feat(core): implement validatorapi proposal + submit_proposal + submit_blinded_proposal handlers #461

Open
varex83agent wants to merge 11 commits into bohdan/validatorapi-plumbing from bohdan/validatorapi-proposal

@varex83agent
Collaborator

Summary

Ports the three proposal endpoints from
core/validatorapi/validatorapi.go in Charon v1.7.1:

  • Proposal (validatorapi.go:388-450). Resolves the proposer
    pubkey via a new proposer_pubkey_fn hook, derives the epoch from
    the slot through the upstream beacon node, builds a partial
    SignedRandao wrapper, runs verify_partial_sig against this
    node's pubshare, fans out the randao parsig to subscribers, then
    blocks (24s ~ 2 slots) on await_proposal_fn for the consensus
    proposal landing in the dutydb. The return envelope matches Go's
    wrapResponse(proposal) — no metadata.
  • SubmitProposal (validatorapi.go:551-605). Pulls the
    consensus-side unsigned proposal, validates it against the VC
    submission via a new proposal_matches_duty helper (the Rust port
    of propDataMatchesDuty), constructs a partial
    signeddata::VersionedSignedProposal::new_partial, verifies the
    partial proposer signature, and fans the parsig set out to
    subscribers.
  • SubmitBlindedProposal (validatorapi.go:606-673). Same fan-out
    shape; uses the existing from_blinded_proposal /
    new_partial_from_blinded_proposal helpers in
    signeddata::VersionedSignedProposal to bridge the blinded payload
    through the same proposal_matches_duty check.
  • getProposerPubkey (validatorapi.go:1334). Pluto's existing
    duty_def_fn is intentionally type-erased (Box<dyn Any>); this PR
    adds a typed register_proposer_pubkey hook that mirrors the
    existing register_pub_key_by_attestation shape and lets the
    proposal handlers fetch the proposer pubkey without downcasting.

The VersionedProposal / VersionedSignedProposal /
VersionedSignedBlindedProposal placeholder types in
validatorapi/types.rs are now pub use re-exports of the populated
signeddata::* / eth2api::versioned::* wrappers, so the Handler
trait carries real payloads. The trait method signatures are
unchanged.

Go reference

| Endpoint | Go (core/validatorapi/validatorapi.go) | Rust (validatorapi/component.rs) |
|---|---|---|
| Proposal | lines 388-450 | proposal |
| propDataMatchesDuty | lines 451-549 | proposal_matches_duty + per-fork helpers |
| SubmitProposal | lines 551-605 | submit_proposal |
| SubmitBlindedProposal | lines 606-673 | submit_blinded_proposal |
| getProposerPubkey | lines 1334-1349 | Component::lookup_proposer_pubkey (hook) |
| verifyPartialSig | line 1352 | Component::verify_partial_sig (PR-1) |

Test plan

  • cargo +nightly fmt --all --check
  • cargo clippy -p pluto-core --all-targets --all-features -- -D warnings
  • cargo test -p pluto-core --all-features — 386/386 passing (12 new tests)

New tests:

  • proposal_returns_proposal_from_hook_and_fans_out_randao — happy path
  • proposal_returns_blinded_proposal_in_builder_mode — builder-mode branch
  • proposal_rejects_when_proposer_pubkey_hook_missing — 503 on missing hook
  • proposal_times_out_when_consensus_proposal_never_arrives — 408 on
    PROPOSAL_TIMEOUT
  • submit_proposal_fans_out_partial_signed_to_subscribers — happy path
  • submit_proposal_rejects_version_mismatch — 400 on version diff
  • submit_proposal_rejects_proposer_index_mismatch — 400 on index diff
  • submit_proposal_rejects_blinded_mismatch — 400 on blinded flag diff
  • submit_proposal_rejects_when_verification_fails — 500 on unknown pubshare
  • submit_proposal_uses_dutydb_fallback_when_hook_missing — dutydb path
  • submit_blinded_proposal_fans_out_partial_signed_to_subscribers — happy
  • submit_blinded_proposal_rejects_proposer_index_mismatch — 400 on index
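
The bounded wait that the Proposal handler performs on the dutydb, together with the eviction behaviour listed for MemDB in this PR's commit messages, as an added example that is not the project's code. It uses std threads with Mutex/Condvar in place of tokio, keys duties by slot only, and the names DutyDb, Inner, store and AwaitError are hypothetical stand-ins.

```rust
use std::collections::{HashMap, HashSet};
use std::sync::{Arc, Condvar, Mutex};
use std::time::{Duration, Instant};

// Stand-ins (assumptions): both variants correspond to the 408 responses on the page.
#[derive(Debug, PartialEq)]
pub enum AwaitError { Timeout, Expired }

#[derive(Default)]
struct Inner { data: HashMap<u64, String>, evicted: HashSet<u64> }

#[derive(Default)]
pub struct DutyDb { inner: Mutex<Inner>, changed: Condvar }

impl DutyDb {
    pub fn store(&self, slot: u64, proposal: &str) {
        self.inner.lock().unwrap().data.insert(slot, proposal.to_string());
        self.changed.notify_all();
    }
    /// Records the evicted key and wakes waiters so they fail fast.
    pub fn delete_duty(&self, slot: u64) {
        let mut g = self.inner.lock().unwrap();
        g.data.remove(&slot);
        g.evicted.insert(slot);
        drop(g);
        self.changed.notify_all();
    }
    /// Parks until data arrives, the duty is evicted, or the deadline passes.
    pub fn await_proposal(&self, slot: u64, timeout: Duration) -> Result<String, AwaitError> {
        let deadline = Instant::now() + timeout;
        let mut g = self.inner.lock().unwrap();
        loop {
            // State is re-checked under the lock on every wake-up, so an
            // eviction that lands before the wait starts is not missed.
            if let Some(p) = g.data.get(&slot) { return Ok(p.clone()); }
            if g.evicted.contains(&slot) { return Err(AwaitError::Expired); }
            let left = deadline.saturating_duration_since(Instant::now());
            if left.is_zero() { return Err(AwaitError::Timeout); }
            g = self.changed.wait_timeout(g, left).unwrap().0;
        }
    }
}

fn main() {
    let db = Arc::new(DutyDb::default());
    let evictor = Arc::clone(&db);
    std::thread::spawn(move || evictor.delete_duty(7)); // constructed slot number
    // Returns Expired as soon as the eviction is observed, not after 24 s.
    println!("{:?}", db.await_proposal(7, Duration::from_secs(24)));
}
```
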

varex83 and others added 11 commits May 28, 2026 14:08
Threads the Handler through Axum state via AppState<H> + with_state,
wires the node_version route to the real handler, and adds a TestHandler
mock that future PRs will extend per-endpoint.

Re-uses the auto-generated pluto_eth2api envelopes
(GetProposerDutiesResponseResponse, GetVersionResponseResponse) as the
on-the-wire shape rather than hand-rolling parallel types. node_version
is migrated to the same pattern; the body.rs hand-rolled wrapper module
is removed.

Drops the per-handler generic parameter and routes through
Arc<dyn Handler> via AppState. The Handler trait is object-safe
(Send + Sync + 'static + async_trait-generated methods), so this
is a pure type change with no surface impact.

Adds the Handler impl that the router has been calling through.
node_version returns the obolnetwork/pluto/{version}-{commit}/{arch}-{os}
identity string; proposer_duties calls the upstream beacon node and
rewrites known DV root public keys to this node's public share so the
validator client sees keys matching its keystore. The remaining 17
trait methods are unimplemented!() stubs that land per-PR as their
router handlers are ported.

Wires POST /eth/v1/validator/duties/attester/{epoch}: dual-format
(numeric or string-encoded) validator index body, upstream call,
pubshare swap.

Wires POST /eth/v1/validator/duties/sync/{epoch}, reusing the
ValIndexes dual-format body extractor.

Wires GET /eth/v1/validator/attestation_data. The Component now
holds an Arc<MemDB> and awaits unsigned attestation data from the
local DutyDB rather than hitting upstream.

Bug fixes (must-fix per review):

- attestation_data: wrap MemDB::await_attestation in tokio::time::timeout
  (24s) so a request for a slot that never produces consensus output
  cannot hold a handler task indefinitely. delete_duty now records
  evicted keys per duty type and notifies waiters, so await_data returns
  Error::AwaitDutyExpired immediately when the awaited duty is gone
  instead of spinning until the timeout fires. Maps to 408 on the wire.
- Stop leaking upstream BlindedBlock400Response Debug output (incl.
  stacktraces) into the client-visible ApiError.message. The variant
  payload is now attached as `source` for debug logs; the message stays
  generic.

Hardening:

- new_insecure is gated behind #[cfg(test)] so the insecure_test flag
  cannot reach production builds.
- new_router applies DefaultBodyLimit::max(64 KiB) on the two
  POST /duties/{attester,sync}/{epoch} routes — defends against the
  Vec<u64> parse amplification on the ValIndexes deserializer.
- All upstream eth2_cl calls are wrapped in tokio::time::timeout(12s)
  so a hanging beacon node cannot stall handler tasks.
- proposer_duties / attester_duties / sync_committee_duties propagate
  upstream BadRequest as 400 and ServiceUnavailable as 503 instead of
  collapsing every non-Ok variant to 502 — the VC can now back off on
  upstream syncing instead of treating it as a gateway failure.
- swap_attester_pubshares / swap_sync_committee_pubshares now return
  500 (cluster misconfig) instead of 502 when a pubshare is missing —
  the upstream returned well-formed data, the failure is local.

ValIndexes:

- Replace #[serde(untagged)] with a streaming Visitor that validates
  each element via SeqAccess::next_element. Avoids the speculative
  Vec<u64> parse and the serde Content cache. Now accepts mixed
  numeric/string elements and rejects negative integers.
- Hard cap at 8192 indices per request.

ApiError:

- with_boxed_source for sources that aren't std::error::Error (e.g.
  anyhow::Error from auto-gen request builders).

Router:

- attestation_data uses Result<Query<...>, QueryRejection> so 4xx
  responses from missing/malformed query params share the same
  { code, message } envelope as the rest of the router.

Tests (+13):

- attestation_data: timeout when data never arrives; 408 when duty is
  evicted while a waiter is parked; cancellation cleanup when the
  handler future is dropped; negative lookup on wrong committee_index.
- Status-mapping helpers: confirm upstream Debug output is never
  serialized into the message.
- Router: ApiError envelope on bad query; oversized body rejection;
  ValIndexes empty/mixed/oversized/negative cases.

Co-Authored-By: Bohdan Ohorodnii <35969035+varex83@users.noreply.github.com>

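
The ValIndexes rules listed in the commit message above (per-element validation, mixed numeric/string elements, negatives rejected, 8192-element cap), as an added example that is not the project's code. The project uses a serde Visitor with SeqAccess::next_element; this sketch is a hand-written std-only parser so it runs without dependencies, and parse_val_indexes, ParseError and the acceptance of an empty array are assumptions.

```rust
// Added example, std-only: a hand-written stand-in for the serde Visitor.
const MAX_INDICES: usize = 8192; // hard cap from the commit message

#[derive(Debug, PartialEq)]
pub enum ParseError { TooMany, Negative, Overflow, Malformed }

fn skip_ws(b: &[u8], mut i: usize) -> usize {
    while matches!(b.get(i), Some(b' ' | b'\n' | b'\r' | b'\t')) { i += 1; }
    i
}

/// Parses a JSON array such as `[1,"2",3]` element by element.
pub fn parse_val_indexes(b: &[u8]) -> Result<Vec<u64>, ParseError> {
    let mut i = skip_ws(b, 0);
    if b.get(i) != Some(&b'[') { return Err(ParseError::Malformed); }
    i = skip_ws(b, i + 1);
    let mut out = Vec::new();
    // Assumption: an empty array is accepted; the page does not say either way.
    let mut done = b.get(i) == Some(&b']');
    while !done {
        // Enforce the cap before touching the next element, so an oversized
        // body is rejected without parsing (or allocating for) the excess.
        if out.len() == MAX_INDICES { return Err(ParseError::TooMany); }
        let quoted = b.get(i) == Some(&b'"');
        if quoted { i += 1; }
        if b.get(i) == Some(&b'-') { return Err(ParseError::Negative); }
        let (start, mut v) = (i, 0u64);
        while let Some(d) = b.get(i).filter(|c| c.is_ascii_digit()) {
            // Checked arithmetic: a value past u64::MAX is an error, not a wrap.
            v = v.checked_mul(10).and_then(|x| x.checked_add(u64::from(d - b'0')))
                .ok_or(ParseError::Overflow)?;
            i += 1;
        }
        if i == start || (quoted && b.get(i) != Some(&b'"')) {
            return Err(ParseError::Malformed);
        }
        out.push(v);
        i = skip_ws(b, i + usize::from(quoted));
        match b.get(i) {
            Some(b',') => i = skip_ws(b, i + 1),
            Some(b']') => done = true,
            _ => return Err(ParseError::Malformed),
        }
    }
    // Nothing but whitespace may follow the closing bracket.
    if skip_ws(b, i + 1) == b.len() { Ok(out) } else { Err(ParseError::Malformed) }
}

fn main() {
    println!("{:?}", parse_val_indexes(br#"[1, "2", 3]"#)); // constructed body
}
```
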
Adds the plumbing every subsequent submit/await handler needs without
implementing any of the unimplemented!() arms. Mirrors Charon's
core/validatorapi/validatorapi.go:196-256 (subscriber list + six
Register* hooks) plus :1352 (verifyPartialSig).

- New Component fields: subs, await_proposal_fn, await_agg_attestation_fn,
  await_sync_contribution_fn, await_agg_sig_db_fn, duty_def_fn,
  pub_key_by_att_fn. All Option<Arc<…>> so registration before the
  Component is shared in an Arc, then read-only thereafter.
- subscribe() wraps the user closure with a set-clone step so each
  subscriber receives its own ParSignedDataSet — matches Go's
  Subscribe clone-before-fanout at validatorapi.go:249-256.
- register_* methods replace any prior registration, matching Go's
  single-function input semantics.
- verify_partial_sig() honours insecure_test, looks up this node's
  public share from pub_share_by_pubkey, then delegates to
  pluto_eth2util::signing::verify. Unlike Go — which projects domain /
  epoch / message-root through the core.Eth2SignedData interface — the
  Rust hook takes those three values directly so we don't have to port
  the Eth2SignedData trait in this plumbing PR; submit handlers in PRs
  3-6 will derive the triple from their concrete signed-data wrapper.

Tests: subscribe fanout clones per subscriber; the six register hooks
all overwrite on re-register; unregistered hooks default to None;
verify_partial_sig accepts a real BLS signature, rejects a tampered
one, rejects an unknown DV pubkey, and short-circuits in insecure_test
mode.

Co-Authored-By: Bohdan Ohorodnii <35969035+varex83@users.noreply.github.com>

…t_blinded_proposal handlers

Ports the three proposal endpoints from Charon's
core/validatorapi/validatorapi.go: Proposal (lines 388-450),
SubmitProposal (lines 551-605) and SubmitBlindedProposal (lines
606-673), plus the propDataMatchesDuty helper (lines 451-549) and
getProposerPubkey (line 1334).

- crates/core/src/validatorapi/types.rs: replaces the three proposal
  placeholders with re-exports of the concrete signeddata /
  eth2api::versioned wrappers so the Handler trait now carries real
  payloads (no Handler signature change — the trait method types just
  point at populated structs instead of empty placeholders).
- crates/core/src/validatorapi/component.rs:
  - Adds ProposerPubkeyFn / register_proposer_pubkey. Pluto's
    duty_def_fn is intentionally type-erased (Box<dyn Any>) so we add
    a thin typed hook for the proposer-pubkey lookup, mirroring the
    existing pub_key_by_att_fn shape. This is the Rust equivalent of
    Go's getProposerPubkey at validatorapi.go:1334.
  - proposal: resolves proposer pubkey, derives epoch from slot via
    pluto_eth2util::helpers::epoch_from_slot (Go's
    eth2util.EpochFromSlot), builds a SignedRandao::new_partial wrapper,
    verifies the partial randao signature, fans the parsig set out to
    subscribers, and finally blocks (PROPOSAL_TIMEOUT = 24s, ~2 slots,
    same sizing as ATTESTATION_DATA_TIMEOUT) on the await_proposal_fn
    hook (with a dutydb.await_proposal fallback for tests). Always
    returns finalized=false, execution_optimistic=false,
    dependent_root=None — Go writes wrapResponse(proposal) which has
    no metadata.
  - submit_proposal / submit_blinded_proposal: pull the consensus-side
    unsigned proposal for the slot, cross-check version, blinded flag,
    proposer index, and SSZ tree-hash root against the VC submission
    (proposal_matches_duty mirrors propDataMatchesDuty's per-fork
    branches), then build a partial VersionedSignedProposal via
    signeddata::VersionedSignedProposal::new_partial (or
    new_partial_from_blinded_proposal for the blinded path), verify
    the partial signature against this node's public share, and fan
    out a single-entry ParSignedDataSet to subscribers.
- Adds a small fork-aware helper bundle on the eth2api
  SignedProposalBlock / SignedBlindedProposalBlock enums so the
  matches-duty check can reach proposer_index, slot, version, and the
  per-variant SSZ root for both signed and blinded payloads. These
  helpers are private to component.rs and follow Go's structure 1:1.

Tests: 12 new tests cover proposal (happy path with subscriber fanout,
builder-mode blinded branch, missing-hook 503, never-arrives 408),
submit_proposal (happy path, version mismatch, proposer-index
mismatch, blinded mismatch, unknown pubshare rejection, dutydb
fallback), and submit_blinded_proposal (happy path, proposer-index
mismatch).

Co-Authored-By: Bohdan Ohorodnii <35969035+varex83@users.noreply.github.com>

varex83agent force-pushed the bohdan/validatorapi-plumbing branch from f5c3b49 to 8eedb3f on June 2, 2026 14:09
2 participants