MarketTakers/arbiter
5
0
Fork 0
Code Issues 27 Pull Requests 4 Packages Projects Releases Wiki Activity

refactor(proto): nest client protocol and extract shared schemas
Some checks failed
ci/woodpecker/pr/server-audit Pipeline was successful
Details
ci/woodpecker/pr/server-lint Pipeline failed
Details
ci/woodpecker/pr/server-vet Pipeline failed
Details
ci/woodpecker/pr/server-test Pipeline was successful
Details
ci/woodpecker/pr/useragent-analyze Pipeline failed
Details

Browse Source
This commit is contained in:
hdbg
2026-04-03 19:15:53 +02:00
parent 5141ac4f55
commit 366a58f5eb
6 changed files with 133 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
server/crates/arbiter-client/src/auth.rs
View File

@@ -1,9 +1,17 @@
use arbiter_proto::{ use arbiter_proto::{
ClientMetadata, format_challenge, ClientMetadata, format_challenge,
proto::client::{ proto::{
AuthChallengeRequest, AuthChallengeSolution, AuthResult, ClientInfo as ProtoClientInfo, client::{
ClientRequest, client_request::Payload as ClientRequestPayload, ClientRequest,
client_response::Payload as ClientResponsePayload, auth::{
self as proto_auth, AuthChallenge, AuthChallengeRequest, AuthChallengeSolution,
AuthResult, request::Payload as AuthRequestPayload,
response::Payload as AuthResponsePayload,
},
client_request::Payload as ClientRequestPayload,
client_response::Payload as ClientResponsePayload,
},
shared::ClientInfo as ProtoClientInfo,
}, },
}; };
use ed25519_dalek::Signer as _; use ed25519_dalek::Signer as _;
@@ -51,16 +59,16 @@ async fn send_auth_challenge_request(
transport transport
.send(ClientRequest { .send(ClientRequest {
request_id: next_request_id(), request_id: next_request_id(),
payload: Some(ClientRequestPayload::AuthChallengeRequest( payload: Some(ClientRequestPayload::Auth(proto_auth::Request {
AuthChallengeRequest { payload: Some(AuthRequestPayload::ChallengeRequest(AuthChallengeRequest {
pubkey: key.verifying_key().to_bytes().to_vec(), pubkey: key.verifying_key().to_bytes().to_vec(),
client_info: Some(ProtoClientInfo { client_info: Some(ProtoClientInfo {
name: metadata.name, name: metadata.name,
description: metadata.description, description: metadata.description,
version: metadata.version, version: metadata.version,
}), }),
}, })),
)), })),
}) })
.await .await
.map_err(|_| AuthError::UnexpectedAuthResponse) .map_err(|_| AuthError::UnexpectedAuthResponse)
@@ -68,7 +76,7 @@ async fn send_auth_challenge_request(
async fn receive_auth_challenge( async fn receive_auth_challenge(
transport: &mut ClientTransport, transport: &mut ClientTransport,
) -> std::result::Result<arbiter_proto::proto::client::AuthChallenge, AuthError> { ) -> std::result::Result<AuthChallenge, AuthError> {
let response = transport let response = transport
.recv() .recv()
.await .await
@@ -76,8 +84,11 @@ async fn receive_auth_challenge(
let payload = response.payload.ok_or(AuthError::MissingAuthChallenge)?; let payload = response.payload.ok_or(AuthError::MissingAuthChallenge)?;
match payload { match payload {
ClientResponsePayload::AuthChallenge(challenge) => Ok(challenge), ClientResponsePayload::Auth(response) => match response.payload {
ClientResponsePayload::AuthResult(result) => Err(map_auth_result(result)), Some(AuthResponsePayload::Challenge(challenge)) => Ok(challenge),
Some(AuthResponsePayload::Result(result)) => Err(map_auth_result(result)),
None => Err(AuthError::MissingAuthChallenge),
},
_ => Err(AuthError::UnexpectedAuthResponse), _ => Err(AuthError::UnexpectedAuthResponse),
} }
} }
@@ -85,7 +96,7 @@ async fn receive_auth_challenge(
async fn send_auth_challenge_solution( async fn send_auth_challenge_solution(
transport: &mut ClientTransport, transport: &mut ClientTransport,
key: &ed25519_dalek::SigningKey, key: &ed25519_dalek::SigningKey,
challenge: arbiter_proto::proto::client::AuthChallenge, challenge: AuthChallenge,
) -> std::result::Result<(), AuthError> { ) -> std::result::Result<(), AuthError> {
let challenge_payload = format_challenge(challenge.nonce, &challenge.pubkey); let challenge_payload = format_challenge(challenge.nonce, &challenge.pubkey);
let signature = key.sign(&challenge_payload).to_bytes().to_vec(); let signature = key.sign(&challenge_payload).to_bytes().to_vec();
@@ -93,9 +104,11 @@ async fn send_auth_challenge_solution(
transport transport
.send(ClientRequest { .send(ClientRequest {
request_id: next_request_id(), request_id: next_request_id(),
payload: Some(ClientRequestPayload::AuthChallengeSolution( payload: Some(ClientRequestPayload::Auth(proto_auth::Request {
AuthChallengeSolution { signature }, payload: Some(AuthRequestPayload::ChallengeSolution(
)), AuthChallengeSolution { signature },
)),
})),
}) })
.await .await
.map_err(|_| AuthError::UnexpectedAuthResponse) .map_err(|_| AuthError::UnexpectedAuthResponse)
@@ -113,12 +126,15 @@ async fn receive_auth_confirmation(
.payload .payload
.ok_or(AuthError::UnexpectedAuthResponse)?; .ok_or(AuthError::UnexpectedAuthResponse)?;
match payload { match payload {
ClientResponsePayload::AuthResult(result) ClientResponsePayload::Auth(response) => match response.payload {
if AuthResult::try_from(result).ok() == Some(AuthResult::Success) => Some(AuthResponsePayload::Result(result))
{ if AuthResult::try_from(result).ok() == Some(AuthResult::Success) =>
Ok(()) {
} Ok(())
ClientResponsePayload::AuthResult(result) => Err(map_auth_result(result)), }
Some(AuthResponsePayload::Result(result)) => Err(map_auth_result(result)),
_ => Err(AuthError::UnexpectedAuthResponse),
},
_ => Err(AuthError::UnexpectedAuthResponse), _ => Err(AuthError::UnexpectedAuthResponse),
} }
} }

20
server/crates/arbiter-proto/src/lib.rs
View File

@@ -6,6 +6,14 @@ use base64::{Engine, prelude::BASE64_STANDARD};
pub mod proto { pub mod proto {
tonic::include_proto!("arbiter"); tonic::include_proto!("arbiter");
pub mod shared {
tonic::include_proto!("arbiter.shared");
pub mod evm {
tonic::include_proto!("arbiter.shared.evm");
}
}
pub mod user_agent { pub mod user_agent {
tonic::include_proto!("arbiter.user_agent"); tonic::include_proto!("arbiter.user_agent");
@@ -36,6 +44,18 @@ pub mod proto {
pub mod client { pub mod client {
tonic::include_proto!("arbiter.client"); tonic::include_proto!("arbiter.client");
pub mod auth {
tonic::include_proto!("arbiter.client.auth");
}
pub mod evm {
tonic::include_proto!("arbiter.client.evm");
}
pub mod vault {
tonic::include_proto!("arbiter.client.vault");
}
} }
pub mod evm { pub mod evm {

39
server/crates/arbiter-server/src/grpc/client.rs
View File

@@ -1,8 +1,12 @@
use arbiter_proto::{ use arbiter_proto::{
proto::client::{ proto::{
ClientRequest, ClientResponse, VaultState as ProtoVaultState, client::{
client_request::Payload as ClientRequestPayload, ClientRequest, ClientResponse,
client_response::Payload as ClientResponsePayload, client_request::Payload as ClientRequestPayload,
client_response::Payload as ClientResponsePayload,
vault::{self as proto_vault, request::Payload as VaultRequestPayload, response::Payload as VaultResponsePayload},
},
shared::VaultState as ProtoVaultState,
}, },
transport::{Receiver, Sender, grpc::GrpcBi}, transport::{Receiver, Sender, grpc::GrpcBi},
}; };
@@ -79,7 +83,24 @@ async fn dispatch_inner(
payload: ClientRequestPayload, payload: ClientRequestPayload,
) -> Result<ClientResponsePayload, Status> { ) -> Result<ClientResponsePayload, Status> {
match payload { match payload {
ClientRequestPayload::QueryVaultState(_) => { ClientRequestPayload::Vault(req) => dispatch_vault_request(actor, req).await,
payload => {
warn!(?payload, "Unsupported post-auth client request");
Err(Status::invalid_argument("Unsupported client request"))
}
}
}
async fn dispatch_vault_request(
actor: &ActorRef<ClientSession>,
req: proto_vault::Request,
) -> Result<ClientResponsePayload, Status> {
let Some(payload) = req.payload else {
return Err(Status::invalid_argument("Missing client vault request payload"));
};
match payload {
VaultRequestPayload::QueryState(_) => {
let state = match actor.ask(HandleQueryVaultState {}).await { let state = match actor.ask(HandleQueryVaultState {}).await {
Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped, Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed, Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
@@ -90,11 +111,9 @@ async fn dispatch_inner(
ProtoVaultState::Error ProtoVaultState::Error
} }
}; };
Ok(ClientResponsePayload::VaultState(state.into())) Ok(ClientResponsePayload::Vault(proto_vault::Response {
} payload: Some(VaultResponsePayload::State(state.into())),
payload => { }))
warn!(?payload, "Unsupported post-auth client request");
Err(Status::invalid_argument("Unsupported client request"))
} }
} }
} }

72
server/crates/arbiter-server/src/grpc/client/auth.rs
View File

@@ -1,11 +1,20 @@
use arbiter_proto::{ use arbiter_proto::{
ClientMetadata, proto::client::{ ClientMetadata,
AuthChallenge as ProtoAuthChallenge, AuthChallengeRequest as ProtoAuthChallengeRequest, proto::{
AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult, client::{
ClientInfo as ProtoClientInfo, ClientRequest, ClientResponse, ClientRequest, ClientResponse,
client_request::Payload as ClientRequestPayload, auth::{
client_response::Payload as ClientResponsePayload, self as proto_auth, AuthChallenge as ProtoAuthChallenge,
}, transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi} AuthChallengeRequest as ProtoAuthChallengeRequest,
AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
request::Payload as AuthRequestPayload, response::Payload as AuthResponsePayload,
},
client_request::Payload as ClientRequestPayload,
client_response::Payload as ClientResponsePayload,
},
shared::ClientInfo as ProtoClientInfo,
},
transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi}
}; };
use async_trait::async_trait; use async_trait::async_trait;
use tonic::Status; use tonic::Status;
@@ -32,22 +41,20 @@ impl<'a> AuthTransportAdapter<'a> {
} }
} }
fn response_to_proto(response: auth::Outbound) -> ClientResponsePayload { fn response_to_proto(response: auth::Outbound) -> AuthResponsePayload {
match response { match response {
auth::Outbound::AuthChallenge { pubkey, nonce } => { auth::Outbound::AuthChallenge { pubkey, nonce } => {
ClientResponsePayload::AuthChallenge(ProtoAuthChallenge { AuthResponsePayload::Challenge(ProtoAuthChallenge {
pubkey: pubkey.to_bytes().to_vec(), pubkey: pubkey.to_bytes().to_vec(),
nonce, nonce,
}) })
} }
auth::Outbound::AuthSuccess => { auth::Outbound::AuthSuccess => AuthResponsePayload::Result(ProtoAuthResult::Success.into()),
ClientResponsePayload::AuthResult(ProtoAuthResult::Success.into())
}
} }
} }
fn error_to_proto(error: auth::Error) -> ClientResponsePayload { fn error_to_proto(error: auth::Error) -> AuthResponsePayload {
ClientResponsePayload::AuthResult( AuthResponsePayload::Result(
match error { match error {
auth::Error::InvalidChallengeSolution => ProtoAuthResult::InvalidSignature, auth::Error::InvalidChallengeSolution => ProtoAuthResult::InvalidSignature,
auth::Error::ApproveError(auth::ApproveError::Denied) => { auth::Error::ApproveError(auth::ApproveError::Denied) => {
@@ -67,18 +74,20 @@ impl<'a> AuthTransportAdapter<'a> {
async fn send_client_response( async fn send_client_response(
&mut self, &mut self,
payload: ClientResponsePayload, payload: AuthResponsePayload,
) -> Result<(), TransportError> { ) -> Result<(), TransportError> {
self.bi self.bi
.send(Ok(ClientResponse { .send(Ok(ClientResponse {
request_id: Some(self.request_tracker.current_request_id()), request_id: Some(self.request_tracker.current_request_id()),
payload: Some(payload), payload: Some(ClientResponsePayload::Auth(proto_auth::Response {
payload: Some(payload),
})),
})) }))
.await .await
} }
async fn send_auth_result(&mut self, result: ProtoAuthResult) -> Result<(), TransportError> { async fn send_auth_result(&mut self, result: ProtoAuthResult) -> Result<(), TransportError> {
self.send_client_response(ClientResponsePayload::AuthResult(result.into())) self.send_client_response(AuthResponsePayload::Result(result.into()))
.await .await
} }
} }
@@ -117,9 +126,25 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
} }
}; };
let payload = request.payload?; let payload = request.payload?;
let ClientRequestPayload::Auth(auth_request) = payload else {
let _ = self
.bi
.send(Err(Status::invalid_argument(
"Unsupported client auth request",
)))
.await;
return None;
};
let Some(payload) = auth_request.payload else {
let _ = self
.bi
.send(Err(Status::invalid_argument("Missing client auth request payload")))
.await;
return None;
};
match payload { match payload {
ClientRequestPayload::AuthChallengeRequest(ProtoAuthChallengeRequest { AuthRequestPayload::ChallengeRequest(ProtoAuthChallengeRequest {
pubkey, pubkey,
client_info, client_info,
}) => { }) => {
@@ -143,7 +168,7 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
metadata: client_metadata_from_proto(client_info), metadata: client_metadata_from_proto(client_info),
}) })
} }
ClientRequestPayload::AuthChallengeSolution(ProtoAuthChallengeSolution { AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution {
signature, signature,
}) => { }) => {
let Ok(signature) = ed25519_dalek::Signature::try_from(signature.as_slice()) else { let Ok(signature) = ed25519_dalek::Signature::try_from(signature.as_slice()) else {
@@ -154,15 +179,6 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
}; };
Some(auth::Inbound::AuthChallengeSolution { signature }) Some(auth::Inbound::AuthChallengeSolution { signature })
} }
_ => {
let _ = self
.bi
.send(Err(Status::invalid_argument(
"Unsupported client auth request",
)))
.await;
None
}
} }
} }
} }

2
server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
View File

@@ -1,5 +1,4 @@
use arbiter_proto::proto::{ use arbiter_proto::proto::{
client::ClientInfo as ProtoClientMetadata,
user_agent::{ user_agent::{
sdk_client::{ sdk_client::{
self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel, self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
@@ -14,6 +13,7 @@ use arbiter_proto::proto::{
}, },
user_agent_response::Payload as UserAgentResponsePayload, user_agent_response::Payload as UserAgentResponsePayload,
}, },
shared::ClientInfo as ProtoClientMetadata,
}; };
use kameo::actor::ActorRef; use kameo::actor::ActorRef;
use tonic::Status; use tonic::Status;

3
server/crates/arbiter-server/src/grpc/user_agent/vault.rs
View File

@@ -1,7 +1,7 @@
use arbiter_proto::proto::user_agent::{ use arbiter_proto::proto::user_agent::{
user_agent_response::Payload as UserAgentResponsePayload, user_agent_response::Payload as UserAgentResponsePayload,
vault::{ vault::{
self as proto_vault, VaultState as ProtoVaultState, self as proto_vault,
bootstrap::{ bootstrap::{
self as proto_bootstrap, BootstrapEncryptedKey as ProtoBootstrapEncryptedKey, self as proto_bootstrap, BootstrapEncryptedKey as ProtoBootstrapEncryptedKey,
BootstrapResult as ProtoBootstrapResult, BootstrapResult as ProtoBootstrapResult,
@@ -16,6 +16,7 @@ use arbiter_proto::proto::user_agent::{
}, },
}, },
}; };
use arbiter_proto::proto::shared::VaultState as ProtoVaultState;
use kameo::{actor::ActorRef, error::SendError}; use kameo::{actor::ActorRef, error::SendError};
use tonic::Status; use tonic::Status;
use tracing::warn; use tracing::warn;