feat: whitelist connection gater (#3028)

* bump go tss to remove dht

* add whitelist fields

* disable whitelist for localnet

* bump go-tss

* resolve whitelisted peers wip

* dont disable whitelist in e2e tests

* cleanup whitelist fields from config and fix e2e tests

* bump go-tss

* cleanup

* bump go tss

* use node accounts to get whitelisted peers

* bump go tss

* changelog

* fix unit test

* bump go tss

* remove usage of pointers in node accounts

* fix unit test

* revert back to using keygen for whitelist peers

---------

Co-authored-by: Alex Gartner <[email protected]>

changelog.md

@@ -24,6 +24,7 @@
 * [2979](https://github.com/zeta-chain/node/pull/2979) - add fungible keeper ability to lock/unlock ZRC20 tokens
 * [3012](https://github.com/zeta-chain/node/pull/3012) - integrate authenticated calls erc20 smart contract functionality into protocol
 * [3025](https://github.com/zeta-chain/node/pull/3025) - standard memo for Bitcoin inbound
+* [3028](https://github.com/zeta-chain/node/pull/3028) - whitelist connection gater
 
 ### Refactor
 

cmd/zetaclientd/start.go

@@ -13,10 +13,12 @@ import (
 	"time"
 
 	"github.com/cometbft/cometbft/crypto/secp256k1"
+	"github.com/libp2p/go-libp2p/core/peer"
 	maddr "github.com/multiformats/go-multiaddr"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	"gitlab.com/thorchain/tss/go-tss/conversion"
 
 	"github.com/zeta-chain/node/pkg/authz"
 	"github.com/zeta-chain/node/pkg/chains"
@@ -204,8 +206,19 @@ func start(_ *cobra.Command, _ []string) error {
 	}
 
 	telemetryServer.SetIPAddress(cfg.PublicIP)
+
+	keygen := appContext.GetKeygen()
+	whitelistedPeers := []peer.ID{}
+	for _, pk := range keygen.GranteePubkeys {
+		pid, err := conversion.Bech32PubkeyToPeerID(pk)
+		if err != nil {
+			return err
+		}
+		whitelistedPeers = append(whitelistedPeers, pid)
+	}
+
 	// Create TSS server
-	server, err := mc.SetupTSSServer(peers, priKey, preParams, appContext.Config(), tssKeyPass, true)
+	server, err := mc.SetupTSSServer(peers, priKey, preParams, appContext.Config(), tssKeyPass, true, whitelistedPeers)
 	if err != nil {
 		return fmt.Errorf("SetupTSSServer error: %w", err)
 	}

go.mod

@@ -367,5 +367,5 @@ replace (
 	github.com/bnb-chain/tss-lib => github.com/zeta-chain/tss-lib v0.0.0-20240916163010-2e6b438bd901
 	github.com/ethereum/go-ethereum => github.com/zeta-chain/go-ethereum v1.10.26-spc
 	github.com/libp2p/go-libp2p => github.com/zeta-chain/go-libp2p v0.0.0-20240710192637-567fbaacc2b4
-	gitlab.com/thorchain/tss/go-tss => github.com/zeta-chain/go-tss v0.0.0-20240916173049-89fee4b0ae7f
+	gitlab.com/thorchain/tss/go-tss => github.com/zeta-chain/go-tss v0.0.0-20241028203048-62ae2bb54949
 )

go.sum

@@ -4204,8 +4204,8 @@ github.com/zeta-chain/go-ethereum v1.10.26-spc h1:NvY4rR9yw52wfxWt7YoFsWbaIwVMyO
 github.com/zeta-chain/go-ethereum v1.10.26-spc/go.mod h1:/6CsT5Ceen2WPLI/oCA3xMcZ5sWMF/D46SjM/ayY0Oo=
 github.com/zeta-chain/go-libp2p v0.0.0-20240710192637-567fbaacc2b4 h1:FmO3HfVdZ7LzxBUfg6sVzV7ilKElQU2DZm8PxJ7KcYI=
 github.com/zeta-chain/go-libp2p v0.0.0-20240710192637-567fbaacc2b4/go.mod h1:TBv5NY/CqWYIfUstXO1fDWrt4bDoqgCw79yihqBspg8=
-github.com/zeta-chain/go-tss v0.0.0-20240916173049-89fee4b0ae7f h1:XqUvw9a3EnDa271r5/tjRy90U2l1E8thdWzlrkbrEGE=
-github.com/zeta-chain/go-tss v0.0.0-20240916173049-89fee4b0ae7f/go.mod h1:B1FDE6kHs8hozKSX1/iXgCdvlFbS6+FeAupoBHDK0Cc=
+github.com/zeta-chain/go-tss v0.0.0-20241028203048-62ae2bb54949 h1:dBwx99+oymiyecnRGu1dnkJmYn2SAgBexBJ6nsdJt+E=
+github.com/zeta-chain/go-tss v0.0.0-20241028203048-62ae2bb54949/go.mod h1:B1FDE6kHs8hozKSX1/iXgCdvlFbS6+FeAupoBHDK0Cc=
 github.com/zeta-chain/keystone/keys v0.0.0-20240826165841-3874f358c138 h1:vck/FcIIpFOvpBUm0NO17jbEtmSz/W/a5Y4jRuSJl6I=
 github.com/zeta-chain/keystone/keys v0.0.0-20240826165841-3874f358c138/go.mod h1:U494OsZTWsU75hqoriZgMdSsgSGP1mUL1jX+wN/Aez8=
 github.com/zeta-chain/protocol-contracts v1.0.2-athens3.0.20241021075719-d40d2e28467c h1:ZoFxMMZtivRLquXVq1sEVlT45UnTPMO1MSXtc88nDv4=

zetaclient/tss/tss_signer.go

@@ -148,6 +148,7 @@ func SetupTSSServer(
 	cfg config.Config,
 	tssPassword string,
 	enableMonitor bool,
+	whitelistedPeers []gopeer.ID,
 ) (*tss.TssServer, error) {
 	bootstrapPeers := peer
 	log.Info().Msgf("Peers AddrList %v", bootstrapPeers)
@@ -185,6 +186,7 @@ func SetupTSSServer(
 		preParams, // use pre-generated pre-params if non-nil
 		IP,        // for docker test
 		tssPassword,
+		whitelistedPeers,
 	)
 	if err != nil {
 		log.Error().Err(err).Msg("NewTSS error")