test: fix e2e tests + PSS e2e tests use permissionless

[bermuell]

Description

Adapted e2e tests to current permissionless changes

current status:

"changeover",                                  // PASSED
"happy-path",                                  // PASSED
"democracy-reward",                            // PASSED
"democracy",                                   // PASSED
"slash-throttle",                              // PASSED
"consumer-double-sign",                        // TODO PERMISSIONLESS: failing
"consumer-misbehaviour",                       // TODO PERMISSIONLESS: failing
"consumer-double-downtime",                    // PASSED
"partial-set-security-opt-in",                 // PASSED
"partial-set-security-top-n",                  // PASSED
"partial-set-security-validator-set-cap",      // PASSED
"partial-set-security-validators-power-cap",   // PASSED
"partial-set-security-validators-allowlisted", // PASSED
"partial-set-security-validators-denylisted",  // PASSED
"partial-set-security-modification-proposal",  // PASSED
"active-set-changes",                          // PASSED
"inactive-provider-validators-on-consumer",    // PASSED
"inactive-vals-topN",                          // PASSED
"inactive-provider-validators-governance",     // PASSED
"min-stake",                                   // PASSED
"inactive-vals-mint",                          // PASSED

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

• Included the correct type prefix in the PR title
• Targeted the correct branch (see PR Targeting)
• Provided a link to the relevant issue or specification
• Reviewed "Files changed" and left comments if necessary
• Confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

• Confirmed the correct type prefix in the PR title
• Confirmed all author checklist items have been addressed
• Confirmed that this PR does not change production code

Summary by CodeRabbit

• New Features

  • Introduced new action types for managing consumer chains, enhancing control over creation and updates.
  • Implemented methods for creating and updating consumer chains with improved parameters and logging.
  • Added a new type for handling transaction responses, improving error handling and clarity.

• Bug Fixes

  • Improved error handling and logging for transaction responses, enhancing clarity on transaction outcomes.

[coderabbitai]

Walkthrough

Walkthrough

The changes introduce enhancements to consumer chain management within an interchain security context. New action types and methods for creating, updating, and managing consumer chains are added, along with improvements to logging, configuration handling, and governance proposal management. The overall structure of the codebase is refined to enhance clarity, maintainability, and functionality related to consumer chains and their interactions.

Changes

Files	Change Summary
tests/e2e/actions.go, tests/e2e/state.go	Introduced new types for consumer chain actions and responses, implemented methods for creating and updating consumer chains, and enhanced governance proposal management. Updated configuration handling with pointer types for better memory management and added structured handling for consumer identifiers.
tests/e2e/config.go, tests/e2e/testlib/types.go	Added a new type alias for ConsumerID and a mapping field in ChainConfig to manage relationships between consumers and chains. Enhanced ChainConfig to include ConsumerId for improved clarity.
tests/e2e/steps_partial_set_security.go	Replaced previous proposal actions with direct actions for creating and updating consumer chains, simplifying state management and removing unnecessary voting mechanisms. Adjusted control flow to focus on direct interactions with consumer chains.

Tip

We have updated our review workflow to use the Anthropic's Claude family of models. Please share any feedback in the discussion post on our Discord.

---

Recent review details

Configuration used: .coderabbit.yml
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 61c853e and d10b610.

Files selected for processing (1)

• tests/e2e/actions.go (21 hunks)

Additional context used

Path-based instructions (1)

tests/e2e/actions.go (2)

Pattern **/*.go: Review the Golang code for conformity with the Uber Golang style guide, highlighting any deviations. Only report issues that you have a high degree of confidence in.

---

Pattern tests/e2e/*: "Assess the e2e test code assessing sufficient code coverage for the changes associated in the pull request. Only report issues that you have a high degree of confidence in."

Gitleaks

tests/e2e/actions.go

572-572: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

761-761: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

885-885: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

golangci-lint

tests/e2e/actions.go

605-605: string ipfs://CID has 6 occurrences, make it a constant

(goconst)

---

572-572: string cosmos10d07y265gmmuvt4z0w9aw880jnsr700j6zn9kn has 3 occurrences, make it a constant

(goconst)

GitHub Check: CodeQL

tests/e2e/actions.go

[failure] 456-456: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

Additional comments not posted (7)

tests/e2e/actions.go (7)

46-51: LGTM!

The TxResponse struct is well-defined and captures the essential fields for handling transaction responses effectively.

---

261-276: LGTM!

The UpdateConsumerChainAction struct is well-defined and includes all the necessary parameters for updating a consumer chain. The field names are clear and self-explanatory.

---

278-315: LGTM!

The updateConsumerChain method is well-implemented. It properly constructs the MsgUpdateConsumer message using the provided parameters and calls the UpdateConsumer method to execute the update process.

---

317-331: LGTM!

The CreateConsumerChainAction struct is well-defined and includes all the necessary parameters for creating a consumer chain. The field names are clear and self-explanatory.

---

333-374: LGTM!

The createConsumerChain method is well-implemented. It properly constructs the initialization parameters and metadata using the provided parameters and calls the CreateConsumer method to register the new consumer chain. The logging statements enhance traceability.

---

Line range hint 542-649: LGTM!

The updated submitConsumerAdditionProposal method aligns with the new MsgUpdateConsumer message structure and utilizes the GenerateGovProposalContent function for generating the proposal content. This improves clarity and maintainability.

Tools

Gitleaks

572-572: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

golangci-lint

605-605: string ipfs://CID has 6 occurrences, make it a constant

(goconst)

---

572-572: string cosmos10d07y265gmmuvt4z0w9aw880jnsr700j6zn9kn has 3 occurrences, make it a constant

(goconst)

GitHub Check: CodeQL

[failure] 456-456: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

---

[failure] 612-612: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

---

Line range hint 754-928: LGTM!

The updated submitConsumerRemovalProposal and submitConsumerModificationProposal methods align with the new message structures and utilize the GenerateGovProposalContent function for generating the proposal content. This improves clarity and maintainability.

Tools

Gitleaks

885-885: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

GitHub Check: CodeQL

[failure] 903-903: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

Outside diff range, codebase verification and nitpick comments (8)

tests/e2e/state.go (1)

477-481: Address static analysis warnings about map iteration.

The static analysis tool has flagged potential issues with non-determinism due to map iteration. This is a common issue in Go when the order of iteration over maps, which is random, can lead to non-deterministic behavior.

Consider whether the order of elements is significant in these iterations. If the order is important, you might need to sort the keys before iterating or use a slice if applicable.

// Example of sorting map keys before iteration
keys := make([]string, 0, len(map))
for k := range map {
    keys = append(keys, k)
}
sort.Strings(keys)
for _, k := range keys {
    // process map[k]
}

Also applies to: 934-938

Tools

GitHub Check: CodeQL

[warning] 477-481: Iteration over map
Iteration over map may be a possible source of non-determinism

tests/e2e/steps_partial_set_security.go (5)

36-36: Consider handling known errors more robustly.

The SetConsumerCommissionRateAction expects an error with the message "unknown consumer chain". It's good practice to handle known errors more explicitly in test scenarios to ensure they are not just logged but acted upon, perhaps by retrying or correcting the test setup.

---

45-55: Review the use of future spawn times in test setups.

The CreateConsumerChainAction sets a spawn time far in the future (10 minutes). While this may be intended to test delayed chain starts, it's important to ensure that this setup aligns with the test's objectives. If the delay is not part of the test requirements, consider adjusting the spawn time to a more immediate setting to reduce test execution time.

---

1471-1481: Check future spawn times in the context of allowlisted validators.

The CreateConsumerChainAction sets a future spawn time in a scenario involving allowlisted validators. This setup should be carefully reviewed to ensure it matches the intended test behavior, especially regarding how allowlisting interacts with delayed chain starts.

---

1654-1665: Evaluate the setup of future spawn times with validator set caps.

The CreateConsumerChainAction uses a future spawn time in conjunction with a validator set cap. This combination should be scrutinized to ensure it serves the test's purpose, particularly how the cap affects chain initialization when delayed.

---

1835-1845: Review the configuration of future spawn times in modification scenarios.

The CreateConsumerChainAction sets a spawn time far in the future within a modification scenario. This setting should be evaluated to ensure it aligns with the testing goals, particularly in terms of how modifications are applied during the delay.

tests/e2e/actions.go (2)

Line range hint 552-656: Potential improvements in submitConsumerAdditionProposal method.

The method is crucial for submitting governance proposals related to consumer chains. It appears to handle the creation and submission of proposals adequately. However, consider adding more detailed comments explaining each step for better maintainability and readability.

Add detailed comments explaining the logic behind each major step in the submitConsumerAdditionProposal method.

Tools

Gitleaks

582-582: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

GitHub Check: CodeQL

[failure] 462-462: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

---

[failure] 621-621: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

---

Line range hint 889-1062: Potential security issue with unsafe quoting in JSON operations.

Similar to previous methods, this method uses potentially unsafe quoting which could lead to security vulnerabilities if the JSON content contains single quotes. Consider using parameterized or properly escaped queries to mitigate injection risks.

Apply this diff to fix the unsafe quoting issue:

- "/bin/bash", "-c", fmt.Sprintf(`echo '%s' > %s`, jsonStr, proposalFile),
+ "/bin/bash", "-c", fmt.Sprintf(`echo '%s' > %s`, json.EscapeString(jsonStr), proposalFile),

Tools

Gitleaks

894-894: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

[coderabbitai]

Improve Error Handling in GenerateGovProposalContent

The function uses panic for error handling, which might not be ideal for a utility function as it can terminate the program unexpectedly. Consider returning an error instead, allowing the caller to decide how to handle it.

Consider refactoring the error handling:

-		panic(fmt.Errorf("failed marshalling message '%v' for gov proposal: err=%s", msg, err))
+		return "", fmt.Errorf("failed marshalling message '%v' for gov proposal: err=%s", msg, err)
-		panic(fmt.Errorf("failed to marshal proposal: %w", err))
+		return "", fmt.Errorf("failed to marshal proposal: %w", err)

Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// GenerateGovProposalContent creates proposal content ready to be used by `gov submit-proposal` command
	func GenerateGovProposalContent(title, summary, metadata, deposit, description string, expedited bool, msgs ...sdk.Msg) string {
	// Register the messages. Needed for correct type annotation in the resulting json
	modcodec := codec.NewProtoCodec(codectypes.NewInterfaceRegistry())
	modcodec.InterfaceRegistry().RegisterImplementations(
	(*sdk.Msg)(nil),
	msgs...,
	)
	proposal := GovernanceProposal{
	Metadata: metadata,
	Deposit: deposit,
	Title: title,
	Summary: summary,
	Expedited: expedited,
	}
	for _, msg := range msgs {
	msgJson, err := modcodec.MarshalInterfaceJSON(msg)
	if err != nil {
	panic(fmt.Errorf("failed marshalling message '%v' for gov proposal: err=%s", msg, err))
	}
	proposal.Messages = append(proposal.Messages, msgJson)
	}
	raw, err := json.MarshalIndent(proposal, "", " ")
	if err != nil {
	panic(fmt.Errorf("failed to marshal proposal: %w", err))
	}
	return string(raw)
	}
	// GenerateGovProposalContent creates proposal content ready to be used by `gov submit-proposal` command
	func GenerateGovProposalContent(title, summary, metadata, deposit, description string, expedited bool, msgs ...sdk.Msg) (string, error) {
	// Register the messages. Needed for correct type annotation in the resulting json
	modcodec := codec.NewProtoCodec(codectypes.NewInterfaceRegistry())
	modcodec.InterfaceRegistry().RegisterImplementations(
	(*sdk.Msg)(nil),
	msgs...,
	)
	proposal := GovernanceProposal{
	Metadata: metadata,
	Deposit: deposit,
	Title: title,
	Summary: summary,
	Expedited: expedited,
	}
	for _, msg := range msgs {
	msgJson, err := modcodec.MarshalInterfaceJSON(msg)
	if err != nil {
	return "", fmt.Errorf("failed marshalling message '%v' for gov proposal: err=%s", msg, err)
	}
	proposal.Messages = append(proposal.Messages, msgJson)
	}
	raw, err := json.MarshalIndent(proposal, "", " ")
	if err != nil {
	return "", fmt.Errorf("failed to marshal proposal: %w", err)
	}
	return string(raw), nil
	}

[coderabbitai]

Addition of the permissionless-ics test case.

The new test case permissionless-ics is added to the stepChoices map. However, there are static analysis failures indicating that the function stepsPermissionlessICS is undefined.

Ensure that the function stepsPermissionlessICS is defined and correctly implemented. This function is crucial for the execution of the permissionless-ics test case.

#!/bin/bash
# Description: Verify the definition of `stepsPermissionlessICS`.

# Test: Search for the function definition. Expect: Function definition should exist.
rg --type go -A 5 $'func stepsPermissionlessICS'

Tools

GitHub Check: test-e2e

[failure] 253-253:
undefined: stepsPermissionlessICS

GitHub Check: test-e2e-compatibility

[failure] 253-253:
undefined: stepsPermissionlessICS

[coderabbitai]

Potential security issue with unsafe quoting in JSON operations.

The method uses potentially unsafe quoting which could lead to security vulnerabilities if the JSON content contains single quotes. Consider using parameterized or properly escaped queries to mitigate injection risks.

Apply this diff to fix the unsafe quoting issue:

- "/bin/bash", "-c", fmt.Sprintf(`echo '%s' > %s`, content, jsonFile),
+ "/bin/bash", "-c", fmt.Sprintf(`echo '%s' > %s`, json.EscapeString(content), jsonFile),

Committable suggestion was skipped due to low confidence.

[coderabbitai]

Actionable comments posted: 2

Outside diff range, codebase verification and nitpick comments (4)

tests/e2e/state.go (2)

469-488: Approved: Enhanced handling of consumer-related messages in GetProposal.

The method now correctly handles MsgUpdateConsumer and MsgConsumerAddition, aligning with the enhanced consumer chain management. The logic for extracting parameters from the proposal's raw content and constructing the ConsumerAdditionProposal struct looks good.

Consider adding unit tests to cover these new scenarios and ensure they are handled correctly. Let me know if you would like assistance in writing these tests or if I should open a GitHub issue to track this task.

Tools

GitHub Check: CodeQL

[warning] 473-477: Iteration over map
Iteration over map may be a possible source of non-determinism

---

930-934: Potential non-determinism in map iteration, but acceptable in this case.

The code segment iterates over the chainConfigs map to find the chain ID corresponding to each consumer_chain_id returned by the query. While iterating over a map does not guarantee a consistent order, which could lead to non-deterministic behavior, in this specific case, the order of iteration does not appear to affect the correctness of the result.

The goal here is to find and append the matching chain IDs to the chains slice, and the order in which they are appended does not seem to matter.

If strict ordering of the resulting chains slice is required in the future, consider using an alternative data structure that preserves insertion order, such as a slice of structs containing both the ConsumerID and ChainID.

Tools

GitHub Check: CodeQL

[warning] 930-934: Iteration over map
Iteration over map may be a possible source of non-determinism

tests/e2e/actions.go (2)

278-315: Code looks good, with a minor nitpick.

The updateConsumerChain function correctly constructs an MsgUpdateConsumer message and executes the update.

Nitpick: Consider reordering the fields in UpdateConsumerChainAction struct to match the order in ConsumerInitializationParameters for better consistency, as suggested in a previous comment.

---

491-491: Clarify the scope of the TODO comment.

The TODO comment should specify whether introducing the waitForTx function is related to permissionless functionality or general improvements.

Update the TODO comment to reflect its specific context or link it to an issue tracker for better tracking and management:

// TODO (PERMISSIONLESS): introduce waitForTx 
// See GitHub issue: https://github.com/cosmos/interchain-security/issues/123

[coderabbitai]

Fix potentially unsafe JSON quoting.

The UpdateConsumer method looks good overall, but there is an issue with potentially unsafe JSON quoting on line 401. If the content variable contains single quotes, it could break out of the enclosing single quotes and lead to injection vulnerabilities.

To fix this, consider using strconv.Quote to safely escape the content string before embedding it in the JSON:

"/bin/bash", "-c", fmt.Sprintf(`echo %s > %s`, strconv.Quote(string(content)), jsonFile),

[coderabbitai]

Fix potentially unsafe JSON quoting.

Similar to the previous comment, the JSON quoting on line 456 is potentially unsafe. If the content variable contains single quotes, it could break out of the enclosing single quotes and lead to injection vulnerabilities.

Use strconv.Quote to safely escape the content string before embedding it in the JSON:

"/bin/bash", "-c", fmt.Sprintf(`echo %s > %s`, strconv.Quote(string(content)), jsonFile),

Tools

GitHub Check: CodeQL

[failure] 456-456: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

[coderabbitai]

Actionable comments posted: 2

Outside diff range, codebase verification and nitpick comments (2)

tests/e2e/steps_partial_set_security.go (1)

Line range hint 448-685: Is the Top N feature supported in the core logic of permissionless?

The test assumes that the Top N feature is not supported in the core logic of permissionless at its first implementation, which is causing the test to fail.

If this feature is supported, please add a TODO to make this test pass. Let me know if you need any clarification or assistance.

tests/e2e/actions.go (1)

261-276: Looks good!

The UpdateConsumerChainAction struct definition is approved. It can be useful for updating consumer chains.

Consider reordering some fields to match the order in ConsumerInitializationParameters for consistency:

type UpdateConsumerChainAction struct {
    Chain               ChainID 
    From                ValidatorID
    ConsumerChain       ChainID
    NewOwner            string
    SpawnTime           uint
    InitialHeight       clienttypes.Height
    DistributionChannel string
    TopN                uint32
    ValidatorsPowerCap  uint32
    ValidatorSetCap     uint32
    Allowlist           []string
    Denylist            []string
    MinStake            uint64
    AllowInactiveVals   bool
}

[coderabbitai]

Looks good overall, but fix the potentially unsafe JSON quoting.

The UpdateConsumer method is approved. It properly marshals the update message, sends it to the provider chain, and checks the transaction response.

However, there is a potentially unsafe JSON quoting issue on line 401. If the content variable contains single quotes, it could break out of the enclosing single quotes and lead to injection vulnerabilities.

To fix this, consider using strconv.Quote to safely escape the content string before embedding it in the JSON:

"/bin/bash", "-c", fmt.Sprintf(`echo %s > %s`, strconv.Quote(string(content)), jsonFile),

[coderabbitai]

Looks good overall, but fix the potentially unsafe JSON quoting.

The CreateConsumer method is approved. It properly constructs the MsgCreateConsumer message, sends it to the provider chain, retrieves the consumer ID from the transaction events, and updates the chain config with the new consumer ID.

However, there is a potentially unsafe JSON quoting issue on line 456, similar to the previous method. If the content variable contains single quotes, it could break out of the enclosing single quotes and lead to injection vulnerabilities.

To fix this, consider using strconv.Quote to safely escape the content string before embedding it in the JSON:

"/bin/bash", "-c", fmt.Sprintf(`echo %s > %s`, strconv.Quote(string(content)), jsonFile),

Tools

GitHub Check: CodeQL

[failure] 456-456: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

[coderabbitai]

Actionable comments posted: 2

[coderabbitai]

Fix potentially unsafe JSON quoting.

The UpdateConsumer method looks good overall, but there is an issue with potentially unsafe JSON quoting on line 401. If the content variable contains single quotes, it could break out of the enclosing single quotes and lead to injection vulnerabilities.

To fix this, consider using strconv.Quote to safely escape the content string before embedding it in the JSON:

"/bin/bash", "-c", fmt.Sprintf(`echo %s > %s`, strconv.Quote(string(content)), jsonFile),

[coderabbitai]

Fix potentially unsafe JSON quoting.

The CreateConsumer method looks good overall. It properly constructs the MsgCreateConsumer message, sends it to the provider chain, retrieves the consumer ID from the transaction events, and updates the chain config with the new consumer ID.

However, there is a potentially unsafe JSON quoting issue on line 456, similar to the previous method. If the content variable contains single quotes, it could break out of the enclosing single quotes and lead to injection vulnerabilities.

To fix this, consider using strconv.Quote to safely escape the content string before embedding it in the JSON:

"/bin/bash", "-c", fmt.Sprintf(`echo %s > %s`, strconv.Quote(string(content)), jsonFile),

Tools

GitHub Check: CodeQL

[failure] 456-456: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

[insumity]

I left some additional comments (e.g., if we do not use Consumer2ChainID, can we remove it?).

Also, this PR's description has that happy-path has passed but in the PR tests it seems to fail. Is this expected?

It makes sense that the consumer-double-sign and consumer-misbehaviour fail because Hermes does not yet support consumerIds.
In this PR's description, it is written that the inactive-vals-topN is not passing. Can we have this passing as well before we merge this PR? At least, on a first sight, it should not fail due to permissionless.

[p-offtermatt]

Left a few comments. I don't have enough context on permissionless to feel confident approving, but it looks good to me in principle.

[coderabbitai]

Actionable comments posted: 3

Outside diff range, codebase verification and nitpick comments (5)

tests/e2e/steps_partial_set_security.go (1)

Line range hint 415-646: TODO PERMISSIONLESS: The stepsTopNChain test is failing.

The stepsTopNChain test is marked as "TODO PERMISSIONLESS" and is currently failing. This indicates that the test needs to be updated to work with the permissionless functionality.

Do you want me to update the test to work with the permissionless functionality? I can open a GitHub issue to track this task.

tests/e2e/actions.go (4)

261-276: Consider reordering some fields for consistency.

Suggest reordering the following fields to match the order in related types:

• Move SpawnTime before InitialHeight to match the order in ConsumerInitializationParameters.

Apply this diff to reorder the fields:

 type UpdateConsumerChainAction struct {
 	Chain               ChainID
 	From                ValidatorID
 	ConsumerChain       ChainID
 	NewOwner            string
+	SpawnTime           uint
 	InitialHeight       clienttypes.Height
-	SpawnTime           uint
 	DistributionChannel string
 	TopN                uint32
 	ValidatorsPowerCap  uint32
 	ValidatorSetCap     uint32
 	Allowlist           []string
 	Denylist            []string
 	MinStake            uint64
 	AllowInactiveVals   bool
 }

---

278-315: Use consistent naming conventions.

Suggest using camel case consistently for variable names:

• Rename consumerId to consumerID to match the naming convention used in other places.

---

Line range hint 543-660: Use consistent naming conventions.

The refactoring of the submitConsumerAdditionProposal method looks good. It improves clarity and maintainability by using the new message structures and proposal content generation.

Suggest renaming the following variables to start with lowercase letters for consistency with Go naming conventions:

• Rename Metadata to metadata.
• Rename InitializationParameters to initializationParameters.

Tools

Gitleaks

573-573: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

GitHub Check: CodeQL

[failure] 456-456: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

---

[failure] 613-613: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

---

Line range hint 879-939: Use consistent naming conventions.

The refactoring of the submitConsumerModificationProposal method looks good. It improves clarity and maintainability by using the new message structures and proposal content generation.

Suggest using camel case consistently for variable names:

• Rename consumerId to consumerID to match the naming convention used in other places.

Tools

Gitleaks

886-886: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

GitHub Check: CodeQL

[failure] 904-904: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

[coderabbitai]

Potential issue: Non-deterministic iteration over map.

The iteration over chainConfigs map to find the matching consumerChainId does not guarantee order, which could lead to non-deterministic behavior. If the order of chains is important, consider refactoring to use a slice or other data structure that maintains order.

Tools

GitHub Check: CodeQL

[warning] 472-477: Iteration over map
Iteration over map may be a possible source of non-determinism

[coderabbitai]

Actionable comments posted: 3

Outside diff range, codebase verification and nitpick comments (1)

tests/e2e/steps_partial_set_security.go (1)

Line range hint 437-642: Update the function to use the new consumer chain creation and update pattern.

The function still uses the old SubmitConsumerAdditionProposalAction and VoteGovProposalAction pattern. Please update it to use the new CreateConsumerChainAction and UpdateConsumerChainAction actions, similar to the changes made in the stepsOptInChain function.

[coderabbitai]

Approved: Enhanced handling of consumer-related messages in GetProposal.

The method now correctly handles MsgUpdateConsumer and MsgRemoveConsumer, aligning with the enhanced consumer chain management.

Suggestion: Refactor the code to reduce duplication and improve readability.

Consider extracting the common logic for finding the consumerChainId and chain into a separate function. This will reduce duplication and make the code more readable.

Also applies to: 526-539

Tools

GitHub Check: CodeQL

[warning] 472-477: Iteration over map
Iteration over map may be a possible source of non-determinism

[coderabbitai]

Looks good overall, but fix the potentially unsafe JSON quoting.

The CreateConsumer method is approved. It properly constructs the MsgCreateConsumer message, sends it to the provider chain, retrieves the consumer ID from the transaction events, and updates the chain config with the new consumer ID.

However, there is a potentially unsafe JSON quoting issue on line 456, similar to the previous method. If the content variable contains single quotes, it could break out of the enclosing single quotes and lead to injection vulnerabilities.

To fix this, consider using strconv.Quote to safely escape the content string before embedding it in the JSON:

"/bin/bash", "-c", fmt.Sprintf(`echo %s > %s`, strconv.Quote(string(content)), jsonFile),

Tools

GitHub Check: CodeQL

[failure] 456-456: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

Tools

GitHub Check: CodeQL

[failure] 456-456: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.

[coderabbitai]

Actionable comments posted: 2

[coderabbitai]

Fix potentially unsafe JSON quoting.

The UpdateConsumer method looks good overall, but there is an issue with potentially unsafe JSON quoting on line 401. If the content variable contains single quotes, it could break out of the enclosing single quotes and lead to injection vulnerabilities.

To fix this, consider using strconv.Quote to safely escape the content string before embedding it in the JSON:

"/bin/bash", "-c", fmt.Sprintf(`echo %s > %s`, strconv.Quote(string(content)), jsonFile),

[coderabbitai]

Fix potentially unsafe JSON quoting.

The CreateConsumer method looks good overall. It properly constructs the MsgCreateConsumer message, sends it to the provider chain, retrieves the consumer ID from the transaction events, and updates the chain config with the new consumer ID.

However, there is a potentially unsafe JSON quoting issue on line 456, similar to the previous method. If the content variable contains single quotes, it could break out of the enclosing single quotes and lead to injection vulnerabilities.

To fix this, consider using strconv.Quote to safely escape the content string before embedding it in the JSON:

"/bin/bash", "-c", fmt.Sprintf(`echo %s > %s`, strconv.Quote(string(content)), jsonFile),

Tools

GitHub Check: CodeQL

[failure] 456-456: Potentially unsafe quoting
If this JSON value contains a single quote, it could break out of the enclosing quotes.