R4R: Judge if trust-node predefined before create certifier add verification for getBlock, queryTx and getValidators

[abelliumnt]

New solution for the issue in #2209
Besides, add verification in getting blocks, transactions and validator sets.
@alexanderbez @cwgoes

[codecov]

Codecov Report

Merging #2210 into develop will decrease coverage by 0.59%.
The diff coverage is 66.66%.

@@            Coverage Diff             @@
##           develop    #2210     +/-   ##
==========================================
- Coverage    64.23%   63.63%   -0.6%     
==========================================
  Files          140      140             
  Lines         8575     8542     -33     
==========================================
- Hits          5508     5436     -72     
- Misses        2690     2738     +48     
+ Partials       377      368      -9

[abelliumnt]

I noticed some todos: getBlock, queryTx and getValidators. The authors want the gaia-lite could verify the proof from response by default. So here I implement the verification functionality and set distrust-node option to true.
However, currently sometimes some errors will be reported, for instance:

lhy@lhy-ubuntu:~$ gaiacli tendermint validator-set 1 --chain-id test-chain-uIS9nF
ERROR: The height of base truststore in gaia-lite is higher than height 1. 
Can't verify blockchain proof at this height. Please set --distrust-node false and try again

The reason is that:

• when the gaia-lite is started, it will fetch the latest commit as its base checkpoint. Here we mark the latest commit height as A.
• it can only verify proof from height which is higher than A.
• if user want to verify blocks or transactions on prior height this error will be reported.

Do you think this is accptable? If not, could you give me some suggestions about how to improve this?

[alexanderbez]

@HaoyangLiu, I like the approach here, but before going too in depth into a review, I think the nomenclature of distrust-node is a bit confusing and would lead to a slightly distasteful UX.

I think we should keep trust-node somehow while allowing any commands that do not need to rely on proofs still work as-is (e.g. gaiacli status).

Alternatively, to keep things simple. We could have trust-node as a persistent/root level flag and/or require anything that uses a CLIConext to use trust-node (including gaiacli status).

lmk your thoughts @cwgoes

[abelliumnt]

@alexanderbez
Good idea. I never thought that we add a root flag.
I changed the code, please help take a look at this PR again.

[abelliumnt]

@alexanderbez
I found a better way to decide whether to create certifier. If --trust-node is not predefined, then it indicates that certifier is not required. So only when --trust-node is predefined and its value is set to false, will the certifie rbe created. And the response proof will be verified too.
How do you think about this?

	flagPredefined := viper.IsSet(client.FlagTrustNode)
	if !flagPredefined {
		return nil
	}
 	trustNode := viper.GetBool(client.FlagTrustNode)
	if trustNode {
		return nil
	}

[alexanderbez]

@HaoyangLiu I like this approach better. I left some minor feedback. Otherwise, I tested this and it seems to work. Thanks!

[alexanderbez]

trustNodeDefined?

[alexanderbez]

Seems we're inconsistent with this flag's description. Can we update all occurrences to something like: Trust connected full node (don't verify proofs for responses)?

[alexanderbez]

Chain ID of Tendermint node*

[alexanderbez]

tested ACK -- thanks!

[jaekwon]

Capitalize and add trailing period please.

[abelliumnt]

I'm sorry. Could you clarify trailing period please?

[alexanderbez]

@HaoyangLiu I think he is stating that it should be reverted back to a sentence with a period.

[abelliumnt]

Got it! Thanks

[alexanderbez]

my pleasure 👍

[jaekwon]

Why did this change?

[abelliumnt]

I have added a comment about the reason above. When gaia-lite is launched, it will fetch the latest height as its trust basement. Then it can only verify blocks or transactions in later height.
Here gaia-lite is launched after a new block is created, please refer to the code. The wait is necessary. If the height of gaia node is zero, gaia-lite will be aborted for fetching block failure. So here gaia-lite will be start later and it will get block 2 as its trust basement. As a result, it can't verify block 1. As I clear here?

[cwgoes]

OK, we should update gaia lite so that you can easily start it with a separate root-of-trust.

[cwgoes]

Ref #2323

[cwgoes]

See comments, mostly DRY, we can save other changes for later PRs.

[cwgoes]

Combine this with similar instances below (DRY)

[cwgoes]

Ref #2322

[cwgoes]

DRY

[cwgoes]

This should be fetched from the CLIContext instead

[cwgoes]

DRY with above

[cwgoes]

This will be cached so the loop is OK I think

[cwgoes]

DRY with above/below

[cwgoes]

Ref #2323

[abelliumnt]

I remove this because if rest-server is stared with trust-node option, then we can't verify tx proof even if the request requires proof.

[cwgoes]

OK 👍

[cwgoes]

Almost ready, one more suggested change.

[cwgoes]

This logic is fine but I think it's confusing to put it in a function called formatTxResult - at first I thought you deleted the proof verification because I expected formatTxResult to only do formatting! Can we separate this into a different function - maybe validateTxResult or something?

[abelliumnt]

I added the verification logic here because I noticed the TODO.
How about I create a new function named validateTxResult and call it in formatTxResult, like this:

func formatTxResult(cdc *wire.Codec, cliCtx context.CLIContext, res *ctypes.ResultTx) (Info, error) {
     if !cliCtx.TrustNode {
          if err := validateTxResult(cliCtx , res); err !=nil {
                 return ni, err
          }
     }
     ....
}

[abelliumnt]

I'm sorry for misunderstanding. I have changed the code move the tx verification out of tx format.

[cwgoes]

OK 👍

[cwgoes]

Also merge develop to fix the file conflicts.

[abelliumnt]

The test_sim_modulues failure seems have no connection with my changes.

[alexanderbez]

The test_sim_modulues failure seems have no connection with my changes.

Correct 👍