feat(core): validatorapi voluntary exit + validator registration handlers#491
Open
varex83agent wants to merge 15 commits into
Open
feat(core): validatorapi voluntary exit + validator registration handlers#491varex83agent wants to merge 15 commits into
varex83agent wants to merge 15 commits into
Conversation
Threads the Handler through Axum state via AppState<H> + with_state, wires the node_version route to the real handler, and adds a TestHandler mock that future PRs will extend per-endpoint.
Re-uses the auto-generated pluto_eth2api envelopes (GetProposerDutiesResponseResponse, GetVersionResponseResponse) as the on-the-wire shape rather than hand-rolling parallel types. node_version is migrated to the same pattern; the body.rs hand-rolled wrapper module is removed.
Drops the per-handler generic parameter and routes through Arc<dyn Handler> via AppState. The Handler trait is object-safe (Send + Sync + 'static + async_trait-generated methods), so this is a pure type change with no surface impact.
Adds the Handler impl that the router has been calling through.
node_version returns the obolnetwork/pluto/{version}-{commit}/{arch}-{os}
identity string; proposer_duties calls the upstream beacon node and
rewrites known DV root public keys to this node's public share so the
validator client sees keys matching its keystore. The remaining 17
trait methods are unimplemented!() stubs that land per-PR as their
router handlers are ported.
Wires POST /eth/v1/validator/duties/attester/{epoch}: dual-format
(numeric or string-encoded) validator index body, upstream call,
pubshare swap.
Wires POST /eth/v1/validator/duties/sync/{epoch}, reusing the
ValIndexes dual-format body extractor.
Wires GET /eth/v1/validator/attestation_data. The Component now holds an Arc<MemDB> and awaits unsigned attestation data from the local DutyDB rather than hitting upstream.
Bug fixes (must-fix per review):
- attestation_data: wrap MemDB::await_attestation in tokio::time::timeout
(24s) so a request for a slot that never produces consensus output
cannot hold a handler task indefinitely. delete_duty now records
evicted keys per duty type and notifies waiters, so await_data returns
Error::AwaitDutyExpired immediately when the awaited duty is gone
instead of spinning until the timeout fires. Maps to 408 on the wire.
- Stop leaking upstream BlindedBlock400Response Debug output (incl.
stacktraces) into the client-visible ApiError.message. The variant
payload is now attached as `source` for debug logs; the message stays
generic.
Hardening:
- new_insecure is gated behind #[cfg(test)] so the insecure_test flag
cannot reach production builds.
- new_router applies DefaultBodyLimit::max(64 KiB) on the two
POST /duties/{attester,sync}/{epoch} routes — defends against the
Vec<u64> parse amplification on the ValIndexes deserializer.
- All upstream eth2_cl calls are wrapped in tokio::time::timeout(12s)
so a hanging beacon node cannot stall handler tasks.
- proposer_duties / attester_duties / sync_committee_duties propagate
upstream BadRequest as 400 and ServiceUnavailable as 503 instead of
collapsing every non-Ok variant to 502 — the VC can now back off on
upstream syncing instead of treating it as a gateway failure.
- swap_attester_pubshares / swap_sync_committee_pubshares now return
500 (cluster misconfig) instead of 502 when a pubshare is missing —
the upstream returned well-formed data, the failure is local.
ValIndexes:
- Replace #[serde(untagged)] with a streaming Visitor that validates
each element via SeqAccess::next_element. Avoids the speculative
Vec<u64> parse and the serde Content cache. Now accepts mixed
numeric/string elements and rejects negative integers.
- Hard cap at 8192 indices per request.
ApiError:
- with_boxed_source for sources that aren't std::error::Error (e.g.
anyhow::Error from auto-gen request builders).
Router:
- attestation_data uses Result<Query<...>, QueryRejection> so 4xx
responses from missing/malformed query params share the same
{ code, message } envelope as the rest of the router.
Tests (+13):
- attestation_data: timeout when data never arrives; 408 when duty is
evicted while a waiter is parked; cancellation cleanup when the
handler future is dropped; negative lookup on wrong committee_index.
- Status-mapping helpers: confirm upstream Debug output is never
serialized into the message.
- Router: ApiError envelope on bad query; oversized body rejection;
ValIndexes empty/mixed/oversized/negative cases.
Co-Authored-By: Bohdan Ohorodnii <35969035+varex83@users.noreply.github.com>
Ports `Validators` from `core/validatorapi/validatorapi.go` (lines 1218–1296)
together with the `convertValidators` helper (lines 1305–1332). The handler
translates VC-supplied pubshares back to the cluster's root pubkeys before
calling the upstream `POST /eth/v1/beacon/states/{state_id}/validators`
endpoint, then rewrites each returned validator's inner pubkey from the
root key to this node's public share so the downstream VC sees the share
it is configured to sign with.
`ignoreNotFound` follows the Go semantics: when the request filtered by
indices, an upstream validator that is not part of this cluster surfaces
as 500 (`pubshare not found`); otherwise the entry passes through with
its root pubkey unchanged. Upstream timeouts surface as 504, transport
failures as 502, and a malformed pubkey from the upstream as 502.
Upstream 400 / 404 propagate faithfully without leaking the upstream
body into the client-visible message.
`Validator` is aliased to the auto-generated
`GetStateValidatorsResponseResponseDatum`, matching the established
pattern for the other duty types in `validatorapi/types.rs`.
Co-Authored-By: Bohdan Ohorodnii <35969035+varex83@users.noreply.github.com>
Resolve conflicts against squash-merged main: - types.rs / component.rs: keep the new `validators` handler, `convert_validators`, and `invert_pub_share_map` (PR's unique work), adapting the upstream request to main's struct-literal `PostStateValidatorsRequest`/`Component::new` (now takes a `validator_cache`); alias `Validator` to the eth2api datum. - router.rs / dutydb/memory.rs: take main's evolved versions (JSON rejection + content-type middleware; eviction high-water mark). Co-Authored-By: Bohdan Ohorodnii <35969035+varex83@users.noreply.github.com>
…lers Implement the axum router handlers that were todo!() for the already-merged component logic, plus the two infra pieces, so the validator API surface is reachable end to end: - proxy_handler fallback: reverse-proxy to the beacon node with basic-auth, Host rewrite, hop-by-hop header stripping, and a proxy-latency metric. - submit_proposal_preparations: no-op swallow (200). - propose_block_v3: versioned block response with the consensus version / payload-value headers; builder_enabled maxes the boost. - submit_proposal / submit_blinded_block: per-fork (de)serialization keyed by the Eth-Consensus-Version header (JSON or SSZ body). - get_validators / get_validator: id batch dispatched on the first element's 0x prefix, matching Charon's getValidatorsByID. new_router gains an upstream_base_url argument and AppState carries a reqwest client for the proxy. Adds public per-fork SSZ block-body decoders in ssz_codec and extends the TestHandler stubs. Go reference: charon core/validatorapi/router.go (v1.7.1). Co-Authored-By: Bohdan Ohorodnii <35969035+varex83@users.noreply.github.com>
- proxy: stream the upstream response body instead of buffering, so the long-lived SSE /eth/v1/events stream proxies incrementally (reqwest bytes_stream + axum Body::from_stream; enable reqwest "stream"). - proxy: strip the client Authorization header when the upstream URL carries credentials, avoiding a duplicate/conflicting Authorization. - propose_block_v3: always send builder_boost_factor (0 when builder mode is off, u64::MAX when on), matching Charon. - request_is_ssz: reject a non-ASCII Content-Type with 415 instead of silently treating it as JSON. - ssz_codec: drop the dead `blinded` parameter from decode_signed_proposal_block_body (full-block decoder only). - move the use blocks above the const declarations in router.rs. - add an SSZ-body submit test; drop Go line-number anchors from doc comments. Co-Authored-By: Bohdan Ohorodnii <35969035+varex83@users.noreply.github.com>
…ation handlers Port the validator-lifecycle endpoints from Charon v1.7.1: - POST /eth/v1/beacon/pool/voluntary_exits (submit_exit): JSON-only, looks up the DV root pubkey from the active-validator cache, builds an Exit duty at slot = slots_per_epoch * exit.epoch, verifies the partial signature under DOMAIN_VOLUNTARY_EXIT, and broadcasts to subscribers. - POST /eth/v1/validator/register_validator (submit_validator_registrations): JSON or SSZ array body. Empty list and builder-disabled inputs are swallowed; non-distributed-validator keys are swallowed; each managed registration maps its timestamp to a slot via slot_from_timestamp, is verified under DOMAIN_APPLICATION_BUILDER (epoch 0), and broadcast. Supporting changes: - eth2util: add helpers::slot_from_timestamp (genesis time + slot duration, with the pre-genesis current-time fallback). - eth2api v1: derive ssz Encode/Decode on (Signed)ValidatorRegistration. - core ssz_codec: decode_signed_validator_registrations for the bare 180-byte concatenation, with the invalid-buffer-size guard. - validatorapi types: back SignedValidatorRegistration / SignedVoluntaryExit with the real consensus-spec payloads. Co-Authored-By: Bohdan Ohorodnii <35969035+varex83@users.noreply.github.com>
- Bound register_validator: per-route body limit + REGISTRATIONS_MAX_LEN element cap so a single caller cannot drive unbounded upstream fan-out. - Wrap the previously un-timed upstream calls (fetch_slots_config in submit_voluntary_exit, slot_from_timestamp in submit_registration) in UPSTREAM_REQUEST_TIMEOUT, matching the rest of the component. - Add HelperError::SlotComputation so slot arithmetic failures are no longer reported as "fetch slots config". - Go parity: voluntary-exit success logs at info!; JSON decode failures return "failed parsing json request body". - Remove Go cross-reference comments and now-stale #[allow(dead_code)] attributes; collapse verify_par_signed_proposal onto the shared verify_par_signed helper. - Tests: multi-registration batch (in-order success + halt-on-error); stronger before-genesis slot_from_timestamp assertion. Co-Authored-By: Bohdan Ohorodnii <35969035+varex83@users.noreply.github.com>
Collaborator
Author
/loop-review-pr summaryRan 1 review-and-fix iteration against this PR (four parallel reviewers: functional-parity, security, rust-style, code-quality). Terminated by: completion_promise (PR ideal — no remaining bug/major findings, gates green). Quality gates (final)
(Note: Resolved during the loopMajor (4)
Minor (6)
Nits (1)
OutstandingNone at bug/major severity. A couple of nits were considered and intentionally not taken: replacing the VerdictPR is ideal — all bug/major findings resolved, gates green. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Ports the validator-lifecycle validatorapi endpoints from Charon v1.7.1, wiring both the
Componenthandler logic and the axum router so the routes are reachable end-to-end (no moretodo!()/unimplemented!()for these endpoints).POST /eth/v1/beacon/pool/voluntary_exits→submit_voluntary_exitPOST /eth/v1/validator/register_validator→submit_validator_registrationsScope
Component (
crates/core/src/validatorapi/component.rs)submit_voluntary_exit: looks up the DV root pubkey from the active-validator cache ("validator not found"→ 400 on miss), builds anExitduty atslot = slots_per_epoch * exit.epoch, verifies the partial signature underDOMAIN_VOLUNTARY_EXIT(epoch =exit.message.epoch), and fans out the partial-signed data to subscribers.submit_validator_registrations: empty list → no-op; builder mode disabled → swallow; per registration, non-distributed-validator keys are swallowed, the timestamp maps to a slot viaslot_from_timestamp, aBuilderRegistrationduty is built, the partial signature is verified underDOMAIN_APPLICATION_BUILDER(epoch 0), and the result is broadcast.Router (
router.rs)submit_exit: JSON-only; SSZ/unrecognised content types → 415, empty body → 400, malformed JSON → 400.submit_validator_registrations: JSON array or bare SSZ concatenation (180-byte fixed objects); misaligned SSZ → 415, empty body → 400.Supporting
eth2util::helpers::slot_from_timestamp— genesis time + slot duration mapping with the pre-genesis current-time fallback.eth2apiv1: derivesszEncode/DecodeonValidatorRegistration/SignedValidatorRegistration.ssz_codec::decode_signed_validator_registrations— bare 180-byte array decode withinvalid buffer sizeguard.validatorapi::types: backSignedValidatorRegistration/SignedVoluntaryExitwith the real consensus-spec payloads (were empty placeholders).Go references (v1.7.1)
core/validatorapi/validatorapi.go:SubmitVoluntaryExit,SubmitValidatorRegistrations,submitRegistration,SlotFromTimestamp,verifyPartialSig.core/validatorapi/router.go:submitExit,submitValidatorRegistrations,unmarshal, content negotiation inwrap.core/validatorapi/eth2types.go:signedValidatorRegistrations(SSZ 180-byte element size).core/eth2signeddata.go: exit domainDOMAIN_VOLUNTARY_EXIT/ epoch = message epoch; registration domainDOMAIN_APPLICATION_BUILDER/ epoch 0.Test coverage
slots_per_epoch * epoch), unknown-validator 400, bad-signature reject; registration builder-disabled swallow, empty no-op, non-DV swallow, verify+broadcast (timestamp→slot), bad-signature reject.ssz_codec: registration array round-trip, misaligned-buffer reject, empty-is-empty.eth2util:slot_from_timestampnormal mapping + pre-genesis fallback.Gates
cargo +nightly fmt --all --check✅cargo clippy --workspace --all-targets --all-features -- -D warnings✅cargo test --workspace✅ (1612 passed, 0 failed)cargo deny check✅Note:
cargo test --all-featuresis Docker-gated in this sandbox (eth2apiintegrationfeature spins a Lighthouse testcontainer that never readies). The functional gate iscargo test --workspace(default features);--all-featureswas confirmed to compile and is clippy-clean.Stacks on PR #488 (PR 1 — proxy + proposal/validators wiring).
🤖 Generated with Claude Code