Adding notion of a recovery owner for network recovery #6705
Conversation
gaurav137
changed the title
…137/CCF into dev/gsinha/recovery-owner
…137/CCF into dev/gsinha/recovery-owner
| assert ( | ||
| f"{submitted_shares_count}/{self.recovery_threshold}" in r.body.text() | ||
| ) |
There was a problem hiding this comment.
I don't think this should be in the response body in this case, as it's misleading.
There was a problem hiding this comment.
Do you mean the number submitted out of threshold, because it's really owner recovery?
| @@ -372,6 +372,17 @@ const actions = new Map([ | |||
| function (args) { | |||
| checkX509CertBundle(args.cert, "cert"); | |||
| checkType(args.member_data, "object?", "member_data"); | |||
| checkType(args.recovery_role, "string?", "recovery_role"); | |||
There was a problem hiding this comment.
There's also a checkEnum() that will be slightly more precise (and prevent a much-later error, if C++ code tries to deserialise an unknown/badly-cased string). It doesn't have the ? optional syntax, so I think it would be something like:
| checkType(args.recovery_role, "string?", "recovery_role"); | |
| const recovery_role = args.recovery_role; | |
| if (recovery_role !== undefined) { | |
| checkEnum( | |
| recovery_role, | |
| ["NonParticipant", "Participant", "Owner"], | |
| "recovery_role" | |
| ); | |
| } |
(I'm not completely sure of the semantics here - should recovery_role be null or "NonParticipant"?)
| if (full_key_submitted) | ||
| { | ||
| message += "\nFull recovery key successfully submitted"; | ||
| } |
There was a problem hiding this comment.
Can't add as suggestion because it affects the untouched lines above, but suggest that this is a replacement for the "x/n" message above when full_key_submitted.
Something like:
std::string message;
if (full_key_submitted)
{
message = "Full Owner recovery key successfuly submitted";
}
else
{
// Same format of message, whether this is sufficient to trigger
// recovery or not
message = fmt::format(
"{}/{} recovery shares successfully submitted",
submitted_shares_count,
threshold);
}
if (submitted_shares_count >= threshold || full_key_submitted)
{
message += "\nEnd of recovery procedure initiated";
...
Adding support for a member that can act as a recovery owner and gets assigned the full recovery share to it. Such a member can single handedly recover the network on their own w/o requiring any other recovery members to submit their recovery shares.
This capability is going to be used in the confidential clean room scenario where a confidential recovery service gets created and is able to recover the CCF network on its own using a recovery owner identity. Only if the confidential recovery service is unable to perform recovery then the recovery members can come together and perform break glass recovery by submitting the threshold amount of recovery shares.
Changes done:
Added an optional recovery_role enum in MemberDetails to indicate whether a recovery member is a recovery owner or not.
Added support to set the above flag both via the cchost config file during network create and set_member proposal.
Recovery owners don't count towards the recovery threshold calculation so updated code paths accordingly.
Added test cases to recover a network using the recovery owner.