Merge pull request #23 from n0-computer/signed-announce

Signed announce

Author: rklaehn

content-discovery/Cargo.lock

@@ -38,15 +38,6 @@ impl ContentArg {
             },
         }
     }
-
-    /// Get the host of the content. Only defined for tickets.
-    pub fn host(&self) -> Option<NodeId> {
-        match self {
-            ContentArg::Hash(_) => None,
-            ContentArg::HashAndFormat(_) => None,
-            ContentArg::Ticket(ticket) => Some(ticket.node_addr().node_id),
-        }
-    }
 }
 
 impl Display for ContentArg {
@@ -81,16 +72,12 @@ pub struct AnnounceArgs {
     #[clap(long)]
     pub tracker: NodeId,
 
-    /// The host to announce. Not needed if content is a ticket.
-    #[clap(long)]
-    pub host: Option<NodeId>,
-
     /// The content to announce.
     ///
     /// Content can be specified as a hash, a hash and format, or a ticket.
     /// If a hash is specified, the format is assumed to be raw.
     /// Unless a ticket is specified, the host must be specified.
-    pub content: Vec<ContentArg>,
+    pub content: ContentArg,
 
     /// Announce that the peer has only partial data.
     #[clap(long)]

content-discovery/iroh-mainline-content-discovery-cli/src/args.rs

@@ -1,8 +1,8 @@
 pub mod args;
 
 use std::{
-    collections::BTreeSet,
     net::{Ipv4Addr, SocketAddr, SocketAddrV4},
+    str::FromStr,
 };
 
 use anyhow::Context;
@@ -11,7 +11,7 @@ use clap::Parser;
 use futures::StreamExt;
 use iroh_mainline_content_discovery::{
     create_quinn_client,
-    protocol::{Announce, AnnounceKind, Query, QueryFlags, ALPN},
+    protocol::{AbsoluteTime, Announce, AnnounceKind, Query, QueryFlags, SignedAnnounce, ALPN},
     to_infohash,
 };
 use iroh_net::{
@@ -54,44 +54,32 @@ pub async fn accept_conn(
 
 async fn announce(args: AnnounceArgs) -> anyhow::Result<()> {
     // todo: uncomment once the connection problems are fixed
-    // for now, a random node id is more reliable.
-    // let key = load_secret_key(tracker_path(CLIENT_KEY)?).await?;
-    let key = iroh_net::key::SecretKey::generate();
-    let content = args.content.iter().map(|x| x.hash_and_format()).collect();
-    let host = if let Some(host) = args.host {
-        host
-    } else {
-        let hosts = args
-            .content
-            .iter()
-            .filter_map(|x| x.host())
-            .collect::<BTreeSet<_>>();
-        if hosts.len() != 1 {
-            anyhow::bail!(
-                "content for all tickets must be from the same host, unless a host is specified"
-            );
-        }
-        *hosts.iter().next().unwrap()
+    let Ok(key) = std::env::var("ANNOUNCE_SECRET") else {
+        eprintln!("ANNOUNCE_SECRET environment variable must be set to a valid secret key");
+        anyhow::bail!("ANNOUNCE_SECRET env var not set");
     };
-    println!("announcing to {}", args.tracker);
-    println!("host {} has", host);
-    for content in &content {
-        println!("    {}", content);
-    }
-    let endpoint = create_endpoint(key, args.magic_port.unwrap_or_default(), false).await?;
+    let Ok(key) = iroh_net::key::SecretKey::from_str(&key) else {
+        anyhow::bail!("ANNOUNCE_SECRET env var is not a valid secret key");
+    };
+    let content = args.content.hash_and_format();
+    println!("announcing to {}: {}", args.tracker, content);
+    let endpoint = create_endpoint(key.clone(), args.magic_port.unwrap_or_default(), false).await?;
     let connection = endpoint.connect_by_node_id(&args.tracker, ALPN).await?;
     println!("connected to {:?}", connection.remote_address());
     let kind = if args.partial {
         AnnounceKind::Partial
     } else {
         AnnounceKind::Complete
     };
+    let timestamp = AbsoluteTime::now();
     let announce = Announce {
-        host,
+        host: key.public(),
         kind,
         content,
+        timestamp,
     };
-    iroh_mainline_content_discovery::announce(connection, announce).await?;
+    let signed_announce = SignedAnnounce::new(announce, &key)?;
+    iroh_mainline_content_discovery::announce(connection, signed_announce).await?;
     println!("done");
     Ok(())
 }
@@ -114,8 +102,12 @@ async fn query(args: QueryArgs) -> anyhow::Result<()> {
         "querying tracker {} for content {}",
         args.tracker, args.content
     );
-    for peer in res.hosts {
-        println!("{}", peer);
+    for sa in res.hosts {
+        if sa.verify().is_ok() {
+            println!("{}: {:?}", sa.announce.host, sa.announce.kind);
+        } else {
+            println!("invalid announce");
+        }
     }
     Ok(())
 }
@@ -143,7 +135,13 @@ async fn query_dht(args: QueryDhtArgs) -> anyhow::Result<()> {
     );
     while let Some(item) = stream.next().await {
         match item {
-            Ok(provider) => println!("found provider {}", provider),
+            Ok(announce) => {
+                if announce.verify().is_ok() {
+                    println!("found verified provider {}", announce.host);
+                } else {
+                    println!("found unverified provider");
+                }
+            }
             Err(e) => println!("error: {}", e),
         }
     }

content-discovery/iroh-mainline-content-discovery-cli/src/main.rs

@@ -26,6 +26,7 @@ futures = { version = "0.3.25", optional = true }
 rcgen = { version = "0.12.0", optional = true }
 rustls = { version = "0.21", optional = true }
 genawaiter = { version = "0.99.1", features = ["futures03"], optional = true }
+serde-big-array = "0.5.1"
 
 [features]
 client = ["iroh-pkarr-node-discovery", "mainline", "quinn", "tracing", "anyhow", "rcgen", "genawaiter", "rustls", "futures", "postcard"]

content-discovery/iroh-mainline-content-discovery/Cargo.toml

@@ -13,7 +13,7 @@ use iroh_pkarr_node_discovery::PkarrNodeDiscovery;
 use mainline::common::{GetPeerResponse, StoreQueryMetdata};
 
 use crate::protocol::{
-    Announce, Query, QueryResponse, Request, Response, ALPN, REQUEST_SIZE_LIMIT,
+    Query, QueryResponse, Request, Response, SignedAnnounce, ALPN, REQUEST_SIZE_LIMIT,
 };
 
 /// Announce to a tracker.
@@ -24,10 +24,13 @@ use crate::protocol::{
 /// `tracker` is the node id of the tracker to announce to. It must understand the [TRACKER_ALPN] protocol.
 /// `content` is the content to announce.
 /// `kind` is the kind of the announcement. We can claim to have the complete data or only some of it.
-pub async fn announce(connection: quinn::Connection, args: Announce) -> anyhow::Result<()> {
+pub async fn announce(
+    connection: quinn::Connection,
+    signed_announce: SignedAnnounce,
+) -> anyhow::Result<()> {
     let (mut send, mut recv) = connection.open_bi().await?;
     tracing::debug!("opened bi stream");
-    let request = Request::Announce(args);
+    let request = Request::Announce(signed_announce);
     let request = postcard::to_stdvec(&request)?;
     tracing::debug!("sending announce");
     send.write_all(&request).await?;
@@ -65,7 +68,7 @@ async fn query_socket_one(
     endpoint: impl QuinnConnectionProvider<SocketAddr>,
     addr: SocketAddr,
     args: Query,
-) -> anyhow::Result<Vec<NodeId>> {
+) -> anyhow::Result<Vec<SignedAnnounce>> {
     let connection = endpoint.connect(addr).await?;
     let result = query(connection, args).await?;
     Ok(result.hosts)
@@ -75,7 +78,7 @@ async fn query_magic_one(
     endpoint: MagicEndpoint,
     node_id: &NodeId,
     args: Query,
-) -> anyhow::Result<Vec<NodeId>> {
+) -> anyhow::Result<Vec<SignedAnnounce>> {
     let connection = endpoint.connect_by_node_id(node_id, ALPN).await?;
     let result = query(connection, args).await?;
     Ok(result.hosts)
@@ -101,7 +104,7 @@ pub fn query_trackers(
     trackers: impl IntoIterator<Item = NodeId>,
     args: Query,
     query_parallelism: usize,
-) -> impl Stream<Item = anyhow::Result<NodeId>> {
+) -> impl Stream<Item = anyhow::Result<SignedAnnounce>> {
     futures::stream::iter(trackers)
         .map(move |tracker| {
             let endpoint = endpoint.clone();
@@ -123,7 +126,7 @@ pub fn query_dht(
     dht: mainline::dht::Dht,
     args: Query,
     query_parallelism: usize,
-) -> impl Stream<Item = anyhow::Result<NodeId>> {
+) -> impl Stream<Item = anyhow::Result<SignedAnnounce>> {
     let dht = dht.as_async();
     let info_hash = to_infohash(args.content);
     let response: mainline::common::Response<GetPeerResponse> = dht.get_peers(info_hash);

content-discovery/iroh-mainline-content-discovery/src/client.rs

@@ -1,8 +1,13 @@
 //! The protocol for communicating with the tracker.
+use std::{
+    ops::{Deref, Sub},
+    time::{Duration, SystemTime},
+};
+
 use iroh_bytes::HashAndFormat;
 use iroh_net::NodeId;
 use serde::{Deserialize, Serialize};
-use std::collections::BTreeSet;
+use serde_big_array::BigArray;
 
 /// The ALPN string for this protocol
 pub const ALPN: &[u8] = b"n0/tracker/1";
@@ -28,20 +33,98 @@ impl AnnounceKind {
     }
 }
 
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, Default)]
+pub struct AbsoluteTime(u64);
+
+impl AbsoluteTime {
+    pub fn now() -> Self {
+        Self::try_from(SystemTime::now()).unwrap()
+    }
+}
+
+impl Sub for AbsoluteTime {
+    type Output = Duration;
+
+    fn sub(self, rhs: Self) -> Self::Output {
+        Duration::from_micros(self.0 - rhs.0)
+    }
+}
+
+impl TryFrom<SystemTime> for AbsoluteTime {
+    type Error = anyhow::Error;
+
+    fn try_from(value: SystemTime) -> Result<Self, Self::Error> {
+        Ok(Self(
+            value
+                .duration_since(std::time::UNIX_EPOCH)
+                .expect("Time went backwards")
+                .as_micros()
+                .try_into()
+                .expect("time too large"),
+        ))
+    }
+}
+
+impl From<AbsoluteTime> for SystemTime {
+    fn from(value: AbsoluteTime) -> Self {
+        std::time::UNIX_EPOCH + Duration::from_micros(value.0)
+    }
+}
+
 /// Announce that a peer claims to have some blobs or set of blobs.
 ///
 /// A peer can announce having some data, but it should also be able to announce
 /// that another peer has the data. This is why the peer is included.
-#[derive(Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
 pub struct Announce {
     /// The peer that supposedly has the data.
-    ///
-    /// Should we get this from the connection?
     pub host: NodeId,
-    /// The blobs or sets that the peer claims to have.
-    pub content: BTreeSet<HashAndFormat>,
+    /// The content that the peer claims to have.
+    pub content: HashAndFormat,
     /// The kind of the announcement.
     pub kind: AnnounceKind,
+    /// The timestamp of the announce.
+    pub timestamp: AbsoluteTime,
+}
+
+/// A signed announce.
+#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
+pub struct SignedAnnounce {
+    /// Announce.
+    pub announce: Announce,
+    /// Signature of the announce, signed by the host of the announce.
+    ///
+    /// The signature is over the announce, serialized with postcard.
+    #[serde(with = "BigArray")]
+    pub signature: [u8; 64],
+}
+
+impl Deref for SignedAnnounce {
+    type Target = Announce;
+
+    fn deref(&self) -> &Self::Target {
+        &self.announce
+    }
+}
+
+impl SignedAnnounce {
+    /// Create a new signed announce.
+    pub fn new(announce: Announce, secret_key: &iroh_net::key::SecretKey) -> anyhow::Result<Self> {
+        let announce_bytes = postcard::to_allocvec(&announce)?;
+        let signature = secret_key.sign(&announce_bytes).to_bytes();
+        Ok(Self {
+            announce,
+            signature,
+        })
+    }
+
+    /// Verify the announce, and return the announce if it's valid.
+    pub fn verify(&self) -> anyhow::Result<()> {
+        let announce_bytes = postcard::to_allocvec(&self.announce)?;
+        let signature = iroh_net::key::Signature::from_bytes(&self.signature);
+        self.announce.host.verify(&announce_bytes, &signature)?;
+        Ok(())
+    }
 }
 
 ///
@@ -76,20 +159,18 @@ pub struct Query {
 /// A response to a query.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct QueryResponse {
-    /// The content that was queried.
-    pub content: HashAndFormat,
     /// The hosts that supposedly have the content.
     ///
     /// If there are any addrs, they are as seen from the tracker,
     /// so they might or might not be useful.
-    pub hosts: Vec<NodeId>,
+    pub hosts: Vec<SignedAnnounce>,
 }
 
 /// A request to the tracker.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub enum Request {
     /// Announce info
-    Announce(Announce),
+    Announce(SignedAnnounce),
     /// Query info
     Query(Query),
 }