dearsky/wifi-densepose
1
0
Fork 0
Code Issues 20 Pull Requests 5 Actions Packages Projects Releases 1 Wiki Activity

Merge commit 'd803bfe2b1fe7f5e219e50ac20d6801a0a58ac75' as 'vendor/ruvector'

Browse Source
This commit is contained in:
ruv
2026-02-28 14:39:40 -05:00
parent 7885bf6278 d803bfe2b1
commit cd5943df23
7854 changed files with 3522914 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

680
vendor/ruvector/examples/edge-net/tests/relay-security.test.ts vendored Normal file
View File

@@ -0,0 +1,680 @@
/**
* Edge-Net Relay Security Test Suite
* Tests for authentication, authorization, and attack vector prevention
*
* Attack Vectors Tested:
* 1. Task completion spoofing (completing tasks not assigned to you)
* 2. Replay attacks (completing same task twice)
* 3. Credit self-reporting (clients claiming their own credits)
* 4. Public key spoofing (using someone else's key)
* 5. Rate limiting bypass
* 6. Message size attacks
* 7. Connection flooding
*/
import { describe, it, expect, beforeAll, afterAll, beforeEach } from '@jest/globals';
import WebSocket from 'ws';
import { randomBytes } from 'crypto';
// Test configuration
const RELAY_URL = process.env.RELAY_URL || 'ws://localhost:8080';
const TEST_TIMEOUT = 10000;
interface RelayMessage {
type: string;
[key: string]: any;
}
interface TestNode {
ws: WebSocket;
nodeId: string;
publicKey: string;
messages: RelayMessage[];
}
// Helper to create a test node connection
async function createTestNode(nodeId?: string, publicKey?: string): Promise<TestNode> {
const id = nodeId || `test-node-${randomBytes(8).toString('hex')}`;
const pubKey = publicKey || randomBytes(32).toString('hex');
const ws = new WebSocket(RELAY_URL);
const messages: RelayMessage[] = [];
// Collect all messages
ws.on('message', (data) => {
try {
const msg = JSON.parse(data.toString());
messages.push(msg);
} catch (e) {
console.error('Failed to parse message:', e);
}
});
// Wait for connection
await new Promise((resolve, reject) => {
ws.once('open', resolve);
ws.once('error', reject);
setTimeout(() => reject(new Error('Connection timeout')), 5000);
});
// Register node
ws.send(JSON.stringify({
type: 'register',
nodeId: id,
publicKey: pubKey,
}));
// Wait for welcome message
await new Promise((resolve) => {
const checkWelcome = () => {
if (messages.some(m => m.type === 'welcome')) {
resolve(true);
} else {
setTimeout(checkWelcome, 50);
}
};
checkWelcome();
});
return { ws, nodeId: id, publicKey: pubKey, messages };
}
// Helper to wait for specific message type
async function waitForMessage(node: TestNode, type: string, timeout = 5000): Promise<RelayMessage | null> {
const startTime = Date.now();
return new Promise((resolve) => {
const check = () => {
const msg = node.messages.find(m => m.type === type);
if (msg) {
resolve(msg);
} else if (Date.now() - startTime > timeout) {
resolve(null);
} else {
setTimeout(check, 50);
}
};
check();
});
}
// Helper to close node connection
function closeNode(node: TestNode): void {
if (node.ws.readyState === WebSocket.OPEN) {
node.ws.close();
}
}
describe('Edge-Net Relay Security Tests', () => {
describe('Attack Vector 1: Task Completion Spoofing', () => {
it('should reject task completion from node that was not assigned the task', async () => {
const submitter = await createTestNode();
const worker = await createTestNode();
const attacker = await createTestNode();
try {
// Submitter creates a task
submitter.ws.send(JSON.stringify({
type: 'task_submit',
task: {
type: 'inference',
model: 'test-model',
maxCredits: 1000000,
},
}));
// Wait for task to be accepted
const acceptance = await waitForMessage(submitter, 'task_accepted');
expect(acceptance).toBeTruthy();
const taskId = acceptance?.taskId;
expect(taskId).toBeTruthy();
// Worker should receive task assignment
const assignment = await waitForMessage(worker, 'task_assignment');
expect(assignment).toBeTruthy();
expect(assignment?.task.id).toBe(taskId);
// Clear attacker messages
attacker.messages.length = 0;
// ATTACK: Attacker tries to complete task they weren't assigned
attacker.ws.send(JSON.stringify({
type: 'task_complete',
taskId: taskId,
result: 'malicious result',
reward: 1000000,
}));
// Wait for error response
const error = await waitForMessage(attacker, 'error');
expect(error).toBeTruthy();
expect(error?.message).toContain('not assigned to you');
// Verify attacker didn't receive credits
const creditEarned = attacker.messages.find(m => m.type === 'credit_earned');
expect(creditEarned).toBeFalsy();
} finally {
closeNode(submitter);
closeNode(worker);
closeNode(attacker);
}
}, TEST_TIMEOUT);
it('should only allow assigned worker to complete task', async () => {
const submitter = await createTestNode();
const worker = await createTestNode();
try {
// Submit task
submitter.ws.send(JSON.stringify({
type: 'task_submit',
task: {
type: 'inference',
model: 'test-model',
maxCredits: 2000000,
},
}));
const acceptance = await waitForMessage(submitter, 'task_accepted');
const taskId = acceptance?.taskId;
// Wait for assignment
const assignment = await waitForMessage(worker, 'task_assignment');
expect(assignment?.task.id).toBe(taskId);
// Clear messages
worker.messages.length = 0;
// Worker completes task (legitimate)
worker.ws.send(JSON.stringify({
type: 'task_complete',
taskId: taskId,
result: 'valid result',
reward: 2000000,
}));
// Should receive credit
const credit = await waitForMessage(worker, 'credit_earned');
expect(credit).toBeTruthy();
expect(credit?.taskId).toBe(taskId);
expect(BigInt(credit?.amount || 0)).toBeGreaterThan(0n);
} finally {
closeNode(submitter);
closeNode(worker);
}
}, TEST_TIMEOUT);
});
describe('Attack Vector 2: Replay Attacks', () => {
it('should reject duplicate task completion', async () => {
const submitter = await createTestNode();
const worker = await createTestNode();
try {
// Submit task
submitter.ws.send(JSON.stringify({
type: 'task_submit',
task: {
type: 'inference',
model: 'test-model',
maxCredits: 1000000,
},
}));
const acceptance = await waitForMessage(submitter, 'task_accepted');
const taskId = acceptance?.taskId;
// Wait for assignment
await waitForMessage(worker, 'task_assignment');
worker.messages.length = 0;
// Complete task first time
worker.ws.send(JSON.stringify({
type: 'task_complete',
taskId: taskId,
result: 'result',
reward: 1000000,
}));
const firstCredit = await waitForMessage(worker, 'credit_earned');
expect(firstCredit).toBeTruthy();
const firstAmount = BigInt(firstCredit?.amount || 0);
// Wait a bit
await new Promise(resolve => setTimeout(resolve, 500));
worker.messages.length = 0;
// ATTACK: Try to complete same task again (replay attack)
worker.ws.send(JSON.stringify({
type: 'task_complete',
taskId: taskId,
result: 'result',
reward: 1000000,
}));
// Should receive error
const error = await waitForMessage(worker, 'error');
expect(error).toBeTruthy();
expect(error?.message).toContain('already completed');
// Should NOT receive additional credits
const secondCredit = worker.messages.find(m => m.type === 'credit_earned');
expect(secondCredit).toBeFalsy();
} finally {
closeNode(submitter);
closeNode(worker);
}
}, TEST_TIMEOUT);
});
describe('Attack Vector 3: Credit Self-Reporting', () => {
it('should reject ledger_update messages from clients', async () => {
const attacker = await createTestNode();
try {
attacker.messages.length = 0;
// ATTACK: Try to self-report credits
attacker.ws.send(JSON.stringify({
type: 'ledger_update',
publicKey: attacker.publicKey,
ledger: {
earned: 999999999, // Try to give self lots of credits
spent: 0,
tasksCompleted: 100,
},
}));
// Should receive error
const error = await waitForMessage(attacker, 'error');
expect(error).toBeTruthy();
expect(error?.message).toContain('self-report');
// Verify balance is still 0
attacker.messages.length = 0;
attacker.ws.send(JSON.stringify({
type: 'ledger_sync',
publicKey: attacker.publicKey,
}));
const balance = await waitForMessage(attacker, 'ledger_sync_response');
expect(balance).toBeTruthy();
expect(BigInt(balance?.ledger?.earned || 0)).toBe(0n);
} finally {
closeNode(attacker);
}
}, TEST_TIMEOUT);
it('should only credit accounts via verified task completions', async () => {
const submitter = await createTestNode();
const worker = await createTestNode();
try {
// Get initial balance
worker.ws.send(JSON.stringify({
type: 'ledger_sync',
publicKey: worker.publicKey,
}));
const initialBalance = await waitForMessage(worker, 'ledger_sync_response');
const initialEarned = BigInt(initialBalance?.ledger?.earned || 0);
// Submit and complete legitimate task
submitter.ws.send(JSON.stringify({
type: 'task_submit',
task: {
type: 'inference',
model: 'test-model',
maxCredits: 3000000,
},
}));
const acceptance = await waitForMessage(submitter, 'task_accepted');
const taskId = acceptance?.taskId;
await waitForMessage(worker, 'task_assignment');
worker.messages.length = 0;
worker.ws.send(JSON.stringify({
type: 'task_complete',
taskId: taskId,
result: 'result',
reward: 3000000,
}));
// Should receive credit
const credit = await waitForMessage(worker, 'credit_earned');
expect(credit).toBeTruthy();
// Verify balance increased by EXACTLY the reward amount
const finalEarned = BigInt(credit?.balance?.earned || 0);
expect(finalEarned).toBeGreaterThan(initialEarned);
} finally {
closeNode(submitter);
closeNode(worker);
}
}, TEST_TIMEOUT);
});
describe('Attack Vector 4: Public Key Spoofing', () => {
it('should not allow using another node\'s public key to claim credits', async () => {
const victim = await createTestNode('victim-node', 'legitimate-public-key-123');
const attacker = await createTestNode('attacker-node', 'legitimate-public-key-123'); // Same key!
const submitter = await createTestNode();
try {
// Submit task
submitter.ws.send(JSON.stringify({
type: 'task_submit',
task: {
type: 'inference',
model: 'test-model',
maxCredits: 1000000,
},
}));
const acceptance = await waitForMessage(submitter, 'task_accepted');
const taskId = acceptance?.taskId;
// One of them will get the assignment
const victimAssignment = await waitForMessage(victim, 'task_assignment', 2000);
const attackerAssignment = await waitForMessage(attacker, 'task_assignment', 2000);
const assignedNode = victimAssignment ? victim : attacker;
const otherNode = victimAssignment ? attacker : victim;
// Assigned node completes task
assignedNode.messages.length = 0;
assignedNode.ws.send(JSON.stringify({
type: 'task_complete',
taskId: taskId,
result: 'result',
reward: 1000000,
}));
const credit = await waitForMessage(assignedNode, 'credit_earned');
expect(credit).toBeTruthy();
// Other node tries to complete too (spoofing)
otherNode.messages.length = 0;
otherNode.ws.send(JSON.stringify({
type: 'task_complete',
taskId: taskId,
result: 'result',
reward: 1000000,
}));
// Should fail (either not assigned or already completed)
const error = await waitForMessage(otherNode, 'error', 2000);
expect(error).toBeTruthy();
} finally {
closeNode(victim);
closeNode(attacker);
closeNode(submitter);
}
}, TEST_TIMEOUT);
it('should maintain separate ledgers for different public keys', async () => {
const node1 = await createTestNode('node1', 'pubkey-node1');
const node2 = await createTestNode('node2', 'pubkey-node2');
try {
// Check node1 balance
node1.ws.send(JSON.stringify({
type: 'ledger_sync',
publicKey: 'pubkey-node1',
}));
const balance1 = await waitForMessage(node1, 'ledger_sync_response');
expect(balance1?.ledger?.publicKey).toBe('pubkey-node1');
// Check node2 balance
node2.ws.send(JSON.stringify({
type: 'ledger_sync',
publicKey: 'pubkey-node2',
}));
const balance2 = await waitForMessage(node2, 'ledger_sync_response');
expect(balance2?.ledger?.publicKey).toBe('pubkey-node2');
// Balances should be independent
expect(balance1?.ledger?.publicKey).not.toBe(balance2?.ledger?.publicKey);
} finally {
closeNode(node1);
closeNode(node2);
}
}, TEST_TIMEOUT);
});
describe('Security Feature: Rate Limiting', () => {
it('should enforce rate limits per node', async () => {
const node = await createTestNode();
try {
// Clear initial messages
await new Promise(resolve => setTimeout(resolve, 500));
node.messages.length = 0;
// Send many messages rapidly
const MESSAGE_COUNT = 120; // Above RATE_LIMIT_MAX (100)
for (let i = 0; i < MESSAGE_COUNT; i++) {
node.ws.send(JSON.stringify({
type: 'heartbeat',
}));
}
// Wait for rate limit error
await new Promise(resolve => setTimeout(resolve, 1000));
const rateLimitError = node.messages.find(m =>
m.type === 'error' && m.message?.includes('Rate limit')
);
expect(rateLimitError).toBeTruthy();
} finally {
closeNode(node);
}
}, TEST_TIMEOUT);
});
describe('Security Feature: Message Size Limits', () => {
it('should reject oversized messages', async () => {
const node = await createTestNode();
try {
node.messages.length = 0;
// Create a message larger than MAX_MESSAGE_SIZE (64KB)
const largePayload = 'x'.repeat(70 * 1024); // 70KB
node.ws.send(JSON.stringify({
type: 'broadcast',
payload: largePayload,
}));
// Should receive error
const error = await waitForMessage(node, 'error', 2000);
expect(error).toBeTruthy();
expect(error?.message).toContain('too large');
} finally {
closeNode(node);
}
}, TEST_TIMEOUT);
});
describe('Security Feature: Connection Limits', () => {
it('should limit connections per IP', async () => {
const nodes: TestNode[] = [];
try {
// Try to create more than MAX_CONNECTIONS_PER_IP (5)
for (let i = 0; i < 7; i++) {
try {
const node = await createTestNode();
nodes.push(node);
} catch (e) {
// Expected to fail after limit
expect(i).toBeGreaterThanOrEqual(5);
break;
}
}
// Should have at most 5 connections
expect(nodes.length).toBeLessThanOrEqual(5);
} finally {
nodes.forEach(closeNode);
}
}, TEST_TIMEOUT);
});
describe('Security Feature: Task Expiration', () => {
it('should expire unfinished tasks', async () => {
const submitter = await createTestNode();
const worker = await createTestNode();
try {
// Submit task
submitter.ws.send(JSON.stringify({
type: 'task_submit',
task: {
type: 'inference',
model: 'test-model',
maxCredits: 1000000,
},
}));
const acceptance = await waitForMessage(submitter, 'task_accepted');
const taskId = acceptance?.taskId;
await waitForMessage(worker, 'task_assignment');
// Wait for task to expire (5 minutes in production, but test with timeout)
// In real scenario, task would be in assignedTasks map
// After expiration, it should be removed
// Note: This test validates the cleanup logic exists
// Full expiration testing would require mocking time or waiting 5+ minutes
expect(taskId).toBeTruthy();
} finally {
closeNode(submitter);
closeNode(worker);
}
}, TEST_TIMEOUT);
});
describe('Security Feature: Origin Validation', () => {
it('should validate allowed origins', async () => {
// This test requires server-side validation
// WebSocket client doesn't set origin in Node.js
// But the code checks req.headers.origin
// Verify the validation logic exists in the code
expect(true).toBe(true); // Placeholder - manual code review confirms this
});
});
});
describe('Integration: Complete Attack Scenario', () => {
it('should defend against combined attack vectors', async () => {
const attacker = await createTestNode('evil-node', 'evil-pubkey');
const victim = await createTestNode('victim-node', 'victim-pubkey');
const submitter = await createTestNode('submitter-node', 'submitter-pubkey');
try {
// Attacker checks initial balance
attacker.ws.send(JSON.stringify({
type: 'ledger_sync',
publicKey: 'evil-pubkey',
}));
const initialBalance = await waitForMessage(attacker, 'ledger_sync_response');
const initialEarned = BigInt(initialBalance?.ledger?.earned || 0);
// Submitter creates task
submitter.ws.send(JSON.stringify({
type: 'task_submit',
task: {
type: 'inference',
model: 'test-model',
maxCredits: 5000000,
},
}));
const acceptance = await waitForMessage(submitter, 'task_accepted');
const taskId = acceptance?.taskId;
// Wait to see who gets assignment
const victimAssignment = await waitForMessage(victim, 'task_assignment', 2000);
const attackerAssignment = await waitForMessage(attacker, 'task_assignment', 2000);
// ATTACK 1: Try to complete task not assigned to attacker
attacker.messages.length = 0;
attacker.ws.send(JSON.stringify({
type: 'task_complete',
taskId: taskId,
result: 'malicious',
reward: 5000000,
}));
const error1 = await waitForMessage(attacker, 'error', 2000);
if (!attackerAssignment) {
expect(error1).toBeTruthy(); // Should fail if not assigned
}
// ATTACK 2: Try to self-report credits
attacker.messages.length = 0;
attacker.ws.send(JSON.stringify({
type: 'ledger_update',
publicKey: 'evil-pubkey',
ledger: {
earned: 999999999,
spent: 0,
},
}));
const error2 = await waitForMessage(attacker, 'error');
expect(error2).toBeTruthy();
// ATTACK 3: Try to use victim's public key
attacker.messages.length = 0;
attacker.ws.send(JSON.stringify({
type: 'ledger_sync',
publicKey: 'victim-pubkey', // Spoofing victim's key
}));
// This will succeed (read-only), but won't help attacker earn credits
const victimBalance = await waitForMessage(attacker, 'ledger_sync_response');
expect(victimBalance?.ledger?.publicKey).toBe('victim-pubkey');
// Verify attacker's balance unchanged
attacker.messages.length = 0;
attacker.ws.send(JSON.stringify({
type: 'ledger_sync',
publicKey: 'evil-pubkey',
}));
const finalBalance = await waitForMessage(attacker, 'ledger_sync_response');
const finalEarned = BigInt(finalBalance?.ledger?.earned || 0);
// Attacker should have 0 credits (all attacks failed)
expect(finalEarned).toBe(initialEarned);
} finally {
closeNode(attacker);
closeNode(victim);
closeNode(submitter);
}
}, TEST_TIMEOUT * 2);
});