ava-labs · geoff-vball · Feb 17, 2025 · Feb 14, 2025 · Feb 19, 2025 · Feb 19, 2025
@@ -5,6 +5,7 @@ package server
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
 	"net/http"
@@ -287,12 +288,13 @@ func (s *server) AddAliasesWithReadLock(endpoint string, aliases ...string) erro
 
 func (s *server) Shutdown() error {
 	ctx, cancel := context.WithTimeout(context.Background(), s.shutdownTimeout)
-	err := s.srv.Shutdown(ctx)
+	listenerErr := s.listener.Close()
+	serverErr := s.srv.Shutdown(ctx)
 	cancel()
 
 	// If shutdown times out, make sure the server is still shutdown.
 	_ = s.srv.Close()
-	return err
+	return errors.Join(listenerErr, serverErr)
 }
 
 type readPathAdder struct {

@@ -9,7 +9,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/fs"
 	"math"
 	"os"
 	"path/filepath"
@@ -34,10 +33,9 @@ import (
 	"github.com/ava-labs/avalanchego/subnets"
 	"github.com/ava-labs/avalanchego/trace"
 	"github.com/ava-labs/avalanchego/upgrade"
+	"github.com/ava-labs/avalanchego/utils/bag"
 	"github.com/ava-labs/avalanchego/utils/compression"
 	"github.com/ava-labs/avalanchego/utils/constants"
-	"github.com/ava-labs/avalanchego/utils/crypto/bls"
-	"github.com/ava-labs/avalanchego/utils/crypto/bls/signer/localsigner"
 	"github.com/ava-labs/avalanchego/utils/ips"
 	"github.com/ava-labs/avalanchego/utils/logging"
 	"github.com/ava-labs/avalanchego/utils/perms"
@@ -78,11 +76,11 @@ var (
 	errCannotTrackPrimaryNetwork              = errors.New("cannot track primary network")
 	errStakingKeyContentUnset                 = fmt.Errorf("%s key not set but %s set", StakingTLSKeyContentKey, StakingCertContentKey)
 	errStakingCertContentUnset                = fmt.Errorf("%s key set but %s not set", StakingTLSKeyContentKey, StakingCertContentKey)
-	errMissingStakingSigningKeyFile           = errors.New("missing staking signing key file")
 	errPluginDirNotADirectory                 = errors.New("plugin dir is not a directory")
 	errCannotReadDirectory                    = errors.New("cannot read directory")
 	errUnmarshalling                          = errors.New("unmarshalling failed")
 	errFileDoesNotExist                       = errors.New("file does not exist")
+	errInvalidSignerConfig                    = fmt.Errorf("only one of the following flags can be set: %s, %s, %s, %s", StakingEphemeralSignerEnabledKey, StakingSignerKeyContentKey, StakingSignerKeyPathKey, StakingRPCSignerEndpointKey)
 )
 
 func getConsensusConfig(v *viper.Viper) snowball.Parameters {
@@ -639,74 +637,15 @@ func getStakingTLSCert(v *viper.Viper) (tls.Certificate, error) {
 	}
 }
 
-func getStakingSigner(v *viper.Viper) (bls.Signer, error) {
-	if v.GetBool(StakingEphemeralSignerEnabledKey) {
-		key, err := localsigner.New()
-		if err != nil {
-			return nil, fmt.Errorf("couldn't generate ephemeral signing key: %w", err)
-		}
-		return key, nil
-	}
-
-	if v.IsSet(StakingSignerKeyContentKey) {
-		signerKeyRawContent := v.GetString(StakingSignerKeyContentKey)
-		signerKeyContent, err := base64.StdEncoding.DecodeString(signerKeyRawContent)
-		if err != nil {
-			return nil, fmt.Errorf("unable to decode base64 content: %w", err)
-		}
-		key, err := localsigner.FromBytes(signerKeyContent)
-		if err != nil {
-			return nil, fmt.Errorf("couldn't parse signing key: %w", err)
-		}
-		return key, nil
-	}
-
-	signingKeyPath := getExpandedArg(v, StakingSignerKeyPathKey)
-	_, err := os.Stat(signingKeyPath)
-	if !errors.Is(err, fs.ErrNotExist) {
-		signingKeyBytes, err := os.ReadFile(signingKeyPath)
-		if err != nil {
-			return nil, err
-		}
-		key, err := localsigner.FromBytes(signingKeyBytes)
-		if err != nil {
-			return nil, fmt.Errorf("couldn't parse signing key: %w", err)
-		}
-		return key, nil
-	}
-
-	if v.IsSet(StakingSignerKeyPathKey) {
-		return nil, errMissingStakingSigningKeyFile
-	}
-
-	key, err := localsigner.New()
-	if err != nil {
-		return nil, fmt.Errorf("couldn't generate new signing key: %w", err)
-	}
-
-	if err := os.MkdirAll(filepath.Dir(signingKeyPath), perms.ReadWriteExecute); err != nil {
-		return nil, fmt.Errorf("couldn't create path for signing key at %s: %w", signingKeyPath, err)
-	}
-
-	keyBytes := key.ToBytes()
-	if err := os.WriteFile(signingKeyPath, keyBytes, perms.ReadWrite); err != nil {
-		return nil, fmt.Errorf("couldn't write new signing key to %s: %w", signingKeyPath, err)
-	}
-	if err := os.Chmod(signingKeyPath, perms.ReadOnly); err != nil {
-		return nil, fmt.Errorf("couldn't restrict permissions on new signing key at %s: %w", signingKeyPath, err)
-	}
-	return key, nil
-}
-
 func getStakingConfig(v *viper.Viper, networkID uint32) (node.StakingConfig, error) {
 	config := node.StakingConfig{
 		SybilProtectionEnabled:        v.GetBool(SybilProtectionEnabledKey),
 		SybilProtectionDisabledWeight: v.GetUint64(SybilProtectionDisabledWeightKey),
 		PartialSyncPrimaryNetwork:     v.GetBool(PartialSyncPrimaryNetworkKey),
-		StakingKeyPath:                getExpandedArg(v, StakingTLSKeyPathKey),
-		StakingCertPath:               getExpandedArg(v, StakingCertPathKey),
-		StakingSignerPath:             getExpandedArg(v, StakingSignerKeyPathKey),
+		StakingTLSKeyPath:             getExpandedArg(v, StakingTLSKeyPathKey),
+		StakingTLSCertPath:            getExpandedArg(v, StakingCertPathKey),
 	}
+
 	if !config.SybilProtectionEnabled && config.SybilProtectionDisabledWeight == 0 {
 		return node.StakingConfig{}, errSybilProtectionDisabledStakerWeights
 	}
@@ -720,10 +659,12 @@ func getStakingConfig(v *viper.Viper, networkID uint32) (node.StakingConfig, err
 	if err != nil {
 		return node.StakingConfig{}, err
 	}
-	config.StakingSigningKey, err = getStakingSigner(v)
+
+	config.StakingSignerConfig, err = getStakingSignerConfig(v)
 	if err != nil {
 		return node.StakingConfig{}, err
 	}
+
 	if networkID != constants.MainnetID && networkID != constants.FujiID {
 		config.UptimeRequirement = v.GetFloat64(UptimeRequirementKey)
 		config.MinValidatorStake = v.GetUint64(MinValidatorStakeKey)
@@ -760,6 +701,44 @@ func getStakingConfig(v *viper.Viper, networkID uint32) (node.StakingConfig, err
 	return config, nil
 }
 
+func getStakingSignerConfig(v *viper.Viper) (any, error) {
+	// A maximum of one signer option can be set
+	bools := bag.Of(
+		v.GetBool(StakingEphemeralSignerEnabledKey),
+		v.IsSet(StakingSignerKeyContentKey),
+		v.IsSet(StakingSignerKeyPathKey),
+		v.IsSet(StakingRPCSignerEndpointKey),
+	)
+	if bools.Count(true) > 1 {
+		return node.StakingConfig{}, errInvalidSignerConfig
+	}
+
+	switch {
+	case v.GetBool(StakingEphemeralSignerEnabledKey):
+		return node.EphemeralSignerConfig{}, nil
+
+	case v.IsSet(StakingSignerKeyContentKey):
+		return node.ContentKeyConfig{
+			SignerKeyRawContent: getExpandedArg(v, StakingSignerKeyContentKey),
+		}, nil
+
+	case v.IsSet(StakingRPCSignerEndpointKey):
+		return node.RPCSignerConfig{
+			StakingSignerRPC: getExpandedArg(v, StakingRPCSignerEndpointKey),
+		}, nil
+
+	case v.IsSet(StakingSignerKeyPathKey):
+		return node.SignerPathConfig{
+			SignerKeyPath: getExpandedArg(v, StakingSignerKeyPathKey),
+		}, nil
+
+	default:
+		return node.DefaultSignerConfig{
+			SignerKeyPath: getExpandedArg(v, StakingSignerKeyPathKey),
+		}, nil
+	}
+}
+
 func getTxFeeConfig(v *viper.Viper, networkID uint32) genesis.TxFeeConfig {
 	if networkID != constants.MainnetID && networkID != constants.FujiID {
 		return genesis.TxFeeConfig{

@@ -17,6 +17,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/ava-labs/avalanchego/chains"
+	"github.com/ava-labs/avalanchego/config/node"
 	"github.com/ava-labs/avalanchego/ids"
 	"github.com/ava-labs/avalanchego/snow/consensus/snowball"
 	"github.com/ava-labs/avalanchego/subnets"
@@ -549,6 +550,86 @@ func TestGetSubnetConfigsFromFlags(t *testing.T) {
 	}
 }
 
+func TestGetStakingSigner(t *testing.T) {
+	testKey := "HLimS3vRibTMk9lZD4b+Z+GLuSBShvgbsu0WTLt2Kd4="
+	dataDir := t.TempDir()
+
+	fileKeyPath := filepath.Join(t.TempDir(), "foobar", "signer.key")
+	defaultSignerKeyPath := filepath.Join(
+		dataDir,
+		"staking",
+		"signer.key",
+	)
+
+	tests := []struct {
+		name                 string
+		viperKeys            string
+		config               map[string]any
+		expectedSignerConfig any
+		expectedErr          error
+	}{
+		{
+			name:   "default signer",
+			config: map[string]any{DataDirKey: dataDir},
+			expectedSignerConfig: node.DefaultSignerConfig{
+				SignerKeyPath: defaultSignerKeyPath,
+			},
+		},
+		{
+			name:                 "ephemeral signer",
+			config:               map[string]any{StakingEphemeralSignerEnabledKey: true},
+			expectedSignerConfig: node.EphemeralSignerConfig{},
+		},
+		{
+			name:   "content key",
+			config: map[string]any{StakingSignerKeyContentKey: testKey},
+			expectedSignerConfig: node.ContentKeyConfig{
+				SignerKeyRawContent: testKey,
+			},
+		},
+		{
+			name: "file key",
+			config: map[string]any{
+				StakingSignerKeyPathKey: fileKeyPath,
+			},
+			expectedSignerConfig: node.SignerPathConfig{
+				SignerKeyPath: fileKeyPath,
+			},
+		},
+		{
+			name:   "rpc signer",
+			config: map[string]any{StakingRPCSignerEndpointKey: "localhost"},
+			expectedSignerConfig: node.RPCSignerConfig{
+				StakingSignerRPC: "localhost",
+			},
+		},
+		{
+			name: "multiple configurations set",
+			config: map[string]any{
+				StakingEphemeralSignerEnabledKey: true,
+				StakingSignerKeyContentKey:       testKey,
+			},
+			expectedErr: errInvalidSignerConfig,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			require := require.New(t)
+			v := setupViperFlags()
+
+			for key, value := range tt.config {
+				v.Set(key, value)
+			}
+
+			config, err := GetNodeConfig(v)
+
+			require.ErrorIs(err, tt.expectedErr)
+			require.Equal(tt.expectedSignerConfig, config.StakingSignerConfig)
+		})
+	}
+}
+
 // setups config json file and writes content
 func setupConfigJSON(t *testing.T, rootPath string, value string) string {
 	configFilePath := filepath.Join(rootPath, "config.json")

@@ -264,6 +264,7 @@ func addNodeFlags(fs *pflag.FlagSet) {
 	fs.Bool(StakingEphemeralSignerEnabledKey, false, "If true, the node uses an ephemeral staking signer key")
 	fs.String(StakingSignerKeyPathKey, defaultStakingSignerKeyPath, fmt.Sprintf("Path to the signer private key for staking. Ignored if %s is specified", StakingSignerKeyContentKey))
 	fs.String(StakingSignerKeyContentKey, "", "Specifies base64 encoded signer private key for staking")
+	fs.String(StakingRPCSignerEndpointKey, "", "Specifies the RPC endpoint of the staking signer")
 	fs.Bool(SybilProtectionEnabledKey, true, "Enables sybil protection. If enabled, Network TLS is required")
 	fs.Uint64(SybilProtectionDisabledWeightKey, 100, "Weight to provide to each peer when sybil protection is disabled")
 	fs.Bool(PartialSyncPrimaryNetworkKey, false, "Only sync the P-chain on the Primary Network. If the node is a Primary Network validator, it will report unhealthy")

@@ -85,6 +85,7 @@ const (
 	StakingEphemeralSignerEnabledKey                   = "staking-ephemeral-signer-enabled"
 	StakingSignerKeyPathKey                            = "staking-signer-key-file"
 	StakingSignerKeyContentKey                         = "staking-signer-key-file-content"
+	StakingRPCSignerEndpointKey                        = "staking-rpc-signer-endpoint"
 	SybilProtectionEnabledKey                          = "sybil-protection-enabled"
 	SybilProtectionDisabledWeightKey                   = "sybil-protection-disabled-weight"
 	NetworkInitialTimeoutKey                           = "network-initial-timeout"

@@ -19,7 +19,6 @@ import (
 	"github.com/ava-labs/avalanchego/subnets"
 	"github.com/ava-labs/avalanchego/trace"
 	"github.com/ava-labs/avalanchego/upgrade"
-	"github.com/ava-labs/avalanchego/utils/crypto/bls"
 	"github.com/ava-labs/avalanchego/utils/logging"
 	"github.com/ava-labs/avalanchego/utils/profiler"
 	"github.com/ava-labs/avalanchego/utils/set"
@@ -76,12 +75,30 @@ type StakingConfig struct {
 	SybilProtectionEnabled        bool            `json:"sybilProtectionEnabled"`
 	PartialSyncPrimaryNetwork     bool            `json:"partialSyncPrimaryNetwork"`
 	StakingTLSCert                tls.Certificate `json:"-"`
-	StakingSigningKey             bls.Signer      `json:"-"`
 	SybilProtectionDisabledWeight uint64          `json:"sybilProtectionDisabledWeight"`
-	// not accessed but used for logging
-	StakingKeyPath    string `json:"stakingKeyPath"`
-	StakingCertPath   string `json:"stakingCertPath"`
-	StakingSignerPath string `json:"stakingSignerPath"`
+	StakingTLSKeyPath             string          `json:"stakingTLSKeyPath"`
+	StakingTLSCertPath            string          `json:"stakingTLSCertPath"`
+
+	// This is set in order to instatiate the correct signer type at runtime.
+	StakingSignerConfig any
+}
+
+type EphemeralSignerConfig struct{}
+
+type ContentKeyConfig struct {
+	SignerKeyRawContent string
+}
+
+type SignerPathConfig struct {
+	SignerKeyPath string
+}
+
+type DefaultSignerConfig struct {
+	SignerKeyPath string
+}
+
+type RPCSignerConfig struct {
+	StakingSignerRPC string
 }
 
 type StateSyncConfig struct {