SecretStore: administrative sessions prototypes (#6605)

* generate random channel encryption key on restart

* session-level nonces

* fixed warning after rebase

* session_nonce -> nonce

* full_generation_math_session_with_refreshing_shares && full_generation_math_session_with_adding_new_node

* add serveral secret shares at once

* SecretStore: initial ShareAdd session prototype

* SecretStore: ServersSetChange jobs

* SecretStore: servers set change session continued

* SecretStore: servers set change session continued

* SecretStore: servers set change session continued

* SecretStore: known_sessions iterator

* SecretStore: implemented SessionsQueue

* SecretStore: UnknownSessionsJobTransport

* SecretStore: node_added_using_servers_set_change almost done

* SecretStore: continue adding tests

* SecretStore: node_added_using_servers_set_change + node_added_using_share_add

* SecretStore: node_added_using_server_set_change_from_this_node

* SecretStore: node_moved_using_share_move

* SecretStore: node_moved_using_servers_set_change

* SecretStore: node_removed_using_share_remove

* SecretStore: node_removed_using_servers_set_change

* SecretStore: different folders for client && admin sessions

* SecretStore: started adding share change consensus (flush)

* SecretStore: fixed spurious tests failures

* enum JobPartialRequestAction

* SecretStore: started adding consensus layer to ShareAdd session

* SecretStore: starting external consensus for ShareAdd

* SecretStore: started restoring node_added_using_servers_set_change

* SecretStore: node_added_using_servers_set_change works with external consensus

* SecretStore: node_added_using_server_set_change_from_this_node works with external consensus

* removed debug comments/printlns

* SecretStore: share move session supports consensus

* SecretStore: share remove with external consensus

* SecretStore: started adding basic ShareAdd tests

* SecretStore: added ShareAdd tests

* SecretStore: added ShareAdd session to cluster

* SecretStore: added share move && remove sessions to cluster

* SecretStore: ShareMove session tests cleanup

* SecretStore: ShareRemove session tests cleanup

* SecretStore: added check_secret_is_preserved check

* SecretStore: added servers set change to cluster

* SecretStore: cleaned up ServersSetChange session tests

* SecretStore: cleaning + added tests for ShareRemove

* SecretStore: cleaning up

* SecretStore: propagated admin_public

* SecretStore: fixed persistent_key_storage test

* SecretStore: upgrade_db_from_1

* SecretStore: fixed ServersSetChange session completion

* SecretStore: check polynom1 in ShareAdd sessions (error for pre-v2 shares)

* SecretStore: fixing TODOs

* SecretStore: fixing TODOs

* SecretStore: check share change plan on 'old' slave nodes

* SecretStore: fixing TODOs

* SecretStore: store all admin sessions in single container to avoid overlaps

* SecretStore: do not update nodes set during admin sessions

* SecretStore: moved TODOs to appropriate methods

* SecretStore: TODOs

* SecretStore: added admin_public arg && fixed warnigs

* SecretStore: added shares_to_move_reversed to ShareMove session

* SecretStore: additional checks during consensus establishing

* license

* SecretStore: added TODO about starting ServersSetChange session

* SecretStore: redundant clones + docs + lsot unimplemented-s

* SecretStore: generation_session_completion_signalled_if_failed_on_master

* SecretStore: updated obsolete comment

* SecretStore: added type alias for current DocumentKeyShare serialization format

* SecretStore: fixed typo

* SecretStore; fixed warnings for futures 0.1.15

* fixed warning

parity/cli/mod.rs

@@ -591,6 +591,10 @@ usage! {
 			"--secretstore-secret=[SECRET]",
 			"Hex-encoded secret key of this node.",
 
+			ARG arg_secretstore_admin_public: (Option<String>) = None, or |c: &Config| otry!(c.secretstore).admin_public.clone(),
+			"--secretstore-admin-public=[PUBLIC]",
+			"Hex-encoded public key of secret store administrator.",
+
 		["Sealing/Mining options"]
 			FLAG flag_force_sealing: (bool) = false, or |c: &Config| otry!(c.mining).force_sealing.clone(),
 			"--force-sealing",
@@ -1089,6 +1093,7 @@ struct SecretStore {
 	disable_http: Option<bool>,
 	disable_acl_check: Option<bool>,
 	self_secret: Option<String>,
+	admin_public: Option<String>,
 	nodes: Option<Vec<String>>,
 	interface: Option<String>,
 	port: Option<u16>,
@@ -1445,6 +1450,7 @@ mod tests {
 			flag_no_secretstore_http: false,
 			flag_no_secretstore_acl_check: false,
 			arg_secretstore_secret: None,
+			arg_secretstore_admin_public: None,
 			arg_secretstore_nodes: "".into(),
 			arg_secretstore_interface: "local".into(),
 			arg_secretstore_port: 8083u16,
@@ -1684,6 +1690,7 @@ mod tests {
 				disable_http: None,
 				disable_acl_check: None,
 				self_secret: None,
+				admin_public: None,
 				nodes: None,
 				interface: None,
 				port: Some(8083),

parity/configuration.rs

@@ -626,6 +626,7 @@ impl Configuration {
 			http_interface: self.secretstore_http_interface(),
 			http_port: self.args.arg_ports_shift + self.args.arg_secretstore_http_port,
 			data_path: self.directories().secretstore,
+			admin_public: self.secretstore_admin_public()?,
 		})
 	}
 
@@ -1037,6 +1038,13 @@ impl Configuration {
 		}
 	}
 
+	fn secretstore_admin_public(&self) -> Result<Option<Public>, String> {
+		match self.args.arg_secretstore_admin_public.as_ref() {
+			Some(admin_public) => Ok(Some(admin_public.parse().map_err(|e| format!("Invalid secret store admin public: {}", e))?)),
+			None => Ok(None),
+		}
+	}
+
 	fn secretstore_nodes(&self) -> Result<BTreeMap<Public, (String, u16)>, String> {
 		let mut nodes = BTreeMap::new();
 		for node in self.args.arg_secretstore_nodes.split(',').filter(|n| n != &"") {

parity/secretstore.rs

@@ -55,6 +55,8 @@ pub struct Configuration {
 	pub http_port: u16,
 	/// Data directory path for secret store
 	pub data_path: String,
+	/// Administrator public key.
+	pub admin_public: Option<Public>,
 }
 
 /// Secret store dependencies
@@ -145,6 +147,7 @@ mod server {
 						port: port,
 					})).collect(),
 					allow_connecting_to_higher_nodes: true,
+					admin_public: conf.admin_public,
 				},
 			};
 
@@ -170,6 +173,7 @@ impl Default for Configuration {
 			http_enabled: true,
 			acl_check_enabled: true,
 			self_secret: None,
+			admin_public: None,
 			nodes: BTreeMap::new(),
 			interface: "127.0.0.1".to_owned(),
 			port: 8083,