[DO NOT MERGE] Command peer connections from runtime

Cargo.toml

@@ -88,6 +88,7 @@ members = [
 	"frame/metadata",
 	"frame/multisig",
 	"frame/nicks",
+	"frame/node-authorization",
 	"frame/offences",
 	"frame/proxy",
 	"frame/randomness-collective-flip",

bin/node/runtime/src/lib.rs

@@ -109,7 +109,7 @@ pub const VERSION: RuntimeVersion = RuntimeVersion {
 	// and set impl_version to 0. If only runtime
 	// implementation changes and behavior does not, then leave spec_version as
 	// is and increment impl_version.
-	spec_version: 257,
+	spec_version: 258,
 	impl_version: 0,
 	apis: RUNTIME_API_VERSIONS,
 	transaction_version: 1,

client/network/src/service.rs

@@ -889,6 +889,12 @@ impl<B: BlockT + 'static, H: ExHashT> NetworkService<B, H> {
 		Ok(())
 	}
 
+	/// Sets reserved peers to the new peers
+	pub fn set_reserved_peers(&self, peer_ids: HashSet<PeerId>, reserved_only: bool) {
+		self.peerset.set_reserved_peers(peer_ids);
+		self.peerset.set_reserved_only(reserved_only);
+	}
+
 	/// Configure an explicit fork sync request.
 	/// Note that this function should not be used for recent blocks.
 	/// Sync should be able to download all the recent forks normally.

client/peerset/src/lib.rs

@@ -45,6 +45,7 @@ const FORGET_AFTER: Duration = Duration::from_secs(3600);
 enum Action {
 	AddReservedPeer(PeerId),
 	RemoveReservedPeer(PeerId),
+	SetReservedPeers(HashSet<PeerId>),
 	SetReservedOnly(bool),
 	ReportPeer(PeerId, ReputationChange),
 	SetPriorityGroup(String, HashSet<PeerId>),
@@ -98,6 +99,11 @@ impl PeersetHandle {
 		let _ = self.tx.unbounded_send(Action::RemoveReservedPeer(peer_id));
 	}
 
+	/// Set reserved peers to the new peers.
+	pub fn set_reserved_peers(&self, peer_ids: HashSet<PeerId>) {
+		let _ = self.tx.unbounded_send(Action::SetReservedPeers(peer_ids));
+	}
+
 	/// Sets whether or not the peerset only has connections .
 	pub fn set_reserved_only(&self, reserved: bool) {
 		let _ = self.tx.unbounded_send(Action::SetReservedOnly(reserved));
@@ -247,6 +253,10 @@ impl Peerset {
 		self.on_remove_from_priority_group(RESERVED_NODES, peer_id);
 	}
 
+	fn on_set_reserved_peers(&mut self, peer_ids: HashSet<PeerId>) {
+		self.on_set_priority_group(RESERVED_NODES, peer_ids);
+	}
+
 	fn on_set_reserved_only(&mut self, reserved_only: bool) {
 		self.reserved_only = reserved_only;
 
@@ -655,6 +665,8 @@ impl Stream for Peerset {
 					self.on_add_reserved_peer(peer_id),
 				Action::RemoveReservedPeer(peer_id) =>
 					self.on_remove_reserved_peer(peer_id),
+				Action::SetReservedPeers(peer_ids) =>
+					self.on_set_reserved_peers(peer_ids),
 				Action::SetReservedOnly(reserved) =>
 					self.on_set_reserved_only(reserved),
 				Action::ReportPeer(peer_id, score_diff) =>

client/service/src/builder.rs

@@ -56,7 +56,7 @@ use sp_core::traits::{CodeExecutor, SpawnNamed};
 use sp_runtime::BuildStorage;
 use sc_client_api::{
 	BlockBackend, BlockchainEvents,
-	backend::StorageProvider,
+	backend::{StorageProvider, Backend as BackendT},
 	proof_provider::ProofProvider,
 	execution_extensions::ExecutionExtensions
 };
@@ -815,7 +815,7 @@ pub struct BuildNetworkParams<'a, TBl: BlockT, TExPool, TImpQu, TCl> {
 }
 
 /// Build the network service, the network status sinks and an RPC sender.
-pub fn build_network<TBl, TExPool, TImpQu, TCl>(
+pub fn build_network<TBl, TBE, TExPool, TImpQu, TCl>(
 	params: BuildNetworkParams<TBl, TExPool, TImpQu, TCl>
 ) -> Result<
 	(
@@ -828,9 +828,10 @@ pub fn build_network<TBl, TExPool, TImpQu, TCl>(
 >
 	where
 		TBl: BlockT,
+		TBE: BackendT<TBl> + 'static,
 		TCl: ProvideRuntimeApi<TBl> + HeaderMetadata<TBl, Error=sp_blockchain::Error> + Chain<TBl> +
 		BlockBackend<TBl> + BlockIdTo<TBl, Error=sp_blockchain::Error> + ProofProvider<TBl> +
-		HeaderBackend<TBl> + BlockchainEvents<TBl> + 'static,
+		HeaderBackend<TBl> + BlockchainEvents<TBl> + StorageProvider<TBl, TBE> + 'static,
 		TExPool: MaintainedTransactionPool<Block=TBl, Hash = <TBl as BlockT>::Hash> + 'static,
 		TImpQu: ImportQueue<TBl> + 'static,
 {

client/service/src/lib.rs

@@ -36,19 +36,28 @@ mod task_manager;
 
 use std::{io, pin::Pin};
 use std::net::SocketAddr;
-use std::collections::HashMap;
+use std::collections::{HashMap, HashSet};
 use std::time::Duration;
 use std::task::Poll;
+use sc_network::config::identity::{
+	ed25519::PublicKey as Ed25519PublicKey,
+	PublicKey
+};
 use parking_lot::Mutex;
 
 use futures::{Future, FutureExt, Stream, StreamExt, stream, compat::*};
 use sc_network::{NetworkStatus, network_state::NetworkState, PeerId};
 use log::{warn, debug, error};
-use codec::{Encode, Decode};
+use codec::{Encode, Decode, DecodeAll};
 use sp_runtime::generic::BlockId;
 use sp_runtime::traits::{Block as BlockT, Header as HeaderT};
 use parity_util_mem::MallocSizeOf;
 use sp_utils::{status_sinks, mpsc::{tracing_unbounded, TracingUnboundedReceiver,  TracingUnboundedSender}};
+use sp_core::storage::{StorageKey, well_known_keys};
+use sp_core::NodePublicKey;
+use sc_client_api::backend::{Backend as BackendT, StorageProvider};
+use sc_client_api::blockchain::HeaderBackend;
+use sc_client_api::BlockchainEvents;
 
 pub use self::error::Error;
 pub use self::builder::{
@@ -80,7 +89,6 @@ pub use sc_tracing::TracingReceiver;
 pub use task_manager::SpawnTaskHandle;
 pub use task_manager::TaskManager;
 pub use sp_consensus::import_queue::ImportQueue;
-use sc_client_api::BlockchainEvents;
 pub use sc_keystore::KeyStorePtr as KeyStore;
 
 const DEFAULT_PROTOCOL_ID: &str = "sup";
@@ -186,7 +194,8 @@ pub struct PartialComponents<Client, Backend, SelectChain, ImportQueue, Transact
 /// The `status_sink` contain a list of senders to send a periodic network status to.
 async fn build_network_future<
 	B: BlockT,
-	C: BlockchainEvents<B>,
+	BE: BackendT<B>,
+	C: BlockchainEvents<B> + StorageProvider<B, BE> + HeaderBackend<B>,
 	H: sc_network::ExHashT
 > (
 	role: Role,
@@ -197,6 +206,8 @@ async fn build_network_future<
 	should_have_peers: bool,
 	announce_imported_blocks: bool,
 ) {
+	check_node_allow_list(&network, &client);
+
 	let mut imported_blocks_stream = client.import_notification_stream().fuse();
 
 	// Stream of finalized blocks reported by the client.
@@ -239,6 +250,8 @@ async fn build_network_future<
 						notification.header.number().clone(),
 					);
 				}
+
+				check_node_allow_list(&network, &client);
 			}
 
 			// List of blocks that the client has finalized.
@@ -338,6 +351,42 @@ async fn build_network_future<
 	}
 }
 
+/// Set storage `NODE_ALLOW_LIST` means it's a permissioned network,
+/// then only connect to these well known peers.
+fn check_node_allow_list<
+	B: BlockT,
+	BE: BackendT<B>,
+	C: BlockchainEvents<B> + StorageProvider<B, BE> + HeaderBackend<B>,
+	H: sc_network::ExHashT
+> (
+	network: &sc_network::NetworkWorker<B, H>,
+	client: &Arc<C>,
+) {
+	let id = BlockId::hash(client.info().best_hash);
+	let allow_list_storage = client.storage(&id, &StorageKey(well_known_keys::NODE_ALLOW_LIST.to_vec()));
+	if let Ok(Some(raw_allow_list)) = allow_list_storage {
+		let node_allow_list = Vec::<NodePublicKey>::decode_all(&mut &raw_allow_list.0[..]);
+
+		if let Ok(node_allow_list) = node_allow_list {
+			let mut peer_ids: HashSet<PeerId> = node_allow_list.iter()
+				.filter_map(|node_public_key| {
+					match node_public_key {
+						NodePublicKey::Ed25519(pubkey) => Ed25519PublicKey::decode(&pubkey.0).ok()
+					}
+				})
+				.map(|pubkey| PublicKey::Ed25519(pubkey).into_peer_id())
+				.collect();
+			peer_ids.remove(network.local_peer_id());
+
+			// Set only reserved peers are allowed to connect.
+			network.service().set_reserved_peers(peer_ids, true);
+		}
+	} else {
+		// Note that the situation where the storage entry previously existed but no longer
+		// does isn't handled at the moment.
+	}
+}
+
 #[cfg(not(target_os = "unknown"))]
 // Wrapper for HTTP and WS servers that makes sure they are properly shut down.
 mod waiting {
@@ -488,9 +537,9 @@ where
 impl<B, H, C, Pool, E> sc_network::config::TransactionPool<H, B> for
 	TransactionPoolAdapter<C, Pool>
 where
+	B: BlockT,
 	C: sc_network::config::Client<B> + Send + Sync,
 	Pool: 'static + TransactionPool<Block=B, Hash=H, Error=E>,
-	B: BlockT,
 	H: std::hash::Hash + Eq + sp_runtime::traits::Member + sp_runtime::traits::MaybeSerialize,
 	E: 'static + IntoPoolError + From<sp_transaction_pool::error::Error>,
 {

frame/node-authorization/Cargo.toml

@@ -0,0 +1,38 @@
+[package]
+name = "pallet-node-authorization"
+version = "2.0.0-rc6"
+authors = ["Parity Technologies <admin@parity.io>"]
+edition = "2018"
+license = "Apache-2.0"
+homepage = "https://substrate.dev"
+repository = "https://github.com/paritytech/substrate/"
+description = "FRAME pallet for node authorization"
+
+[package.metadata.docs.rs]
+targets = ["x86_64-unknown-linux-gnu"]
+
+[dependencies]
+serde = { version = "1.0.101", optional = true }
+codec = { package = "parity-scale-codec", version = "1.3.4", default-features = false, features = ["derive"] }
+frame-support = { version = "2.0.0-rc6", default-features = false, path = "../support" }
+frame-system = { version = "2.0.0-rc6", default-features = false, path = "../system" }
+sp-core = { version = "2.0.0-rc6", default-features = false, path = "../../primitives/core" }
+sp-io = { version = "2.0.0-rc6", default-features = false, path = "../../primitives/io" }
+sp-runtime = { version = "2.0.0-rc6", default-features = false, path = "../../primitives/runtime" }
+sp-std = { version = "2.0.0-rc6", default-features = false, path = "../../primitives/std" }
+
+[dev-dependencies]
+hex-literal = "0.2.1"
+
+[features]
+default = ["std"]
+std = [
+	"serde",
+	"codec/std",
+	"frame-support/std",
+	"frame-system/std",
+	"sp-core/std",
+	"sp-io/std",
+	"sp-runtime/std",
+	"sp-std/std",
+]