Grcov report - protostatus.rs

1

//! Observe and enforce lists of recommended and required subprotocols.

2

//!

3

//! To prevent insecure clients from exposing themselves to attacks,

4

//! and to prevent obsolete clients from [inadvertently DoSing the network][fast-zombies]

5

//! by looking for relays with functionality that no longer exists,

6

//! we have a mechanism for ["recommended" and "required" subprotocols][recommended].

7

//!

8

//! When a subprotocol is recommended, we issue a warning whenever it is absent.

9

//! When a subprotocol is required, we (typically) shut down Arti whenever it is absent.

10

//!

11

//! While Arti is running, we check our subprotocols

12

//! whenever we find a new timely well-signed consensus.

13

//!

14

//! Additionally, we check our subprotocols at startup before any directory is received,

15

//! to ensure that we don't touch the network with invalid software.

16

//!

17

//! We ignore any list of required/recommended protocol

18

//! that is [older than the release date of this software].

19

//!

20

//! [fast-zombies]: https://spec.torproject.org/proposals/266-removing-current-obsolete-clients.html

21

//! [recommended]: https://spec.torproject.org/tor-spec/subprotocol-versioning.html#required-recommended

22

//! [older]: https://spec.torproject.org/proposals/297-safer-protover-shutdowns.html

23

24

use futures::{task::SpawnExt as _, Stream, StreamExt as _};

25

use std::{

26

    future::Future,

27

    sync::{Arc, Weak},

28

    time::SystemTime,

29

};

30

use tor_config::MutCfg;

31

use tor_dirmgr::DirProvider;

32

use tor_error::{into_internal, warn_report};

33

use tor_netdir::DirEvent;

34

use tor_netdoc::doc::netstatus::{ProtoStatuses, ProtocolSupportError};

35

use tor_protover::Protocols;

36

use tor_rtcompat::Runtime;

37

use tracing::{debug, error, info, warn};

38

39

use crate::{config::SoftwareStatusOverrideConfig, err::ErrorDetail};

40

41

/// Check whether we have any cached protocol recommendations,

42

/// and report about them or enforce them immediately.

43

///

44

/// Then, launch a task to run indefinitely, and continue to enforce protocol recommendations.

45

/// If that task encounters a fatal error, it should invoke `on_fatal`.

46

8

pub(crate) fn enforce_protocol_recommendations<R, F, Fut>(

47

8

    runtime: &R,

48

8

    netdir_provider: Arc<dyn DirProvider>,

49

8

    software_publication_time: SystemTime,

50

8

    software_protocols: Protocols,

51

8

    override_status: Arc<MutCfg<SoftwareStatusOverrideConfig>>,

52

8

    on_fatal: F,

53

8

) -> Result<(), ErrorDetail>

54

8

where

55

8

    R: Runtime,

56

8

    F: FnOnce(ErrorDetail) -> Fut + Send + 'static,

57

8

    Fut: Future<Output = ()> + Send + 'static,

58

8

59

8

    // We need to get this stream before we check the initial status, to avoid race conditions.

60

8

    let events = netdir_provider.events();

61

62

8

    let initial_evaluated_proto_status = match netdir_provider.protocol_statuses() {

63

        Some((timestamp, recommended)) if timestamp >= software_publication_time => {

64

            // Here we exit if the initial (cached) status is bogus.

65

            evaluate_protocol_status(

66

                timestamp,

67

                &recommended,

68

                &software_protocols,

69

                override_status.get().as_ref(),

70

)?;

71

72

            Some(recommended)

73

74

        Some((_, _)) => {

75

            // In this case, our software is newer than the consensus, so we don't enforce it.

76

            None

77

78

8

        None => None,

79

};

80

81

8

    runtime

82

8

        .spawn(watch_protocol_statuses(

83

8

            netdir_provider,

84

8

            events,

85

8

            initial_evaluated_proto_status,

86

8

            software_publication_time,

87

8

            software_protocols,

88

8

            override_status,

89

8

            on_fatal,

90

8

))

91

8

        .map_err(|e| ErrorDetail::from_spawn("protocol status monitor", e))?;

92

93

8

    Ok(())

94

8

95

96

/// Run indefinitely, checking for any protocol-recommendation issues.

97

///

98

/// In addition to the arguments of `enforce_protocol_recommendations,`

99

/// this function expects `events` (a stream of DirEvent),

100

/// and `last_evaluated_proto_status` (the last protocol status that we passed to evaluate_protocol_status).

101

///

102

/// On a fatal error, invoke `on_fatal` and return.

103

8

async fn watch_protocol_statuses<S, F, Fut>(

104

8

    netdir_provider: Arc<dyn DirProvider>,

105

8

    mut events: S,

106

8

    mut last_evaluated_proto_status: Option<Arc<ProtoStatuses>>,

107

8

    software_publication_time: SystemTime,

108

8

    software_protocols: Protocols,

109

8

    override_status: Arc<MutCfg<SoftwareStatusOverrideConfig>>,

110

8

    on_fatal: F,

111

8

) where

112

8

    S: Stream<Item = DirEvent> + Send + Unpin,

113

8

    F: FnOnce(ErrorDetail) -> Fut + Send,

114

8

    Fut: Future<Output = ()> + Send,

115

8

116

8

    let weak_netdir_provider = Arc::downgrade(&netdir_provider);

117

8

    drop(netdir_provider);

118

119

8

    while let Some(e) = events.next().await {

120

        if e != DirEvent::NewProtocolRecommendation {

121

            continue;

122

123

124

        let new_status = {

125

            let Some(provider) = Weak::upgrade(&weak_netdir_provider) else {

126

                break;

127

};

128

            provider.protocol_statuses()

129

};

130

        let Some((timestamp, new_status)) = new_status else {

131

            warn!("Bug: Got DirEvent::NewProtocolRecommendation, but protocol_statuses() returned None.");

132

            continue;

133

};

134

        // It information is older than this software, there is a good chance

135

        // that it has come from an invalid piece of data that somebody has cached.

136

        // We'll ignore it.

137

//

138

        // For more information about this behavior, see:

139

        // https://spec.torproject.org/tor-spec/subprotocol-versioning.html#required-recommended

140

        if timestamp < software_publication_time {

141

            continue;

142

143

        if last_evaluated_proto_status.as_ref() == Some(&new_status) {

144

            // We've already acted on this status information.

145

            continue;

146

147

148

        if let Err(fatal) = evaluate_protocol_status(

149

            timestamp,

150

            &new_status,

151

            &software_protocols,

152

            override_status.get().as_ref(),

153

) {

154

            on_fatal(fatal).await;

155

            return;

156

157

        last_evaluated_proto_status = Some(new_status);

158

159

160

    // If we reach this point,

161

    // either we failed to upgrade the weak reference (because the netdir provider went away)

162

    // or the event stream was closed.

163

    // Either of these cases implies a clean shutdown.

164

165

166

/// Check whether we should take action based on the protocol `recommendation`

167

/// from `recommendation_timestamp`,

168

/// given that our own supported subprotocols are `software_protocols`.

169

///

170

/// - If any required protocols are missing, log and return an error.

171

/// - If no required protocols are missing, but some recommended protocols are missing,

172

///   log and return `Ok(())`.

173

/// - If no protocols are missing, return `Ok(())`.

174

///

175

/// Note: This function should ONLY return an error when the error is fatal.

176

#[allow(clippy::cognitive_complexity)] // complexity caused by trace macros.

177

8

pub(crate) fn evaluate_protocol_status(

178

8

    recommendation_timestamp: SystemTime,

179

8

    recommendation: &ProtoStatuses,

180

8

    software_protocols: &Protocols,

181

8

    override_status: &SoftwareStatusOverrideConfig,

182

8

) -> Result<(), ErrorDetail> {

183

8

    let result = recommendation.client().check_protocols(software_protocols);

184

8

185

11

    let rectime = || humantime::format_rfc3339(recommendation_timestamp);

186

187

2

    match &result {

188

2

        Ok(()) => Ok(()),

189

2

        Err(ProtocolSupportError::MissingRecommended(missing))

190

2

            if missing.difference(&missing_recommended_ok()).is_empty() =>

191

192

            debug!("Recommended protocols ({}) are missing, but that's expected: we haven't built them them yet in Arti.",

193

                  missing);

194

            Ok(())

195

196

2

        Err(ProtocolSupportError::MissingRecommended(missing)) => {

197

2

            info!(

198

"At least one protocol not implemented by this version of Arti ({}) is listed as recommended for clients as of {}.

199

Please upgrade to a more recent version of Arti.",

200

                 missing, rectime());

201

202

2

            Ok(())

203

204

4

        Err(e @ ProtocolSupportError::MissingRequired(missing)) => {

205

4

            error!(

206

"At least one protocol not implemented by this version of Arti ({}) is listed as required for clients, as of {}.

207

This version of Arti may not work correctly on the Tor network; please upgrade.",

208

                  &missing, rectime());

209

4

            if missing

210

4

                .difference(&override_status.ignore_missing_required_protocols)

211

4

                .is_empty()

212

213

2

                warn!(

214

"(These protocols are listed in 'ignore_missing_required_protocols', so Arti won't exit now, but you should still upgrade.)");

215

2

                return Ok(());

216

2

217

2

218

2

            Err(ErrorDetail::MissingProtocol(e.clone()))

219

220

        Err(e) => {

221

            // Because ProtocolSupportError is non-exhaustive, we need this case.

222

            warn_report!(

223

e,

224

                "Unexpected problem while examining protocol recommendations"

225

);

226

            if e.should_shutdown() {

227

                return Err(ErrorDetail::Bug(into_internal!(

228

                    "Unexpected fatal protocol error"

229

                )(e.clone())));

230

231

            Ok(())

232

233

234

8

235

236

/// Return a list of the protocols which may be recommended,

237

/// and which we know are missing in Arti.

238

///

239

/// This function should go away in the future:

240

/// we use it to generate a slightly less alarming warning

241

/// when we have an _expected_ missing recommended protocol.

242

2

fn missing_recommended_ok() -> Protocols {

243

    // TODO: Remove this once congestion control is fully implemented.

244

    use tor_protover::named as n;

245

2

    [n::FLOWCTRL_CC].into_iter().collect()

246

2

247

248

#[cfg(test)]

249

mod test {

250

    // @@ begin test lint list maintained by maint/add_warning @@

251

    #![allow(clippy::bool_assert_comparison)]

252

    #![allow(clippy::clone_on_copy)]

253

    #![allow(clippy::dbg_macro)]

254

    #![allow(clippy::mixed_attributes_style)]

255

    #![allow(clippy::print_stderr)]

256

    #![allow(clippy::print_stdout)]

257

    #![allow(clippy::single_char_pattern)]

258

    #![allow(clippy::unwrap_used)]

259

    #![allow(clippy::unchecked_duration_subtraction)]

260

    #![allow(clippy::useless_vec)]

261

    #![allow(clippy::needless_pass_by_value)]

262

    //! <!-- @@ end test lint list maintained by maint/add_warning @@ -->

263

264

    use tracing_test::traced_test;

265

266

    use super::*;

267

268

    #[test]

269

    #[traced_test]

270

    fn evaluate() {

271

        let rec: ProtoStatuses = serde_json::from_str(

272

            r#"{

273

                "client": { "recommended" : "Relay=1-5", "required" : "Relay=3" },

274

                "relay": { "recommended": "", "required" : ""}

275

            }"#,

276

277

        .unwrap();

278

        let rec_date = humantime::parse_rfc3339("2025-03-08T10:16:00Z").unwrap();

279

        let no_override = SoftwareStatusOverrideConfig {

280

            ignore_missing_required_protocols: Protocols::default(),

281

};

282

        let override_relay_3_4 = SoftwareStatusOverrideConfig {

283

            ignore_missing_required_protocols: "Relay=3-4".parse().unwrap(),

284

};

285

286

        // nothing missing.

287

        let r =

288

            evaluate_protocol_status(rec_date, &rec, &"Relay=1-10".parse().unwrap(), &no_override);

289

        assert!(r.is_ok());

290

        assert!(!logs_contain("listed as required"));

291

        assert!(!logs_contain("listed as recommended"));

292

293

        // Missing recommended.

294

        let r =

295

            evaluate_protocol_status(rec_date, &rec, &"Relay=1-4".parse().unwrap(), &no_override);

296

        assert!(r.is_ok());

297

        assert!(!logs_contain("listed as required"));

298

        assert!(logs_contain("listed as recommended"));

299

300

        // Missing required, but override is there.

301

        let r = evaluate_protocol_status(

302

            rec_date,

303

            &rec,

304

            &"Relay=1".parse().unwrap(),

305

            &override_relay_3_4,

306

);

307

        assert!(r.is_ok());

308

        assert!(logs_contain("listed as required"));

309

        assert!(logs_contain("but you should still upgrade"));

310

311

        // Missing required, no override.

312

        let r = evaluate_protocol_status(rec_date, &rec, &"Relay=1".parse().unwrap(), &no_override);

313

        assert!(r.is_err());

314

315