[static] working in logs but missing test + cleanups

Signed-off-by: Julien Tinguely <[email protected]>

Author: julientinguely-da

apps/app/src/test/scala/org/lfdecentralizedtrust/splice/integration/tests/ManualSignatureIntegrationTest.scala

@@ -1,18 +1,20 @@
 package org.lfdecentralizedtrust.splice.integration.tests
 
-import org.lfdecentralizedtrust.splice.integration.tests.SpliceTests.IntegrationTestWithSharedEnvironment
+import com.digitalasset.canton.HasExecutionContext
+import com.digitalasset.canton.topology.admin.grpc.TopologyStoreId
+import com.digitalasset.canton.topology.store.TimeQuery
 import org.lfdecentralizedtrust.splice.integration.EnvironmentDefinition
-import org.lfdecentralizedtrust.splice.integration.tests.WalletTxLogTestUtil
+import org.lfdecentralizedtrust.splice.integration.tests.SpliceTests.IntegrationTestWithSharedEnvironment
 import org.lfdecentralizedtrust.splice.util.WalletTestUtil
-import com.digitalasset.canton.HasExecutionContext
-
 
 class ManualSignatureIntegrationTest
     extends IntegrationTestWithSharedEnvironment
     with HasExecutionContext
     with WalletTestUtil
     with WalletTxLogTestUtil {
 
+  override lazy val resetRequiredTopologyState = false
+
   override def environmentDefinition: EnvironmentDefinition = {
     EnvironmentDefinition
       .simpleTopology1Sv(this.getClass.getSimpleName)
@@ -24,6 +26,20 @@ class ManualSignatureIntegrationTest
 
     "rotate signatures" in { implicit env =>
       sv1Backend.startSync()
+      eventually() {
+        val synchronizerId = sv1Backend.participantClientWithAdminToken.synchronizers.id_of(
+          sv1Backend.config.domains.global.alias
+        )
+        // FIXME: SV: add checks for mediator, sequencer and participant signatures + add checks
+        val store = TopologyStoreId.Synchronizer(synchronizerId)
+        sv1Backend.participantClientWithAdminToken.topology.owner_to_key_mappings
+          .list(store = Some(store), timeQuery = TimeQuery.Range(None, None))
+          .filter(
+            _.item.member.toProtoPrimitive == sv1Backend.sequencerClient.name
+          ) should not be empty
+        // FIXME: Validator: add checks for validator signatures + add checks
+      }
     }
+
   }
 }

apps/common/src/main/scala/org/lfdecentralizedtrust/splice/setup/NodeInitializer.scala

@@ -6,12 +6,12 @@ package org.lfdecentralizedtrust.splice.setup
 import cats.implicits.showInterpolator
 import com.daml.nonempty.NonEmpty
 import com.digitalasset.canton.admin.api.client.data.{NodeStatus, WaitingForId}
-import com.digitalasset.canton.crypto.{EncryptionPublicKey, SigningKeyUsage, SigningPublicKey}
+import com.digitalasset.canton.crypto.{SigningKeyUsage, SigningPublicKey}
 import com.digitalasset.canton.logging.{NamedLoggerFactory, NamedLogging}
-import com.digitalasset.canton.topology.store.TimeQuery
 import com.digitalasset.canton.topology.store.TopologyStoreId.AuthorizedStore
+import com.digitalasset.canton.topology.store.{TimeQuery, TopologyStoreId}
 import com.digitalasset.canton.topology.transaction.OwnerToKeyMapping
-import com.digitalasset.canton.topology.{Member, Namespace, NodeIdentity, UniqueIdentifier}
+import com.digitalasset.canton.topology.*
 import com.digitalasset.canton.tracing.TraceContext
 import com.digitalasset.canton.util.MonadUtil
 import com.google.protobuf.ByteString
@@ -104,6 +104,7 @@ class NodeInitializer(
   def initializeWithNewIdentityIfNeeded(
       idenfitierName: String,
       nodeIdentity: UniqueIdentifier => Member & NodeIdentity,
+      synchronizerId: SynchronizerId,
   )(implicit tc: TraceContext, ec: ExecutionContext): Future[Unit] = {
     logger.info(s"Making sure canton node has an identity")
     for {
@@ -127,7 +128,7 @@ class NodeInitializer(
             )
             for {
               // rotate existing keys that are not signed by owner
-              _ <- rotateOwnerToKeyMappingNotSignedByKeys(id, nodeIdentity)
+              _ <- rotateOwnerToKeyMappingNotSignedByKeys(id, nodeIdentity, synchronizerId)
               // fixes previously initialized nodes with messed up keys
               _ <- rotateSigningKeyIfSameAsNamespaceKey(id, nodeIdentity)
             } yield ()
@@ -322,27 +323,39 @@ class NodeInitializer(
   private def rotateOwnerToKeyMappingNotSignedByKeys(
       id: UniqueIdentifier,
       nodeIdentity: UniqueIdentifier => Member & NodeIdentity,
+      synchronizerId: SynchronizerId,
   )(implicit tc: TraceContext, ec: ExecutionContext): Future[Unit] =
     for {
-      ownerToKeyMappingHistory <- connection.listOwnerToKeyMapping(
-        nodeIdentity(id),
-        TimeQuery.Range(None, None),
+      // FIXME: clean this logic
+      fullTxHistory <- connection.listAllTransactions(
+        store = TopologyStoreId.SynchronizerStore(synchronizerId),
+        timeQuery = TimeQuery.Range(None, None),
+        includeMappings = Set(OwnerToKeyMapping.code),
       )
-      latestKeys = ownerToKeyMappingHistory
-        .sortBy(_.base.serial)
+      ownerToKeyMappingTxHistory = fullTxHistory.filter(_.transaction.mapping match {
+        case mapping: OwnerToKeyMapping if mapping.member == nodeIdentity(id) => true
+        case _ => false
+      })
+      _ = logger.info(s"YOHOU: $ownerToKeyMappingTxHistory")
+      allOtkSignatures = ownerToKeyMappingTxHistory
+        .map(_.transaction)
+        .flatMap(_.signatures)
+        .map(_.signedBy)
+        .distinct
+      latestKeys = ownerToKeyMappingTxHistory
+        .map(_.transaction)
+        .sortBy(_.transaction.serial)
         .lastOption
         .getOrElse(throw new IllegalStateException("ownerToKeyMappingHistory is empty."))
-        .mapping
-        .keys
-        .filter {
-          case _: SigningPublicKey => true
-          case _ => false
-        }
-      allSignedBy = ownerToKeyMappingHistory.flatMap(_.base.signedBy).distinct
-      (_, toRotate) = latestKeys.map(_.id).partition(allSignedBy.contains)
-      _ = logger.info(
-        s"Keys that are not signed by the owner: ${toRotate.mkString(", ")}"
-      )
+        .mapping match {
+        case mapping: OwnerToKeyMapping =>
+          mapping.keys.filter {
+            case _: SigningPublicKey => true
+            case _ => false
+          }
+        case _ => throw new IllegalStateException("Latest transaction is not an OwnerToKeyMapping.")
+      }
+      (_, toRotate) = latestKeys.map(_.id).partition(allOtkSignatures.contains)
       _ = if (toRotate.nonEmpty) {
         logger.info(s"keyToRotate: ${toRotate}")
         val rotatedKeys = latestKeys.map {
@@ -351,10 +364,6 @@ class NodeInitializer(
               key.keySpec.name,
               key.usage,
             )
-          case key: EncryptionPublicKey if toRotate.contains(key.id) =>
-            connection.generateEncryptionKeyPair(
-              key.keySpec.name
-            )
           case key => Future.successful(key)
         }
         for {

apps/common/src/main/scala/org/lfdecentralizedtrust/splice/setup/ParticipantInitializer.scala

@@ -3,6 +3,7 @@
 
 package org.lfdecentralizedtrust.splice.setup
 
+import com.digitalasset.canton.SynchronizerAlias
 import org.lfdecentralizedtrust.splice.config.ParticipantBootstrapDumpConfig
 import org.lfdecentralizedtrust.splice.environment.{ParticipantAdminConnection, RetryProvider}
 import org.lfdecentralizedtrust.splice.identities.NodeIdentitiesDump
@@ -23,6 +24,7 @@ object ParticipantInitializer {
       dumpConfig: Option[ParticipantBootstrapDumpConfig],
       loggerFactory: NamedLoggerFactory,
       retryProvider: RetryProvider,
+      synchronizerAlias: SynchronizerAlias,
   )(implicit
       ec: ExecutionContextExecutor,
       tc: TraceContext,
@@ -33,6 +35,7 @@ object ParticipantInitializer {
       loggerFactory,
       retryProvider,
       participantAdminConnection,
+      synchronizerAlias,
     )
     participantInitializer
       .ensureInitializedWithExpectedId()
@@ -62,6 +65,7 @@ class ParticipantInitializer(
     override protected val loggerFactory: NamedLoggerFactory,
     retryProvider: RetryProvider,
     participantAdminConnection: ParticipantAdminConnection,
+    synchronizerAlias: SynchronizerAlias,
 )(implicit
     ec: ExecutionContextExecutor,
     tc: TraceContext,
@@ -84,9 +88,11 @@ class ParticipantInitializer(
       case None =>
         logger.info(s"Initializing participant $identifierName")
         for {
+          synchronizerId <- participantAdminConnection.getSynchronizerId(synchronizerAlias)
           _ <- nodeInitializer.initializeWithNewIdentityIfNeeded(
             identifierName,
             ParticipantId.apply,
+            synchronizerId,
           )
           _ <- nodeInitializer.waitForNodeInitialized()
         } yield {

apps/sv/src/main/scala/org/lfdecentralizedtrust/splice/sv/SvApp.scala

@@ -176,6 +176,7 @@ class SvApp(
                     config.participantBootstrappingDump,
                     loggerFactory,
                     retryProvider,
+                    config.domains.global.alias,
                   )
               }
           }

apps/sv/src/main/scala/org/lfdecentralizedtrust/splice/sv/onboarding/SynchronizerNodeInitializer.scala

@@ -9,7 +9,7 @@ import org.lfdecentralizedtrust.splice.sv.LocalSynchronizerNode
 import org.lfdecentralizedtrust.splice.sv.config.SvCantonIdentifierConfig
 import com.digitalasset.canton.logging.NamedLoggerFactory
 import com.digitalasset.canton.time.Clock
-import com.digitalasset.canton.topology.{MediatorId, SequencerId}
+import com.digitalasset.canton.topology.{MediatorId, SequencerId, SynchronizerId}
 import com.digitalasset.canton.tracing.TraceContext
 
 import scala.concurrent.{ExecutionContext, Future}
@@ -40,6 +40,7 @@ object SynchronizerNodeInitializer {
       clock: Clock,
       logger: NamedLoggerFactory,
       retryProvider: RetryProvider,
+      synchronizerId: SynchronizerId,
   )(implicit tc: TraceContext, ec: ExecutionContext): Future[Unit] = {
     val synchronizerNodeInitializer = SynchronizerNodeInitializer(
       synchronizerNode,
@@ -52,10 +53,12 @@ object SynchronizerNodeInitializer {
       _ <- synchronizerNodeInitializer.sequencerInitializer.initializeWithNewIdentityIfNeeded(
         identifierConfig.sequencer,
         SequencerId.apply,
+        synchronizerId,
       )
       _ <- synchronizerNodeInitializer.mediatorInitializer.initializeWithNewIdentityIfNeeded(
         identifierConfig.mediator,
         MediatorId.apply,
+        synchronizerId,
       )
     } yield ()
   }

apps/sv/src/main/scala/org/lfdecentralizedtrust/splice/sv/onboarding/joining/JoiningNodeInitializer.scala

@@ -312,6 +312,7 @@ class JoiningNodeInitializer(
               clock,
               loggerFactory,
               retryProvider,
+              decentralizedSynchronizerId,
             )
           )
         } else {

apps/sv/src/main/scala/org/lfdecentralizedtrust/splice/sv/onboarding/sv1/SV1Initializer.scala

@@ -143,6 +143,7 @@ class SV1Initializer(
       cantonIdentifierConfig = config.cantonIdentifierConfig.getOrElse(
         SvCantonIdentifierConfig.default(config)
       )
+      synchronizerId <- participantAdminConnection.getSynchronizerId(config.domains.global.alias)
       _ <-
         if (!config.skipSynchronizerInitialization) {
           SynchronizerNodeInitializer.initializeLocalCantonNodesWithNewIdentities(
@@ -151,6 +152,7 @@ class SV1Initializer(
             clock,
             loggerFactory,
             retryProvider,
+            synchronizerId,
           )
         } else {
           logger.info(

apps/validator/src/main/scala/org/lfdecentralizedtrust/splice/validator/ValidatorApp.scala

@@ -175,6 +175,7 @@ class ValidatorApp(
                 config.participantBootstrappingDump,
                 loggerFactory,
                 retryProvider,
+                config.domains.global.alias,
               )
           }
       }

bootstrap-canton.sc

@@ -17,7 +17,10 @@ import com.digitalasset.canton.topology.transaction.SignedTopologyTransaction.Ge
 import com.digitalasset.canton.topology.transaction.TopologyChangeOp
 import com.digitalasset.canton.version.ProtocolVersion
 import com.digitalasset.canton.console.commands.TopologyAdministrationGroup
-import com.digitalasset.canton.topology.store.{StoredTopologyTransaction, StoredTopologyTransactions}
+import com.digitalasset.canton.topology.store.{
+  StoredTopologyTransaction,
+  StoredTopologyTransactions,
+}
 import com.digitalasset.canton.topology.processing.{EffectiveTime, SequencedTime}
 import com.digitalasset.canton.sequencing.SequencerConnectionValidation
 import com.digitalasset.canton.discard.Implicits.DiscardOps
@@ -31,7 +34,8 @@ val domainParametersConfig = SynchronizerParametersConfig(
 def dropSignatures(tx: GenericSignedTopologyTransaction): GenericSignedTopologyTransaction = {
   tx.transaction.mapping match {
     case OwnerToKeyMapping(member, _) =>
-      val signaturesToRemove = tx.signatures.forgetNE.filter(_.signedBy != member.namespace.fingerprint).map(_.signedBy)
+      val signaturesToRemove =
+        tx.signatures.forgetNE.filter(_.signedBy != member.namespace.fingerprint).map(_.signedBy)
       tx.removeSignatures(signaturesToRemove).get
     case _ => tx
   }
@@ -43,11 +47,12 @@ def staticParameters(sequencer: LocalInstanceReference) =
     .map(StaticSynchronizerParameters(_))
     .getOrElse(sys.error("whatever"))
 
+// FIXME: replace this by original code and put that into a separate file or under new flag
 def bootstrapOtherDomain(
     name: String,
     sequencer: LocalSequencerReference,
     mediator: LocalMediatorReference,
-    extraParticipant : LocalInstanceReference,
+    extraParticipant: LocalInstanceReference,
 ) = {
   // first synchronizer method
   val synchronizerName = name
@@ -114,7 +119,8 @@ def bootstrapOtherDomain(
     .mapFilter(_.selectOp[TopologyChangeOp.Replace])
     .distinct
 
-  val merged = SignedTopologyTransactions.compact(initialTopologyState).map(_.updateIsProposal(false))
+  val merged =
+    SignedTopologyTransactions.compact(initialTopologyState).map(_.updateIsProposal(false))
 
   val storedTopologySnapshot = StoredTopologyTransactions[TopologyChangeOp, TopologyMapping](
     merged.map(stored =>