espeoblockchain / gardener-server Goto Github PK
View Code? Open in Web Editor NEWNode.js server for Gardener open source oracle project
License: MIT License
Node.js server for Gardener open source oracle project
License: MIT License
XPath not handled correctly for node attributes
Example of good behavior:
xml(http://samples.openweathermap.org/data/2.5/weather?q=London&mode=xml&appid=b6907d289e10d714a6e88b30761fae22)/current/city/country
Returns:
// correct
value: "GB"
error: 0
Example of bad behavior:
xml(http://samples.openweathermap.org/data/2.5/weather?q=London&mode=xml&appid=b6907d289e10d714a6e88b30761fae22)/current/temperature/@value
Returns nothing and throw error on server side but should:
value: "280.15"
error: 0
We could create a web app that demonstrates what Gardener can do to new users and developers. This is what I suggest as a high level overview of the app:
Similar type of demo has been done by Provable: http://app.provable.xyz/home/test_query
Some user stories(all features are not ready, but we should be able to add them to the app later):
Integrate Gardener with Hyperledger Fabric. It should be seamless - all the smart contracts that currently work on Ethereum should also on Fabric. Server-side part of Gardener should remain unchanged.
oracle-demo.espeo.pl
in order to get to those)Expected: fetched data is sent to blockchain
Actual: Data is fetched but sending it to blockchain fails with a following error:
Sending response failed [requestId=0x38b681e93ed93ca529c65bd81c9ff50d0ba0cee250846bc0a9eb95bbca99cb6c] Error: Returned error: gas required exceeds allowance (8000000) or always failing transaction
at Object.ErrorResponse (/usr/src/app/node_modules/web3-core-helpers/src/errors.js:29:16)
at /usr/src/app/node_modules/web3-core-requestmanager/src/index.js:140:36
at XMLHttpRequest.request.onreadystatechange (/usr/src/app/node_modules/web3-providers-http/src/index.js:91:13)
at XMLHttpRequestEventTarget.dispatchEvent (/usr/src/app/node_modules/xhr2-cookies/xml-http-request-event-target.ts:44:13)
at XMLHttpRequest._setReadyState (/usr/src/app/node_modules/xhr2-cookies/xml-http-request.ts:219:8)
at XMLHttpRequest._onHttpResponseEnd (/usr/src/app/node_modules/xhr2-cookies/xml-http-request.ts:345:8)
at IncomingMessage.<anonymous> (/usr/src/app/node_modules/xhr2-cookies/xml-http-request.ts:311:39)
at IncomingMessage.emit (events.js:203:15)
at IncomingMessage.EventEmitter.emit (domain.js:448:20)
at endReadableNT (_stream_readable.js:1129:12)
at process._tickCallback (internal/process/next_tick.js:63:19)
Before investigating this, resolve #60 - it might help.
Integrate IPFS as a data source.
Currently, running npm audit
shows multiple security vulnerabilities, due to unsafe package version.
Fix it, according to best npm standards. This task is done when we have 0 security vulnerabilities after running npm audit
Verify the that the computation has been performed correctly.
Because gardener-monitor will be used for demos and error code won't mean anything to anyone but Gardener devs.
Create access for APIs that need authentication.
I suggest to migrate npm to yarn and stop freezing packages manually.
Yarn has more intuitive commands than npm, and doesn't allow user to e.g. install lib without adding it to package.json or install node_modules with update lock file.
Currently our test files live next to source files. This leads to some awkwardness like:
Objectives of this tasks are:
*.spec.ts
and *.integration.ts
to a location separate from source code. Look up what are TS standards for this, but my idea is a "Java-like" approach with src/ root for source code and test/ root for test stuff.tsconfig.json
) for app and tests. Test config and app config will likely derive from some root config (use "extends" keyword)Current setup guide https://gardener.readthedocs.io/en/latest/getting-started.html does not work on Windows. This is a problem since users that would like to take advantage of SGX will be most likely running Windows.
In scope of this task, adjust Gardener codebase (all projects) to be as compatible with Windows as possible and also update https://gardener.readthedocs.io/en/latest/getting-started.html
Design the architecture of the off chain oracle network based on Schnorr signatures.
Currently only responses for valid requests are generated. We should support also failed ones with proper codes in order to know what exactly happens from the smart contracts perspective.
As our whole server is written in OOP, it would be very useful from developer perspective to have more restrictions on object or parameter type. It would speed up development and be less error prone.
Configure Gardener with PERSISTENCE=MONGODB
Send any query to Oracle
Query is processed by gardener-server
Expected: query response is sent to blockchain and no error messages are shown
Actual: sending query response fails with following error message:
Sending response failed [requestId=0xa2b8357552a4ae3ae94e99949a5ea45ff35f7e9e74657207cdcc2d5b2ec9c955] Error: No "from" address specified in neither the given options, nor the default options.
at Object._executeMethod (/usr/src/app/node_modules/web3-eth-contract/src/index.js:832:45)
at EthereumOracleAdapter._sendPendingResponse (/usr/src/app/src/infrastructure/blockchain/ethereum/EthereumOracleAdapter.js:73:20)
at process._tickCallback (internal/process/next_tick.js:68:7)
In package.json web3 is used with version 1.0.0-beta.36
instead of 1.0.0-beta.55
.
Investigate how to hire an AWS instance that supports SGX. It needs to have a SGX-ready processor which is any modern Intel processor as well as SGX enabled in BIOS.
After we have an AWS instance, deploy a gardener stack on it.
This needs to be done as a prerequisite of SGX-powered Random Number Generator demo : #39
This task requires #22 in master to be finished.
So far it seems that Oracle does not have a SGX integration in their Blockchain Platform. We should look into what are the benefits that we can offer to them by integrating Gardener to their platform.
Think of this in terms of:
Oracle's core business is selling database licenses and hosting to enterprises.
They have a PaaS Blockchain Platform that uses Fabric to allow their clients to have business logic on top of their stored data. This allows to automate business processes and create innovative solutions.
Oracle's clients come from all possible industries.
For example, their client uses MySQL to store their supply chain data. They want to build an automation to their workflow by implementing chain code that automates a large chunk of their process and removes risk for errors when people make entries manually across the supply chain.
How can Gardener improve the security of their Blockchain Platform and benefit their clients. For example, if they don't have remote attestation and sealing implemented, how would that benefit them and their clients?
More details of their platform can be found in:
https://www.oracle.com/application-development/cloud-services/blockchain-platform/
It is hard to understand SGX capabilities by business people. Solve that issue by creating a high level presentation about SGX that shows what are the benefits of it from use case point of view - and to allow a differentiation from ones where SGX cannot help.
After it's done. run it with @imacoindev and Sylwia.
Gardener-server should deliver random data when requested.
After #32 and #42 , some logic that is specific to contentType is still being done outside of RequestStrategy. This leads to code duplication, worse testability and maintainability.
In scope of this task, refactor exisiting solution to move contentType-speciic logic into RequestStrategy. This will probably mean that contentType enum will be interoduced, Request class will be made abstract and some extensions to it will be created and RequestUrlParser logic will be moved to RequestStrategy. Refer to Code Review comments in #32 and #42 .
While you're at it, it would be nice to add more tests around RequestExecutor logic.
Integrate Intel SGX to prove data validity.
Currently we're using beta versions of web3.js:
"web3": "1.0.0-beta.36",
"web3-eth-contract": "1.0.0-beta.55",
"web3-utils": "1.0.0-beta.55",
In scope of this task, please update all web3 packages to a stable version as per https://www.npmjs.com/package/web3 . Test application thoroughly and adjust code if needed.
Doing this might fix #57 or at least shed some light on it.
When data part doesn't exists in existing response oracle should return 404 not 0 errorCode.
Currently for:
//misspell, correctly should be .chartName
json(https://api.coindesk.com/v1/bpi/currentprice.json).chartname
is:
value: ""
error: 0
should be:
value: ""
error: 4004
Javascript doesn't allow to specify input/output types. As this is the essence of ports which we are using in hexagonal architecture it would be nice to get clean view of these parameters. It can be achieved by adding JSDocs comments.
UsingOracle.deployed().then(instance => instance.request("json(badUrl"))
Expected: A stacktrace of InvalidUrlError is found in the logs
Expected: 1000 error code is being logged
Actual: No error logging at all
Actual: No error code is logged: Created response [response={"requestId":"0x3b7602292b26ffa4b1bea411d4594bcbd24a9b288169cd3f739c88a19c604cf4","state":{"name":"Processed"},"errorCode":0}]
This is just an example, such a case is also true for other custom errors, namely HttpError and InvalidContentTypeError.
Currently, a process of generating random value in Enclave is vulnerable to man-in-the-middle attack - should attacker take control of a machine that hosts gardener-server
, he could replace generated value with one of his choice.
To remedy that, we should use SGX Sealing mechanism to hardcode user's public key (assymetric cryptography, does not necessarily have anything to do with blockchain keys - even though it could) . This public key would be used to encrypt generated data in enclave and send it to the user - decrypting value with his private key would be user's responsibility.
Potential security risk: attacker could take control of user's public key, intercept gardener-server
machine and generate encrypted value. This means that IF such attack is feasible, then instead of just hardcoding user's public key, we could go for Diffie-Hellman Key Exchange.
Finishing this task is the last milestone for SGX implementation in the context of RNG for gambling, since having it guarantees that the only Third Trusted Party in entire RNG process is Intel - user does not even have to trust a party that hosts gardener-server
.
IntelSGX proof for URL and random data sources
TLS Notary proof for URL and random data sources
Computation data source without proof
IntelSGX and TLSNotary proofs for Computation
As a request from the Oracle execute a script in the server and return the result (with capped length).
One possibility for creating the computation:
Alternative solutions always welcome :)
Currently only in memory storage is supported so data disappears during server recreation. More persistant storage needed. MongoDB would be a good shot. Even if someone want something different hexagonal architecture allows easily create new adapters for the same interfaces.
Currently, many of the Gardener tests use custom, promitive mocking mechanism. An example of that can be found in ExecuteReadyRequestsUseCase.spec.ts
. They look like this:
const fetchDataUseCase = () => ({ fetchData: () => Promise.resolve('fetchedData'), });
In scope of this task, refactor entire gardener-server
codebase to use some standard mock mechanism instead. A specific technnique to be used is left to be researched but this looks promising: https://jestjs.io/docs/en/es6-class-mocks#automatic-mock .
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.