Fix decoding of Hydra keys and ignore problematic head init

CHANGELOG.md

@@ -10,6 +10,11 @@ changes.
 
 ## [0.20.1] - UNRELEASED
 
+- Fix a bug where decoding `Party` information from chain would crash the node
+  or chain observer. A problematic transaction will now be ignored and not
+  deemed a valid head protocol transaction. An example was if the datum would
+  contain CBOR instead of just hex encoded bytes.
+
 - Stream historical data from disk in the hydra-node API server.
 
 - Record used and free memory when running `bench-e2e` benchmark.

hydra-tx/src/Hydra/Tx/Crypto.hs

@@ -56,6 +56,7 @@ import Hydra.Cardano.Api (
   Key (..),
   SerialiseAsCBOR,
   SerialiseAsRawBytes (..),
+  SerialiseAsRawBytesError (..),
   serialiseToRawBytesHexText,
  )
 import Hydra.Contract.HeadState qualified as OnChain
@@ -83,7 +84,10 @@ instance SerialiseAsRawBytes (Hash HydraKey) where
   serialiseToRawBytes (HydraKeyHash vkh) = hashToBytes vkh
 
   deserialiseFromRawBytes (AsHash AsHydraKey) bs =
-    maybe (error "TODO: SerialiseAsRawBytesError, but constructor not exported") (Right . HydraKeyHash) (hashFromBytes bs)
+    maybe
+      (Left $ SerialiseAsRawBytesError "invalid length when deserializing Hash HydraKey")
+      (Right . HydraKeyHash)
+      (hashFromBytes bs)
 
 instance Key HydraKey where
   -- Hydra verification key, which can be used to 'verify' signed messages.
@@ -140,7 +144,10 @@ instance SerialiseAsRawBytes (VerificationKey HydraKey) where
     rawSerialiseVerKeyDSIGN vk
 
   deserialiseFromRawBytes (AsVerificationKey AsHydraKey) bs =
-    maybe (error "TODO: SerialiseAsRawBytesError, but constructor not exported") (Right . HydraVerificationKey) (rawDeserialiseVerKeyDSIGN bs)
+    maybe
+      (Left $ SerialiseAsRawBytesError "invalid length when deserializing VerificationKey HydraKey")
+      (Right . HydraVerificationKey)
+      (rawDeserialiseVerKeyDSIGN bs)
 
 instance ToJSON (VerificationKey HydraKey) where
   toJSON = toJSON . serialiseToRawBytesHexText

hydra-tx/src/Hydra/Tx/Init.hs

@@ -99,6 +99,7 @@ data InitObservation = InitObservation
 data NotAnInitReason
   = NoHeadOutput
   | NotAHeadDatum
+  | InvalidPartyInDatum
   | NoSTFound
   | NotAHeadPolicy
   deriving stock (Show, Eq, Generic)
@@ -131,14 +132,18 @@ observeInitTx tx = do
   unless (pid == HeadTokens.headPolicyId seedTxIn) $
     Left NotAHeadPolicy
 
+  parties <-
+    maybe (Left InvalidPartyInDatum) Right $
+      traverse partyFromChain onChainParties
+
   pure $
     InitObservation
       { headId = mkHeadId pid
       , seedTxIn
       , initialThreadUTxO = (mkTxIn tx ix, toCtxUTxOTxOut headOut)
       , initials
       , contestationPeriod
-      , parties = mapMaybe partyFromChain onChainParties
+      , parties
       , participants = assetNameToOnChainId <$> mintedTokenNames pid
       }
  where

hydra-tx/src/Hydra/Tx/Observe.hs

@@ -53,6 +53,10 @@ data HeadObservation
 -- | Observe any Hydra head transaction.
 observeHeadTx :: NetworkId -> UTxO -> Tx -> HeadObservation
 observeHeadTx networkId utxo tx =
+  -- XXX: This is throwing away valuable information! We should be collecting
+  -- all "not an XX" reasons here in case we fall through and want that
+  -- diagnostic information in the call site of this function. Collecting errors
+  -- could be done with 'validation' or a similar package.
   fromMaybe NoHeadTx $
     either (const Nothing) (Just . Init) (observeInitTx tx)
       <|> Abort <$> observeAbortTx utxo tx