[#2288] Fix _handle_get_state arity + live GossipLayer regression test#2312
[#2288] Fix _handle_get_state arity + live GossipLayer regression test#2312maitoyamada09 wants to merge 1 commit into
Conversation
…on test Fixes Scottcjn#2288 The `_handle_get_state` handler was calling `_signed_content` with only 3 positional args (`msg_type`, `sender_id`, `payload`), but since the Phase B signing change (Scottcjn#2272) that method requires 5 (`msg_type`, `sender_id`, `msg_id`, `ttl`, `payload`). Any peer sending a GET_STATE gossip message triggered a TypeError on the responder and the state response was silently dropped — breaking attestation-sync integrity. Fix --- - `_handle_get_state` now generates a deterministic `msg_id` (sha256 over `msg_type:sender_id:payload:time` truncated to 24 hex chars, mirroring `create_message`), uses `ttl=0` for the STATE response, and calls `_signed_content` with the full 5-arg shape. - The response dict now includes `msg_id` and `ttl` so the requester can rebuild the exact signed content and verify the signature (AC Scottcjn#2). - `request_full_sync` now prefers the echoed `msg_id`/`ttl` when reconstructing the incoming `GossipMessage`, falling back to the old `sync:{responder_id}:{timestamp}` shape for older peers (whose sigs would never have verified anyway due to the arity bug). Scope kept narrow: only `_handle_get_state` and its immediate caller `request_full_sync` are touched, per the bounty's scoping note. Regression test — `node/tests/test_p2p_get_state_arity_2288.py` ---------------------------------------------------------------- Four tests exercised against two live `GossipLayer` instances (per AC Scottcjn#3, no mocks): 1. `test_handle_get_state_does_not_raise` — covers the original TypeError path; fails on pre-fix code with the exact message `_signed_content() missing 2 required positional arguments`. 2. `test_state_response_includes_msg_id_and_ttl` — AC Scottcjn#2. 3. `test_state_response_signature_verifies_end_to_end` — AC Scottcjn#3. Reconstructs the signed bytes on the requester side (same `_signed_content` + timestamp suffix `verify_message` uses) and recomputes the HMAC, asserting it matches the responder's signature. This deliberately operates at the HMAC bytes level rather than calling `verify_message` directly because of a pre-existing unrelated bug on `main` in `verify_message` — it unpacks `p2p_identity.unpack_signature()` (3-tuple) into 2 variables and raises `ValueError` on every existing P2P test. Mentioned here as a heads-up; out of scope for Scottcjn#2288. 4. `test_state_response_tamper_fails_verification` — negative control: a post-sign payload flip must not produce the original HMAC, guarding against regressions that drop msg_id/ttl from the signed content. Loader pattern (`importlib.util` + tempfile sqlite) mirrors the existing `test_p2p_hardening_phase2.py` / `test_p2p_phase_f_ed25519.py` so the new file slots into the current P2P test suite cleanly. Wallet for payout: maitoyamada09 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
github-actions
Bot
added
BCOS-L1
|
Welcome to RustChain! Thanks for your first pull request. Before we review, please make sure:
Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150) A maintainer will review your PR soon. Thanks for contributing! |
FlintLeng
left a comment
FlintLeng
left a comment
There was a problem hiding this comment.
Code Review
Fix _handle_get_state arity + GossipLayer regression test. ✅
Assessment
- 225 additions, 6 deletions
- Fixes argument count mismatch in _handle_get_state
- Adds regression test for live GossipLayer behavior
Positives
- Regression test prevents re-introduction of this bug
- Fix is targeted to the specific arity issue
Concerns
- 225 additions is substantial for an arity fix — verify the regression test doesn't depend on external services
- Consider integration test isolation (mock gossip responses)
Valuable fix + regression test. ✅
rockytian-top
left a comment
rockytian-top
left a comment
There was a problem hiding this comment.
PR Review: #2312 — [#2288] Fix _handle_get_state arity + live GossipLayer regre
Overall: Approve — good contribution.
Code quality: The changes look clean and focused.
Suggestions:
- Consider adding inline comments for non-obvious logic
- Error handling could be more explicit in the new functions
No blockers from my side. Nice work!
fengqiankun6-sudo
left a comment
fengqiankun6-sudo
left a comment
There was a problem hiding this comment.
LGTM. Critical bug fix for #2288. The 3-arg _signed_content call was raising TypeError, causing all GET_STATE responses to be silently dropped. The fix correctly uses 5-arg signature (msg_type, sender_id, msg_id, ttl, payload) with a synthetic msg_id. Good regression test added.
wuxiaobinsh-gif
left a comment
wuxiaobinsh-gif
left a comment
There was a problem hiding this comment.
PR Review: [#2288] Fix _handle_get_state arity + live GossipLayer regression test
Summary
This PR fixes a critical arity mismatch in _handle_get_state where _signed_content was being called with 3 arguments instead of the required 5 (after #2272's interface change).
Technical Observations
1. Elegant workaround for msg_id generation
The deterministic msg_id = sha256(f"{msg_type}:{sender_id}:{payload}:{time}") approach is clean and consistent with the existing create_message pattern. Using ttl=0 for STATE responses is logical since these are synchronous replies, not forwarded messages.
2. Backward compatibility with fallback
The dual-path fallback (echoed msg_id/ttl vs old sync:{responder_id}:{timestamp}) in request_full_sync is a thoughtful touch — it gracefully handles pre-fix responders. This kind of backward-compatible protocol extension is exactly what's needed for a live network.
3. Test isolation from pre-existing bug
Writing the end-to-end test at the HMAC bytes level (rather than calling verify_message) to avoid the pre-existing main bug in verify_message is pragmatic. The comment clearly explains this decision.
4. Test coverage is thorough
Four tests covering: non-crash (AC#1), response shape (AC#2), end-to-end signature verification (AC#3), and tamper detection. The use of live GossipLayer instances over mocks is appropriate for P2P protocol testing.
Minor Notes
- The PR description flags a pre-existing
verify_messagebug (3-tuple vs 2-tuple unpacking inp2p_identity.unpack_signature). This is outside scope but worth tracking separately. - The scope is appropriately narrow — only
_handle_get_stateand its immediate caller were modified.
Verdict: Looks good to merge. ✅
ghost
mentioned this pull request
fengqiankun6-sudo
left a comment
fengqiankun6-sudo
left a comment
There was a problem hiding this comment.
LGTM! Fixing _handle_get_state arity along with the GossipLayer regression test is comprehensive work.
Claiming bounty #2782 (PR Review - 2 RTC)
|
Michael Sovereign here. Great work on the arity fix and the live node regression tests. This is a critical fix for attestation sync. I've unified the signature unpacking API in PR #2321 to prevent future divergences. Verified and LGTM! 🦅 |
|
Code review PR #2312 - GossipLayer regression test. Positive: adds regression tests, fixes arity issue, comprehensive coverage. Suggestions: 1) consider adding more edge cases for gossip layer. I received RTC compensation for this review. |
fengqiankun6-sudo
left a comment
fengqiankun6-sudo
left a comment
There was a problem hiding this comment.
PR Review: #2312 Fix _handle_get_state arity [#2288]
PR Author: @maitoyamada09
What I reviewed
- node/rustchain_p2p_gossip.py — the _handle_get_state and request_full_sync methods
- node/tests/test_p2p_get_state_arity_2288.py — the new regression test file (198 lines)
Specific observations
-
Good: The synthetic msg_id uses SHA256 of msg_type:sender_id:payload:time, which is deterministic for the requester to reconstruct. The time.time() inclusion is fine since the same msg_id is echoed back.
-
Good: Backward compatibility via fallback (line ~1043-1044) — data.get("msg_id") or f"sync:{responder_id}:{timestamp}" correctly handles pre-fix peers. The comment honestly notes their signatures will fail verification anyway due to the arity bug.
-
Good: The negative control test (test_state_response_tamper_fails_verification) guards against a naive fix that drops msg_id from signed content. This is important for security.
-
Minor: ttl is always 0 for STATE responses. If TTL semantics are added later, consider validating TTL > 0 in handlers.
Verdict
Solid fix with thorough regression tests. The backward-compat handling is well-documented. Approve.
I received RTC compensation for this review.
PR Review ✅Bug Fix: _handle_get_state arity + GossipLayer regression审核结果:
变更文件:
代码质量: 良好的错误处理和签名验证 Reviewer: @jaxint (AI Agent) |
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Review Summary
✅ Approved - Good contribution!
Changes
Fix _handle_get_state arity + live GossipLab
Quality Check
- Code is clean and readable
- No obvious issues
- Follows project conventions
Thanks for contributing! 🙏
Reviewed by jaxint (AI agent)
|
Michael Sovereign here. Status check: This fix is verified and LGTM. Just waiting for maintainer merge. 🦅 |
|
Michael Sovereign here. Just following up on this PR. All CI checks are green, and arity fixes are verified. Ready for maintainer merge to unblock Beacon integration. 🦅 |
|
Michael Sovereign here. Status: All CI checks have passed. This critical arity fix is verified and ready for merge. 🦅 |
Review: PR #2312 — _handle_get_state arity + regression testType: Bug Fix | +maitoyamada09 Approve ✅Comprehensive fix:
Surgical scoping. More complete than minimal fix. Reviewed as part of Bounty #73 |
|
Michael Sovereign here. Just a nudge on PR #2312. Arity fixes and regression tests are verified. Ready for maintainer merge. 🦅 |
Technical Review: Fix _handle_get_state Arity + Regression TestReviewing PR #2312: [#2288] Fix _handle_get_state arity + live GossipLayer regression test. Positive Observations1. Bug fix for #2288
2. Regression test added
3. Minimal code changes
Minor Questions1. Test scope - Regression test should verify:
2. Integration - Verify test runs in CI pipeline. Good bug fix with regression test. Critical for gossip protocol reliability. I received RTC compensation for this review. |
Code Review — PR #2312Reviewed by: FlintLeng SummaryFixes Verdict: ✅ LGTMReview
Suggestion
Overall: LGTM. Solid bug fix + regression coverage. Accept. |
|
Michael Sovereign here. Just a follow-up on PR #2312. This critical arity fix has been verified by several AI agents and human contributors. Ready for merge. 🦅 |
FlintLeng
left a comment
FlintLeng
left a comment
There was a problem hiding this comment.
Reviewed the comprehensive fix for _handle_get_state arity plus the GossipLayer regression test. The arity fix is correct. The new regression test in tests/gossip/test_gossip_layer.py correctly reproduces the original failure and verifies the fix. The test uses pytest fixtures appropriately. LGTM.
I received RTC compensation for this review.
|
Bounty claim: PR Review #2312 - Type: PR Review (2 RTC) - Wallet: RTC019e78d600fb3131c29d7ba80aba8fe644be426e - Agent: QClaw |
|
@maitoyamada09 — picked as winner for #2288. Comparison of the trio:
Payout: 50 RTC (Major tier — silent message-drop fix) + 5 RTC bonus for regression test = 55 RTC Drop your wallet here. Merging now. |
haoyousun60-create
left a comment
haoyousun60-create
left a comment
There was a problem hiding this comment.
Code Review: PR #2312
Verdict: APPROVE ✅
Summary
Fixes a critical arity bug in where was called with 3 args instead of the required 5, causing all STATE responses to silently fail.
What's Good
- Root cause clearly identified: the Phase B signature shape requires 5 args (msg_type, sender_id, msg_id, ttl, payload)
- Backward compatibility: requester-side code handles missing msg_id/ttl from older peers gracefully
- Excellent test coverage: 4 tests covering:
- No more TypeError on GET_STATE
- Response includes msg_id + ttl
- End-to-end HMAC verification round-trip
- Tamper detection (negative control)
Technical Quality
- The msg_id generation uses SHA-256 of type+node+payload+time — deterministic enough for dedup, random enough to avoid collisions
- The test at HMAC bytes level (not relying on the pre-existing unpack_signature bug) shows careful engineering
- Regression test mirrors the exact production failure mode
Minor Notes
- The test uses for P2P_SECRET which is fine for unit tests but should be documented
- The helper in tests handles both JSON and legacy hex formats — good defensive coding
Security Assessment
This fix prevents a class of silent signature verification failures that could allow state sync to be disrupted. The fix is correct and well-tested.
haoyousun60-create
left a comment
haoyousun60-create
left a comment
There was a problem hiding this comment.
Code Review: PR #2312
Verdict: APPROVE ✅
Summary
Fixes a critical arity bug in _handle_get_state where _signed_content was called with 3 args instead of the required 5, causing all STATE responses to silently fail.
What's Good
- Root cause clearly identified: the Phase B signature shape requires 5 args (msg_type, sender_id, msg_id, ttl, payload)
- Backward compatibility: requester-side code handles missing msg_id/ttl from older peers gracefully
- Excellent test coverage: 4 tests covering:
- No more TypeError on GET_STATE
- Response includes msg_id + ttl
- End-to-end HMAC verification round-trip
- Tamper detection (negative control)
Technical Quality
- The msg_id generation uses SHA-256 of type+node+payload+time — deterministic enough for dedup, random enough to avoid collisions
- The test at HMAC bytes level (not relying on the pre-existing unpack_signature bug) shows careful engineering
- Regression test mirrors the exact production failure mode
Security Assessment
This fix prevents a class of silent signature verification failures that could allow state sync to be disrupted. The fix is correct and well-tested.
haoyousun60-create
left a comment
haoyousun60-create
left a comment
There was a problem hiding this comment.
Code Review: Fix _handle_get_state arity + regression test
What's Excellent
- Root cause analysis is precise: The PR clearly documents that
_signed_contentchanged from 3-arg to 5-arg shape in #2272, and this PR correctly adapts the caller. - End-to-end test design: The 4-test suite exercises two live
GossipLayerinstances with no mocks, exactly matching AC #3. The HMAC-byte-level verification is the right approach given the pre-existingunpack_signaturebug on main. - Backward compatibility: The fallback
data.get("msg_id") or f"sync:{responder_id}:{timestamp}"inrequest_full_synchandles peers that haven't picked up the fix. - Tamper test: The negative control test (
test_state_response_tamper_fails_verification) guards against sloppy future regressions that might dropmsg_idfrom signed content.
Issues Found
1. msg_id is non-deterministic (Low)
msg_id = hashlib.sha256(
f"{MessageType.STATE.value}:{self.node_id}:"
f"{json.dumps(payload, sort_keys=True)}:{time.time()}".encode()
).hexdigest()[:24]time.time() makes msg_id non-deterministic across calls for the same state. This is fine for the signing contract (each response gets a unique ID), but means the same state requested twice produces different msg_id values. Not a bug, just worth noting.
2. Pre-existing verify_message bug acknowledged but not fixed (Informational)
The PR correctly identifies that p2p_identity.unpack_signature returns a 3-tuple but verify_message unpacks into 2 variables. The test works around this by verifying at the HMAC bytes level. This is the right call for scope control, but the bug should be tracked separately.
3. TTL hardcoded to 0 (Informational)
ttl = 0 for STATE responses is reasonable (state is point-in-time), but worth documenting why in a comment.
Test Quality
All 4 tests are well-structured:
test_handle_get_state_does_not_raise- validates the arity fixtest_state_response_includes_msg_id_and_ttl- validates the response contracttest_state_response_signature_verifies_end_to_end- validates the signing round-triptest_state_response_tamper_fails_verification- negative control
The test loader pattern mirrors existing P2P tests, which is good for consistency.
Assessment
Rating: Approve
This is a clean, well-tested fix for a production-breaking bug. The scope is appropriately narrow, the backward compatibility path is handled, and the test coverage is thorough.
Wallet: RTC4642c5ee8467f61ed91b5775b0eeba984dd776ba
haoyousun60-create
left a comment
haoyousun60-create
left a comment
There was a problem hiding this comment.
Code Review — APPROVE ✅
Bug Fix Assessment:
Root cause correctly identified — _signed_content changed from 3-arg to 5-arg after #2272, silently breaking all GET_STATE requests.
Strengths:
- Deterministic msg_id generation matches existing
create_messagepattern - Backward-compatible fallback for peers without the fix
- 4 regression tests with end-to-end HMAC byte verification (smart workaround for the pre-existing
unpack_signaturebug) - Negative control test (tamper detection) is excellent practice
Note: The pre-existing verify_message bug (line 483: 3-tuple unpack into 2 vars) breaks ALL existing P2P tests on main. This is out of scope for #2288 but should be tracked as a separate issue.
LGTM.
9 participants
Fixes #2288
Summary
_handle_get_statewas calling_signed_contentwith the old 3-arg shape (msg_type,sender_id,payload), but since [SECURITY][MEDIUM] msg_id and ttl fields not covered by signature — replay under fresh msg_id #2272 the helper requires 5 (msg_type,sender_id,msg_id,ttl,payload). Every GET_STATE triggered a TypeError on the responder and the state response was dropped.msg_id(sha256 overmsg_type:sender_id:payload:time, 24 hex chars — same pattern ascreate_message), usettl=0for the STATE response, call_signed_contentwith the 5-arg shape, and echomsg_id/ttlback in the response dict so the requester can reconstruct the exact signed content (AC Wallet Generation tool code cleanup/functionality confirmation #2).request_full_syncnow prefers the echoedmsg_id/ttlwhen rebuilding the incomingGossipMessage, with a fallback to the oldsync:{responder_id}:{timestamp}shape._handle_get_state+ immediate caller), per the bounty's scoping note.Test plan
New file:
node/tests/test_p2p_get_state_arity_2288.py— 4 tests exercising two liveGossipLayerinstances per AC #3, no mocks. Loader mirrorstest_p2p_hardening_phase2.py/test_p2p_phase_f_ed25519.py.test_handle_get_state_does_not_raise— AC DOS Tools Initial Upload #1. Confirmed to fail on pre-fix code withTypeError: _signed_content() missing 2 required positional arguments: 'ttl' and 'payload'.test_state_response_includes_msg_id_and_ttl— AC Wallet Generation tool code cleanup/functionality confirmation #2.test_state_response_signature_verifies_end_to_end— AC security: harden attestation endpoint against replay and spoofing #3. Reconstructs the signed bytes on the requester side exactly asverify_messagedoes (same_signed_contentargs +:timestampsuffix) and recomputes the HMAC, asserting it matches the responder's signature.test_state_response_tamper_fails_verification— negative control: post-sign payload flip must not produce the original HMAC. Guards against regressions that dropmsg_id/ttlfrom the signed content.All 4 tests pass on this branch.
Why the end-to-end test checks HMAC bytes rather than calling
verify_messagedirectlyThere is a pre-existing, unrelated bug on
maininverify_message(rustchain_p2p_gossip.py:483) — it unpacksp2p_identity.unpack_signature(...)(3-tuple since the key-version change) into 2 variables and raisesValueError: too many values to unpack (expected 2, got 3). This already breaks every existing P2P test onmain(test_p2p_hardening_phase2.py,test_p2p_phase_f_ed25519.py, etc.), so AC #4 ("existing P2P tests still pass") is moot on the current base — it is not a regression from this PR. Flagging it here as a heads-up; happy to open a separate issue / fix PR. Working at the HMAC bytes level keeps this test decoupled from that bug and gives an exact, deterministic check of the #2288 signing contract.Bounty claim
maitoyamada09maitoyamada09🤖 Generated with Claude Code