feat(kms-connector): decryption acl check (#1845)

* feat(kms-connector): acl check for decryption (#1829)

* feat(kms-connector): acl check for decryption

* chore(kms-connector): update tests for acl check

* chore(charts): support kms-connector acl check

* chore(test-suite): add connector host chains config

* chore(kms-connector): parametrized unit tests

* feat(kms-connector): fetch use decryption calldata

* fix(kms-connector): user decrypt acl check

* fix(kms-connector): review fix

* chore(test-suite): use acl kms-connector (#1844)

* chore(kms-connector): add more acl tests (#1841)

Author: eudelins-zama

charts/kms-connector/Chart.yaml

@@ -1,6 +1,6 @@
 name: kms-connector
 description: A helm chart to distribute and deploy the Zama KMS Connector services
-version: 1.3.1
+version: 1.4.0
 apiVersion: v2
 keywords:
   - fhevm

charts/kms-connector/README.md

@@ -30,8 +30,8 @@ The following table lists the configurable parameters of the `kms-connector` cha
 | Parameter                                     | Description                                               | Default                                                                                                                                                           |
 | --------------------------------------------- |-----------------------------------------------------------| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `commonConfig.databaseUrl`                    | The database URL.                                         | `postgresql://$(DATABASE_USERNAME):$(DATABASE_PASSWORD)@$(DATABASE_ENDPOINT)/connector`                                                                            |
-| `commonConfig.gatewayUrl`                     | The gateway URL.                                          | `ws://gateway-anvil-node:8546`                                                                                                                                    |
-| `commonConfig.chainId`                        | The chain ID.                                             | `54321`                                                                                                                                                           |
+| `commonConfig.gatewayUrl`                     | The gateway URL.                                          | `http://gateway-node:8546`                                                                                                                                    |
+| `commonConfig.gatewayChainId`                 | The gateway chain ID.                                     | `54321`                                                                                                                                                           |
 | `commonConfig.gatewayContractAddresses`       | The contract addresses for the gateway.                   | `{}`                                                                                                                                                              |
 | `commonConfig.tracing.enabled`                | If `true`, enable tracing for all components.             | `false`                                                                                                                                                           |
 | `commonConfig.tracing.endpoint`               | The OpenTelemetry collector endpoint.                     | `http://otel-deployment-opentelemetry-collector.observability.svc.cluster.local:4317`                                                                             |

charts/kms-connector/templates/kms-connector-gw-listener-deployment.yaml

@@ -59,9 +59,9 @@ spec:
             - name: KMS_CONNECTOR_DATABASE_URL
               value: {{ .Values.commonConfig.databaseUrl | quote }}
             - name: KMS_CONNECTOR_GATEWAY_URL
-              value: {{ default .Values.commonConfig.gatewayUrl .Values.kmsConnectorGwListener.config.gatewayUrl | quote }}
-            - name: KMS_CONNECTOR_CHAIN_ID
-              value: {{ .Values.commonConfig.chainId | quote }}
+              value: {{ default .Values.commonConfig.gatewayUrl (.Values.kmsConnectorGwListener.config).gatewayUrl | quote }}
+            - name: KMS_CONNECTOR_GATEWAY_CHAIN_ID
+              value: {{ .Values.commonConfig.gatewayChainId | quote }}
             - name: KMS_CONNECTOR_DECRYPTION_CONTRACT__ADDRESS
               value: {{ .Values.commonConfig.gatewayContractAddresses.decryption | quote }}
             - name: KMS_CONNECTOR_GATEWAY_CONFIG_CONTRACT__ADDRESS

charts/kms-connector/templates/kms-connector-kms-worker-deployment.yaml

@@ -59,9 +59,9 @@ spec:
             - name: KMS_CONNECTOR_DATABASE_URL
               value: {{ .Values.commonConfig.databaseUrl | quote }}
             - name: KMS_CONNECTOR_GATEWAY_URL
-              value: {{ default .Values.commonConfig.gatewayUrl .Values.kmsConnectorKmsWorker.config.gatewayUrl | quote }}
-            - name: KMS_CONNECTOR_CHAIN_ID
-              value: {{ .Values.commonConfig.chainId | quote }}
+              value: {{ default .Values.commonConfig.gatewayUrl (.Values.kmsConnectorKmsWorker.config).gatewayUrl | quote }}
+            - name: KMS_CONNECTOR_GATEWAY_CHAIN_ID
+              value: {{ .Values.commonConfig.gatewayChainId | quote }}
             - name: KMS_CONNECTOR_DECRYPTION_CONTRACT__ADDRESS
               value: {{ .Values.commonConfig.gatewayContractAddresses.decryption | quote }}
             - name: KMS_CONNECTOR_GATEWAY_CONFIG_CONTRACT__ADDRESS
@@ -78,6 +78,8 @@ spec:
           {{- end }}
             - name: KMS_CONNECTOR_KMS_CORE_ENDPOINTS
               value: {{ .Values.kmsConnectorKmsWorker.config.kmsCoreEndpoints | quote }}
+            - name: KMS_CONNECTOR_HOST_CHAINS
+              value: {{ toJson (.Values.kmsConnectorKmsWorker.config.hostChains) | quote }}
           ports:
             {{- range $portName, $portValue := .Values.kmsConnectorKmsWorker.ports }}
             - name: {{ $portName }}

charts/kms-connector/templates/kms-connector-tx-sender-deployment.yaml

@@ -59,9 +59,9 @@ spec:
             - name: KMS_CONNECTOR_DATABASE_URL
               value: {{ .Values.commonConfig.databaseUrl | quote }}
             - name: KMS_CONNECTOR_GATEWAY_URL
-              value: {{ default .Values.commonConfig.gatewayUrl .Values.kmsConnectorTxSender.config.gatewayUrl | quote }}
-            - name: KMS_CONNECTOR_CHAIN_ID
-              value: {{ .Values.commonConfig.chainId | quote }}
+              value: {{ default .Values.commonConfig.gatewayUrl (.Values.kmsConnectorTxSender.config).gatewayUrl | quote }}
+            - name: KMS_CONNECTOR_GATEWAY_CHAIN_ID
+              value: {{ .Values.commonConfig.gatewayChainId | quote }}
             - name: KMS_CONNECTOR_DECRYPTION_CONTRACT__ADDRESS
               value: {{ .Values.commonConfig.gatewayContractAddresses.decryption | quote }}
             - name: KMS_CONNECTOR_GATEWAY_CONFIG_CONTRACT__ADDRESS

charts/kms-connector/values.yaml

@@ -15,21 +15,18 @@
 # Shared configuration across all KMS connector components
 commonConfig:
   # Database connection string
-  databaseUrl: "postgresql://$(DATABASE_USERNAME):$(DATABASE_PASSWORD)@$(DATABASE_ENDPOINT)/connector"
+  databaseUrl: "postgresql://$(DATABASE_ENDPOINT)/connector"
 
-  # Gateway WebSocket endpoint
-  gatewayUrl: "ws://gateway-anvil-node:8546"
+  # Gateway chain RPC node endpoint (HTTP)
+  gatewayUrl: "http://gateway-node:8546"
 
   # Gateway chain identifier
-  chainId: "54321"
+  gatewayChainId: "54321"
 
   # Gateway smart contract addresses
   gatewayContractAddresses:
     decryption: "0xc9bAE822fE6793e3B456144AdB776D5A318CB71e"
     gatewayConfig: "0xeAC2EfFA07844aB326D92d1De29E136a6793DFFA"
-    # =========================================================================
-    # NEW VARIABLES
-    # =========================================================================
     kmsGeneration: "0xF0bFB159C7381F7CB332586004d8247252C5b816"
 
   # Distributed tracing configuration
@@ -45,12 +42,12 @@ commonConfig:
     #     secretKeyRef:
     #       name: connector-database
     #       key: endpoint
-    # - name: DATABASE_USERNAME
+    # - name: PGUSER
     #   valueFrom:
     #     secretKeyRef:
     #       name: connector-database
     #       key: username
-    # - name: DATABASE_PASSWORD
+    # - name: PGPASSWORD
     #   valueFrom:
     #     secretKeyRef:
     #       name: connector-database
@@ -78,19 +75,8 @@ kmsConnectorDbMigration:
 
   # Environment variables for database migration
   env:
-    # =========================================================================
-    # DEPRECATED ENVIRONMENT VARIABLES
-    # =========================================================================
-    # TODO: Apply new environment variable pattern to all services
     - name: DATABASE_ENDPOINT
-    - name: DATABASE_USERNAME
-    - name: DATABASE_PASSWORD
-
-    # =========================================================================
-    # NEW ENVIRONMENT VARIABLES
-    # =========================================================================
-    - name: DATABASE_URL
-      value: "postgresql://$(PGUSER):$(PGPASSWORD)@db:5432/kms-connector"
+      value: "postgresql://db:5432/kms-connector"
     - name: PGUSER
       value: "postgres"
     - name: PGPASSWORD
@@ -131,7 +117,7 @@ kmsConnectorGwListener:
   # Component-specific configuration
   config:
     # Override commonConfig.gatewayUrl if needed
-    gatewayUrl:
+    # gatewayUrl:
 
   # Additional environment variables
   env:
@@ -204,8 +190,14 @@ kmsConnectorKmsWorker:
     # KMS core endpoints for communication
     kmsCoreEndpoints: "http://kms-core:50051"
 
+    # List of host chain RPC node endpoints, chain ids, and ACL contract addresses
+    hostChains:
+      - url: "http://host-node:8545"
+        chainId: 12345
+        aclAddress: "0x05fD9B5EFE0a996095f42Ed7e77c390810CF660c"
+
     # Override commonConfig.gatewayUrl if needed
-    gatewayUrl:
+    # gatewayUrl:
 
   # Additional environment variables
   env:
@@ -276,7 +268,7 @@ kmsConnectorTxSender:
   # Component-specific configuration
   config:
     # Override commonConfig.gatewayUrl if needed
-    gatewayUrl:
+    # gatewayUrl:
 
   # Additional environment variables
   env: