Impl signing for minting/burning in new tx flow #3199
Conversation
specifications/api/swagger.yaml
Outdated
| Create policy key for the wallet. Used for public account key derived | ||
| wallets or already instantiated mnemonic wallets to set policy public key |
There was a problem hiding this comment.
| Create policy key for the wallet. Used for public account key derived | |
| wallets or already instantiated mnemonic wallets to set policy public key | |
| Create policy key for the wallet. | |
| In order to be able to mint/burn assets with `POST Construct` endpoint there needs to be | |
| a policy key set for the wallet. Invoking this endpoint would be required for all wallets instantiated | |
| before introducing mint/burn feature prior to making a mint/burn transaction from them. | |
There was a problem hiding this comment.
I guess that this endpoint now invalidates https://input-output-hk.github.io/cardano-wallet/api/edge/#operation/getPolicyKey... I mean there's basically no need for it, right?
Also postPolicyKey returns actually a hash (policy_vkh), perhaps we should add a query parameter hash=true here and return policy_vk or policy_vkh based on it?
There was a problem hiding this comment.
now, for the consistency I added optional parameter like in getPolicyKey.
I would advocate for maintaining getPolicyKey in line with postPolicyKey. Could be helpful for consumers of the API, also POST writes to DB, and GET is reading
There was a problem hiding this comment.
Ok, sounds good to leave getPolicyKey, but perhaps for postPolicyKey the POST should be actually PUT... it doesn't create new one every time, but sets one if doesn't exists (or overwrites the old one, but it is always the same if I'm not mistaken)
paweljakubas
force-pushed
the
paweljakubas/adp-1542/sign-minting
branch
2 times, most recently
from
effdcba
to
83bc1f3
Compare
paweljakubas
force-pushed
the
paweljakubas/adp-1542/sign-minting
branch
from
cf83f21
to
f43122f
Compare
See `.editorconfig`.
There was a problem hiding this comment.
Thanks for this work @paweljakubas. This kind of work which involves making changes from the lowest level to the highest is difficult.
I've read through everything and it seems sensible. However, just like the last PR I reviewed it is hard to give proper review.
For me, being able to read and understand the tests is more important than the code and it's performance characteristics. In my review I can't assert that:
- All edge cases are being tested.
- Tests do indeed test what they're trying to test.
I have two requests:
- Is it possible to structure the code so that it can be property tested? I'd be really interested in property tests that cover the edge cases of common attack vectors like burning tokens you don't have, minting and burning at the same time, etc.
- Structuring the code such that it can be property tested may make it easier to review too.
- Could we raise the level of abstraction in the integration tests? It's becoming increasingly difficult to untangle the core of the integration tests from the code (i.e. "with this input, I expect this output").
- Even just some high-level functions (no need to make a new DSL) could help here.
I understand you're just working with what you've got, and these aren't issues you've introduced, but I can't give meaningful review without a clearer relationship between the code and the proof that code works.
|
hi @sevanspowell , Thanks for looking at the PR.
I plan to un-pend the pending tests in the forthcoming PR. I will also think about testing this during property testing. The next PRs will be very focused. This one is big as I needed to prove that minting/burning signing really works in integration testing |
If this is possible that would be awesome. I think testing all cases on integration level is a bit of overkill so if there are any cases that could be verified with property tests that would be great. Then integration tests can be more about e2e flow rather than edge cases. Just to note, besides the integration tests that are pending here and cover some of the edge cases (too big amount when minting, to long asset_name when minting) I have discovered following issues while working on e2e tests in #3207:
|
|
@sevanspowell @piotr-iohk @jonathanknowles yes, we can try to address all edge cases in next PR. This PR is adding the backbone of signing, plus e2e integration tests showing he case. This is first interaction out of three needed to have it in production. I am in favor of merging it, and then (1) improve edge cases via adding more integration tests and property tests, (2) fixing validity interval to enable timelocks. Please take notice that this affects only new tx workflow which is STILL experimental. Otherwise, we could spend many days getting (1) married with some signing/fee/server/wallet bits. Let's merge this and address (1) and (2) in next PRs and move on. |
This is for consistency with its sister function `burnAssetsCheck`.
After review discussion.
(Remove redundant `<$> pure` combinations.)
This is consistent with the `ApiTokenAmountFingerprint` name.
lib/core-integration/src/Test/Integration/Scenario/API/Shelley/TransactionsNew.hs
Outdated
Show resolved
Hide resolved
See review conversation here: #3199 (comment)
There was a problem hiding this comment.
Hi Pawel
Many thanks for creating this PR!
I think it's going in the right direction. However, I do share the concerns that @sevanspowell expressed above, namely that:
Is it possible to structure the code so that it can be property tested? I'd be really interested in property tests that cover the edge cases of common attack vectors like burning tokens you don't have, minting and burning at the same time, etc.
I also feel we should invest more time in writing some focussed property tests, in addition to the integration tests you've already written.
I feel the main advantage would be that we can generate hundreds of random examples, rather than the very small number we're able to test in our integration test framework. We'd also gain a shorter editing-testing iteration cycle, which means faster feedback when things break. Lastly, it might help us to break code up into smaller, clearer chunks, which would answer Sam's point about making the code easier to review.
At the end of the day, as you pointed out, we do still need the integration tests to prove that the system works from end-to-end, but I feel this should be more of a "sanity check" rather than the main thrust of our test effort.
Perhaps we can add more property testing in the next PR? In particular, I'm curious to verify what happens in the following edge cases, in addition to what Sam already mentioned:
- minting and burning in the same transaction (disjoint sets of assets)
- minting and burning in the same transaction (intersecting sets of assets: this might provoke some failures)
- attempting to burn assets that are not available
- attempting to mint or burn large numbers of assets (so that the map is very large: I wonder whether we'll hit upon some kind of limit).
I suspect there are also lots of other things we can test.
Anyway, I'm happy to approve, but I do think it would also be good to also get a review from someone who is more knowledgeable about what kind of design we really want for the new transaction API. (I can only review this part very superficially!) Perhaps @rvl has an opinion here.
Thanks again!
Jonathan
|
thanks @jonathanknowles a lot for the review and commits. I will address those points in the forthcoming PR! |
|
bors r+ |
|
Build succeeded: |
3207: E2e testing: Minting/burning r=piotr-iohk a=piotr-iohk - [x] e2e tests fpr policy keys endpoints - [x] e2e tests for minting/burning ### Comments Can be merged after: #3199 Some tests are currently `pending` due to issues with mint/burn. ``` Minting and Burning Can mint and then burn Can mint and burn with metadata Can mint and burn in the same tx (PENDING: TODO MINT: Mint and burn fails in single tx) Cannot mint and burn the same asset in single tx (PENDING: TODO MINT: Mint and burn fails in single tx) Cannot burn if I don't have it Cannot burn with wrong policy_script or more than I have Mint to foreign wallet / Cannot burn if I don't have keys (PENDING: TODO MINT: It doesn't mint to foreign wallet!) Cannot mint if I make too big transaction Mint/Burn quantities Cannot mint -9223372036854775808 assets (PENDING: TODO MINT: Mint burn quantities edge cases) Cannot burn -9223372036854775808 assets (PENDING: TODO MINT: Mint burn quantities edge cases) Cannot mint -1 assets (PENDING: TODO MINT: Mint burn quantities edge cases) Cannot burn -1 assets (PENDING: TODO MINT: Mint burn quantities edge cases) Cannot mint 0 assets (PENDING: TODO MINT: Mint burn quantities edge cases) Cannot burn 0 assets (PENDING: TODO MINT: Mint burn quantities edge cases) Cannot mint 9223372036854775808 assets (PENDING: TODO MINT: Mint burn quantities edge cases) Cannot burn 9223372036854775808 assets (PENDING: TODO MINT: Mint burn quantities edge cases) Mint/Burn asset_name Cannot mint if my asset name is too long (PENDING: TODO MINT: asset name too long throws 'Something went wrong' on construct) Cannot mint if my asset name is invalid hex (PENDING: TODO MINT: asset name too long throws 'Something went wrong' on construct) Mint/Burn invalid policy script Cannot mint if my policy script is invalid: cosigner#1 Cannot mint if my policy script is invalid: {"all"=>["cosigner#0", "cosigner#1"]} Cannot mint if my policy script is invalid: {"any"=>["cosigner#0", "cosigner#0"]} Cannot mint if my policy script is invalid: {"some"=>{"at_least"=>2, "from"=>["cosigner#0"]}} Cannot mint if my policy script is invalid: {"some"=>["cosigner#0"]} ``` <!-- Additional comments, links, or screenshots to attach, if any. --> ### Issue Number ADP-1574 Co-authored-by: Piotr Stachyra <[email protected]>
Comments
Minting/burning working without timelocks at this moment - needs validation integral fixing to enable this - coming in the next PR
I want to have construct/decode responses:
Issue Number
adp-955
adp-1542