthBasic "user" "pass") + it "accepts https with explicit port and auth (root path)" $ + validateUrl "https://gw.example.com:443" auth `shouldSatisfy` isRight + it "accepts a path prefix (reverse-proxy sub-path)" $ + validateUrl "https://gw.example.com:443/snrc" auth `shouldSatisfy` isRight + it "accepts a path prefix with trailing slash" $ + validateUrl "https://gw.example.com:443/snrc/" auth `shouldSatisfy` isRight + it "rejects a query string" $ + validateUrl "https://gw.example.com:443/snrc?x=1" auth `shouldSatisfy` isLeft + it "rejects a fragment" $ + validateUrl "https://gw.example.com:443/snrc#f" auth `shouldSatisfy` isLeft + it "rejects userinfo (credentials belong in resolver_auth)" $ + validateUrl "https://user:pass@gw.example.com:443" auth `shouldSatisfy` isLeft + it "rejects a missing port" $ + validateUrl "https://gw.example.com/snrc" auth `shouldSatisfy` isLeft + it "accepts https on a non-loopback host without auth (public resolver)" $ + validateUrl "https://gw.example.com:443/snrc" Nothing `shouldSatisfy` isRight + it "accepts http without auth on a non-loopback host (e.g. host.docker.internal)" $ + validateUrl "http://host.docker.internal:9999" Nothing `shouldSatisfy` isRight + it "rejects http WITH auth on a non-loopback host (cleartext credential leak)" $ + validateUrl "http://gw.example.com:9999" auth `shouldSatisfy` isLeft + it "allows loopback http without auth (with a path prefix)" $ + validateUrl "http://localhost:8000/snrc" Nothing `shouldSatisfy` isRight From f555e9af813a4ff6249911ef04da92db3618f2e8 Mon Sep 17 00:00:00 2001 From: sh Date: Thu, 11 Jun 2026 09:07:26 +0000 Subject: [PATCH 19/33] namespace: NameRecord links as arrays (multi-link, cap 5) --- src/Simplex/Messaging/Names/Record.hs | 33 +++++++++++++++++++++------ tests/SMPNamesTests.hs | 21 ++++++++++------- 2 files changed, 39 insertions(+), 15 deletions(-) diff --git a/src/Simplex/Messaging/Names/Record.hs b/src/Simplex/Messaging/Names/Record.hs index 460f85bbd1..53d27d9906 100644 --- a/src/Simplex/Messaging/Names/Record.hs +++ b/src/Simplex/Messaging/Names/Record.hs @@ -18,17 +18,19 @@ import Simplex.Messaging.Parsers (defaultJSON, dropPrefix) -- | Resolved name record returned by the names role. -- Wire format is JSON — change requires an SMP version bump. --- JSON keys match the Python REST resolver (PR #1795 `snrc-resolve.py`). +-- JSON keys match the Python REST resolver (`snrc-resolve.py`). -- Text fields use the empty string as the "unset" sentinel; coin fields --- use JSON `null`. `owner` and `resolver` carry 20-byte addresses encoded --- as `0x`-prefixed lowercase hex (see Names.Owner). +-- use JSON `null`. simplexContact / simplexChannel are arrays of links +-- (primary first, empty array when unset) so a name can advertise fallback +-- SMP servers. `owner` and `resolver` carry 20-byte addresses encoded as +-- `0x`-prefixed lowercase hex (see Names.Owner). data NameRecord = NameRecord { nrName :: Text, nrNickname :: Text, nrWebsite :: Text, nrLocation :: Text, - nrSimplexContact :: Text, - nrSimplexChannel :: Text, + nrSimplexContact :: [Text], + nrSimplexChannel :: [Text], nrEth :: Maybe Text, nrBtc :: Maybe Text, nrXmr :: Maybe Text, @@ -47,6 +49,17 @@ $( JQ.deriveToJSON ''NameRecord ) +-- Each link field holds up to maxLinks entries totalling at most maxLinkBytes +-- UTF-8 bytes -- the same byte budget as the former single-string field, so the +-- proxied NameRecord size is unchanged. Entries are ordered primary-first. +-- maxLinks matches the dApp's authoring cap (ens-app-v3 MultiUrlField +-- MULTI_URL_FIELD_CAP = 5); records with more entries are non-conforming. +maxLinks :: Int +maxLinks = 5 + +maxLinkBytes :: Int +maxLinkBytes = 1024 + -- FromJSON is hand-rolled to enforce per-field UTF-8 byte-length caps that -- TH derivation cannot express. instance J.FromJSON NameRecord where @@ -55,8 +68,8 @@ instance J.FromJSON NameRecord where nrNickname <- o J..: "nickname" >>= capUtf8 "nickname" 255 nrWebsite <- o J..: "website" >>= capUtf8 "website" 255 nrLocation <- o J..: "location" >>= capUtf8 "location" 255 - nrSimplexContact <- o J..: "simplexContact" >>= capUtf8 "simplexContact" 1024 - nrSimplexChannel <- o J..: "simplexChannel" >>= capUtf8 "simplexChannel" 1024 + nrSimplexContact <- o J..: "simplexContact" >>= capLinks "simplexContact" + nrSimplexChannel <- o J..: "simplexChannel" >>= capLinks "simplexChannel" nrEth <- o J..:? "eth" >>= traverse (capUtf8 "eth" 255) nrBtc <- o J..:? "btc" >>= traverse (capUtf8 "btc" 255) nrXmr <- o J..:? "xmr" >>= traverse (capUtf8 "xmr" 255) @@ -68,3 +81,9 @@ instance J.FromJSON NameRecord where capUtf8 fld lim t | B.length (encodeUtf8 t) <= lim = pure t | otherwise = fail $ fld <> " exceeds " <> show lim <> " bytes UTF-8" + capLinks fld links + | length links > maxLinks = + fail $ fld <> " exceeds " <> show maxLinks <> " entries" + | sum (map (B.length . encodeUtf8) links) > maxLinkBytes = + fail $ fld <> " entries exceed " <> show maxLinkBytes <> " bytes UTF-8" + | otherwise = pure links diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index e73bc6b90d..91b30a0945 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -47,8 +47,8 @@ sampleRecord = nrNickname = "Alice", nrWebsite = "https://alice.example", nrLocation = "Earth", - nrSimplexContact = "simplex:/contact/abc#xyz", - nrSimplexChannel = "", + nrSimplexContact = ["simplex:/contact/abc#xyz"], + nrSimplexChannel = [], nrEth = Just "0x0000000000000000000000000000000000000001", nrBtc = Nothing, nrXmr = Nothing, @@ -111,9 +111,9 @@ nameRecordEncodingSpec = do B.isInfixOf "\"xmr\":null" bytes `shouldBe` True B.isInfixOf "\"dot\":null" bytes `shouldBe` True - it "emits unset text fields as empty strings (not null)" $ do + it "emits unset link fields as empty arrays (not null)" $ do let bytes = LB.toStrict (J.encode sampleRecord) - B.isInfixOf "\"simplexChannel\":\"\"" bytes `shouldBe` True + B.isInfixOf "\"simplexChannel\":[]" bytes `shouldBe` True B.isInfixOf "\"simplexChannel\":null" bytes `shouldBe` False it "rejects nrName > 255 bytes UTF-8" $ do @@ -121,8 +121,13 @@ nameRecordEncodingSpec = do bytes = LB.toStrict (J.encode oversize) (J.eitherDecodeStrict bytes :: Either String NameRecord) `shouldSatisfy` isLeft - it "rejects simplexContact > 1024 bytes UTF-8" $ do - let oversize = sampleRecord {nrSimplexContact = T.replicate 1025 "x"} + it "rejects simplexContact entries > 1024 bytes UTF-8 combined" $ do + let oversize = sampleRecord {nrSimplexContact = [T.replicate 1025 "x"]} + bytes = LB.toStrict (J.encode oversize) + (J.eitherDecodeStrict bytes :: Either String NameRecord) `shouldSatisfy` isLeft + + it "rejects simplexContact with more than 5 entries" $ do + let oversize = sampleRecord {nrSimplexContact = replicate 6 "simplex:/contact/x#y"} bytes = LB.toStrict (J.encode oversize) (J.eitherDecodeStrict bytes :: Either String NameRecord) `shouldSatisfy` isLeft @@ -145,8 +150,8 @@ nameRecordEncodingSpec = do nrNickname = T.replicate 255 "k", nrWebsite = T.replicate 255 "w", nrLocation = T.replicate 255 "l", - nrSimplexContact = T.replicate 1024 "x", - nrSimplexChannel = T.replicate 1024 "y", + nrSimplexContact = [T.replicate 1024 "x"], + nrSimplexChannel = [T.replicate 1024 "y"], nrEth = Just (T.replicate 255 "e"), nrBtc = Just (T.replicate 255 "b"), nrXmr = Just (T.replicate 255 "m"), From df1aa24caa9f0546d8623da84d087139ee931f06 Mon Sep 17 00:00:00 2001 From: sh Date: Thu, 11 Jun 2026 14:49:56 +0000 Subject: [PATCH 20/33] namespace: distinct RSLV error responses RSLV collapsed every non-hit (no resolver, malformed name, not found, backing-store failure) to ERR AUTH, so a client iterating its configured servers could not tell "this router has no resolver, try the next" from "name not registered, stop", and a transient backend error read as an authoritative miss. Names capability is runtime config, orthogonal to the linear SMP version (a future v21 router without [NAMES] must still advertise v21), so it is signalled by a command-time error like allowSMPProxy, not by the version range: no resolver configured -> ERR CMD PROHIBITED (client skips, tries next) backing-store failure -> ERR INTERNAL (transient: retry/surface) not found / malformed -> ERR AUTH (authoritative "no such name") Update the protocol spec error table and add agent tests for the no-resolver (CMD PROHIBITED) and backend-failure (INTERNAL) paths. --- protocol/simplex-messaging.md | 25 +++++++++----- src/Simplex/Messaging/Server.hs | 8 +++-- tests/AgentTests/ResolveNameTests.hs | 49 ++++++++++++++++++++++++++++ 3 files changed, 72 insertions(+), 10 deletions(-) diff --git a/protocol/simplex-messaging.md b/protocol/simplex-messaging.md index 293721ecec..716f5ef7f8 100644 --- a/protocol/simplex-messaging.md +++ b/protocol/simplex-messaging.md @@ -1471,16 +1471,25 @@ domain (TLD required — bare labels are rejected) and forwards it to the configured backing resolver. The `contract` field is parsed for forward compatibility but ignored by the reference implementation: the backing resolver is the source of truth for which on-chain registry maps to each TLD. -Any failure (malformed name, resolver 404 / 400 / 5xx, transport failure, -timeout, decode error, names role disabled) collapses to `ERR AUTH`. The names router responds with either a `NAME` response carrying the resolved -record, or `ERR AUTH` collapsing every failure mode (name not found, malformed -name, names role disabled, resolver unreachable, decode error, timeout). The -wire code does not distinguish between these — stats counters MAY be exposed -out-of-band for operator observability (`bad_name` is incremented for -validation failures, distinct from `not_found` for valid lookups with no -backing record). +record, or one of three error responses that a client iterating across several +configured servers can act on distinctly: + +| Response | Condition | Client action | +|---|---|---| +| `NAME` | record resolved | use it | +| `ERR AUTH` | name not registered, or malformed name | authoritative "no such name" — stop | +| `ERR CMD PROHIBITED` | this router has no resolver (names role not enabled) | skip this server, try the next | +| `ERR INTERNAL` | backing resolver failure (404/400/5xx upstream, transport failure, timeout, decode error) | transient — retry or surface, do not treat as "not found" | + +A client SHOULD NOT broadcast a `name` to further servers after a name-capable +router has answered (`AUTH` or `INTERNAL`), since that router has already seen +the lookup key; `CMD PROHIBITED` discloses nothing about the name beyond the +fact that this router cannot resolve, so iterating past it is safe. Stats +counters MAY be exposed out-of-band for operator observability (`bad_name` is +incremented for validation failures, distinct from `not_found` for valid +lookups with no backing record). #### Name record response diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index ae5383b2b4..4586134459 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -1508,14 +1508,18 @@ client Cmd SResolver (RSLV req) -> do st <- asks (rslvStats . serverStats) incStat (rslvReqs st) + -- Distinct error responses let a client iterating its servers act correctly: + -- CMD PROHIBITED - this router has no resolver (names role off): skip, try next + -- INTERNAL - resolver / backing-store failure: transient, retry or surface + -- AUTH - name not registered, or malformed name: authoritative "no such name" (selector, msg) <- asks namesEnv >>= \case - Nothing -> pure (rslvDisabled, ERR AUTH) + Nothing -> pure (rslvDisabled, ERR $ CMD PROHIBITED) Just nenv -> case parseName req of Nothing -> pure (rslvBadName, ERR AUTH) Just d -> liftIO (resolveName nenv d) <&> \case Right rec -> (rslvSucc, NAME rec) Left NotFound -> (rslvNotFound, ERR AUTH) - Left _ -> (rslvEthErrs, ERR AUTH) + Left _ -> (rslvEthErrs, ERR INTERNAL) incStat (selector st) $> response (corrId, NoEntity, msg) Cmd SSenderLink command -> case command of LKEY k -> withQueue $ \q qr -> checkMode QMMessaging qr $ secureQueue_ q k $>> getQueueLink_ q qr diff --git a/tests/AgentTests/ResolveNameTests.hs b/tests/AgentTests/ResolveNameTests.hs index 711dbca102..193b4e3fab 100644 --- a/tests/AgentTests/ResolveNameTests.hs +++ b/tests/AgentTests/ResolveNameTests.hs @@ -69,12 +69,22 @@ stubResolverSuccess = \case ResolverFetch _ -> pure (Right sampleRecordJSON) ResolverHealth -> pure (Right (J.object [])) +-- | 502 stub: the backing resolver fails (upstream RPC error). Server maps to +-- ERR INTERNAL; agent surfaces as SMP host INTERNAL (transient, not "not found"). +stubResolverError :: ResolverCall +stubResolverError = \case + ResolverFetch _ -> pure (Left (HttpStatusErr 502)) + ResolverHealth -> pure (Right (J.object [])) + mkNotFoundNamesEnv :: IO NamesEnv mkNotFoundNamesEnv = newNamesEnvWith stubNamesConfig stubResolverNotFound Nothing mkSuccessNamesEnv :: IO NamesEnv mkSuccessNamesEnv = newNamesEnvWith stubNamesConfig stubResolverSuccess Nothing +mkErrorNamesEnv :: IO NamesEnv +mkErrorNamesEnv = newNamesEnvWith stubNamesConfig stubResolverError Nothing + memCfg :: AServerConfig memCfg = cfgMS (ASType SQSMemory SMSMemory) @@ -105,6 +115,14 @@ withProxyAndResolver nenv k = where proxyServers = (initAgentServersProxy_ SPMAlways SPFProhibit) {smp = userServers [testSMPServer, testSMPServer2]} +-- | A direct SMP server with NO names role configured (namesEnv = Nothing). +withNoResolver :: (AgentClient -> IO a) -> IO a +withNoResolver k = + withSmpServerConfigOn (transport @TLS) memCfg testPort $ \_ -> + withAgent 1 agentCfg directServers testDB k + where + directServers = (initAgentServersProxy_ SPMNever SPFProhibit) {smp = userServers [testSMPServer]} + directResolverSrv :: SMP.SMPServer directResolverSrv = SMPServer testHost testPort testKeyHash @@ -126,6 +144,10 @@ resolveNameTests = do it "AUTH (resolver 404 -> NotFound) for TLDTesting too" testTestingTldAuth describe "TLDWeb path" $ it "AUTH (resolver 404 -> NotFound) for TLDWeb too" testWebTldAuth + describe "no resolver configured" $ + it "answers CMD PROHIBITED so the client skips this server" testNoResolverProhibited + describe "backing resolver failure" $ + it "surfaces as SMP host INTERNAL (transient, not not-found)" testBackendErrorInternal describe "success path" $ it "returns NameRecord" testDirectSuccess @@ -189,6 +211,33 @@ testWebTldAuth = do where webDomain = SimplexNameDomain TLDWeb "example.com" [] +-- | A router with no resolver configured (namesEnv = Nothing) answers +-- CMD PROHIBITED, so a client iterating its servers skips it and tries the +-- next rather than treating the response as an authoritative "not found". +testNoResolverProhibited :: HasCallStack => IO () +testNoResolverProhibited = + withNoResolver $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 directResolverSrv simplexDomain + case r of + Left (SMP _ (SMP.CMD SMP.PROHIBITED)) -> pure () + _ -> expectationFailure $ "expected Left (SMP _ (CMD PROHIBITED)), got: " <> show r + where + simplexDomain = SimplexNameDomain TLDSimplex "alice" [] + +-- | A backing-resolver failure (502 upstream) surfaces as SMP host INTERNAL - +-- a transient error the client surfaces / retries, distinct from AUTH which +-- would (incorrectly) read as "name not registered". +testBackendErrorInternal :: HasCallStack => IO () +testBackendErrorInternal = do + nenv <- mkErrorNamesEnv + withDirectResolver nenv $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 directResolverSrv simplexDomain + case r of + Left (SMP _ SMP.INTERNAL) -> pure () + _ -> expectationFailure $ "expected Left (SMP _ INTERNAL), got: " <> show r + where + simplexDomain = SimplexNameDomain TLDSimplex "alice" [] + -- | Success path: stub returns a real NameRecord. The agent surfaces it -- verbatim. testDirectSuccess :: HasCallStack => IO () From 0fa090926d893a60b826506be6557b405cbec3e5 Mon Sep 17 00:00:00 2001 From: sh Date: Fri, 12 Jun 2026 14:29:03 +0000 Subject: [PATCH 21/33] refactor(names): server role + one error type Addresses epoberezkin's review (PR #1784). Name resolution becomes a server role like proxy; the agent owns resolution + server selection; one error type flows through the whole stack. - ServerRoles gains `names`; UserServers gains `nameSrvs` (opt-in list); resolveSimplexName drops the explicit server arg and picks a names-capable server via getNextServer. - RSLV carries SimplexNameDomain (was RslvRequest): no JSON on the wire, contract dropped, name validated at parse (invalid -> CMD SYNTAX). - Version check moves from the encoder to Client.hs (no ERR to server). - ErrorType.NAME {nameErr :: NameErrorType} (+ AgentErrorType.NAME), wire- and JSON-encoded; resolver errors surface with diagnostics. Success response renamed NAME -> RNAME to free the collision. - NameOwner -> EthAddress (record selector); NameRecord derives FromJSON and gains field-ordered Encoding; per-field caps removed. - Remove newEnvWithNames / runSMPServerBlockingWithNames test seams; stub resolver folded into ServerConfig.namesResolverCall_. --- simplexmq.cabal | 2 +- src/Simplex/Messaging/Agent.hs | 23 +- src/Simplex/Messaging/Agent/Client.hs | 21 +- src/Simplex/Messaging/Agent/Env/SQLite.hs | 11 +- src/Simplex/Messaging/Agent/Protocol.hs | 4 + src/Simplex/Messaging/Client.hs | 34 +-- src/Simplex/Messaging/Names/EthAddress.hs | 45 ++++ src/Simplex/Messaging/Names/Owner.hs | 46 ---- src/Simplex/Messaging/Names/Record.hs | 84 +++----- src/Simplex/Messaging/Protocol.hs | 118 +++++----- src/Simplex/Messaging/Server.hs | 35 ++- src/Simplex/Messaging/Server/Env/STM.hs | 28 ++- src/Simplex/Messaging/Server/Main.hs | 14 +- src/Simplex/Messaging/Server/Names.hs | 66 +++--- src/Simplex/Messaging/Server/Prometheus.hs | 16 +- src/Simplex/Messaging/Server/Stats.hs | 41 ++-- tests/AgentTests/ResolveNameTests.hs | 238 +++++++++------------ tests/AgentTests/ServerChoice.hs | 4 +- tests/RSLVTests.hs | 142 +++++------- tests/SMPAgentClient.hs | 4 +- tests/SMPClient.hs | 14 +- tests/SMPNamesTests.hs | 177 +++++++-------- 22 files changed, 528 insertions(+), 639 deletions(-) create mode 100644 src/Simplex/Messaging/Names/EthAddress.hs delete mode 100644 src/Simplex/Messaging/Names/Owner.hs diff --git a/simplexmq.cabal b/simplexmq.cabal index 68fe132675..a0abf32b52 100644 --- a/simplexmq.cabal +++ b/simplexmq.cabal @@ -130,7 +130,7 @@ library Simplex.Messaging.Crypto.ShortLink Simplex.Messaging.Encoding Simplex.Messaging.Encoding.String - Simplex.Messaging.Names.Owner + Simplex.Messaging.Names.EthAddress Simplex.Messaging.Names.Record Simplex.Messaging.Notifications.Client Simplex.Messaging.Notifications.Protocol diff --git a/src/Simplex/Messaging/Agent.hs b/src/Simplex/Messaging/Agent.hs index 759efea4e2..f882ce7aff 100644 --- a/src/Simplex/Messaging/Agent.hs +++ b/src/Simplex/Messaging/Agent.hs @@ -442,11 +442,11 @@ getConnShortLink :: AgentClient -> NetworkRequestMode -> UserId -> ConnShortLink getConnShortLink c = withAgentEnv c .:. getConnShortLink' c {-# INLINE getConnShortLink #-} --- | Resolve a SimpleX name via the configured resolver SMP server (PFWD RSLV). --- The TLD->contract whitelist lives in the agent so chat clients only need to --- pass the resolver address and the parsed domain. -resolveSimplexName :: AgentClient -> NetworkRequestMode -> UserId -> SMPServer -> SimplexNameDomain -> AE NameRecord -resolveSimplexName c = withAgentEnv c .:: resolveSimplexName' c +-- | Resolve a SimpleX name (PFWD RSLV). The agent owns server selection: it +-- picks a names-capable server (ServerRoles.names) from the user's nameSrvs, so +-- chat clients just pass the parsed domain. +resolveSimplexName :: AgentClient -> NetworkRequestMode -> UserId -> SimplexNameDomain -> AE NameRecord +resolveSimplexName c nm userId domain = withAgentEnv c $ resolveSimplexName' c nm userId domain {-# INLINE resolveSimplexName #-} getConnLinkPrivKey :: AgentClient -> ConnId -> AE (Maybe C.PrivateKeyEd25519) @@ -1191,15 +1191,10 @@ getConnShortLink' c nm userId = \case deleteLocalInvShortLink' :: AgentClient -> ConnShortLink 'CMInvitation -> AM () deleteLocalInvShortLink' c (CSLInvitation _ srv linkId _) = withStore' c $ \db -> deleteInvShortLink db srv linkId -resolveSimplexName' :: AgentClient -> NetworkRequestMode -> UserId -> SMPServer -> SimplexNameDomain -> AM NameRecord -resolveSimplexName' c nm userId resolverSrv domain = - resolveName c nm userId resolverSrv placeholderContract (fullDomainName domain) - where - -- The wire format still carries a 20-byte `contract` field on RslvRequest - -- (no SMP version bump), but the server-side resolver ignores it: the - -- backing Python REST resolver is the source of truth for which on-chain - -- registry maps to each TLD. The agent sends the all-zero placeholder. - placeholderContract = either error id (SMP.mkNameOwner (B.replicate 20 '\NUL')) +resolveSimplexName' :: AgentClient -> NetworkRequestMode -> UserId -> SimplexNameDomain -> AM NameRecord +resolveSimplexName' c nm userId domain = do + resolverSrv <- getNextNameServer c userId + resolveName c nm userId resolverSrv domain changeConnectionUser' :: AgentClient -> UserId -> ConnId -> UserId -> AM () changeConnectionUser' c oldUserId connId newUserId = do diff --git a/src/Simplex/Messaging/Agent/Client.hs b/src/Simplex/Messaging/Agent/Client.hs index 232705c54c..684c78fc77 100644 --- a/src/Simplex/Messaging/Agent/Client.hs +++ b/src/Simplex/Messaging/Agent/Client.hs @@ -69,6 +69,7 @@ module Simplex.Messaging.Agent.Client secureGetQueueLink, getQueueLink, resolveName, + getNextNameServer, enableQueueNotifications, EnableQueueNtfReq (..), enableQueuesNtfs, @@ -268,7 +269,6 @@ import Simplex.Messaging.Protocol NetworkError (..), MsgFlags (..), MsgId, - NameOwner, NameRecord, NtfServer, NtfServerWithAuth, @@ -1997,12 +1997,23 @@ getQueueLink c nm userId server lnkId = -- resolver) and falls back to a direct send when the proxy is unavailable -- (faster but exposes the client IP). Mode selection is delegated to -- `sendOrProxySMPCommand`, which honours the network config (SPMNever etc.). -resolveName :: AgentClient -> NetworkRequestMode -> UserId -> SMPServer -> NameOwner -> Text -> AM NameRecord -resolveName c nm userId server contract name = +resolveName :: AgentClient -> NetworkRequestMode -> UserId -> SMPServer -> SimplexNameDomain -> AM NameRecord +resolveName c nm userId server domain = snd <$> sendOrProxySMPCommand c nm userId server "" "RSLV" NoEntity resolveViaProxy resolveDirectly where - resolveViaProxy smp proxySess = proxyResolveName smp nm proxySess contract name - resolveDirectly smp = directResolveName smp nm contract name + resolveViaProxy smp proxySess = proxyResolveName smp nm proxySess domain + resolveDirectly smp = directResolveName smp nm domain + +-- | Pick a names-capable server for the user (the agent owns server selection, +-- accounting for the names role). nameSrvs is opt-in (a plain list); empty means +-- no server resolves names - a declared agent error, never a fallback. +getNextNameServer :: AgentClient -> UserId -> AM SMPServer +getNextNameServer c userId = + liftIO (TM.lookupIO userId (userServers c :: TMap UserId (UserServers 'PSMP))) >>= \case + Just UserServers {nameSrvs} -> case L.nonEmpty nameSrvs of + Just srvs -> protoServer <$> pickServer srvs + Nothing -> throwE $ NAME SMP.NO_SERVERS + Nothing -> throwE $ INTERNAL "unknown userId - no user servers" enableQueueNotifications :: AgentClient -> RcvQueue -> SMP.NtfPublicAuthKey -> SMP.RcvNtfPublicDhKey -> AM (SMP.NotifierId, SMP.RcvNtfPublicDhKey) enableQueueNotifications c rq@RcvQueue {rcvId, rcvPrivateKey} notifierKey rcvNtfPublicDhKey = diff --git a/src/Simplex/Messaging/Agent/Env/SQLite.hs b/src/Simplex/Messaging/Agent/Env/SQLite.hs index 8e5bf08806..aba4a898a3 100644 --- a/src/Simplex/Messaging/Agent/Env/SQLite.hs +++ b/src/Simplex/Messaging/Agent/Env/SQLite.hs @@ -105,12 +105,13 @@ data ServerCfg p = ServerCfg data ServerRoles = ServerRoles { storage :: Bool, - proxy :: Bool + proxy :: Bool, + names :: Bool } deriving (Show) allRoles :: ServerRoles -allRoles = ServerRoles True True +allRoles = ServerRoles True True True presetServerCfg :: Bool -> ServerRoles -> Maybe OperatorId -> ProtoServerWithAuth p -> ServerCfg p presetServerCfg enabled roles operator server = @@ -119,6 +120,9 @@ presetServerCfg enabled roles operator server = data UserServers p = UserServers { storageSrvs :: NonEmpty (Maybe OperatorId, ProtoServerWithAuth p), proxySrvs :: NonEmpty (Maybe OperatorId, ProtoServerWithAuth p), + -- name resolution is opt-in: a plain list (NOT NonEmpty, no fallback-to-all). + -- Empty = no servers resolve names = a clean agent error, never falls back. + nameSrvs :: [(Maybe OperatorId, ProtoServerWithAuth p)], knownHosts :: Set TransportHost } @@ -126,9 +130,10 @@ type OperatorId = Int64 -- This function sets all servers as enabled in case all passed servers are disabled. mkUserServers :: NonEmpty (ServerCfg p) -> UserServers p -mkUserServers srvs = UserServers {storageSrvs = filterSrvs storage, proxySrvs = filterSrvs proxy, knownHosts} +mkUserServers srvs = UserServers {storageSrvs = filterSrvs storage, proxySrvs = filterSrvs proxy, nameSrvs, knownHosts} where filterSrvs role = L.map (\ServerCfg {operator, server} -> (operator, server)) $ fromMaybe srvs $ L.nonEmpty $ L.filter (\ServerCfg {enabled, roles} -> enabled && role roles) srvs + nameSrvs = map (\ServerCfg {operator, server} -> (operator, server)) $ L.filter (\ServerCfg {enabled, roles} -> enabled && names roles) srvs knownHosts = S.unions $ L.map (\ServerCfg {server = ProtoServerWithAuth srv _} -> serverHosts srv) srvs serverHosts :: ProtocolServer p -> Set TransportHost diff --git a/src/Simplex/Messaging/Agent/Protocol.hs b/src/Simplex/Messaging/Agent/Protocol.hs index 573f64ed25..803d7220f3 100644 --- a/src/Simplex/Messaging/Agent/Protocol.hs +++ b/src/Simplex/Messaging/Agent/Protocol.hs @@ -244,6 +244,7 @@ import Simplex.Messaging.Protocol ( AProtocolType, BrokerErrorType (..), ErrorType, + NameErrorType (..), MsgBody, MsgFlags, MsgId, @@ -2018,6 +2019,9 @@ data AgentErrorType XFTP {serverAddress :: String, xftpErr :: XFTPErrorType} | -- | XFTP agent errors FILE {fileErr :: FileErrorType} + | -- | name resolution agent errors (e.g. no name-resolving servers configured). + -- Server-origin name errors arrive forwarded as SMP _ (NAME ...) instead. + NAME {nameErr :: NameErrorType} | -- | SMP proxy errors PROXY {proxyServer :: String, relayServer :: String, proxyErr :: ProxyClientError} | -- | XRCP protocol errors forwarded to agent clients diff --git a/src/Simplex/Messaging/Client.hs b/src/Simplex/Messaging/Client.hs index 9fb5255537..9091db3e11 100644 --- a/src/Simplex/Messaging/Client.hs +++ b/src/Simplex/Messaging/Client.hs @@ -166,6 +166,7 @@ import Simplex.Messaging.Parsers (defaultJSON, dropPrefix, enumJSON, sumTypeJSON import Simplex.Messaging.Protocol import Simplex.Messaging.Protocol.Types import Simplex.Messaging.Server.QueueStore.QueueInfo +import Simplex.Messaging.SimplexName (SimplexNameDomain) import Simplex.Messaging.TMap (TMap) import qualified Simplex.Messaging.TMap as TM import Simplex.Messaging.Transport @@ -1050,23 +1051,30 @@ proxySMPMessage c nm proxiedRelay spKey sId flags msg = proxyOKSMPCommand c nm p -- | Resolve a public-namespace name via PFWD. Preferred path - hides the -- client IP from the resolver. Mirrors `proxySMPMessage`'s shape; routes --- through `proxySMPCommand` and pattern-matches the expected NAME response. -proxyResolveName :: SMPClient -> NetworkRequestMode -> ProxiedRelay -> NameOwner -> Text -> ExceptT SMPClientError IO (Either ProxyClientError NameRecord) -proxyResolveName c nm proxiedRelay contract name = - proxySMPCommand c nm proxiedRelay Nothing NoEntity (RSLV RslvRequest {name, contract}) >>= \case - Right (NAME nr) -> pure $ Right nr - Right r -> throwE $ unexpectedResponse r - Left e -> pure $ Left e +-- through `proxySMPCommand` and pattern-matches the expected RNAME response. +-- Version-gated on the destination relay (mirrors `connectSMPProxiedRelay`): +-- the client never sends RSLV to a relay that predates names support. +proxyResolveName :: SMPClient -> NetworkRequestMode -> ProxiedRelay -> SimplexNameDomain -> ExceptT SMPClientError IO (Either ProxyClientError NameRecord) +proxyResolveName c nm proxiedRelay name + | prVersion proxiedRelay >= namesSMPVersion = + proxySMPCommand c nm proxiedRelay Nothing NoEntity (RSLV name) >>= \case + Right (RNAME nr) -> pure $ Right nr + Right r -> throwE $ unexpectedResponse r + Left e -> pure $ Left e + | otherwise = throwE $ PCETransportError TEVersion -- | Direct (non-PFWD) name resolution. Exposes the client IP to the resolver; -- callers that want anonymity should use `proxyResolveName` via the standard -- proxy fallback in the agent. RSLV requires no entity ID or authorization --- (see `noAuthCmd` in Protocol.hs). -directResolveName :: SMPClient -> NetworkRequestMode -> NameOwner -> Text -> ExceptT SMPClientError IO NameRecord -directResolveName c nm contract name = - sendProtocolCommand c nm Nothing NoEntity (Cmd SResolver (RSLV RslvRequest {name, contract})) >>= \case - NAME nr -> pure nr - r -> throwE $ unexpectedResponse r +-- (see `noAuthCmd` in Protocol.hs). Version-gated on the session here, not the +-- encoder, so an old server never receives RSLV. +directResolveName :: SMPClient -> NetworkRequestMode -> SimplexNameDomain -> ExceptT SMPClientError IO NameRecord +directResolveName c nm name + | thVersion (thParams c) >= namesSMPVersion = + sendProtocolCommand c nm Nothing NoEntity (Cmd SResolver (RSLV name)) >>= \case + RNAME nr -> pure nr + r -> throwE $ unexpectedResponse r + | otherwise = throwE $ PCETransportError TEVersion -- | Acknowledge message delivery (server deletes the message). -- diff --git a/src/Simplex/Messaging/Names/EthAddress.hs b/src/Simplex/Messaging/Names/EthAddress.hs new file mode 100644 index 0000000000..83e8944acb --- /dev/null +++ b/src/Simplex/Messaging/Names/EthAddress.hs @@ -0,0 +1,45 @@ +{-# LANGUAGE OverloadedStrings #-} +{-# LANGUAGE StrictData #-} + +module Simplex.Messaging.Names.EthAddress + ( EthAddress, + mkEthAddress, + unEthAddress, + ) +where + +import Control.Applicative ((<|>)) +import qualified Data.Aeson as J +import qualified Data.ByteArray.Encoding as BAE +import Data.ByteString.Char8 (ByteString) +import qualified Data.ByteString.Char8 as B +import Data.Maybe (fromMaybe) +import qualified Data.Text as T +import Data.Text.Encoding (decodeLatin1, encodeUtf8) +import Simplex.Messaging.Encoding (Encoding (..)) + +-- | 20-byte Ethereum address (NameRecord owner / resolver). Bare constructor +-- not exported; use 'mkEthAddress' to enforce the 20-byte invariant. JSON form +-- is "0x"-prefixed lowercase hex (matches the resolver output). +newtype EthAddress = EthAddress {unEthAddress :: ByteString} + deriving (Eq, Show) + +mkEthAddress :: ByteString -> Either String EthAddress +mkEthAddress bs + | B.length bs == 20 = Right (EthAddress bs) + | otherwise = Left "EthAddress must be 20 bytes" + +-- Wire: length-prefixed raw bytes (via the ByteString instance); parse enforces +-- the 20-byte invariant. +instance Encoding EthAddress where + smpEncode = smpEncode . unEthAddress + smpP = smpP >>= either fail pure . mkEthAddress + +instance J.ToJSON EthAddress where + toJSON (EthAddress bs) = J.String $ "0x" <> decodeLatin1 (BAE.convertToBase BAE.Base16 bs) + +instance J.FromJSON EthAddress where + parseJSON = J.withText "EthAddress" $ \t -> do + -- Accept "0x" and "0X" prefixes (matches the server-side hex decoder). + let hex = fromMaybe t (T.stripPrefix "0x" t <|> T.stripPrefix "0X" t) + either fail pure $ BAE.convertFromBase BAE.Base16 (encodeUtf8 hex) >>= mkEthAddress diff --git a/src/Simplex/Messaging/Names/Owner.hs b/src/Simplex/Messaging/Names/Owner.hs deleted file mode 100644 index 5c5bfdd3f4..0000000000 --- a/src/Simplex/Messaging/Names/Owner.hs +++ /dev/null @@ -1,46 +0,0 @@ -{-# LANGUAGE OverloadedStrings #-} -{-# LANGUAGE StrictData #-} - -module Simplex.Messaging.Names.Owner - ( NameOwner, - mkNameOwner, - unNameOwner, - ) -where - -import Control.Applicative ((<|>)) -import qualified Data.Aeson as J -import qualified Data.ByteArray.Encoding as BAE -import Data.ByteString.Char8 (ByteString) -import qualified Data.ByteString.Char8 as B -import Data.Maybe (fromMaybe) -import qualified Data.Text as T -import Data.Text.Encoding (decodeLatin1, encodeUtf8) - --- | 20-byte Ethereum address (NameRecord owner). Bare constructor not exported; --- use `mkNameOwner` to enforce the 20-byte invariant. -newtype NameOwner = NameOwner ByteString - deriving (Eq) - --- Render the 20 raw bytes as "0x"-prefixed lowercase hex so log lines / --- traceShow output match the on-the-wire JSON form instead of Latin-1 garbage. -instance Show NameOwner where - show (NameOwner bs) = "NameOwner 0x" <> B.unpack (BAE.convertToBase BAE.Base16 bs) - -mkNameOwner :: ByteString -> Either String NameOwner -mkNameOwner bs - | B.length bs == 20 = Right (NameOwner bs) - | otherwise = Left "NameOwner must be 20 bytes" - -unNameOwner :: NameOwner -> ByteString -unNameOwner (NameOwner bs) = bs -{-# INLINE unNameOwner #-} - -instance J.ToJSON NameOwner where - toJSON (NameOwner bs) = J.String $ "0x" <> decodeLatin1 (BAE.convertToBase BAE.Base16 bs) - -instance J.FromJSON NameOwner where - parseJSON = J.withText "NameOwner" $ \t -> do - -- Accept "0x" and "0X" prefixes (matches the Server-side hex decoder). - let hex = fromMaybe t (T.stripPrefix "0x" t <|> T.stripPrefix "0X" t) - either fail pure $ BAE.convertFromBase BAE.Base16 (encodeUtf8 hex) >>= mkNameOwner diff --git a/src/Simplex/Messaging/Names/Record.hs b/src/Simplex/Messaging/Names/Record.hs index 53d27d9906..4a78b151a7 100644 --- a/src/Simplex/Messaging/Names/Record.hs +++ b/src/Simplex/Messaging/Names/Record.hs @@ -10,20 +10,19 @@ where import qualified Data.Aeson as J import qualified Data.Aeson.TH as JQ -import qualified Data.ByteString.Char8 as B import Data.Text (Text) -import Data.Text.Encoding (encodeUtf8) -import Simplex.Messaging.Names.Owner (NameOwner) +import Simplex.Messaging.Encoding (Encoding (..), smpEncodeList, smpListP) +import Simplex.Messaging.Names.EthAddress (EthAddress) import Simplex.Messaging.Parsers (defaultJSON, dropPrefix) --- | Resolved name record returned by the names role. --- Wire format is JSON — change requires an SMP version bump. --- JSON keys match the Python REST resolver (`snrc-resolve.py`). --- Text fields use the empty string as the "unset" sentinel; coin fields --- use JSON `null`. simplexContact / simplexChannel are arrays of links --- (primary first, empty array when unset) so a name can advertise fallback --- SMP servers. `owner` and `resolver` carry 20-byte addresses encoded as --- `0x`-prefixed lowercase hex (see Names.Owner). +-- | Resolved name record returned by the names role. JSON keys match the +-- resolver REST output; both FromJSON (resolver -> server) and ToJSON +-- (server diagnostics) are TH-derived from one Options value, so the Haskell +-- type IS the schema. Text fields use the empty string as the "unset" +-- sentinel; coin fields use JSON null. simplexContact / simplexChannel are +-- arrays of links (primary first, empty when unset) so a name can advertise +-- fallback SMP servers. owner / resolver carry 20-byte EthAddresses (0x hex). +-- The only size bound is the SMP transport block (enforced by the framing). data NameRecord = NameRecord { nrName :: Text, nrNickname :: Text, @@ -35,55 +34,30 @@ data NameRecord = NameRecord nrBtc :: Maybe Text, nrXmr :: Maybe Text, nrDot :: Maybe Text, - nrOwner :: NameOwner, - nrResolver :: NameOwner -- resolver address that produced the record + nrOwner :: EthAddress, + nrResolver :: EthAddress -- resolver address that produced the record } deriving (Eq, Show) --- ToJSON / toEncoding TH-derived from a single Options value so both Aeson --- paths emit byte-identical output in declaration order. omitNothingFields --- is False so absent coin fields surface as JSON `null` (matches the Python --- resolver output for unset coins). -$( JQ.deriveToJSON +-- omitNothingFields False so absent coin fields surface as JSON null (matches +-- the resolver output for unset coins). +$( JQ.deriveJSON defaultJSON {J.omitNothingFields = False, J.fieldLabelModifier = dropPrefix "nr"} ''NameRecord ) --- Each link field holds up to maxLinks entries totalling at most maxLinkBytes --- UTF-8 bytes -- the same byte budget as the former single-string field, so the --- proxied NameRecord size is unchanged. Entries are ordered primary-first. --- maxLinks matches the dApp's authoring cap (ens-app-v3 MultiUrlField --- MULTI_URL_FIELD_CAP = 5); records with more entries are non-conforming. -maxLinks :: Int -maxLinks = 5 - -maxLinkBytes :: Int -maxLinkBytes = 1024 - --- FromJSON is hand-rolled to enforce per-field UTF-8 byte-length caps that --- TH derivation cannot express. -instance J.FromJSON NameRecord where - parseJSON = J.withObject "NameRecord" $ \o -> do - nrName <- o J..: "name" >>= capUtf8 "name" 255 - nrNickname <- o J..: "nickname" >>= capUtf8 "nickname" 255 - nrWebsite <- o J..: "website" >>= capUtf8 "website" 255 - nrLocation <- o J..: "location" >>= capUtf8 "location" 255 - nrSimplexContact <- o J..: "simplexContact" >>= capLinks "simplexContact" - nrSimplexChannel <- o J..: "simplexChannel" >>= capLinks "simplexChannel" - nrEth <- o J..:? "eth" >>= traverse (capUtf8 "eth" 255) - nrBtc <- o J..:? "btc" >>= traverse (capUtf8 "btc" 255) - nrXmr <- o J..:? "xmr" >>= traverse (capUtf8 "xmr" 255) - nrDot <- o J..:? "dot" >>= traverse (capUtf8 "dot" 255) - nrOwner <- o J..: "owner" - nrResolver <- o J..: "resolver" +-- Wire encoding for the SMP NAME response: field-ordered smpEncode, not embedded +-- JSON. Field order = record declaration order. EthAddress encodes as its raw +-- 20 bytes (length-prefixed via the ByteString instance). +instance Encoding NameRecord where + smpEncode NameRecord {nrName, nrNickname, nrWebsite, nrLocation, nrSimplexContact, nrSimplexChannel, nrEth, nrBtc, nrXmr, nrDot, nrOwner, nrResolver} = + smpEncode (nrName, nrNickname, nrWebsite, nrLocation) + <> smpEncodeList nrSimplexContact + <> smpEncodeList nrSimplexChannel + <> smpEncode (nrEth, nrBtc, nrXmr, nrDot, nrOwner, nrResolver) + smpP = do + (nrName, nrNickname, nrWebsite, nrLocation) <- smpP + nrSimplexContact <- smpListP + nrSimplexChannel <- smpListP + (nrEth, nrBtc, nrXmr, nrDot, nrOwner, nrResolver) <- smpP pure NameRecord {nrName, nrNickname, nrWebsite, nrLocation, nrSimplexContact, nrSimplexChannel, nrEth, nrBtc, nrXmr, nrDot, nrOwner, nrResolver} - where - capUtf8 fld lim t - | B.length (encodeUtf8 t) <= lim = pure t - | otherwise = fail $ fld <> " exceeds " <> show lim <> " bytes UTF-8" - capLinks fld links - | length links > maxLinks = - fail $ fld <> " exceeds " <> show maxLinks <> " entries" - | sum (map (B.length . encodeUtf8) links) > maxLinkBytes = - fail $ fld <> " entries exceed " <> show maxLinkBytes <> " bytes UTF-8" - | otherwise = pure links diff --git a/src/Simplex/Messaging/Protocol.hs b/src/Simplex/Messaging/Protocol.hs index 83204ccf13..5943d2e791 100644 --- a/src/Simplex/Messaging/Protocol.hs +++ b/src/Simplex/Messaging/Protocol.hs @@ -80,6 +80,7 @@ module Simplex.Messaging.Protocol ErrorType (..), CommandError (..), ProxyError (..), + NameErrorType (..), BrokerErrorType (..), NetworkError (..), BlockingInfo (..), @@ -163,11 +164,7 @@ module Simplex.Messaging.Protocol EncTransmission (..), FwdResponse (..), FwdTransmission (..), - RslvRequest (..), NameRecord (..), - NameOwner, - mkNameOwner, - unNameOwner, MsgFlags (..), initialSMPClientVersion, currentSMPClientVersion, @@ -230,7 +227,6 @@ where import Control.Applicative (optional, (<|>)) import Control.Exception (Exception, SomeException, displayException, fromException) -import Control.Monad (when) import Control.Monad.Except import Data.Aeson (FromJSON (..), ToJSON (..)) import qualified Data.Aeson as J @@ -269,12 +265,12 @@ import Simplex.Messaging.Agent.Store.DB (Binary (..), FromField (..), ToField (. import qualified Simplex.Messaging.Crypto as C import Simplex.Messaging.Encoding import Simplex.Messaging.Encoding.String -import Simplex.Messaging.Names.Owner (NameOwner, mkNameOwner, unNameOwner) import Simplex.Messaging.Names.Record (NameRecord (..)) import Simplex.Messaging.Parsers import Simplex.Messaging.Protocol.Types import Simplex.Messaging.Server.QueueStore.QueueInfo import Simplex.Messaging.ServiceScheme +import Simplex.Messaging.SimplexName (SimplexNameDomain) import Simplex.Messaging.Transport import Simplex.Messaging.Transport.Client (TransportHost, TransportHosts (..)) import Simplex.Messaging.Util (bshow, eitherToMaybe, safeDecodeUtf8, (<$?>)) @@ -564,19 +560,6 @@ type LinkId = QueueId -- | SMP queue ID on the server. type QueueId = EntityId --- | Name resolution request. The client sends the name in canonical --- SimplexNameDomain form (TLD always explicit) as a Text plus the SNRC --- contract address it expects the server to query. The server parses the --- name into SimplexNameDomain (validating syntax) and checks the supplied --- contract against its hardcoded TLD whitelist before reading the chain — --- so a single names router can safely host multiple TLDs (each backed by --- its own SNRC contract) and reject clients that ask for the wrong one. -data RslvRequest = RslvRequest - { name :: Text, - contract :: NameOwner - } - deriving (Eq, Show) - -- | Parameterized type for SMP protocol commands from all clients. data Command (p :: Party) where -- SMP recipient commands @@ -624,8 +607,10 @@ data Command (p :: Party) where -- - entity ID: empty -- - corrId: unique correlation ID between proxy and relay, also used as a nonce to encrypt forwarded transmission RFWD :: EncFwdTransmission -> Command ProxyService -- use CorrId as CbNonce, proxy to relay - -- Name resolution: forwarded-only via PFWD. Server reads SNRC contract via Ethereum JSON-RPC. - RSLV :: RslvRequest -> Command Resolver + -- Name resolution. Preferably forwarded via PFWD (hides the client IP from + -- the resolver), but direct RSLV is also accepted. The validated name is the + -- only argument; the server resolves it via its configured resolver. + RSLV :: SimplexNameDomain -> Command Resolver deriving instance Show (Command p) @@ -734,16 +719,6 @@ instance Encoding FwdTransmission where newtype EncFwdTransmission = EncFwdTransmission ByteString deriving (Show) -instance J.ToJSON RslvRequest where - toJSON RslvRequest {name, contract} = J.object ["name" J..= name, "contract" J..= contract] - toEncoding RslvRequest {name, contract} = J.pairs ("name" J..= name <> "contract" J..= contract) - -instance J.FromJSON RslvRequest where - parseJSON = J.withObject "RslvRequest" $ \o -> do - name <- o J..: "name" - contract <- o J..: "contract" - pure RslvRequest {name, contract} - data BrokerMsg where -- SMP broker messages (responses, client messages, notifications) IDS :: QueueIdsKeys -> BrokerMsg @@ -771,8 +746,9 @@ data BrokerMsg where OK :: BrokerMsg ERR :: ErrorType -> BrokerMsg PONG :: BrokerMsg - -- Name resolution response. Returned only for forwarded RSLV. - NAME :: NameRecord -> BrokerMsg + -- Name resolution response (success), for direct or forwarded RSLV. + -- Named RNAME so the error family can use ErrorType.NAME. + RNAME :: NameRecord -> BrokerMsg deriving (Eq, Show) data RcvMessage = RcvMessage @@ -1010,7 +986,7 @@ data BrokerMsgTag | OK_ | ERR_ | PONG_ - | NAME_ + | RNAME_ deriving (Show) class ProtocolMsgTag t where @@ -1106,7 +1082,7 @@ instance Encoding BrokerMsgTag where OK_ -> "OK" ERR_ -> "ERR" PONG_ -> "PONG" - NAME_ -> "NAME" + RNAME_ -> "RNAME" smpP = messageTagP instance ProtocolMsgTag BrokerMsgTag where @@ -1129,7 +1105,7 @@ instance ProtocolMsgTag BrokerMsgTag where "OK" -> Just OK_ "ERR" -> Just ERR_ "PONG" -> Just PONG_ - "NAME" -> Just NAME_ + "RNAME" -> Just RNAME_ _ -> Nothing -- | SMP message body format @@ -1612,10 +1588,27 @@ data ErrorType EXPIRED | -- | internal server error INTERNAL + | -- | name resolution error (Resolver role) - see NameErrorType + NAME {nameErr :: NameErrorType} | -- | used internally, never returned by the server (to be removed) DUPLICATE_ -- not part of SMP protocol, used internally deriving (Eq, Show) +-- | Name resolution errors (the NAME family of ErrorType / AgentErrorType). +-- One vocabulary shared server-side and agent-side so name failures flow +-- through the single error type to chat (as ChatErrorAgent) with diagnostics, +-- mirroring ProxyError. +data NameErrorType + = -- | the names role / resolver is not configured on this server + NO_RESOLVER + | -- | the name is not registered (resolver returned not-found) + NO_NAME + | -- | no name-resolving servers configured (agent-originated only) + NO_SERVERS + | -- | backing resolver/RPC failure - carries the diagnostic detail + RESOLVER {resolverErr :: Text} + deriving (Eq, Show) + instance StrEncoding ErrorType where strEncode = \case BLOCK -> "BLOCK" @@ -1632,6 +1625,7 @@ instance StrEncoding ErrorType where LARGE_MSG -> "LARGE_MSG" EXPIRED -> "EXPIRED" INTERNAL -> "INTERNAL" + NAME e -> "NAME " <> strEncode e DUPLICATE_ -> "DUPLICATE_" strP = A.choice @@ -1639,6 +1633,7 @@ instance StrEncoding ErrorType where "SESSION" $> SESSION, "CMD " *> (CMD <$> parseRead1), "PROXY " *> (PROXY <$> strP), + "NAME " *> (NAME <$> strP), "AUTH" $> AUTH, "BLOCKED " *> strP, "SERVICE" $> SERVICE, @@ -1839,9 +1834,8 @@ instance PartyI p => ProtocolEncoding SMPVersion ErrorType (Command p) where PRXY host auth_ -> e (PRXY_, ' ', host, auth_) PFWD fwdV pubKey (EncTransmission s) -> e (PFWD_, ' ', fwdV, pubKey, Tail s) RFWD (EncFwdTransmission s) -> e (RFWD_, ' ', Tail s) - RSLV req - | v >= namesSMPVersion -> e (RSLV_, ' ', Tail (LB.toStrict (J.encode req))) - | otherwise -> e (ERR_, ' ', AUTH) -- pre-v20: shouldn't reach here, degrade to AUTH + -- Version gating is the client's job (Client.hs), not the encoder's. + RSLV d -> e (RSLV_, ' ', Tail (strEncode d)) where e :: Encoding a => a -> ByteString e = smpEncode @@ -1950,11 +1944,11 @@ instance ProtocolEncoding SMPVersion ErrorType Cmd where CT SNotifierService NSUBS_ | v >= rcvServiceSMPVersion -> Cmd SNotifierService <$> (NSUBS <$> _smpP <*> smpP) | otherwise -> pure $ Cmd SNotifierService $ NSUBS (-1) mempty - CT SResolver RSLV_ - | v >= namesSMPVersion -> do - Tail bs <- _smpP - either fail (pure . Cmd SResolver . RSLV) (J.eitherDecodeStrict bs) - | otherwise -> fail "RSLV requires namesSMPVersion" + -- Name is validated at parse (invalid syntax fails here -> CMD error), + -- so the handler only ever sees a valid SimplexNameDomain. + CT SResolver RSLV_ -> do + Tail bs <- _smpP + either fail (pure . Cmd SResolver . RSLV) (strDecode bs) fromProtocolError = fromProtocolError @SMPVersion @ErrorType @BrokerMsg {-# INLINE fromProtocolError #-} @@ -2001,9 +1995,9 @@ instance ProtocolEncoding SMPVersion ErrorType BrokerMsg where | v < clientNoticesSMPVersion -> BLOCKED info {notice = Nothing} _ -> err PONG -> e PONG_ - NAME rec - | v >= namesSMPVersion -> e (NAME_, ' ', Tail (LB.toStrict (J.encode rec))) - | otherwise -> e (ERR_, ' ', AUTH) -- pre-v20: shouldn't reach here, degrade to AUTH + -- Field-ordered Encoding NameRecord (no JSON on the wire); a response that + -- arrived is already on a supported version, so no version gate. + RNAME rec -> e (RNAME_, ' ', rec) where e :: Encoding a => a -> ByteString e = smpEncode @@ -2051,11 +2045,7 @@ instance ProtocolEncoding SMPVersion ErrorType BrokerMsg where OK_ -> pure OK ERR_ -> ERR <$> _smpP PONG_ -> pure PONG - NAME_ - | v >= namesSMPVersion -> do - Tail bs <- _smpP - either fail (pure . NAME) (J.eitherDecodeStrict bs) - | otherwise -> fail "NAME requires namesSMPVersion" + RNAME_ -> RNAME <$> _smpP where serviceRespP resp | v >= rcvServiceSMPVersion = resp <$> _smpP <*> smpP @@ -2078,7 +2068,7 @@ instance ProtocolEncoding SMPVersion ErrorType BrokerMsg where PKEY {} -> noEntityMsg RRES _ -> noEntityMsg ALLS -> noEntityMsg - NAME _ -> noEntityMsg + RNAME _ -> noEntityMsg -- other broker responses must have queue ID _ | B.null entId -> Left $ CMD NO_ENTITY @@ -2121,6 +2111,7 @@ instance Encoding ErrorType where NO_MSG -> "NO_MSG" LARGE_MSG -> "LARGE_MSG" INTERNAL -> "INTERNAL" + NAME err -> "NAME " <> smpEncode err DUPLICATE_ -> "DUPLICATE_" smpP = @@ -2139,9 +2130,28 @@ instance Encoding ErrorType where "NO_MSG" -> pure NO_MSG "LARGE_MSG" -> pure LARGE_MSG "INTERNAL" -> pure INTERNAL + "NAME" -> NAME <$> _smpP "DUPLICATE_" -> pure DUPLICATE_ _ -> fail "bad ErrorType" +instance Encoding NameErrorType where + smpEncode = \case + NO_RESOLVER -> "NO_RESOLVER" + NO_NAME -> "NO_NAME" + NO_SERVERS -> "NO_SERVERS" + RESOLVER e -> "RESOLVER " <> encodeUtf8 e + smpP = + A.takeTill (== ' ') >>= \case + "NO_RESOLVER" -> pure NO_RESOLVER + "NO_NAME" -> pure NO_NAME + "NO_SERVERS" -> pure NO_SERVERS + "RESOLVER" -> RESOLVER . safeDecodeUtf8 <$> (A.space *> A.takeByteString) + _ -> fail "bad NameErrorType" + +instance StrEncoding NameErrorType where + strEncode = smpEncode + strP = smpP + instance Encoding CommandError where smpEncode e = case e of UNKNOWN -> "UNKNOWN" @@ -2441,4 +2451,4 @@ $(J.deriveJSON (sumTypeJSON id) ''BrokerErrorType) $(J.deriveJSON defaultJSON ''BlockingInfo) -- run deriveJSON in one TH splice to allow mutual instance -$(concat <$> mapM @[] (J.deriveJSON (sumTypeJSON id)) [''ProxyError, ''ErrorType]) +$(concat <$> mapM @[] (J.deriveJSON (sumTypeJSON id)) [''ProxyError, ''NameErrorType, ''ErrorType]) diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index 4586134459..ac2633e0ad 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -32,7 +32,6 @@ module Simplex.Messaging.Server ( runSMPServer, runSMPServerBlocking, - runSMPServerBlockingWithNames, controlPortAuth, importMessages, exportMessages, @@ -109,7 +108,7 @@ import Simplex.Messaging.Server.Env.STM as Env import Simplex.Messaging.Server.Expiration import Simplex.Messaging.Server.MsgStore import Simplex.Messaging.Server.MsgStore.Journal (JournalMsgStore, JournalQueue (..), getJournalQueueMessages) -import Simplex.Messaging.Server.Names (NamesEnv, ResolveError (..), closeNamesEnv, parseName, resolveName) +import Simplex.Messaging.Server.Names (closeNamesEnv, resolveName) import Simplex.Messaging.Server.MsgStore.STM import Simplex.Messaging.Server.MsgStore.Types import Simplex.Messaging.Server.NtfStore @@ -163,13 +162,6 @@ runSMPServer cfg attachHTTP_ = do runSMPServerBlocking :: MsgStoreClass s => TMVar Bool -> ServerConfig s -> Maybe AttachHTTP -> IO () runSMPServerBlocking started cfg attachHTTP_ = newEnv cfg >>= runReaderT (smpServer started cfg attachHTTP_) --- | Test seam: run the server with a pre-built `namesEnv` (typically a stub --- backed by `newNamesEnvWith`). Production code MUST use `runSMPServerBlocking`, --- which builds `namesEnv` from `namesConfig` and probes the real RPC endpoint. -runSMPServerBlockingWithNames :: MsgStoreClass s => TMVar Bool -> ServerConfig s -> Maybe AttachHTTP -> Maybe NamesEnv -> IO () -runSMPServerBlockingWithNames started cfg attachHTTP_ namesOverride = - newEnvWithNames cfg namesOverride >>= runReaderT (smpServer started cfg attachHTTP_) - type M s a = ReaderT (Env s) IO a type AttachHTTP = Socket -> TLS.Context -> IO () @@ -670,8 +662,8 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt map tshow [_pRequests, _pSuccesses, _pErrorsConnect, _pErrorsCompat, _pErrorsOther] showServiceStats ServiceStatsData {_srvAssocNew, _srvAssocDuplicate, _srvAssocUpdated, _srvAssocRemoved, _srvSubCount, _srvSubDuplicate, _srvSubQueues, _srvSubEnd} = map tshow [_srvAssocNew, _srvAssocDuplicate, _srvAssocUpdated, _srvAssocRemoved, _srvSubCount, _srvSubDuplicate, _srvSubQueues, _srvSubEnd] - showNameResolverStats NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled, _rslvBadName} = - map tshow [_rslvReqs, _rslvSucc, _rslvNotFound, _rslvEthErrs, _rslvDisabled, _rslvBadName] + showNameResolverStats NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvResolverErrs, _rslvDisabled} = + map tshow [_rslvReqs, _rslvSucc, _rslvNotFound, _rslvResolverErrs, _rslvDisabled] prometheusMetricsThread_ :: ServerConfig s -> [M s ()] prometheusMetricsThread_ ServerConfig {prometheusInterval = Just interval, prometheusMetricsFile} = @@ -1505,21 +1497,18 @@ client SEND flags msgBody -> response <$> withQueue_ False err (sendMessage flags msgBody) Cmd SIdleClient PING -> pure $ response (corrId, NoEntity, PONG) Cmd SProxyService (RFWD encBlock) -> response . (corrId,NoEntity,) <$> processForwardedCommand encBlock - Cmd SResolver (RSLV req) -> do + Cmd SResolver (RSLV d) -> do st <- asks (rslvStats . serverStats) incStat (rslvReqs st) - -- Distinct error responses let a client iterating its servers act correctly: - -- CMD PROHIBITED - this router has no resolver (names role off): skip, try next - -- INTERNAL - resolver / backing-store failure: transient, retry or surface - -- AUTH - name not registered, or malformed name: authoritative "no such name" + -- The name is validated at command parse (invalid syntax never reaches + -- here), so the handler only maps the resolver outcome to a declared + -- error that reaches the client as ERR (NAME ...). (selector, msg) <- asks namesEnv >>= \case - Nothing -> pure (rslvDisabled, ERR $ CMD PROHIBITED) - Just nenv -> case parseName req of - Nothing -> pure (rslvBadName, ERR AUTH) - Just d -> liftIO (resolveName nenv d) <&> \case - Right rec -> (rslvSucc, NAME rec) - Left NotFound -> (rslvNotFound, ERR AUTH) - Left _ -> (rslvEthErrs, ERR INTERNAL) + Nothing -> pure (rslvDisabled, ERR $ NAME NO_RESOLVER) + Just nenv -> liftIO (resolveName nenv d) <&> \case + Right rec -> (rslvSucc, RNAME rec) + Left e@NO_NAME -> (rslvNotFound, ERR $ NAME e) + Left e -> (rslvResolverErrs, ERR $ NAME e) incStat (selector st) $> response (corrId, NoEntity, msg) Cmd SSenderLink command -> case command of LKEY k -> withQueue $ \q qr -> checkMode QMMessaging qr $ secureQueue_ q k $>> getQueueLink_ q qr diff --git a/src/Simplex/Messaging/Server/Env/STM.hs b/src/Simplex/Messaging/Server/Env/STM.hs index 835db4bd7b..2e212f05ff 100644 --- a/src/Simplex/Messaging/Server/Env/STM.hs +++ b/src/Simplex/Messaging/Server/Env/STM.hs @@ -76,7 +76,6 @@ module Simplex.Messaging.Server.Env.STM noPostgresExit, dbStoreCfg, storeLogFile', - newEnvWithNames, ) where @@ -116,7 +115,7 @@ import Simplex.Messaging.Server.Information import Simplex.Messaging.Server.MsgStore.Journal import Simplex.Messaging.Server.MsgStore.STM import Simplex.Messaging.Server.MsgStore.Types -import Simplex.Messaging.Server.Names (NamesConfig (..), NamesEnv, newNamesEnv, pingEndpoint) +import Simplex.Messaging.Server.Names (NamesConfig (..), NamesEnv, ResolverCall, newNamesEnv, newNamesEnvWith, pingEndpoint) import Simplex.Messaging.Server.Names.HttpResolver (scrubUrl) import Simplex.Messaging.Server.NtfStore import Simplex.Messaging.Server.QueueStore @@ -202,6 +201,9 @@ data ServerConfig s = ServerConfig serverClientConcurrency :: Int, -- | public-namespace resolver config; Nothing disables the names role namesConfig :: Maybe NamesConfig, + -- | test seam: inject a stub resolver call instead of the production HTTP + -- resolver + startup probe. Nothing in production (built from namesConfig). + namesResolverCall_ :: Maybe ResolverCall, -- | server public information information :: Maybe ServerPublicInfo, startOptions :: StartOptions @@ -564,14 +566,7 @@ newProhibitedSub = do return Sub {subThread = ProhibitSub, delivered} newEnv :: ServerConfig s -> IO (Env s) -newEnv cfg = newEnvWithNames cfg Nothing - --- | Test seam: build the server env, but if `namesOverride` is provided, --- use it as `namesEnv` and skip the production `newNamesEnv` / `pingEndpoint` --- path. This is the only injection point for stub `ethCall` implementations --- in functional-API tests. -newEnvWithNames :: ServerConfig s -> Maybe NamesEnv -> IO (Env s) -newEnvWithNames config@ServerConfig {allowSMPProxy, smpCredentials, httpCredentials, serverStoreCfg, smpAgentCfg, information, messageExpiration, idleQueueInterval, msgQueueQuota, maxJournalMsgCount, maxJournalStateLines, namesConfig} namesOverride = do +newEnv config@ServerConfig {allowSMPProxy, smpCredentials, httpCredentials, serverStoreCfg, smpAgentCfg, information, messageExpiration, idleQueueInterval, msgQueueQuota, maxJournalMsgCount, maxJournalStateLines, namesConfig, namesResolverCall_} = do serverActive <- newTVarIO True server <- newServer msgStore_ <- case serverStoreCfg of @@ -616,11 +611,12 @@ newEnvWithNames config@ServerConfig {allowSMPProxy, smpCredentials, httpCredenti sockets <- newTVarIO [] clientSeq <- newTVarIO 0 proxyAgent <- newSMPProxyAgent smpAgentCfg random - namesEnv <- case namesOverride of - Just env -> pure (Just env) - Nothing -> case namesConfig of - Nothing -> pure Nothing - Just nc -> do + namesEnv <- case namesConfig of + Nothing -> pure Nothing + Just nc -> case namesResolverCall_ of + -- test seam: stub resolver, no real HTTP env or startup probe + Just call -> Just <$> newNamesEnvWith nc call Nothing + Nothing -> do logInfo $ "[NAMES] resolver enabled, endpoint=" <> scrubUrl (resolverEndpoint nc) when allowSMPProxy $ logWarn "[NAMES] enable: on on a proxy-role host: slow RSLV calls can serialise other forwarded commands on the same proxy-relay session. For high-volume deployments, run [NAMES] on a separate host." @@ -630,7 +626,7 @@ newEnvWithNames config@ServerConfig {allowSMPProxy, smpCredentials, httpCredenti -- should not block the server. Log so operators can spot it. pingEndpoint env >>= \case Right _ -> logInfo "[NAMES] endpoint probe ok" - Left e -> logWarn $ "[NAMES] endpoint probe failed (server will still start, RSLV will return ERR AUTH until reachable): " <> tshow e + Left e -> logWarn $ "[NAMES] endpoint probe failed (server will still start, RSLV will return ERR (NAME ...) until reachable): " <> tshow e pure (Just env) pure Env diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index a60599e67d..4842b3c106 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -612,6 +612,7 @@ smpServerCLI_ generateSite serveStaticFiles attachStaticFiles cfgPath logPath = allowSMPProxy = True, serverClientConcurrency = readIniDefault defaultProxyClientConcurrency "PROXY" "client_concurrency" ini, namesConfig = readNamesConfig ini, + namesResolverCall_ = Nothing, -- production builds the resolver from namesConfig information = serverPublicInfo ini, startOptions } @@ -814,7 +815,12 @@ readNamesConfig ini { resolverEndpoint = either (error . ("[NAMES] resolver_endpoint: " <>)) id (validateUrl endpoint resolverAuth_), resolverAuth = resolverAuth_, resolverTimeoutMs = boundedIniInt 3000 100 60000 "resolver_timeout_ms", - resolverMaxResponseBytes = boundedIniInt 65536 1024 16777216 "resolver_max_response_bytes" + -- ceiling = SMP transport budget: the NAME response is one SMP + -- transmission (proxied: padded to paddedProxiedTLength = 16226), + -- and the smpEncoded NameRecord is <= its JSON body, so capping + -- the body here guarantees the response always frames. An + -- over-cap body fails as BodyTooLarge -> ERR (NAME (RESOLVER ..)). + resolverMaxResponseBytes = boundedIniInt 16000 1024 16000 "resolver_max_response_bytes" } where enabled = fromMaybe False (iniOnOff "NAMES" "enable" ini) @@ -823,9 +829,9 @@ readNamesConfig ini lookupValue "NAMES" key ini -- Lower bound rejects values that would time-out every RSLV immediately -- (timeout = 0) or accept zero-length responses (max_response_bytes = 0). - -- The upper bounds defend against operator-misconfig footguns: 16 MiB - -- response cap (worst-case per-call memory), 60 s timeout (no operator - -- wants RSLV to hang longer). + -- The upper bounds defend against operator-misconfig footguns: the response + -- cap is the SMP transport budget (see resolverMaxResponseBytes above), and + -- 60 s is the max RSLV timeout no operator wants exceeded. boundedIniInt def floor_ ceiling_ key = case lookupValue "NAMES" key ini of Left _ -> def Right raw -> case readMaybe (T.unpack (T.strip raw)) of diff --git a/src/Simplex/Messaging/Server/Names.hs b/src/Simplex/Messaging/Server/Names.hs index c2e17369f1..bb55f92d75 100644 --- a/src/Simplex/Messaging/Server/Names.hs +++ b/src/Simplex/Messaging/Server/Names.hs @@ -7,10 +7,11 @@ -- | Public-namespace resolver. Each RSLV becomes one HTTP GET to the -- configured names resolver service (the Python REST resolver in PR #1795 -- by default), bounded by resolverTimeoutMs and the maximum response size. --- The resolver_endpoint URL is operator-supplied; the contract field on the --- RSLV wire format is parsed for forward-compatibility but ignored — the --- Python service is the source of truth for which on-chain registries are --- queried per TLD. +-- The resolver_endpoint URL is operator-supplied; the resolver service is the +-- source of truth for which on-chain registries are queried per TLD. +-- +-- Resolver outcomes map to the protocol's `NameErrorType` so failures reach the +-- client (as `ERR (NAME ...)` -> ChatErrorAgent) instead of being swallowed. -- -- HTTP details (URL building, redirects disabled, body cap, auth header) -- live in Names.HttpResolver. @@ -20,13 +21,11 @@ module Simplex.Messaging.Server.Names NamesEnv (..), ResolverCall, ResolverCallKind (..), - ResolveError (..), newNamesEnv, newNamesEnvWith, closeNamesEnv, pingEndpoint, resolveName, - parseName, ) where @@ -36,9 +35,7 @@ import qualified Data.Aeson as J import qualified Data.Aeson.Types as JT import Data.Text (Text) import qualified Data.Text as T -import Data.Text.Encoding (encodeUtf8) -import Simplex.Messaging.Encoding.String (strDecode) -import Simplex.Messaging.Protocol (NameRecord, RslvRequest (..)) +import Simplex.Messaging.Protocol (NameErrorType (..), NameRecord) import Simplex.Messaging.Server.Names.HttpResolver ( ResolverEnv, ResolverError (..), @@ -59,13 +56,6 @@ data NamesConfig = NamesConfig } deriving (Show) -data ResolveError - = NotFound -- name not registered, unknown TLD, or malformed name (404 / 400) - | ResolverError -- upstream RPC failure (502) or transport error - | ResolverDecodeErr -- response was not a valid NameRecord JSON - | TimedOut - deriving (Eq, Show) - -- | Test seam: a function from URL path -> JSON value or error. Production -- wires this to resolveHttp / healthHttp on a real `ResolverEnv`; tests -- substitute a stub returning canned JSON or a chosen error. @@ -104,14 +94,6 @@ newNamesEnvWith config resolverCall resolverEnv = pure NamesEnv {config, resolve closeNamesEnv :: NamesEnv -> IO () closeNamesEnv NamesEnv {resolverEnv} = mapM_ closeResolverEnv resolverEnv --- | Parse the client-supplied name. The wire-format `contract` field is --- parsed by the protocol layer but ignored here: the resolver service --- selects which registry to query based on the TLD. Returns the parsed --- domain, or `Nothing` if the name is not a valid SimplexNameDomain (the --- handler maps `Nothing` to `ERR AUTH` and increments `rslvBadName`). -parseName :: RslvRequest -> Maybe SimplexNameDomain -parseName RslvRequest {name} = either (const Nothing) Just $ strDecode (encodeUtf8 name) - -- | Reach the configured resolver with `GET /health` to confirm reachability -- at server startup. A non-2xx response or transport failure surfaces as -- Left so misconfigured deployments fail loudly. Bounded by @@ -128,35 +110,35 @@ pingEndpoint NamesEnv {resolverCall, config} = do -- | Resolve a parsed domain via the configured HTTP resolver, with an -- `resolverTimeoutMs` ceiling. Synchronous exceptions are caught and -- logged; async exceptions propagate. -resolveName :: NamesEnv -> SimplexNameDomain -> IO (Either ResolveError NameRecord) +resolveName :: NamesEnv -> SimplexNameDomain -> IO (Either NameErrorType NameRecord) resolveName env d = do r <- E.try (timeout (resolverTimeoutMs (config env) * 1000) (fetch env d)) case r of - Right result -> pure (maybe (Left TimedOut) id result) + Right result -> pure (maybe (Left (RESOLVER "timeout")) id result) Left e | Just (_ :: E.SomeAsyncException) <- E.fromException e -> E.throwIO e | otherwise -> do logError $ "[NAMES] resolver fetch raised " <> T.pack (E.displayException e) - pure (Left ResolverError) + pure (Left (RESOLVER "resolver error")) -fetch :: NamesEnv -> SimplexNameDomain -> IO (Either ResolveError NameRecord) +fetch :: NamesEnv -> SimplexNameDomain -> IO (Either NameErrorType NameRecord) fetch NamesEnv {resolverCall} d = resolverCall (ResolverFetch (fullDomainName d)) >>= \case Left e -> pure (Left (mapResolverError e)) Right v -> case JT.parseEither J.parseJSON v of Right nr -> pure (Right nr) - Left _ -> pure (Left ResolverDecodeErr) - --- | Collapse the HTTP-layer error space into the resolver's public error --- space. 404 / 400 both map to NotFound (name not registered, unknown TLD, --- or malformed name — indistinguishable from the client's point of view). --- Everything else collapses to ResolverError; the response body is not --- inspected because adversarial endpoints could embed arbitrary content. -mapResolverError :: ResolverError -> ResolveError + Left _ -> pure (Left (RESOLVER "invalid response")) + +-- | Map the HTTP-layer error space into the protocol NameErrorType. 404 / 400 +-- both map to NO_NAME (name not registered, unknown TLD, or malformed name — +-- indistinguishable from the client's point of view). Everything else is a +-- backend failure surfaced as RESOLVER with a SAFE server-generated diagnostic +-- (kind only - the adversarial response body is never echoed). +mapResolverError :: ResolverError -> NameErrorType mapResolverError = \case - HttpStatusErr 404 -> NotFound - HttpStatusErr 400 -> NotFound - HttpStatusErr _ -> ResolverError - HttpFailure _ -> ResolverError - BodyTooLarge -> ResolverError - InvalidJson _ -> ResolverDecodeErr + HttpStatusErr 404 -> NO_NAME + HttpStatusErr 400 -> NO_NAME + HttpStatusErr code -> RESOLVER ("HTTP " <> T.pack (show code)) + HttpFailure _ -> RESOLVER "transport failure" + BodyTooLarge -> RESOLVER "response too large" + InvalidJson _ -> RESOLVER "invalid response" diff --git a/src/Simplex/Messaging/Server/Prometheus.hs b/src/Simplex/Messaging/Server/Prometheus.hs index 3367873538..575f699c6e 100644 --- a/src/Simplex/Messaging/Server/Prometheus.hs +++ b/src/Simplex/Messaging/Server/Prometheus.hs @@ -461,7 +461,7 @@ prometheusMetrics sm rtm ts = \simplex_smp_" <> pfx <> "_services_sub_fewer_total " <> mshow (_srvSubFewerTotal ss) <> "\n# " <> pfx <> ".srvSubFewerTotal\n\ \\n" names = - let NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled} = _rslvStats + let NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvResolverErrs, _rslvDisabled} = _rslvStats in "# Names\n\ \# -----\n\ \\n\ @@ -473,19 +473,15 @@ prometheusMetrics sm rtm ts = \# TYPE simplex_smp_names_success counter\n\ \simplex_smp_names_success " <> mshow _rslvSucc <> "\n# rslvSucc\n\ \\n\ - \# HELP simplex_smp_names_not_found Lookup key has no corresponding NameRecord on chain (zero-owner sentinel).\n\ + \# HELP simplex_smp_names_not_found Name not registered (resolver returned 404 / 400).\n\ \# TYPE simplex_smp_names_not_found counter\n\ \simplex_smp_names_not_found " <> mshow _rslvNotFound <> "\n# rslvNotFound\n\ \\n\ - \# HELP simplex_smp_names_bad_name Client sent malformed domain, TLD outside whitelist, or wrong contract address.\n\ - \# TYPE simplex_smp_names_bad_name counter\n\ - \simplex_smp_names_bad_name " <> mshow _rslvBadName <> "\n# rslvBadName\n\ + \# HELP simplex_smp_names_resolver_errs Resolver backend errors (HTTP 5xx, transport, decode, or timeout).\n\ + \# TYPE simplex_smp_names_resolver_errs counter\n\ + \simplex_smp_names_resolver_errs " <> mshow _rslvResolverErrs <> "\n# rslvResolverErrs\n\ \\n\ - \# HELP simplex_smp_names_eth_errs Ethereum endpoint or ABI errors.\n\ - \# TYPE simplex_smp_names_eth_errs counter\n\ - \simplex_smp_names_eth_errs " <> mshow _rslvEthErrs <> "\n# rslvEthErrs\n\ - \\n\ - \# HELP simplex_smp_names_disabled RSLV requests rejected because the names role is disabled.\n\ + \# HELP simplex_smp_names_disabled RSLV requests rejected because no resolver is configured (names role off).\n\ \# TYPE simplex_smp_names_disabled counter\n\ \simplex_smp_names_disabled " <> mshow _rslvDisabled <> "\n# rslvDisabled\n\ \\n" diff --git a/src/Simplex/Messaging/Server/Stats.hs b/src/Simplex/Messaging/Server/Stats.hs index b7dd239eb2..f6583f6875 100644 --- a/src/Simplex/Messaging/Server/Stats.hs +++ b/src/Simplex/Messaging/Server/Stats.hs @@ -893,8 +893,7 @@ data NameResolverStats = NameResolverStats { rslvReqs :: IORef Int, rslvSucc :: IORef Int, rslvNotFound :: IORef Int, - rslvBadName :: IORef Int, - rslvEthErrs :: IORef Int, + rslvResolverErrs :: IORef Int, rslvDisabled :: IORef Int } @@ -903,17 +902,15 @@ newNameResolverStats = do rslvReqs <- newIORef 0 rslvSucc <- newIORef 0 rslvNotFound <- newIORef 0 - rslvBadName <- newIORef 0 - rslvEthErrs <- newIORef 0 + rslvResolverErrs <- newIORef 0 rslvDisabled <- newIORef 0 - pure NameResolverStats {rslvReqs, rslvSucc, rslvNotFound, rslvBadName, rslvEthErrs, rslvDisabled} + pure NameResolverStats {rslvReqs, rslvSucc, rslvNotFound, rslvResolverErrs, rslvDisabled} data NameResolverStatsData = NameResolverStatsData { _rslvReqs :: Int, _rslvSucc :: Int, _rslvNotFound :: Int, - _rslvBadName :: Int, - _rslvEthErrs :: Int, + _rslvResolverErrs :: Int, _rslvDisabled :: Int } deriving (Show) @@ -924,8 +921,7 @@ newNameResolverStatsData = { _rslvReqs = 0, _rslvSucc = 0, _rslvNotFound = 0, - _rslvBadName = 0, - _rslvEthErrs = 0, + _rslvResolverErrs = 0, _rslvDisabled = 0 } @@ -934,20 +930,18 @@ getNameResolverStatsData s = do _rslvReqs <- readIORef $ rslvReqs s _rslvSucc <- readIORef $ rslvSucc s _rslvNotFound <- readIORef $ rslvNotFound s - _rslvBadName <- readIORef $ rslvBadName s - _rslvEthErrs <- readIORef $ rslvEthErrs s + _rslvResolverErrs <- readIORef $ rslvResolverErrs s _rslvDisabled <- readIORef $ rslvDisabled s - pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled} + pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvResolverErrs, _rslvDisabled} getResetNameResolverStatsData :: NameResolverStats -> IO NameResolverStatsData getResetNameResolverStatsData s = do _rslvReqs <- atomicSwapIORef (rslvReqs s) 0 _rslvSucc <- atomicSwapIORef (rslvSucc s) 0 _rslvNotFound <- atomicSwapIORef (rslvNotFound s) 0 - _rslvBadName <- atomicSwapIORef (rslvBadName s) 0 - _rslvEthErrs <- atomicSwapIORef (rslvEthErrs s) 0 + _rslvResolverErrs <- atomicSwapIORef (rslvResolverErrs s) 0 _rslvDisabled <- atomicSwapIORef (rslvDisabled s) 0 - pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled} + pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvResolverErrs, _rslvDisabled} -- not thread safe; used on server start only setNameResolverStats :: NameResolverStats -> NameResolverStatsData -> IO () @@ -955,33 +949,28 @@ setNameResolverStats s d = do writeIORef (rslvReqs s) $! _rslvReqs d writeIORef (rslvSucc s) $! _rslvSucc d writeIORef (rslvNotFound s) $! _rslvNotFound d - writeIORef (rslvBadName s) $! _rslvBadName d - writeIORef (rslvEthErrs s) $! _rslvEthErrs d + writeIORef (rslvResolverErrs s) $! _rslvResolverErrs d writeIORef (rslvDisabled s) $! _rslvDisabled d instance StrEncoding NameResolverStatsData where - strEncode NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled} = + strEncode NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvResolverErrs, _rslvDisabled} = "reqs=" <> strEncode _rslvReqs <> "\nsucc=" <> strEncode _rslvSucc <> "\nnotFound=" <> strEncode _rslvNotFound - <> "\nethErrs=" - <> strEncode _rslvEthErrs + <> "\nresolverErrs=" + <> strEncode _rslvResolverErrs <> "\ndisabled=" <> strEncode _rslvDisabled - <> "\nbadName=" - <> strEncode _rslvBadName strP = do _rslvReqs <- "reqs=" *> strP <* A.endOfLine _rslvSucc <- "succ=" *> strP <* A.endOfLine _rslvNotFound <- "notFound=" *> strP <* A.endOfLine - _rslvEthErrs <- "ethErrs=" *> strP <* A.endOfLine + _rslvResolverErrs <- "resolverErrs=" *> strP <* A.endOfLine _rslvDisabled <- "disabled=" *> strP - -- badName= was added after the initial release; old stats files may omit it. - _rslvBadName <- (A.endOfLine *> "badName=" *> strP) <|> pure 0 - pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvBadName, _rslvEthErrs, _rslvDisabled} + pure NameResolverStatsData {_rslvReqs, _rslvSucc, _rslvNotFound, _rslvResolverErrs, _rslvDisabled} data ServiceStats = ServiceStats { srvAssocNew :: IORef Int, diff --git a/tests/AgentTests/ResolveNameTests.hs b/tests/AgentTests/ResolveNameTests.hs index 193b4e3fab..88c20696da 100644 --- a/tests/AgentTests/ResolveNameTests.hs +++ b/tests/AgentTests/ResolveNameTests.hs @@ -12,10 +12,11 @@ -- | End-to-end tests for `Simplex.Messaging.Agent.resolveSimplexName`. -- --- Exercises the agent layer (real `AgentClient`) against an SMP server --- whose `NamesEnv` is a stub `ResolverCall` — same pattern as `RSLVTests` --- but going through `sendOrProxySMPCommand` so we cover the agent-side --- direct/proxy selection and the agent's error mapping. +-- Exercises the agent layer (real `AgentClient`) against an SMP server with a +-- stub `ResolverCall` (set via `ServerConfig.namesResolverCall_`). The agent +-- owns server selection: it picks a names-capable server (ServerRoles.names) +-- from the user's nameSrvs, so the proxy test gives ONLY the resolver server +-- the names role (deterministic selection) and the proxy server the proxy role. module AgentTests.ResolveNameTests (resolveNameTests) where import AgentTests.FunctionalAPITests (withAgent) @@ -27,20 +28,14 @@ import SMPClient import SMPNamesTests (sampleRecord, sampleRecordJSON) import Simplex.Messaging.Agent (resolveSimplexName) import Simplex.Messaging.Agent.Client (AgentClient) -import Simplex.Messaging.Agent.Env.SQLite (InitialAgentServers (..)) +import Simplex.Messaging.Agent.Env.SQLite (InitialAgentServers (..), ServerCfg, ServerRoles (..), presetServerCfg) import Simplex.Messaging.Agent.Protocol (AgentErrorType (..)) import Simplex.Messaging.Client (SMPProxyFallback (..), SMPProxyMode (..), pattern NRMInteractive) -import Simplex.Messaging.Protocol (pattern SMPServer) +import Simplex.Messaging.Protocol (SMPServer) import qualified Simplex.Messaging.Protocol as SMP import Simplex.Messaging.Server.Env.STM (AStoreType (..), ServerConfig (..), ServerStoreCfg (..), StorePaths (..)) import Simplex.Messaging.Server.MsgStore.Types (SMSType (..), SQSType (..)) -import Simplex.Messaging.Server.Names - ( NamesConfig (..), - NamesEnv, - ResolverCall, - ResolverCallKind (..), - newNamesEnvWith, - ) +import Simplex.Messaging.Server.Names (NamesConfig (..), ResolverCall, ResolverCallKind (..)) import Simplex.Messaging.Server.Names.HttpResolver (ResolverError (..)) import Simplex.Messaging.SimplexName (SimplexNameDomain (..), SimplexTLD (..)) import Simplex.Messaging.Transport @@ -56,8 +51,7 @@ stubNamesConfig = resolverMaxResponseBytes = 65536 } --- | 404 stub: the resolver returns "not registered". Server maps to ERR --- AUTH; agent surfaces as SMP host AUTH. +-- | 404 stub: resolver returns "not registered". Server -> ERR (NAME NO_NAME). stubResolverNotFound :: ResolverCall stubResolverNotFound = \case ResolverFetch _ -> pure (Left (HttpStatusErr 404)) @@ -69,21 +63,15 @@ stubResolverSuccess = \case ResolverFetch _ -> pure (Right sampleRecordJSON) ResolverHealth -> pure (Right (J.object [])) --- | 502 stub: the backing resolver fails (upstream RPC error). Server maps to --- ERR INTERNAL; agent surfaces as SMP host INTERNAL (transient, not "not found"). +-- | 502 stub: backing resolver fails. Server -> ERR (NAME (RESOLVER "HTTP 502")). stubResolverError :: ResolverCall stubResolverError = \case ResolverFetch _ -> pure (Left (HttpStatusErr 502)) ResolverHealth -> pure (Right (J.object [])) -mkNotFoundNamesEnv :: IO NamesEnv -mkNotFoundNamesEnv = newNamesEnvWith stubNamesConfig stubResolverNotFound Nothing - -mkSuccessNamesEnv :: IO NamesEnv -mkSuccessNamesEnv = newNamesEnvWith stubNamesConfig stubResolverSuccess Nothing - -mkErrorNamesEnv :: IO NamesEnv -mkErrorNamesEnv = newNamesEnvWith stubNamesConfig stubResolverError Nothing +-- | Enable names on a server config with a stub resolver (no real HTTP/probe). +withNames :: ResolverCall -> AServerConfig -> AServerConfig +withNames stub c = updateCfg c $ \cfg_ -> cfg_ {namesConfig = Just stubNamesConfig, namesResolverCall_ = Just stub} memCfg :: AServerConfig memCfg = cfgMS (ASType SQSMemory SMSMemory) @@ -100,34 +88,44 @@ memCfg2 = case memCfg of SSCMemory _ -> SSCMemory (Just StorePaths {storeLogFile = testStoreLogFile2, storeMsgsFile = Just testStoreMsgsFile2}) other -> other -withDirectResolver :: NamesEnv -> (AgentClient -> IO a) -> IO a -withDirectResolver nenv k = - withSmpServerConfigOnWithNames (transport @TLS) memCfg testPort nenv $ \_ -> - withAgent 1 agentCfg directServers testDB k - where - directServers = (initAgentServersProxy_ SPMNever SPFProhibit) {smp = userServers [testSMPServer]} +-- per-server roles: only the resolver server carries the names role +nameSrvCfg :: SMPServer -> ServerCfg 'SMP.PSMP +nameSrvCfg = presetServerCfg True ServerRoles {storage = True, proxy = False, names = True} (Just 1) . SMP.noAuthSrv + +proxySrvCfg :: SMPServer -> ServerCfg 'SMP.PSMP +proxySrvCfg = presetServerCfg True ServerRoles {storage = True, proxy = True, names = False} (Just 1) . SMP.noAuthSrv + +-- single-server (operator 1) agent config, direct (no proxy) +oneSrv :: ServerCfg 'SMP.PSMP -> InitialAgentServers +oneSrv cfg_ = (initAgentServersProxy_ SPMNever SPFProhibit) {smp = [(1, [cfg_])]} -withProxyAndResolver :: NamesEnv -> (AgentClient -> IO a) -> IO a -withProxyAndResolver nenv k = +withDirectResolver :: ResolverCall -> (AgentClient -> IO a) -> IO a +withDirectResolver stub k = + withSmpServerConfigOn (transport @TLS) (withNames stub memCfg) testPort $ \_ -> + withAgent 1 agentCfg (oneSrv (nameSrvCfg testSMPServer)) testDB k + +withProxyAndResolver :: ResolverCall -> (AgentClient -> IO a) -> IO a +withProxyAndResolver stub k = withSmpServerConfigOn (transport @TLS) memProxyCfg testPort $ \_ -> - withSmpServerConfigOnWithNames (transport @TLS) memCfg2 testPort2 nenv $ \_ -> + withSmpServerConfigOn (transport @TLS) (withNames stub memCfg2) testPort2 $ \_ -> withAgent 1 agentCfg proxyServers testDB k where - proxyServers = (initAgentServersProxy_ SPMAlways SPFProhibit) {smp = userServers [testSMPServer, testSMPServer2]} + -- only testSMPServer2 (the resolver) has the names role; testSMPServer is the proxy + proxyServers = (initAgentServersProxy_ SPMAlways SPFProhibit) {smp = [(1, [proxySrvCfg testSMPServer, nameSrvCfg testSMPServer2])]} --- | A direct SMP server with NO names role configured (namesEnv = Nothing). +-- | A direct SMP server with NO names role configured (namesEnv = Nothing): the +-- agent still picks it (client-side names role) and the server answers +-- NAME NO_RESOLVER. withNoResolver :: (AgentClient -> IO a) -> IO a withNoResolver k = withSmpServerConfigOn (transport @TLS) memCfg testPort $ \_ -> - withAgent 1 agentCfg directServers testDB k - where - directServers = (initAgentServersProxy_ SPMNever SPFProhibit) {smp = userServers [testSMPServer]} - -directResolverSrv :: SMP.SMPServer -directResolverSrv = SMPServer testHost testPort testKeyHash + withAgent 1 agentCfg (oneSrv (nameSrvCfg testSMPServer)) testDB k -proxiedResolverSrv :: SMP.SMPServer -proxiedResolverSrv = SMPServer testHost2 testPort2 testKeyHash +-- | An agent whose one server has the names role OFF (proxySrvCfg): nameSrvs is +-- empty, but the user exists, so resolution fails agent-side in getNextNameServer +-- with NO_SERVERS (not the unknown-user INTERNAL path) - no server is contacted. +withNoNameServers :: (AgentClient -> IO a) -> IO a +withNoNameServers k = withAgent 1 agentCfg (oneSrv (proxySrvCfg testSMPServer)) testDB k -- --------------------------------------------------------------------------- -- Spec @@ -137,17 +135,19 @@ resolveNameTests :: Spec resolveNameTests = do describe "Agent resolveSimplexName" $ do describe "direct path (SPMNever)" $ - it "AUTH propagates as SMP host AUTH (resolver 404 -> NotFound)" testDirectAuth + it "404 propagates as SMP host (NAME NO_NAME)" testDirectNotFound describe "proxy path (SPMAlways)" $ - it "AUTH from resolver propagates via proxy as SMP AUTH" testProxyAuth + it "404 from resolver propagates via proxy as SMP (NAME NO_NAME)" testProxyNotFound describe "TLDTesting path" $ - it "AUTH (resolver 404 -> NotFound) for TLDTesting too" testTestingTldAuth + it "NAME NO_NAME for TLDTesting too" testTestingTldNotFound describe "TLDWeb path" $ - it "AUTH (resolver 404 -> NotFound) for TLDWeb too" testWebTldAuth + it "NAME NO_NAME for TLDWeb too" testWebTldNotFound describe "no resolver configured" $ - it "answers CMD PROHIBITED so the client skips this server" testNoResolverProhibited + it "answers NAME NO_RESOLVER" testNoResolver + describe "no names servers (names role off everywhere)" $ + it "fails agent-side with NAME NO_SERVERS" testNoNameServers describe "backing resolver failure" $ - it "surfaces as SMP host INTERNAL (transient, not not-found)" testBackendErrorInternal + it "surfaces as SMP host (NAME (RESOLVER ..))" testBackendError describe "success path" $ it "returns NameRecord" testDirectSuccess @@ -155,98 +155,72 @@ resolveNameTests = do -- Tests -- --------------------------------------------------------------------------- --- | Direct path: agent with SPMNever sends RSLV without PFWD; resolver --- replies 404 (not found); server returns ERR AUTH; agent maps to --- `SMP host AUTH`. -testDirectAuth :: HasCallStack => IO () -testDirectAuth = do - nenv <- mkNotFoundNamesEnv - withDirectResolver nenv $ \c -> do - r <- runExceptT $ resolveSimplexName c NRMInteractive 1 directResolverSrv simplexDomain +testDirectNotFound :: HasCallStack => IO () +testDirectNotFound = + withDirectResolver stubResolverNotFound $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDSimplex "alice" []) case r of - Left (SMP _ SMP.AUTH) -> pure () - _ -> expectationFailure $ "expected Left (SMP _ AUTH), got: " <> show r - where - simplexDomain = SimplexNameDomain TLDSimplex "alice" [] - --- | Proxy path: relay-level protocol errors are reported transparently as --- SMP errors with the proxy host (see Client.hs:1178 "transparent for --- AUTH/QUOTA"). -testProxyAuth :: HasCallStack => IO () -testProxyAuth = do - nenv <- mkNotFoundNamesEnv - withProxyAndResolver nenv $ \c -> do - r <- runExceptT $ resolveSimplexName c NRMInteractive 1 proxiedResolverSrv simplexDomain + Left (SMP _ (SMP.NAME SMP.NO_NAME)) -> pure () + _ -> expectationFailure $ "expected Left (SMP _ (NAME NO_NAME)), got: " <> show r + +testProxyNotFound :: HasCallStack => IO () +testProxyNotFound = + withProxyAndResolver stubResolverNotFound $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDSimplex "alice" []) case r of - Left (SMP host SMP.AUTH) | testPort `isInfixOf` host -> pure () - _ -> expectationFailure $ "expected Left (SMP testPort <> "> AUTH), got: " <> show r - where - simplexDomain = SimplexNameDomain TLDSimplex "alice" [] - --- | TLDTesting routes through the same code path as TLDSimplex (the contract --- field is ignored server-side; the resolver decides which registry to query). -testTestingTldAuth :: HasCallStack => IO () -testTestingTldAuth = do - nenv <- mkNotFoundNamesEnv - withDirectResolver nenv $ \c -> do - r <- runExceptT $ resolveSimplexName c NRMInteractive 1 directResolverSrv testingDomain + Left (SMP host (SMP.NAME SMP.NO_NAME)) | testPort `isInfixOf` host -> pure () + _ -> expectationFailure $ "expected Left (SMP testPort <> "> (NAME NO_NAME)), got: " <> show r + +testTestingTldNotFound :: HasCallStack => IO () +testTestingTldNotFound = + withDirectResolver stubResolverNotFound $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDTesting "bob" []) case r of - Left (SMP _ SMP.AUTH) -> pure () - _ -> expectationFailure $ "expected Left (SMP _ AUTH), got: " <> show r - where - testingDomain = SimplexNameDomain TLDTesting "bob" [] - --- | TLDWeb is no longer a TLDContract-gated short-circuit on the agent side; --- the agent forwards the request to the server, which forwards to the --- resolver, which decides (per its configured TLDs) whether to honour the --- lookup. The stub here returns 404 for every fetch, so we get AUTH. -testWebTldAuth :: HasCallStack => IO () -testWebTldAuth = do - nenv <- mkNotFoundNamesEnv - withDirectResolver nenv $ \c -> do - r <- runExceptT $ resolveSimplexName c NRMInteractive 1 directResolverSrv webDomain + Left (SMP _ (SMP.NAME SMP.NO_NAME)) -> pure () + _ -> expectationFailure $ "expected Left (SMP _ (NAME NO_NAME)), got: " <> show r + +testWebTldNotFound :: HasCallStack => IO () +testWebTldNotFound = + withDirectResolver stubResolverNotFound $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDWeb "example.com" []) case r of - Left (SMP _ SMP.AUTH) -> pure () - _ -> expectationFailure $ "expected Left (SMP _ AUTH), got: " <> show r - where - webDomain = SimplexNameDomain TLDWeb "example.com" [] + Left (SMP _ (SMP.NAME SMP.NO_NAME)) -> pure () + _ -> expectationFailure $ "expected Left (SMP _ (NAME NO_NAME)), got: " <> show r --- | A router with no resolver configured (namesEnv = Nothing) answers --- CMD PROHIBITED, so a client iterating its servers skips it and tries the --- next rather than treating the response as an authoritative "not found". -testNoResolverProhibited :: HasCallStack => IO () -testNoResolverProhibited = +-- | A router with the names role but no resolver configured answers +-- NAME NO_RESOLVER (distinct from NO_NAME / NO_SERVERS). +testNoResolver :: HasCallStack => IO () +testNoResolver = withNoResolver $ \c -> do - r <- runExceptT $ resolveSimplexName c NRMInteractive 1 directResolverSrv simplexDomain + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDSimplex "alice" []) case r of - Left (SMP _ (SMP.CMD SMP.PROHIBITED)) -> pure () - _ -> expectationFailure $ "expected Left (SMP _ (CMD PROHIBITED)), got: " <> show r - where - simplexDomain = SimplexNameDomain TLDSimplex "alice" [] - --- | A backing-resolver failure (502 upstream) surfaces as SMP host INTERNAL - --- a transient error the client surfaces / retries, distinct from AUTH which --- would (incorrectly) read as "name not registered". -testBackendErrorInternal :: HasCallStack => IO () -testBackendErrorInternal = do - nenv <- mkErrorNamesEnv - withDirectResolver nenv $ \c -> do - r <- runExceptT $ resolveSimplexName c NRMInteractive 1 directResolverSrv simplexDomain + Left (SMP _ (SMP.NAME SMP.NO_RESOLVER)) -> pure () + _ -> expectationFailure $ "expected Left (SMP _ (NAME NO_RESOLVER)), got: " <> show r + +-- | With no names-role servers, resolution fails agent-side (no server is +-- contacted) with the agent-origin AgentErrorType.NAME NO_SERVERS. +testNoNameServers :: HasCallStack => IO () +testNoNameServers = + withNoNameServers $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDSimplex "alice" []) case r of - Left (SMP _ SMP.INTERNAL) -> pure () - _ -> expectationFailure $ "expected Left (SMP _ INTERNAL), got: " <> show r - where - simplexDomain = SimplexNameDomain TLDSimplex "alice" [] + Left (NAME SMP.NO_SERVERS) -> pure () + _ -> expectationFailure $ "expected Left (NAME NO_SERVERS), got: " <> show r + +-- | A backing-resolver failure (502) surfaces as SMP host (NAME (RESOLVER ..)) - +-- a transient error distinct from NO_NAME ("name not registered"). +testBackendError :: HasCallStack => IO () +testBackendError = + withDirectResolver stubResolverError $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDSimplex "alice" []) + case r of + Left (SMP _ (SMP.NAME (SMP.RESOLVER _))) -> pure () + _ -> expectationFailure $ "expected Left (SMP _ (NAME (RESOLVER ..))), got: " <> show r --- | Success path: stub returns a real NameRecord. The agent surfaces it --- verbatim. testDirectSuccess :: HasCallStack => IO () -testDirectSuccess = do - nenv <- mkSuccessNamesEnv - withDirectResolver nenv $ \c -> do - r <- runExceptT $ resolveSimplexName c NRMInteractive 1 directResolverSrv simplexDomain +testDirectSuccess = + withDirectResolver stubResolverSuccess $ \c -> do + r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDSimplex "alice" []) case r of Right nr -> nr `shouldBe` sampleRecord _ -> expectationFailure $ "expected Right NameRecord, got: " <> show r - where - simplexDomain = SimplexNameDomain TLDSimplex "alice" [] diff --git a/tests/AgentTests/ServerChoice.hs b/tests/AgentTests/ServerChoice.hs index 8412c6761a..01ceeff16a 100644 --- a/tests/AgentTests/ServerChoice.hs +++ b/tests/AgentTests/ServerChoice.hs @@ -52,10 +52,10 @@ testSMPServers = ] storageOnly :: ServerRoles -storageOnly = ServerRoles {storage = True, proxy = False} +storageOnly = ServerRoles {storage = True, proxy = False, names = False} proxyOnly :: ServerRoles -proxyOnly = ServerRoles {storage = False, proxy = True} +proxyOnly = ServerRoles {storage = False, proxy = True, names = False} initServers :: InitialAgentServers initServers = diff --git a/tests/RSLVTests.hs b/tests/RSLVTests.hs index f6ada606d2..b2776aa8c6 100644 --- a/tests/RSLVTests.hs +++ b/tests/RSLVTests.hs @@ -11,14 +11,14 @@ -- | Functional-API tests for the public-namespace resolver (RSLV). -- --- Mocks the resolver at the `resolverCall` layer using `newNamesEnvWith`. +-- Mocks the resolver at the `resolverCall` layer: tests set a stub via +-- `ServerConfig.namesResolverCall_` (no real HTTP, no startup probe). -- Tests: --- * direct RSLV is accepted (not `CMD PROHIBITED`) --- * `ERR AUTH` for malformed names (parseName layer) --- * `ERR AUTH` for backend `NotFound` (404 / 400 from the HTTP resolver) --- * `ERR AUTH` for backend transport errors (HTTP 502 or transport failure) --- * `ERR AUTH` when the server has no `namesEnv` (rslvDisabled) --- * `NAME` returned when the resolver returns a valid JSON record +-- * direct RSLV reaches the resolver (not `CMD PROHIBITED`) +-- * `ERR (NAME NO_NAME)` for backend not-found (404 / 400) +-- * `ERR (NAME (RESOLVER ..))` for backend transport errors (HTTP 502) +-- * `ERR (NAME NO_RESOLVER)` when the server has no `namesEnv` (names off) +-- * `RNAME` returned when the resolver returns a valid JSON record -- * the same paths via PFWD round-trip (proxy + resolver wiring works) module RSLVTests (rslvTests) where @@ -26,10 +26,13 @@ import Control.Monad.Trans.Except (ExceptT, runExceptT) import qualified Data.Aeson as J import qualified Data.ByteString.Char8 as B import Data.List.NonEmpty (NonEmpty (..)) +import Data.Text (Text) +import Data.Text.Encoding (encodeUtf8) import Data.Time.Clock (getCurrentTime) import SMPClient import Simplex.Messaging.Client import qualified Simplex.Messaging.Crypto as C +import Simplex.Messaging.Encoding.String (strDecode) import SMPNamesTests (sampleRecord, sampleRecordJSON) import Simplex.Messaging.Protocol ( BrokerMsg (..), @@ -37,13 +40,11 @@ import Simplex.Messaging.Protocol Command (..), CorrId (..), ErrorType (..), - NameOwner, - RslvRequest (..), + NameErrorType (..), SParty (..), Transmission, TransmissionForAuth (..), encodeTransmissionForAuth, - mkNameOwner, pattern SMPServer, tGetClient, tPut, @@ -53,12 +54,11 @@ import Simplex.Messaging.Server.Env.STM (AStoreType (..), ServerConfig (..), Ser import Simplex.Messaging.Server.MsgStore.Types (SMSType (..), SQSType (..)) import Simplex.Messaging.Server.Names ( NamesConfig (..), - NamesEnv, ResolverCall, ResolverCallKind (..), - newNamesEnvWith, ) import Simplex.Messaging.Server.Names.HttpResolver (ResolverError (..)) +import Simplex.Messaging.SimplexName (SimplexNameDomain) import Simplex.Messaging.Transport import Simplex.Messaging.Version (mkVersionRange) import Test.Hspec hiding (fit, it) @@ -68,13 +68,11 @@ import Util (it) -- Fixtures -- --------------------------------------------------------------------------- -unsafeOwner :: B.ByteString -> NameOwner -unsafeOwner = either error id . mkNameOwner - --- A placeholder contract used in RslvRequest. The server ignores the --- contract field, so the value doesn't affect behaviour. -placeholderContract :: NameOwner -placeholderContract = unsafeOwner (B.replicate 20 '\NUL') +-- | Build a validated SimplexNameDomain from a name string (the RSLV command +-- only carries a parsed domain; invalid names cannot be constructed here - +-- that rejection is tested at the SimplexName parse level). +domain :: Text -> SimplexNameDomain +domain = either error id . strDecode . encodeUtf8 stubNamesConfig :: NamesConfig stubNamesConfig = @@ -85,14 +83,14 @@ stubNamesConfig = resolverMaxResponseBytes = 65536 } --- | Default stub: the resolver replies 404. Server maps to NotFound -> AUTH. +-- | Default stub: the resolver replies 404. Server maps to NAME NO_NAME. stubResolverNotFound :: ResolverCall stubResolverNotFound = \case ResolverFetch _ -> pure (Left (HttpStatusErr 404)) ResolverHealth -> pure (Right (J.object [])) --- | Stub that returns a 502 upstream-RPC failure on resolve. Server maps to --- ResolverError -> ERR AUTH via `rslvEthErrs`. +-- | Stub that returns a 502 upstream failure on resolve. Server maps to +-- NAME (RESOLVER "HTTP 502"). stubResolverHttpErr :: ResolverCall stubResolverHttpErr = \case ResolverFetch _ -> pure (Left (HttpStatusErr 502)) @@ -104,9 +102,6 @@ stubResolverSuccess = \case ResolverFetch _ -> pure (Right sampleRecordJSON) ResolverHealth -> pure (Right (J.object [])) -mkNamesEnv :: ResolverCall -> IO NamesEnv -mkNamesEnv stub = newNamesEnvWith stubNamesConfig stub Nothing - memCfg :: AServerConfig memCfg = cfgMS (ASType SQSMemory SMSMemory) @@ -122,18 +117,21 @@ memCfg2 = case memCfg of SSCMemory _ -> SSCMemory (Just StorePaths {storeLogFile = testStoreLogFile2, storeMsgsFile = Just testStoreMsgsFile2}) other -> other -withResolverServer :: NamesEnv -> IO a -> IO a -withResolverServer nenv = - withSmpServerConfigOnWithNames (transport @TLS) memCfg testPort nenv . const +-- | Enable names on a config with a stub resolver (no real HTTP, no probe). +withNames :: ResolverCall -> AServerConfig -> AServerConfig +withNames stub c = updateCfg c $ \cfg_ -> cfg_ {namesConfig = Just stubNamesConfig, namesResolverCall_ = Just stub} -withProxyAndResolver :: NamesEnv -> IO a -> IO a -withProxyAndResolver nenv runTest = +withResolverServer :: ResolverCall -> IO a -> IO a +withResolverServer stub = withSmpServerConfigOn (transport @TLS) (withNames stub memCfg) testPort . const + +withProxyAndResolver :: ResolverCall -> IO a -> IO a +withProxyAndResolver stub runTest = withSmpServerConfigOn (transport @TLS) memProxyCfg testPort $ \_ -> - withSmpServerConfigOnWithNames (transport @TLS) memCfg2 testPort2 nenv (const runTest) + withSmpServerConfigOn (transport @TLS) (withNames stub memCfg2) testPort2 (const runTest) -sendRslv :: Transport c => THandleSMP c 'TClient -> B.ByteString -> RslvRequest -> IO (Transmission (Either ErrorType BrokerMsg)) -sendRslv h@THandle {params} corrId req = do - let TransmissionForAuth {tToSend} = encodeTransmissionForAuth params (CorrId corrId, NoEntity, Cmd SResolver (RSLV req)) +sendRslv :: Transport c => THandleSMP c 'TClient -> B.ByteString -> SimplexNameDomain -> IO (Transmission (Either ErrorType BrokerMsg)) +sendRslv h@THandle {params} corrId d = do + let TransmissionForAuth {tToSend} = encodeTransmissionForAuth params (CorrId corrId, NoEntity, Cmd SResolver (RSLV d)) [Right ()] <- tPut h (Right (Nothing, tToSend) :| []) r :| _ <- tGetClient h pure r @@ -145,60 +143,39 @@ sendRslv h@THandle {params} corrId req = do rslvTests :: Spec rslvTests = do describe "RSLV direct (non-forwarded)" $ do - it "server accepts RSLV without PFWD (not CMD PROHIBITED)" testRslvDirectAccepted - it "AUTH when name is malformed (bare label, no TLD)" testRslvBadName - it "AUTH when resolver replies 404 (not registered)" testRslvBackendNotFound - it "AUTH when resolver replies 502 (upstream failure)" testRslvBackendHttpErr - it "AUTH when server has no names config (namesEnv = Nothing)" testRslvDisabled + it "resolver replies 404 -> NAME NO_NAME (reached, not CMD PROHIBITED)" testRslvBackendNotFound + it "resolver replies 502 -> NAME (RESOLVER ..)" testRslvBackendHttpErr + it "no names config -> NAME NO_RESOLVER" testRslvDisabled describe "RSLV forwarded (PFWD)" $ do - it "PFWD-wrapped RSLV reaches resolver via proxy (PCEProtocolError AUTH)" testRslvForwarded - describe "RSLV success path (NAME response)" $ do - it "returns NAME with NameRecord" testRslvSuccess - -testRslvDirectAccepted :: IO () -testRslvDirectAccepted = do - nenv <- mkNamesEnv stubResolverNotFound - withResolverServer nenv $ - testSMPClient @TLS $ \h -> do - (corrId, _entId, resp) <- sendRslv h "rs01" RslvRequest {name = "alice.simplex", contract = placeholderContract} - corrId `shouldBe` CorrId "rs01" - resp `shouldBe` Right (ERR AUTH) - -testRslvBadName :: IO () -testRslvBadName = do - nenv <- mkNamesEnv stubResolverNotFound - withResolverServer nenv $ - testSMPClient @TLS $ \h -> do - (_, _, resp) <- sendRslv h "rs02" RslvRequest {name = "alice", contract = placeholderContract} - resp `shouldBe` Right (ERR AUTH) + it "PFWD-wrapped RSLV reaches resolver via proxy (PCEProtocolError (NAME NO_NAME))" testRslvForwarded + describe "RSLV success path (RNAME response)" $ do + it "returns RNAME with NameRecord" testRslvSuccess testRslvBackendNotFound :: IO () -testRslvBackendNotFound = do - nenv <- mkNamesEnv stubResolverNotFound - withResolverServer nenv $ +testRslvBackendNotFound = + withResolverServer stubResolverNotFound $ testSMPClient @TLS $ \h -> do - (_, _, resp) <- sendRslv h "rs04" RslvRequest {name = "ghost.simplex", contract = placeholderContract} - resp `shouldBe` Right (ERR AUTH) + (corrId, _entId, resp) <- sendRslv h "rs01" (domain "ghost.simplex") + corrId `shouldBe` CorrId "rs01" + resp `shouldBe` Right (ERR (NAME NO_NAME)) testRslvBackendHttpErr :: IO () -testRslvBackendHttpErr = do - nenv <- mkNamesEnv stubResolverHttpErr - withResolverServer nenv $ +testRslvBackendHttpErr = + withResolverServer stubResolverHttpErr $ testSMPClient @TLS $ \h -> do - (_, _, resp) <- sendRslv h "rs05" RslvRequest {name = "alice.simplex", contract = placeholderContract} - resp `shouldBe` Right (ERR AUTH) + (_, _, resp) <- sendRslv h "rs05" (domain "alice.simplex") + resp `shouldBe` Right (ERR (NAME (RESOLVER "HTTP 502"))) testRslvDisabled :: IO () testRslvDisabled = withSmpServerConfigOn (transport @TLS) memCfg testPort $ const $ testSMPClient @TLS $ \h -> do - (_, _, resp) <- sendRslv h "rs06" RslvRequest {name = "alice.simplex", contract = placeholderContract} - resp `shouldBe` Right (ERR AUTH) + (_, _, resp) <- sendRslv h "rs06" (domain "alice.simplex") + resp `shouldBe` Right (ERR (NAME NO_RESOLVER)) testRslvForwarded :: IO () -testRslvForwarded = do - nenv <- mkNamesEnv stubResolverNotFound - withProxyAndResolver nenv $ do +testRslvForwarded = + withProxyAndResolver stubResolverNotFound $ do g <- C.newRandom ts <- getCurrentTime let proxyServ = SMPServer testHost testPort testKeyHash @@ -207,21 +184,20 @@ testRslvForwarded = do pcE <- getProtocolClient g NRMInteractive (1, proxyServ, Nothing) cfg' [] Nothing ts (\_ -> pure ()) pc <- either (fail . show) pure pcE sess <- runExceptT' (connectSMPProxiedRelay pc NRMInteractive relayServ Nothing) - r <- runExceptT (proxyResolveName pc NRMInteractive sess placeholderContract "alice.simplex") + r <- runExceptT (proxyResolveName pc NRMInteractive sess (domain "alice.simplex")) case r of - Left (PCEProtocolError SMP.AUTH) -> pure () - _ -> expectationFailure $ "expected Left (PCEProtocolError AUTH), got: " <> show r + Left (PCEProtocolError (SMP.NAME SMP.NO_NAME)) -> pure () + _ -> expectationFailure $ "expected Left (PCEProtocolError (NAME NO_NAME)), got: " <> show r testRslvSuccess :: IO () -testRslvSuccess = do - nenv <- mkNamesEnv stubResolverSuccess - withResolverServer nenv $ +testRslvSuccess = + withResolverServer stubResolverSuccess $ testSMPClient @TLS $ \h -> do - (corrId, _entId, resp) <- sendRslv h "rs07" RslvRequest {name = "alice.simplex", contract = placeholderContract} + (corrId, _entId, resp) <- sendRslv h "rs07" (domain "alice.simplex") corrId `shouldBe` CorrId "rs07" case resp of - Right (NAME nr) -> nr `shouldBe` sampleRecord - _ -> expectationFailure $ "expected Right (NAME ..), got: " <> show resp + Right (RNAME nr) -> nr `shouldBe` sampleRecord + _ -> expectationFailure $ "expected Right (RNAME ..), got: " <> show resp runExceptT' :: Show e => ExceptT e IO a -> IO a runExceptT' a = runExceptT a >>= either (fail . show) pure diff --git a/tests/SMPAgentClient.hs b/tests/SMPAgentClient.hs index 41aab20399..7f3ebb14d7 100644 --- a/tests/SMPAgentClient.hs +++ b/tests/SMPAgentClient.hs @@ -116,7 +116,7 @@ userServers :: NonEmpty (ProtocolServer p) -> Map UserId (NonEmpty (ServerCfg p) userServers = userServers' . L.map noAuthSrv userServers' :: NonEmpty (ProtoServerWithAuth p) -> Map UserId (NonEmpty (ServerCfg p)) -userServers' srvs = M.fromList [(1, L.map (presetServerCfg True (ServerRoles True True) (Just 1)) srvs)] +userServers' srvs = M.fromList [(1, L.map (presetServerCfg True (ServerRoles True True True) (Just 1)) srvs)] noAuthSrvCfg :: ProtocolServer p -> ServerCfg p -noAuthSrvCfg = presetServerCfg True (ServerRoles True True) (Just 1) . noAuthSrv +noAuthSrvCfg = presetServerCfg True (ServerRoles True True True) (Just 1) . noAuthSrv diff --git a/tests/SMPClient.hs b/tests/SMPClient.hs index 3f6386921d..bf4dcd45b1 100644 --- a/tests/SMPClient.hs +++ b/tests/SMPClient.hs @@ -30,8 +30,7 @@ import Simplex.Messaging.Client.Agent (SMPClientAgentConfig (..), defaultSMPClie import qualified Simplex.Messaging.Crypto as C import Simplex.Messaging.Encoding import Simplex.Messaging.Protocol -import Simplex.Messaging.Server (runSMPServerBlocking, runSMPServerBlockingWithNames) -import Simplex.Messaging.Server.Names (NamesEnv) +import Simplex.Messaging.Server (runSMPServerBlocking) import Simplex.Messaging.Server.Env.STM import Simplex.Messaging.Server.MsgStore.Types (MsgStoreClass (..), SMSType (..), SQSType (..)) import Simplex.Messaging.Server.QueueStore.Postgres.Config (PostgresStoreCfg (..)) @@ -280,6 +279,7 @@ cfgMS msType = withStoreCfg (testServerStoreConfig msType) $ \serverStoreCfg -> allowSMPProxy = False, serverClientConcurrency = 2, namesConfig = Nothing, + namesResolverCall_ = Nothing, information = Nothing, startOptions = defaultStartOptions } @@ -364,16 +364,6 @@ withSmpServerConfigOn t (ASrvCfg _ _ cfg') port' = (\started -> runSMPServerBlocking started cfg' {transports = [(port', t, False)]} Nothing) (threadDelay 10000) --- | Variant of `withSmpServerConfigOn` for RSLV functional tests: passes a --- pre-built `NamesEnv` (typically with a stub `ethCall`) so the server does --- not contact the real Ethereum RPC. Skips the production `pingEndpoint` --- probe. -withSmpServerConfigOnWithNames :: HasCallStack => ASrvTransport -> AServerConfig -> ServiceName -> NamesEnv -> (HasCallStack => ThreadId -> IO a) -> IO a -withSmpServerConfigOnWithNames t (ASrvCfg _ _ cfg') port' nenv = - serverBracket - (\started -> runSMPServerBlockingWithNames started cfg' {transports = [(port', t, False)]} Nothing (Just nenv)) - (threadDelay 10000) - withSmpServerThreadOn :: HasCallStack => (ASrvTransport, AStoreType) -> ServiceName -> (HasCallStack => ThreadId -> IO a) -> IO a withSmpServerThreadOn (t, msType) = withSmpServerConfigOn t (cfgMS msType) diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index 91b30a0945..0b3cfac5e8 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -12,15 +12,17 @@ import Data.Either (isLeft, isRight) import Data.IORef (atomicModifyIORef', newIORef, readIORef) import Data.List (sort) import qualified Data.Text as T -import Simplex.Messaging.Protocol (NameOwner, NameRecord (..), RslvRequest (..), mkNameOwner, unNameOwner) +import Data.Text.Encoding (encodeUtf8) +import Simplex.Messaging.Encoding (smpDecode, smpEncode) +import Simplex.Messaging.Encoding.String (strDecode) +import Simplex.Messaging.Names.EthAddress (EthAddress, mkEthAddress, unEthAddress) +import Simplex.Messaging.Protocol (ErrorType (..), NameErrorType (..), NameRecord (..)) import Simplex.Messaging.Server.Main (validateUrl) import Simplex.Messaging.Server.Names ( NamesConfig (..), - ResolveError (..), ResolverCallKind (..), RpcAuth (..), newNamesEnvWith, - parseName, pingEndpoint, resolveName, ) @@ -31,15 +33,11 @@ import Test.Hspec twentyOnes :: B.ByteString twentyOnes = B.replicate 20 '\x01' -unsafeOwner :: B.ByteString -> NameOwner -unsafeOwner = either error id . mkNameOwner +unsafeAddr :: B.ByteString -> EthAddress +unsafeAddr = either error id . mkEthAddress -addr1 :: NameOwner -addr1 = unsafeOwner twentyOnes - --- | Sample record matching the Python resolver JSON shape (PR #1795). --- Text fields use the empty string as the "unset" sentinel; coin fields --- use Nothing -> JSON null. +-- | Sample record matching the resolver JSON shape. Text fields use the empty +-- string as the "unset" sentinel; coin fields use Nothing -> JSON null. sampleRecord :: NameRecord sampleRecord = NameRecord @@ -53,8 +51,8 @@ sampleRecord = nrBtc = Nothing, nrXmr = Nothing, nrDot = Nothing, - nrOwner = unsafeOwner twentyOnes, - nrResolver = unsafeOwner (B.replicate 20 '\x02') + nrOwner = unsafeAddr twentyOnes, + nrResolver = unsafeAddr (B.replicate 20 '\x02') } -- | JSON value canned by the resolver-stub for the "success" tests. @@ -72,9 +70,10 @@ testNamesConfig = smpNamesTests :: Spec smpNamesTests = do - describe "NameRecord encoding (Protocol)" nameRecordEncodingSpec - describe "Smart constructors (NameOwner)" smartCtorsSpec - describe "RSLV request parsing" parseNameSpec + describe "NameRecord JSON (Protocol)" nameRecordEncodingSpec + describe "Wire encoding (smpEncode)" wireEncodingSpec + describe "Smart constructors (EthAddress)" smartCtorsSpec + describe "Name parsing (SimplexNameDomain)" parseNameSpec describe "HTTP resolver" resolverSpec describe "Resolver health probe" healthSpec describe "resolver_endpoint validation" validateUrlSpec @@ -84,7 +83,7 @@ nameRecordEncodingSpec = do it "round-trips JSON encode / decode" $ J.eitherDecodeStrict (LB.toStrict (J.encode sampleRecord)) `shouldBe` Right sampleRecord - it "emits keys in spec-documented order (Python resolver shape)" $ do + it "emits keys in spec-documented order (resolver shape)" $ do let bytes = LB.toStrict (J.encode sampleRecord) offset k = B.length (fst (B.breakSubstring k bytes)) offsets = @@ -116,96 +115,86 @@ nameRecordEncodingSpec = do B.isInfixOf "\"simplexChannel\":[]" bytes `shouldBe` True B.isInfixOf "\"simplexChannel\":null" bytes `shouldBe` False - it "rejects nrName > 255 bytes UTF-8" $ do - let oversize = sampleRecord {nrName = T.replicate 256 "x"} - bytes = LB.toStrict (J.encode oversize) - (J.eitherDecodeStrict bytes :: Either String NameRecord) `shouldSatisfy` isLeft - - it "rejects simplexContact entries > 1024 bytes UTF-8 combined" $ do - let oversize = sampleRecord {nrSimplexContact = [T.replicate 1025 "x"]} - bytes = LB.toStrict (J.encode oversize) - (J.eitherDecodeStrict bytes :: Either String NameRecord) `shouldSatisfy` isLeft - - it "rejects simplexContact with more than 5 entries" $ do - let oversize = sampleRecord {nrSimplexContact = replicate 6 "simplex:/contact/x#y"} - bytes = LB.toStrict (J.encode oversize) - (J.eitherDecodeStrict bytes :: Either String NameRecord) `shouldSatisfy` isLeft - - it "FromJSON NameOwner accepts both 0x and 0X prefixes" $ do + it "FromJSON EthAddress accepts both 0x and 0X prefixes" $ do let json p = "\"" <> p <> "0101010101010101010101010101010101010101\"" - (J.eitherDecodeStrict (json "0x") :: Either String NameOwner) `shouldSatisfy` isRight - (J.eitherDecodeStrict (json "0X") :: Either String NameOwner) `shouldSatisfy` isRight + (J.eitherDecodeStrict (json "0x") :: Either String EthAddress) `shouldSatisfy` isRight + (J.eitherDecodeStrict (json "0X") :: Either String EthAddress) `shouldSatisfy` isRight it "owner / resolver are emitted as lowercase hex" $ do - -- The Python resolver returns lowercase hex; encoded form must match. - let mixedCase = unsafeOwner (B.pack ['\xde', '\xad', '\xbe', '\xef'] <> B.replicate 16 '\x00') + -- The resolver returns lowercase hex; encoded form must match. + let mixedCase = unsafeAddr (B.pack ['\xde', '\xad', '\xbe', '\xef'] <> B.replicate 16 '\x00') bytes = LB.toStrict (J.encode sampleRecord {nrOwner = mixedCase, nrResolver = mixedCase}) B.isInfixOf "0xdeadbeef" bytes `shouldBe` True B.isInfixOf "0xDEADBEEF" bytes `shouldBe` False - it "encodes within the proxied transmission budget" $ do - let wide = +-- The RNAME response and ERR (NAME ...) travel as field-ordered smpEncode on +-- the wire (no JSON), so round-trip the new Encoding instances directly. +wireEncodingSpec :: Spec +wireEncodingSpec = do + it "NameRecord round-trips smpEncode / smpDecode" $ + smpDecode (smpEncode sampleRecord) `shouldBe` Right sampleRecord + + it "NameRecord round-trips with multiple links and unset coins" $ do + let r = sampleRecord - { nrName = T.replicate 255 "n", - nrNickname = T.replicate 255 "k", - nrWebsite = T.replicate 255 "w", - nrLocation = T.replicate 255 "l", - nrSimplexContact = [T.replicate 1024 "x"], - nrSimplexChannel = [T.replicate 1024 "y"], - nrEth = Just (T.replicate 255 "e"), - nrBtc = Just (T.replicate 255 "b"), - nrXmr = Just (T.replicate 255 "m"), - nrDot = Just (T.replicate 255 "d") + { nrSimplexContact = ["simplex:/contact/a#1", "simplex:/contact/b#2"], + nrSimplexChannel = [], + nrEth = Nothing, + nrBtc = Nothing } - LB.length (J.encode wide) < 16224 `shouldBe` True + smpDecode (smpEncode r) `shouldBe` Right r + + it "ErrorType NAME family round-trips smpEncode / smpDecode" $ do + smpDecode (smpEncode (NAME NO_RESOLVER)) `shouldBe` Right (NAME NO_RESOLVER) + smpDecode (smpEncode (NAME NO_NAME)) `shouldBe` Right (NAME NO_NAME) + -- RESOLVER detail may contain spaces - must survive the round-trip + smpDecode (smpEncode (NAME (RESOLVER "HTTP 502"))) `shouldBe` Right (NAME (RESOLVER "HTTP 502")) smartCtorsSpec :: Spec smartCtorsSpec = do - it "mkNameOwner accepts exactly 20 bytes" $ do - mkNameOwner twentyOnes `shouldSatisfy` isRight - mkNameOwner (B.replicate 19 '\x01') `shouldSatisfy` isLeft - mkNameOwner (B.replicate 21 '\x01') `shouldSatisfy` isLeft - - it "unNameOwner round-trips mkNameOwner" $ - case mkNameOwner twentyOnes of - Right o -> unNameOwner o `shouldBe` twentyOnes - Left e -> expectationFailure ("mkNameOwner failed: " <> e) - + it "mkEthAddress accepts exactly 20 bytes" $ do + mkEthAddress twentyOnes `shouldSatisfy` isRight + mkEthAddress (B.replicate 19 '\x01') `shouldSatisfy` isLeft + mkEthAddress (B.replicate 21 '\x01') `shouldSatisfy` isLeft + + it "unEthAddress round-trips mkEthAddress" $ + case mkEthAddress twentyOnes of + Right o -> unEthAddress o `shouldBe` twentyOnes + Left e -> expectationFailure ("mkEthAddress failed: " <> e) + +-- The RSLV command carries a parsed SimplexNameDomain, so name validation +-- happens at parse (StrEncoding). These exercise that validation directly. parseNameSpec :: Spec parseNameSpec = do - it "accepts a valid simplex-TLD name" $ do - let req = req' "privacy.simplex" - case parseName req of - Just d -> do + it "accepts a valid simplex-TLD name" $ + case parseN "privacy.simplex" of + Right d -> do nameTLD d `shouldBe` TLDSimplex domain d `shouldBe` "privacy" - Nothing -> expectationFailure "expected Just" + Left e -> expectationFailure ("expected Right, got Left " <> e) - it "normalises case across labels (Alice.SIMPLEX = alice.simplex)" $ do - let dL = parseName (req' "alice.simplex") - dM = parseName (req' "Alice.SIMPLEX") - dL `shouldBe` dM + it "normalises case across labels (Alice.SIMPLEX = alice.simplex)" $ + parseN "alice.simplex" `shouldBe` parseN "Alice.SIMPLEX" - it "accepts a testing-TLD name" $ do - case parseName (req' "bob.testing") of - Just d -> nameTLD d `shouldBe` TLDTesting - Nothing -> expectationFailure "expected Just" + it "accepts a testing-TLD name" $ + case parseN "bob.testing" of + Right d -> nameTLD d `shouldBe` TLDTesting + Left e -> expectationFailure ("expected Right, got Left " <> e) it "accepts a TLDWeb name (server forwards to resolver, which will likely 404/400)" $ - parseName (req' "example.com") `shouldSatisfy` \case - Just _ -> True - Nothing -> False + parseN "example.com" `shouldSatisfy` isRight it "rejects a bare (no-TLD) name" $ - parseName (req' "privacy") `shouldBe` Nothing + parseN "privacy" `shouldSatisfy` isLeft it "rejects non-ASCII labels (homograph attacks)" $ - parseName (req' "\1072lice.simplex") `shouldBe` Nothing + parseN "\1072lice.simplex" `shouldSatisfy` isLeft it "rejects oversized inputs (>253 bytes)" $ - parseName (req' (T.replicate 254 "a" <> ".simplex")) `shouldBe` Nothing + parseN (T.replicate 254 "a" <> ".simplex") `shouldSatisfy` isLeft where - req' n = RslvRequest {name = n, contract = addr1} + parseN :: T.Text -> Either String SimplexNameDomain + parseN = strDecode . encodeUtf8 resolverSpec :: Spec resolverSpec = do @@ -217,33 +206,29 @@ resolverSpec = do r <- resolveName env aliceDomain r `shouldBe` Right sampleRecord - it "returns NotFound on 404" $ do + it "returns NO_NAME on 404" $ do env <- mkEnv (\_ -> pure (Left (HttpStatusErr 404))) - resolveName env aliceDomain `shouldReturn` Left NotFound + resolveName env aliceDomain `shouldReturn` Left NO_NAME - it "returns NotFound on 400 (unknown TLD)" $ do + it "returns NO_NAME on 400 (unknown TLD)" $ do env <- mkEnv (\_ -> pure (Left (HttpStatusErr 400))) - resolveName env aliceDomain `shouldReturn` Left NotFound + resolveName env aliceDomain `shouldReturn` Left NO_NAME - it "returns ResolverError on 502 (upstream RPC failure)" $ do + it "returns RESOLVER on 502 (upstream failure)" $ do env <- mkEnv (\_ -> pure (Left (HttpStatusErr 502))) - resolveName env aliceDomain `shouldReturn` Left ResolverError - - it "returns ResolverError on 5xx other than 502" $ do - env <- mkEnv (\_ -> pure (Left (HttpStatusErr 500))) - resolveName env aliceDomain `shouldReturn` Left ResolverError + resolveName env aliceDomain `shouldReturn` Left (RESOLVER "HTTP 502") - it "returns ResolverError on transport-layer body-too-large" $ do + it "returns RESOLVER on transport-layer body-too-large" $ do env <- mkEnv (\_ -> pure (Left BodyTooLarge)) - resolveName env aliceDomain `shouldReturn` Left ResolverError + resolveName env aliceDomain `shouldReturn` Left (RESOLVER "response too large") - it "returns ResolverDecodeErr on malformed JSON from the resolver" $ do + it "returns RESOLVER on malformed JSON from the resolver" $ do env <- mkEnv (\_ -> pure (Left (InvalidJson "expected object"))) - resolveName env aliceDomain `shouldReturn` Left ResolverDecodeErr + resolveName env aliceDomain `shouldReturn` Left (RESOLVER "invalid response") - it "returns ResolverDecodeErr when JSON parses but isn't a NameRecord shape" $ do + it "returns RESOLVER when JSON parses but isn't a NameRecord shape" $ do env <- mkEnv (\_ -> pure (Right (J.object []))) - resolveName env aliceDomain `shouldReturn` Left ResolverDecodeErr + resolveName env aliceDomain `shouldReturn` Left (RESOLVER "invalid response") it "sends one HTTP request per lookup (no cache)" $ do callCount <- newIORef (0 :: Int) From ce69adfdb2902e7005d71b05a0f41143d5632ec9 Mon Sep 17 00:00:00 2001 From: sh Date: Sat, 13 Jun 2026 07:14:51 +0000 Subject: [PATCH 22/33] test(server): update stats backup line count NameResolverStatsData adds 6 lines to the server stats backup (the "rslvStats:" header plus the reqs/succ/notFound/resolverErrs/disabled fields), so testRestoreMessages' expected stats-backup line count is 95 -> 101. --- tests/ServerTests.hs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/ServerTests.hs b/tests/ServerTests.hs index 7f342f6ae3..a418cd01dd 100644 --- a/tests/ServerTests.hs +++ b/tests/ServerTests.hs @@ -1100,7 +1100,7 @@ testRestoreMessages = pure () rId <- readTVarIO recipientId logSize testStoreLogFile `shouldReturn` 2 - logSize testServerStatsBackupFile `shouldReturn` 95 + logSize testServerStatsBackupFile `shouldReturn` 101 Right stats1 <- strDecode <$> B.readFile testServerStatsBackupFile checkStats stats1 [rId] 5 1 withSmpServerConfigOn at cfg' testPort . runTest t $ \h -> do @@ -1116,7 +1116,7 @@ testRestoreMessages = logSize testStoreLogFile `shouldReturn` (if compacting then 1 else 2) -- the last message is not removed because it was not ACK'd -- logSize testStoreMsgsFile `shouldReturn` 3 - logSize testServerStatsBackupFile `shouldReturn` 95 + logSize testServerStatsBackupFile `shouldReturn` 101 Right stats2 <- strDecode <$> B.readFile testServerStatsBackupFile checkStats stats2 [rId] 5 3 @@ -1134,7 +1134,7 @@ testRestoreMessages = pure () logSize testStoreLogFile `shouldReturn` (if compacting then 1 else 2) removeFile testStoreLogFile - logSize testServerStatsBackupFile `shouldReturn` 95 + logSize testServerStatsBackupFile `shouldReturn` 101 Right stats3 <- strDecode <$> B.readFile testServerStatsBackupFile checkStats stats3 [rId] 5 5 removeFileIfExists testStoreMsgsFile From 5e0b75703bc270e355384bd4d0be62ab62b5893f Mon Sep 17 00:00:00 2001 From: sh Date: Mon, 22 Jun 2026 15:32:08 +0000 Subject: [PATCH 23/33] feat(names): public-namespace resolution via RSLV/RNAME SNRC names resolver role: RSLV command -> HTTP resolver -> RNAME record. Agent owns server selection (ServerRoles.names); NAME error family; async, concurrency-bounded resolution; length-prefixed extensible wire; spec. --- protocol/simplex-messaging.md | 111 ++++---- simplexmq.cabal | 3 + src/Simplex/Messaging/Agent/Client.hs | 2 +- src/Simplex/Messaging/Agent/Protocol.hs | 5 +- src/Simplex/Messaging/Names/EthAddress.hs | 7 - src/Simplex/Messaging/Names/Record.hs | 17 -- src/Simplex/Messaging/Protocol.hs | 40 ++- src/Simplex/Messaging/Server.hs | 189 ++++++++----- src/Simplex/Messaging/Server/Env/STM.hs | 35 +-- src/Simplex/Messaging/Server/Main.hs | 178 +++--------- src/Simplex/Messaging/Server/Main/Init.hs | 7 +- src/Simplex/Messaging/Server/Names.hs | 100 ++++--- .../Messaging/Server/Names/HttpResolver.hs | 74 ++--- src/Simplex/Messaging/SimplexName.hs | 25 +- src/Simplex/Messaging/Transport.hs | 12 +- tests/AgentTests/ResolveNameTests.hs | 134 +++------ tests/NamesResolverServer.hs | 106 ++++++++ tests/RSLVTests.hs | 171 ++++++------ tests/SMPClient.hs | 1 - tests/SMPNamesTests.hs | 257 +++++++++--------- 20 files changed, 709 insertions(+), 765 deletions(-) create mode 100644 tests/NamesResolverServer.hs diff --git a/protocol/simplex-messaging.md b/protocol/simplex-messaging.md index 716f5ef7f8..67c54e112d 100644 --- a/protocol/simplex-messaging.md +++ b/protocol/simplex-messaging.md @@ -106,7 +106,7 @@ This document describes SMP protocol version 20. Versions 1-5 are discontinued. - v17: create notification credentials with NEW command - v18: support client notices in BLOCKED error - v19: service subscriptions to messages (SUBS, NSUBS, SOKS, ENDS, ALLS commands) -- v20: public namespaces resolver (RSLV command, NAME response) — forwarded-only via PFWD +- v20: public namespaces resolver (RSLV command, RNAME response) — direct or forwarded via PFWD ## Introduction @@ -428,7 +428,7 @@ Simplex messaging router implementations MUST NOT create, store or send to any o - Any other information that may compromise privacy or [forward secrecy][4] of communication between clients using simplex messaging routers (the routers cannot compromise forward secrecy of any application layer protocol, such as double ratchet). -Routers with the names role make outbound HTTP calls to a backing resolver service (the reference implementation is `scripts/resolver/snrc-resolve.py`, which in turn makes JSON-RPC calls to an Ethereum endpoint) to read `NameRecord` data; the lookup key reaches that resolver and its upstream RPC endpoint. Operators MUST run both the resolver process and its upstream RPC endpoint themselves (loopback Reth + Nimbus, or a self-hosted central deployment) — sharing them across multiple operators collapses the two-server privacy property because the resolver / RPC operator would see every lookup key across all of them. The names role and the SMP-proxy role MUST NOT be enabled on the same router by default; a slow `RSLV` cache miss can serialise other forwarded commands on the same proxy-relay session. +Routers with the names role make outbound HTTP calls to a backing resolver service (the reference implementation is `scripts/resolver/snrc-resolve.py`, which in turn makes JSON-RPC calls to an Ethereum endpoint) to read `NameRecord` data; the lookup key reaches that resolver and its upstream RPC endpoint. Operators MUST run both the resolver process and its upstream RPC endpoint themselves (loopback Reth + Nimbus, or a self-hosted central deployment) — sharing them across multiple operators collapses the two-server privacy property because the resolver / RPC operator would see every lookup key across all of them. The names role and the SMP-proxy role MUST NOT be enabled on the same router by default: a client forwarding `RSLV` through a proxy that is also the names router would expose both its connection and the lookup key to one operator, collapsing the two-server privacy property. (Resolution itself runs on a forked thread, so a slow `RSLV` does not serialise other forwarded commands on the session.) ## Message delivery notifications @@ -1435,12 +1435,15 @@ router. A names router translates an opaque lookup key (such as `alice` or `alice.simplex.eth`) into a `NameRecord` carrying the channel and contact links the named party publishes. -**Forwarded-only.** RSLV is only valid when delivered inside a `PFWD` block via -the SMP proxy. A direct `RSLV` from a transport client is rejected with -`ERR CMD PROHIBITED`. This preserves the two-server privacy property of the -resolver design: the names router sees the lookup key but never the client IP, -session, or identity; the proxy router sees the client connection but cannot -read the encrypted lookup key inside the forwarded transmission. +**Direct or forwarded.** RSLV is an unauthenticated command accepted both +directly from a transport client and inside a `PFWD` block via the SMP proxy; +the client chooses. Forwarded delivery preserves the two-server privacy property +of the resolver design: the names router sees the lookup key but never the +client IP, session, or identity, while the proxy router sees the client +connection but cannot read the encrypted lookup key inside the forwarded +transmission. Direct delivery is simpler but exposes the client's connection to +the names router, so clients SHOULD prefer the forwarded path when proxying is +available. **Backing store.** This protocol does not prescribe where the names router reads `NameRecord` from. The reference implementation forwards each RSLV to a @@ -1453,50 +1456,44 @@ while still returning a `NameRecord` matching the encoding below. #### Resolve name command -The `RSLV` command carries a JSON-encoded request as the payload: +The `RSLV` command carries the canonical fully-qualified name directly as the +payload (not JSON): ```abnf -rslv = %s"RSLV" SP json-bytes ; json-bytes consumes the remainder of the transmission +rslv = %s"RSLV" SP domain ; domain = canonical name as non-space bytes; any trailing bytes are ignored (forward-compatible) ``` -`json-bytes` MUST be a UTF-8 JSON object with the following schema: +`domain` is the UTF-8 canonical fully-qualified name with the TLD always +explicit (e.g. `privacy.simplex`, `test.testing`, `example.com`), bounded to +253 bytes. -| Field | JSON type | Constraints | -|---|---|---| -| `name` | string | the canonical fully-qualified name (TLD always explicit, e.g. `"privacy.simplex"`, `"test.testing"`, `"example.com"`); UTF-8 bytes only | -| `contract` | string | `"0x"` followed by 40 lowercase hex characters (20 raw bytes); currently ignored by the server, reserved for future eth-backed implementations that may use it to constrain which on-chain registry the client expects the server to query | +**Server-side validation.** The names router parses `domain` as a +fully-qualified name (TLD required — bare labels are rejected) and forwards it +to the configured backing resolver, which is the source of truth for which +on-chain registry maps to each TLD. -**Server-side validation.** The names router parses `name` as a fully-qualified -domain (TLD required — bare labels are rejected) and forwards it to the -configured backing resolver. The `contract` field is parsed for forward -compatibility but ignored by the reference implementation: the backing -resolver is the source of truth for which on-chain registry maps to each TLD. - -The names router responds with either a `NAME` response carrying the resolved -record, or one of three error responses that a client iterating across several +The names router responds with either an `RNAME` response carrying the resolved +record, or an `ERR NAME` error whose subcode a client iterating across several configured servers can act on distinctly: | Response | Condition | Client action | |---|---|---| -| `NAME` | record resolved | use it | -| `ERR AUTH` | name not registered, or malformed name | authoritative "no such name" — stop | -| `ERR CMD PROHIBITED` | this router has no resolver (names role not enabled) | skip this server, try the next | -| `ERR INTERNAL` | backing resolver failure (404/400/5xx upstream, transport failure, timeout, decode error) | transient — retry or surface, do not treat as "not found" | +| `RNAME` | record resolved | use it | +| `ERR NAME NOT_FOUND` | name not registered, unknown TLD, or malformed name | authoritative "no such name" — stop | +| `ERR NAME NO_RESOLVER` | this router has no resolver (names role not enabled) | skip this server, try the next | +| `ERR NAME RESOLVER ` | transient failure: backing resolver error (upstream 5xx, transport, timeout, decode) or local overload (`"resolver overloaded"` when the router's concurrent-resolution cap is reached) | transient — retry or surface, do not treat as "not found" | A client SHOULD NOT broadcast a `name` to further servers after a name-capable -router has answered (`AUTH` or `INTERNAL`), since that router has already seen -the lookup key; `CMD PROHIBITED` discloses nothing about the name beyond the -fact that this router cannot resolve, so iterating past it is safe. Stats -counters MAY be exposed out-of-band for operator observability (`bad_name` is -incremented for validation failures, distinct from `not_found` for valid -lookups with no backing record). +router has answered (`NOT_FOUND` or `RESOLVER`), since that router has already +seen the lookup key; `NO_RESOLVER` discloses nothing about the name beyond the +fact that this router cannot resolve, so iterating past it is safe. #### Name record response -The `NAME` response carries a JSON-encoded record as the payload: +The `RNAME` response carries a JSON-encoded record as the payload: ```abnf -name = %s"NAME" SP json-bytes ; json-bytes consumes the remainder of the transmission +rname = %s"RNAME" SP len json-bytes ; len = length of json-bytes as a 2-byte integer; any bytes after json-bytes are ignored (forward-compatible) ``` `json-bytes` MUST be a UTF-8 JSON object with the following schema: @@ -1507,8 +1504,8 @@ name = %s"NAME" SP json-bytes ; json-bytes consumes the remainder of the trans | `nickname` | string | ≤ 255 bytes UTF-8; senders MUST emit the empty string `""` when unset | | `website` | string | ≤ 255 bytes UTF-8; same empty-string-when-unset rule | | `location` | string | ≤ 255 bytes UTF-8; same empty-string-when-unset rule | -| `simplexContact` | string | ≤ 1024 bytes UTF-8; same empty-string-when-unset rule | -| `simplexChannel` | string | ≤ 1024 bytes UTF-8; same empty-string-when-unset rule | +| `simplexContact` | array of strings | each a SimpleX contact link (primary first); empty array `[]` when unset | +| `simplexChannel` | array of strings | each a SimpleX channel link (primary first); empty array `[]` when unset | | `eth` | string or null | ≤ 255 bytes UTF-8; senders MUST emit `null` when unset; receivers MUST also accept absent keys as unset | | `btc` | string or null | ≤ 255 bytes UTF-8; same null / absent rules | | `xmr` | string or null | ≤ 255 bytes UTF-8; same null / absent rules | @@ -1516,30 +1513,34 @@ name = %s"NAME" SP json-bytes ; json-bytes consumes the remainder of the trans | `owner` | string | `"0x"` followed by 40 lowercase hex characters (20 raw bytes) | | `resolver` | string | `"0x"` followed by 40 lowercase hex characters; the resolver contract address that produced the record | -Text fields (`nickname`, `website`, `location`, `simplexContact`, -`simplexChannel`) use the empty string `""` as the "unset" sentinel: a -backing resolver with no value for the field MUST emit an empty string, not -JSON `null` and not an absent key. Coin fields (`eth`, `btc`, `xmr`, `dot`) -use JSON `null` as the "unset" sentinel and MAY also be absent from the -object entirely. +Text fields (`nickname`, `website`, `location`) use the empty string `""` as +the "unset" sentinel: a backing resolver with no value for the field MUST emit +an empty string, not JSON `null` and not an absent key. Link fields +(`simplexContact`, `simplexChannel`) are arrays, primary link first, and use the +empty array `[]` when unset. Coin fields (`eth`, `btc`, `xmr`, `dot`) use JSON +`null` as the "unset" sentinel and MAY also be absent from the object entirely. -The server MUST filter records its backing resolver indicates are expired -or otherwise unavailable (returning `ERR AUTH` to the client), so the wire -format carries no expiry field. Testnet-vs-mainnet status is derived from -the queried TLD rather than an in-record flag. +The backing resolver filters records that are expired or otherwise unavailable +(the names router then returns `ERR NAME NOT_FOUND` to the client), so the wire +format carries no expiry field. Testnet-vs-mainnet status is derived from the +queried TLD rather than an in-record flag. Receivers MUST tolerate extra unknown fields (forward-compatibility for future field additions). Adding a required field is a breaking change requiring an SMP version bump. -**Canonical encoding.** Two names routers reading the same backing state and -producing the same `NameRecord` MUST emit byte-identical JSON: emit object -keys in the order listed above, integers without decimal points, no -insignificant whitespace. - -**Wire-size budget.** A maximal `nameRecord` (two 1024-byte SimpleX links -plus the other capped strings) JSON-encodes to roughly 4 KB, well under the -SMP proxied transmission budget of 16224 bytes. +**Field order is not significant.** Receivers parse JSON by key name, so object +key order, insignificant whitespace, and number formatting carry no meaning; +records are interpreted by decoded value, never compared byte-for-byte. Peers +MUST NOT rely on a byte-canonical form — a different resolver or server may emit +the same record with different key order or spacing. This order-independence is +what makes the format forward-compatible (see the unknown-field rule above). + +**Wire-size budget.** The names router caps the resolver response it will +accept (`resolver_max_response_bytes`, ≤ 16000 bytes, the default) so the +re-encoded `RNAME` stays within the SMP proxied transmission budget of 16224 +bytes; a response over the cap is rejected as `ERR NAME RESOLVER`. The link +arrays are bounded by this overall budget rather than a fixed per-field count. ## Transport connection with the SMP router diff --git a/simplexmq.cabal b/simplexmq.cabal index 730572ff0f..ee8eeadbb3 100644 --- a/simplexmq.cabal +++ b/simplexmq.cabal @@ -550,6 +550,7 @@ test-suite simplexmq-test CoreTests.VersionRangeTests FileDescriptionTests RemoteControl + NamesResolverServer RSLVTests ServerTests SMPAgentClient @@ -635,6 +636,8 @@ test-suite simplexmq-test , unliftio , unliftio-core , unordered-containers + , wai + , warp , yaml default-language: Haskell2010 if flag(server_postgres) diff --git a/src/Simplex/Messaging/Agent/Client.hs b/src/Simplex/Messaging/Agent/Client.hs index 684c78fc77..35b127b5a7 100644 --- a/src/Simplex/Messaging/Agent/Client.hs +++ b/src/Simplex/Messaging/Agent/Client.hs @@ -2012,7 +2012,7 @@ getNextNameServer c userId = liftIO (TM.lookupIO userId (userServers c :: TMap UserId (UserServers 'PSMP))) >>= \case Just UserServers {nameSrvs} -> case L.nonEmpty nameSrvs of Just srvs -> protoServer <$> pickServer srvs - Nothing -> throwE $ NAME SMP.NO_SERVERS + Nothing -> throwE NO_NAME_SERVERS Nothing -> throwE $ INTERNAL "unknown userId - no user servers" enableQueueNotifications :: AgentClient -> RcvQueue -> SMP.NtfPublicAuthKey -> SMP.RcvNtfPublicDhKey -> AM (SMP.NotifierId, SMP.RcvNtfPublicDhKey) diff --git a/src/Simplex/Messaging/Agent/Protocol.hs b/src/Simplex/Messaging/Agent/Protocol.hs index 803d7220f3..29b1d4220e 100644 --- a/src/Simplex/Messaging/Agent/Protocol.hs +++ b/src/Simplex/Messaging/Agent/Protocol.hs @@ -244,7 +244,6 @@ import Simplex.Messaging.Protocol ( AProtocolType, BrokerErrorType (..), ErrorType, - NameErrorType (..), MsgBody, MsgFlags, MsgId, @@ -2019,9 +2018,9 @@ data AgentErrorType XFTP {serverAddress :: String, xftpErr :: XFTPErrorType} | -- | XFTP agent errors FILE {fileErr :: FileErrorType} - | -- | name resolution agent errors (e.g. no name-resolving servers configured). + | -- | no name-resolving servers configured for the user (agent-origin). -- Server-origin name errors arrive forwarded as SMP _ (NAME ...) instead. - NAME {nameErr :: NameErrorType} + NO_NAME_SERVERS | -- | SMP proxy errors PROXY {proxyServer :: String, relayServer :: String, proxyErr :: ProxyClientError} | -- | XRCP protocol errors forwarded to agent clients diff --git a/src/Simplex/Messaging/Names/EthAddress.hs b/src/Simplex/Messaging/Names/EthAddress.hs index 83e8944acb..a124193220 100644 --- a/src/Simplex/Messaging/Names/EthAddress.hs +++ b/src/Simplex/Messaging/Names/EthAddress.hs @@ -16,7 +16,6 @@ import qualified Data.ByteString.Char8 as B import Data.Maybe (fromMaybe) import qualified Data.Text as T import Data.Text.Encoding (decodeLatin1, encodeUtf8) -import Simplex.Messaging.Encoding (Encoding (..)) -- | 20-byte Ethereum address (NameRecord owner / resolver). Bare constructor -- not exported; use 'mkEthAddress' to enforce the 20-byte invariant. JSON form @@ -29,12 +28,6 @@ mkEthAddress bs | B.length bs == 20 = Right (EthAddress bs) | otherwise = Left "EthAddress must be 20 bytes" --- Wire: length-prefixed raw bytes (via the ByteString instance); parse enforces --- the 20-byte invariant. -instance Encoding EthAddress where - smpEncode = smpEncode . unEthAddress - smpP = smpP >>= either fail pure . mkEthAddress - instance J.ToJSON EthAddress where toJSON (EthAddress bs) = J.String $ "0x" <> decodeLatin1 (BAE.convertToBase BAE.Base16 bs) diff --git a/src/Simplex/Messaging/Names/Record.hs b/src/Simplex/Messaging/Names/Record.hs index 4a78b151a7..1eec7920ed 100644 --- a/src/Simplex/Messaging/Names/Record.hs +++ b/src/Simplex/Messaging/Names/Record.hs @@ -11,7 +11,6 @@ where import qualified Data.Aeson as J import qualified Data.Aeson.TH as JQ import Data.Text (Text) -import Simplex.Messaging.Encoding (Encoding (..), smpEncodeList, smpListP) import Simplex.Messaging.Names.EthAddress (EthAddress) import Simplex.Messaging.Parsers (defaultJSON, dropPrefix) @@ -45,19 +44,3 @@ $( JQ.deriveJSON defaultJSON {J.omitNothingFields = False, J.fieldLabelModifier = dropPrefix "nr"} ''NameRecord ) - --- Wire encoding for the SMP NAME response: field-ordered smpEncode, not embedded --- JSON. Field order = record declaration order. EthAddress encodes as its raw --- 20 bytes (length-prefixed via the ByteString instance). -instance Encoding NameRecord where - smpEncode NameRecord {nrName, nrNickname, nrWebsite, nrLocation, nrSimplexContact, nrSimplexChannel, nrEth, nrBtc, nrXmr, nrDot, nrOwner, nrResolver} = - smpEncode (nrName, nrNickname, nrWebsite, nrLocation) - <> smpEncodeList nrSimplexContact - <> smpEncodeList nrSimplexChannel - <> smpEncode (nrEth, nrBtc, nrXmr, nrDot, nrOwner, nrResolver) - smpP = do - (nrName, nrNickname, nrWebsite, nrLocation) <- smpP - nrSimplexContact <- smpListP - nrSimplexChannel <- smpListP - (nrEth, nrBtc, nrXmr, nrDot, nrOwner, nrResolver) <- smpP - pure NameRecord {nrName, nrNickname, nrWebsite, nrLocation, nrSimplexContact, nrSimplexChannel, nrEth, nrBtc, nrXmr, nrDot, nrOwner, nrResolver} diff --git a/src/Simplex/Messaging/Protocol.hs b/src/Simplex/Messaging/Protocol.hs index 5943d2e791..0b380ca4d6 100644 --- a/src/Simplex/Messaging/Protocol.hs +++ b/src/Simplex/Messaging/Protocol.hs @@ -1594,17 +1594,16 @@ data ErrorType DUPLICATE_ -- not part of SMP protocol, used internally deriving (Eq, Show) --- | Name resolution errors (the NAME family of ErrorType / AgentErrorType). --- One vocabulary shared server-side and agent-side so name failures flow --- through the single error type to chat (as ChatErrorAgent) with diagnostics, --- mirroring ProxyError. +-- | Name resolution errors returned by the server (Resolver role) via +-- ErrorType.NAME; they reach the agent forwarded as SMP _ (NAME ...) and on to +-- chat as ChatErrorAgent with diagnostics, mirroring ProxyError. The +-- agent-originated "no name-resolving servers" case is a separate agent error +-- (AgentErrorType.NO_NAME_SERVERS), not part of this server vocabulary. data NameErrorType = -- | the names role / resolver is not configured on this server NO_RESOLVER | -- | the name is not registered (resolver returned not-found) - NO_NAME - | -- | no name-resolving servers configured (agent-originated only) - NO_SERVERS + NOT_FOUND | -- | backing resolver/RPC failure - carries the diagnostic detail RESOLVER {resolverErr :: Text} deriving (Eq, Show) @@ -1834,8 +1833,7 @@ instance PartyI p => ProtocolEncoding SMPVersion ErrorType (Command p) where PRXY host auth_ -> e (PRXY_, ' ', host, auth_) PFWD fwdV pubKey (EncTransmission s) -> e (PFWD_, ' ', fwdV, pubKey, Tail s) RFWD (EncFwdTransmission s) -> e (RFWD_, ' ', Tail s) - -- Version gating is the client's job (Client.hs), not the encoder's. - RSLV d -> e (RSLV_, ' ', Tail (strEncode d)) + RSLV d -> e (RSLV_, ' ', d) where e :: Encoding a => a -> ByteString e = smpEncode @@ -1944,11 +1942,9 @@ instance ProtocolEncoding SMPVersion ErrorType Cmd where CT SNotifierService NSUBS_ | v >= rcvServiceSMPVersion -> Cmd SNotifierService <$> (NSUBS <$> _smpP <*> smpP) | otherwise -> pure $ Cmd SNotifierService $ NSUBS (-1) mempty - -- Name is validated at parse (invalid syntax fails here -> CMD error), - -- so the handler only ever sees a valid SimplexNameDomain. - CT SResolver RSLV_ -> do - Tail bs <- _smpP - either fail (pure . Cmd SResolver . RSLV) (strDecode bs) + -- the domain is space-delimited; ignore any trailing bytes so a future + -- version appending RSLV fields stays parseable by this server (fwd-compat) + CT SResolver RSLV_ -> Cmd SResolver . RSLV <$> _smpP <* A.takeByteString fromProtocolError = fromProtocolError @SMPVersion @ErrorType @BrokerMsg {-# INLINE fromProtocolError #-} @@ -1995,9 +1991,9 @@ instance ProtocolEncoding SMPVersion ErrorType BrokerMsg where | v < clientNoticesSMPVersion -> BLOCKED info {notice = Nothing} _ -> err PONG -> e PONG_ - -- Field-ordered Encoding NameRecord (no JSON on the wire); a response that - -- arrived is already on a supported version, so no version gate. - RNAME rec -> e (RNAME_, ' ', rec) + -- length-prefixed (Large) rather than Tail so the JSON record is + -- self-delimiting and later versions can append fields after it on the wire + RNAME rec -> e (RNAME_, ' ', Large $ LB.toStrict $ J.encode rec) where e :: Encoding a => a -> ByteString e = smpEncode @@ -2045,7 +2041,9 @@ instance ProtocolEncoding SMPVersion ErrorType BrokerMsg where OK_ -> pure OK ERR_ -> ERR <$> _smpP PONG_ -> pure PONG - RNAME_ -> RNAME <$> _smpP + -- A.takeByteString ignores any bytes after the length-prefixed record, so a + -- future version appending fields stays parseable by this client (fwd-compat) + RNAME_ -> (fmap RNAME . J.eitherDecodeStrict . unLarge <$?> _smpP) <* A.takeByteString where serviceRespP resp | v >= rcvServiceSMPVersion = resp <$> _smpP <*> smpP @@ -2137,14 +2135,12 @@ instance Encoding ErrorType where instance Encoding NameErrorType where smpEncode = \case NO_RESOLVER -> "NO_RESOLVER" - NO_NAME -> "NO_NAME" - NO_SERVERS -> "NO_SERVERS" + NOT_FOUND -> "NOT_FOUND" RESOLVER e -> "RESOLVER " <> encodeUtf8 e smpP = A.takeTill (== ' ') >>= \case "NO_RESOLVER" -> pure NO_RESOLVER - "NO_NAME" -> pure NO_NAME - "NO_SERVERS" -> pure NO_SERVERS + "NOT_FOUND" -> pure NOT_FOUND "RESOLVER" -> RESOLVER . safeDecodeUtf8 <$> (A.space *> A.takeByteString) _ -> fail "bad NameErrorType" diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index ac2633e0ad..8017e8207f 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -103,12 +103,13 @@ import qualified Simplex.Messaging.Crypto as C import Simplex.Messaging.Encoding import Simplex.Messaging.Encoding.String import Simplex.Messaging.Protocol +import Simplex.Messaging.SimplexName (SimplexNameDomain) import Simplex.Messaging.Server.Control import Simplex.Messaging.Server.Env.STM as Env import Simplex.Messaging.Server.Expiration import Simplex.Messaging.Server.MsgStore import Simplex.Messaging.Server.MsgStore.Journal (JournalMsgStore, JournalQueue (..), getJournalQueueMessages) -import Simplex.Messaging.Server.Names (closeNamesEnv, resolveName) +import Simplex.Messaging.Server.Names (NamesEnv, closeNamesEnv, releaseResolver, resolveName, resolverAtCapacity, tryAcquireResolver) import Simplex.Messaging.Server.MsgStore.STM import Simplex.Messaging.Server.MsgStore.Types import Simplex.Messaging.Server.NtfStore @@ -247,9 +248,8 @@ smpServer started cfg@ServerConfig {transports, transportConfig = tCfg, startOpt closeServer :: M s () closeServer = do - pa <- asks (smpAgent . proxyAgent) - ne <- asks namesEnv - liftIO $ closeSMPClientAgent pa `E.finally` mapM_ closeNamesEnv ne + asks (smpAgent . proxyAgent) >>= liftIO . closeSMPClientAgent + asks namesEnv >>= liftIO . mapM_ closeNamesEnv serverThread :: forall sub. String -> @@ -1470,19 +1470,60 @@ client Nothing -> inc False pRequests >> inc False pErrorsConnect $> Just (ERR $ PROXY NO_SESSION) where forkProxiedCmd :: M s BrokerMsg -> M s (Maybe BrokerMsg) - forkProxiedCmd cmdAction = do - bracket_ wait signal . forkClient clnt (B.unpack $ "client $" <> encode sessionId <> " proxy") $ do - -- commands MUST be processed under a reasonable timeout or the client would halt - cmdAction >>= \t -> atomically $ writeTBQueue sndQ ([(corrId, EntityId sessId, t)], []) - pure Nothing - where - wait = do - ServerConfig {serverClientConcurrency} <- asks config - atomically $ do - used <- readTVar procThreads - when (used >= serverClientConcurrency) retry - writeTVar procThreads $! used + 1 - signal = atomically $ modifyTVar' procThreads (\t -> t - 1) + forkProxiedCmd = forkCmd corrId (EntityId sessId) + -- Run a slow command on a forked, back-pressured thread, sending its response + -- to sndQ from the thread so command processing is not blocked. Returns + -- Nothing (no synchronous response). Used for proxying and name resolution. + forkCmd :: CorrId -> EntityId -> M s BrokerMsg -> M s (Maybe a) + forkCmd corrId entId cmdAction = do + bracket_ wait signal . forkClient clnt (B.unpack $ "client $" <> encode sessionId <> " cmd") $ + -- commands MUST be processed under a reasonable timeout or the client would halt + cmdAction >>= \t -> atomically $ writeTBQueue sndQ ([(corrId, entId, t)], []) + pure Nothing + where + wait = do + ServerConfig {serverClientConcurrency} <- asks config + atomically $ do + used <- readTVar procThreads + when (used >= serverClientConcurrency) retry + writeTVar procThreads $! used + 1 + signal = atomically $ modifyTVar' procThreads (\t -> t - 1) + -- Count an RSLV request and decide handling: no resolver -> NO_RESOLVER; + -- already at the concurrency cap -> shed with a transient RESOLVER error + -- (Left, answered without forking) so an unauthenticated flood cannot + -- exhaust threads / outbound resolver calls; otherwise return the resolve + -- action (Right) for the caller to fork. The capacity check here is a + -- non-mutating peek (no slot reserved), so no slot is held across the + -- fork boundary; rslvNameResponse acquires and releases the slot in one + -- bracket inside the forked thread. Shared by the direct and forwarded paths. + admitRslv :: SimplexNameDomain -> M s (Either BrokerMsg (M s BrokerMsg)) + admitRslv d = do + st <- asks (rslvStats . serverStats) + incStat (rslvReqs st) + asks namesEnv >>= \case + Nothing -> incStat (rslvDisabled st) $> Left (ERR (NAME NO_RESOLVER)) + Just nenv -> + ifM + (liftIO (resolverAtCapacity nenv)) + (incStat (rslvResolverErrs st) $> Left (ERR (NAME (RESOLVER "resolver overloaded")))) + (pure $ Right (rslvNameResponse nenv d)) + -- Resolve a name to its RNAME / ERR (NAME ...) response. Acquires the + -- in-flight slot and releases it in the same bracket, so it cannot leak on + -- any exit path (including async kill of the forked thread). A lost race + -- on the cap (acquire returns False) sheds, matching admitRslv's peek. + -- The name is validated at parse, so this only maps the resolver outcome. + rslvNameResponse :: NamesEnv -> SimplexNameDomain -> M s BrokerMsg + rslvNameResponse nenv d = do + st <- asks (rslvStats . serverStats) + bracket (liftIO (tryAcquireResolver nenv)) (\held -> when held $ liftIO (releaseResolver nenv)) $ \case + False -> incStat (rslvResolverErrs st) $> ERR (NAME (RESOLVER "resolver overloaded")) + True -> do + (selector, msg) <- + liftIO (resolveName nenv d) <&> \case + Right rec -> (rslvSucc, RNAME rec) + Left e@NOT_FOUND -> (rslvNotFound, ERR $ NAME e) + Left e -> (rslvResolverErrs, ERR $ NAME e) + incStat (selector st) $> msg transportErr :: TransportError -> ErrorType transportErr = PROXY . BROKER . TRANSPORT mkIncProxyStats :: MonadIO m => ProxyStats -> ProxyStats -> OwnServer -> (ProxyStats -> IORef Int) -> m () @@ -1496,20 +1537,13 @@ client SKEY k -> withQueue $ \q qr -> checkMode QMMessaging qr $ secureQueue_ q k SEND flags msgBody -> response <$> withQueue_ False err (sendMessage flags msgBody) Cmd SIdleClient PING -> pure $ response (corrId, NoEntity, PONG) - Cmd SProxyService (RFWD encBlock) -> response . (corrId,NoEntity,) <$> processForwardedCommand encBlock - Cmd SResolver (RSLV d) -> do - st <- asks (rslvStats . serverStats) - incStat (rslvReqs st) - -- The name is validated at command parse (invalid syntax never reaches - -- here), so the handler only maps the resolver outcome to a declared - -- error that reaches the client as ERR (NAME ...). - (selector, msg) <- asks namesEnv >>= \case - Nothing -> pure (rslvDisabled, ERR $ NAME NO_RESOLVER) - Just nenv -> liftIO (resolveName nenv d) <&> \case - Right rec -> (rslvSucc, RNAME rec) - Left e@NO_NAME -> (rslvNotFound, ERR $ NAME e) - Left e -> (rslvResolverErrs, ERR $ NAME e) - incStat (selector st) $> response (corrId, NoEntity, msg) + Cmd SProxyService (RFWD encBlock) -> (response . (corrId, NoEntity,) =<<) <$> processForwardedCommand encBlock + -- Resolve names on a forked thread (like proxying) so a slow RSLV does not + -- block other commands; admitRslv bounds concurrent resolutions and sheds + -- load (synchronous error, no fork) when saturated. Shared with the + -- forwarded path (processForwardedCommand). + Cmd SResolver (RSLV d) -> + admitRslv d >>= either (pure . response . (corrId, NoEntity,)) (forkCmd corrId NoEntity) Cmd SSenderLink command -> case command of LKEY k -> withQueue $ \q qr -> checkMode QMMessaging qr $ secureQueue_ q k $>> getQueueLink_ q qr LGET -> withQueue $ \q qr -> checkContact qr $ getQueueLink_ q qr @@ -2107,45 +2141,62 @@ client encNMsgMeta = C.cbEncrypt rcvNtfDhSecret ntfNonce (smpEncode msgMeta) 128 pure $ MsgNtf {ntfMsgId = msgId, ntfTs = msgTs, ntfNonce, ntfEncMeta = fromRight "" encNMsgMeta} - processForwardedCommand :: EncFwdTransmission -> M s BrokerMsg - processForwardedCommand (EncFwdTransmission s) = fmap (either ERR RRES) . runExceptT $ do - THAuthServer {serverPrivKey, sessSecret'} <- maybe (throwE $ transportErr TENoServerAuth) pure (thAuth thParams') - sessSecret <- maybe (throwE $ transportErr TENoServerAuth) pure sessSecret' - let proxyNonce = C.cbNonce $ bs corrId - s' <- liftEitherWith (const CRYPTO) $ C.cbDecryptNoPad sessSecret proxyNonce s - FwdTransmission {fwdCorrId, fwdVersion, fwdKey, fwdTransmission = EncTransmission et} <- liftEitherWith (const $ CMD SYNTAX) $ smpDecode s' - let clientSecret = C.dh' fwdKey serverPrivKey - clientNonce = C.cbNonce $ bs fwdCorrId - b <- liftEitherWith (const CRYPTO) $ C.cbDecrypt clientSecret clientNonce et - let clntTHParams = smpTHParamsSetVersion fwdVersion thParams' - -- only allowing single forwarded transactions - t' <- case tParse clntTHParams b of - t :| [] -> pure $ tDecodeServer clntTHParams t - _ -> throwE BLOCK - let clntThAuth = Just $ THAuthServer {serverPrivKey, peerClientService = Nothing, sessSecret' = Just clientSecret} - -- process forwarded command - r <- - lift (rejectOrVerify clntThAuth t') >>= \case - Left r -> pure r - -- rejectOrVerify filters allowed commands, no need to repeat it here. - -- INTERNAL is used because processCommand never returns Nothing for sender commands (could be extracted for better types). - -- `fst` removes empty message that is only returned for `SUB` command - Right t''@(_, (corrId', entId', _)) -> maybe (corrId', entId', ERR INTERNAL) fst <$> lift (processCommand Nothing fwdVersion (Right (M.empty, M.empty, M.empty)) t'') - -- encode response - r' <- case batchTransmissions clntTHParams [Right (Nothing, encodeTransmission clntTHParams r)] of - [] -> throwE INTERNAL -- at least 1 item is guaranteed from NonEmpty/Right - TBError _ _ : _ -> throwE BLOCK - TBTransmission b' _ : _ -> pure b' - TBTransmissions b' _ _ : _ -> pure b' - -- encrypt to client - r2 <- liftEitherWith (const BLOCK) $ EncResponse <$> C.cbEncrypt clientSecret (C.reverseNonce clientNonce) r' paddedProxiedTLength - -- encrypt to proxy - let fr = FwdResponse {fwdCorrId, fwdResponse = r2} - r3 = EncFwdResponse $ C.cbEncryptNoPad sessSecret (C.reverseNonce proxyNonce) (smpEncode fr) - stats <- asks serverStats - incStat $ pMsgFwdsRecv stats - pure r3 + -- Returns Nothing for a forwarded RSLV: like proxying, it resolves and + -- replies from a forked thread (forkCmd writes the RRES to sndQ), so a + -- slow RSLV does not serialise other forwarded commands on this session. + processForwardedCommand :: EncFwdTransmission -> M s (Maybe BrokerMsg) + processForwardedCommand (EncFwdTransmission s) = do + prepared <- runExceptT $ do + THAuthServer {serverPrivKey, sessSecret'} <- maybe (throwE $ transportErr TENoServerAuth) pure (thAuth thParams') + sessSecret <- maybe (throwE $ transportErr TENoServerAuth) pure sessSecret' + let proxyNonce = C.cbNonce $ bs corrId + s' <- liftEitherWith (const CRYPTO) $ C.cbDecryptNoPad sessSecret proxyNonce s + FwdTransmission {fwdCorrId, fwdVersion, fwdKey, fwdTransmission = EncTransmission et} <- liftEitherWith (const $ CMD SYNTAX) $ smpDecode s' + let clientSecret = C.dh' fwdKey serverPrivKey + clientNonce = C.cbNonce $ bs fwdCorrId + b <- liftEitherWith (const CRYPTO) $ C.cbDecrypt clientSecret clientNonce et + let clntTHParams = smpTHParamsSetVersion fwdVersion thParams' + -- only allowing single forwarded transactions + t' <- case tParse clntTHParams b of + t :| [] -> pure $ tDecodeServer clntTHParams t + _ -> throwE BLOCK + let clntThAuth = Just $ THAuthServer {serverPrivKey, peerClientService = Nothing, sessSecret' = Just clientSecret} + -- wrap an inner response transmission into the encrypted RRES reply + encodeResp r = do + r' <- case batchTransmissions clntTHParams [Right (Nothing, encodeTransmission clntTHParams r)] of + [] -> throwE INTERNAL -- at least 1 item is guaranteed from NonEmpty/Right + TBError _ _ : _ -> throwE BLOCK + TBTransmission b' _ : _ -> pure b' + TBTransmissions b' _ _ : _ -> pure b' + -- encrypt to client + r2 <- liftEitherWith (const BLOCK) $ EncResponse <$> C.cbEncrypt clientSecret (C.reverseNonce clientNonce) r' paddedProxiedTLength + -- encrypt to proxy + let fr = FwdResponse {fwdCorrId, fwdResponse = r2} + pure $ RRES $ EncFwdResponse $ C.cbEncryptNoPad sessSecret (C.reverseNonce proxyNonce) (smpEncode fr) + pure (clntThAuth, fwdVersion, t', encodeResp) + case prepared of + Left e -> pure $ Just $ ERR e + Right (clntThAuth, fwdVersion, t', encodeResp) -> do + incFwdRecv -- count every decrypted forwarded command, on either path + let respond r = Just . either ERR id <$> runExceptT (encodeResp r) + rejectOrVerify clntThAuth t' >>= \case + -- rejectOrVerify filters allowed commands, no need to repeat it here. + Left r -> respond r + Right t''@(_, (corrId', entId', cmd')) -> case cmd' of + -- forwarded RSLV is bounded/shed like the direct path (admitRslv); + -- the resolved (or shed) response is wrapped as RRES via encodeResp. + Cmd SResolver (RSLV d) -> + admitRslv d >>= \case + Left msg -> respond (corrId', entId', msg) + Right act -> forkCmd corrId NoEntity $ do + msg <- act + either ERR id <$> runExceptT (encodeResp (corrId', entId', msg)) + -- INTERNAL is used because processCommand never returns Nothing for + -- the other forwarded commands (could be extracted for better types). + -- `fst` removes empty message that is only returned for `SUB` command + _ -> processCommand Nothing fwdVersion (Right (M.empty, M.empty, M.empty)) t'' >>= respond . maybe (corrId', entId', ERR INTERNAL) fst where + incFwdRecv = asks serverStats >>= incStat . pMsgFwdsRecv rejectOrVerify :: Maybe (THandleAuth 'TServer) -> SignedTransmissionOrError ErrorType Cmd -> M s (VerifiedTransmissionOrError s) rejectOrVerify clntThAuth = \case Left (corrId', entId', e) -> pure $ Left (corrId', entId', ERR e) diff --git a/src/Simplex/Messaging/Server/Env/STM.hs b/src/Simplex/Messaging/Server/Env/STM.hs index 2e212f05ff..53c6f2c207 100644 --- a/src/Simplex/Messaging/Server/Env/STM.hs +++ b/src/Simplex/Messaging/Server/Env/STM.hs @@ -115,8 +115,7 @@ import Simplex.Messaging.Server.Information import Simplex.Messaging.Server.MsgStore.Journal import Simplex.Messaging.Server.MsgStore.STM import Simplex.Messaging.Server.MsgStore.Types -import Simplex.Messaging.Server.Names (NamesConfig (..), NamesEnv, ResolverCall, newNamesEnv, newNamesEnvWith, pingEndpoint) -import Simplex.Messaging.Server.Names.HttpResolver (scrubUrl) +import Simplex.Messaging.Server.Names (NamesConfig (..), NamesEnv, newNamesEnv, pingEndpoint) import Simplex.Messaging.Server.NtfStore import Simplex.Messaging.Server.QueueStore import Simplex.Messaging.Server.QueueStore.Postgres.Config @@ -201,9 +200,6 @@ data ServerConfig s = ServerConfig serverClientConcurrency :: Int, -- | public-namespace resolver config; Nothing disables the names role namesConfig :: Maybe NamesConfig, - -- | test seam: inject a stub resolver call instead of the production HTTP - -- resolver + startup probe. Nothing in production (built from namesConfig). - namesResolverCall_ :: Maybe ResolverCall, -- | server public information information :: Maybe ServerPublicInfo, startOptions :: StartOptions @@ -566,7 +562,7 @@ newProhibitedSub = do return Sub {subThread = ProhibitSub, delivered} newEnv :: ServerConfig s -> IO (Env s) -newEnv config@ServerConfig {allowSMPProxy, smpCredentials, httpCredentials, serverStoreCfg, smpAgentCfg, information, messageExpiration, idleQueueInterval, msgQueueQuota, maxJournalMsgCount, maxJournalStateLines, namesConfig, namesResolverCall_} = do +newEnv config@ServerConfig {smpCredentials, httpCredentials, serverStoreCfg, smpAgentCfg, information, messageExpiration, idleQueueInterval, msgQueueQuota, maxJournalMsgCount, maxJournalStateLines, namesConfig} = do serverActive <- newTVarIO True server <- newServer msgStore_ <- case serverStoreCfg of @@ -611,23 +607,16 @@ newEnv config@ServerConfig {allowSMPProxy, smpCredentials, httpCredentials, serv sockets <- newTVarIO [] clientSeq <- newTVarIO 0 proxyAgent <- newSMPProxyAgent smpAgentCfg random - namesEnv <- case namesConfig of - Nothing -> pure Nothing - Just nc -> case namesResolverCall_ of - -- test seam: stub resolver, no real HTTP env or startup probe - Just call -> Just <$> newNamesEnvWith nc call Nothing - Nothing -> do - logInfo $ "[NAMES] resolver enabled, endpoint=" <> scrubUrl (resolverEndpoint nc) - when allowSMPProxy $ - logWarn "[NAMES] enable: on on a proxy-role host: slow RSLV calls can serialise other forwarded commands on the same proxy-relay session. For high-volume deployments, run [NAMES] on a separate host." - env <- newNamesEnv nc - -- Probe the endpoint at startup. Don't exitFailure: a flapping - -- network or an Ethereum host coming up minutes after smp-server - -- should not block the server. Log so operators can spot it. - pingEndpoint env >>= \case - Right _ -> logInfo "[NAMES] endpoint probe ok" - Left e -> logWarn $ "[NAMES] endpoint probe failed (server will still start, RSLV will return ERR (NAME ...) until reachable): " <> tshow e - pure (Just env) + namesEnv <- forM namesConfig $ \nc -> do + logInfo $ "[NAMES] resolver enabled, endpoint=" <> T.pack (resolverEndpoint nc) + env <- newNamesEnv nc + -- Probe the endpoint at startup. Don't exitFailure: a flapping network or a + -- resolver host coming up minutes after smp-server should not block the + -- server. Log so operators can spot it. + pingEndpoint env >>= \case + Right _ -> logInfo "[NAMES] endpoint probe ok" + Left e -> logWarn $ "[NAMES] endpoint probe failed (server will still start, RSLV will return ERR (NAME ...) until reachable): " <> tshow e + pure env pure Env { serverActive, diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index 4842b3c106..17a7290923 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -47,11 +47,11 @@ import Control.Monad import qualified Data.Attoparsec.ByteString.Char8 as A import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B -import Data.Char (isAlpha, isAscii, isDigit, isHexDigit, toLower, toUpper) +import Data.Char (isAlpha, isAscii, toUpper) import Data.Either (fromRight) import Data.Functor (($>)) import Data.Ini (Ini, lookupValue, readIniFile) -import Data.List (find, isInfixOf, isPrefixOf) +import Data.List (dropWhileEnd, find, isPrefixOf) import qualified Data.List.NonEmpty as L import Data.Maybe (fromMaybe, isJust, isNothing) import Data.Text (Text) @@ -67,9 +67,6 @@ import Simplex.Messaging.Client.Agent (SMPClientAgentConfig (..), defaultSMPClie import qualified Simplex.Messaging.Crypto as C import Simplex.Messaging.Encoding.String import Simplex.Messaging.Parsers (parseAll) -import qualified Data.IP as IP -import Data.Bits (shiftR, (.&.)) -import Data.Word (Word32) import Network.URI (URI (..), URIAuth (..), parseAbsoluteURI) import Simplex.Messaging.Protocol (BasicAuth (..), ProtoServerWithAuth (ProtoServerWithAuth), pattern SMPServer) import Simplex.Messaging.Server (AttachHTTP, exportMessages, importMessages, printMessageStats, runSMPServer) @@ -612,7 +609,6 @@ smpServerCLI_ generateSite serveStaticFiles attachStaticFiles cfgPath logPath = allowSMPProxy = True, serverClientConcurrency = readIniDefault defaultProxyClientConcurrency "PROXY" "client_concurrency" ini, namesConfig = readNamesConfig ini, - namesResolverCall_ = Nothing, -- production builds the resolver from namesConfig information = serverPublicInfo ini, startOptions } @@ -816,11 +812,15 @@ readNamesConfig ini resolverAuth = resolverAuth_, resolverTimeoutMs = boundedIniInt 3000 100 60000 "resolver_timeout_ms", -- ceiling = SMP transport budget: the NAME response is one SMP - -- transmission (proxied: padded to paddedProxiedTLength = 16226), - -- and the smpEncoded NameRecord is <= its JSON body, so capping - -- the body here guarantees the response always frames. An - -- over-cap body fails as BodyTooLarge -> ERR (NAME (RESOLVER ..)). - resolverMaxResponseBytes = boundedIniInt 16000 1024 16000 "resolver_max_response_bytes" + -- transmission (proxied: padded to paddedProxiedTLength = 16226) + -- carrying the resolver's JSON record on the wire, so capping the + -- resolver response body guarantees the RNAME response always frames. + -- An over-cap body fails as BodyTooLarge -> ERR (NAME (RESOLVER ..)). + resolverMaxResponseBytes = boundedIniInt 16000 1024 16000 "resolver_max_response_bytes", + -- cap on concurrent in-flight resolutions; RSLV beyond it is shed + -- so an unauthenticated flood cannot exhaust threads / saturate the + -- resolver with unbounded concurrent outbound HTTP. + resolverMaxConcurrent = boundedIniInt 32 1 1024 "resolver_max_concurrent" } where enabled = fromMaybe False (iniOnOff "NAMES" "enable" ini) @@ -842,147 +842,31 @@ readNamesConfig ini | otherwise -> error $ "[NAMES] " <> T.unpack key <> " must be in [" <> show floor_ <> ".." <> show ceiling_ <> "] (got " <> show n <> ")" --- | Validate the resolver_endpoint URL: --- * scheme must be http: or https: --- * authority (host) must be present and non-empty --- * port MUST be explicit (rejects http://host without :8000 to avoid --- accidentally hitting :80 when the resolver listens on :8000) --- * userinfo (user:pass@) MUST NOT be present (credentials belong in --- resolver_auth so they don't leak via Host header or logs) --- * query and fragment MUST NOT be present (a base URL with a query/fragment --- does not compose with the appended /resolve/ and /health paths) --- * a path prefix IS allowed (e.g. https://gw.example.com:443/snrc for a --- resolver behind a reverse-proxy sub-path); /resolve/ and /health --- are appended to it. Do not embed secrets in the path — it appears in --- logs; put credentials in resolver_auth. --- * on a non-loopback host, only http WITH resolver_auth is rejected (the --- Authorization header would travel in cleartext). http without auth is --- allowed (no secret to leak; resolver data is public — also lets dev --- setups reach a host resolver via host.docker.internal). https is always --- allowed, with or without auth. --- * link-local hosts (169.254.0.0/16, including the cloud metadata IP --- 169.254.169.254) are rejected unconditionally -validateUrl :: Text -> Maybe RpcAuth -> Either String Text +-- | Validate the resolver_endpoint URL: it must be an absolute http(s) URL +-- with a host. /resolve/ and /health are appended to it, so a +-- reverse-proxy sub-path prefix is fine. The endpoint is operator-supplied +-- trusted config (not attacker-controlled), so SSRF/IP-alias hardening is not +-- applied; credentials go in resolver_auth, not the URL. The one transport +-- guard kept: http + resolver_auth to a non-loopback host is rejected, since +-- the Authorization header would otherwise travel in cleartext. +validateUrl :: Text -> Maybe RpcAuth -> Either String String validateUrl url auth_ = do - uri <- maybe (Left "not an absolute URI") Right $ parseAbsoluteURI (T.unpack url) + let s = T.unpack url + uri <- maybe (Left "not an absolute URI") Right $ parseAbsoluteURI s let scheme = uriScheme uri - unless (scheme == "http:" || scheme == "https:") $ - Left ("scheme " <> show scheme <> " not supported (use http or https)") - ua <- maybe (Left "missing authority (host)") Right (uriAuthority uri) + unless (scheme == "http:" || scheme == "https:") $ Left "scheme must be http or https" + ua <- maybe (Left "missing host") Right (uriAuthority uri) let host = uriRegName ua when (null host) $ Left "empty host" - when (isBareIntegerHost host) $ - Left "bare-integer host not allowed (use a hostname or dotted-quad / bracketed IP); rejects 169.254.169.254 decimal/hex aliases" - when (isObfuscatedIpv4 host) $ - Left "non-canonical IPv4 form not allowed (use dotted-quad decimal 0-255 with no leading zeros); rejects inet_aton hex/octal/compact aliases of 169.254.169.254" - when (isLinkLocal host || isForbiddenIpv6 host) $ - Left "link-local host not allowed (rejects cloud metadata services and IPv6 aliases of 169.254.0.0/16)" - unless (null (uriUserInfo ua)) $ Left "userinfo (user:pass@) not allowed; use resolver_auth instead" - case uriPort ua of - "" -> Left "explicit port required (e.g. http://host:8000)" - ':' : portStr -> case readMaybe portStr of - Just n | (n :: Int) >= 1 && n <= 65535 -> Right () - _ -> Left $ "port " <> portStr <> " out of range (must be 1..65535)" - other -> Left $ "unexpected port syntax: " <> other - unless (null (uriQuery uri)) $ Left "query string not allowed (it does not compose with the appended /resolve/ path)" - unless (null (uriFragment uri)) $ Left "fragment not allowed (fragments are never sent to the server)" - -- A path prefix is allowed and used as the base for /resolve/ and - -- /health (resolver behind a reverse-proxy sub-path). The join in - -- HttpResolver.newResolverEnv strips a single trailing slash, so both - -- ".../snrc" and ".../snrc/" behave identically. Secrets do not belong in - -- the path (it is logged) — use resolver_auth. - -- The only transport-security risk on a non-loopback host is leaking the - -- Authorization header in cleartext, so we reject ONLY http+auth. http - -- without auth is allowed (nothing secret to leak — the resolver serves - -- public name data; this also covers reaching a host resolver via - -- host.docker.internal in dev). https is always fine, with or without auth. - -- NOTE: http without auth has no transport integrity — a network attacker - -- could forge NameRecord responses. Only point at a plaintext resolver on a - -- trusted/local network. - when (not (isLoopback host) && scheme == "http:" && isJust auth_) $ - Left "http with resolver_auth on a non-loopback host not allowed (the Authorization header would be sent in cleartext); use https, or drop resolver_auth for a no-auth resolver" - Right url + unless (null (uriUserInfo ua)) $ Left "userinfo (user:pass@) not allowed; put credentials in resolver_auth" + when (scheme == "http:" && isJust auth_ && not (isLoopback host)) $ + Left "http with resolver_auth on a non-loopback host not allowed (the Authorization header would travel in cleartext); use https, or drop resolver_auth" + -- drop trailing slash(es) so "/resolve/" never double-slashes + Right (dropWhileEnd (== '/') s) where - -- 127.0.0.0/8 and 0.0.0.0 both bind locally on Linux/BSD; treat them all - -- as loopback for the http/auth gate so a misconfigured 0.0.0.0:8545 (or - -- 127.0.0.5) doesn't get an Authorization header sent to a colocated - -- service or silently dropped onto the wire. - isLoopback = \case - "localhost" -> True - "[::1]" -> True - "0.0.0.0" -> True - h -> case parseDottedQuad h of - Just (127, _, _, _) -> True - _ -> False - parseDottedQuad s = case splitOnDot s of - [a, b, c, d] -> (,,,) <$> octet a <*> octet b <*> octet c <*> octet d - _ -> Nothing - where - octet o = case readMaybe o of - Just n | (n :: Int) >= 0 && n <= 255 -> Just n - _ -> Nothing - splitOnDot s = case break (== '.') s of - (chunk, []) -> [chunk] - (chunk, _ : rest) -> chunk : splitOnDot rest - -- IPv4 link-local 169.254.0.0/16 in dotted-quad form. IPv6 forms are - -- delegated to isForbiddenIpv6 which parses the address numerically. - isLinkLocal h = "169.254." `isPrefixOf` h - -- Reject hostnames that look like decimal or `0x`/`0X`-hex integers — - -- glibc's inet_aton accepts both as IPv4 aliases (`2852039166`, - -- `0xa9fea9fe`, `0XA9FEA9FE` all resolve to 169.254.169.254). The literal - -- prefix `0x` / `0X` with no digits after is also rejected: it isn't a - -- legitimate hostname and lets us avoid reasoning about libc's behaviour. - isBareIntegerHost h = case map toLower h of - '0' : 'x' : rest -> all isHexDigit rest - lh -> not (null lh) && all isDigit lh - -- Reject dotted hosts whose every component is numeric (decimal or `0x`-hex) - -- but which aren't strict canonical IPv4 (exactly 4 decimal octets 0..255 with - -- no leading zeros). inet_aton accepts hex octets (`0xA9.0xFE.0xA9.0xFE`), - -- octal octets (`0251.0376.0251.0376`, leading zero), mixed forms - -- (`169.0376.169.254`), and compact 2/3-segment forms (`169.16689638`, - -- `169.254.43518`) as aliases for 169.254.169.254. The literal-prefix check - -- in isLinkLocal misses all of these; this predicate closes the gap. - isObfuscatedIpv4 h - | '.' `notElem` h = False - | otherwise = allNumericParts && not strictCanonical - where - parts = splitOnDot h - allNumericParts = not (null parts) && all isNumericPart parts - isNumericPart p = case map toLower p of - '0' : 'x' : rest@(_ : _) -> all isHexDigit rest - lp@(_ : _) -> all isDigit lp - _ -> False - strictCanonical = length parts == 4 && all isStrictDecOctet parts - isStrictDecOctet "0" = True - isStrictDecOctet p@(c : _) = - c /= '0' && all isDigit p && maybe False (\n -> (n :: Int) <= 255) (readMaybe p) - isStrictDecOctet _ = False - -- Strip the [...] brackets that parseAbsoluteURI keeps on IPv6 hosts, parse - -- as numeric IPv6, and check 128-bit ranges: - -- * fe80::/10 (link-local) - -- * ::1 (loopback) - -- * IPv4-compatible (::/96), IPv4-mapped (::ffff/96), 6to4 (2002::/16), - -- NAT64 WKP (64:ff9b::/96) — when they alias an IPv4 in 169.254.0.0/16 - -- This covers every textual form of those addresses (compressed, uncompressed, - -- mixed dotted-quad embed) because Data.IP normalises before we inspect bits. - isForbiddenIpv6 h = maybe False (isForbiddenIpv6Word . IP.fromIPv6w) $ - stripBrackets h >>= readMaybe - where - stripBrackets ('[' : rest@(_ : _)) | last rest == ']' = Just (init rest) - stripBrackets _ = Nothing - -- Loopback (::1) is intentionally NOT in this list: loopback is gated - -- separately by isLoopback for the http/auth decision. - isForbiddenIpv6Word :: (Word32, Word32, Word32, Word32) -> Bool - isForbiddenIpv6Word (w1, w2, w3, w4) = - linkLocal || compatTo169 || mappedTo169 || sixToFour169 || nat64To169 - where - linkLocal = (w1 `shiftR` 22) == 0x3fa -- fe80::/10 - is169254v4 = (w4 `shiftR` 16) == 0xa9fe - high96Zero = w1 == 0 && w2 == 0 - compatTo169 = high96Zero && w3 == 0 && is169254v4 - mappedTo169 = high96Zero && w3 == 0xffff && is169254v4 - sixToFour169 = (w1 `shiftR` 16) == 0x2002 && (w1 .&. 0xffff) == 0xa9fe - nat64To169 = w1 == 0x0064ff9b && w2 == 0 && w3 == 0 && is169254v4 + -- exact loopback literals only; a "127." prefix would wrongly match hosts + -- like 127.evil.com, weakening the cleartext-auth guard above. + isLoopback h = h == "localhost" || h == "127.0.0.1" || h == "[::1]" || h == "0.0.0.0" -- | Parse an rpc_auth INI value. Scheme keyword is case-insensitive so -- "Bearer " / "BEARER " (Caddy / RFC 7235 convention) work diff --git a/src/Simplex/Messaging/Server/Main/Init.hs b/src/Simplex/Messaging/Server/Main/Init.hs index 355615d4f2..0ab6b42fb2 100644 --- a/src/Simplex/Messaging/Server/Main/Init.hs +++ b/src/Simplex/Messaging/Server/Main/Init.hs @@ -159,10 +159,6 @@ iniFileContent cfgPath logPath opts host basicAuth controlPortPwds = \# Public-namespace resolution via the snrc-resolve.py REST resolver.\n\ \# Operator runs the resolver alongside smp-server (default port 8000)\n\ \# with its own Ethereum JSON-RPC endpoint configured in resolver.toml.\n\ - \# Co-locating with the proxy role logs a startup advisory: slow RSLV calls can\n\ - \# serialise other forwarded commands on the same proxy-relay session.\n\ - \# For high-volume deployments, run [NAMES] on a separate host.\n\ - \# Restart required to change settings.\n\ \enable: off\n\ \# Same-host:\n\ \# resolver_endpoint: http://127.0.0.1:8000\n\ @@ -170,7 +166,8 @@ iniFileContent cfgPath logPath opts host basicAuth controlPortPwds = \# resolver_endpoint: https://names.simplex.chat:443\n\ \# resolver_auth: basic :\n\ \# resolver_timeout_ms: 3000\n\ - \# resolver_max_response_bytes: 65536\n\n\ + \# resolver_max_response_bytes: 16000\n\ + \# resolver_max_concurrent: 32\n\n\ \[INACTIVE_CLIENTS]\n\ \# TTL and interval to check inactive clients\n\ \disconnect = on\n" diff --git a/src/Simplex/Messaging/Server/Names.hs b/src/Simplex/Messaging/Server/Names.hs index bb55f92d75..d2452c6664 100644 --- a/src/Simplex/Messaging/Server/Names.hs +++ b/src/Simplex/Messaging/Server/Names.hs @@ -19,21 +19,21 @@ module Simplex.Messaging.Server.Names ( NamesConfig (..), RpcAuth (..), NamesEnv (..), - ResolverCall, - ResolverCallKind (..), newNamesEnv, - newNamesEnvWith, closeNamesEnv, pingEndpoint, resolveName, + resolverAtCapacity, + tryAcquireResolver, + releaseResolver, ) where +import Control.Concurrent.STM import qualified Control.Exception as E import Control.Logger.Simple (logError) -import qualified Data.Aeson as J -import qualified Data.Aeson.Types as JT -import Data.Text (Text) +import Data.Bifunctor (first) +import Data.Maybe (fromMaybe) import qualified Data.Text as T import Simplex.Messaging.Protocol (NameErrorType (..), NameRecord) import Simplex.Messaging.Server.Names.HttpResolver @@ -49,50 +49,51 @@ import Simplex.Messaging.SimplexName (SimplexNameDomain, fullDomainName) import System.Timeout (timeout) data NamesConfig = NamesConfig - { resolverEndpoint :: Text, + { resolverEndpoint :: String, resolverAuth :: Maybe RpcAuth, resolverTimeoutMs :: Int, - resolverMaxResponseBytes :: Int + resolverMaxResponseBytes :: Int, + -- | cap on concurrent in-flight resolutions; RSLV beyond it is shed (see + -- tryAcquireResolver) so unauthenticated floods cannot exhaust threads or + -- saturate the outbound resolver with unbounded concurrent HTTP calls. + resolverMaxConcurrent :: Int } deriving (Show) --- | Test seam: a function from URL path -> JSON value or error. Production --- wires this to resolveHttp / healthHttp on a real `ResolverEnv`; tests --- substitute a stub returning canned JSON or a chosen error. --- --- The first argument is the HTTP endpoint to hit: `ResolverFetch` for a --- name lookup, `ResolverHealth` for the startup probe. Tests use the tag --- to assert which kind of call the server made. -data ResolverCallKind = ResolverFetch Text | ResolverHealth - deriving (Eq, Show) - --- Re-export so test seams (which need to match on the kind) can use it --- without depending on the HttpResolver module. - -type ResolverCall = ResolverCallKind -> IO (Either ResolverError J.Value) - data NamesEnv = NamesEnv { config :: NamesConfig, - resolverCall :: ResolverCall, - resolverEnv :: Maybe ResolverEnv -- Nothing for test stubs + resolverEnv :: ResolverEnv, + inFlight :: TVar Int } newNamesEnv :: NamesConfig -> IO NamesEnv -newNamesEnv cfg = do - rEnv <- newResolverEnv (resolverEndpoint cfg) (resolverAuth cfg) (resolverTimeoutMs cfg) (resolverMaxResponseBytes cfg) - newNamesEnvWith cfg (httpResolverCall rEnv) (Just rEnv) +newNamesEnv config = do + resolverEnv <- newResolverEnv (resolverEndpoint config) (resolverAuth config) (resolverTimeoutMs config) (resolverMaxResponseBytes config) + inFlight <- newTVarIO 0 + pure NamesEnv {config, resolverEnv, inFlight} -httpResolverCall :: ResolverEnv -> ResolverCall -httpResolverCall env = \case - ResolverFetch n -> resolveHttp env n - ResolverHealth -> healthHttp env +closeNamesEnv :: NamesEnv -> IO () +closeNamesEnv NamesEnv {resolverEnv} = closeResolverEnv resolverEnv --- | Allocate resolver with an injected `resolverCall` (test seam). -newNamesEnvWith :: NamesConfig -> ResolverCall -> Maybe ResolverEnv -> IO NamesEnv -newNamesEnvWith config resolverCall resolverEnv = pure NamesEnv {config, resolverCall, resolverEnv} +-- | Non-mutating check: True when in-flight resolutions are already at the cap. +-- Used to shed an RSLV before forking; the authoritative gate is still +-- tryAcquireResolver inside the forked action, so a slot is never held across +-- the fork boundary (which is what makes the slot leak-proof on async kills). +resolverAtCapacity :: NamesEnv -> IO Bool +resolverAtCapacity NamesEnv {config, inFlight} = + (>= resolverMaxConcurrent config) <$> readTVarIO inFlight -closeNamesEnv :: NamesEnv -> IO () -closeNamesEnv NamesEnv {resolverEnv} = mapM_ closeResolverEnv resolverEnv +-- | Reserve a resolution slot if under resolverMaxConcurrent. Returns False +-- when saturated so the caller sheds load (returns a transient error) instead +-- of making another outbound resolver call. Each True must be paired with +-- exactly one releaseResolver. +tryAcquireResolver :: NamesEnv -> IO Bool +tryAcquireResolver NamesEnv {config, inFlight} = + atomically $ stateTVar inFlight $ \n -> + if n >= resolverMaxConcurrent config then (False, n) else (True, n + 1) + +releaseResolver :: NamesEnv -> IO () +releaseResolver NamesEnv {inFlight} = atomically $ modifyTVar' inFlight (subtract 1) -- | Reach the configured resolver with `GET /health` to confirm reachability -- at server startup. A non-2xx response or transport failure surfaces as @@ -100,12 +101,8 @@ closeNamesEnv NamesEnv {resolverEnv} = mapM_ closeResolverEnv resolverEnv -- `resolverTimeoutMs` so a slow-loris endpoint cannot park startup until -- http-client's default 30 s response timeout fires. pingEndpoint :: NamesEnv -> IO (Either ResolverError ()) -pingEndpoint NamesEnv {resolverCall, config} = do - r <- timeout (resolverTimeoutMs config * 1000) $ resolverCall ResolverHealth - pure $ case r of - Nothing -> Left (HttpStatusErr 0) -- transport-level timeout (0 is not a real HTTP code) - Just (Left e) -> Left e - Just (Right _) -> Right () +pingEndpoint NamesEnv {resolverEnv, config} = + fromMaybe (Left ResolverTimeout) <$> timeout (resolverTimeoutMs config * 1000) (healthHttp resolverEnv) -- | Resolve a parsed domain via the configured HTTP resolver, with an -- `resolverTimeoutMs` ceiling. Synchronous exceptions are caught and @@ -114,7 +111,7 @@ resolveName :: NamesEnv -> SimplexNameDomain -> IO (Either NameErrorType NameRec resolveName env d = do r <- E.try (timeout (resolverTimeoutMs (config env) * 1000) (fetch env d)) case r of - Right result -> pure (maybe (Left (RESOLVER "timeout")) id result) + Right result -> pure (fromMaybe (Left (RESOLVER "timeout")) result) Left e | Just (_ :: E.SomeAsyncException) <- E.fromException e -> E.throwIO e | otherwise -> do @@ -122,23 +119,20 @@ resolveName env d = do pure (Left (RESOLVER "resolver error")) fetch :: NamesEnv -> SimplexNameDomain -> IO (Either NameErrorType NameRecord) -fetch NamesEnv {resolverCall} d = - resolverCall (ResolverFetch (fullDomainName d)) >>= \case - Left e -> pure (Left (mapResolverError e)) - Right v -> case JT.parseEither J.parseJSON v of - Right nr -> pure (Right nr) - Left _ -> pure (Left (RESOLVER "invalid response")) +fetch NamesEnv {resolverEnv} d = + first mapResolverError <$> resolveHttp resolverEnv (fullDomainName d) -- | Map the HTTP-layer error space into the protocol NameErrorType. 404 / 400 --- both map to NO_NAME (name not registered, unknown TLD, or malformed name — +-- both map to NOT_FOUND (name not registered, unknown TLD, or malformed name — -- indistinguishable from the client's point of view). Everything else is a -- backend failure surfaced as RESOLVER with a SAFE server-generated diagnostic -- (kind only - the adversarial response body is never echoed). mapResolverError :: ResolverError -> NameErrorType mapResolverError = \case - HttpStatusErr 404 -> NO_NAME - HttpStatusErr 400 -> NO_NAME + HttpStatusErr 404 -> NOT_FOUND + HttpStatusErr 400 -> NOT_FOUND HttpStatusErr code -> RESOLVER ("HTTP " <> T.pack (show code)) HttpFailure _ -> RESOLVER "transport failure" BodyTooLarge -> RESOLVER "response too large" InvalidJson _ -> RESOLVER "invalid response" + ResolverTimeout -> RESOLVER "timeout" diff --git a/src/Simplex/Messaging/Server/Names/HttpResolver.hs b/src/Simplex/Messaging/Server/Names/HttpResolver.hs index ed314c6de1..118810a08d 100644 --- a/src/Simplex/Messaging/Server/Names/HttpResolver.hs +++ b/src/Simplex/Messaging/Server/Names/HttpResolver.hs @@ -28,23 +28,22 @@ module Simplex.Messaging.Server.Names.HttpResolver closeResolverEnv, resolveHttp, healthHttp, - scrubUrl, ) where import qualified Control.Exception as E import qualified Data.Aeson as J +import Data.Bifunctor (first) import qualified Data.ByteArray.Encoding as BAE import Data.ByteString.Char8 (ByteString) +import qualified Data.ByteString.Char8 as B import qualified Data.ByteString.Lazy as BL import Data.Text (Text) -import qualified Data.Text as T -import Data.Text.Encoding (decodeLatin1, encodeUtf8) +import Data.Text.Encoding (encodeUtf8) import Network.HTTP.Client ( HttpException, Manager, ManagerSettings (..), - Request, brReadSome, parseRequest, redirectCount, @@ -58,6 +57,7 @@ import qualified Network.HTTP.Client as HC import Network.HTTP.Client.TLS (tlsManagerSettings) import qualified Network.HTTP.Types as HT import Network.HTTP.Types.URI (urlEncode) +import Simplex.Messaging.Names.Record (NameRecord) data RpcAuth = AuthBearer Text | AuthBasic Text Text @@ -69,7 +69,7 @@ instance Show RpcAuth where data ResolverEnv = ResolverEnv { manager :: Manager, - baseUrl :: Text, + baseUrl :: String, authHdr :: [HT.Header], timeoutMicro :: Int, maxResponseBytes :: Int @@ -80,15 +80,16 @@ data ResolverError | HttpStatusErr Int | BodyTooLarge | InvalidJson String + | ResolverTimeout deriving (Show) -newResolverEnv :: Text -> Maybe RpcAuth -> Int -> Int -> IO ResolverEnv +newResolverEnv :: String -> Maybe RpcAuth -> Int -> Int -> IO ResolverEnv newResolverEnv baseUrl auth_ timeoutMs maxResponseBytes = do manager <- HC.newManager tlsManagerSettings {managerConnCount = 10} pure ResolverEnv { manager, - baseUrl = stripTrailingSlash baseUrl, + baseUrl, authHdr = maybe [] (pure . authHeader) auth_, timeoutMicro = timeoutMs * 1000, maxResponseBytes @@ -107,17 +108,26 @@ authHeader = \case let encoded = BAE.convertToBase BAE.Base64 (encodeUtf8 u <> ":" <> encodeUtf8 p) :: ByteString in ("Authorization", "Basic " <> encoded) --- | GET /resolve/, return the JSON body on 200. -resolveHttp :: ResolverEnv -> Text -> IO (Either ResolverError J.Value) -resolveHttp env name = doGet env ("/resolve/" <> percentEncode name) +-- | GET /resolve/, decoding the 200 body +-- directly into a NameRecord in one pass (no intermediate Aeson Value). The +-- name is percent-encoded (every non-unreserved byte per RFC 3986): the +-- resolver expects raw labels, so slashes/punctuation must not alter the path. +resolveHttp :: ResolverEnv -> Text -> IO (Either ResolverError NameRecord) +resolveHttp env name = + (>>= first InvalidJson . J.eitherDecodeStrict . BL.toStrict) + <$> httpGet env ("/resolve/" <> B.unpack (urlEncode True (encodeUtf8 name))) --- | GET /health, return the JSON body on 200. -healthHttp :: ResolverEnv -> IO (Either ResolverError J.Value) -healthHttp env = doGet env "/health" +-- | GET /health; success = reachable with status < 400. The body is +-- size-capped but NOT decoded — the probe only checks reachability. +healthHttp :: ResolverEnv -> IO (Either ResolverError ()) +healthHttp env = (() <$) <$> httpGet env "/health" -doGet :: ResolverEnv -> Text -> IO (Either ResolverError J.Value) -doGet ResolverEnv {manager, baseUrl, authHdr, timeoutMicro, maxResponseBytes} path = do - req0 <- parseRequest (T.unpack (baseUrl <> path)) +-- | GET , returning the response body bytes on status < 400 +-- within the size cap. Redirects are disabled and Authorization is attached +-- only when configured. +httpGet :: ResolverEnv -> String -> IO (Either ResolverError BL.ByteString) +httpGet ResolverEnv {manager, baseUrl, authHdr, timeoutMicro, maxResponseBytes} path = do + req0 <- parseRequest (baseUrl <> path) let req = req0 { redirectCount = 0, @@ -130,35 +140,5 @@ doGet ResolverEnv {manager, baseUrl, authHdr, timeoutMicro, maxResponseBytes} pa then pure (Left (HttpStatusErr status)) else do bs <- brReadSome (responseBody res) (maxResponseBytes + 1) - if BL.length bs > fromIntegral maxResponseBytes - then pure (Left BodyTooLarge) - else case J.eitherDecodeStrict (BL.toStrict bs) of - Left e -> pure (Left (InvalidJson e)) - Right v -> pure (Right v) + pure $ if BL.length bs > fromIntegral maxResponseBytes then Left BodyTooLarge else Right bs pure (either (Left . HttpFailure) id result) - --- | Percent-encode a name component (path-safe). Aggressive: encode every --- byte that isn't an unreserved character per RFC 3986. The resolver expects --- raw labels (e.g., `alice.simplex`); slashes and other ASCII punctuation --- would change the request path semantics if passed through verbatim. -percentEncode :: Text -> Text -percentEncode = decodeLatin1 . urlEncode True . encodeUtf8 - -stripTrailingSlash :: Text -> Text -stripTrailingSlash t = case T.unsnoc t of - Just (rest, '/') -> rest - _ -> t - --- | Strip userinfo from a URL so log lines never leak credentials. -scrubUrl :: Text -> Text -scrubUrl url = - let (scheme, rest) = T.breakOn "://" url - in if T.null rest - then url - else - let body = T.drop 3 rest - (host, query) = T.breakOn "/" body - in case T.breakOn "@" host of - (_userinfo, atRest) - | not (T.null atRest) -> scheme <> "://" <> T.drop 1 atRest <> query - _ -> url diff --git a/src/Simplex/Messaging/SimplexName.hs b/src/Simplex/Messaging/SimplexName.hs index f02ced0bdf..d582e738f8 100644 --- a/src/Simplex/Messaging/SimplexName.hs +++ b/src/Simplex/Messaging/SimplexName.hs @@ -29,6 +29,7 @@ import Data.Text (Text) import qualified Data.Text as T import Data.Text.Encoding (decodeLatin1, encodeUtf8) import Simplex.Messaging.Agent.Store.DB (ToField (..)) +import Simplex.Messaging.Encoding (Encoding (..)) import Simplex.Messaging.Encoding.String import Simplex.Messaging.Parsers (defaultJSON, dropPrefix, enumJSON) import Simplex.Messaging.Util (safeDecodeUtf8, (<$?>)) @@ -72,13 +73,17 @@ nameLabelP = T.intercalate "-" <$> AT.takeWhile1 (\c -> isNameLetter c || isDigi -- parser would otherwise `takeWhile1 (not . isSpace)` unbounded, allowing -- a crafted multi-megabyte token to be decoded and re-parsed before any -- validation. Cap at 253 bytes (DNS full-domain limit) — generous against --- any realistic SimpleX name and forces the surrounding `parseOnly` --- (which requires consuming all input) to fail on oversized inputs. +-- any realistic SimpleX name — and FAIL on a longer token rather than stop +-- at the cap, so an oversized name is rejected outright (not silently +-- truncated) on every entry point, including the RSLV wire decoder whose +-- trailing `takeByteString` would otherwise swallow and discard the overflow. boundedNonSpace :: A.Parser ByteString boundedNonSpace = do bs <- A.scan (0 :: Int) $ \i c -> - if i < 253 && not (A.isSpace c) then Just (i + 1) else Nothing - if B.null bs then fail "expected non-empty name token" else pure bs + if i <= 253 && not (A.isSpace c) then Just (i + 1) else Nothing + if B.null bs + then fail "expected non-empty name token" + else if B.length bs > 253 then fail "name token exceeds 253 bytes" else pure bs instance StrEncoding SimplexNameInfo where strEncode SimplexNameInfo {nameType, nameDomain} = @@ -100,12 +105,20 @@ instance StrEncoding SimplexNameDomain where -- `alice.simplex` resolve to different on-chain records. A mixed-case TLD -- would also fall through to TLDWeb and route through the `tldAll` -- catch-all entry instead of the TLDSimplex registry. - mkDomain labels = case reverse (map T.toLower labels) of + mkDomain labels = case reverse lowered of [] -> Left "empty name" [_] -> Left "domain requires TLD" "simplex" : name : sub -> Right (SimplexNameDomain TLDSimplex name sub) "testing" : name : sub -> Right (SimplexNameDomain TLDTesting name sub) - _ -> Right (SimplexNameDomain TLDWeb (T.intercalate "." (map T.toLower labels)) []) + _ -> Right (SimplexNameDomain TLDWeb (T.intercalate "." lowered) []) + where + lowered = map T.toLower labels + +-- Wire encoding for the RSLV command: the domain is the trailing field, so it +-- encodes as the raw StrEncoding bytes (no length prefix) and parses to end. +instance Encoding SimplexNameDomain where + smpEncode = strEncode + smpP = strP fullDomainName :: SimplexNameDomain -> Text fullDomainName SimplexNameDomain {nameTLD, domain, subDomain} = T.intercalate "." (reverse subDomain ++ [domain] ++ tld') diff --git a/src/Simplex/Messaging/Transport.hs b/src/Simplex/Messaging/Transport.hs index 2d6229621b..51a2955eb5 100644 --- a/src/Simplex/Messaging/Transport.hs +++ b/src/Simplex/Messaging/Transport.hs @@ -242,11 +242,13 @@ legacyServerSMPRelayVersion = VersionSMP 6 currentServerSMPRelayVersion :: VersionSMP currentServerSMPRelayVersion = VersionSMP 20 --- Max SMP protocol version to be used in e2e encrypted --- connection between client and server, as defined by SMP proxy. --- SMP proxy sets it to lower than its current version --- to prevent client version fingerprinting by the --- destination relays when clients upgrade at different times. +-- Max SMP protocol version to be used in e2e encrypted connection between +-- client and server, as defined by SMP proxy. Normally set below the current +-- version to prevent client version fingerprinting by the destination relays +-- when clients upgrade at different times. Pinned to the current version (20) +-- for this release because proxied name resolution is gated on namesSMPVersion +-- (20), so the one-version anti-fingerprinting buffer does not apply yet; it +-- reappears once the current version advances past 20. proxiedSMPRelayVersion :: VersionSMP proxiedSMPRelayVersion = VersionSMP 20 diff --git a/tests/AgentTests/ResolveNameTests.hs b/tests/AgentTests/ResolveNameTests.hs index 88c20696da..98acb9ee53 100644 --- a/tests/AgentTests/ResolveNameTests.hs +++ b/tests/AgentTests/ResolveNameTests.hs @@ -12,9 +12,9 @@ -- | End-to-end tests for `Simplex.Messaging.Agent.resolveSimplexName`. -- --- Exercises the agent layer (real `AgentClient`) against an SMP server with a --- stub `ResolverCall` (set via `ServerConfig.namesResolverCall_`). The agent --- owns server selection: it picks a names-capable server (ServerRoles.names) +-- Exercises the agent layer (real `AgentClient`) against an SMP server whose +-- resolver_endpoint points at a real local HTTP resolver (NamesResolverServer). +-- The agent owns server selection: it picks a names-capable server (ServerRoles.names) -- from the user's nameSrvs, so the proxy test gives ONLY the resolver server -- the names role (deterministic selection) and the proxy server the proxy role. module AgentTests.ResolveNameTests (resolveNameTests) where @@ -22,10 +22,14 @@ module AgentTests.ResolveNameTests (resolveNameTests) where import AgentTests.FunctionalAPITests (withAgent) import Control.Monad.Except (runExceptT) import qualified Data.Aeson as J +import qualified Data.ByteString.Lazy as LB import Data.List (isInfixOf) +import Network.HTTP.Types (Status, status200, status404, status502) +import NamesResolverServer (memCfg, memCfg2, memProxyCfg, withNames) +import qualified NamesResolverServer as NRS import SMPAgentClient import SMPClient -import SMPNamesTests (sampleRecord, sampleRecordJSON) +import SMPNamesTests (sampleRecord) import Simplex.Messaging.Agent (resolveSimplexName) import Simplex.Messaging.Agent.Client (AgentClient) import Simplex.Messaging.Agent.Env.SQLite (InitialAgentServers (..), ServerCfg, ServerRoles (..), presetServerCfg) @@ -33,61 +37,11 @@ import Simplex.Messaging.Agent.Protocol (AgentErrorType (..)) import Simplex.Messaging.Client (SMPProxyFallback (..), SMPProxyMode (..), pattern NRMInteractive) import Simplex.Messaging.Protocol (SMPServer) import qualified Simplex.Messaging.Protocol as SMP -import Simplex.Messaging.Server.Env.STM (AStoreType (..), ServerConfig (..), ServerStoreCfg (..), StorePaths (..)) -import Simplex.Messaging.Server.MsgStore.Types (SMSType (..), SQSType (..)) -import Simplex.Messaging.Server.Names (NamesConfig (..), ResolverCall, ResolverCallKind (..)) -import Simplex.Messaging.Server.Names.HttpResolver (ResolverError (..)) import Simplex.Messaging.SimplexName (SimplexNameDomain (..), SimplexTLD (..)) import Simplex.Messaging.Transport import Test.Hspec hiding (fit, it) import Util (it) -stubNamesConfig :: NamesConfig -stubNamesConfig = - NamesConfig - { resolverEndpoint = "http://stub", - resolverAuth = Nothing, - resolverTimeoutMs = 1000, - resolverMaxResponseBytes = 65536 - } - --- | 404 stub: resolver returns "not registered". Server -> ERR (NAME NO_NAME). -stubResolverNotFound :: ResolverCall -stubResolverNotFound = \case - ResolverFetch _ -> pure (Left (HttpStatusErr 404)) - ResolverHealth -> pure (Right (J.object [])) - --- | Success stub: returns the canned NameRecord JSON. -stubResolverSuccess :: ResolverCall -stubResolverSuccess = \case - ResolverFetch _ -> pure (Right sampleRecordJSON) - ResolverHealth -> pure (Right (J.object [])) - --- | 502 stub: backing resolver fails. Server -> ERR (NAME (RESOLVER "HTTP 502")). -stubResolverError :: ResolverCall -stubResolverError = \case - ResolverFetch _ -> pure (Left (HttpStatusErr 502)) - ResolverHealth -> pure (Right (J.object [])) - --- | Enable names on a server config with a stub resolver (no real HTTP/probe). -withNames :: ResolverCall -> AServerConfig -> AServerConfig -withNames stub c = updateCfg c $ \cfg_ -> cfg_ {namesConfig = Just stubNamesConfig, namesResolverCall_ = Just stub} - -memCfg :: AServerConfig -memCfg = cfgMS (ASType SQSMemory SMSMemory) - -memProxyCfg :: AServerConfig -memProxyCfg = proxyCfgMS (ASType SQSMemory SMSMemory) - -memCfg2 :: AServerConfig -memCfg2 = case memCfg of - ASrvCfg qt mt c -> ASrvCfg qt mt c {serverStoreCfg = newStoreCfg (serverStoreCfg c)} - where - newStoreCfg :: ServerStoreCfg s -> ServerStoreCfg s - newStoreCfg = \case - SSCMemory _ -> SSCMemory (Just StorePaths {storeLogFile = testStoreLogFile2, storeMsgsFile = Just testStoreMsgsFile2}) - other -> other - -- per-server roles: only the resolver server carries the names role nameSrvCfg :: SMPServer -> ServerCfg 'SMP.PSMP nameSrvCfg = presetServerCfg True ServerRoles {storage = True, proxy = False, names = True} (Just 1) . SMP.noAuthSrv @@ -99,16 +53,18 @@ proxySrvCfg = presetServerCfg True ServerRoles {storage = True, proxy = True, na oneSrv :: ServerCfg 'SMP.PSMP -> InitialAgentServers oneSrv cfg_ = (initAgentServersProxy_ SPMNever SPFProhibit) {smp = [(1, [cfg_])]} -withDirectResolver :: ResolverCall -> (AgentClient -> IO a) -> IO a -withDirectResolver stub k = - withSmpServerConfigOn (transport @TLS) (withNames stub memCfg) testPort $ \_ -> - withAgent 1 agentCfg (oneSrv (nameSrvCfg testSMPServer)) testDB k - -withProxyAndResolver :: ResolverCall -> (AgentClient -> IO a) -> IO a -withProxyAndResolver stub k = - withSmpServerConfigOn (transport @TLS) memProxyCfg testPort $ \_ -> - withSmpServerConfigOn (transport @TLS) (withNames stub memCfg2) testPort2 $ \_ -> - withAgent 1 agentCfg proxyServers testDB k +withDirectResolver :: (Status, LB.ByteString) -> (AgentClient -> IO a) -> IO a +withDirectResolver (st, body) k = + NRS.withResolverServer (NRS.resolveResp st body) $ \port _ -> + withSmpServerConfigOn (transport @TLS) (withNames port memCfg) testPort $ \_ -> + withAgent 1 agentCfg (oneSrv (nameSrvCfg testSMPServer)) testDB k + +withProxyAndResolver :: (Status, LB.ByteString) -> (AgentClient -> IO a) -> IO a +withProxyAndResolver (st, body) k = + NRS.withResolverServer (NRS.resolveResp st body) $ \port _ -> + withSmpServerConfigOn (transport @TLS) memProxyCfg testPort $ \_ -> + withSmpServerConfigOn (transport @TLS) (withNames port memCfg2) testPort2 $ \_ -> + withAgent 1 agentCfg proxyServers testDB k where -- only testSMPServer2 (the resolver) has the names role; testSMPServer is the proxy proxyServers = (initAgentServersProxy_ SPMAlways SPFProhibit) {smp = [(1, [proxySrvCfg testSMPServer, nameSrvCfg testSMPServer2])]} @@ -123,7 +79,7 @@ withNoResolver k = -- | An agent whose one server has the names role OFF (proxySrvCfg): nameSrvs is -- empty, but the user exists, so resolution fails agent-side in getNextNameServer --- with NO_SERVERS (not the unknown-user INTERNAL path) - no server is contacted. +-- with NO_NAME_SERVERS (not the unknown-user INTERNAL path) - no server is contacted. withNoNameServers :: (AgentClient -> IO a) -> IO a withNoNameServers k = withAgent 1 agentCfg (oneSrv (proxySrvCfg testSMPServer)) testDB k @@ -135,17 +91,17 @@ resolveNameTests :: Spec resolveNameTests = do describe "Agent resolveSimplexName" $ do describe "direct path (SPMNever)" $ - it "404 propagates as SMP host (NAME NO_NAME)" testDirectNotFound + it "404 propagates as SMP host (NAME NOT_FOUND)" testDirectNotFound describe "proxy path (SPMAlways)" $ - it "404 from resolver propagates via proxy as SMP (NAME NO_NAME)" testProxyNotFound + it "404 from resolver propagates via proxy as SMP (NAME NOT_FOUND)" testProxyNotFound describe "TLDTesting path" $ - it "NAME NO_NAME for TLDTesting too" testTestingTldNotFound + it "NAME NOT_FOUND for TLDTesting too" testTestingTldNotFound describe "TLDWeb path" $ - it "NAME NO_NAME for TLDWeb too" testWebTldNotFound + it "NAME NOT_FOUND for TLDWeb too" testWebTldNotFound describe "no resolver configured" $ it "answers NAME NO_RESOLVER" testNoResolver describe "no names servers (names role off everywhere)" $ - it "fails agent-side with NAME NO_SERVERS" testNoNameServers + it "fails agent-side with NO_NAME_SERVERS" testNoNameServers describe "backing resolver failure" $ it "surfaces as SMP host (NAME (RESOLVER ..))" testBackendError describe "success path" $ @@ -157,38 +113,38 @@ resolveNameTests = do testDirectNotFound :: HasCallStack => IO () testDirectNotFound = - withDirectResolver stubResolverNotFound $ \c -> do + withDirectResolver (status404, "{}") $ \c -> do r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDSimplex "alice" []) case r of - Left (SMP _ (SMP.NAME SMP.NO_NAME)) -> pure () - _ -> expectationFailure $ "expected Left (SMP _ (NAME NO_NAME)), got: " <> show r + Left (SMP _ (SMP.NAME SMP.NOT_FOUND)) -> pure () + _ -> expectationFailure $ "expected Left (SMP _ (NAME NOT_FOUND)), got: " <> show r testProxyNotFound :: HasCallStack => IO () testProxyNotFound = - withProxyAndResolver stubResolverNotFound $ \c -> do + withProxyAndResolver (status404, "{}") $ \c -> do r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDSimplex "alice" []) case r of - Left (SMP host (SMP.NAME SMP.NO_NAME)) | testPort `isInfixOf` host -> pure () - _ -> expectationFailure $ "expected Left (SMP testPort <> "> (NAME NO_NAME)), got: " <> show r + Left (SMP host (SMP.NAME SMP.NOT_FOUND)) | testPort `isInfixOf` host -> pure () + _ -> expectationFailure $ "expected Left (SMP testPort <> "> (NAME NOT_FOUND)), got: " <> show r testTestingTldNotFound :: HasCallStack => IO () testTestingTldNotFound = - withDirectResolver stubResolverNotFound $ \c -> do + withDirectResolver (status404, "{}") $ \c -> do r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDTesting "bob" []) case r of - Left (SMP _ (SMP.NAME SMP.NO_NAME)) -> pure () - _ -> expectationFailure $ "expected Left (SMP _ (NAME NO_NAME)), got: " <> show r + Left (SMP _ (SMP.NAME SMP.NOT_FOUND)) -> pure () + _ -> expectationFailure $ "expected Left (SMP _ (NAME NOT_FOUND)), got: " <> show r testWebTldNotFound :: HasCallStack => IO () testWebTldNotFound = - withDirectResolver stubResolverNotFound $ \c -> do + withDirectResolver (status404, "{}") $ \c -> do r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDWeb "example.com" []) case r of - Left (SMP _ (SMP.NAME SMP.NO_NAME)) -> pure () - _ -> expectationFailure $ "expected Left (SMP _ (NAME NO_NAME)), got: " <> show r + Left (SMP _ (SMP.NAME SMP.NOT_FOUND)) -> pure () + _ -> expectationFailure $ "expected Left (SMP _ (NAME NOT_FOUND)), got: " <> show r -- | A router with the names role but no resolver configured answers --- NAME NO_RESOLVER (distinct from NO_NAME / NO_SERVERS). +-- NAME NO_RESOLVER (distinct from NOT_FOUND / NO_NAME_SERVERS). testNoResolver :: HasCallStack => IO () testNoResolver = withNoResolver $ \c -> do @@ -198,20 +154,20 @@ testNoResolver = _ -> expectationFailure $ "expected Left (SMP _ (NAME NO_RESOLVER)), got: " <> show r -- | With no names-role servers, resolution fails agent-side (no server is --- contacted) with the agent-origin AgentErrorType.NAME NO_SERVERS. +-- contacted) with the agent-origin AgentErrorType.NO_NAME_SERVERS. testNoNameServers :: HasCallStack => IO () testNoNameServers = withNoNameServers $ \c -> do r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDSimplex "alice" []) case r of - Left (NAME SMP.NO_SERVERS) -> pure () - _ -> expectationFailure $ "expected Left (NAME NO_SERVERS), got: " <> show r + Left NO_NAME_SERVERS -> pure () + _ -> expectationFailure $ "expected Left NO_NAME_SERVERS, got: " <> show r -- | A backing-resolver failure (502) surfaces as SMP host (NAME (RESOLVER ..)) - --- a transient error distinct from NO_NAME ("name not registered"). +-- a transient error distinct from NOT_FOUND ("name not registered"). testBackendError :: HasCallStack => IO () testBackendError = - withDirectResolver stubResolverError $ \c -> do + withDirectResolver (status502, "{}") $ \c -> do r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDSimplex "alice" []) case r of Left (SMP _ (SMP.NAME (SMP.RESOLVER _))) -> pure () @@ -219,7 +175,7 @@ testBackendError = testDirectSuccess :: HasCallStack => IO () testDirectSuccess = - withDirectResolver stubResolverSuccess $ \c -> do + withDirectResolver (status200, J.encode sampleRecord) $ \c -> do r <- runExceptT $ resolveSimplexName c NRMInteractive 1 (SimplexNameDomain TLDSimplex "alice" []) case r of Right nr -> nr `shouldBe` sampleRecord diff --git a/tests/NamesResolverServer.hs b/tests/NamesResolverServer.hs new file mode 100644 index 0000000000..1fcb84aea7 --- /dev/null +++ b/tests/NamesResolverServer.hs @@ -0,0 +1,106 @@ +{-# LANGUAGE DuplicateRecordFields #-} +{-# LANGUAGE GADTs #-} +{-# LANGUAGE LambdaCase #-} +{-# LANGUAGE NamedFieldPuns #-} +{-# LANGUAGE OverloadedStrings #-} +{-# OPTIONS_GHC -fno-warn-ambiguous-fields #-} + +-- | A real local HTTP resolver for the names tests. Tests point +-- `resolver_endpoint` at this server (http://127.0.0.1:) so the full +-- HttpResolver path - request building, response reading, body cap, JSON +-- decoding - is exercised end to end, instead of injecting a stub below HTTP. +-- +-- It also hosts the SMP server config fixtures shared by the names tests +-- (RSLVTests and AgentTests.ResolveNameTests), so the two suites stay in sync. +module NamesResolverServer + ( withResolverServer, + withResolverServerDelayed, + resolveResp, + testNamesConfig, + memCfg, + memProxyCfg, + memCfg2, + withNames, + withNamesCap, + ) +where + +import Control.Concurrent (threadDelay) +import Control.Monad (when) +import qualified Data.ByteString.Lazy as LB +import Data.IORef (IORef, atomicModifyIORef', newIORef) +import Data.Text (Text) +import Network.HTTP.Types (Status, hContentType, notFound404, ok200) +import Network.Wai (Application, pathInfo, responseLBS) +import qualified Network.Wai.Handler.Warp as Warp +import SMPClient (AServerConfig (..), cfgMS, proxyCfgMS, testStoreLogFile2, testStoreMsgsFile2, updateCfg) +import Simplex.Messaging.Server.Env.STM (AStoreType (..), ServerConfig (..), ServerStoreCfg (..), StorePaths (..)) +import Simplex.Messaging.Server.MsgStore.Types (SMSType (..), SQSType (..)) +import Simplex.Messaging.Server.Names (NamesConfig (..)) + +-- | Run an action with a local HTTP resolver listening on a free port. The +-- handler maps the request path segments to an HTTP response; every request's +-- path segments are appended to the returned log (for "no cache" / "addressed +-- with full name" assertions). +withResolverServer :: ([Text] -> (Status, LB.ByteString)) -> (Int -> IORef [[Text]] -> IO a) -> IO a +withResolverServer = withResolverServerDelayed 0 + +-- | Like 'withResolverServer' but delays each response by delayMs (exercises +-- the resolverTimeoutMs path). +withResolverServerDelayed :: Int -> ([Text] -> (Status, LB.ByteString)) -> (Int -> IORef [[Text]] -> IO a) -> IO a +withResolverServerDelayed delayMs handler action = do + reqs <- newIORef [] + Warp.withApplication (pure (app reqs)) $ \port -> action port reqs + where + app :: IORef [[Text]] -> Application + app reqs req send = do + atomicModifyIORef' reqs $ \rs -> (rs <> [pathInfo req], ()) + when (delayMs > 0) $ threadDelay (delayMs * 1000) + let (st, body) = handler (pathInfo req) + send $ responseLBS st [(hContentType, "application/json")] body + +-- | Handler that answers /health with 200 and every /resolve/ with the +-- given status + body; anything else 404s. +resolveResp :: Status -> LB.ByteString -> [Text] -> (Status, LB.ByteString) +resolveResp st body = \case + ["health"] -> (ok200, "{}") + ("resolve" : _) -> (st, body) + _ -> (notFound404, "{}") + +-- | Names config pointing at the local test resolver on `port`. Response cap +-- defaults to 65536; override via record update for the body-cap case. +testNamesConfig :: Int -> NamesConfig +testNamesConfig port = + NamesConfig + { resolverEndpoint = "http://127.0.0.1:" <> show port, + resolverAuth = Nothing, + resolverTimeoutMs = 1000, + resolverMaxResponseBytes = 65536, + resolverMaxConcurrent = 32 + } + +memCfg :: AServerConfig +memCfg = cfgMS (ASType SQSMemory SMSMemory) + +memProxyCfg :: AServerConfig +memProxyCfg = proxyCfgMS (ASType SQSMemory SMSMemory) + +-- | 'memCfg' on the second store-log/messages files, for the second SMP server +-- (proxy + relay setups need two servers with distinct on-disk state). +memCfg2 :: AServerConfig +memCfg2 = case memCfg of + ASrvCfg qt mt c -> ASrvCfg qt mt c {serverStoreCfg = newStoreCfg (serverStoreCfg c)} + where + newStoreCfg :: ServerStoreCfg s -> ServerStoreCfg s + newStoreCfg = \case + SSCMemory _ -> SSCMemory (Just StorePaths {storeLogFile = testStoreLogFile2, storeMsgsFile = Just testStoreMsgsFile2}) + other -> other + +-- | Enable names on a config pointing at the local test resolver on `port`. +withNames :: Int -> AServerConfig -> AServerConfig +withNames port c = updateCfg c $ \cfg_ -> cfg_ {namesConfig = Just (testNamesConfig port)} + +-- | Like 'withNames' but with a custom in-flight resolver cap, for tests that +-- exercise load-shedding / slot release at a small cap. +withNamesCap :: Int -> Int -> AServerConfig -> AServerConfig +withNamesCap cap port c = updateCfg c $ \cfg_ -> cfg_ {namesConfig = Just (testNamesConfig port) {resolverMaxConcurrent = cap}} diff --git a/tests/RSLVTests.hs b/tests/RSLVTests.hs index b2776aa8c6..533a9cef1a 100644 --- a/tests/RSLVTests.hs +++ b/tests/RSLVTests.hs @@ -11,11 +11,11 @@ -- | Functional-API tests for the public-namespace resolver (RSLV). -- --- Mocks the resolver at the `resolverCall` layer: tests set a stub via --- `ServerConfig.namesResolverCall_` (no real HTTP, no startup probe). +-- Runs a real local HTTP resolver (NamesResolverServer) and points the SMP +-- server's resolver_endpoint at it, so the full HttpResolver path is exercised. -- Tests: -- * direct RSLV reaches the resolver (not `CMD PROHIBITED`) --- * `ERR (NAME NO_NAME)` for backend not-found (404 / 400) +-- * `ERR (NAME NOT_FOUND)` for backend not-found (404 / 400) -- * `ERR (NAME (RESOLVER ..))` for backend transport errors (HTTP 502) -- * `ERR (NAME NO_RESOLVER)` when the server has no `namesEnv` (names off) -- * `RNAME` returned when the resolver returns a valid JSON record @@ -25,15 +25,19 @@ module RSLVTests (rslvTests) where import Control.Monad.Trans.Except (ExceptT, runExceptT) import qualified Data.Aeson as J import qualified Data.ByteString.Char8 as B +import qualified Data.ByteString.Lazy as LB import Data.List.NonEmpty (NonEmpty (..)) import Data.Text (Text) import Data.Text.Encoding (encodeUtf8) import Data.Time.Clock (getCurrentTime) +import Network.HTTP.Types (Status, status200, status404, status502) +import NamesResolverServer (memCfg, memCfg2, memProxyCfg, withNames) +import qualified NamesResolverServer as NRS import SMPClient import Simplex.Messaging.Client import qualified Simplex.Messaging.Crypto as C import Simplex.Messaging.Encoding.String (strDecode) -import SMPNamesTests (sampleRecord, sampleRecordJSON) +import SMPNamesTests (sampleRecord) import Simplex.Messaging.Protocol ( BrokerMsg (..), Cmd (..), @@ -50,14 +54,6 @@ import Simplex.Messaging.Protocol tPut, ) import qualified Simplex.Messaging.Protocol as SMP -import Simplex.Messaging.Server.Env.STM (AStoreType (..), ServerConfig (..), ServerStoreCfg (..), StorePaths (..)) -import Simplex.Messaging.Server.MsgStore.Types (SMSType (..), SQSType (..)) -import Simplex.Messaging.Server.Names - ( NamesConfig (..), - ResolverCall, - ResolverCallKind (..), - ) -import Simplex.Messaging.Server.Names.HttpResolver (ResolverError (..)) import Simplex.Messaging.SimplexName (SimplexNameDomain) import Simplex.Messaging.Transport import Simplex.Messaging.Version (mkVersionRange) @@ -74,60 +70,18 @@ import Util (it) domain :: Text -> SimplexNameDomain domain = either error id . strDecode . encodeUtf8 -stubNamesConfig :: NamesConfig -stubNamesConfig = - NamesConfig - { resolverEndpoint = "http://stub", - resolverAuth = Nothing, - resolverTimeoutMs = 1000, - resolverMaxResponseBytes = 65536 - } - --- | Default stub: the resolver replies 404. Server maps to NAME NO_NAME. -stubResolverNotFound :: ResolverCall -stubResolverNotFound = \case - ResolverFetch _ -> pure (Left (HttpStatusErr 404)) - ResolverHealth -> pure (Right (J.object [])) - --- | Stub that returns a 502 upstream failure on resolve. Server maps to --- NAME (RESOLVER "HTTP 502"). -stubResolverHttpErr :: ResolverCall -stubResolverHttpErr = \case - ResolverFetch _ -> pure (Left (HttpStatusErr 502)) - ResolverHealth -> pure (Right (J.object [])) - --- | Stub returning a real NameRecord JSON value (success path). -stubResolverSuccess :: ResolverCall -stubResolverSuccess = \case - ResolverFetch _ -> pure (Right sampleRecordJSON) - ResolverHealth -> pure (Right (J.object [])) - -memCfg :: AServerConfig -memCfg = cfgMS (ASType SQSMemory SMSMemory) - -memProxyCfg :: AServerConfig -memProxyCfg = proxyCfgMS (ASType SQSMemory SMSMemory) - -memCfg2 :: AServerConfig -memCfg2 = case memCfg of - ASrvCfg qt mt c -> ASrvCfg qt mt c {serverStoreCfg = newStoreCfg (serverStoreCfg c)} - where - newStoreCfg :: ServerStoreCfg s -> ServerStoreCfg s - newStoreCfg = \case - SSCMemory _ -> SSCMemory (Just StorePaths {storeLogFile = testStoreLogFile2, storeMsgsFile = Just testStoreMsgsFile2}) - other -> other - --- | Enable names on a config with a stub resolver (no real HTTP, no probe). -withNames :: ResolverCall -> AServerConfig -> AServerConfig -withNames stub c = updateCfg c $ \cfg_ -> cfg_ {namesConfig = Just stubNamesConfig, namesResolverCall_ = Just stub} - -withResolverServer :: ResolverCall -> IO a -> IO a -withResolverServer stub = withSmpServerConfigOn (transport @TLS) (withNames stub memCfg) testPort . const - -withProxyAndResolver :: ResolverCall -> IO a -> IO a -withProxyAndResolver stub runTest = - withSmpServerConfigOn (transport @TLS) memProxyCfg testPort $ \_ -> - withSmpServerConfigOn (transport @TLS) (withNames stub memCfg2) testPort2 (const runTest) +-- | Run a local HTTP resolver (replying with the given status + body to every +-- /resolve) and an SMP server with names enabled pointing at it. +withResolverServer :: (Status, LB.ByteString) -> IO a -> IO a +withResolverServer (st, body) runTest = + NRS.withResolverServer (NRS.resolveResp st body) $ \port _ -> + withSmpServerConfigOn (transport @TLS) (withNames port memCfg) testPort (const runTest) + +withProxyAndResolver :: (Status, LB.ByteString) -> IO a -> IO a +withProxyAndResolver (st, body) runTest = + NRS.withResolverServer (NRS.resolveResp st body) $ \port _ -> + withSmpServerConfigOn (transport @TLS) memProxyCfg testPort $ \_ -> + withSmpServerConfigOn (transport @TLS) (withNames port memCfg2) testPort2 (const runTest) sendRslv :: Transport c => THandleSMP c 'TClient -> B.ByteString -> SimplexNameDomain -> IO (Transmission (Either ErrorType BrokerMsg)) sendRslv h@THandle {params} corrId d = do @@ -143,25 +97,28 @@ sendRslv h@THandle {params} corrId d = do rslvTests :: Spec rslvTests = do describe "RSLV direct (non-forwarded)" $ do - it "resolver replies 404 -> NAME NO_NAME (reached, not CMD PROHIBITED)" testRslvBackendNotFound + it "resolver replies 404 -> NAME NOT_FOUND (reached, not CMD PROHIBITED)" testRslvBackendNotFound it "resolver replies 502 -> NAME (RESOLVER ..)" testRslvBackendHttpErr it "no names config -> NAME NO_RESOLVER" testRslvDisabled + it "refuses to send RSLV on a session below namesSMPVersion" testRslvVersionGate describe "RSLV forwarded (PFWD)" $ do - it "PFWD-wrapped RSLV reaches resolver via proxy (PCEProtocolError (NAME NO_NAME))" testRslvForwarded + it "PFWD-wrapped RSLV reaches resolver via proxy (PCEProtocolError (NAME NOT_FOUND))" testRslvForwarded + it "PFWD-wrapped RSLV success returns RNAME (record JSON frames over the proxy)" testRslvForwardedSuccess describe "RSLV success path (RNAME response)" $ do it "returns RNAME with NameRecord" testRslvSuccess + it "releases the in-flight slot so sequential RSLVs are not shed (cap=1)" testRslvSlotReleased testRslvBackendNotFound :: IO () testRslvBackendNotFound = - withResolverServer stubResolverNotFound $ + withResolverServer (status404, "{}") $ testSMPClient @TLS $ \h -> do (corrId, _entId, resp) <- sendRslv h "rs01" (domain "ghost.simplex") corrId `shouldBe` CorrId "rs01" - resp `shouldBe` Right (ERR (NAME NO_NAME)) + resp `shouldBe` Right (ERR (NAME NOT_FOUND)) testRslvBackendHttpErr :: IO () testRslvBackendHttpErr = - withResolverServer stubResolverHttpErr $ + withResolverServer (status502, "{}") $ testSMPClient @TLS $ \h -> do (_, _, resp) <- sendRslv h "rs05" (domain "alice.simplex") resp `shouldBe` Right (ERR (NAME (RESOLVER "HTTP 502"))) @@ -173,25 +130,56 @@ testRslvDisabled = (_, _, resp) <- sendRslv h "rs06" (domain "alice.simplex") resp `shouldBe` Right (ERR (NAME NO_RESOLVER)) -testRslvForwarded :: IO () -testRslvForwarded = - withProxyAndResolver stubResolverNotFound $ do +-- The client must refuse to send RSLV on a session negotiated below +-- namesSMPVersion, surfacing TEVersion without contacting the resolver. +-- rcvServiceSMPVersion is the last version before names support. +testRslvVersionGate :: IO () +testRslvVersionGate = + withResolverServer (status200, J.encode sampleRecord) $ do g <- C.newRandom ts <- getCurrentTime - let proxyServ = SMPServer testHost testPort testKeyHash - relayServ = SMPServer testHost2 testPort2 testKeyHash - cfg' = defaultSMPClientConfig {serverVRange = mkVersionRange minServerSMPRelayVersion currentClientSMPRelayVersion} - pcE <- getProtocolClient g NRMInteractive (1, proxyServ, Nothing) cfg' [] Nothing ts (\_ -> pure ()) + let srv = SMPServer testHost testPort testKeyHash + oldCfg = defaultSMPClientConfig {serverVRange = mkVersionRange minServerSMPRelayVersion rcvServiceSMPVersion} + pcE <- getProtocolClient g NRMInteractive (1, srv, Nothing) oldCfg [] Nothing ts (\_ -> pure ()) pc <- either (fail . show) pure pcE - sess <- runExceptT' (connectSMPProxiedRelay pc NRMInteractive relayServ Nothing) - r <- runExceptT (proxyResolveName pc NRMInteractive sess (domain "alice.simplex")) + r <- runExceptT (directResolveName pc NRMInteractive (domain "alice.simplex")) case r of - Left (PCEProtocolError (SMP.NAME SMP.NO_NAME)) -> pure () - _ -> expectationFailure $ "expected Left (PCEProtocolError (NAME NO_NAME)), got: " <> show r + Left (PCETransportError TEVersion) -> pure () + _ -> expectationFailure $ "expected Left (PCETransportError TEVersion), got: " <> show r + +-- Resolve "alice.simplex" through a proxy client + relay session against the +-- running proxy/relay servers, returning the raw proxied result. +forwardedResolveAlice :: IO (Either SMPClientError (Either ProxyClientError SMP.NameRecord)) +forwardedResolveAlice = do + g <- C.newRandom + ts <- getCurrentTime + let proxyServ = SMPServer testHost testPort testKeyHash + relayServ = SMPServer testHost2 testPort2 testKeyHash + cfg' = defaultSMPClientConfig {serverVRange = mkVersionRange minServerSMPRelayVersion currentClientSMPRelayVersion} + pcE <- getProtocolClient g NRMInteractive (1, proxyServ, Nothing) cfg' [] Nothing ts (\_ -> pure ()) + pc <- either (fail . show) pure pcE + sess <- runExceptT' (connectSMPProxiedRelay pc NRMInteractive relayServ Nothing) + runExceptT (proxyResolveName pc NRMInteractive sess (domain "alice.simplex")) + +testRslvForwarded :: IO () +testRslvForwarded = + withProxyAndResolver (status404, "{}") $ + forwardedResolveAlice >>= \r -> case r of + Left (PCEProtocolError (SMP.NAME SMP.NOT_FOUND)) -> pure () + _ -> expectationFailure $ "expected Left (PCEProtocolError (NAME NOT_FOUND)), got: " <> show r + +-- A successful RNAME over the proxy: exercises the resolver-record JSON framing +-- on the proxied (RRES, paddedProxiedTLength) response path, async on the relay. +testRslvForwardedSuccess :: IO () +testRslvForwardedSuccess = + withProxyAndResolver (status200, J.encode sampleRecord) $ + forwardedResolveAlice >>= \r -> case r of + Right (Right nr) -> nr `shouldBe` sampleRecord + _ -> expectationFailure $ "expected Right (Right NameRecord), got: " <> show r testRslvSuccess :: IO () testRslvSuccess = - withResolverServer stubResolverSuccess $ + withResolverServer (status200, J.encode sampleRecord) $ testSMPClient @TLS $ \h -> do (corrId, _entId, resp) <- sendRslv h "rs07" (domain "alice.simplex") corrId `shouldBe` CorrId "rs07" @@ -199,5 +187,22 @@ testRslvSuccess = Right (RNAME nr) -> nr `shouldBe` sampleRecord _ -> expectationFailure $ "expected Right (RNAME ..), got: " <> show resp +-- On a names server capped at one concurrent resolution, three sequential RSLVs +-- must all return RNAME: each resolution has to release its slot, or the 2nd and +-- 3rd would be shed with ERR (NAME (RESOLVER "resolver overloaded")). Guards that +-- the in-flight slot release covers the whole forked resolve action. +testRslvSlotReleased :: IO () +testRslvSlotReleased = + NRS.withResolverServer (NRS.resolveResp status200 (J.encode sampleRecord)) $ \port _ -> + withSmpServerConfigOn (transport @TLS) (NRS.withNamesCap 1 port memCfg) testPort $ + const $ + testSMPClient @TLS $ \h -> + mapM_ + ( \cid -> do + (_, _, resp) <- sendRslv h cid (domain "alice.simplex") + resp `shouldBe` Right (RNAME sampleRecord) + ) + ["sr1", "sr2", "sr3"] + runExceptT' :: Show e => ExceptT e IO a -> IO a runExceptT' a = runExceptT a >>= either (fail . show) pure diff --git a/tests/SMPClient.hs b/tests/SMPClient.hs index bf4dcd45b1..2ee9b509f0 100644 --- a/tests/SMPClient.hs +++ b/tests/SMPClient.hs @@ -279,7 +279,6 @@ cfgMS msType = withStoreCfg (testServerStoreConfig msType) $ \serverStoreCfg -> allowSMPProxy = False, serverClientConcurrency = 2, namesConfig = Nothing, - namesResolverCall_ = Nothing, information = Nothing, startOptions = defaultStartOptions } diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index 0b3cfac5e8..4410bbf736 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -3,16 +3,18 @@ {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE ScopedTypeVariables #-} -module SMPNamesTests (smpNamesTests, sampleRecord, sampleRecordJSON) where +module SMPNamesTests (smpNamesTests, sampleRecord) where import qualified Data.Aeson as J import qualified Data.ByteString.Char8 as B import qualified Data.ByteString.Lazy as LB import Data.Either (isLeft, isRight) -import Data.IORef (atomicModifyIORef', newIORef, readIORef) +import Data.IORef (readIORef) import Data.List (sort) import qualified Data.Text as T import Data.Text.Encoding (encodeUtf8) +import Network.HTTP.Types (status200, status400, status404, status500, status502) +import NamesResolverServer (resolveResp, testNamesConfig, withResolverServer, withResolverServerDelayed) import Simplex.Messaging.Encoding (smpDecode, smpEncode) import Simplex.Messaging.Encoding.String (strDecode) import Simplex.Messaging.Names.EthAddress (EthAddress, mkEthAddress, unEthAddress) @@ -20,11 +22,12 @@ import Simplex.Messaging.Protocol (ErrorType (..), NameErrorType (..), NameRecor import Simplex.Messaging.Server.Main (validateUrl) import Simplex.Messaging.Server.Names ( NamesConfig (..), - ResolverCallKind (..), RpcAuth (..), - newNamesEnvWith, + newNamesEnv, pingEndpoint, + releaseResolver, resolveName, + tryAcquireResolver, ) import Simplex.Messaging.Server.Names.HttpResolver (ResolverError (..)) import Simplex.Messaging.SimplexName (SimplexNameDomain (..), SimplexTLD (..)) @@ -55,23 +58,10 @@ sampleRecord = nrResolver = unsafeAddr (B.replicate 20 '\x02') } --- | JSON value canned by the resolver-stub for the "success" tests. -sampleRecordJSON :: J.Value -sampleRecordJSON = J.toJSON sampleRecord - -testNamesConfig :: NamesConfig -testNamesConfig = - NamesConfig - { resolverEndpoint = "http://stub", - resolverAuth = Nothing, - resolverTimeoutMs = 1000, - resolverMaxResponseBytes = 65536 - } - smpNamesTests :: Spec smpNamesTests = do describe "NameRecord JSON (Protocol)" nameRecordEncodingSpec - describe "Wire encoding (smpEncode)" wireEncodingSpec + describe "ErrorType NAME wire encoding" errorWireSpec describe "Smart constructors (EthAddress)" smartCtorsSpec describe "Name parsing (SimplexNameDomain)" parseNameSpec describe "HTTP resolver" resolverSpec @@ -127,26 +117,13 @@ nameRecordEncodingSpec = do B.isInfixOf "0xdeadbeef" bytes `shouldBe` True B.isInfixOf "0xDEADBEEF" bytes `shouldBe` False --- The RNAME response and ERR (NAME ...) travel as field-ordered smpEncode on --- the wire (no JSON), so round-trip the new Encoding instances directly. -wireEncodingSpec :: Spec -wireEncodingSpec = do - it "NameRecord round-trips smpEncode / smpDecode" $ - smpDecode (smpEncode sampleRecord) `shouldBe` Right sampleRecord - - it "NameRecord round-trips with multiple links and unset coins" $ do - let r = - sampleRecord - { nrSimplexContact = ["simplex:/contact/a#1", "simplex:/contact/b#2"], - nrSimplexChannel = [], - nrEth = Nothing, - nrBtc = Nothing - } - smpDecode (smpEncode r) `shouldBe` Right r - +-- ERR (NAME ...) travels as field-ordered smpEncode on the wire; the RNAME +-- success response carries the NameRecord as JSON (covered by the JSON spec). +errorWireSpec :: Spec +errorWireSpec = it "ErrorType NAME family round-trips smpEncode / smpDecode" $ do smpDecode (smpEncode (NAME NO_RESOLVER)) `shouldBe` Right (NAME NO_RESOLVER) - smpDecode (smpEncode (NAME NO_NAME)) `shouldBe` Right (NAME NO_NAME) + smpDecode (smpEncode (NAME NOT_FOUND)) `shouldBe` Right (NAME NOT_FOUND) -- RESOLVER detail may contain spaces - must survive the round-trip smpDecode (smpEncode (NAME (RESOLVER "HTTP 502"))) `shouldBe` Right (NAME (RESOLVER "HTTP 502")) @@ -198,106 +175,122 @@ parseNameSpec = do resolverSpec :: Spec resolverSpec = do - let mkEnv stub = newNamesEnvWith testNamesConfig stub Nothing - aliceDomain = SimplexNameDomain {nameTLD = TLDSimplex, domain = "alice", subDomain = []} - - it "returns NameRecord on 200 OK" $ do - env <- mkEnv (\_ -> pure (Right sampleRecordJSON)) - r <- resolveName env aliceDomain - r `shouldBe` Right sampleRecord - - it "returns NO_NAME on 404" $ do - env <- mkEnv (\_ -> pure (Left (HttpStatusErr 404))) - resolveName env aliceDomain `shouldReturn` Left NO_NAME - - it "returns NO_NAME on 400 (unknown TLD)" $ do - env <- mkEnv (\_ -> pure (Left (HttpStatusErr 400))) - resolveName env aliceDomain `shouldReturn` Left NO_NAME - - it "returns RESOLVER on 502 (upstream failure)" $ do - env <- mkEnv (\_ -> pure (Left (HttpStatusErr 502))) - resolveName env aliceDomain `shouldReturn` Left (RESOLVER "HTTP 502") - - it "returns RESOLVER on transport-layer body-too-large" $ do - env <- mkEnv (\_ -> pure (Left BodyTooLarge)) - resolveName env aliceDomain `shouldReturn` Left (RESOLVER "response too large") - - it "returns RESOLVER on malformed JSON from the resolver" $ do - env <- mkEnv (\_ -> pure (Left (InvalidJson "expected object"))) - resolveName env aliceDomain `shouldReturn` Left (RESOLVER "invalid response") - - it "returns RESOLVER when JSON parses but isn't a NameRecord shape" $ do - env <- mkEnv (\_ -> pure (Right (J.object []))) - resolveName env aliceDomain `shouldReturn` Left (RESOLVER "invalid response") - - it "sends one HTTP request per lookup (no cache)" $ do - callCount <- newIORef (0 :: Int) - env <- mkEnv $ \_ -> do - atomicModifyIORef' callCount (\v -> (v + 1, ())) - pure (Right sampleRecordJSON) - _ <- resolveName env aliceDomain - _ <- resolveName env aliceDomain - readIORef callCount `shouldReturn` 2 - - it "addresses the resolver with the full canonical domain name" $ do - seenName <- newIORef ("" :: T.Text) - env <- - mkEnv $ \case - ResolverFetch n -> do - atomicModifyIORef' seenName (\_ -> (n, ())) - pure (Right sampleRecordJSON) - ResolverHealth -> pure (Right (J.object [])) - _ <- resolveName env aliceDomain - readIORef seenName `shouldReturn` "alice.simplex" + it "returns NameRecord on 200 OK" $ + withResolverServer (resolveResp status200 (J.encode sampleRecord)) $ \port _ -> do + env <- newNamesEnv (testNamesConfig port) + resolveName env aliceDomain `shouldReturn` Right sampleRecord + + it "returns NOT_FOUND on 404" $ + withResolverServer (resolveResp status404 "{}") $ \port _ -> do + env <- newNamesEnv (testNamesConfig port) + resolveName env aliceDomain `shouldReturn` Left NOT_FOUND + + it "returns NOT_FOUND on 400 (unknown TLD)" $ + withResolverServer (resolveResp status400 "{}") $ \port _ -> do + env <- newNamesEnv (testNamesConfig port) + resolveName env aliceDomain `shouldReturn` Left NOT_FOUND + + it "returns RESOLVER on 502 (upstream failure)" $ + withResolverServer (resolveResp status502 "{}") $ \port _ -> do + env <- newNamesEnv (testNamesConfig port) + resolveName env aliceDomain `shouldReturn` Left (RESOLVER "HTTP 502") + + it "returns RESOLVER when the body exceeds the response cap" $ + withResolverServer (resolveResp status200 (LB.fromStrict (B.replicate 500 'x'))) $ \port _ -> do + env <- newNamesEnv (testNamesConfig port) {resolverMaxResponseBytes = 100} + resolveName env aliceDomain `shouldReturn` Left (RESOLVER "response too large") + + it "returns RESOLVER on malformed JSON from the resolver" $ + withResolverServer (resolveResp status200 "this is not json") $ \port _ -> do + env <- newNamesEnv (testNamesConfig port) + resolveName env aliceDomain `shouldReturn` Left (RESOLVER "invalid response") + + it "returns RESOLVER when JSON parses but isn't a NameRecord shape" $ + withResolverServer (resolveResp status200 "{}") $ \port _ -> do + env <- newNamesEnv (testNamesConfig port) + resolveName env aliceDomain `shouldReturn` Left (RESOLVER "invalid response") + + it "returns RESOLVER (timeout) when the resolver is slower than resolverTimeoutMs" $ + withResolverServerDelayed 1500 (resolveResp status200 (J.encode sampleRecord)) $ \port _ -> do + env <- newNamesEnv (testNamesConfig port) {resolverTimeoutMs = 300} + resolveName env aliceDomain `shouldReturn` Left (RESOLVER "timeout") + + it "sends one HTTP request per lookup (no cache)" $ + withResolverServer (resolveResp status200 (J.encode sampleRecord)) $ \port reqs -> do + env <- newNamesEnv (testNamesConfig port) + _ <- resolveName env aliceDomain + _ <- resolveName env aliceDomain + readIORef reqs >>= \rs -> length rs `shouldBe` 2 + + it "addresses the resolver with the full canonical domain name" $ + withResolverServer (resolveResp status200 (J.encode sampleRecord)) $ \port reqs -> do + env <- newNamesEnv (testNamesConfig port) + _ <- resolveName env aliceDomain + readIORef reqs `shouldReturn` [["resolve", "alice.simplex"]] + + it "bounds concurrent resolutions at resolverMaxConcurrent; releaseResolver frees a slot" $ do + -- no HTTP is made; this exercises the admission counter the RSLV handler uses to shed load + env <- newNamesEnv (testNamesConfig 1) {resolverMaxConcurrent = 2} + a <- tryAcquireResolver env + b <- tryAcquireResolver env + c <- tryAcquireResolver env + releaseResolver env + d <- tryAcquireResolver env + [a, b, c, d] `shouldBe` [True, True, False, True] + where + aliceDomain = SimplexNameDomain {nameTLD = TLDSimplex, domain = "alice", subDomain = []} healthSpec :: Spec healthSpec = do - let mkEnv stub = newNamesEnvWith testNamesConfig stub Nothing - - it "pingEndpoint succeeds on a 200 OK /health response" $ do - env <- mkEnv (\_ -> pure (Right (J.object []))) - r <- pingEndpoint env - case r of - Right () -> pure () - Left e -> expectationFailure $ "expected Right (), got Left " <> show e - - it "pingEndpoint fails on a 500 /health response" $ do - env <- mkEnv (\_ -> pure (Left (HttpStatusErr 500))) - r <- pingEndpoint env - case r of - Left (HttpStatusErr 500) -> pure () - _ -> expectationFailure $ "expected Left (HttpStatusErr 500), got " <> show r - - it "pingEndpoint routes to ResolverHealth (not ResolverFetch)" $ do - seenKind <- newIORef Nothing - env <- mkEnv $ \k -> do - atomicModifyIORef' seenKind (\_ -> (Just k, ())) - pure (Right (J.object [])) - _ <- pingEndpoint env - readIORef seenKind `shouldReturn` Just ResolverHealth + it "pingEndpoint succeeds on a 200 OK /health response" $ + withResolverServer (resolveResp status200 "{}") $ \port _ -> do + env <- newNamesEnv (testNamesConfig port) + pingEndpoint env >>= \case + Right () -> pure () + Left e -> expectationFailure $ "expected Right (), got Left " <> show e + + it "pingEndpoint fails on a 500 /health response" $ + withResolverServer healthFails $ \port _ -> do + env <- newNamesEnv (testNamesConfig port) + pingEndpoint env >>= \case + Left (HttpStatusErr 500) -> pure () + r -> expectationFailure $ "expected Left (HttpStatusErr 500), got " <> show r + + it "pingEndpoint queries /health" $ + withResolverServer (resolveResp status200 "{}") $ \port reqs -> do + env <- newNamesEnv (testNamesConfig port) + _ <- pingEndpoint env + readIORef reqs `shouldReturn` [["health"]] + where + healthFails = \case + ["health"] -> (status500, "{}") + _ -> (status404, "{}") +-- The endpoint is operator-supplied trusted config, so validation is just +-- basic well-formedness: an absolute http(s) URL with a host. validateUrlSpec :: Spec validateUrlSpec = do - let auth = Just (AuthBasic "user" "pass") - it "accepts https with explicit port and auth (root path)" $ - validateUrl "https://gw.example.com:443" auth `shouldSatisfy` isRight - it "accepts a path prefix (reverse-proxy sub-path)" $ - validateUrl "https://gw.example.com:443/snrc" auth `shouldSatisfy` isRight - it "accepts a path prefix with trailing slash" $ - validateUrl "https://gw.example.com:443/snrc/" auth `shouldSatisfy` isRight - it "rejects a query string" $ - validateUrl "https://gw.example.com:443/snrc?x=1" auth `shouldSatisfy` isLeft - it "rejects a fragment" $ - validateUrl "https://gw.example.com:443/snrc#f" auth `shouldSatisfy` isLeft - it "rejects userinfo (credentials belong in resolver_auth)" $ - validateUrl "https://user:pass@gw.example.com:443" auth `shouldSatisfy` isLeft - it "rejects a missing port" $ - validateUrl "https://gw.example.com/snrc" auth `shouldSatisfy` isLeft - it "accepts https on a non-loopback host without auth (public resolver)" $ + it "accepts an https URL with a path prefix" $ validateUrl "https://gw.example.com:443/snrc" Nothing `shouldSatisfy` isRight - it "accepts http without auth on a non-loopback host (e.g. host.docker.internal)" $ - validateUrl "http://host.docker.internal:9999" Nothing `shouldSatisfy` isRight - it "rejects http WITH auth on a non-loopback host (cleartext credential leak)" $ - validateUrl "http://gw.example.com:9999" auth `shouldSatisfy` isLeft - it "allows loopback http without auth (with a path prefix)" $ - validateUrl "http://localhost:8000/snrc" Nothing `shouldSatisfy` isRight + it "accepts an http URL" $ + validateUrl "http://127.0.0.1:8000" Nothing `shouldSatisfy` isRight + it "accepts a URL without an explicit port" $ + validateUrl "https://gw.example.com/snrc" Nothing `shouldSatisfy` isRight + it "rejects a relative / non-absolute URI" $ + validateUrl "gw.example.com/snrc" Nothing `shouldSatisfy` isLeft + it "rejects a non-http(s) scheme" $ + validateUrl "ftp://gw.example.com:21" Nothing `shouldSatisfy` isLeft + it "rejects an empty host" $ + validateUrl "http://" Nothing `shouldSatisfy` isLeft + it "accepts https with auth (Authorization is TLS-protected)" $ + validateUrl "https://gw.example.com" (Just auth) `shouldSatisfy` isRight + it "accepts loopback http with auth (no cleartext exposure)" $ + validateUrl "http://localhost:8000" (Just auth) `shouldSatisfy` isRight + it "rejects non-loopback http with auth (cleartext credential leak)" $ + validateUrl "http://gw.example.com:8000" (Just auth) `shouldSatisfy` isLeft + it "rejects URL-embedded userinfo (credentials belong in resolver_auth)" $ + validateUrl "https://user:pass@gw.example.com" Nothing `shouldSatisfy` isLeft + it "rejects http+auth to a 127.-prefixed non-loopback host (not real loopback)" $ + validateUrl "http://127.evil.com:8000" (Just auth) `shouldSatisfy` isLeft + where + auth = AuthBasic "user" "pass" From 2e2bc8675d8416f31a97da425adfa2ccae676396 Mon Sep 17 00:00:00 2001 From: Evgeny Date: Mon, 22 Jun 2026 22:49:01 +0100 Subject: [PATCH 24/33] remove comments Co-authored-by: Evgeny --- src/Simplex/Messaging/Server.hs | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index 8017e8207f..4ca173da2a 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -1270,8 +1270,6 @@ verifyQueueTransmission service thAuth (tAuth, authorized, (corrId, entId, comma vc SNotifierService NSUBS {} = verifyServiceCmd vc SProxiedClient _ = VRVerified Nothing vc SProxyService (RFWD _) = VRVerified Nothing - -- RSLV is accepted both forwarded (via PFWD, preferred - hides client IP from resolver) - -- and direct (client->resolver, faster, exposes client IP). Mode is chosen by the client. vc SResolver (RSLV _) = VRVerified Nothing checkRole = case (service, partyClientRole p) of (Just THClientService {serviceRole}, Just role) -> serviceRole == role @@ -2141,9 +2139,6 @@ client encNMsgMeta = C.cbEncrypt rcvNtfDhSecret ntfNonce (smpEncode msgMeta) 128 pure $ MsgNtf {ntfMsgId = msgId, ntfTs = msgTs, ntfNonce, ntfEncMeta = fromRight "" encNMsgMeta} - -- Returns Nothing for a forwarded RSLV: like proxying, it resolves and - -- replies from a forked thread (forkCmd writes the RRES to sndQ), so a - -- slow RSLV does not serialise other forwarded commands on this session. processForwardedCommand :: EncFwdTransmission -> M s (Maybe BrokerMsg) processForwardedCommand (EncFwdTransmission s) = do prepared <- runExceptT $ do From c57cdcedb880ef8df33dc2fdc0d88c9fee9595bd Mon Sep 17 00:00:00 2001 From: "Evgeny @ SimpleX Chat" <259188159+evgeny-simplex@users.noreply.github.com> Date: Mon, 22 Jun 2026 23:05:03 +0000 Subject: [PATCH 25/33] simplify --- protocol/simplex-messaging.md | 2 +- src/Simplex/Messaging/Names/EthAddress.hs | 1 - src/Simplex/Messaging/Protocol.hs | 6 +-- src/Simplex/Messaging/Server.hs | 56 ++++++++--------------- src/Simplex/Messaging/Server/Main.hs | 6 +-- src/Simplex/Messaging/Server/Main/Init.hs | 3 +- src/Simplex/Messaging/Server/Names.hs | 36 ++------------- tests/NamesResolverServer.hs | 9 +--- tests/RSLVTests.hs | 18 -------- tests/SMPNamesTests.hs | 11 ----- 10 files changed, 29 insertions(+), 119 deletions(-) diff --git a/protocol/simplex-messaging.md b/protocol/simplex-messaging.md index 67c54e112d..52a470987a 100644 --- a/protocol/simplex-messaging.md +++ b/protocol/simplex-messaging.md @@ -1481,7 +1481,7 @@ configured servers can act on distinctly: | `RNAME` | record resolved | use it | | `ERR NAME NOT_FOUND` | name not registered, unknown TLD, or malformed name | authoritative "no such name" — stop | | `ERR NAME NO_RESOLVER` | this router has no resolver (names role not enabled) | skip this server, try the next | -| `ERR NAME RESOLVER ` | transient failure: backing resolver error (upstream 5xx, transport, timeout, decode) or local overload (`"resolver overloaded"` when the router's concurrent-resolution cap is reached) | transient — retry or surface, do not treat as "not found" | +| `ERR NAME RESOLVER ` | transient failure: backing resolver error (upstream 5xx, transport, timeout, decode) | transient — retry or surface, do not treat as "not found" | A client SHOULD NOT broadcast a `name` to further servers after a name-capable router has answered (`NOT_FOUND` or `RESOLVER`), since that router has already diff --git a/src/Simplex/Messaging/Names/EthAddress.hs b/src/Simplex/Messaging/Names/EthAddress.hs index a124193220..92eb31bfbd 100644 --- a/src/Simplex/Messaging/Names/EthAddress.hs +++ b/src/Simplex/Messaging/Names/EthAddress.hs @@ -33,6 +33,5 @@ instance J.ToJSON EthAddress where instance J.FromJSON EthAddress where parseJSON = J.withText "EthAddress" $ \t -> do - -- Accept "0x" and "0X" prefixes (matches the server-side hex decoder). let hex = fromMaybe t (T.stripPrefix "0x" t <|> T.stripPrefix "0X" t) either fail pure $ BAE.convertFromBase BAE.Base16 (encodeUtf8 hex) >>= mkEthAddress diff --git a/src/Simplex/Messaging/Protocol.hs b/src/Simplex/Messaging/Protocol.hs index 0b380ca4d6..17eab6254c 100644 --- a/src/Simplex/Messaging/Protocol.hs +++ b/src/Simplex/Messaging/Protocol.hs @@ -608,8 +608,7 @@ data Command (p :: Party) where -- - corrId: unique correlation ID between proxy and relay, also used as a nonce to encrypt forwarded transmission RFWD :: EncFwdTransmission -> Command ProxyService -- use CorrId as CbNonce, proxy to relay -- Name resolution. Preferably forwarded via PFWD (hides the client IP from - -- the resolver), but direct RSLV is also accepted. The validated name is the - -- only argument; the server resolves it via its configured resolver. + -- the resolver), but direct RSLV is also accepted. RSLV :: SimplexNameDomain -> Command Resolver deriving instance Show (Command p) @@ -746,8 +745,7 @@ data BrokerMsg where OK :: BrokerMsg ERR :: ErrorType -> BrokerMsg PONG :: BrokerMsg - -- Name resolution response (success), for direct or forwarded RSLV. - -- Named RNAME so the error family can use ErrorType.NAME. + -- Named RNAME (not NAME) so the error family can use ErrorType.NAME. RNAME :: NameRecord -> BrokerMsg deriving (Eq, Show) diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index 4ca173da2a..f64f074f01 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -109,7 +109,7 @@ import Simplex.Messaging.Server.Env.STM as Env import Simplex.Messaging.Server.Expiration import Simplex.Messaging.Server.MsgStore import Simplex.Messaging.Server.MsgStore.Journal (JournalMsgStore, JournalQueue (..), getJournalQueueMessages) -import Simplex.Messaging.Server.Names (NamesEnv, closeNamesEnv, releaseResolver, resolveName, resolverAtCapacity, tryAcquireResolver) +import Simplex.Messaging.Server.Names (NamesEnv, closeNamesEnv, resolveName) import Simplex.Messaging.Server.MsgStore.STM import Simplex.Messaging.Server.MsgStore.Types import Simplex.Messaging.Server.NtfStore @@ -1470,8 +1470,8 @@ client forkProxiedCmd :: M s BrokerMsg -> M s (Maybe BrokerMsg) forkProxiedCmd = forkCmd corrId (EntityId sessId) -- Run a slow command on a forked, back-pressured thread, sending its response - -- to sndQ from the thread so command processing is not blocked. Returns - -- Nothing (no synchronous response). Used for proxying and name resolution. + -- to sndQ from the thread so command processing is not blocked. Used for + -- proxying and name resolution. forkCmd :: CorrId -> EntityId -> M s BrokerMsg -> M s (Maybe a) forkCmd corrId entId cmdAction = do bracket_ wait signal . forkClient clnt (B.unpack $ "client $" <> encode sessionId <> " cmd") $ @@ -1486,42 +1486,28 @@ client when (used >= serverClientConcurrency) retry writeTVar procThreads $! used + 1 signal = atomically $ modifyTVar' procThreads (\t -> t - 1) - -- Count an RSLV request and decide handling: no resolver -> NO_RESOLVER; - -- already at the concurrency cap -> shed with a transient RESOLVER error - -- (Left, answered without forking) so an unauthenticated flood cannot - -- exhaust threads / outbound resolver calls; otherwise return the resolve - -- action (Right) for the caller to fork. The capacity check here is a - -- non-mutating peek (no slot reserved), so no slot is held across the - -- fork boundary; rslvNameResponse acquires and releases the slot in one - -- bracket inside the forked thread. Shared by the direct and forwarded paths. + -- Count an RSLV request and decide handling: no resolver -> NO_RESOLVER + -- (Left, answered without forking); otherwise return the resolve action + -- (Right) for the caller to fork. Concurrent resolutions are bounded the + -- same way as every other forwarded command: per-client procThreads in + -- forkCmd. Shared by the direct and forwarded paths. admitRslv :: SimplexNameDomain -> M s (Either BrokerMsg (M s BrokerMsg)) admitRslv d = do st <- asks (rslvStats . serverStats) incStat (rslvReqs st) asks namesEnv >>= \case Nothing -> incStat (rslvDisabled st) $> Left (ERR (NAME NO_RESOLVER)) - Just nenv -> - ifM - (liftIO (resolverAtCapacity nenv)) - (incStat (rslvResolverErrs st) $> Left (ERR (NAME (RESOLVER "resolver overloaded")))) - (pure $ Right (rslvNameResponse nenv d)) - -- Resolve a name to its RNAME / ERR (NAME ...) response. Acquires the - -- in-flight slot and releases it in the same bracket, so it cannot leak on - -- any exit path (including async kill of the forked thread). A lost race - -- on the cap (acquire returns False) sheds, matching admitRslv's peek. + Just nenv -> pure $ Right (rslvNameResponse nenv d) -- The name is validated at parse, so this only maps the resolver outcome. rslvNameResponse :: NamesEnv -> SimplexNameDomain -> M s BrokerMsg rslvNameResponse nenv d = do st <- asks (rslvStats . serverStats) - bracket (liftIO (tryAcquireResolver nenv)) (\held -> when held $ liftIO (releaseResolver nenv)) $ \case - False -> incStat (rslvResolverErrs st) $> ERR (NAME (RESOLVER "resolver overloaded")) - True -> do - (selector, msg) <- - liftIO (resolveName nenv d) <&> \case - Right rec -> (rslvSucc, RNAME rec) - Left e@NOT_FOUND -> (rslvNotFound, ERR $ NAME e) - Left e -> (rslvResolverErrs, ERR $ NAME e) - incStat (selector st) $> msg + (selector, msg) <- + liftIO (resolveName nenv d) <&> \case + Right rec -> (rslvSucc, RNAME rec) + Left e@NOT_FOUND -> (rslvNotFound, ERR $ NAME e) + Left e -> (rslvResolverErrs, ERR $ NAME e) + incStat (selector st) $> msg transportErr :: TransportError -> ErrorType transportErr = PROXY . BROKER . TRANSPORT mkIncProxyStats :: MonadIO m => ProxyStats -> ProxyStats -> OwnServer -> (ProxyStats -> IORef Int) -> m () @@ -1536,10 +1522,8 @@ client SEND flags msgBody -> response <$> withQueue_ False err (sendMessage flags msgBody) Cmd SIdleClient PING -> pure $ response (corrId, NoEntity, PONG) Cmd SProxyService (RFWD encBlock) -> (response . (corrId, NoEntity,) =<<) <$> processForwardedCommand encBlock - -- Resolve names on a forked thread (like proxying) so a slow RSLV does not - -- block other commands; admitRslv bounds concurrent resolutions and sheds - -- load (synchronous error, no fork) when saturated. Shared with the - -- forwarded path (processForwardedCommand). + -- Resolve on a forked thread (like proxying) so a slow RSLV does not block + -- other commands. Shared with the forwarded path (processForwardedCommand). Cmd SResolver (RSLV d) -> admitRslv d >>= either (pure . response . (corrId, NoEntity,)) (forkCmd corrId NoEntity) Cmd SSenderLink command -> case command of @@ -2178,8 +2162,8 @@ client -- rejectOrVerify filters allowed commands, no need to repeat it here. Left r -> respond r Right t''@(_, (corrId', entId', cmd')) -> case cmd' of - -- forwarded RSLV is bounded/shed like the direct path (admitRslv); - -- the resolved (or shed) response is wrapped as RRES via encodeResp. + -- forwarded RSLV resolves on a forked thread like the direct path; + -- the response is wrapped as RRES via encodeResp. Cmd SResolver (RSLV d) -> admitRslv d >>= \case Left msg -> respond (corrId', entId', msg) @@ -2535,4 +2519,4 @@ restoreServerStats msgStats_ ntfStats = asks (serverStatsBackupFile . config) >> logNote $ "error restoring server stats: " <> T.pack e liftIO exitFailure compareCounts name statsCnt storeCnt = - when (statsCnt /= storeCnt) $ logWarn $ name <> " count differs: stats: " <> tshow statsCnt <> ", store: " <> tshow storeCnt \ No newline at end of file + when (statsCnt /= storeCnt) $ logWarn $ name <> " count differs: stats: " <> tshow statsCnt <> ", store: " <> tshow storeCnt diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index 17a7290923..a2b66e3bd4 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -816,11 +816,7 @@ readNamesConfig ini -- carrying the resolver's JSON record on the wire, so capping the -- resolver response body guarantees the RNAME response always frames. -- An over-cap body fails as BodyTooLarge -> ERR (NAME (RESOLVER ..)). - resolverMaxResponseBytes = boundedIniInt 16000 1024 16000 "resolver_max_response_bytes", - -- cap on concurrent in-flight resolutions; RSLV beyond it is shed - -- so an unauthenticated flood cannot exhaust threads / saturate the - -- resolver with unbounded concurrent outbound HTTP. - resolverMaxConcurrent = boundedIniInt 32 1 1024 "resolver_max_concurrent" + resolverMaxResponseBytes = boundedIniInt 16000 1024 16000 "resolver_max_response_bytes" } where enabled = fromMaybe False (iniOnOff "NAMES" "enable" ini) diff --git a/src/Simplex/Messaging/Server/Main/Init.hs b/src/Simplex/Messaging/Server/Main/Init.hs index 0ab6b42fb2..a4aa463d9d 100644 --- a/src/Simplex/Messaging/Server/Main/Init.hs +++ b/src/Simplex/Messaging/Server/Main/Init.hs @@ -166,8 +166,7 @@ iniFileContent cfgPath logPath opts host basicAuth controlPortPwds = \# resolver_endpoint: https://names.simplex.chat:443\n\ \# resolver_auth: basic :\n\ \# resolver_timeout_ms: 3000\n\ - \# resolver_max_response_bytes: 16000\n\ - \# resolver_max_concurrent: 32\n\n\ + \# resolver_max_response_bytes: 16000\n\n\ \[INACTIVE_CLIENTS]\n\ \# TTL and interval to check inactive clients\n\ \disconnect = on\n" diff --git a/src/Simplex/Messaging/Server/Names.hs b/src/Simplex/Messaging/Server/Names.hs index d2452c6664..0dc17a37af 100644 --- a/src/Simplex/Messaging/Server/Names.hs +++ b/src/Simplex/Messaging/Server/Names.hs @@ -23,13 +23,9 @@ module Simplex.Messaging.Server.Names closeNamesEnv, pingEndpoint, resolveName, - resolverAtCapacity, - tryAcquireResolver, - releaseResolver, ) where -import Control.Concurrent.STM import qualified Control.Exception as E import Control.Logger.Simple (logError) import Data.Bifunctor (first) @@ -52,49 +48,23 @@ data NamesConfig = NamesConfig { resolverEndpoint :: String, resolverAuth :: Maybe RpcAuth, resolverTimeoutMs :: Int, - resolverMaxResponseBytes :: Int, - -- | cap on concurrent in-flight resolutions; RSLV beyond it is shed (see - -- tryAcquireResolver) so unauthenticated floods cannot exhaust threads or - -- saturate the outbound resolver with unbounded concurrent HTTP calls. - resolverMaxConcurrent :: Int + resolverMaxResponseBytes :: Int } deriving (Show) data NamesEnv = NamesEnv { config :: NamesConfig, - resolverEnv :: ResolverEnv, - inFlight :: TVar Int + resolverEnv :: ResolverEnv } newNamesEnv :: NamesConfig -> IO NamesEnv newNamesEnv config = do resolverEnv <- newResolverEnv (resolverEndpoint config) (resolverAuth config) (resolverTimeoutMs config) (resolverMaxResponseBytes config) - inFlight <- newTVarIO 0 - pure NamesEnv {config, resolverEnv, inFlight} + pure NamesEnv {config, resolverEnv} closeNamesEnv :: NamesEnv -> IO () closeNamesEnv NamesEnv {resolverEnv} = closeResolverEnv resolverEnv --- | Non-mutating check: True when in-flight resolutions are already at the cap. --- Used to shed an RSLV before forking; the authoritative gate is still --- tryAcquireResolver inside the forked action, so a slot is never held across --- the fork boundary (which is what makes the slot leak-proof on async kills). -resolverAtCapacity :: NamesEnv -> IO Bool -resolverAtCapacity NamesEnv {config, inFlight} = - (>= resolverMaxConcurrent config) <$> readTVarIO inFlight - --- | Reserve a resolution slot if under resolverMaxConcurrent. Returns False --- when saturated so the caller sheds load (returns a transient error) instead --- of making another outbound resolver call. Each True must be paired with --- exactly one releaseResolver. -tryAcquireResolver :: NamesEnv -> IO Bool -tryAcquireResolver NamesEnv {config, inFlight} = - atomically $ stateTVar inFlight $ \n -> - if n >= resolverMaxConcurrent config then (False, n) else (True, n + 1) - -releaseResolver :: NamesEnv -> IO () -releaseResolver NamesEnv {inFlight} = atomically $ modifyTVar' inFlight (subtract 1) - -- | Reach the configured resolver with `GET /health` to confirm reachability -- at server startup. A non-2xx response or transport failure surfaces as -- Left so misconfigured deployments fail loudly. Bounded by diff --git a/tests/NamesResolverServer.hs b/tests/NamesResolverServer.hs index 1fcb84aea7..18d7353afb 100644 --- a/tests/NamesResolverServer.hs +++ b/tests/NamesResolverServer.hs @@ -21,7 +21,6 @@ module NamesResolverServer memProxyCfg, memCfg2, withNames, - withNamesCap, ) where @@ -75,8 +74,7 @@ testNamesConfig port = { resolverEndpoint = "http://127.0.0.1:" <> show port, resolverAuth = Nothing, resolverTimeoutMs = 1000, - resolverMaxResponseBytes = 65536, - resolverMaxConcurrent = 32 + resolverMaxResponseBytes = 65536 } memCfg :: AServerConfig @@ -99,8 +97,3 @@ memCfg2 = case memCfg of -- | Enable names on a config pointing at the local test resolver on `port`. withNames :: Int -> AServerConfig -> AServerConfig withNames port c = updateCfg c $ \cfg_ -> cfg_ {namesConfig = Just (testNamesConfig port)} - --- | Like 'withNames' but with a custom in-flight resolver cap, for tests that --- exercise load-shedding / slot release at a small cap. -withNamesCap :: Int -> Int -> AServerConfig -> AServerConfig -withNamesCap cap port c = updateCfg c $ \cfg_ -> cfg_ {namesConfig = Just (testNamesConfig port) {resolverMaxConcurrent = cap}} diff --git a/tests/RSLVTests.hs b/tests/RSLVTests.hs index 533a9cef1a..63578b7057 100644 --- a/tests/RSLVTests.hs +++ b/tests/RSLVTests.hs @@ -106,7 +106,6 @@ rslvTests = do it "PFWD-wrapped RSLV success returns RNAME (record JSON frames over the proxy)" testRslvForwardedSuccess describe "RSLV success path (RNAME response)" $ do it "returns RNAME with NameRecord" testRslvSuccess - it "releases the in-flight slot so sequential RSLVs are not shed (cap=1)" testRslvSlotReleased testRslvBackendNotFound :: IO () testRslvBackendNotFound = @@ -187,22 +186,5 @@ testRslvSuccess = Right (RNAME nr) -> nr `shouldBe` sampleRecord _ -> expectationFailure $ "expected Right (RNAME ..), got: " <> show resp --- On a names server capped at one concurrent resolution, three sequential RSLVs --- must all return RNAME: each resolution has to release its slot, or the 2nd and --- 3rd would be shed with ERR (NAME (RESOLVER "resolver overloaded")). Guards that --- the in-flight slot release covers the whole forked resolve action. -testRslvSlotReleased :: IO () -testRslvSlotReleased = - NRS.withResolverServer (NRS.resolveResp status200 (J.encode sampleRecord)) $ \port _ -> - withSmpServerConfigOn (transport @TLS) (NRS.withNamesCap 1 port memCfg) testPort $ - const $ - testSMPClient @TLS $ \h -> - mapM_ - ( \cid -> do - (_, _, resp) <- sendRslv h cid (domain "alice.simplex") - resp `shouldBe` Right (RNAME sampleRecord) - ) - ["sr1", "sr2", "sr3"] - runExceptT' :: Show e => ExceptT e IO a -> IO a runExceptT' a = runExceptT a >>= either (fail . show) pure diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index 4410bbf736..7ce0b3df24 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -25,9 +25,7 @@ import Simplex.Messaging.Server.Names RpcAuth (..), newNamesEnv, pingEndpoint, - releaseResolver, resolveName, - tryAcquireResolver, ) import Simplex.Messaging.Server.Names.HttpResolver (ResolverError (..)) import Simplex.Messaging.SimplexName (SimplexNameDomain (..), SimplexTLD (..)) @@ -228,15 +226,6 @@ resolverSpec = do _ <- resolveName env aliceDomain readIORef reqs `shouldReturn` [["resolve", "alice.simplex"]] - it "bounds concurrent resolutions at resolverMaxConcurrent; releaseResolver frees a slot" $ do - -- no HTTP is made; this exercises the admission counter the RSLV handler uses to shed load - env <- newNamesEnv (testNamesConfig 1) {resolverMaxConcurrent = 2} - a <- tryAcquireResolver env - b <- tryAcquireResolver env - c <- tryAcquireResolver env - releaseResolver env - d <- tryAcquireResolver env - [a, b, c, d] `shouldBe` [True, True, False, True] where aliceDomain = SimplexNameDomain {nameTLD = TLDSimplex, domain = "alice", subDomain = []} From 67367c4a4e8fa0b8f2fe4e07aac07de769207e44 Mon Sep 17 00:00:00 2001 From: Evgeny Poberezkin Date: Tue, 23 Jun 2026 07:33:09 +0100 Subject: [PATCH 26/33] move tests name --- tests/AgentTests.hs | 2 +- tests/AgentTests/ResolveNameTests.hs | 33 ++++++++++++++-------------- 2 files changed, 17 insertions(+), 18 deletions(-) diff --git a/tests/AgentTests.hs b/tests/AgentTests.hs index 34d610cd5c..36dc92a95e 100644 --- a/tests/AgentTests.hs +++ b/tests/AgentTests.hs @@ -38,7 +38,7 @@ agentCoreTests = do describe "Connection request" connectionRequestTests describe "Double ratchet tests" doubleRatchetTests describe "Short link tests" shortLinkTests - resolveNameTests + describe "resolve names" resolveNameTests agentTests :: (ASrvTransport, AStoreType) -> Spec agentTests ps = do diff --git a/tests/AgentTests/ResolveNameTests.hs b/tests/AgentTests/ResolveNameTests.hs index 98acb9ee53..83f596f089 100644 --- a/tests/AgentTests/ResolveNameTests.hs +++ b/tests/AgentTests/ResolveNameTests.hs @@ -89,23 +89,22 @@ withNoNameServers k = withAgent 1 agentCfg (oneSrv (proxySrvCfg testSMPServer)) resolveNameTests :: Spec resolveNameTests = do - describe "Agent resolveSimplexName" $ do - describe "direct path (SPMNever)" $ - it "404 propagates as SMP host (NAME NOT_FOUND)" testDirectNotFound - describe "proxy path (SPMAlways)" $ - it "404 from resolver propagates via proxy as SMP (NAME NOT_FOUND)" testProxyNotFound - describe "TLDTesting path" $ - it "NAME NOT_FOUND for TLDTesting too" testTestingTldNotFound - describe "TLDWeb path" $ - it "NAME NOT_FOUND for TLDWeb too" testWebTldNotFound - describe "no resolver configured" $ - it "answers NAME NO_RESOLVER" testNoResolver - describe "no names servers (names role off everywhere)" $ - it "fails agent-side with NO_NAME_SERVERS" testNoNameServers - describe "backing resolver failure" $ - it "surfaces as SMP host (NAME (RESOLVER ..))" testBackendError - describe "success path" $ - it "returns NameRecord" testDirectSuccess + describe "direct path (SPMNever)" $ + it "404 propagates as SMP host (NAME NOT_FOUND)" testDirectNotFound + describe "proxy path (SPMAlways)" $ + it "404 from resolver propagates via proxy as SMP (NAME NOT_FOUND)" testProxyNotFound + describe "TLDTesting path" $ + it "NAME NOT_FOUND for TLDTesting too" testTestingTldNotFound + describe "TLDWeb path" $ + it "NAME NOT_FOUND for TLDWeb too" testWebTldNotFound + describe "no resolver configured" $ + it "answers NAME NO_RESOLVER" testNoResolver + describe "no names servers (names role off everywhere)" $ + it "fails agent-side with NO_NAME_SERVERS" testNoNameServers + describe "backing resolver failure" $ + it "surfaces as SMP host (NAME (RESOLVER ..))" testBackendError + describe "success path" $ + it "returns NameRecord" testDirectSuccess -- --------------------------------------------------------------------------- -- Tests From 6843b14cf2b95c4555a6407122dc8235e7b672d8 Mon Sep 17 00:00:00 2001 From: sh Date: Tue, 23 Jun 2026 08:21:51 +0000 Subject: [PATCH 27/33] simplify: text addresses, Tail JSON, drop admitRslv --- protocol/simplex-messaging.md | 4 +- simplexmq.cabal | 1 - src/Simplex/Messaging/Names/EthAddress.hs | 37 ----------------- src/Simplex/Messaging/Names/Record.hs | 8 ++-- src/Simplex/Messaging/Protocol.hs | 10 +---- src/Simplex/Messaging/Server.hs | 50 +++++++++++------------ src/Simplex/Messaging/Server/Stats.hs | 6 --- src/Simplex/Messaging/SimplexName.hs | 12 ++---- tests/SMPNamesTests.hs | 36 +--------------- 9 files changed, 38 insertions(+), 126 deletions(-) delete mode 100644 src/Simplex/Messaging/Names/EthAddress.hs diff --git a/protocol/simplex-messaging.md b/protocol/simplex-messaging.md index 52a470987a..872b35afe0 100644 --- a/protocol/simplex-messaging.md +++ b/protocol/simplex-messaging.md @@ -1460,7 +1460,7 @@ The `RSLV` command carries the canonical fully-qualified name directly as the payload (not JSON): ```abnf -rslv = %s"RSLV" SP domain ; domain = canonical name as non-space bytes; any trailing bytes are ignored (forward-compatible) +rslv = %s"RSLV" SP domain ; domain = canonical name as non-space bytes, consuming the remainder of the transmission ``` `domain` is the UTF-8 canonical fully-qualified name with the TLD always @@ -1493,7 +1493,7 @@ fact that this router cannot resolve, so iterating past it is safe. The `RNAME` response carries a JSON-encoded record as the payload: ```abnf -rname = %s"RNAME" SP len json-bytes ; len = length of json-bytes as a 2-byte integer; any bytes after json-bytes are ignored (forward-compatible) +rname = %s"RNAME" SP json-bytes ; json-bytes consumes the remainder of the transmission ``` `json-bytes` MUST be a UTF-8 JSON object with the following schema: diff --git a/simplexmq.cabal b/simplexmq.cabal index ee8eeadbb3..a02677568b 100644 --- a/simplexmq.cabal +++ b/simplexmq.cabal @@ -143,7 +143,6 @@ library Simplex.Messaging.Crypto.ShortLink Simplex.Messaging.Encoding Simplex.Messaging.Encoding.String - Simplex.Messaging.Names.EthAddress Simplex.Messaging.Names.Record Simplex.Messaging.Notifications.Client Simplex.Messaging.Notifications.Protocol diff --git a/src/Simplex/Messaging/Names/EthAddress.hs b/src/Simplex/Messaging/Names/EthAddress.hs deleted file mode 100644 index 92eb31bfbd..0000000000 --- a/src/Simplex/Messaging/Names/EthAddress.hs +++ /dev/null @@ -1,37 +0,0 @@ -{-# LANGUAGE OverloadedStrings #-} -{-# LANGUAGE StrictData #-} - -module Simplex.Messaging.Names.EthAddress - ( EthAddress, - mkEthAddress, - unEthAddress, - ) -where - -import Control.Applicative ((<|>)) -import qualified Data.Aeson as J -import qualified Data.ByteArray.Encoding as BAE -import Data.ByteString.Char8 (ByteString) -import qualified Data.ByteString.Char8 as B -import Data.Maybe (fromMaybe) -import qualified Data.Text as T -import Data.Text.Encoding (decodeLatin1, encodeUtf8) - --- | 20-byte Ethereum address (NameRecord owner / resolver). Bare constructor --- not exported; use 'mkEthAddress' to enforce the 20-byte invariant. JSON form --- is "0x"-prefixed lowercase hex (matches the resolver output). -newtype EthAddress = EthAddress {unEthAddress :: ByteString} - deriving (Eq, Show) - -mkEthAddress :: ByteString -> Either String EthAddress -mkEthAddress bs - | B.length bs == 20 = Right (EthAddress bs) - | otherwise = Left "EthAddress must be 20 bytes" - -instance J.ToJSON EthAddress where - toJSON (EthAddress bs) = J.String $ "0x" <> decodeLatin1 (BAE.convertToBase BAE.Base16 bs) - -instance J.FromJSON EthAddress where - parseJSON = J.withText "EthAddress" $ \t -> do - let hex = fromMaybe t (T.stripPrefix "0x" t <|> T.stripPrefix "0X" t) - either fail pure $ BAE.convertFromBase BAE.Base16 (encodeUtf8 hex) >>= mkEthAddress diff --git a/src/Simplex/Messaging/Names/Record.hs b/src/Simplex/Messaging/Names/Record.hs index 1eec7920ed..c13d7fcccb 100644 --- a/src/Simplex/Messaging/Names/Record.hs +++ b/src/Simplex/Messaging/Names/Record.hs @@ -11,7 +11,6 @@ where import qualified Data.Aeson as J import qualified Data.Aeson.TH as JQ import Data.Text (Text) -import Simplex.Messaging.Names.EthAddress (EthAddress) import Simplex.Messaging.Parsers (defaultJSON, dropPrefix) -- | Resolved name record returned by the names role. JSON keys match the @@ -20,7 +19,8 @@ import Simplex.Messaging.Parsers (defaultJSON, dropPrefix) -- type IS the schema. Text fields use the empty string as the "unset" -- sentinel; coin fields use JSON null. simplexContact / simplexChannel are -- arrays of links (primary first, empty when unset) so a name can advertise --- fallback SMP servers. owner / resolver carry 20-byte EthAddresses (0x hex). +-- fallback SMP servers. owner / resolver are 0x-hex Ethereum addresses, kept +-- verbatim as text (the resolver is the source of truth for their validity). -- The only size bound is the SMP transport block (enforced by the framing). data NameRecord = NameRecord { nrName :: Text, @@ -33,8 +33,8 @@ data NameRecord = NameRecord nrBtc :: Maybe Text, nrXmr :: Maybe Text, nrDot :: Maybe Text, - nrOwner :: EthAddress, - nrResolver :: EthAddress -- resolver address that produced the record + nrOwner :: Text, + nrResolver :: Text -- resolver address (0x hex) that produced the record } deriving (Eq, Show) diff --git a/src/Simplex/Messaging/Protocol.hs b/src/Simplex/Messaging/Protocol.hs index 17eab6254c..538d51a90a 100644 --- a/src/Simplex/Messaging/Protocol.hs +++ b/src/Simplex/Messaging/Protocol.hs @@ -1940,8 +1940,6 @@ instance ProtocolEncoding SMPVersion ErrorType Cmd where CT SNotifierService NSUBS_ | v >= rcvServiceSMPVersion -> Cmd SNotifierService <$> (NSUBS <$> _smpP <*> smpP) | otherwise -> pure $ Cmd SNotifierService $ NSUBS (-1) mempty - -- the domain is space-delimited; ignore any trailing bytes so a future - -- version appending RSLV fields stays parseable by this server (fwd-compat) CT SResolver RSLV_ -> Cmd SResolver . RSLV <$> _smpP <* A.takeByteString fromProtocolError = fromProtocolError @SMPVersion @ErrorType @BrokerMsg @@ -1989,9 +1987,7 @@ instance ProtocolEncoding SMPVersion ErrorType BrokerMsg where | v < clientNoticesSMPVersion -> BLOCKED info {notice = Nothing} _ -> err PONG -> e PONG_ - -- length-prefixed (Large) rather than Tail so the JSON record is - -- self-delimiting and later versions can append fields after it on the wire - RNAME rec -> e (RNAME_, ' ', Large $ LB.toStrict $ J.encode rec) + RNAME rec -> e (RNAME_, ' ', Tail $ LB.toStrict $ J.encode rec) where e :: Encoding a => a -> ByteString e = smpEncode @@ -2039,9 +2035,7 @@ instance ProtocolEncoding SMPVersion ErrorType BrokerMsg where OK_ -> pure OK ERR_ -> ERR <$> _smpP PONG_ -> pure PONG - -- A.takeByteString ignores any bytes after the length-prefixed record, so a - -- future version appending fields stays parseable by this client (fwd-compat) - RNAME_ -> (fmap RNAME . J.eitherDecodeStrict . unLarge <$?> _smpP) <* A.takeByteString + RNAME_ -> fmap RNAME . J.eitherDecodeStrict . unTail <$?> _smpP where serviceRespP resp | v >= rcvServiceSMPVersion = resp <$> _smpP <*> smpP diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index f64f074f01..468b8a9fa6 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -1486,28 +1486,25 @@ client when (used >= serverClientConcurrency) retry writeTVar procThreads $! used + 1 signal = atomically $ modifyTVar' procThreads (\t -> t - 1) - -- Count an RSLV request and decide handling: no resolver -> NO_RESOLVER - -- (Left, answered without forking); otherwise return the resolve action - -- (Right) for the caller to fork. Concurrent resolutions are bounded the - -- same way as every other forwarded command: per-client procThreads in - -- forkCmd. Shared by the direct and forwarded paths. - admitRslv :: SimplexNameDomain -> M s (Either BrokerMsg (M s BrokerMsg)) - admitRslv d = do + -- Resolve a name to its RNAME / ERR (NAME ...) response: no resolver -> + -- NO_RESOLVER, otherwise resolve via the configured resolver and count the + -- outcome. Run on a forked thread (like proxying) so a slow RSLV does not + -- block other commands; concurrency is bounded the same way as every other + -- forwarded command, by per-client procThreads in forkCmd. Shared by the + -- direct and forwarded RSLV paths. The name is validated at parse. + rslvNameResponse :: SimplexNameDomain -> M s BrokerMsg + rslvNameResponse d = do st <- asks (rslvStats . serverStats) incStat (rslvReqs st) asks namesEnv >>= \case - Nothing -> incStat (rslvDisabled st) $> Left (ERR (NAME NO_RESOLVER)) - Just nenv -> pure $ Right (rslvNameResponse nenv d) - -- The name is validated at parse, so this only maps the resolver outcome. - rslvNameResponse :: NamesEnv -> SimplexNameDomain -> M s BrokerMsg - rslvNameResponse nenv d = do - st <- asks (rslvStats . serverStats) - (selector, msg) <- - liftIO (resolveName nenv d) <&> \case - Right rec -> (rslvSucc, RNAME rec) - Left e@NOT_FOUND -> (rslvNotFound, ERR $ NAME e) - Left e -> (rslvResolverErrs, ERR $ NAME e) - incStat (selector st) $> msg + Nothing -> incStat (rslvDisabled st) $> ERR (NAME NO_RESOLVER) + Just nenv -> do + (selector, msg) <- + liftIO (resolveName nenv d) <&> \case + Right rec -> (rslvSucc, RNAME rec) + Left e@NOT_FOUND -> (rslvNotFound, ERR $ NAME e) + Left e -> (rslvResolverErrs, ERR $ NAME e) + incStat (selector st) $> msg transportErr :: TransportError -> ErrorType transportErr = PROXY . BROKER . TRANSPORT mkIncProxyStats :: MonadIO m => ProxyStats -> ProxyStats -> OwnServer -> (ProxyStats -> IORef Int) -> m () @@ -1524,8 +1521,7 @@ client Cmd SProxyService (RFWD encBlock) -> (response . (corrId, NoEntity,) =<<) <$> processForwardedCommand encBlock -- Resolve on a forked thread (like proxying) so a slow RSLV does not block -- other commands. Shared with the forwarded path (processForwardedCommand). - Cmd SResolver (RSLV d) -> - admitRslv d >>= either (pure . response . (corrId, NoEntity,)) (forkCmd corrId NoEntity) + Cmd SResolver (RSLV d) -> forkCmd corrId NoEntity (rslvNameResponse d) Cmd SSenderLink command -> case command of LKEY k -> withQueue $ \q qr -> checkMode QMMessaging qr $ secureQueue_ q k $>> getQueueLink_ q qr LGET -> withQueue $ \q qr -> checkContact qr $ getQueueLink_ q qr @@ -2165,11 +2161,9 @@ client -- forwarded RSLV resolves on a forked thread like the direct path; -- the response is wrapped as RRES via encodeResp. Cmd SResolver (RSLV d) -> - admitRslv d >>= \case - Left msg -> respond (corrId', entId', msg) - Right act -> forkCmd corrId NoEntity $ do - msg <- act - either ERR id <$> runExceptT (encodeResp (corrId', entId', msg)) + forkCmd corrId NoEntity $ do + msg <- rslvNameResponse d + either ERR id <$> runExceptT (encodeResp (corrId', entId', msg)) -- INTERNAL is used because processCommand never returns Nothing for -- the other forwarded commands (could be extracted for better types). -- `fst` removes empty message that is only returned for `SUB` command @@ -2272,6 +2266,10 @@ updateDeletedStats q = do incStat $ qDeletedAll stats liftIO $ atomicModifyIORef'_ (qCount stats) (subtract 1) +incStat :: MonadIO m => IORef Int -> m () +incStat r = liftIO $ atomicModifyIORef'_ r (+ 1) +{-# INLINE incStat #-} + randomId' :: Int -> M s ByteString randomId' n = atomically . C.randomBytes n =<< asks random diff --git a/src/Simplex/Messaging/Server/Stats.hs b/src/Simplex/Messaging/Server/Stats.hs index f6583f6875..11a7de666a 100644 --- a/src/Simplex/Messaging/Server/Stats.hs +++ b/src/Simplex/Messaging/Server/Stats.hs @@ -39,7 +39,6 @@ module Simplex.Messaging.Server.Stats setServiceStats, emptyTimeBuckets, updateTimeBuckets, - incStat, NameResolverStats (..), NameResolverStatsData (..), newNameResolverStats, @@ -50,7 +49,6 @@ module Simplex.Messaging.Server.Stats ) where import Control.Applicative (optional, (<|>)) -import Control.Monad.IO.Class (MonadIO, liftIO) import qualified Data.Attoparsec.ByteString.Char8 as A import Data.ByteString.Char8 (ByteString) import qualified Data.ByteString.Char8 as B @@ -809,10 +807,6 @@ updatePeriodStats ps (EntityId pId) = do ph = hash pId updatePeriod ref = unlessM (IS.member ph <$> readIORef ref) $ atomicModifyIORef'_ ref $ IS.insert ph -incStat :: MonadIO m => IORef Int -> m () -incStat r = liftIO $ atomicModifyIORef'_ r (+ 1) -{-# INLINE incStat #-} - data ProxyStats = ProxyStats { pRequests :: IORef Int, pSuccesses :: IORef Int, -- includes destination server error responses that will be forwarded to the client diff --git a/src/Simplex/Messaging/SimplexName.hs b/src/Simplex/Messaging/SimplexName.hs index d582e738f8..862ea57320 100644 --- a/src/Simplex/Messaging/SimplexName.hs +++ b/src/Simplex/Messaging/SimplexName.hs @@ -73,17 +73,13 @@ nameLabelP = T.intercalate "-" <$> AT.takeWhile1 (\c -> isNameLetter c || isDigi -- parser would otherwise `takeWhile1 (not . isSpace)` unbounded, allowing -- a crafted multi-megabyte token to be decoded and re-parsed before any -- validation. Cap at 253 bytes (DNS full-domain limit) — generous against --- any realistic SimpleX name — and FAIL on a longer token rather than stop --- at the cap, so an oversized name is rejected outright (not silently --- truncated) on every entry point, including the RSLV wire decoder whose --- trailing `takeByteString` would otherwise swallow and discard the overflow. +-- any realistic SimpleX name — and forces the surrounding `parseOnly` +-- (which requires consuming all input) to fail on oversized inputs. boundedNonSpace :: A.Parser ByteString boundedNonSpace = do bs <- A.scan (0 :: Int) $ \i c -> - if i <= 253 && not (A.isSpace c) then Just (i + 1) else Nothing - if B.null bs - then fail "expected non-empty name token" - else if B.length bs > 253 then fail "name token exceeds 253 bytes" else pure bs + if i < 253 && not (A.isSpace c) then Just (i + 1) else Nothing + if B.null bs then fail "expected non-empty name token" else pure bs instance StrEncoding SimplexNameInfo where strEncode SimplexNameInfo {nameType, nameDomain} = diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index 7ce0b3df24..62a48d563b 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -17,7 +17,6 @@ import Network.HTTP.Types (status200, status400, status404, status500, status502 import NamesResolverServer (resolveResp, testNamesConfig, withResolverServer, withResolverServerDelayed) import Simplex.Messaging.Encoding (smpDecode, smpEncode) import Simplex.Messaging.Encoding.String (strDecode) -import Simplex.Messaging.Names.EthAddress (EthAddress, mkEthAddress, unEthAddress) import Simplex.Messaging.Protocol (ErrorType (..), NameErrorType (..), NameRecord (..)) import Simplex.Messaging.Server.Main (validateUrl) import Simplex.Messaging.Server.Names @@ -31,12 +30,6 @@ import Simplex.Messaging.Server.Names.HttpResolver (ResolverError (..)) import Simplex.Messaging.SimplexName (SimplexNameDomain (..), SimplexTLD (..)) import Test.Hspec -twentyOnes :: B.ByteString -twentyOnes = B.replicate 20 '\x01' - -unsafeAddr :: B.ByteString -> EthAddress -unsafeAddr = either error id . mkEthAddress - -- | Sample record matching the resolver JSON shape. Text fields use the empty -- string as the "unset" sentinel; coin fields use Nothing -> JSON null. sampleRecord :: NameRecord @@ -52,15 +45,14 @@ sampleRecord = nrBtc = Nothing, nrXmr = Nothing, nrDot = Nothing, - nrOwner = unsafeAddr twentyOnes, - nrResolver = unsafeAddr (B.replicate 20 '\x02') + nrOwner = "0x0101010101010101010101010101010101010101", + nrResolver = "0x0202020202020202020202020202020202020202" } smpNamesTests :: Spec smpNamesTests = do describe "NameRecord JSON (Protocol)" nameRecordEncodingSpec describe "ErrorType NAME wire encoding" errorWireSpec - describe "Smart constructors (EthAddress)" smartCtorsSpec describe "Name parsing (SimplexNameDomain)" parseNameSpec describe "HTTP resolver" resolverSpec describe "Resolver health probe" healthSpec @@ -103,18 +95,6 @@ nameRecordEncodingSpec = do B.isInfixOf "\"simplexChannel\":[]" bytes `shouldBe` True B.isInfixOf "\"simplexChannel\":null" bytes `shouldBe` False - it "FromJSON EthAddress accepts both 0x and 0X prefixes" $ do - let json p = "\"" <> p <> "0101010101010101010101010101010101010101\"" - (J.eitherDecodeStrict (json "0x") :: Either String EthAddress) `shouldSatisfy` isRight - (J.eitherDecodeStrict (json "0X") :: Either String EthAddress) `shouldSatisfy` isRight - - it "owner / resolver are emitted as lowercase hex" $ do - -- The resolver returns lowercase hex; encoded form must match. - let mixedCase = unsafeAddr (B.pack ['\xde', '\xad', '\xbe', '\xef'] <> B.replicate 16 '\x00') - bytes = LB.toStrict (J.encode sampleRecord {nrOwner = mixedCase, nrResolver = mixedCase}) - B.isInfixOf "0xdeadbeef" bytes `shouldBe` True - B.isInfixOf "0xDEADBEEF" bytes `shouldBe` False - -- ERR (NAME ...) travels as field-ordered smpEncode on the wire; the RNAME -- success response carries the NameRecord as JSON (covered by the JSON spec). errorWireSpec :: Spec @@ -125,18 +105,6 @@ errorWireSpec = -- RESOLVER detail may contain spaces - must survive the round-trip smpDecode (smpEncode (NAME (RESOLVER "HTTP 502"))) `shouldBe` Right (NAME (RESOLVER "HTTP 502")) -smartCtorsSpec :: Spec -smartCtorsSpec = do - it "mkEthAddress accepts exactly 20 bytes" $ do - mkEthAddress twentyOnes `shouldSatisfy` isRight - mkEthAddress (B.replicate 19 '\x01') `shouldSatisfy` isLeft - mkEthAddress (B.replicate 21 '\x01') `shouldSatisfy` isLeft - - it "unEthAddress round-trips mkEthAddress" $ - case mkEthAddress twentyOnes of - Right o -> unEthAddress o `shouldBe` twentyOnes - Left e -> expectationFailure ("mkEthAddress failed: " <> e) - -- The RSLV command carries a parsed SimplexNameDomain, so name validation -- happens at parse (StrEncoding). These exercise that validation directly. parseNameSpec :: Spec From 55c6717dcad6bc7bfef9152ddb07564a9b0851a7 Mon Sep 17 00:00:00 2001 From: "Evgeny @ SimpleX Chat" <259188159+evgeny-simplex@users.noreply.github.com> Date: Wed, 24 Jun 2026 09:46:48 +0000 Subject: [PATCH 28/33] fix --- src/Simplex/Messaging/Server.hs | 61 +++++++++++++++++----------- src/Simplex/Messaging/SimplexName.hs | 23 +++++++---- tests/SMPNamesTests.hs | 6 +++ 3 files changed, 57 insertions(+), 33 deletions(-) diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index 468b8a9fa6..c680cec40c 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -1486,25 +1486,30 @@ client when (used >= serverClientConcurrency) retry writeTVar procThreads $! used + 1 signal = atomically $ modifyTVar' procThreads (\t -> t - 1) - -- Resolve a name to its RNAME / ERR (NAME ...) response: no resolver -> - -- NO_RESOLVER, otherwise resolve via the configured resolver and count the - -- outcome. Run on a forked thread (like proxying) so a slow RSLV does not - -- block other commands; concurrency is bounded the same way as every other - -- forwarded command, by per-client procThreads in forkCmd. Shared by the - -- direct and forwarded RSLV paths. The name is validated at parse. - rslvNameResponse :: SimplexNameDomain -> M s BrokerMsg - rslvNameResponse d = do + -- Account an RSLV request and look up the resolver, shared by the direct and + -- forwarded RSLV paths. Nothing => names is disabled (counted), so the caller + -- answers NO_RESOLVER without forking; Just nenv => the caller forks the + -- resolution. Returning the env (not an action) keeps the fork at the call site. + rslvNamesEnv :: M s (Maybe NamesEnv) + rslvNamesEnv = do st <- asks (rslvStats . serverStats) incStat (rslvReqs st) asks namesEnv >>= \case - Nothing -> incStat (rslvDisabled st) $> ERR (NAME NO_RESOLVER) - Just nenv -> do - (selector, msg) <- - liftIO (resolveName nenv d) <&> \case - Right rec -> (rslvSucc, RNAME rec) - Left e@NOT_FOUND -> (rslvNotFound, ERR $ NAME e) - Left e -> (rslvResolverErrs, ERR $ NAME e) - incStat (selector st) $> msg + Nothing -> incStat (rslvDisabled st) $> Nothing + Just nenv -> pure (Just nenv) + -- The actual resolution: resolve a parsed name via the configured resolver + -- and count the outcome (the name is already validated at parse). Run on a + -- forked thread so a slow RSLV does not block other commands; concurrency is + -- bounded by per-client procThreads in forkCmd, like every forwarded command. + resolveNameMsg :: NamesEnv -> SimplexNameDomain -> M s BrokerMsg + resolveNameMsg nenv d = do + st <- asks (rslvStats . serverStats) + (selector, msg) <- + liftIO (resolveName nenv d) <&> \case + Right rec -> (rslvSucc, RNAME rec) + Left e@NOT_FOUND -> (rslvNotFound, ERR $ NAME e) + Left e -> (rslvResolverErrs, ERR $ NAME e) + incStat (selector st) $> msg transportErr :: TransportError -> ErrorType transportErr = PROXY . BROKER . TRANSPORT mkIncProxyStats :: MonadIO m => ProxyStats -> ProxyStats -> OwnServer -> (ProxyStats -> IORef Int) -> m () @@ -1519,9 +1524,14 @@ client SEND flags msgBody -> response <$> withQueue_ False err (sendMessage flags msgBody) Cmd SIdleClient PING -> pure $ response (corrId, NoEntity, PONG) Cmd SProxyService (RFWD encBlock) -> (response . (corrId, NoEntity,) =<<) <$> processForwardedCommand encBlock - -- Resolve on a forked thread (like proxying) so a slow RSLV does not block - -- other commands. Shared with the forwarded path (processForwardedCommand). - Cmd SResolver (RSLV d) -> forkCmd corrId NoEntity (rslvNameResponse d) + Cmd SResolver (RSLV d) -> rslvName + where + -- only fork when a resolver is configured; NO_RESOLVER is answered + -- without forking. Like proxying, the resolution runs on a forked + -- thread so a slow RSLV does not block other commands. + rslvName = rslvNamesEnv >>= \case + Nothing -> pure $ response (corrId, NoEntity, ERR (NAME NO_RESOLVER)) + Just nenv -> forkCmd corrId NoEntity (resolveNameMsg nenv d) Cmd SSenderLink command -> case command of LKEY k -> withQueue $ \q qr -> checkMode QMMessaging qr $ secureQueue_ q k $>> getQueueLink_ q qr LGET -> withQueue $ \q qr -> checkContact qr $ getQueueLink_ q qr @@ -2158,12 +2168,15 @@ client -- rejectOrVerify filters allowed commands, no need to repeat it here. Left r -> respond r Right t''@(_, (corrId', entId', cmd')) -> case cmd' of - -- forwarded RSLV resolves on a forked thread like the direct path; - -- the response is wrapped as RRES via encodeResp. + -- like the direct path: fork only when a resolver is configured + -- (else NO_RESOLVER without forking); the response is wrapped as + -- RRES via encodeResp. Cmd SResolver (RSLV d) -> - forkCmd corrId NoEntity $ do - msg <- rslvNameResponse d - either ERR id <$> runExceptT (encodeResp (corrId', entId', msg)) + rslvNamesEnv >>= \case + Nothing -> respond (corrId', entId', ERR (NAME NO_RESOLVER)) + Just nenv -> forkCmd corrId NoEntity $ do + msg <- resolveNameMsg nenv d + either ERR id <$> runExceptT (encodeResp (corrId', entId', msg)) -- INTERNAL is used because processCommand never returns Nothing for -- the other forwarded commands (could be extracted for better types). -- `fst` removes empty message that is only returned for `SUB` command diff --git a/src/Simplex/Messaging/SimplexName.hs b/src/Simplex/Messaging/SimplexName.hs index 862ea57320..901ae8bb9a 100644 --- a/src/Simplex/Messaging/SimplexName.hs +++ b/src/Simplex/Messaging/SimplexName.hs @@ -60,7 +60,11 @@ instance StrEncoding SimplexNameType where strP = A.char '#' $> NTPublicGroup <|> A.char '@' $> NTContact nameLabelP :: AT.Parser Text -nameLabelP = T.intercalate "-" <$> AT.takeWhile1 (\c -> isNameLetter c || isDigit c) `AT.sepBy1` AT.char '-' +nameLabelP = do + label <- T.intercalate "-" <$> AT.takeWhile1 (\c -> isNameLetter c || isDigit c) `AT.sepBy1` AT.char '-' + -- DNS label limit: each dot-separated component is at most 63 bytes (labels + -- are ASCII, so character count == byte count) + if T.length label > 63 then fail "name label exceeds 63 bytes" else pure label where -- ASCII letters only. SNRC contracts hash byte sequences via keccak; ENS -- uses UTS-46 + Punycode for IDN, which we do not implement. Admitting @@ -69,17 +73,18 @@ nameLabelP = T.intercalate "-" <$> AT.takeWhile1 (\c -> isNameLetter c || isDigi -- (Cyrillic а vs ASCII a hash to different on-chain records). isNameLetter c = c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' --- | DoS defense for the bare-name / bare-domain entry points. The outer --- parser would otherwise `takeWhile1 (not . isSpace)` unbounded, allowing --- a crafted multi-megabyte token to be decoded and re-parsed before any --- validation. Cap at 253 bytes (DNS full-domain limit) — generous against --- any realistic SimpleX name — and forces the surrounding `parseOnly` --- (which requires consuming all input) to fail on oversized inputs. +-- | Cap the name at 253 bytes (DNS full-domain limit) and FAIL on a longer +-- token rather than stop at the cap, so an oversized name is rejected outright +-- (not silently truncated) on every entry point — including the RSLV wire +-- decoder, whose trailing `takeByteString` would otherwise swallow the overflow +-- and resolve a truncated name. boundedNonSpace :: A.Parser ByteString boundedNonSpace = do bs <- A.scan (0 :: Int) $ \i c -> - if i < 253 && not (A.isSpace c) then Just (i + 1) else Nothing - if B.null bs then fail "expected non-empty name token" else pure bs + if i <= 253 && not (A.isSpace c) then Just (i + 1) else Nothing + if B.null bs + then fail "expected non-empty name token" + else if B.length bs > 253 then fail "name exceeds 253 bytes" else pure bs instance StrEncoding SimplexNameInfo where strEncode SimplexNameInfo {nameType, nameDomain} = diff --git a/tests/SMPNamesTests.hs b/tests/SMPNamesTests.hs index 62a48d563b..8db0d9b400 100644 --- a/tests/SMPNamesTests.hs +++ b/tests/SMPNamesTests.hs @@ -135,6 +135,12 @@ parseNameSpec = do it "rejects oversized inputs (>253 bytes)" $ parseN (T.replicate 254 "a" <> ".simplex") `shouldSatisfy` isLeft + + it "rejects a label longer than 63 bytes (DNS label limit)" $ + parseN (T.replicate 64 "a" <> ".simplex") `shouldSatisfy` isLeft + + it "accepts a label of exactly 63 bytes" $ + parseN (T.replicate 63 "a" <> ".simplex") `shouldSatisfy` isRight where parseN :: T.Text -> Either String SimplexNameDomain parseN = strDecode . encodeUtf8 From 4b288410b68b7aa3fae6d7eb60c81c4e8d9a4b94 Mon Sep 17 00:00:00 2001 From: "Evgeny @ SimpleX Chat" <259188159+evgeny-simplex@users.noreply.github.com> Date: Wed, 24 Jun 2026 10:37:37 +0000 Subject: [PATCH 29/33] remove spaghetti --- src/Simplex/Messaging/Server.hs | 92 +++++++++++++++------------------ 1 file changed, 41 insertions(+), 51 deletions(-) diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index c680cec40c..737cde70ed 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -2130,57 +2130,47 @@ client pure $ MsgNtf {ntfMsgId = msgId, ntfTs = msgTs, ntfNonce, ntfEncMeta = fromRight "" encNMsgMeta} processForwardedCommand :: EncFwdTransmission -> M s (Maybe BrokerMsg) - processForwardedCommand (EncFwdTransmission s) = do - prepared <- runExceptT $ do - THAuthServer {serverPrivKey, sessSecret'} <- maybe (throwE $ transportErr TENoServerAuth) pure (thAuth thParams') - sessSecret <- maybe (throwE $ transportErr TENoServerAuth) pure sessSecret' - let proxyNonce = C.cbNonce $ bs corrId - s' <- liftEitherWith (const CRYPTO) $ C.cbDecryptNoPad sessSecret proxyNonce s - FwdTransmission {fwdCorrId, fwdVersion, fwdKey, fwdTransmission = EncTransmission et} <- liftEitherWith (const $ CMD SYNTAX) $ smpDecode s' - let clientSecret = C.dh' fwdKey serverPrivKey - clientNonce = C.cbNonce $ bs fwdCorrId - b <- liftEitherWith (const CRYPTO) $ C.cbDecrypt clientSecret clientNonce et - let clntTHParams = smpTHParamsSetVersion fwdVersion thParams' - -- only allowing single forwarded transactions - t' <- case tParse clntTHParams b of - t :| [] -> pure $ tDecodeServer clntTHParams t - _ -> throwE BLOCK - let clntThAuth = Just $ THAuthServer {serverPrivKey, peerClientService = Nothing, sessSecret' = Just clientSecret} - -- wrap an inner response transmission into the encrypted RRES reply - encodeResp r = do - r' <- case batchTransmissions clntTHParams [Right (Nothing, encodeTransmission clntTHParams r)] of - [] -> throwE INTERNAL -- at least 1 item is guaranteed from NonEmpty/Right - TBError _ _ : _ -> throwE BLOCK - TBTransmission b' _ : _ -> pure b' - TBTransmissions b' _ _ : _ -> pure b' - -- encrypt to client - r2 <- liftEitherWith (const BLOCK) $ EncResponse <$> C.cbEncrypt clientSecret (C.reverseNonce clientNonce) r' paddedProxiedTLength - -- encrypt to proxy - let fr = FwdResponse {fwdCorrId, fwdResponse = r2} - pure $ RRES $ EncFwdResponse $ C.cbEncryptNoPad sessSecret (C.reverseNonce proxyNonce) (smpEncode fr) - pure (clntThAuth, fwdVersion, t', encodeResp) - case prepared of - Left e -> pure $ Just $ ERR e - Right (clntThAuth, fwdVersion, t', encodeResp) -> do - incFwdRecv -- count every decrypted forwarded command, on either path - let respond r = Just . either ERR id <$> runExceptT (encodeResp r) - rejectOrVerify clntThAuth t' >>= \case - -- rejectOrVerify filters allowed commands, no need to repeat it here. - Left r -> respond r - Right t''@(_, (corrId', entId', cmd')) -> case cmd' of - -- like the direct path: fork only when a resolver is configured - -- (else NO_RESOLVER without forking); the response is wrapped as - -- RRES via encodeResp. - Cmd SResolver (RSLV d) -> - rslvNamesEnv >>= \case - Nothing -> respond (corrId', entId', ERR (NAME NO_RESOLVER)) - Just nenv -> forkCmd corrId NoEntity $ do - msg <- resolveNameMsg nenv d - either ERR id <$> runExceptT (encodeResp (corrId', entId', msg)) - -- INTERNAL is used because processCommand never returns Nothing for - -- the other forwarded commands (could be extracted for better types). - -- `fst` removes empty message that is only returned for `SUB` command - _ -> processCommand Nothing fwdVersion (Right (M.empty, M.empty, M.empty)) t'' >>= respond . maybe (corrId', entId', ERR INTERNAL) fst + processForwardedCommand (EncFwdTransmission s) = fmap (either (Just . ERR) id) . runExceptT $ do + THAuthServer {serverPrivKey, sessSecret'} <- maybe (throwE $ transportErr TENoServerAuth) pure (thAuth thParams') + sessSecret <- maybe (throwE $ transportErr TENoServerAuth) pure sessSecret' + let proxyNonce = C.cbNonce $ bs corrId + s' <- liftEitherWith (const CRYPTO) $ C.cbDecryptNoPad sessSecret proxyNonce s + FwdTransmission {fwdCorrId, fwdVersion, fwdKey, fwdTransmission = EncTransmission et} <- liftEitherWith (const $ CMD SYNTAX) $ smpDecode s' + let clientSecret = C.dh' fwdKey serverPrivKey + clientNonce = C.cbNonce $ bs fwdCorrId + b <- liftEitherWith (const CRYPTO) $ C.cbDecrypt clientSecret clientNonce et + let clntTHParams = smpTHParamsSetVersion fwdVersion thParams' + -- only allowing single forwarded transactions + t' <- case tParse clntTHParams b of + t :| [] -> pure $ tDecodeServer clntTHParams t + _ -> throwE BLOCK + let clntThAuth = Just $ THAuthServer {serverPrivKey, peerClientService = Nothing, sessSecret' = Just clientSecret} + -- encrypt an inner response back to client and proxy as the RRES + -- reply (or ERR to the proxy if it cannot be batched/encrypted) + encodeResp r = either ERR id $ do + r' <- case batchTransmissions clntTHParams [Right (Nothing, encodeTransmission clntTHParams r)] of + [] -> Left INTERNAL -- at least 1 item is guaranteed from NonEmpty/Right + TBError _ _ : _ -> Left BLOCK + TBTransmission b' _ : _ -> Right b' + TBTransmissions b' _ _ : _ -> Right b' + r2 <- first (const BLOCK) $ EncResponse <$> C.cbEncrypt clientSecret (C.reverseNonce clientNonce) r' paddedProxiedTLength + let fr = FwdResponse {fwdCorrId, fwdResponse = r2} + pure $ RRES $ EncFwdResponse $ C.cbEncryptNoPad sessSecret (C.reverseNonce proxyNonce) (smpEncode fr) + lift incFwdRecv -- count every decrypted forwarded command, on either path + lift (rejectOrVerify clntThAuth t') >>= \case + -- rejectOrVerify filters allowed commands, no need to repeat it here. + Left r -> pure $ Just $ encodeResp r + Right t''@(_, (corrId', entId', cmd')) -> case cmd' of + -- forwarded RSLV resolves on a forked thread (only when a resolver is + -- configured); the forked thread encodes and sends its own RRES. + Cmd SResolver (RSLV d) -> lift $ rslvNamesEnv >>= \case + Nothing -> pure $ Just $ encodeResp (corrId', entId', ERR (NAME NO_RESOLVER)) + Just nenv -> forkCmd corrId NoEntity $ do + msg <- resolveNameMsg nenv d + pure $ encodeResp (corrId', entId', msg) + -- INTERNAL because processCommand never returns Nothing for these + -- commands; `fst` drops the empty message only returned for SUB. + _ -> Just . encodeResp . maybe (corrId', entId', ERR INTERNAL) fst <$> lift (processCommand Nothing fwdVersion (Right (M.empty, M.empty, M.empty)) t'') where incFwdRecv = asks serverStats >>= incStat . pMsgFwdsRecv rejectOrVerify :: Maybe (THandleAuth 'TServer) -> SignedTransmissionOrError ErrorType Cmd -> M s (VerifiedTransmissionOrError s) From 94a0541a6f84b302a97f70d8fb1e95c5a79e955f Mon Sep 17 00:00:00 2001 From: "Evgeny @ SimpleX Chat" <259188159+evgeny-simplex@users.noreply.github.com> Date: Wed, 24 Jun 2026 11:04:28 +0000 Subject: [PATCH 30/33] reduce diff --- src/Simplex/Messaging/Server.hs | 58 ++++++++++++++++----------------- 1 file changed, 28 insertions(+), 30 deletions(-) diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index 737cde70ed..9ba840f925 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -1523,7 +1523,7 @@ client SKEY k -> withQueue $ \q qr -> checkMode QMMessaging qr $ secureQueue_ q k SEND flags msgBody -> response <$> withQueue_ False err (sendMessage flags msgBody) Cmd SIdleClient PING -> pure $ response (corrId, NoEntity, PONG) - Cmd SProxyService (RFWD encBlock) -> (response . (corrId, NoEntity,) =<<) <$> processForwardedCommand encBlock + Cmd SProxyService (RFWD encBlock) -> response . (corrId, NoEntity,) <$> processForwardedCommand encBlock Cmd SResolver (RSLV d) -> rslvName where -- only fork when a resolver is configured; NO_RESOLVER is answered @@ -2129,8 +2129,8 @@ client encNMsgMeta = C.cbEncrypt rcvNtfDhSecret ntfNonce (smpEncode msgMeta) 128 pure $ MsgNtf {ntfMsgId = msgId, ntfTs = msgTs, ntfNonce, ntfEncMeta = fromRight "" encNMsgMeta} - processForwardedCommand :: EncFwdTransmission -> M s (Maybe BrokerMsg) - processForwardedCommand (EncFwdTransmission s) = fmap (either (Just . ERR) id) . runExceptT $ do + processForwardedCommand :: EncFwdTransmission -> M s BrokerMsg + processForwardedCommand (EncFwdTransmission s) = fmap (either ERR RRES) . runExceptT $ do THAuthServer {serverPrivKey, sessSecret'} <- maybe (throwE $ transportErr TENoServerAuth) pure (thAuth thParams') sessSecret <- maybe (throwE $ transportErr TENoServerAuth) pure sessSecret' let proxyNonce = C.cbNonce $ bs corrId @@ -2145,34 +2145,32 @@ client t :| [] -> pure $ tDecodeServer clntTHParams t _ -> throwE BLOCK let clntThAuth = Just $ THAuthServer {serverPrivKey, peerClientService = Nothing, sessSecret' = Just clientSecret} - -- encrypt an inner response back to client and proxy as the RRES - -- reply (or ERR to the proxy if it cannot be batched/encrypted) - encodeResp r = either ERR id $ do - r' <- case batchTransmissions clntTHParams [Right (Nothing, encodeTransmission clntTHParams r)] of - [] -> Left INTERNAL -- at least 1 item is guaranteed from NonEmpty/Right - TBError _ _ : _ -> Left BLOCK - TBTransmission b' _ : _ -> Right b' - TBTransmissions b' _ _ : _ -> Right b' - r2 <- first (const BLOCK) $ EncResponse <$> C.cbEncrypt clientSecret (C.reverseNonce clientNonce) r' paddedProxiedTLength - let fr = FwdResponse {fwdCorrId, fwdResponse = r2} - pure $ RRES $ EncFwdResponse $ C.cbEncryptNoPad sessSecret (C.reverseNonce proxyNonce) (smpEncode fr) - lift incFwdRecv -- count every decrypted forwarded command, on either path - lift (rejectOrVerify clntThAuth t') >>= \case - -- rejectOrVerify filters allowed commands, no need to repeat it here. - Left r -> pure $ Just $ encodeResp r - Right t''@(_, (corrId', entId', cmd')) -> case cmd' of - -- forwarded RSLV resolves on a forked thread (only when a resolver is - -- configured); the forked thread encodes and sends its own RRES. - Cmd SResolver (RSLV d) -> lift $ rslvNamesEnv >>= \case - Nothing -> pure $ Just $ encodeResp (corrId', entId', ERR (NAME NO_RESOLVER)) - Just nenv -> forkCmd corrId NoEntity $ do - msg <- resolveNameMsg nenv d - pure $ encodeResp (corrId', entId', msg) - -- INTERNAL because processCommand never returns Nothing for these - -- commands; `fst` drops the empty message only returned for SUB. - _ -> Just . encodeResp . maybe (corrId', entId', ERR INTERNAL) fst <$> lift (processCommand Nothing fwdVersion (Right (M.empty, M.empty, M.empty)) t'') + -- process forwarded command + r <- + lift (rejectOrVerify clntThAuth t') >>= \case + Left r -> pure r + -- rejectOrVerify filters allowed commands, no need to repeat it here. + -- INTERNAL is used because processCommand never returns Nothing for sender commands (could be extracted for better types). + -- `fst` removes empty message that is only returned for `SUB` command + Right t''@(_, (corrId', entId', cmd')) -> case cmd' of + -- forwarded RSLV resolves synchronously here (idempotent read, no ordering concern), unlike forked direct RSLV + Cmd SResolver (RSLV d) -> (corrId', entId',) <$> lift (rslvNamesEnv >>= maybe (pure $ ERR (NAME NO_RESOLVER)) (\nenv -> resolveNameMsg nenv d)) + _ -> maybe (corrId', entId', ERR INTERNAL) fst <$> lift (processCommand Nothing fwdVersion (Right (M.empty, M.empty, M.empty)) t'') + -- encode response + r' <- case batchTransmissions clntTHParams [Right (Nothing, encodeTransmission clntTHParams r)] of + [] -> throwE INTERNAL -- at least 1 item is guaranteed from NonEmpty/Right + TBError _ _ : _ -> throwE BLOCK + TBTransmission b' _ : _ -> pure b' + TBTransmissions b' _ _ : _ -> pure b' + -- encrypt to client + r2 <- liftEitherWith (const BLOCK) $ EncResponse <$> C.cbEncrypt clientSecret (C.reverseNonce clientNonce) r' paddedProxiedTLength + -- encrypt to proxy + let fr = FwdResponse {fwdCorrId, fwdResponse = r2} + r3 = EncFwdResponse $ C.cbEncryptNoPad sessSecret (C.reverseNonce proxyNonce) (smpEncode fr) + stats <- asks serverStats + incStat $ pMsgFwdsRecv stats + pure r3 where - incFwdRecv = asks serverStats >>= incStat . pMsgFwdsRecv rejectOrVerify :: Maybe (THandleAuth 'TServer) -> SignedTransmissionOrError ErrorType Cmd -> M s (VerifiedTransmissionOrError s) rejectOrVerify clntThAuth = \case Left (corrId', entId', e) -> pure $ Left (corrId', entId', ERR e) From ae3aefd877440854568099d12d21a80d5121d539 Mon Sep 17 00:00:00 2001 From: "Evgeny @ SimpleX Chat" <259188159+evgeny-simplex@users.noreply.github.com> Date: Wed, 24 Jun 2026 12:33:21 +0000 Subject: [PATCH 31/33] async again, refactor --- src/Simplex/Messaging/Server.hs | 56 ++++++++++++++++++--------------- 1 file changed, 30 insertions(+), 26 deletions(-) diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index 9ba840f925..039fdceeb4 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -1523,7 +1523,7 @@ client SKEY k -> withQueue $ \q qr -> checkMode QMMessaging qr $ secureQueue_ q k SEND flags msgBody -> response <$> withQueue_ False err (sendMessage flags msgBody) Cmd SIdleClient PING -> pure $ response (corrId, NoEntity, PONG) - Cmd SProxyService (RFWD encBlock) -> response . (corrId, NoEntity,) <$> processForwardedCommand encBlock + Cmd SProxyService (RFWD encBlock) -> (response . (corrId, NoEntity,) =<<) <$> processForwardedCommand encBlock Cmd SResolver (RSLV d) -> rslvName where -- only fork when a resolver is configured; NO_RESOLVER is answered @@ -2129,8 +2129,8 @@ client encNMsgMeta = C.cbEncrypt rcvNtfDhSecret ntfNonce (smpEncode msgMeta) 128 pure $ MsgNtf {ntfMsgId = msgId, ntfTs = msgTs, ntfNonce, ntfEncMeta = fromRight "" encNMsgMeta} - processForwardedCommand :: EncFwdTransmission -> M s BrokerMsg - processForwardedCommand (EncFwdTransmission s) = fmap (either ERR RRES) . runExceptT $ do + processForwardedCommand :: EncFwdTransmission -> M s (Maybe BrokerMsg) + processForwardedCommand (EncFwdTransmission s) = fmap (either (Just . ERR) id) . runExceptT $ do THAuthServer {serverPrivKey, sessSecret'} <- maybe (throwE $ transportErr TENoServerAuth) pure (thAuth thParams') sessSecret <- maybe (throwE $ transportErr TENoServerAuth) pure sessSecret' let proxyNonce = C.cbNonce $ bs corrId @@ -2145,31 +2145,35 @@ client t :| [] -> pure $ tDecodeServer clntTHParams t _ -> throwE BLOCK let clntThAuth = Just $ THAuthServer {serverPrivKey, peerClientService = Nothing, sessSecret' = Just clientSecret} - -- process forwarded command - r <- - lift (rejectOrVerify clntThAuth t') >>= \case - Left r -> pure r - -- rejectOrVerify filters allowed commands, no need to repeat it here. - -- INTERNAL is used because processCommand never returns Nothing for sender commands (could be extracted for better types). - -- `fst` removes empty message that is only returned for `SUB` command - Right t''@(_, (corrId', entId', cmd')) -> case cmd' of - -- forwarded RSLV resolves synchronously here (idempotent read, no ordering concern), unlike forked direct RSLV - Cmd SResolver (RSLV d) -> (corrId', entId',) <$> lift (rslvNamesEnv >>= maybe (pure $ ERR (NAME NO_RESOLVER)) (\nenv -> resolveNameMsg nenv d)) - _ -> maybe (corrId', entId', ERR INTERNAL) fst <$> lift (processCommand Nothing fwdVersion (Right (M.empty, M.empty, M.empty)) t'') - -- encode response - r' <- case batchTransmissions clntTHParams [Right (Nothing, encodeTransmission clntTHParams r)] of - [] -> throwE INTERNAL -- at least 1 item is guaranteed from NonEmpty/Right - TBError _ _ : _ -> throwE BLOCK - TBTransmission b' _ : _ -> pure b' - TBTransmissions b' _ _ : _ -> pure b' - -- encrypt to client - r2 <- liftEitherWith (const BLOCK) $ EncResponse <$> C.cbEncrypt clientSecret (C.reverseNonce clientNonce) r' paddedProxiedTLength - -- encrypt to proxy - let fr = FwdResponse {fwdCorrId, fwdResponse = r2} - r3 = EncFwdResponse $ C.cbEncryptNoPad sessSecret (C.reverseNonce proxyNonce) (smpEncode fr) + -- encode an inner response into the RRES reply (master's tail, factored + -- so the forked RSLV path reuses it) + encodeResp r = do + r' <- case batchTransmissions clntTHParams [Right (Nothing, encodeTransmission clntTHParams r)] of + [] -> throwE INTERNAL -- at least 1 item is guaranteed from NonEmpty/Right + TBError _ _ : _ -> throwE BLOCK + TBTransmission b' _ : _ -> pure b' + TBTransmissions b' _ _ : _ -> pure b' + r2 <- liftEitherWith (const BLOCK) $ EncResponse <$> C.cbEncrypt clientSecret (C.reverseNonce clientNonce) r' paddedProxiedTLength + let fr = FwdResponse {fwdCorrId, fwdResponse = r2} + pure $ RRES $ EncFwdResponse $ C.cbEncryptNoPad sessSecret (C.reverseNonce proxyNonce) (smpEncode fr) + -- the inner response, or Nothing if forked. forwarded RSLV is forked (like direct + -- RSLV) so a slow resolution does not block other forwarded commands - the fork + -- delivers its own RRES via forkCmd; NO_RESOLVER and everything else reply in line. + r_ <- lift (rejectOrVerify clntThAuth t') >>= \case + -- rejectOrVerify filters allowed commands, no need to repeat it here. + Left r -> pure $ Just r + Right t''@(_, (corrId', entId', cmd')) -> case cmd' of + Cmd SResolver (RSLV d) -> lift $ rslvNamesEnv >>= \case + Nothing -> pure $ Just (corrId', entId', ERR (NAME NO_RESOLVER)) + Just nenv -> forkCmd corrId NoEntity $ do + msg <- resolveNameMsg nenv d + either ERR id <$> runExceptT (encodeResp (corrId', entId', msg)) + -- INTERNAL because processCommand never returns Nothing for sender commands; + -- `fst` drops the empty message only returned for SUB. + _ -> Just . maybe (corrId', entId', ERR INTERNAL) fst <$> lift (processCommand Nothing fwdVersion (Right (M.empty, M.empty, M.empty)) t'') stats <- asks serverStats incStat $ pMsgFwdsRecv stats - pure r3 + traverse encodeResp r_ where rejectOrVerify :: Maybe (THandleAuth 'TServer) -> SignedTransmissionOrError ErrorType Cmd -> M s (VerifiedTransmissionOrError s) rejectOrVerify clntThAuth = \case From 64e75164eb551b6ac0e7fbba9dcd1efbf09f498d Mon Sep 17 00:00:00 2001 From: "Evgeny @ SimpleX Chat" <259188159+evgeny-simplex@users.noreply.github.com> Date: Wed, 24 Jun 2026 14:28:06 +0000 Subject: [PATCH 32/33] different threads limit for name resolutions --- src/Simplex/Messaging/Server.hs | 20 ++++++++++---------- src/Simplex/Messaging/Server/Env/STM.hs | 9 +++++++++ src/Simplex/Messaging/Server/Main.hs | 1 + src/Simplex/Messaging/Server/Main/Init.hs | 6 +++++- tests/SMPClient.hs | 1 + 5 files changed, 26 insertions(+), 11 deletions(-) diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index 039fdceeb4..00e2a24df0 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -1468,22 +1468,22 @@ client Nothing -> inc False pRequests >> inc False pErrorsConnect $> Just (ERR $ PROXY NO_SESSION) where forkProxiedCmd :: M s BrokerMsg -> M s (Maybe BrokerMsg) - forkProxiedCmd = forkCmd corrId (EntityId sessId) + forkProxiedCmd = forkCmd serverClientConcurrency corrId (EntityId sessId) -- Run a slow command on a forked, back-pressured thread, sending its response - -- to sndQ from the thread so command processing is not blocked. Used for - -- proxying and name resolution. - forkCmd :: CorrId -> EntityId -> M s BrokerMsg -> M s (Maybe a) - forkCmd corrId entId cmdAction = do + -- to sndQ from the thread so command processing is not blocked. The concurrency + -- selector picks the per-connection limit (proxying vs name resolution). + forkCmd :: (ServerConfig s -> Int) -> CorrId -> EntityId -> M s BrokerMsg -> M s (Maybe a) + forkCmd concurrency corrId entId cmdAction = do bracket_ wait signal . forkClient clnt (B.unpack $ "client $" <> encode sessionId <> " cmd") $ -- commands MUST be processed under a reasonable timeout or the client would halt cmdAction >>= \t -> atomically $ writeTBQueue sndQ ([(corrId, entId, t)], []) pure Nothing where wait = do - ServerConfig {serverClientConcurrency} <- asks config + limit <- asks (concurrency . config) atomically $ do used <- readTVar procThreads - when (used >= serverClientConcurrency) retry + when (used >= limit) retry writeTVar procThreads $! used + 1 signal = atomically $ modifyTVar' procThreads (\t -> t - 1) -- Account an RSLV request and look up the resolver, shared by the direct and @@ -1500,7 +1500,7 @@ client -- The actual resolution: resolve a parsed name via the configured resolver -- and count the outcome (the name is already validated at parse). Run on a -- forked thread so a slow RSLV does not block other commands; concurrency is - -- bounded by per-client procThreads in forkCmd, like every forwarded command. + -- bounded by serverResolverConcurrency in forkCmd. resolveNameMsg :: NamesEnv -> SimplexNameDomain -> M s BrokerMsg resolveNameMsg nenv d = do st <- asks (rslvStats . serverStats) @@ -1531,7 +1531,7 @@ client -- thread so a slow RSLV does not block other commands. rslvName = rslvNamesEnv >>= \case Nothing -> pure $ response (corrId, NoEntity, ERR (NAME NO_RESOLVER)) - Just nenv -> forkCmd corrId NoEntity (resolveNameMsg nenv d) + Just nenv -> forkCmd serverResolverConcurrency corrId NoEntity (resolveNameMsg nenv d) Cmd SSenderLink command -> case command of LKEY k -> withQueue $ \q qr -> checkMode QMMessaging qr $ secureQueue_ q k $>> getQueueLink_ q qr LGET -> withQueue $ \q qr -> checkContact qr $ getQueueLink_ q qr @@ -2165,7 +2165,7 @@ client Right t''@(_, (corrId', entId', cmd')) -> case cmd' of Cmd SResolver (RSLV d) -> lift $ rslvNamesEnv >>= \case Nothing -> pure $ Just (corrId', entId', ERR (NAME NO_RESOLVER)) - Just nenv -> forkCmd corrId NoEntity $ do + Just nenv -> forkCmd serverResolverConcurrency corrId NoEntity $ do msg <- resolveNameMsg nenv d either ERR id <$> runExceptT (encodeResp (corrId', entId', msg)) -- INTERNAL because processCommand never returns Nothing for sender commands; diff --git a/src/Simplex/Messaging/Server/Env/STM.hs b/src/Simplex/Messaging/Server/Env/STM.hs index 53c6f2c207..b4333959f7 100644 --- a/src/Simplex/Messaging/Server/Env/STM.hs +++ b/src/Simplex/Messaging/Server/Env/STM.hs @@ -67,6 +67,7 @@ module Simplex.Messaging.Server.Env.STM defaultNtfExpiration, defaultInactiveClientExpiration, defaultProxyClientConcurrency, + defaultNameResolverConcurrency, defaultMaxJournalMsgCount, defaultMaxJournalStateLines, defaultIdleQueueInterval, @@ -198,6 +199,11 @@ data ServerConfig s = ServerConfig smpAgentCfg :: SMPClientAgentConfig, allowSMPProxy :: Bool, -- auth is the same with `newQueueBasicAuth` serverClientConcurrency :: Int, + -- | max concurrent name resolutions per connection, enforced in forkCmd. + -- Much higher than serverClientConcurrency: forwarded RSLVs from many clients + -- aggregate over a single proxy->relay connection (only servers send proxied + -- requests), so bounding them by the per-client limit would throttle unduly. + serverResolverConcurrency :: Int, -- | public-namespace resolver config; Nothing disables the names role namesConfig :: Maybe NamesConfig, -- | server public information @@ -246,6 +252,9 @@ defaultInactiveClientExpiration = defaultProxyClientConcurrency :: Int defaultProxyClientConcurrency = 32 +defaultNameResolverConcurrency :: Int +defaultNameResolverConcurrency = 1000 + journalMsgStoreDepth :: Int journalMsgStoreDepth = 5 diff --git a/src/Simplex/Messaging/Server/Main.hs b/src/Simplex/Messaging/Server/Main.hs index a2b66e3bd4..2f74f6cd50 100644 --- a/src/Simplex/Messaging/Server/Main.hs +++ b/src/Simplex/Messaging/Server/Main.hs @@ -608,6 +608,7 @@ smpServerCLI_ generateSite serveStaticFiles attachStaticFiles cfgPath logPath = }, allowSMPProxy = True, serverClientConcurrency = readIniDefault defaultProxyClientConcurrency "PROXY" "client_concurrency" ini, + serverResolverConcurrency = readIniDefault defaultNameResolverConcurrency "NAMES" "resolver_concurrency" ini, namesConfig = readNamesConfig ini, information = serverPublicInfo ini, startOptions diff --git a/src/Simplex/Messaging/Server/Main/Init.hs b/src/Simplex/Messaging/Server/Main/Init.hs index a4aa463d9d..89df1ad93a 100644 --- a/src/Simplex/Messaging/Server/Main/Init.hs +++ b/src/Simplex/Messaging/Server/Main/Init.hs @@ -166,7 +166,11 @@ iniFileContent cfgPath logPath opts host basicAuth controlPortPwds = \# resolver_endpoint: https://names.simplex.chat:443\n\ \# resolver_auth: basic :\n\ \# resolver_timeout_ms: 3000\n\ - \# resolver_max_response_bytes: 16000\n\n\ + \# resolver_max_response_bytes: 16000\n\ + \# Max concurrent name resolutions per connection (forwarded RSLVs from many\n\ + \# clients share one proxy connection, so this is much higher than PROXY client_concurrency).\n" + <> ("# resolver_concurrency = " <> tshow defaultNameResolverConcurrency) + <> "\n\n\ \[INACTIVE_CLIENTS]\n\ \# TTL and interval to check inactive clients\n\ \disconnect = on\n" diff --git a/tests/SMPClient.hs b/tests/SMPClient.hs index 2ee9b509f0..1c87a5f83c 100644 --- a/tests/SMPClient.hs +++ b/tests/SMPClient.hs @@ -278,6 +278,7 @@ cfgMS msType = withStoreCfg (testServerStoreConfig msType) $ \serverStoreCfg -> smpAgentCfg = defaultSMPClientAgentConfig {persistErrorInterval = 1}, -- seconds allowSMPProxy = False, serverClientConcurrency = 2, + serverResolverConcurrency = defaultNameResolverConcurrency, namesConfig = Nothing, information = Nothing, startOptions = defaultStartOptions From b6d0bb585f34ce47f4c464b04e4f759d87812711 Mon Sep 17 00:00:00 2001 From: Evgeny Poberezkin Date: Wed, 24 Jun 2026 14:31:34 +0100 Subject: [PATCH 33/33] remove comment --- src/Simplex/Messaging/Server.hs | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/src/Simplex/Messaging/Server.hs b/src/Simplex/Messaging/Server.hs index 00e2a24df0..5c9e45a047 100644 --- a/src/Simplex/Messaging/Server.hs +++ b/src/Simplex/Messaging/Server.hs @@ -1524,14 +1524,9 @@ client SEND flags msgBody -> response <$> withQueue_ False err (sendMessage flags msgBody) Cmd SIdleClient PING -> pure $ response (corrId, NoEntity, PONG) Cmd SProxyService (RFWD encBlock) -> (response . (corrId, NoEntity,) =<<) <$> processForwardedCommand encBlock - Cmd SResolver (RSLV d) -> rslvName - where - -- only fork when a resolver is configured; NO_RESOLVER is answered - -- without forking. Like proxying, the resolution runs on a forked - -- thread so a slow RSLV does not block other commands. - rslvName = rslvNamesEnv >>= \case - Nothing -> pure $ response (corrId, NoEntity, ERR (NAME NO_RESOLVER)) - Just nenv -> forkCmd serverResolverConcurrency corrId NoEntity (resolveNameMsg nenv d) + Cmd SResolver (RSLV d) -> rslvNamesEnv >>= \case + Nothing -> pure $ response (corrId, NoEntity, ERR (NAME NO_RESOLVER)) + Just nenv -> forkCmd serverResolverConcurrency corrId NoEntity (resolveNameMsg nenv d) Cmd SSenderLink command -> case command of LKEY k -> withQueue $ \q qr -> checkMode QMMessaging qr $ secureQueue_ q k $>> getQueueLink_ q qr LGET -> withQueue $ \q qr -> checkContact qr $ getQueueLink_ q qr