Private Log Filters track enclavePublicKey and are removed when user removed from group

besu/src/main/java/org/hyperledger/besu/RunnerBuilder.java

@@ -54,11 +54,15 @@
 import org.hyperledger.besu.ethereum.api.query.PrivacyQueries;
 import org.hyperledger.besu.ethereum.blockcreation.MiningCoordinator;
 import org.hyperledger.besu.ethereum.chain.Blockchain;
+import org.hyperledger.besu.ethereum.core.Account;
+import org.hyperledger.besu.ethereum.core.Address;
 import org.hyperledger.besu.ethereum.core.MiningParameters;
 import org.hyperledger.besu.ethereum.core.PrivacyParameters;
 import org.hyperledger.besu.ethereum.core.Synchronizer;
 import org.hyperledger.besu.ethereum.eth.transactions.TransactionPool;
+import org.hyperledger.besu.ethereum.mainnet.PrecompiledContract;
 import org.hyperledger.besu.ethereum.mainnet.ProtocolSchedule;
+import org.hyperledger.besu.ethereum.mainnet.precompiles.privacy.OnChainPrivacyPrecompiledContract;
 import org.hyperledger.besu.ethereum.p2p.config.DiscoveryConfiguration;
 import org.hyperledger.besu.ethereum.p2p.config.NetworkingConfiguration;
 import org.hyperledger.besu.ethereum.p2p.config.RlpxConfiguration;
@@ -436,6 +440,8 @@ public Runner build() {
             .build();
     vertx.deployVerticle(filterManager);
 
+    createPrivateTransactionObserver(filterManager, privacyParameters);
+
     final P2PNetwork peerNetwork = networkRunner.getNetwork();
 
     final MiningParameters miningParameters = besuController.getMiningParameters();
@@ -789,6 +795,26 @@ private void createLogsSubscriptionService(
     }
   }
 
+  // TODO where do I need to unsubscribe the filterManager
+  private void createPrivateTransactionObserver(
+      final FilterManager filterManager, final PrivacyParameters privacyParameters) {
+
+    // register filterManager as observer of events fired by the onchain precompile
+    // filterManager needs to remove filters when the creator is removed from onchain groups
+    if (privacyParameters.isOnchainPrivacyGroupsEnabled()) {
+      // TODO this is prob not the right way to get the precompile
+      PrecompiledContract precompiledContract =
+          besuController
+              .getProtocolSchedule()
+              .getByBlockNumber(1)
+              .getPrecompileContractRegistry()
+              .get(Address.ONCHAIN_PRIVACY, Account.DEFAULT_VERSION);
+      OnChainPrivacyPrecompiledContract onChainPrivacyPrecompiledContract =
+          (OnChainPrivacyPrecompiledContract) precompiledContract;
+      onChainPrivacyPrecompiledContract.addPrivateTransactionObserver(filterManager);
+    }
+  }
+
   private void createSyncingSubscriptionService(
       final Synchronizer synchronizer, final SubscriptionManager subscriptionManager) {
     new SyncingSubscriptionService(subscriptionManager, synchronizer);

ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/internal/filter/FilterManager.java

@@ -27,6 +27,8 @@
 import org.hyperledger.besu.ethereum.core.LogWithMetadata;
 import org.hyperledger.besu.ethereum.core.Transaction;
 import org.hyperledger.besu.ethereum.eth.transactions.TransactionPool;
+import org.hyperledger.besu.ethereum.privacy.PrivateTransactionEvent;
+import org.hyperledger.besu.ethereum.privacy.PrivateTransactionObserver;
 
 import java.util.ArrayList;
 import java.util.Collection;
@@ -37,7 +39,7 @@
 import io.vertx.core.AbstractVerticle;
 
 /** Manages JSON-RPC filter events. */
-public class FilterManager extends AbstractVerticle {
+public class FilterManager extends AbstractVerticle implements PrivateTransactionObserver {
 
   private static final int FILTER_TIMEOUT_CHECK_TIMER = 10000;
 
@@ -120,19 +122,22 @@ public String installLogFilter(
    * Installs a new private log filter
    *
    * @param privacyGroupId String privacyGroupId
+   * @param enclavePublicKey String enclavePublicKey of user creating the filter
    * @param fromBlock {@link BlockParameter} Integer block number, or latest/pending/earliest.
    * @param toBlock {@link BlockParameter} Integer block number, or latest/pending/earliest.
    * @param logsQuery {@link LogsQuery} Addresses and/or topics to filter by
    * @return the log filter id
    */
   public String installPrivateLogFilter(
       final String privacyGroupId,
+      final String enclavePublicKey,
       final BlockParameter fromBlock,
       final BlockParameter toBlock,
       final LogsQuery logsQuery) {
     final String filterId = filterIdGenerator.nextId();
     filterRepository.save(
-        new PrivateLogFilter(filterId, privacyGroupId, fromBlock, toBlock, logsQuery));
+        new PrivateLogFilter(
+            filterId, privacyGroupId, enclavePublicKey, fromBlock, toBlock, logsQuery));
     return filterId;
   }
 
@@ -192,6 +197,20 @@ public void recordBlockEvent(final BlockAddedEvent event) {
             });
   }
 
+  @Override
+  public void onPrivateTransactionProcessed(final PrivateTransactionEvent event) {
+    // when user removed from privacy group, remove all filters created by that user in that group
+    filterRepository.getFiltersOfType(PrivateLogFilter.class).stream()
+        .filter(
+            privateLogFilter ->
+                privateLogFilter.getPrivacyGroupId().equals(event.getPrivacyGroupId())
+                    && privateLogFilter.getEnclavePublicKey().equals(event.getEnclavePublicKey()))
+        .forEach(
+            privateLogFilter -> {
+              uninstallFilter(privateLogFilter.getId());
+            });
+  }
+
   @VisibleForTesting
   void recordPendingTransactionEvent(final Transaction transaction) {
     final Collection<PendingTransactionFilter> pendingTransactionFilters =

ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/internal/filter/PrivateLogFilter.java

@@ -20,18 +20,25 @@
 public class PrivateLogFilter extends LogFilter {
 
   private final String privacyGroupId;
+  private final String enclavePublicKey;
 
   PrivateLogFilter(
       final String id,
       final String privacyGroupId,
+      final String enclavePublicKey,
       final BlockParameter fromBlock,
       final BlockParameter toBlock,
       final LogsQuery logsQuery) {
     super(id, fromBlock, toBlock, logsQuery);
     this.privacyGroupId = privacyGroupId;
+    this.enclavePublicKey = enclavePublicKey;
   }
 
   public String getPrivacyGroupId() {
     return privacyGroupId;
   }
+
+  public String getEnclavePublicKey() {
+    return enclavePublicKey;
+  }
 }

ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/internal/privacy/methods/eea/EeaSendRawTransaction.java

@@ -98,7 +98,7 @@ public JsonRpcResponse response(final JsonRpcRequestContext requestContext) {
         if (maybePrivacyGroup.isEmpty()) {
           return new JsonRpcErrorResponse(id, JsonRpcError.ONCHAIN_PRIVACY_GROUP_DOES_NOT_EXIST);
         }
-      } else { // !onchainPirvacyGroupEnabled
+      } else { // !onchainPrivacyGroupEnabled
         if (maybePrivacyGroupId.isPresent()) {
           maybePrivacyGroup =
               privacyController.retrieveOffChainPrivacyGroup(

ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/internal/privacy/methods/priv/PrivDistributeRawTransaction.java

@@ -93,7 +93,7 @@ public JsonRpcResponse response(final JsonRpcRequestContext requestContext) {
         if (maybePrivacyGroup.isEmpty()) {
           return new JsonRpcErrorResponse(id, JsonRpcError.ONCHAIN_PRIVACY_GROUP_DOES_NOT_EXIST);
         }
-      } else { // !onchainPirvacyGroupEnabled
+      } else { // !onchainPrivacyGroupEnabled
         if (maybePrivacyGroupId.isPresent()) {
           maybePrivacyGroup =
               privacyController.retrieveOffChainPrivacyGroup(

ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/internal/privacy/methods/priv/PrivNewFilter.java

@@ -50,23 +50,27 @@ public String getName() {
   public JsonRpcResponse response(final JsonRpcRequestContext request) {
     final String privacyGroupId = request.getRequiredParameter(0, String.class);
     final FilterParameter filter = request.getRequiredParameter(1, FilterParameter.class);
+    final String enclavePublicKey = enclavePublicKeyProvider.getEnclaveKey(request.getUser());
 
-    checkIfPrivacyGroupMatchesAuthenticatedEnclaveKey(request, privacyGroupId);
+    checkIfPrivacyGroupMatchesAuthenticatedEnclaveKey(enclavePublicKey, privacyGroupId);
 
     if (!filter.isValid()) {
       return new JsonRpcErrorResponse(request.getRequest().getId(), JsonRpcError.INVALID_PARAMS);
     }
 
     final String logFilterId =
         filterManager.installPrivateLogFilter(
-            privacyGroupId, filter.getFromBlock(), filter.getToBlock(), filter.getLogsQuery());
+            privacyGroupId,
+            enclavePublicKey,
+            filter.getFromBlock(),
+            filter.getToBlock(),
+            filter.getLogsQuery());
 
     return new JsonRpcSuccessResponse(request.getRequest().getId(), logFilterId);
   }
 
   private void checkIfPrivacyGroupMatchesAuthenticatedEnclaveKey(
-      final JsonRpcRequestContext request, final String privacyGroupId) {
-    final String enclavePublicKey = enclavePublicKeyProvider.getEnclaveKey(request.getUser());
+      final String enclavePublicKey, final String privacyGroupId) {
     privacyController.verifyPrivacyGroupContainsEnclavePublicKey(privacyGroupId, enclavePublicKey);
   }
 }

ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/internal/filter/FilterManagerLogFilterTest.java

@@ -41,6 +41,7 @@
 import org.hyperledger.besu.ethereum.core.Hash;
 import org.hyperledger.besu.ethereum.core.LogWithMetadata;
 import org.hyperledger.besu.ethereum.eth.transactions.TransactionPool;
+import org.hyperledger.besu.ethereum.privacy.PrivateTransactionEvent;
 
 import java.util.List;
 import java.util.Optional;
@@ -59,6 +60,7 @@
 public class FilterManagerLogFilterTest {
 
   private static final String PRIVACY_GROUP_ID = "Ko2bVqD+nNlNYL5EE7y3IdOnviftjiizpjRt+HTuFBs=";
+  private static final String ENCLAVE_PUBLIC_KEY = "iOCzoGo5kwtZU0J41Z9xnGXHN6ZNukIa9MspvHtu3Jk=";
 
   private FilterManager filterManager;
 
@@ -93,7 +95,8 @@ public void installUninstallNewLogFilter() {
 
   @Test
   public void shouldCheckMatchingLogsWhenRecordedNewBlockEventForPrivateFiltersOnly() {
-    filterManager.installPrivateLogFilter(PRIVACY_GROUP_ID, latest(), latest(), logsQuery());
+    filterManager.installPrivateLogFilter(
+        PRIVACY_GROUP_ID, ENCLAVE_PUBLIC_KEY, latest(), latest(), logsQuery());
     filterManager.installLogFilter(latest(), latest(), logsQuery());
     final Hash blockAddedHash = recordBlockEvents(1).get(0).getBlock().getHash();
 
@@ -104,7 +107,7 @@ public void shouldCheckMatchingLogsWhenRecordedNewBlockEventForPrivateFiltersOnl
   @Test
   public void shouldUseBlockHashWhenCheckingLogsForChangesForPrivateFiltersOnly() {
     filterManager.installPrivateLogFilter(
-        PRIVACY_GROUP_ID, blockNum(1L), blockNum(10L), logsQuery());
+        PRIVACY_GROUP_ID, ENCLAVE_PUBLIC_KEY, blockNum(1L), blockNum(10L), logsQuery());
     filterManager.installLogFilter(blockNum(1L), blockNum(10L), logsQuery());
 
     final Hash blockAddedHash = recordBlockEvents(1).get(0).getBlock().getHash();
@@ -222,7 +225,8 @@ public void getLogsShouldResetFilterExpireDate() {
   @Test
   public void installAndUninstallPrivateFilter() {
     final String filterId =
-        filterManager.installPrivateLogFilter(PRIVACY_GROUP_ID, latest(), latest(), logsQuery());
+        filterManager.installPrivateLogFilter(
+            PRIVACY_GROUP_ID, ENCLAVE_PUBLIC_KEY, latest(), latest(), logsQuery());
 
     assertThat(filterRepository.getFilter(filterId, PrivateLogFilter.class)).isPresent();
 
@@ -239,7 +243,8 @@ public void privateLogFilterShouldQueryPrivacyQueriesObject() {
         .thenReturn(singletonList(logWithMetadata));
 
     final String filterId =
-        filterManager.installPrivateLogFilter(PRIVACY_GROUP_ID, latest(), latest(), logsQuery);
+        filterManager.installPrivateLogFilter(
+            PRIVACY_GROUP_ID, ENCLAVE_PUBLIC_KEY, latest(), latest(), logsQuery);
     final Hash blockAddedHash = recordBlockEvents(1).get(0).getBlock().getHash();
 
     verify(privacyQueries).matchingLogs(eq(PRIVACY_GROUP_ID), eq(blockAddedHash), eq(logsQuery));
@@ -253,7 +258,8 @@ public void getLogsForPrivateFilterShouldQueryPrivacyQueriesObject() {
         .thenReturn(Lists.newArrayList(logWithMetadata));
 
     final String privateLogFilterId =
-        filterManager.installPrivateLogFilter(PRIVACY_GROUP_ID, latest(), latest(), logsQuery());
+        filterManager.installPrivateLogFilter(
+            PRIVACY_GROUP_ID, ENCLAVE_PUBLIC_KEY, latest(), latest(), logsQuery());
 
     final List<LogWithMetadata> logs = filterManager.logs(privateLogFilterId);
 
@@ -264,6 +270,36 @@ public void getLogsForPrivateFilterShouldQueryPrivacyQueriesObject() {
     assertThat(logs.get(0)).isEqualTo(logWithMetadata);
   }
 
+  @Test
+  public void removalEvent_uninstallsFilter() {
+    final LogWithMetadata logWithMetadata = logWithMetadata();
+    when(privacyQueries.matchingLogs(eq(PRIVACY_GROUP_ID), anyLong(), anyLong(), any()))
+        .thenReturn(Lists.newArrayList(logWithMetadata));
+
+    final String privateLogFilterId =
+        filterManager.installPrivateLogFilter(
+            PRIVACY_GROUP_ID, ENCLAVE_PUBLIC_KEY, latest(), latest(), logsQuery());
+
+    final List<LogWithMetadata> logs = filterManager.logs(privateLogFilterId);
+
+    verify(blockchainQueries, times(2)).headBlockNumber();
+    verify(blockchainQueries, never()).matchingLogs(anyLong(), anyLong(), any(), any());
+
+    verify(privacyQueries).matchingLogs(eq(PRIVACY_GROUP_ID), anyLong(), anyLong(), any());
+    assertThat(logs.get(0)).isEqualTo(logWithMetadata);
+
+    // signal removal of user from group
+    privateTransactionEvent(PRIVACY_GROUP_ID, ENCLAVE_PUBLIC_KEY);
+
+    assertThat(filterManager.logs(privateLogFilterId)).isNull();
+    assertThat(filterRepository.getFilter(privateLogFilterId, PrivateLogFilter.class)).isEmpty();
+  }
+
+  private void privateTransactionEvent(final String privacyGroupId, final String enclavePublicKey) {
+    PrivateTransactionEvent event = new PrivateTransactionEvent(privacyGroupId, enclavePublicKey);
+    filterManager.onPrivateTransactionProcessed(event);
+  }
+
   private LogWithMetadata logWithMetadata() {
     return new LogWithMetadata(
         0,

ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/internal/privacy/methods/priv/PrivNewFilterTest.java

@@ -43,6 +43,7 @@
 
 import java.util.Collections;
 import java.util.List;
+import java.util.Optional;
 
 import io.vertx.ext.auth.User;
 import org.apache.tuweni.bytes.Bytes32;
@@ -115,7 +116,9 @@ public void filterWithInvalidParameters() {
   @Test
   public void filterWithExpectedQueryIsCreated() {
     final List<Address> addresses = List.of(Address.ZERO);
+    final User user = mock(User.class);
     final List<List<LogTopic>> logTopics = List.of(List.of(LogTopic.of(Bytes32.random())));
+    when(enclavePublicKeyProvider.getEnclaveKey(eq(Optional.of(user)))).thenReturn(ENCLAVE_KEY);
 
     final FilterParameter filter =
         new FilterParameter(
@@ -124,12 +127,14 @@ public void filterWithExpectedQueryIsCreated() {
     final LogsQuery expectedQuery =
         new LogsQuery.Builder().addresses(addresses).topics(logTopics).build();
 
-    final JsonRpcRequestContext request = privNewFilterRequest(PRIVACY_GROUP_ID, filter);
+    final JsonRpcRequestContext request =
+        privNewFilterRequestWithUser(PRIVACY_GROUP_ID, filter, user);
     method.response(request);
 
     verify(filterManager)
         .installPrivateLogFilter(
             eq(PRIVACY_GROUP_ID),
+            eq(ENCLAVE_KEY),
             refEq(BlockParameter.EARLIEST),
             refEq(BlockParameter.LATEST),
             eq((expectedQuery)));

ethereum/core/src/main/java/org/hyperledger/besu/ethereum/mainnet/precompiles/privacy/OnChainPrivacyPrecompiledContract.java

@@ -34,6 +34,8 @@
 import org.hyperledger.besu.ethereum.debug.TraceOptions;
 import org.hyperledger.besu.ethereum.privacy.PrivateStateRootResolver;
 import org.hyperledger.besu.ethereum.privacy.PrivateTransaction;
+import org.hyperledger.besu.ethereum.privacy.PrivateTransactionEvent;
+import org.hyperledger.besu.ethereum.privacy.PrivateTransactionObserver;
 import org.hyperledger.besu.ethereum.privacy.PrivateTransactionProcessor;
 import org.hyperledger.besu.ethereum.privacy.Restriction;
 import org.hyperledger.besu.ethereum.privacy.VersionedPrivateTransaction;
@@ -45,6 +47,7 @@
 import org.hyperledger.besu.ethereum.vm.DebugOperationTracer;
 import org.hyperledger.besu.ethereum.vm.GasCalculator;
 import org.hyperledger.besu.ethereum.vm.MessageFrame;
+import org.hyperledger.besu.util.Subscribers;
 import org.hyperledger.besu.ethereum.worldstate.WorldStateArchive;
 
 import java.util.ArrayList;
@@ -65,6 +68,9 @@ public class OnChainPrivacyPrecompiledContract extends PrivacyPrecompiledContrac
   private static final SECP256K1.Signature FAKE_SIGNATURE =
       SECP256K1.Signature.create(SECP256K1.HALF_CURVE_ORDER, SECP256K1.HALF_CURVE_ORDER, (byte) 0);
 
+  private final Subscribers<PrivateTransactionObserver> privateTransactionEventObservers =
+      Subscribers.create();
+
   private static final Logger LOG = LogManager.getLogger();
 
   public OnChainPrivacyPrecompiledContract(
@@ -87,6 +93,14 @@ public OnChainPrivacyPrecompiledContract(
         "OnChainPrivacy");
   }
 
+  public long addPrivateTransactionObserver(final PrivateTransactionObserver observer) {
+    return privateTransactionEventObservers.subscribe(observer);
+  }
+
+  public boolean removePrivateTransactionObserver(final long observerId) {
+    return privateTransactionEventObservers.unsubscribe(observerId);
+  }
+
   @Override
   public Bytes compute(final Bytes input, final MessageFrame messageFrame) {
 
@@ -176,6 +190,18 @@ public Bytes compute(final Bytes input, final MessageFrame messageFrame) {
       return Bytes.EMPTY;
     }
 
+    if (privateTransaction.isGroupRemovalTransaction()) {
+      // get first participant parameter - there will be only one for removal transaction
+      final String removedParticipant = getParticipantsFromParameter(privateTransaction.getPayload()).get(0);
+
+      final PrivateTransactionEvent removalEvent =
+          new PrivateTransactionEvent(
+              privateTransaction.getPrivacyGroupId().get().toBase64String(),
+              removedParticipant);
+      privateTransactionEventObservers.forEach(
+          sub -> sub.onPrivateTransactionProcessed(removalEvent));
+    }
+
     if (messageFrame.isPersistingPrivateState()) {
       persistPrivateState(
           pmtHash,