Disable block production for the peer if it's not bioauth-unauthorized

crates/bioauth-consensus/Cargo.toml

@@ -10,15 +10,18 @@ pallet-bioauth = { version = "0.1", path = "../pallet-bioauth", optional = true
 
 async-trait = "0.1.42"
 codec = { package = "parity-scale-codec", version = "2", default-features = false, features = ["derive"] }
+futures = "0.3"
 sc-client-api = { git = "https://github.com/humanode-network/substrate", branch = "master" }
 sc-consensus = { git = "https://github.com/humanode-network/substrate", branch = "master" }
 sp-api = { git = "https://github.com/humanode-network/substrate", branch = "master" }
 sp-application-crypto = { git = "https://github.com/humanode-network/substrate", branch = "master", optional = true }
 sp-blockchain = { git = "https://github.com/humanode-network/substrate", branch = "master" }
 sp-consensus = { git = "https://github.com/humanode-network/substrate", branch = "master" }
 sp-consensus-aura = { git = "https://github.com/humanode-network/substrate", branch = "master", optional = true }
+sp-keystore = { git = "https://github.com/humanode-network/substrate", branch = "master" }
 sp-runtime = { git = "https://github.com/humanode-network/substrate", branch = "master" }
 thiserror = "1"
+tokio = { version = "1", features = ["rt-multi-thread"] }
 
 [dev-dependencies]
 mockall = "0.10"

crates/bioauth-consensus/src/lib.rs

@@ -6,11 +6,14 @@
     clippy::clone_on_ref_ptr
 )]
 
+use futures::future;
+use futures::future::FutureExt;
 use sc_client_api::{backend::Backend, Finalizer};
 use sc_consensus::{BlockCheckParams, BlockImport, BlockImportParams, ImportResult};
-use sp_api::{ProvideRuntimeApi, TransactionFor};
+use sp_api::{HeaderT, ProvideRuntimeApi, TransactionFor};
 use sp_blockchain::{well_known_cache_keys, HeaderBackend};
-use sp_consensus::Error as ConsensusError;
+use sp_consensus::{Environment, Error as ConsensusError};
+use sp_keystore::SyncCryptoStorePtr;
 use sp_runtime::traits::Block as BlockT;
 use std::{collections::HashMap, marker::PhantomData, sync::Arc};
 use thiserror::Error;
@@ -151,3 +154,104 @@ where
         self.inner.import_block(block, cache).await
     }
 }
+
+/// A Proposer handler for Bioauth.
+pub struct BioauthProposer<Block: BlockT, AV, BAP> {
+    /// A basic authorship proposer.
+    base_proposer: BAP,
+    /// Keystore to extract validator public key.
+    keystore: SyncCryptoStorePtr,
+    /// The bioauth auhtrization verifier.
+    authorization_verifier: AV,
+    /// A phantom data for Block.
+    _phantom_block: PhantomData<Block>,
+}
+
+/// BioauthProposer Error Type.
+#[derive(Error, Debug, Eq, PartialEq)]
+pub enum BioauthProposerError<AV>
+where
+    AV: std::error::Error,
+{
+    /// The block author isn't Bioauth authorized.
+    #[error("the block author isn't bioauth-authorized")]
+    NotBioauthAuthorized,
+    /// Authorization verification error.
+    #[error("unable verify the authorization: {0}")]
+    AuthorizationVerifier(AV),
+}
+
+impl<Block: BlockT, AV, BAP> BioauthProposer<Block, AV, BAP> {
+    /// Simple constructor.
+    pub fn new(
+        base_proposer: BAP,
+        keystore: SyncCryptoStorePtr,
+        authorization_verifier: AV,
+    ) -> Self {
+        BioauthProposer {
+            base_proposer,
+            keystore,
+            authorization_verifier,
+            _phantom_block: PhantomData,
+        }
+    }
+}
+
+impl<Block: BlockT, AV, BAP> Environment<Block> for BioauthProposer<Block, AV, BAP>
+where
+    AV: AuthorizationVerifier<
+            Block = Block,
+            PublicKeyType = sp_consensus_aura::sr25519::AuthorityId,
+        > + Send,
+    <AV as AuthorizationVerifier>::Error: std::error::Error + Send + Sync + 'static,
+    BAP: Environment<Block> + Send + Sync + 'static,
+    BAP::Error: Send,
+    BAP::Proposer: Send,
+{
+    type Proposer = BAP::Proposer;
+
+    type CreateProposer = future::BoxFuture<'static, Result<Self::Proposer, Self::Error>>;
+
+    type Error = BAP::Error;
+
+    fn init(&mut self, parent_header: &Block::Header) -> Self::CreateProposer {
+        let mkerr = |err: BioauthProposerError<AV::Error>| -> Self::CreateProposer {
+            Box::pin(future::err(Self::Error::from(sp_consensus::Error::Other(
+                Box::new(err),
+            ))))
+        };
+
+        let keystore_ref = self.keystore.as_ref();
+
+        let aura_public_keys = tokio::task::block_in_place(move || {
+            sp_keystore::SyncCryptoStore::sr25519_public_keys(
+                keystore_ref,
+                sp_application_crypto::key_types::AURA,
+            )
+        });
+
+        assert!(
+            aura_public_keys.len() == 1,
+            "The list of aura public keys should contain only 1 key, please report this"
+        );
+
+        let aura_public_key = aura_public_keys[0];
+
+        let parent_hash = parent_header.hash();
+        let at = sp_api::BlockId::hash(parent_hash);
+
+        let is_authorized = match self
+            .authorization_verifier
+            .is_authorized(&at, &aura_public_key.into())
+        {
+            Ok(v) => v,
+            Err(err) => return mkerr(BioauthProposerError::AuthorizationVerifier(err)),
+        };
+
+        if !is_authorized {
+            return mkerr(BioauthProposerError::NotBioauthAuthorized);
+        }
+
+        self.base_proposer.init(parent_header).boxed()
+    }
+}

crates/humanode-peer/src/service.rs

@@ -170,6 +170,16 @@ pub async fn new_full(config: Configuration) -> Result<TaskManager, ServiceError
         None,
     );
 
+    let proposer_factory: bioauth_consensus::BioauthProposer<
+        Block,
+        bioauth_consensus::bioauth::AuthorizationVerifier<Block, FullClient, AuraId>,
+        _,
+    > = bioauth_consensus::BioauthProposer::new(
+        proposer_factory,
+        keystore_container.sync_keystore(),
+        bioauth_consensus::bioauth::AuthorizationVerifier::new(Arc::clone(&client)),
+    );
+
     let (network, system_rpc_tx, network_starter) =
         sc_service::build_network(sc_service::BuildNetworkParams {
             config: &config,