From 4f5dd6e77a1a67b84120e02d4b239d763375883b Mon Sep 17 00:00:00 2001
From: finch
Date: Fri, 22 Mar 2024 21:17:11 -0400
Subject: [PATCH] Use separate governance custody in pcli, once more
---
 crates/bin/pcli/src/main.rs | 1 +
 crates/bin/pcli/src/network.rs | 5 ++++-
 crates/bin/pcli/src/opt.rs | 27 ++++++++++++++++++++++++++-
 3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/crates/bin/pcli/src/main.rs b/crates/bin/pcli/src/main.rs
index 004a6cb5ff..bfa17d64a3 100644
--- a/crates/bin/pcli/src/main.rs
+++ b/crates/bin/pcli/src/main.rs
@@ -36,6 +36,7 @@ pub struct App {
 /// correctly, this can be unwrapped safely.
 pub view: Option>,
 pub custody: CustodyServiceClient,
+ pub governance_custody: CustodyServiceClient,
 pub config: PcliConfig,
 }
diff --git a/crates/bin/pcli/src/network.rs b/crates/bin/pcli/src/network.rs
index 676713f56a..d9f0502f67 100644
--- a/crates/bin/pcli/src/network.rs
+++ b/crates/bin/pcli/src/network.rs
@@ -102,7 +102,10 @@ impl App {
 validator_vote: Some(validator_vote.into()),
 pre_authorizations: vec![],
 };
- self.custody
+ // Use the separate governance custody service, if one is configured, to sign the validator
+ // vote. This allows the governance custody service to have a different key than the main
+ // custody, which is useful for validators who want to have a separate key for voting.
+ self.governance_custody // VERY IMPORTANT: use governance custody here!
 .authorize_validator_vote(request)
 .await?
 .into_inner()
diff --git a/crates/bin/pcli/src/opt.rs b/crates/bin/pcli/src/opt.rs
index 5e29a7b689..b9ce54a565 100644
--- a/crates/bin/pcli/src/opt.rs
+++ b/crates/bin/pcli/src/opt.rs
@@ -1,5 +1,5 @@
 use crate::{
- config::{CustodyConfig, PcliConfig},
+ config::{CustodyConfig, GovernanceCustodyConfig, PcliConfig},
 terminal::ActualTerminal,
 App, Command,
 };
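Review bot: The new `governance_custody` field in `App` (main.rs hunk) has no doc comment, although its type is identical to `custody` and the opt.rs change shows it can simply be a clone of `custody`. A comment on the field would record the contract where readers look first, for example `/// Custody service used to authorize validator votes; a clone of custody when no separate governance custody is configured.` The opening of the struct is outside the hunk.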
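Review bot: In the network.rs hunk the key separation rests entirely on this one call site naming `self.governance_custody`; the field has the same type as `self.custody`, so the compiler accepts either, and the trailing `// VERY IMPORTANT` comment is the only guard (the subject's "once more" suggests this may have regressed before). A single accessor on `App` through which validator-vote authorization must go, or a newtype around the governance client that exposes only `authorize_validator_vote`, would make the choice checkable rather than a convention. Other callers of `authorize_validator_vote`, if there are any, are not visible in this patch and should be checked for the same substitution. The enclosing function starts and ends outside the hunk.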
@@ -78,6 +78,30 @@ impl Opt {
 }
 };
+ // Build the governance custody service...
+ let governance_custody = match &config.governance_custody {
+ Some(separate_governance_custody) => match separate_governance_custody {
+ GovernanceCustodyConfig::SoftKms(config) => {
+ tracing::info!(
+ "using separate software KMS custody service for validator voting"
+ );
+ let soft_kms = SoftKms::new(config.clone());
+ let custody_svc = CustodyServiceServer::new(soft_kms);
+ CustodyServiceClient::new(box_grpc_svc::local(custody_svc))
+ }
+ GovernanceCustodyConfig::Threshold(config) => {
+ tracing::info!(
+ "using separate manual threshold custody service for validator voting"
+ );
+ let threshold_kms =
+ penumbra_custody::threshold::Threshold::new(config.clone(), ActualTerminal);
+ let custody_svc = CustodyServiceServer::new(threshold_kms);
+ CustodyServiceClient::new(box_grpc_svc::local(custody_svc))
+ }
+ },
+ None => custody.clone(), // If no separate custody for validator voting, use the same one
+ };
+
 // ...and the view service...
 let view = match (self.cmd.offline(), &config.view_url) {
 // In offline mode, don't construct a view service at all.
@@ -110,6 +134,7 @@ impl Opt {
 let app = App {
 view,
 custody,
+ governance_custody,
 config,
 };
 Ok((app, self.cmd))
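Review bot: The `None` arm of the new `governance_custody` match falls back to `custody.clone()` silently, while both configured arms log at info level, so an operator who expected a separate governance key (for example because the config section is absent) gets no startup indication that validator votes will be authorized by the main custody service. Logging the fallback makes the effective signing path visible: `None => { tracing::info!("no separate governance custody configured; using main custody for validator voting"); custody.clone() }`. Separately, the inner patterns bind `config`, shadowing the outer `config` that `&config.governance_custody` and `&config.view_url` read; a distinct binding name such as `governance_config` would avoid misreading. The enclosing function starts and ends outside the hunk.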