Adds Proof of Possession for Node Staking Keys (#457)

* add POP changes to a new branch

* remove outdated todo comment

* include old register node transaction for backwards compatibility

* update SCO.17 name

* fix test helper

* fix another helper issue

---------

Co-authored-by: Tarak Ben youssef <[email protected]>

Author: joshuahannan

contracts/FlowIDTableStaking.cdc

@@ -122,8 +122,6 @@ access(all) contract FlowIDTableStaking {
         access(all) var networkingKey: String
         access(all) var stakingKey: String
 
-        /// TODO: Proof of Possession (PoP) of the staking private key
-
         /// The total tokens that only this node currently has staked, not including delegators
         /// This value must always be above the minimum requirement to stay staked or accept delegators
         access(mapping Identity) var tokensStaked: @FlowToken.Vault
@@ -160,6 +158,7 @@ access(all) contract FlowIDTableStaking {
             networkingAddress: String,
             networkingKey: String,
             stakingKey: String,
+            stakingKeyPoP: String,
             tokensCommitted: @{FungibleToken.Vault}
         ) {
             pre {
@@ -180,13 +179,20 @@ access(all) contract FlowIDTableStaking {
                 signatureAlgorithm: SignatureAlgorithm.BLS_BLS12_381
             )
 
+            // Verify the proof of possesion of the private staking key
+            assert(
+                stakeKey.verifyPoP(stakingKeyPoP.decodeHex()),
+                message: 
+                    "FlowIDTableStaking.NodeRecord.init: Cannot create node with ID "
+                    .concat(id).concat(". The Proof of Possession (").concat(stakingKeyPoP)
+                    .concat(") for the node's staking key (").concat(") is invalid")
+            )
+
             let netKey = PublicKey(
                 publicKey: networkingKey.decodeHex(),
                 signatureAlgorithm: SignatureAlgorithm.ECDSA_P256
             )
 
-            // TODO: Verify the provided Proof of Possession of the staking private key
-
             self.id = id
             self.role = role
             self.networkingAddress = networkingAddress
@@ -1560,6 +1566,7 @@ access(all) contract FlowIDTableStaking {
                           networkingAddress: String,
                           networkingKey: String,
                           stakingKey: String,
+                          stakingKeyPoP: String,
                           tokensCommitted: @{FungibleToken.Vault}): @NodeStaker
     {
         assert (
@@ -1572,6 +1579,7 @@ access(all) contract FlowIDTableStaking {
                                          networkingAddress: networkingAddress,
                                          networkingKey: networkingKey,
                                          stakingKey: stakingKey,
+                                         stakingKeyPoP: stakingKeyPoP,
                                          tokensCommitted: <-FlowToken.createEmptyVault(vaultType: Type<@FlowToken.Vault>()))
 
         let minimum = self.minimumStakeRequired[role]!

contracts/FlowStakingCollection.cdc

@@ -473,6 +473,7 @@ access(all) contract FlowStakingCollection {
             networkingAddress: String,
             networkingKey: String,
             stakingKey: String,
+            stakingKeyPoP: String,
             amount: UFix64,
             payer: auth(BorrowValue) &Account
         ): auth(Storage, Capabilities, Contracts, Keys, Inbox) &Account? {
@@ -485,6 +486,7 @@ access(all) contract FlowStakingCollection {
                 networkingAddress: networkingAddress,
                 networkingKey: networkingKey,
                 stakingKey: stakingKey,
+                stakingKeyPoP: stakingKeyPoP,
                 tokensCommitted: <-tokens
             )
 

contracts/LockedTokens.cdc

@@ -203,7 +203,10 @@ access(all) contract LockedTokens {
 
         /// Registers a new node operator with the Flow Staking contract
         /// and commits an initial amount of locked tokens to stake
-        access(account) fun registerNode(nodeInfo: StakingProxy.NodeInfo, amount: UFix64) {
+        access(account) fun registerNode(nodeInfo: StakingProxy.NodeInfo,
+                                         stakingKeyPoP: String,
+                                         amount: UFix64
+        ) {
             if let nodeStaker <- self.nodeStaker <- nil {
                 let stakingInfo = FlowIDTableStaking.NodeInfo(nodeID: nodeStaker.id)
 
@@ -219,7 +222,13 @@ access(all) contract LockedTokens {
 
             let tokens <- vaultRef.withdraw(amount: amount)
 
-            let nodeStaker <- self.nodeStaker <- FlowIDTableStaking.addNodeRecord(id: nodeInfo.id, role: nodeInfo.role, networkingAddress: nodeInfo.networkingAddress, networkingKey: nodeInfo.networkingKey, stakingKey: nodeInfo.stakingKey, tokensCommitted: <-tokens)
+            let nodeStaker <- self.nodeStaker <- FlowIDTableStaking.addNodeRecord(id: nodeInfo.id,
+                                                    role: nodeInfo.role,
+                                                    networkingAddress: nodeInfo.networkingAddress,
+                                                    networkingKey: nodeInfo.networkingKey,
+                                                    stakingKey: nodeInfo.stakingKey,
+                                                    stakingKeyPoP: stakingKeyPoP,
+                                                    tokensCommitted: <-tokens)
 
             destroy nodeStaker
 
@@ -400,9 +409,9 @@ access(all) contract LockedTokens {
 
         /// The user calls this function if they want to register as a node operator
         /// They have to provide all the info for their node
-        access(TokenOperations) fun createNodeStaker(nodeInfo: StakingProxy.NodeInfo, amount: UFix64) {
+        access(TokenOperations) fun createNodeStaker(nodeInfo: StakingProxy.NodeInfo, stakingKeyPoP: String, amount: UFix64) {
 
-            self.borrowTokenManager().registerNode(nodeInfo: nodeInfo, amount: amount)
+            self.borrowTokenManager().registerNode(nodeInfo: nodeInfo, stakingKeyPoP: stakingKeyPoP, amount: amount)
 
             // Create a new staker proxy that can be accessed in transactions
             self.nodeStakerProxy = LockedNodeStakerProxy(tokenManager: self.tokenManager)

contracts/testContracts/TestFlowIDTableStaking.cdc

@@ -253,6 +253,7 @@ access(all) contract FlowIDTableStaking {
         networkingAddress: String,
         networkingKey: String,
         stakingKey: String,
+        stakingKeyPoP: String,
         tokensCommitted: @{FungibleToken.Vault}
     ): @NodeStaker {
         destroy tokensCommitted

lib/go/contracts/internal/assets/assets.go

@@ -128,7 +128,11 @@ func generateManifest(env templates.Environment) *manifest {
 	}
 
 	sampleStakingKey := cadenceValue{
-		cadence.String("9e9ae0d645fd5fd9050792e0b0daa82cc1686d9133afa0f81a784b375c42ae48567d1545e7a9e1965f2c1a32f73cf8575ebb7a967f6e4d104d2df78eb8be409135d12da0499b8a00771f642c1b9c49397f22b440439f036c3bdee82f5309dab3"),
+		cadence.String("8dec36ed8a91e3e5d737b06434d94a8a561c7889495d6c7081cd5e123a42124415b9391c9b9aa165c2f71994bf9607cb0ea262ad162fec74146d1ebc482a33b9dad203d16a83bbfda89b3f6e1cd1d8fb2e704a162d259a0ac9f26bc8635d74f6"),
+	}
+
+	sampleStakingKeyPoP := cadenceValue{
+		cadence.String("828a68a2be392804044d85888100462702a422901da3269fb6512defabad07250aad24f232671e4ac8ae531f54e062fc"),
 	}
 
 	sampleNullOptional := cadenceValue{
@@ -436,7 +440,7 @@ func generateManifest(env templates.Environment) *manifest {
 	m.addTemplate(generateTemplate(
 		"SCO.03", "Register Node",
 		env,
-		templates.GenerateCollectionRegisterNode,
+		templates.GenerateCollectionRegisterNodeOld,
 		[]argument{
 			{
 				Type:         "String",
@@ -824,6 +828,74 @@ func generateManifest(env templates.Environment) *manifest {
 		},
 	))
 
+	m.addTemplate(generateTemplate(
+		"SCO.17", "Register Node",
+		env,
+		templates.GenerateCollectionRegisterNode,
+		[]argument{
+			{
+				Type:         "String",
+				Name:         "id",
+				Label:        "Node ID",
+				SampleValues: []cadenceValue{sampleNodeID},
+			},
+			{
+				Type:         "UInt8",
+				Name:         "role",
+				Label:        "Node Role",
+				SampleValues: []cadenceValue{sampleNodeRole},
+			},
+			{
+				Type:         "String",
+				Name:         "networkingAddress",
+				Label:        "Networking Address",
+				SampleValues: []cadenceValue{sampleNetworkingAddress},
+			},
+			{
+				Type:         "String",
+				Name:         "networkingKey",
+				Label:        "Networking Key",
+				SampleValues: []cadenceValue{sampleNetworkingKey},
+			},
+			{
+				Type:         "String",
+				Name:         "stakingKey",
+				Label:        "Staking Key",
+				SampleValues: []cadenceValue{sampleStakingKey},
+			},
+			{
+				Type:         "String",
+				Name:         "stakingKeyPoP",
+				Label:        "Staking Key PoP",
+				SampleValues: []cadenceValue{sampleStakingKeyPoP},
+			},
+			{
+				Type:         "UFix64",
+				Name:         "amount",
+				Label:        "Amount",
+				SampleValues: []cadenceValue{sampleAmount},
+			},
+			{
+				Type:         "String",
+				Name:         "machineAccountKey",
+				Label:        "Machine Account Public Key",
+				SampleValues: []cadenceValue{sampleKey},
+			},
+			{
+				Type:         "UInt8",
+				Name:         "machineAccountKeySignatureAlgorithm",
+				Label:        "Raw Value for Machine Account Signature Algorithm Enum",
+				SampleValues: []cadenceValue{sampleSigAlgoEnumRawValue},
+			},
+			{
+				Type:         "UInt8",
+				Name:         "machineAccountKeyHashAlgorithm",
+				Label:        "Raw Value for Machine Account Hash Algorithm Enum",
+				SampleValues: []cadenceValue{sampleHashAlgoEnumRawValue},
+			},
+		},
+	))
+
 	return m
 }