feat: configure protected topics via cli (#1696)

apps/wakunode2/app.nim

@@ -547,19 +547,20 @@ proc setupProtocols(node: WakuNode, conf: WakuNodeConf,
     peerExchangeHandler = some(handlePeerExchange)
 
   if conf.relay:
+    let pubsubTopics = conf.topics.split(" ")
     try:
-      let pubsubTopics = conf.topics.split(" ")
       await mountRelay(node, pubsubTopics, peerExchangeHandler = peerExchangeHandler)
     except CatchableError:
       return err("failed to mount waku relay protocol: " & getCurrentExceptionMsg())
 
-    # TODO: Get this from cli
-    var topicsPublicKeys = initTable[string, SkPublicKey]()
     # Add validation keys to protected topics
-    for topic, publicKey in topicsPublicKeys.pairs:
-      info "routing only signed traffic", topic=topic, publicKey=publicKey
-      node.wakuRelay.addSignedTopicValidator(Pubsubtopic(topic), publicKey)
-
+    for topicKey in conf.protectedTopics:
+      if topicKey.topic notin pubsubTopics:
+        warn "protected topic not in subscribed pubsub topics, skipping adding validator",
+              protectedTopic=topicKey.topic, subscribedTopics=pubsubTopics
+        continue
+      notice "routing only signed traffic", protectedTopic=topicKey.topic, publicKey=topicKey.key
+      node.wakuRelay.addSignedTopicValidator(Pubsubtopic(topicKey.topic), topicKey.key)
 
   # Keepalive mounted on all nodes
   try:

apps/wakunode2/config.nim

@@ -11,7 +11,8 @@ import
   libp2p/crypto/crypto,
   libp2p/crypto/secp,
   libp2p/multiaddress,
-  nimcrypto/utils
+  nimcrypto/utils,
+  secp256k1
 import
   ../../waku/common/confutils/envvar/defs as confEnvvarDefs,
   ../../waku/common/confutils/envvar/std/net as confEnvvarNet,
@@ -25,6 +26,9 @@ export
 
 
 type ConfResult*[T] = Result[T, string]
+type ProtectedTopic* = object
+  topic*: string
+  key*: secp256k1.SkPublicKey
 
 type
   WakuNodeConf* = object
@@ -32,6 +36,12 @@ type
       desc: "Loads configuration from a TOML file (cmd-line parameters take precedence)"
       name: "config-file" }: Option[InputFile]
 
+    ##  Application-level configuration
+    protectedTopics* {.
+      desc: "Topics and its public key to be used for message validation, topic:pubkey. Argument may be repeated."
+      defaultValue: newSeq[ProtectedTopic](0)
+      name: "protected-topic" .}: seq[ProtectedTopic]
+
 
     ## Log configuration
     logLevel* {.
@@ -457,6 +467,19 @@ proc parseCmdArg*(T: type crypto.PrivateKey, p: string): T =
 proc completeCmdArg*(T: type crypto.PrivateKey, val: string): seq[string] =
   return @[]
 
+proc parseCmdArg*(T: type ProtectedTopic, p: string): T =
+  let elements = p.split(":")
+  if elements.len != 2:
+    raise newException(ConfigurationError, "Invalid format for protected topic expected topic:publickey")
+
+  let publicKey = secp256k1.SkPublicKey.fromHex(elements[1])
+  if publicKey.isErr:
+    raise newException(ConfigurationError, "Invalid public key")
+
+  return ProtectedTopic(topic: elements[0], key: publicKey.get())
+
+proc completeCmdArg*(T: type ProtectedTopic, val: string): seq[string] =
+  return @[]
 
 proc parseCmdArg*(T: type ValidIpAddress, p: string): T =
   try:
@@ -533,6 +556,17 @@ proc readValue*(r: var EnvvarReader, value: var crypto.PrivateKey) {.raises: [Se
   except CatchableError:
     raise newException(SerializationError, getCurrentExceptionMsg())
 
+proc readValue*(r: var TomlReader, value: var ProtectedTopic) {.raises: [SerializationError].} =
+  try:
+    value = parseCmdArg(ProtectedTopic, r.readValue(string))
+  except CatchableError:
+    raise newException(SerializationError, getCurrentExceptionMsg())
+
+proc readValue*(r: var EnvvarReader, value: var ProtectedTopic) {.raises: [SerializationError].} =
+  try:
+    value = parseCmdArg(ProtectedTopic, r.readValue(string))
+  except CatchableError:
+    raise newException(SerializationError, getCurrentExceptionMsg())
 
 {.push warning[ProveInit]: off.}