feat(p2p): Add new whitelist policy

[msbrogli]

Co-Author: LFRezende lfsrsprofessional@gmail.com

Motivation

The previous peer whitelist implementation was tightly coupled across HathorManager, ConnectionsManager, and HathorSettings, mixing concerns and making it difficult to change the whitelist source (URL, local file) or policy at runtime. The whitelist was controlled by a global ENABLE_PEER_WHITELIST setting with special-case logic for sync-v1 vs. sync-v2, and the peer ID list lived on HathorManager. This refactor extracts the whitelist into a self-contained, pluggable module (hathor.p2p.whitelist) that supports multiple backends (URL-based, file-based), configurable policies (allow-all vs. only-whitelisted-peers), runtime switching via sysctl, and a grace period for bootstrap peers before the first successful fetch completes. It also removes the now-unused SyncVersion.V1_1 variant and the ENABLE_PEER_WHITELIST setting.

Acceptance Criteria

• The whitelist is modeled as an abstract PeersWhitelist base class with two concrete implementations: URLPeersWhitelist (fetches from a remote URL) and FilePeersWhitelist (reads from a local file), both supporting periodic refresh with exponential backoff on failure

• Whitelist files support an optional policy: directive that controls connection behavior: allow-all permits any peer, only-whitelisted-peers (default) restricts connections to listed peer IDs only

• A factory function (create_peers_whitelist) and CLI argument --x-p2p-whitelist allow selecting the whitelist source at startup: default/hathorlabs (uses settings URL), none/disabled (no whitelist), a file path, or a custom URL

• Before the first successful whitelist fetch, a grace period allows only bootstrap-discovered peers to connect, preventing connections to arbitrary peers while the whitelist is still loading

• The ENABLE_PEER_WHITELIST setting and SyncVersion.V1_1 are removed; whitelist capability is now always required in the HELLO handshake, and the whitelist is enabled/disabled purely by whether a PeersWhitelist instance is provided to ConnectionsManager

• Whitelist state is owned by ConnectionsManager.peers_whitelist instead of HathorManager.peers_whitelist, and peer_id.py's _is_peer_allowed simply delegates to the whitelist object

• The sysctl interface exposes whitelist (get/set the active whitelist source, or toggle on/off to suspend/resume) and whitelist.status (returns structured state, policy, peer count, and source)

• When a new whitelist is set at runtime, peers not in the updated list are immediately disconnected

Checklist

• If you are requesting a merge into master, confirm this code is production-ready and can be included in future releases as soon as it gets merged

[msbrogli]

Replaces: #1269

[github-actions]

Bencher Report

Branch	feat/new-whitelist-policy
Testbed	ubuntu-22.04

Click to view all benchmark results

Benchmark	Latency	Benchmark Result minutes (m) (Result Δ%)	Lower Boundary minutes (m) (Limit %)	Upper Boundary minutes (m) (Limit %)
sync-v2 (up to 20000 blocks)	📈 view plot 🚷 view threshold	1.71 m (-0.10%) Baseline: 1.71 m	1.54 m (90.09%)	2.06 m (83.25%)

🐰 View full continuous benchmarking report in Bencher

[msbrogli]

Should suspended whitelists keep updating?

[msbrogli]

No, but require a refresh when reactivating.

[codecov]

Codecov Report

❌ Patch coverage is 73.93484% with 104 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.67%. Comparing base (82ac020) to head (30a7cac).

Files with missing lines	Patch %	Lines
hathor/sysctl/p2p/manager.py	36.53%	33 Missing ⚠️
hathor/p2p/whitelist/url_whitelist.py	62.31%	25 Missing and 1 partial ⚠️
hathor/p2p/whitelist/file_whitelist.py	75.00%	10 Missing and 1 partial ⚠️
hathor/p2p/whitelist/peers_whitelist.py	88.04%	7 Missing and 4 partials ⚠️
hathor/p2p/whitelist/parsing.py	84.09%	4 Missing and 3 partials ⚠️
hathor/builder/builder.py	64.28%	4 Missing and 1 partial ⚠️
hathor/p2p/manager.py	90.24%	2 Missing and 2 partials ⚠️
hathor/p2p/whitelist/factory.py	85.18%	3 Missing and 1 partial ⚠️
hathor/p2p/states/hello.py	0.00%	1 Missing and 1 partial ⚠️
hathor/p2p/sync_version.py	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1544      +/-   ##
==========================================
+ Coverage   85.65%   85.67%   +0.02%     
==========================================
  Files         439      445       +6     
  Lines       33515    33817     +302     
  Branches     5264     5302      +38     
==========================================
+ Hits        28707    28974     +267     
- Misses       3797     3831      +34     
- Partials     1011     1012       +1     

Flag	Coverage Δ
test-lib	85.67% <73.93%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[LFRezende]

Review - Luis Felipe/LFRezende

Core:

1. Possible oversight which does not add bootstrap peers at connect_with_bootstrap_registration, lines 268-275
2. Discussion and further recommendation to delete --x-p2p-whitelist-only flag.
3. Discussion on expanding mechanism of suspended_peers.

The rest are smaller refactor suggestions.

[LFRezende]

Perhaps a spec = whitelist_spec.lower().strip() to eliminate any accidental whitespaces and forcing it into default by accident.

[msbrogli]

Done! Thanks!

[LFRezende]

Same as before - perhaps .lower().strip() would add a further caution to detail.

[msbrogli]

Done! Thanks!

[LFRezende]

At the beginning of the bootstrap, when peers_whitelist = set(), each entrypoint provided for bootstrapping peers will connect, but it will not add the peer_id of that entrypoint to peers_whitelist.

peers_whitelist AND entrypoint.peer_id is not None --> At the beginning, peers_whitelist == None, hence bootstrap will not add peerId to the set, hence none will be added, just have its entrypoint connected via connect_to_endpoint.

[LFRezende]

Perhaps we could do something like:

def connect_with_bootstrap_registration(entrypoint: PeerEndpoint) -> None:

         if not self.peers_whitelist:
              return # Or raise exception

         if entrypoint.peer_id is not None:
                self.peers_whitelist.add_bootstrap_peer(entrypoint.peer_id)
                self.connect_to_endpoint(entrypoint)

It ensures that, if no whitelist, there will be no connection, since there are no peers to bootstrap to.
And if there is, check whether they yield an entrypoint peer id. If so, then, and only then shall you add them to the bootstrap peer.

If you want only to connect to entrypoints with a peer_id, then connect to them.

If not, just put self.connect_to_endpoint(entrypoint) out of the if clause.

Makes sense?

[msbrogli]

I fixed it using another approach: All bootstrap nodes skip the whitelist verification. Can you review it again, please?

[LFRezende]

Just did - seems fair: bootstrap peer ids are ones we are completely knowable about, so it makes sense to skip whitelist verification. Additionally, the flag "has_successful_fetch" was ingenious as it blocks unintended peers from connecting before bootstrap peers have connected.

[LFRezende]

Small suggestion: perhaps whitelist = self.peers_whitelist would make the function less verbose.

--> if not whitelist;
--> if not whitelist.is_peer_whitelisted(peer_id)

[msbrogli]

Done! Thanks!

[LFRezende]

So the mechanism proposed is to put the whitelist peers in suspension and turn the whitelist None (Off) and then take these peers from the "suspended set" to whitelist if ON? Interesting.

Perhaps we could expand on this idea and suspend peers in general (not just whitelist) in case we detect misbehavior from other peers - like a "blacklist" or "quarantine" of sorts.

[luislhl]

I have a PR open for this blacklist, if this is what you were thinking about: #1554

It's a manual blacklist, we need to add peers there on demand.

My PR actually only adds support in sysctl to a blacklist logic we had already implemented in hathor-core.

[msbrogli]

Blacklisting can help when a specific full node is misbehaving. However, it’s not very effective against targeted attacks. Generating new peer IDs is extremely cheap, so an attacker can simply create a new identity and reconnect to your node almost immediately.

[LFRezende]

Small nitpick: perhaps connections = self.connections would reduce verbose, as it is a term used frequently.

[msbrogli]

Done! Thanks!

[LFRezende]

Since we're removing --x-p2p-whitelist-only flag from cli, we may delete them here.

[msbrogli]

Done! Thanks!

[LFRezende]

Last changes on bootstrap peers and their derived tests seem reasonable.

Ran linter and tests locally:

1. All linters work fine
2. Two tests failed, and the last one seems to be connected to bootstrap (already communicated msbrogli).

It seems to be flaking - I'll approve.

[glevco]

Why --x?

[glevco]

Create a StrEnum?

[glevco]

Why are you passing mainnet=True in the constructors? Also it would be better if those args were kw only.

[glevco]

This comment is wrong, use doctests instead.

[glevco]

Why this split?

[glevco]

Should assert instead

[glevco]

It looks like this is only used in a test, it could be removed.

[glevco]

Should this come from a setting in HathorSettings instead of hardcoding it for mainnet?

[glevco]

This should be checked even for non-mainnet, right?

[glevco]

Use succeed