chore(test-suite): use acl relayer (#2064)

* chore(test-suite): update copro params

* chore(test-suite): update contract addresses

* chore(gateway-contracts): pauser task minor fix

* chore(test-suite): update relayer

* chore(test-suite): update relayer-sdk v0.4.1

* chore(test-suite): draft add negative acl tests

* chore(test-suite): fix expired delegation, acl not allow tests (#2060)

* chore(test-suite): update acl failure test for delegated user decr

- Previously: negative delegated user decryption tests asserted on raw
  Solidity selector 0x0190c506 and was using relayer-sdk v0.4.1 that was
  not handling the label 'now_allowed_on_host_acl' from relayer.

- Now: bump relayer-sdk to v0.4.2 that handles the label and asserts on
  relayer-sdk error label not_allowed_on_host_acl, matching the
  structured error returned by the relayer on HTTP 400

* chore(test-suite): fix expired delegation test

- Issue: setting pastExpiration=1 reverted at the
  contract level (ExpirationDateBeforeOneHour) so
  the test never reached the decryption step

- Fix: delegate with a valid expiration (now + 1h1m),
  then use evm_increaseTime to fast-forward past it
  before attempting decryption

* chore(common): update package-lock.json

---------

Co-authored-by: Simon Eudeline <simon.eudeline@zama.ai>

* fix(test-suite): relayer and copro config update

* chore(test-suite): update test-suite versions

---------

Co-authored-by: Manoranjith <manoranjith.ponnuraj@zama.ai>

Author: 2 people

gateway-contracts/tasks/addPausers.ts

@@ -7,7 +7,7 @@ import { getRequiredEnvVar, loadGatewayAddresses } from "./utils/loadVariables";
 // for local testing. By default, we use the PAUSER_SET_ADDRESS env var, as done in deployment
 task("task:addGatewayPausers")
   .addParam("useInternalPauserSetAddress", "If internal PauserSet address should be used", false, types.boolean)
-  .setAction(async function ({ useInternalGatewayConfigAddress }, hre) {
+  .setAction(async function ({ useInternalPauserSetAddress }, hre) {
     await hre.run("compile:specific", { contract: "contracts/immutable" });
     console.log("Adding pausers to PauserSet contract");
 
@@ -21,7 +21,7 @@ task("task:addGatewayPausers")
       pausers.push(getRequiredEnvVar(`PAUSER_ADDRESS_${idx}`));
     }
 
-    if (useInternalGatewayConfigAddress) {
+    if (useInternalPauserSetAddress) {
       loadGatewayAddresses();
     }
     const pauserSetAddress = getRequiredEnvVar("PAUSER_SET_ADDRESS");

package-lock.json

@@ -10,7 +10,9 @@ RUN apk add --no-cache \
     curl \
     wget \
     vim \
-    jq && \
+    jq \
+    python3 \
+    build-base && \
     rm -rf /var/cache/apk/*
 
 RUN addgroup -g 10001 fhevm && \

test-suite/e2e/Dockerfile

@@ -16,9 +16,9 @@
   "dependencies": {
     "@fhevm/solidity": "*",
     "@openzeppelin/contracts": "^5.3.0",
-    "@zama-fhe/relayer-sdk": "^0.4.0",
+    "@zama-fhe/relayer-sdk": "^0.4.2",
     "bigint-buffer": "^1.1.5",
     "dotenv": "^16.0.3",
     "encrypted-types": "^0.0.4"
   }
-}
+}

test-suite/e2e/package.json

@@ -5,11 +5,11 @@ import { createInstances } from '../instance';
 import { getSigners, initSigners } from '../signers';
 import { delegatedUserDecryptSingleHandle, waitForBlock } from '../utils';
 
-const USER_DECRYPTION_NOT_DELEGATED_SELECTOR = '0x0190c506';
+const NOT_ALLOWED_ON_HOST_ACL = 'not_allowed_on_host_acl';
 
 describe('Delegated user decryption', function () {
   before(async function () {
-    await initSigners(3);
+    await initSigners(5);
     this.signers = await getSigners();
     this.instances = await createInstances(this.signers);
 
@@ -233,8 +233,8 @@ describe('Delegated user decryption', function () {
     const balanceHandle = await this.token.balanceOf(this.smartWalletAddress);
     const { publicKey, privateKey } = this.instances.bob.generateKeypair();
 
-    await expect(
-      delegatedUserDecryptSingleHandle(
+    try {
+      await delegatedUserDecryptSingleHandle(
         this.instances.bob,
         balanceHandle,
         this.tokenAddress,
@@ -243,9 +243,104 @@ describe('Delegated user decryption', function () {
         this.signers.bob,
         privateKey,
         publicKey,
-      )
-    ).to.be.rejectedWith(
-      new RegExp(USER_DECRYPTION_NOT_DELEGATED_SELECTOR),
-    );
+      );
+      expect.fail('Expected delegated user decrypt to be rejected after revocation');
+    } catch (err: any) {
+      expect(err.relayerApiError?.label).to.equal(NOT_ALLOWED_ON_HOST_ACL);
+    }
+  });
+
+  it('test delegated user decryption should fail when no delegation exists', async function () {
+    const balanceHandle = await this.token.balanceOf(this.smartWalletAddress);
+    const { publicKey, privateKey } = this.instances.dave.generateKeypair();
+
+    try {
+      await delegatedUserDecryptSingleHandle(
+        this.instances.dave,
+        balanceHandle,
+        this.tokenAddress,
+        this.smartWalletAddress,
+        this.signers.dave.address,
+        this.signers.dave,
+        privateKey,
+        publicKey,
+      );
+      expect.fail('Expected delegated user decrypt to be rejected without delegation');
+    } catch (err: any) {
+      expect(err.relayerApiError?.label).to.equal(NOT_ALLOWED_ON_HOST_ACL);
+    }
+  });
+
+  it('test delegated user decryption should fail when delegation is for wrong contract', async function () {
+    const dummyFactory = await ethers.getContractFactory('UserDecrypt');
+    const dummy = await dummyFactory.connect(this.signers.alice).deploy();
+    await dummy.waitForDeployment();
+    const wrongAddress = await dummy.getAddress();
+
+    const expirationTimestamp = Math.floor(Date.now() / 1000) + 86400;
+    const tx = await this.smartWallet
+      .connect(this.signers.bob)
+      .delegateUserDecryption(this.signers.eve.address, wrongAddress, expirationTimestamp);
+    await tx.wait();
+    const currentBlock = await ethers.provider.getBlockNumber();
+    await waitForBlock(currentBlock + 15);
+
+    const balanceHandle = await this.token.balanceOf(this.smartWalletAddress);
+    const { publicKey, privateKey } = this.instances.eve.generateKeypair();
+
+    try {
+      await delegatedUserDecryptSingleHandle(
+        this.instances.eve,
+        balanceHandle,
+        this.tokenAddress,
+        this.smartWalletAddress,
+        this.signers.eve.address,
+        this.signers.eve,
+        privateKey,
+        publicKey,
+      );
+      expect.fail('Expected delegated user decrypt to be rejected for wrong contract');
+    } catch (err: any) {
+      expect(err.relayerApiError?.label).to.equal(NOT_ALLOWED_ON_HOST_ACL);
+    }
+  });
+
+  it('test delegated user decryption should fail when delegation has expired', async function () {
+    // Expiration must be >1h from chain time (FHE library constraint).
+    // Use block timestamp, not Date.now(), since evm_increaseTime shifts chain clock.
+    const oneHour = 3600;
+    const buffer = 60;
+    const latestBlock = await ethers.provider.getBlock('latest');
+    const expirationTimestamp = latestBlock!.timestamp + oneHour + buffer;
+    const tx = await this.smartWallet
+      .connect(this.signers.bob)
+      .delegateUserDecryption(this.signers.eve.address, this.tokenAddress, expirationTimestamp);
+    await tx.wait();
+
+    // Fast-forward time past the expiration.
+    await ethers.provider.send('evm_increaseTime', [oneHour + buffer + 1]);
+    await ethers.provider.send('evm_mine', []);
+
+    const currentBlock = await ethers.provider.getBlockNumber();
+    await waitForBlock(currentBlock + 15);
+
+    const balanceHandle = await this.token.balanceOf(this.smartWalletAddress);
+    const { publicKey, privateKey } = this.instances.eve.generateKeypair();
+
+    try {
+      await delegatedUserDecryptSingleHandle(
+        this.instances.eve,
+        balanceHandle,
+        this.tokenAddress,
+        this.smartWalletAddress,
+        this.signers.eve.address,
+        this.signers.eve,
+        privateKey,
+        publicKey,
+      );
+      expect.fail('Expected delegated user decrypt to be rejected for expired delegation');
+    } catch (err: any) {
+      expect(err.relayerApiError?.label).to.equal(NOT_ALLOWED_ON_HOST_ACL);
+    }
   });
 });

test-suite/e2e/test/delegatedUserDecryption/delegatedUserDecryption.ts

@@ -1,4 +1,4 @@
-import { assert } from 'chai';
+import { assert, expect } from 'chai';
 import { ethers } from 'hardhat';
 
 import { createInstances } from '../instance';
@@ -38,4 +38,18 @@ describe('HTTPPublicDecrypt', function () {
     };
     assert.deepEqual(res.clearValues, expectedRes);
   });
+
+  it('test public decrypt should fail for non-publicly-decryptable handle', async function () {
+    const factory = await ethers.getContractFactory('UserDecrypt');
+    const contract = await factory.connect(this.signers.alice).deploy();
+    await contract.waitForDeployment();
+    const handle = await contract.xBool();
+
+    try {
+      await this.instances.alice.publicDecrypt([handle]);
+      expect.fail('Expected an error - handle is not publicly decryptable');
+    } catch (error) {
+      expect(error.message).to.include('not allowed for public decryption');
+    }
+  });
 });

test-suite/e2e/test/httpPublicDecrypt/httpPublicDecrypt.ts

@@ -190,6 +190,43 @@ describe('User decryption', function () {
     expect(decryptedValue).to.equal(74285495974541385002137713624115238327312291047062397922780925695323480915729n);
   });
 
+  it('test user decrypt should fail when dapp contract is not allowed for handle', async function () {
+    const handle = await this.contract.xBool();
+    // Deploy a second contract to get an address NOT allowed on the handle
+    const factory2 = await ethers.getContractFactory('HTTPPublicDecrypt');
+    const contract2 = await factory2.connect(this.signers.alice).deploy();
+    await contract2.waitForDeployment();
+    const wrongContractAddress = await contract2.getAddress();
+
+    const { publicKey, privateKey } = this.instances.alice.generateKeypair();
+    const handleContractPairs = [{ handle, contractAddress: wrongContractAddress }];
+    const startTimeStamp = Math.floor(Date.now() / 1000);
+    const durationDays = 10;
+    const contractAddresses = [wrongContractAddress];
+    const eip712 = this.instances.alice.createEIP712(publicKey, contractAddresses, startTimeStamp, durationDays);
+    const signature = await this.signers.alice.signTypedData(
+      eip712.domain,
+      { UserDecryptRequestVerification: eip712.types.UserDecryptRequestVerification },
+      eip712.message,
+    );
+
+    try {
+      await this.instances.alice.userDecrypt(
+        handleContractPairs,
+        privateKey,
+        publicKey,
+        signature.replace('0x', ''),
+        contractAddresses,
+        this.signers.alice.address,
+        startTimeStamp,
+        durationDays,
+      );
+      expect.fail('Expected an error - contract should not be allowed');
+    } catch (error) {
+      expect(error.message).to.include('is not authorized to user decrypt handle');
+    }
+  });
+
   it('test user decrypt request expired', async function () {
     const handle = await this.contract.xBool();
     const HandleContractPairs = [

test-suite/e2e/test/userDecryption/userDecryption.ts

@@ -1,3 +1,7 @@
+host_chains:
+  - chain_id: 12345
+    url: "http://host-node:8545"
+    acl_address: "0x05fD9B5EFE0a996095f42Ed7e77c390810CF660c"
 
 gateway:
   blockchain_rpc:
@@ -70,9 +74,14 @@ gateway:
     tx_throttler_capacity: 11000 # To allow actual capacity of 10k, after accounting for safety margin.
     tx_throttler_safety_margin: 1000
   readiness_checker:
-    retry:
-      max_attempts: 30
-      retry_interval_ms: 2000
+    host_acl_check:
+      retry:
+        max_attempts: 3
+        retry_interval_ms: 1000
+    gw_ciphertext_check:
+      retry:
+        max_attempts: 15
+        retry_interval_ms: 2000
     public_decrypt:
       max_concurrency: 250
       capacity: 11000
@@ -86,24 +95,23 @@ gateway:
       capacity: 11000
       safety_margin: 1000
   contracts:
-    decryption_address: "0x35760912360E875DA50D40a74305575c23D55783"
-    input_verification_address: "0x1ceFA8E3F3271358218B52c33929Cf76078004c1"
+    decryption_address: "0xF0bFB159C7381F7CB332586004d8247252C5b816"
+    input_verification_address: "0x3b12Fc766Eb598b285998877e8E90F3e43a1F8d2"
     user_decrypt_shares_threshold: 1 # KMS centralized mode
 log:
-
-  format: "compact"          # compact, pretty, or json
+  format: "compact" # compact, pretty, or json
   show_file_line: true
   show_thread_ids: true
   show_timestamp: true
   show_target: true
 
 keyurl:
-    fhe_public_key:
-      data_id: "fhe-public-key-data-id"
-      url: "http://0.0.0.0:3001/publicKey.bin"
-    crs:
-      data_id: "crs-data-id"
-      url: "http://0.0.0.0:3001/crs2048.bin"
+  fhe_public_key:
+    data_id: "fhe-public-key-data-id"
+    url: "http://0.0.0.0:3001/publicKey.bin"
+  crs:
+    data_id: "crs-data-id"
+    url: "http://0.0.0.0:3001/crs2048.bin"
 
 http:
   endpoint: "0.0.0.0:3000"
@@ -194,4 +202,4 @@ storage:
     public_decrypt_expiry: "365d" # 1 year
     user_decrypt_expiry: "7d"
     input_proof_expiry: "7d"
-    cron_startup_delay_after_recovery: "30s"
+    cron_startup_delay_after_recovery: "30s"

test-suite/fhevm/config/connector/config.toml

@@ -81,6 +81,7 @@ services:
       - --acl-contract-address=${ACL_CONTRACT_ADDRESS}
       - --tfhe-contract-address=${FHEVM_EXECUTOR_CONTRACT_ADDRESS}
       - --url=${RPC_HTTP_URL}
+      - --finality-lag=2
     depends_on:
       coprocessor-db-migration:
         condition: service_completed_successfully
@@ -236,9 +237,6 @@ services:
       - --verify-proof-resp-max-retries=15
       - --verify-proof-remove-after-max-retries
       - --signer-type=private-key
-      - --delegation-fallback-polling=30
-      - --delegation-max-retry=100000
-      - --retry-immediately-on-nonce-error=2
     depends_on:
       coprocessor-db-migration:
         condition: service_completed_successfully