
feat(p2p): allowlist-only limits connection only to allowed nodes #1248

lklimek merged 3 commits into v1.6-dev from feat/node-whitelist (Feb 6, 2026)

@lklimek commented Feb 6, 2026

Issue being fixed or feature implemented

Introduce a p2p.allowlist-only configuration option that restricts P2P connections to peers listed in persistent-peers and bootstrap-peers, enforced by NodeID.

What was done?

  • Added allowlist-only to P2PConfig with validation (requires at least one peer source).
  • Extended the config.toml template with the new option.
  • Implemented allowlist filtering by NodeID in the P2P router configuration.
  • Added unit tests for the new router configuration logic.
  • Updated P2P configuration documentation.

How Has This Been Tested?

  • Unit tests: TestGetRouterConfigAllowlistOnlyFiltersByIDAndIP and TestGetRouterConfigAllowlistOnlyAcceptsOnlyNodeIDs in node/node_test.go.
  • Tests were not executed locally.

Breaking Changes

None.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated relevant unit/integration/functional/e2e tests
  • I have made corresponding changes to the documentation

For repository code-owners and collaborators only

  • I have assigned this pull request to a milestone

Summary by CodeRabbit

  • New Features

    • Added an allowlist-only P2P option that restricts inbound/outbound connections to peers listed in persistent-peers and bootstrap-peers.
    • Configuration now validates that at least one persistent or bootstrap peer is provided when allowlist-only is enabled.
  • Documentation

    • Node configuration docs and default config template updated to describe the allowlist-only option.
  • Tests

    • Added tests validating allowlist-only acceptance and rejection behavior.

coderabbitai Bot commented Feb 6, 2026


Walkthrough

Adds an "allowlist-only" P2P mode that restricts inbound/outbound connections to peers listed in PersistentPeers or BootstrapPeers, with config field, TOML/docs entry, validation, router filtering logic, and tests.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Configuration | config/config.go, config/config_test.go | Added AllowlistOnly bool to P2PConfig, initialized in DefaultP2PConfig(), and validated to require at least one of PersistentPeers or BootstrapPeers when enabled; tests updated to cover the validation path. |
| TOML / Docs | config/toml.go, docs/nodes/configuration.md | Added allowlist-only option to default TOML output and documented the option in node configuration docs. |
| Router & Filtering | node/node.go, node/node_test.go | Changed getRouterConfig to return (RouterOptions, error); added buildAllowlist() to parse NodeIDs from peers, chainFilterByID() to compose ID filters, integrated allowlist-based FilterPeerByID (including optional ABCI-based filter), and added tests validating allowlist behavior. |
| Router Initialization | node/setup.go | Updated createRouter to call and validate getRouterConfig once and propagate errors before constructing the router. |

Sequence Diagram(s)

sequenceDiagram
  participant Node as Node (startup)
  participant Conf as Config (P2P)
  participant Builder as buildAllowlist()
  participant App as AppClient (ABCI)
  participant Router as Router (constructor)

  Node->>Conf: read P2P config (AllowlistOnly=true)
  Conf->>Builder: parse PersistentPeers & BootstrapPeers
  Builder-->>Conf: allowed NodeID set (or error)
  alt AppClient present
    Node->>App: request ABCI peer filter
    App-->>Node: abciFilterByID
    Node->>Router: chainFilterByID(allowlist, abciFilter)
  else no AppClient
    Node->>Router: set FilterPeerByID = allowlist
  end
  Router-->>Node: constructed with FilterPeerByID

(Note: rectangle styling omitted for clarity.)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hop through peers both near and far,
I sniff the list and guard each spar,
Only named friends may enter my glade,
No stray IDs nor shadows invade,
Hooray — connections by trusted parade! 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 18.18% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: introducing an allowlist-only feature that restricts P2P connections to allowed nodes, which is the central feature of this PR. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@node/node.go`:
- Around line 808-837: buildAllowlist currently returns an empty map when peers
lack NodeIDs, which combined with AllowlistOnly=true effectively isolates the
node; update buildAllowlist to detect when allowedIDs is empty after processing
conf.P2P.PersistentPeers and conf.P2P.BootstrapPeers and return an explicit
error (or at minimum log a clear warning) explaining that no NodeIDs were found
and advising to include NodeID@host:port entries or disable AllowlistOnly;
reference the buildAllowlist function and the
conf.P2P.PersistentPeers/conf.P2P.BootstrapPeers inputs so the caller can handle
the error at startup.
🧹 Nitpick comments (1)
node/node_test.go (1)

143-161: Misleading test name: no IP filtering is tested or implemented.

TestGetRouterConfigAllowlistOnlyFiltersByIDAndIP suggests IP-based filtering is covered, but the test and the implementation only filter by NodeID. Consider renaming to something like TestGetRouterConfigAllowlistOnlyFiltersByID to accurately reflect what is tested.


@shumkov shumkov left a comment


👍

@lklimek lklimek merged commit ed33192 into v1.6-dev Feb 6, 2026
20 checks passed
@lklimek lklimek deleted the feat/node-whitelist branch February 6, 2026 13:13
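
Added example, not code from this pull request: a sketch of NodeID allowlist filtering as the PR description and the review comment describe it, with an allowlist that contains no NodeIDs rejected at startup instead of silently isolating the node. `PeerFilter`, `AllowlistFilter` and `Chain` are hypothetical names, and the 20-byte (40 hex character) NodeID format is an assumption.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// PeerFilter is a hypothetical filter type; a nil error admits the peer.
type PeerFilter func(nodeID string) error

// AllowlistFilter (hypothetical) admits only NodeIDs found in "NodeID@host:port" peer lists.
func AllowlistFilter(peerLists ...string) (PeerFilter, error) {
	allowed := map[string]struct{}{}
	for _, entry := range strings.Split(strings.Join(peerLists, ","), ",") {
		parts := strings.SplitN(strings.TrimSpace(entry), "@", 2)
		// Assumption: a NodeID is 20 bytes, written as 40 hex characters.
		if id, err := hex.DecodeString(parts[0]); len(parts) == 2 && err == nil && len(id) == 20 {
			allowed[parts[0]] = struct{}{}
		}
	}
	if len(allowed) == 0 {
		return nil, errors.New("allowlist-only: no NodeID@host:port peer configured") // refuse to start isolated
	}
	return func(id string) error {
		if _, ok := allowed[id]; !ok {
			return fmt.Errorf("peer %s is not in the allowlist", id)
		}
		return nil
	}, nil
}

// Chain admits a peer only if every filter admits it (allowlist first, then an app-level filter).
func Chain(filters ...PeerFilter) PeerFilter {
	return func(id string) error {
		for _, f := range filters {
			if err := f(id); err != nil {
				return err
			}
		}
		return nil
	}
}

func main() {
	f, err := AllowlistFilter(strings.Repeat("a", 40)+"@10.0.0.1:26656", "10.0.0.2:26656") // constructed sample peers
	fmt.Println(err, f != nil)
}
```
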