Add release notes

[ci]

Signed-off-by: Robert Autenrieth <[email protected]>

Author: rautenrieth-da

apps/app/src/main/scala/org/lfdecentralizedtrust/splice/console/SvAppReference.scala

@@ -99,7 +99,7 @@ abstract class SvAppReference(
   @Help.Summary("Get the CometBFT node dump")
   def cometBftNodeDebugDump(): definitions.CometBftNodeDumpResponse =
     consoleEnvironment.run {
-      httpCommand(HttpSvPublicAppClient.GetCometBftNodeDump())
+      httpCommand(HttpSvOperatorAppClient.GetCometBftNodeDump())
     }
 
   @Help.Summary("Make a CometBFT Json RPC request")
@@ -385,7 +385,7 @@ class SvAppBackendReference(
   @Help.Summary("Get the CometBFT node debug dump")
   def cometBftNodeDump(): definitions.CometBftNodeDumpResponse =
     consoleEnvironment.run {
-      httpCommand(HttpSvPublicAppClient.GetCometBftNodeDump())
+      httpCommand(HttpSvOperatorAppClient.GetCometBftNodeDump())
     }
 
   @Help.Summary("Get the sequencer node status")

apps/sv/src/main/openapi/sv-internal.yaml

@@ -119,7 +119,7 @@ paths:
   /v0/admin/domain/cometbft/debug:
     get:
       tags: [sv]
-      x-jvm-package: sv_public
+      x-jvm-package: sv_operator
       operationId: "getCometBftNodeDebugDump"
       responses:
         "200":

apps/sv/src/main/scala/org/lfdecentralizedtrust/splice/sv/SvApp.scala

@@ -551,6 +551,7 @@ class SvApp(
         clock,
         localSynchronizerNode,
         retryProvider,
+        cometBftClient,
         packageVersionSupport,
         timeouts,
         loggerFactory,

apps/sv/src/main/scala/org/lfdecentralizedtrust/splice/sv/admin/api/client/commands/HttpSvOperatorAppClient.scala

@@ -372,4 +372,35 @@ object HttpSvOperatorAppClient {
       SpliceStatus.fromHttpNodeStatus(SpliceStatus.fromHttp)(response)
     }
   }
+
+  case class GetCometBftNodeDump()
+      extends BaseCommand[
+        http.GetCometBftNodeDebugDumpResponse,
+        definitions.CometBftNodeDumpResponse,
+      ] {
+
+    override def submitRequest(
+        client: Client,
+        headers: List[HttpHeader],
+    ): EitherT[Future, Either[Throwable, HttpResponse], http.GetCometBftNodeDebugDumpResponse] =
+      client.getCometBftNodeDebugDump(
+        headers = headers
+      )
+
+    override def handleOk()(implicit
+        decoder: TemplateJsonDecoder
+    ): PartialFunction[
+      http.GetCometBftNodeDebugDumpResponse,
+      Either[String, definitions.CometBftNodeDumpResponse],
+    ] = {
+      case http.GetCometBftNodeDebugDumpResponse.OK(
+            definitions.CometBftNodeDumpOrErrorResponse.members.CometBftNodeDumpResponse(response)
+          ) =>
+        Right(response)
+      case http.GetCometBftNodeDebugDumpResponse.OK(
+            definitions.CometBftNodeDumpOrErrorResponse.members.ErrorResponse(response)
+          ) =>
+        Left(response.error)
+    }
+  }
 }

apps/sv/src/main/scala/org/lfdecentralizedtrust/splice/sv/admin/api/client/commands/HttpSvPublicAppClient.scala

@@ -424,35 +424,4 @@ object HttpSvPublicAppClient {
     }
   }
 
-  case class GetCometBftNodeDump()
-      extends BaseCommandPublic[
-        http.GetCometBftNodeDebugDumpResponse,
-        definitions.CometBftNodeDumpResponse,
-      ] {
-
-    override def submitRequest(
-        client: Client,
-        headers: List[HttpHeader],
-    ): EitherT[Future, Either[Throwable, HttpResponse], http.GetCometBftNodeDebugDumpResponse] =
-      client.getCometBftNodeDebugDump(
-        headers = headers
-      )
-
-    override def handleOk()(implicit
-        decoder: TemplateJsonDecoder
-    ): PartialFunction[
-      http.GetCometBftNodeDebugDumpResponse,
-      Either[String, definitions.CometBftNodeDumpResponse],
-    ] = {
-      case http.GetCometBftNodeDebugDumpResponse.OK(
-            definitions.CometBftNodeDumpOrErrorResponse.members.CometBftNodeDumpResponse(response)
-          ) =>
-        Right(response)
-      case http.GetCometBftNodeDebugDumpResponse.OK(
-            definitions.CometBftNodeDumpOrErrorResponse.members.ErrorResponse(response)
-          ) =>
-        Left(response.error)
-    }
-  }
-
 }

apps/sv/src/main/scala/org/lfdecentralizedtrust/splice/sv/admin/http/HttpSvOperatorHandler.scala

@@ -35,6 +35,7 @@ import org.lfdecentralizedtrust.splice.http.{
 import org.lfdecentralizedtrust.splice.scan.admin.api.client.ScanConnection
 import org.lfdecentralizedtrust.splice.scan.config.ScanAppClientConfig
 import org.lfdecentralizedtrust.splice.store.{ActiveVotesStore, AppStore, AppStoreWithIngestion}
+import org.lfdecentralizedtrust.splice.sv.cometbft.CometBftClient
 import org.lfdecentralizedtrust.splice.sv.config.SvAppBackendConfig
 import org.lfdecentralizedtrust.splice.sv.store.{SvDsoStore, SvSvStore}
 import org.lfdecentralizedtrust.splice.sv.util.SvUtil.generateRandomOnboardingSecret
@@ -52,6 +53,7 @@ class HttpSvOperatorHandler(
     clock: Clock,
     localSynchronizerNode: Option[LocalSynchronizerNode],
     retryProvider: RetryProvider,
+    cometBftClient: Option[CometBftClient],
     override protected val packageVersionSupport: PackageVersionSupport,
     override protected val timeouts: ProcessingTimeout,
     protected val loggerFactory: NamedLoggerFactory,
@@ -429,6 +431,40 @@ class HttpSvOperatorHandler(
       .map(r0.FeatureSupportResponseOK(_))
   }
 
+  override def getCometBftNodeDebugDump(
+      respond: r0.GetCometBftNodeDebugDumpResponse.type
+  )()(extracted: ActAsKnownUserRequest): Future[
+    r0.GetCometBftNodeDebugDumpResponse
+  ] = {
+    implicit val ActAsKnownUserRequest(traceContext) = extracted
+    withSpan(s"$workflowId.getCometBftNodeDebugDump") { _ => _ =>
+      withClientOrNotFound(respond.NotFound) { client =>
+        client
+          .nodeDebugDump()
+          .map(response =>
+            definitions.CometBftNodeDumpOrErrorResponse(
+              definitions.CometBftNodeDumpResponse(
+                status = response.status,
+                networkInfo = response.networkInfo,
+                abciInfo = response.abciInfo,
+                validators = response.validators,
+              )
+            )
+          )
+      }
+    }
+  }
+
+  private def withClientOrNotFound[T](
+      notFound: definitions.ErrorResponse => T
+  )(call: CometBftClient => Future[T]) = cometBftClient
+    .fold {
+      notFound(definitions.ErrorResponse("CometBFT is not configured."))
+        .pure[Future]
+    } {
+      call
+    }
+
   private def withSequencerConnectionOrNotFound[T](
       notFound: definitions.ErrorResponse => T
   )(call: SequencerAdminConnection => Future[T]) = localSynchronizerNode

apps/sv/src/main/scala/org/lfdecentralizedtrust/splice/sv/admin/http/HttpSvPublicHandler.scala

@@ -438,34 +438,6 @@ class HttpSvPublicHandler(
     }
   }
 
-  /** Intended use: Interacting with CometBFT node monitoring/debugging/testing purposes
-    *
-    * Protection: Endpoint is protected by IP allowlisting
-    */
-  override def getCometBftNodeDebugDump(
-      respond: r0.GetCometBftNodeDebugDumpResponse.type
-  )()(extracted: TraceContext): Future[
-    r0.GetCometBftNodeDebugDumpResponse
-  ] = {
-    implicit val traceContext: TraceContext = extracted
-    withSpan(s"$workflowId.getCometBftNodeDebugDump") { _ => _ =>
-      withClientOrNotFound(respond.NotFound) { client =>
-        client
-          .nodeDebugDump()
-          .map(response =>
-            definitions.CometBftNodeDumpOrErrorResponse(
-              definitions.CometBftNodeDumpResponse(
-                status = response.status,
-                networkInfo = response.networkInfo,
-                abciInfo = response.abciInfo,
-                validators = response.validators,
-              )
-            )
-          )
-      }
-    }
-  }
-
   /** Intended use: Used by other SV operators
     *
     * Protection: Endpoint is protected by IP allowlisting

docs/src/release_notes.rst

@@ -11,6 +11,43 @@ Release Notes
 0.4.20
 ------
 
+  - API security
+
+    - Tightened authorization checks for all non-public API endpoints.
+
+      All non-public endpoints now properly respect the current user rights
+      defined in the participant user management service.
+      Revoking user rights on the participant will revoke access to the corresponding API endpoints.
+
+      In general, endpoints that required authentication before will now check that the authenticated user
+      is not deactivated on the participant has has ``actAs`` rights for the relevant party
+      (wallet party for the wallet app API, SV operator party for the SV app API, etc).
+
+    - Administrative SV app endpoints now require participant admin rights.
+
+      The following SV app endpoints now require the user to have participant admin rights in
+      the participant user management service. This allows for finer grained access control
+      where users with ``actAs`` rights for the SV operator party but without participant admin
+      rights may use the SV or wallet UIs, but may not perform administrative actions like
+      hard synchronizer migrations.
+
+        - ``/v0/admin/domain/pause``
+        - ``/v0/admin/domain/unpause``
+        - ``/v0/admin/domain/migration-dump``
+        - ``/v0/admin/domain/migration-dump``
+        - ``/v0/admin/domain/identities-dump``
+        - ``/v0/admin/domain/data-snapshot``
+
+      Note that only the service users of the SV and validator apps should automatically have participant admin rights.
+      If you are using other users to access the above endpoints, check their rights.
+
+    - Some endpoints will have changed authorization rules in an upcoming release.
+
+        - SV app ``/v0/dso`` is currently public, but will require authorization as SV operator,
+          similar to most other SV app endpoints.
+          Use the corresponding public endpoint in the scan app if you need to fetch DSO info.
+
+
   - Deployment
 
     - Fix a bug where the setting the affinity for the ``splice-cometbft`` and ``splice-global-domain`` helm charts would remove the anti affinity for the ``cometbft`` and the ``sequencer`` deployment. This ensures that if multiple SVs are run on the same nodes, not more than one ``cometbft`` pod can be deployed on the same node and that no more than one ``sequencer`` pod can be deployed to the same node (a ``cometbft`` pod can still share a node with a ``sequencer`` pod). This can be disabled by setting the ``enableAntiAffinity`` helm value to ``false`` (default ``true``).