rfq: add tls support for price oracles #1775
base: 0-8-0-staging
77cad42 to 9910220
(Changed this from draft; I think the litd tests are failing for an unrelated reason.)
(As pointed out by @ZZiigguurraatt, to be more precise: TLS support already existed for price oracles, but certificate verification was skipped entirely.)
| PriceOracleTLSInsecure bool `long:"priceoracletlsinsecure" description:"Disable price oracle certificate verification."` | ||
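Review bot: the description for `priceoracletlsinsecure` says what the flag switches off but not what that costs, and a user reading `--help` only sees this string. Since the PR itself uses the flag only for the itest oracle harness (commit "Ensures that certificate verification is skipped when constructing a communication channel with the itest oracle harness"), the description should say so and state that the oracle's identity is no longer authenticated, e.g. `description:"Disable price oracle certificate verification (testing only; the oracle's identity is not authenticated)."`.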
| PriceOracleTLSNoSystemCAs bool `long:"priceoracletlsnosystemcas" description:"Disable use of the operating system's list of root CA's when verifiying price oracle certificates."` |
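Review bot: besides the `verifiying` typo already flagged, `root CA's` should be `root CAs` (plural, not possessive). The description should also state how this flag interacts with `priceoracletlsinsecure` from the same struct: when verification is skipped entirely, the root CA list is never consulted and this flag is a no-op, so either document that precedence here or reject the combination at config-validation time so the operator is not left believing one setting is in effect when it is not.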
typo: s/verifiying/verifying
ffranr left a comment
There are other cases where we need more precise control over TLS behavior. For example:
taproot-assets/proof/courier.go
Lines 309 to 320 in a17a67a
// serverDialOpts returns the set of server options needed to connect to the
// server using a TLS connection.
func serverDialOpts() ([]grpc.DialOption, error) {
	var opts []grpc.DialOption

	// Skip TLS certificate verification.
	tlsConfig := tls.Config{InsecureSkipVerify: true}
	transportCredentials := credentials.NewTLS(&tlsConfig)
	opts = append(opts, grpc.WithTransportCredentials(transportCredentials))

	return opts, nil
}
With that in mind, I wonder if we could define a more general, reusable solution in something like the new rfq/tls.go file, especially given the need for configuration and the importance of which package owns this logic.
| name: "invalid custom certificate", | ||
| expectInsecure: false, | ||
| tlsConfig: &TLSConfig{ | ||
| Enabled: true, | ||
| InsecureSkipVerify: false, | ||
| TrustSystemRootCAs: false, | ||
| CustomCertificates: []byte(invalidCertificate), | ||
| }, | ||
| }, |
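Review bot: this table row carries only `expectInsecure: false`, so for "invalid custom certificate" the test cannot tell a PEM blob that was rejected apart from one that was silently ignored, and the latter is exactly the failure mode worth pinning down (a misconfigured trust store that then fails every handshake at runtime instead of at startup). Add an `expectErr bool` (or an expected error substring) column and assert on it; without that, the `invalidCertificate` fixture covers nothing the valid-certificate row does not.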
I'm not sure I see the purpose of invalidCertificate here. It doesn't look like the test actually exercises its invalidity.
More broadly, do we need certificate examples in our unit tests at all? It seems like we're testing the behavior of the underlying TLS/certificate library rather than the logic we're adding on top of it.
Refactor the function by introducing an internal helper to improve readability.
Refactor MacaroonWhitelist to handle public universe proof courier permissions independently. This clarifies the logic and avoids coupling courier access with other universe server permissions.
Remove the defaultMacaroonWhitelist map and inline its entries directly into the conditional logic within MacaroonWhitelist. This ensures that access to previously always-available endpoints is now governed by explicit user configuration (read/write/courier), improving permission control and aligning with expected access restrictions.
Separate the mint anchor transaction fee rate calculation from fundGenesisPsbt into anchorTxFeeRate. This refactor is part of a broader effort to simplify calling fundGenesisPsbt from unit tests.
Extract the wallet funding call into a closure that is passed as an argument. This prepares fundGenesisPsbt to become a standalone function, making it easier to call in unit tests.
Pass the pending batch and chain params into fundGenesisPsbt and convert it into a standalone function rather than a method on ChainPlanter. This change makes it easier to call fundGenesisPsbt from unit tests.
The batch key was only used for logging. This commit moves the log messages outside fundGenesisPsbt, simplifying the function for better code health.
The mock helper FundGenesisTx now returns the index of the change output. It also dynamically computes the index of the change output it adds. These enhancements will be useful when handling packets with supply pre-commitment outputs.
The funding routine now uses the refactored fundGenesisPsbt function, introduced in a previous commit, which adds test coverage for the batch funding logic. An optional argument is also added to allow skipping funding.
RandSeedlingMintingBatch retires.
Refactored GetBlockTimestamp to call GetBlockHeaderByHeight and return an optional error type. Removed the timestamp-to-block-height cache, as it did not handle re-orgs correctly. This prepares the codebase for a more comprehensive caching mechanism to be added in a follow-up commit.
Introduce a reusable cache that stores full headers keyed by height and hash. Tracks confirmation depth and treats shallow entries as unsettled (return miss). Detects conflicts at a height and invalidates shallower headers on reorg. Size and random purge fraction are configurable (default 100k entries, 10 percent). Not yet used by LndRpcChainBridge.
…-rpc-macaroonwhitelist Improve `MacaroonWhitelist` Structure and Permission Granularity
Adds a block header cache to LndRpcChainBridge, which indirectly improves performance of methods like GetBlockTimestamp by avoiding repeated block header fetches.
…int-pre-commit Refactor `fundGenesisPsbt` and enhance test helpers for coverage
…k-header-cache lndservices: add reorg aware block header cache; use in ChainBridge
Introduces rfq/tls.go, which contains a basic TLSConfig type and a default value for it. The default value, which for now only indicates that certificate verification should be skipped, is used in place of the 'dialInsecure' bool when setting up the price oracle RPC.
Adds both 'TrustSystemRootCAs' and 'CustomCertificates' to the rfq TLSConfig. The former indicates whether or not to trust the operating system's root CA list; the latter allows additional certificates (CA or self-signed) to be trusted. Also adds a basic unit test skeleton.
We don't skip certificate verification by default, and also default to trusting the operating system's root CA list.
Adds some basic test cases for configuring transport credentials.
Ensures that certificate verification is skipped when constructing a communication channel with the itest oracle harness.
Ensures the price oracle TLS toggle fits the existing pattern of flags defaulting to false.
@GeorgeTsagk: review reminder
2b3ac4f to 035a840
(Draft, for now, as the test suite still needs a little work.)
Adds TLS support for communication with price oracles, mostly following the suggestions proposed in #1278. Adds configuration options for skipping certificate verification, distrusting the operating system's root CA list, and using a custom certificate.
Resolves #1278.