Grcov report - reactor.rs

1

//! The onion service publisher reactor.

2

//!

3

//! Generates and publishes hidden service descriptors in response to various events.

4

//!

5

//! [`Reactor::run`] is the entry-point of the reactor. It starts the reactor,

6

//! and runs until [`Reactor::run_once`] returns [`ShutdownStatus::Terminate`]

7

//! or a fatal error occurs. `ShutdownStatus::Terminate` is returned if

8

//! any of the channels the reactor is receiving events from is closed

9

//! (i.e. when the senders are dropped).

10

//!

11

//! ## Publisher status

12

//!

13

//! The publisher has an internal [`PublishStatus`], distinct from its [`State`],

14

//! which is used for onion service status reporting.

15

//!

16

//! The main loop of the reactor reads the current `PublishStatus` from `publish_status_rx`,

17

//! and responds by generating and publishing a new descriptor if needed.

18

//!

19

//! See [`PublishStatus`] and [`Reactor::publish_status_rx`] for more details.

20

//!

21

//! ## When do we publish?

22

//!

23

//! We generate and publish a new descriptor if

24

//!   * the introduction points have changed

25

//!   * the onion service configuration has changed in a meaningful way (for example,

26

//!     if the `restricted_discovery` configuration or its [`Anonymity`](crate::Anonymity)

27

//!     has changed. See [`OnionServiceConfigPublisherView`]).

28

//!   * there is a new consensus

29

//!   * it is time to republish the descriptor (after we upload a descriptor,

30

//!     we schedule it for republishing at a random time between 60 minutes and 120 minutes

31

//!     in the future)

32

//!

33

//! ## Onion service status

34

//!

35

//! With respect to [`OnionServiceStatus`] reporting,

36

//! the following state transitions are possible:

37

//!

38

//!

39

//! ```ignore

40

//!

41

//!                 update_publish_status(UploadScheduled|AwaitingIpts|RateLimited)

42

//!                +---------------------------------------+

43

//!                |                                       |

44

//!                |                                       v

45

//!                |                               +---------------+

46

//!                |                               | Bootstrapping |

47

//!                |                               +---------------+

48

//!                |                                       |

49

//!                |                                       |           uploaded to at least

50

//!                |  not enough HsDir uploads succeeded   |        some HsDirs from each ring

51

//!                |         +-----------------------------+-----------------------+

52

//!                |         |                             |                       |

53

//!                |         |              all HsDir uploads succeeded            |

54

//!                |         |                             |                       |

55

//!                |         v                             v                       v

56

//!                |  +---------------------+         +---------+        +---------------------+

57

//!                |  | DegradedUnreachable |         | Running |        |  DegradedReachable  |

58

//! +----------+   |  +---------------------+         +---------+        +---------------------+

59

//! | Shutdown |-- |         |                           |                        |

60

//! +----------+   |         |                           |                        |

61

//!                |         |                           |                        |

62

//!                |         |                           |                        |

63

//!                |         +---------------------------+------------------------+

64

//!                |                                     |   invalid authorized_clients

65

//!                |                                     |      after handling config change

66

//!                |                                     |

67

//!                |                                     v

68

//!                |     run_once() returns an error +--------+

69

//!                +-------------------------------->| Broken |

70

//!                                                  +--------+

71

//! ```

72

//!

73

//! We can also transition from `Broken`, `DegradedReachable`, or `DegradedUnreachable`

74

//! back to `Bootstrapping` (those transitions were omitted for brevity).

75

76

use tor_config::file_watcher::{

77

    self, Event as FileEvent, FileEventReceiver, FileEventSender, FileWatcher, FileWatcherBuilder,

78

};

79

use tor_config_path::{CfgPath, CfgPathResolver};

80

use tor_dirclient::SourceInfo;

81

use tor_netdir::{DirEvent, NetDir};

82

83

use crate::config::restricted_discovery::{

84

    DirectoryKeyProviderList, RestrictedDiscoveryConfig, RestrictedDiscoveryKeys,

85

};

86

use crate::config::OnionServiceConfigPublisherView;

87

use crate::status::{DescUploadRetryError, Problem};

88

89

use super::*;

90

91

// TODO-CLIENT-AUTH: perhaps we should add a separate CONFIG_CHANGE_REPUBLISH_DEBOUNCE_INTERVAL

92

// for rate-limiting the publish jobs triggered by a change in the config?

93

//

94

// Currently the descriptor publish tasks triggered by changes in the config

95

// are rate-limited via the usual rate limiting mechanism

96

// (which rate-limits the uploads for 1m).

97

//

98

// I think this is OK for now, but we might need to rethink this if it becomes problematic

99

// (for example, we might want an even longer rate-limit, or to reset any existing rate-limits

100

// each time the config is modified).

101

102

/// The upload rate-limiting threshold.

103

///

104

/// Before initiating an upload, the reactor checks if the last upload was at least

105

/// `UPLOAD_RATE_LIM_THRESHOLD` seconds ago. If so, it uploads the descriptor to all HsDirs that

106

/// need it. If not, it schedules the upload to happen `UPLOAD_RATE_LIM_THRESHOLD` seconds from the

107

/// current time.

108

//

109

// TODO: We may someday need to tune this value; it was chosen more or less arbitrarily.

110

const UPLOAD_RATE_LIM_THRESHOLD: Duration = Duration::from_secs(60);

111

112

/// The maximum number of concurrent upload tasks per time period.

113

//

114

// TODO: this value was arbitrarily chosen and may not be optimal.  For now, it

115

// will have no effect, since the current number of replicas is far less than

116

// this value.

117

//

118

// The uploads for all TPs happen in parallel.  As a result, the actual limit for the maximum

119

// number of concurrent upload tasks is multiplied by a number which depends on the TP parameters

120

// (currently 2, which means the concurrency limit will, in fact, be 32).

121

//

122

// We should try to decouple this value from the TP parameters.

123

const MAX_CONCURRENT_UPLOADS: usize = 16;

124

125

/// The maximum time allowed for uploading a descriptor to a single HSDir,

126

/// across all attempts.

127

pub(crate) const OVERALL_UPLOAD_TIMEOUT: Duration = Duration::from_secs(5 * 60);

128

129

/// A reactor for the HsDir [`Publisher`]

130

///

131

/// The entrypoint is [`Reactor::run`].

132

#[must_use = "If you don't call run() on the reactor, it won't publish any descriptors."]

133

pub(super) struct Reactor<R: Runtime, M: Mockable> {

134

    /// The immutable, shared inner state.

135

    imm: Arc<Immutable<R, M>>,

136

    /// A source for new network directories that we use to determine

137

    /// our HsDirs.

138

    dir_provider: Arc<dyn NetDirProvider>,

139

    /// The mutable inner state,

140

    inner: Arc<Mutex<Inner>>,

141

    /// A channel for receiving IPT change notifications.

142

    ipt_watcher: IptsPublisherView,

143

    /// A channel for receiving onion service config change notifications.

144

    config_rx: watch::Receiver<Arc<OnionServiceConfig>>,

145

    /// A channel for receiving restricted discovery key_dirs change notifications.

146

    key_dirs_rx: FileEventReceiver,

147

    /// A channel for sending restricted discovery key_dirs change notifications.

148

///

149

    /// A copy of this sender is handed out to every `FileWatcher` created.

150

    key_dirs_tx: FileEventSender,

151

    /// A channel for receiving updates regarding our [`PublishStatus`].

152

///

153

    /// The main loop of the reactor watches for updates on this channel.

154

///

155

    /// When the [`PublishStatus`] changes to [`UploadScheduled`](PublishStatus::UploadScheduled),

156

    /// we can start publishing descriptors.

157

///

158

    /// If the [`PublishStatus`] is [`AwaitingIpts`](PublishStatus::AwaitingIpts), publishing is

159

    /// paused until we receive a notification on `ipt_watcher` telling us the IPT manager has

160

    /// established some introduction points.

161

    publish_status_rx: watch::Receiver<PublishStatus>,

162

    /// A sender for updating our [`PublishStatus`].

163

///

164

    /// When our [`PublishStatus`] changes to [`UploadScheduled`](PublishStatus::UploadScheduled),

165

    /// we can start publishing descriptors.

166

    publish_status_tx: watch::Sender<PublishStatus>,

167

    /// A channel for sending upload completion notifications.

168

///

169

    /// This channel is polled in the main loop of the reactor.

170

    upload_task_complete_rx: mpsc::Receiver<TimePeriodUploadResult>,

171

    /// A channel for receiving upload completion notifications.

172

///

173

    /// A copy of this sender is handed to each upload task.

174

    upload_task_complete_tx: mpsc::Sender<TimePeriodUploadResult>,

175

    /// A sender for notifying any pending upload tasks that the reactor is shutting down.

176

///

177

    /// Receivers can use this channel to find out when reactor is dropped.

178

///

179

    /// This is currently only used in [`upload_for_time_period`](Reactor::upload_for_time_period).

180

    /// Any future background tasks can also use this channel to detect if the reactor is dropped.

181

///

182

    /// Closing this channel will cause any pending upload tasks to be dropped.

183

    shutdown_tx: broadcast::Sender<Void>,

184

    /// Path resolver for configuration files.

185

    path_resolver: Arc<CfgPathResolver>,

186

    /// Queue on which we receive messages from the [`PowManager`] telling us that a seed has

187

    /// rotated and thus we need to republish the descriptor for a particular time period.

188

    update_from_pow_manager_rx: mpsc::Receiver<TimePeriod>,

189

190

191

/// The immutable, shared state of the descriptor publisher reactor.

192

#[derive(Clone)]

193

struct Immutable<R: Runtime, M: Mockable> {

194

    /// The runtime.

195

    runtime: R,

196

    /// Mockable state.

197

///

198

    /// This is used for launching circuits and for obtaining random number generators.

199

    mockable: M,

200

    /// The service for which we're publishing descriptors.

201

    nickname: HsNickname,

202

    /// The key manager,

203

    keymgr: Arc<KeyMgr>,

204

    /// A sender for updating the status of the onion service.

205

    status_tx: PublisherStatusSender,

206

    /// Proof-of-work state.

207

    pow_manager: Arc<PowManager<R>>,

208

209

210

impl<R: Runtime, M: Mockable> Immutable<R, M> {

211

    /// Create an [`AesOpeKey`] for generating revision counters for the descriptors associated

212

    /// with the specified [`TimePeriod`].

213

///

214

    /// If the onion service is not running in offline mode, the key of the returned `AesOpeKey` is

215

    /// the private part of the blinded identity key. Otherwise, the key is the private part of the

216

    /// descriptor signing key.

217

///

218

    /// Returns an error if the service is running in offline mode and the descriptor signing

219

    /// keypair of the specified `period` is not available.

220

//

221

    // TODO (#1194): we don't support "offline" mode (yet), so this always returns an AesOpeKey

222

    // built from the blinded id key

223

    fn create_ope_key(&self, period: TimePeriod) -> Result<AesOpeKey, FatalError> {

224

        let ope_key = match read_blind_id_keypair(&self.keymgr, &self.nickname, period)? {

225

            Some(key) => {

226

                let key: ed25519::ExpandedKeypair = key.into();

227

                key.to_secret_key_bytes()[0..32]

228

                    .try_into()

229

                    .expect("Wrong length on slice")

230

231

            None => {

232

                // TODO (#1194): we don't support externally provisioned keys (yet), so this branch

233

                // is unreachable (for now).

234

                let desc_sign_key_spec =

235

                    DescSigningKeypairSpecifier::new(self.nickname.clone(), period);

236

                let key: ed25519::Keypair = self

237

                    .keymgr

238

                    .get::<HsDescSigningKeypair>(&desc_sign_key_spec)?

239

                    // TODO (#1194): internal! is not the right type for this error (we need an

240

                    // error type for the case where a hidden service running in offline mode has

241

                    // run out of its pre-previsioned keys).

242

//

243

                    // This will be addressed when we add support for offline hs_id mode

244

                    .ok_or_else(|| internal!("identity keys are offline, but descriptor signing key is unavailable?!"))?

245

                    .into();

246

                key.to_bytes()

247

248

};

249

250

        Ok(AesOpeKey::from_secret(&ope_key))

251

252

253

    /// Generate a revision counter for a descriptor associated with the specified

254

    /// [`TimePeriod`].

255

///

256

    /// Returns a revision counter generated according to the [encrypted time in period] scheme.

257

///

258

    /// [encrypted time in period]: https://spec.torproject.org/rend-spec/revision-counter-mgt.html#encrypted-time

259

    fn generate_revision_counter(

260

        &self,

261

        params: &HsDirParams,

262

        now: SystemTime,

263

    ) -> Result<RevisionCounter, FatalError> {

264

        // TODO: in the future, we might want to compute ope_key once per time period (as oppposed

265

        // to each time we generate a new descriptor), for performance reasons.

266

        let ope_key = self.create_ope_key(params.time_period())?;

267

268

        // TODO: perhaps this should be moved to a new HsDirParams::offset_within_sr() function

269

        let srv_start = params.start_of_shard_rand_period();

270

        let offset = params.offset_within_srv_period(now).ok_or_else(|| {

271

            internal!(

272

                "current wallclock time not within SRV range?! (now={:?}, SRV_start={:?})",

273

                now,

274

                srv_start

275

276

        })?;

277

        let rev = ope_key.encrypt(offset);

278

279

        Ok(RevisionCounter::from(rev))

280

281

282

283

/// Mockable state for the descriptor publisher reactor.

284

///

285

/// This enables us to mock parts of the [`Reactor`] for testing purposes.

286

#[async_trait]

287

pub(crate) trait Mockable: Clone + Send + Sync + Sized + 'static {

288

    /// The type of random number generator.

289

    type Rng: rand::Rng + rand::CryptoRng;

290

291

    /// The type of client circuit.

292

    type ClientCirc: MockableClientCirc;

293

294

    /// Return a random number generator.

295

    fn thread_rng(&self) -> Self::Rng;

296

297

    /// Create a circuit of the specified `kind` to `target`.

298

    async fn get_or_launch_specific<T>(

299

        &self,

300

        netdir: &NetDir,

301

        kind: HsCircKind,

302

        target: T,

303

    ) -> Result<Arc<Self::ClientCirc>, tor_circmgr::Error>

304

    where

305

        T: CircTarget + Send + Sync;

306

307

    /// Return an estimate-based value for how long we should allow a single

308

    /// directory upload operation to complete.

309

///

310

    /// Includes circuit construction, stream opening, upload, and waiting for a

311

    /// response.

312

    fn estimate_upload_timeout(&self) -> Duration;

313

314

315

/// Mockable client circuit

316

#[async_trait]

317

pub(crate) trait MockableClientCirc: Send + Sync {

318

    /// The data stream type.

319

    type DataStream: AsyncRead + AsyncWrite + Send + Unpin;

320

321

    /// Start a new stream to the last relay in the circuit, using

322

    /// a BEGIN_DIR cell.

323

    async fn begin_dir_stream(self: Arc<Self>) -> Result<Self::DataStream, tor_proto::Error>;

324

325

    /// Try to get a SourceInfo for this circuit, for using it in a directory request.

326

    fn source_info(&self) -> tor_proto::Result<Option<SourceInfo>>;

327

328

329

#[async_trait]

330

impl MockableClientCirc for ClientCirc {

331

    type DataStream = tor_proto::stream::DataStream;

332

333

    async fn begin_dir_stream(self: Arc<Self>) -> Result<Self::DataStream, tor_proto::Error> {

334

        ClientCirc::begin_dir_stream(self).await

335

336

337

    fn source_info(&self) -> tor_proto::Result<Option<SourceInfo>> {

338

        SourceInfo::from_circuit(self)

339

340

341

342

/// The real version of the mockable state of the reactor.

343

#[derive(Clone, From, Into)]

344

pub(crate) struct Real<R: Runtime>(Arc<HsCircPool<R>>);

345

346

#[async_trait]

347

impl<R: Runtime> Mockable for Real<R> {

348

    type Rng = rand::rngs::ThreadRng;

349

    type ClientCirc = ClientCirc;

350

351

    fn thread_rng(&self) -> Self::Rng {

352

        rand::rng()

353

354

355

    async fn get_or_launch_specific<T>(

356

        &self,

357

        netdir: &NetDir,

358

        kind: HsCircKind,

359

        target: T,

360

    ) -> Result<Arc<ClientCirc>, tor_circmgr::Error>

361

    where

362

        T: CircTarget + Send + Sync,

363

364

        self.0.get_or_launch_specific(netdir, kind, target).await

365

366

367

    fn estimate_upload_timeout(&self) -> Duration {

368

        use tor_circmgr::timeouts::Action;

369

        let est_build = self.0.estimate_timeout(&Action::BuildCircuit { length: 4 });

370

        let est_roundtrip = self.0.estimate_timeout(&Action::RoundTrip { length: 4 });

371

        // We assume that in the worst case we'll have to wait for an entire

372

        // circuit construction and two round-trips to the hsdir.

373

        let est_total = est_build + est_roundtrip * 2;

374

        // We always allow _at least_ this much time, in case our estimate is

375

        // ridiculously low.

376

        let min_timeout = Duration::from_secs(30);

377

        max(est_total, min_timeout)

378

379

380

381

/// The mutable state of a [`Reactor`].

382

struct Inner {

383

    /// The onion service config.

384

    config: Arc<OnionServiceConfigPublisherView>,

385

    /// Watcher for key_dirs.

386

///

387

    /// Set to `None` if the reactor is not running, or if `watch_configuration` is false.

388

///

389

    /// The watcher is recreated whenever the `restricted_discovery.key_dirs` change.

390

    file_watcher: Option<FileWatcher>,

391

    /// The relevant time periods.

392

///

393

    /// This includes the current time period, as well as any other time periods we need to be

394

    /// publishing descriptors for.

395

///

396

    /// This is empty until we fetch our first netdir in [`Reactor::run`].

397

    time_periods: Vec<TimePeriodContext>,

398

    /// Our most up to date netdir.

399

///

400

    /// This is initialized in [`Reactor::run`].

401

    netdir: Option<Arc<NetDir>>,

402

    /// The timestamp of our last upload.

403

///

404

    /// This is the time when the last update was _initiated_ (rather than completed), to prevent

405

    /// the publisher from spawning multiple upload tasks at once in response to multiple external

406

    /// events happening in quick succession, such as the IPT manager sending multiple IPT change

407

    /// notifications in a short time frame (#1142), or an IPT change notification that's

408

    /// immediately followed by a consensus change. Starting two upload tasks at once is not only

409

    /// inefficient, but it also causes the publisher to generate two different descriptors with

410

    /// the same revision counter (the revision counter is derived from the current timestamp),

411

    /// which ultimately causes the slower upload task to fail (see #1142).

412

///

413

    /// Note: This is only used for deciding when to reschedule a rate-limited upload. It is _not_

414

    /// used for retrying failed uploads (these are handled internally by

415

    /// [`Reactor::upload_descriptor_with_retries`]).

416

    last_uploaded: Option<Instant>,

417

    /// A max-heap containing the time periods for which we need to reupload the descriptor.

418

    // TODO: we are currently reuploading more than nececessary.

419

    // Ideally, this shouldn't contain contain duplicate TimePeriods,

420

    // because we only need to retain the latest reupload time for each time period.

421

//

422

    // Currently, if, for some reason, we upload the descriptor multiple times for the same TP,

423

    // we will end up with multiple ReuploadTimer entries for that TP,

424

    // each of which will (eventually) result in a reupload.

425

//

426

    // TODO: maybe this should just be a HashMap<TimePeriod, Instant>

427

//

428

    // See https://gitlab.torproject.org/tpo/core/arti/-/merge_requests/1971#note_2994950

429

    reupload_timers: BinaryHeap<ReuploadTimer>,

430

    /// The restricted discovery authorized clients.

431

///

432

    /// `None`, unless the service is running in restricted discovery mode.

433

    authorized_clients: Option<Arc<RestrictedDiscoveryKeys>>,

434

435

436

/// The part of the reactor state that changes with every time period.

437

struct TimePeriodContext {

438

    /// The HsDir params.

439

    params: HsDirParams,

440

    /// The HsDirs to use in this time period.

441

///

442

    // We keep a list of `RelayIds` because we can't store a `Relay<'_>` inside the reactor

443

    // (the lifetime of a relay is tied to the lifetime of its corresponding `NetDir`. To

444

    // store `Relay<'_>`s in the reactor, we'd need a way of atomically swapping out both the

445

    // `NetDir` and the cached relays, and to convince Rust what we're doing is sound)

446

    hs_dirs: Vec<(RelayIds, DescriptorStatus)>,

447

    /// The revision counter of the last successful upload, if any.

448

    last_successful: Option<RevisionCounter>,

449

    /// The outcome of the last upload, if any.

450

    upload_results: Vec<HsDirUploadStatus>,

451

452

453

impl TimePeriodContext {

454

    /// Create a new `TimePeriodContext`.

455

///

456

    /// Any of the specified `old_hsdirs` also present in the new list of HsDirs

457

    /// (returned by `NetDir::hs_dirs_upload`) will have their `DescriptorStatus` preserved.

458

    fn new<'r>(

459

        params: HsDirParams,

460

        blind_id: HsBlindId,

461

        netdir: &Arc<NetDir>,

462

        old_hsdirs: impl Iterator<Item = &'r (RelayIds, DescriptorStatus)>,

463

        old_upload_results: Vec<HsDirUploadStatus>,

464

    ) -> Result<Self, FatalError> {

465

        let period = params.time_period();

466

        let hs_dirs = Self::compute_hsdirs(period, blind_id, netdir, old_hsdirs)?;

467

        let upload_results = old_upload_results

468

            .into_iter()

469

            .filter(|res|

470

                // Check if the HsDir of this result still exists

471

                hs_dirs

472

                    .iter()

473

                    .any(|(relay_ids, _status)| relay_ids == &res.relay_ids))

474

            .collect();

475

476

        Ok(Self {

477

            params,

478

            hs_dirs,

479

            last_successful: None,

480

            upload_results,

481

})

482

483

484

    /// Recompute the HsDirs for this time period.

485

    fn compute_hsdirs<'r>(

486

        period: TimePeriod,

487

        blind_id: HsBlindId,

488

        netdir: &Arc<NetDir>,

489

        mut old_hsdirs: impl Iterator<Item = &'r (RelayIds, DescriptorStatus)>,

490

    ) -> Result<Vec<(RelayIds, DescriptorStatus)>, FatalError> {

491

        let hs_dirs = netdir.hs_dirs_upload(blind_id, period)?;

492

493

        Ok(hs_dirs

494

            .map(|hs_dir| {

495

                let mut builder = RelayIds::builder();

496

                if let Some(ed_id) = hs_dir.ed_identity() {

497

                    builder.ed_identity(*ed_id);

498

499

500

                if let Some(rsa_id) = hs_dir.rsa_identity() {

501

                    builder.rsa_identity(*rsa_id);

502

503

504

                let relay_id = builder.build().unwrap_or_else(|_| RelayIds::empty());

505

506

                // Have we uploaded the descriptor to thiw relay before? If so, we don't need to

507

                // reupload it unless it was already dirty and due for a reupload.

508

                let status = match old_hsdirs.find(|(id, _)| *id == relay_id) {

509

                    Some((_, status)) => *status,

510

                    None => DescriptorStatus::Dirty,

511

};

512

513

                (relay_id, status)

514

})

515

            .collect::<Vec<_>>())

516

517

518

    /// Mark the descriptor dirty for all HSDirs of this time period.

519

    fn mark_all_dirty(&mut self) {

520

        self.hs_dirs

521

            .iter_mut()

522

            .for_each(|(_relay_id, status)| *status = DescriptorStatus::Dirty);

523

524

525

    /// Update the upload result for this time period.

526

    fn set_upload_results(&mut self, upload_results: Vec<HsDirUploadStatus>) {

527

        self.upload_results = upload_results;

528

529

530

531

/// An error that occurs while trying to upload a descriptor.

532

#[derive(Clone, Debug, thiserror::Error)]

533

#[non_exhaustive]

534

pub enum UploadError {

535

    /// An error that has occurred after we have contacted a directory cache and made a circuit to it.

536

    #[error("descriptor upload request failed: {}", _0.error)]

537

    Request(#[from] RequestFailedError),

538

539

    /// Failed to establish circuit to hidden service directory

540

    #[error("could not build circuit to HsDir")]

541

    Circuit(#[from] tor_circmgr::Error),

542

543

    /// Failed to establish stream to hidden service directory

544

    #[error("failed to establish directory stream to HsDir")]

545

    Stream(#[source] tor_proto::Error),

546

547

    /// An internal error.

548

    #[error("Internal error")]

549

    Bug(#[from] tor_error::Bug),

550

551

define_asref_dyn_std_error!(UploadError);

552

553

impl UploadError {

554

    /// Return true if this error is one that we should report as a suspicious event,

555

    /// along with the dirserver, and description of the relevant document.

556

    pub(crate) fn should_report_as_suspicious(&self) -> bool {

557

        match self {

558

            UploadError::Request(e) => e.error.should_report_as_suspicious_if_anon(),

559

            UploadError::Circuit(_) => false, // TODO prop360

560

            UploadError::Stream(_) => false,  // TODO prop360

561

            UploadError::Bug(_) => false,

562

563

564

565

566

impl<R: Runtime, M: Mockable> Reactor<R, M> {

567

    /// Create a new `Reactor`.

568

    #[allow(clippy::too_many_arguments)]

569

    pub(super) fn new(

570

        runtime: R,

571

        nickname: HsNickname,

572

        dir_provider: Arc<dyn NetDirProvider>,

573

        mockable: M,

574

        config: &OnionServiceConfig,

575

        ipt_watcher: IptsPublisherView,

576

        config_rx: watch::Receiver<Arc<OnionServiceConfig>>,

577

        status_tx: PublisherStatusSender,

578

        keymgr: Arc<KeyMgr>,

579

        path_resolver: Arc<CfgPathResolver>,

580

        pow_manager: Arc<PowManager<R>>,

581

        update_from_pow_manager_rx: mpsc::Receiver<TimePeriod>,

582

    ) -> Self {

583

        /// The maximum size of the upload completion notifier channel.

584

///

585

        /// The channel we use this for is a futures::mpsc channel, which has a capacity of

586

        /// `UPLOAD_CHAN_BUF_SIZE + num-senders`. We don't need the buffer size to be non-zero, as

587

        /// each sender will send exactly one message.

588

        const UPLOAD_CHAN_BUF_SIZE: usize = 0;

589

590

        // Internally-generated instructions, no need for mq.

591

        let (upload_task_complete_tx, upload_task_complete_rx) =

592

            mpsc_channel_no_memquota(UPLOAD_CHAN_BUF_SIZE);

593

594

        let (publish_status_tx, publish_status_rx) = watch::channel();

595

        // Setting the buffer size to zero here is OK,

596

        // since we never actually send anything on this channel.

597

        let (shutdown_tx, _shutdown_rx) = broadcast::channel(0);

598

599

        let authorized_clients =

600

            Self::read_authorized_clients(&config.restricted_discovery, &path_resolver);

601

602

        // Create a channel for watching for changes in the configured

603

        // restricted_discovery.key_dirs.

604

        let (key_dirs_tx, key_dirs_rx) = file_watcher::channel();

605

606

        let imm = Immutable {

607

            runtime,

608

            mockable,

609

            nickname,

610

            keymgr,

611

            status_tx,

612

            pow_manager,

613

};

614

615

        let inner = Inner {

616

            time_periods: vec![],

617

            config: Arc::new(config.into()),

618

            file_watcher: None,

619

            netdir: None,

620

            last_uploaded: None,

621

            reupload_timers: Default::default(),

622

            authorized_clients,

623

};

624

625

        Self {

626

            imm: Arc::new(imm),

627

            inner: Arc::new(Mutex::new(inner)),

628

            dir_provider,

629

            ipt_watcher,

630

            config_rx,

631

            key_dirs_rx,

632

            key_dirs_tx,

633

            publish_status_rx,

634

            publish_status_tx,

635

            upload_task_complete_rx,

636

            upload_task_complete_tx,

637

            shutdown_tx,

638

            path_resolver,

639

            update_from_pow_manager_rx,

640

641

642

643

    /// Start the reactor.

644

///

645

    /// Under normal circumstances, this function runs indefinitely.

646

///

647

    /// Note: this also spawns the "reminder task" that we use to reschedule uploads whenever an

648

    /// upload fails or is rate-limited.

649

    pub(super) async fn run(mut self) -> Result<(), FatalError> {

650

        debug!(nickname=%self.imm.nickname, "starting descriptor publisher reactor");

651

652

653

            let netdir = self

654

                .dir_provider

655

                .wait_for_netdir(Timeliness::Timely)

656

                .await?;

657

            let time_periods = self.compute_time_periods(&netdir, &[])?;

658

659

            let mut inner = self.inner.lock().expect("poisoned lock");

660

661

            inner.netdir = Some(netdir);

662

            inner.time_periods = time_periods;

663

664

665

        // Create the initial key_dirs watcher.

666

        self.update_file_watcher();

667

668

        loop {

669

            match self.run_once().await {

670

                Ok(ShutdownStatus::Continue) => continue,

671

                Ok(ShutdownStatus::Terminate) => {

672

                    debug!(nickname=%self.imm.nickname, "descriptor publisher is shutting down!");

673

674

                    self.imm.status_tx.send_shutdown();

675

                    return Ok(());

676

677

                Err(e) => {

678

                    error_report!(

679

e,

680

                        "HS service {}: descriptor publisher crashed!",

681

                        self.imm.nickname

682

);

683

684

                    self.imm.status_tx.send_broken(e.clone());

685

686

                    return Err(e);

687

688

689

690

691

692

    /// Run one iteration of the reactor loop.

693

    #[allow(clippy::cognitive_complexity)] // TODO: Refactor

694

    async fn run_once(&mut self) -> Result<ShutdownStatus, FatalError> {

695

        let mut netdir_events = self.dir_provider.events();

696

697

        // Note: TrackingNow tracks the values it is compared with.

698

        // This is equivalent to sleeping for (until - now) units of time,

699

        let upload_rate_lim: TrackingNow = TrackingNow::now(&self.imm.runtime);

700

        if let PublishStatus::RateLimited(until) = self.status() {

701

            if upload_rate_lim > until {

702

                // We are no longer rate-limited

703

                self.expire_rate_limit().await?;

704

705

706

707

        let reupload_tracking = TrackingNow::now(&self.imm.runtime);

708

        let mut reupload_periods = vec![];

709

710

            let mut inner = self.inner.lock().expect("poisoned lock");

711

            let inner = &mut *inner;

712

            while let Some(reupload) = inner.reupload_timers.peek().copied() {

713

                // First, extract all the timeouts that already elapsed.

714

                if reupload.when <= reupload_tracking {

715

                    inner.reupload_timers.pop();

716

                    reupload_periods.push(reupload.period);

717

                } else {

718

                    // We are not ready to schedule any more reuploads.

719

//

720

                    // How much we need to sleep is implicitly

721

                    // tracked in reupload_tracking (through

722

                    // the TrackingNow implementation)

723

                    break;

724

725

726

727

728

        // Check if it's time to schedule any reuploads.

729

        for period in reupload_periods {

730

            if self.mark_dirty(&period) {

731

                debug!(

732

                    time_period=?period,

733

                    "descriptor reupload timer elapsed; scheduling reupload",

734

);

735

                self.update_publish_status_unless_rate_lim(PublishStatus::UploadScheduled)

736

                    .await?;

737

738

739

740

        select_biased! {

741

            res = self.upload_task_complete_rx.next().fuse() => {

742

                let Some(upload_res) = res else {

743

                    return Ok(ShutdownStatus::Terminate);

744

};

745

746

                self.handle_upload_results(upload_res);

747

                self.upload_result_to_svc_status()?;

748

},

749

            () = upload_rate_lim.wait_for_earliest(&self.imm.runtime).fuse() => {

750

                self.expire_rate_limit().await?;

751

},

752

            () = reupload_tracking.wait_for_earliest(&self.imm.runtime).fuse() => {

753

                // Run another iteration, executing run_once again. This time, we will remove the

754

                // expired reupload from self.reupload_timers, mark the descriptor dirty for all

755

                // relevant HsDirs, and schedule the upload by setting our status to

756

                // UploadScheduled.

757

                return Ok(ShutdownStatus::Continue);

758

},

759

            netdir_event = netdir_events.next().fuse() => {

760

                let Some(netdir_event) = netdir_event else {

761

                    debug!("netdir event stream ended");

762

                    return Ok(ShutdownStatus::Terminate);

763

};

764

765

                if !matches!(netdir_event, DirEvent::NewConsensus) {

766

                    return Ok(ShutdownStatus::Continue);

767

};

768

769

                // The consensus changed. Grab a new NetDir.

770

                let netdir = match self.dir_provider.netdir(Timeliness::Timely) {

771

                    Ok(y) => y,

772

                    Err(e) => {

773

                        error_report!(e, "HS service {}: netdir unavailable. Retrying...", self.imm.nickname);

774

                        // Hopefully a netdir will appear in the future.

775

                        // in the meantime, suspend operations.

776

//

777

                        // TODO (#1218): there is a bug here: we stop reading on our inputs

778

                        // including eg publish_status_rx, but it is our job to log some of

779

                        // these things.  While we are waiting for a netdir, all those messages

780

                        // are "stuck"; they'll appear later, with misleading timestamps.

781

//

782

                        // Probably this should be fixed by moving the logging

783

                        // out of the reactor, where it won't be blocked.

784

                        self.dir_provider.wait_for_netdir(Timeliness::Timely)

785

                            .await?

786

787

};

788

                let relevant_periods = netdir.hs_all_time_periods();

789

                self.handle_consensus_change(netdir).await?;

790

                expire_publisher_keys(

791

                    &self.imm.keymgr,

792

                    &self.imm.nickname,

793

                    &relevant_periods,

794

                ).unwrap_or_else(|e| {

795

                    error_report!(e, "failed to remove expired keys");

796

});

797

798

            update = self.ipt_watcher.await_update().fuse() => {

799

                if self.handle_ipt_change(update).await? == ShutdownStatus::Terminate {

800

                    return Ok(ShutdownStatus::Terminate);

801

802

},

803

            config = self.config_rx.next().fuse() => {

804

                let Some(config) = config else {

805

                    return Ok(ShutdownStatus::Terminate);

806

};

807

808

                self.handle_svc_config_change(&config).await?;

809

},

810

            res = self.key_dirs_rx.next().fuse() => {

811

                let Some(event) = res else {

812

                    return Ok(ShutdownStatus::Terminate);

813

};

814

815

                while let Some(_ignore) = self.key_dirs_rx.try_recv() {

816

                    // Discard other events, so that we only reload once.

817

818

819

                self.handle_key_dirs_change(event).await?;

820

821

            should_upload = self.publish_status_rx.next().fuse() => {

822

                let Some(should_upload) = should_upload else {

823

                    return Ok(ShutdownStatus::Terminate);

824

};

825

826

                // Our PublishStatus changed -- are we ready to publish?

827

                if should_upload == PublishStatus::UploadScheduled {

828

                    self.update_publish_status_unless_waiting(PublishStatus::Idle).await?;

829

                    self.upload_all().await?;

830

831

832

            update_tp_pow_seed = self.update_from_pow_manager_rx.next().fuse() => {

833

                debug!("Update PoW seed for TP!");

834

                let Some(time_period) = update_tp_pow_seed else {

835

                    return Ok(ShutdownStatus::Terminate);

836

};

837

                self.mark_dirty(&time_period);

838

                self.upload_all().await?;

839

840

841

842

        Ok(ShutdownStatus::Continue)

843

844

845

    /// Returns the current status of the publisher

846

    fn status(&self) -> PublishStatus {

847

        *self.publish_status_rx.borrow()

848

849

850

    /// Handle a batch of upload outcomes,

851

    /// possibly updating the status of the descriptor for the corresponding HSDirs.

852

    fn handle_upload_results(&self, results: TimePeriodUploadResult) {

853

        let mut inner = self.inner.lock().expect("poisoned lock");

854

        let inner = &mut *inner;

855

856

        // Check which time period these uploads pertain to.

857

        let period = inner

858

            .time_periods

859

            .iter_mut()

860

            .find(|ctx| ctx.params.time_period() == results.time_period);

861

862

        let Some(period) = period else {

863

            // The uploads were for a time period that is no longer relevant, so we

864

            // can ignore the result.

865

            return;

866

};

867

868

        // We will need to reupload this descriptor at at some point, so we pick

869

        // a random time between 60 minutes and 120 minutes in the future.

870

//

871

        // See https://spec.torproject.org/rend-spec/deriving-keys.html#WHEN-HSDESC

872

        let mut rng = self.imm.mockable.thread_rng();

873

        // TODO SPEC: Control republish period using a consensus parameter?

874

        let minutes = rng.gen_range_checked(60..=120).expect("low > high?!");

875

        let duration = Duration::from_secs(minutes * 60);

876

        let reupload_when = self.imm.runtime.now() + duration;

877

        let time_period = period.params.time_period();

878

879

        info!(

880

            time_period=?time_period,

881

            "reuploading descriptor in {}",

882

            humantime::format_duration(duration),

883

);

884

885

        inner.reupload_timers.push(ReuploadTimer {

886

            period: time_period,

887

            when: reupload_when,

888

});

889

890

        let mut upload_results = vec![];

891

        for upload_res in results.hsdir_result {

892

            let relay = period

893

                .hs_dirs

894

                .iter_mut()

895

                .find(|(relay_ids, _status)| relay_ids == &upload_res.relay_ids);

896

897

            let Some((_relay, status)): Option<&mut (RelayIds, _)> = relay else {

898

                // This HSDir went away, so the result doesn't matter.

899

                // Continue processing the rest of the results

900

                continue;

901

};

902

903

            if upload_res.upload_res.is_ok() {

904

                let update_last_successful = match period.last_successful {

905

                    None => true,

906

                    Some(counter) => counter <= upload_res.revision_counter,

907

};

908

909

                if update_last_successful {

910

                    period.last_successful = Some(upload_res.revision_counter);

911

                    // TODO (#1098): Is it possible that this won't update the statuses promptly

912

                    // enough. For example, it's possible for the reactor to see a Dirty descriptor

913

                    // and start an upload task for a descriptor has already been uploaded (or is

914

                    // being uploaded) in another task, but whose upload results have not yet been

915

                    // processed.

916

//

917

                    // This is probably made worse by the fact that the statuses are updated in

918

                    // batches (grouped by time period), rather than one by one as the upload tasks

919

                    // complete (updating the status involves locking the inner mutex, and I wanted

920

                    // to minimize the locking/unlocking overheads). I'm not sure handling the

921

                    // updates in batches was the correct decision here.

922

                    *status = DescriptorStatus::Clean;

923

924

925

926

            upload_results.push(upload_res);

927

928

929

        period.set_upload_results(upload_results);

930

931

932

    /// Maybe update our list of HsDirs.

933

    async fn handle_consensus_change(&mut self, netdir: Arc<NetDir>) -> Result<(), FatalError> {

934

        trace!("the consensus has changed; recomputing HSDirs");

935

936

        let _old: Option<Arc<NetDir>> = self.replace_netdir(netdir);

937

938

        self.recompute_hs_dirs()?;

939

        self.update_publish_status_unless_waiting(PublishStatus::UploadScheduled)

940

            .await?;

941

942

        // If the time period has changed, some of our upload results may now be irrelevant,

943

        // so we might need to update our status (for example, if our uploads are

944

        // for a no-longer-relevant time period, it means we might be able to update

945

        // out status from "degraded" to "running")

946

        self.upload_result_to_svc_status()?;

947

948

        Ok(())

949

950

951

    /// Recompute the HsDirs for all relevant time periods.

952

    fn recompute_hs_dirs(&self) -> Result<(), FatalError> {

953

        let mut inner = self.inner.lock().expect("poisoned lock");

954

        let inner = &mut *inner;

955

956

        let netdir = Arc::clone(

957

            inner

958

                .netdir

959

                .as_ref()

960

                .ok_or_else(|| internal!("started upload task without a netdir"))?,

961

);

962

963

        // Update our list of relevant time periods.

964

        let new_time_periods = self.compute_time_periods(&netdir, &inner.time_periods)?;

965

        inner.time_periods = new_time_periods;

966

967

        Ok(())

968

969

970

    /// Compute the [`TimePeriodContext`]s for the time periods from the specified [`NetDir`].

971

///

972

    /// The specified `time_periods` are used to preserve the `DescriptorStatus` of the

973

    /// HsDirs where possible.

974

    fn compute_time_periods(

975

        &self,

976

        netdir: &Arc<NetDir>,

977

        time_periods: &[TimePeriodContext],

978

    ) -> Result<Vec<TimePeriodContext>, FatalError> {

979

        netdir

980

            .hs_all_time_periods()

981

            .iter()

982

            .map(|params| {

983

                let period = params.time_period();

984

                let blind_id_kp =

985

                    read_blind_id_keypair(&self.imm.keymgr, &self.imm.nickname, period)?

986

                        // Note: for now, read_blind_id_keypair cannot return Ok(None).

987

                        // It's supposed to return Ok(None) if we're in offline hsid mode,

988

                        // but that might change when we do #1194

989

                        .ok_or_else(|| internal!("offline hsid mode not supported"))?;

990

991

                let blind_id: HsBlindIdKey = (&blind_id_kp).into();

992

993

                // If our previous `TimePeriodContext`s also had an entry for `period`, we need to

994

                // preserve the `DescriptorStatus` of its HsDirs. This helps prevent unnecessarily

995

                // publishing the descriptor to the HsDirs that already have it (the ones that are

996

                // marked with DescriptorStatus::Clean).

997

//

998

                // In other words, we only want to publish to those HsDirs that

999

                //   * are part of a new time period (which we have never published the descriptor

1000

                //   for), or

1001

                //   * have just been added to the ring of a time period we already knew about

1002

                if let Some(ctx) = time_periods

1003

                    .iter()

1004

                    .find(|ctx| ctx.params.time_period() == period)

1005

1006

                    TimePeriodContext::new(

1007

                        params.clone(),

1008

                        blind_id.into(),

1009

                        netdir,

1010

                        ctx.hs_dirs.iter(),

1011

                        ctx.upload_results.clone(),

1012

1013

                } else {

1014

                    // Passing an empty iterator here means all HsDirs in this TimePeriodContext

1015

                    // will be marked as dirty, meaning we will need to upload our descriptor to them.

1016

                    TimePeriodContext::new(

1017

                        params.clone(),

1018

                        blind_id.into(),

1019

                        netdir,

1020

                        iter::empty(),

1021

                        vec![],

1022

1023

1024

})

1025

            .collect::<Result<Vec<TimePeriodContext>, FatalError>>()

1026

1027

1028

    /// Replace the old netdir with the new, returning the old.

1029

    fn replace_netdir(&self, new_netdir: Arc<NetDir>) -> Option<Arc<NetDir>> {

1030

        self.inner

1031

            .lock()

1032

            .expect("poisoned lock")

1033

            .netdir

1034

            .replace(new_netdir)

1035

1036

1037

    /// Replace our view of the service config with `new_config` if `new_config` contains changes

1038

    /// that would cause us to generate a new descriptor.

1039

    fn replace_config_if_changed(&self, new_config: Arc<OnionServiceConfigPublisherView>) -> bool {

1040

        let mut inner = self.inner.lock().expect("poisoned lock");

1041

        let old_config = &mut inner.config;

1042

1043

        // The fields we're interested in haven't changed, so there's no need to update

1044

        // `inner.config`.

1045

        if *old_config == new_config {

1046

            return false;

1047

1048

1049

        let log_change = match (

1050

            old_config.restricted_discovery.enabled,

1051

            new_config.restricted_discovery.enabled,

1052

) {

1053

            (true, false) => Some("Disabling restricted discovery mode"),

1054

            (false, true) => Some("Enabling restricted discovery mode"),

1055

            _ => None,

1056

};

1057

1058

        if let Some(msg) = log_change {

1059

            info!(nickname=%self.imm.nickname, "{}", msg);

1060

1061

1062

        let _old: Arc<OnionServiceConfigPublisherView> = std::mem::replace(old_config, new_config);

1063

1064

        true

1065

1066

1067

    /// Recreate the FileWatcher for watching the restricted discovery key_dirs.

1068

    fn update_file_watcher(&self) {

1069

        let mut inner = self.inner.lock().expect("poisoned lock");

1070

        if inner.config.restricted_discovery.watch_configuration() {

1071

            debug!("The restricted_discovery.key_dirs have changed, updating file watcher");

1072

            let mut watcher = FileWatcher::builder(self.imm.runtime.clone());

1073

1074

            let dirs = inner.config.restricted_discovery.key_dirs().clone();

1075

1076

            watch_dirs(&mut watcher, &dirs, &self.path_resolver);

1077

1078

            let watcher = watcher

1079

                .start_watching(self.key_dirs_tx.clone())

1080

                .map_err(|e| {

1081

                    // TODO: update the publish status (see also the module-level TODO about this).

1082

                    error_report!(e, "Cannot set file watcher");

1083

})

1084

                .ok();

1085

            inner.file_watcher = watcher;

1086

        } else {

1087

            if inner.file_watcher.is_some() {

1088

                debug!("removing key_dirs watcher");

1089

1090

            inner.file_watcher = None;

1091

1092

1093

1094

    /// Read the intro points from `ipt_watcher`, and decide whether we're ready to start

1095

    /// uploading.

1096

    fn note_ipt_change(&self) -> PublishStatus {

1097

        let mut ipts = self.ipt_watcher.borrow_for_publish();

1098

        match ipts.ipts.as_mut() {

1099

            Some(_ipts) => PublishStatus::UploadScheduled,

1100

            None => PublishStatus::AwaitingIpts,

1101

1102

1103

1104

    /// Update our list of introduction points.

1105

    async fn handle_ipt_change(

1106

        &mut self,

1107

        update: Option<Result<(), crate::FatalError>>,

1108

    ) -> Result<ShutdownStatus, FatalError> {

1109

        trace!(nickname=%self.imm.nickname, "received IPT change notification from IPT manager");

1110

        match update {

1111

            Some(Ok(())) => {

1112

                let should_upload = self.note_ipt_change();

1113

                debug!(nickname=%self.imm.nickname, "the introduction points have changed");

1114

1115

                self.mark_all_dirty();

1116

                self.update_publish_status_unless_rate_lim(should_upload)

1117

                    .await?;

1118

                Ok(ShutdownStatus::Continue)

1119

1120

            Some(Err(e)) => Err(e),

1121

            None => {

1122

                debug!(nickname=%self.imm.nickname, "received shut down signal from IPT manager");

1123

                Ok(ShutdownStatus::Terminate)

1124

1125

1126

1127

1128

    /// Update the `PublishStatus` of the reactor with `new_state`,

1129

    /// unless the current state is `AwaitingIpts`.

1130

    async fn update_publish_status_unless_waiting(

1131

        &mut self,

1132

        new_state: PublishStatus,

1133

    ) -> Result<(), FatalError> {

1134

        // Only update the state if we're not waiting for intro points.

1135

        if self.status() != PublishStatus::AwaitingIpts {

1136

            self.update_publish_status(new_state).await?;

1137

1138

1139

        Ok(())

1140

1141

1142

    /// Update the `PublishStatus` of the reactor with `new_state`,

1143

    /// unless the current state is `RateLimited`.

1144

    async fn update_publish_status_unless_rate_lim(

1145

        &mut self,

1146

        new_state: PublishStatus,

1147

    ) -> Result<(), FatalError> {

1148

        // We can't exit this state until the rate-limit expires.

1149

        if !matches!(self.status(), PublishStatus::RateLimited(_)) {

1150

            self.update_publish_status(new_state).await?;

1151

1152

1153

        Ok(())

1154

1155

1156

    /// Unconditionally update the `PublishStatus` of the reactor with `new_state`.

1157

    async fn update_publish_status(&mut self, new_state: PublishStatus) -> Result<(), Bug> {

1158

        let onion_status = match new_state {

1159

            PublishStatus::Idle => None,

1160

            PublishStatus::UploadScheduled

1161

            | PublishStatus::AwaitingIpts

1162

            | PublishStatus::RateLimited(_) => Some(State::Bootstrapping),

1163

};

1164

1165

        if let Some(onion_status) = onion_status {

1166

            self.imm.status_tx.send(onion_status, None);

1167

1168

1169

        trace!(

1170

            "publisher reactor status change: {:?} -> {:?}",

1171

            self.status(),

1172

            new_state

1173

);

1174

1175

        self.publish_status_tx.send(new_state).await.map_err(

1176

            |_: postage::sink::SendError<_>| internal!("failed to send upload notification?!"),

1177

)?;

1178

1179

        Ok(())

1180

1181

1182

    /// Update the onion svc status based on the results of the last descriptor uploads.

1183

    fn upload_result_to_svc_status(&self) -> Result<(), FatalError> {

1184

        let inner = self.inner.lock().expect("poisoned lock");

1185

        let netdir = inner

1186

            .netdir

1187

            .as_ref()

1188

            .ok_or_else(|| internal!("handling upload results without netdir?!"))?;

1189

1190

        let (state, err) = upload_result_state(netdir, &inner.time_periods);

1191

        self.imm.status_tx.send(state, err);

1192

1193

        Ok(())

1194

1195

1196

    /// Update the descriptors based on the config change.

1197

    async fn handle_svc_config_change(

1198

        &mut self,

1199

        config: &OnionServiceConfig,

1200

    ) -> Result<(), FatalError> {

1201

        let new_config = Arc::new(config.into());

1202

        if self.replace_config_if_changed(Arc::clone(&new_config)) {

1203

            self.update_file_watcher();

1204

            self.update_authorized_clients_if_changed().await?;

1205

1206

            info!(nickname=%self.imm.nickname, "Config has changed, generating a new descriptor");

1207

            self.mark_all_dirty();

1208

1209

            // Schedule an upload, unless we're still waiting for IPTs.

1210

            self.update_publish_status_unless_waiting(PublishStatus::UploadScheduled)

1211

                .await?;

1212

1213

1214

        Ok(())

1215

1216

1217

    /// Update the descriptors based on a restricted discovery key_dirs change.

1218

///

1219

    /// If the authorized clients from the [`RestrictedDiscoveryConfig`] have changed,

1220

    /// this marks the descriptor as dirty for all time periods,

1221

    /// and schedules a reupload.

1222

    async fn handle_key_dirs_change(&mut self, event: FileEvent) -> Result<(), FatalError> {

1223

        debug!("The configured key_dirs have changed");

1224

        match event {

1225

            FileEvent::Rescan | FileEvent::FileChanged => {

1226

                // These events are handled in the same way, by re-reading the keys from disk

1227

                // and republishing the descriptor if necessary

1228

1229

            _ => return Err(internal!("file watcher event {event:?}").into()),

1230

};

1231

1232

        // Update the file watcher, in case the change was triggered by a key_dir move.

1233

        self.update_file_watcher();

1234

1235

        if self.update_authorized_clients_if_changed().await? {

1236

            self.mark_all_dirty();

1237

1238

            // Schedule an upload, unless we're still waiting for IPTs.

1239

            self.update_publish_status_unless_waiting(PublishStatus::UploadScheduled)

1240

                .await?;

1241

1242

1243

        Ok(())

1244

1245

1246

    /// Recreate the authorized_clients based on the current config.

1247

///

1248

    /// Returns `true` if the authorized clients have changed.

1249

    async fn update_authorized_clients_if_changed(&mut self) -> Result<bool, FatalError> {

1250

        let mut inner = self.inner.lock().expect("poisoned lock");

1251

        let authorized_clients =

1252

            Self::read_authorized_clients(&inner.config.restricted_discovery, &self.path_resolver);

1253

1254

        let clients = &mut inner.authorized_clients;

1255

        let changed = clients.as_ref() != authorized_clients.as_ref();

1256

1257

        if changed {

1258

            info!("The restricted discovery mode authorized clients have changed");

1259

            *clients = authorized_clients;

1260

1261

1262

        Ok(changed)

1263

1264

1265

    /// Read the authorized `RestrictedDiscoveryKeys` from `config`.

1266

    fn read_authorized_clients(

1267

        config: &RestrictedDiscoveryConfig,

1268

        path_resolver: &CfgPathResolver,

1269

    ) -> Option<Arc<RestrictedDiscoveryKeys>> {

1270

        let authorized_clients = config.read_keys(path_resolver);

1271

1272

        if matches!(authorized_clients.as_ref(), Some(c) if c.is_empty()) {

1273

            warn!(

1274

                "Running in restricted discovery mode, but we have no authorized clients. Service will be unreachable"

1275

);

1276

1277

1278

        authorized_clients.map(Arc::new)

1279

1280

1281

    /// Mark the descriptor dirty for all time periods.

1282

    fn mark_all_dirty(&self) {

1283

        trace!("marking the descriptor dirty for all time periods");

1284

1285

        self.inner

1286

            .lock()

1287

            .expect("poisoned lock")

1288

            .time_periods

1289

            .iter_mut()

1290

            .for_each(|tp| tp.mark_all_dirty());

1291

1292

1293

    /// Mark the descriptor dirty for the specified time period.

1294

///

1295

    /// Returns `true` if the specified period is still relevant, and `false` otherwise.

1296

    fn mark_dirty(&self, period: &TimePeriod) -> bool {

1297

        let mut inner = self.inner.lock().expect("poisoned lock");

1298

        let period_ctx = inner

1299

            .time_periods

1300

            .iter_mut()

1301

            .find(|tp| tp.params.time_period() == *period);

1302

1303

        match period_ctx {

1304

            Some(ctx) => {

1305

                trace!(time_period=?period, "marking the descriptor dirty");

1306

                ctx.mark_all_dirty();

1307

                true

1308

1309

            None => false,

1310

1311

1312

1313

    /// Try to upload our descriptor to the HsDirs that need it.

1314

///

1315

    /// If we've recently uploaded some descriptors, we return immediately and schedule the upload

1316

    /// to happen after [`UPLOAD_RATE_LIM_THRESHOLD`].

1317

///

1318

    /// Failed uploads are retried

1319

    /// (see [`upload_descriptor_with_retries`](Reactor::upload_descriptor_with_retries)).

1320

///

1321

    /// If restricted discovery mode is enabled and there are no authorized clients,

1322

    /// we abort the upload and set our status to [`State::Broken`].

1323

//

1324

    // Note: a broken restricted discovery config won't prevent future uploads from being scheduled

1325

    // (for example if the IPTs change),

1326

    // which can can cause the publisher's status to oscillate between `Bootstrapping` and `Broken`.

1327

    // TODO: we might wish to refactor the publisher to be more sophisticated about this.

1328

//

1329

    /// For each current time period, we spawn a task that uploads the descriptor to

1330

    /// all the HsDirs on the HsDir ring of that time period.

1331

    /// Each task shuts down on completion, or when the reactor is dropped.

1332

///

1333

    /// Each task reports its upload results (`TimePeriodUploadResult`)

1334

    /// via the `upload_task_complete_tx` channel.

1335

    /// The results are received and processed in the main loop of the reactor.

1336

///

1337

    /// Returns an error if it fails to spawn a task, or if an internal error occurs.

1338

    #[allow(clippy::cognitive_complexity)] // TODO #2010: Refactor

1339

    async fn upload_all(&mut self) -> Result<(), FatalError> {

1340

        trace!("starting descriptor upload task...");

1341

1342

        // Abort the upload entirely if we have an empty list of authorized clients

1343

        let authorized_clients = match self.authorized_clients() {

1344

            Ok(authorized_clients) => authorized_clients,

1345

            Err(e) => {

1346

                error_report!(e, "aborting upload");

1347

                self.imm.status_tx.send_broken(e.clone());

1348

1349

                // Returning an error would shut down the reactor, so we have to return Ok here.

1350

                return Ok(());

1351

1352

};

1353

1354

        let last_uploaded = self.inner.lock().expect("poisoned lock").last_uploaded;

1355

        let now = self.imm.runtime.now();

1356

        // Check if we should rate-limit this upload.

1357

        if let Some(ts) = last_uploaded {

1358

            let duration_since_upload = now.duration_since(ts);

1359

1360

            if duration_since_upload < UPLOAD_RATE_LIM_THRESHOLD {

1361

                return Ok(self.start_rate_limit(UPLOAD_RATE_LIM_THRESHOLD).await?);

1362

1363

1364

1365

        let mut inner = self.inner.lock().expect("poisoned lock");

1366

        let inner = &mut *inner;

1367

1368

        let _ = inner.last_uploaded.insert(now);

1369

1370

        for period_ctx in inner.time_periods.iter_mut() {

1371

            let upload_task_complete_tx = self.upload_task_complete_tx.clone();

1372

1373

            // Figure out which HsDirs we need to upload the descriptor to (some of them might already

1374

            // have our latest descriptor, so we filter them out).

1375

            let hs_dirs = period_ctx

1376

                .hs_dirs

1377

                .iter()

1378

                .filter_map(|(relay_id, status)| {

1379

                    if *status == DescriptorStatus::Dirty {

1380

                        Some(relay_id.clone())

1381

                    } else {

1382

                        None

1383

1384

})

1385

                .collect::<Vec<_>>();

1386

1387

            if hs_dirs.is_empty() {

1388

                trace!("the descriptor is clean for all HSDirs. Nothing to do");

1389

                return Ok(());

1390

1391

1392

            let time_period = period_ctx.params.time_period();

1393

            // This scope exists because rng is not Send, so it needs to fall out of scope before we

1394

            // await anything.

1395

            let netdir = Arc::clone(

1396

                inner

1397

                    .netdir

1398

                    .as_ref()

1399

                    .ok_or_else(|| internal!("started upload task without a netdir"))?,

1400

);

1401

1402

            let imm = Arc::clone(&self.imm);

1403

            let ipt_upload_view = self.ipt_watcher.upload_view();

1404

            let config = Arc::clone(&inner.config);

1405

            let authorized_clients = authorized_clients.clone();

1406

1407

            trace!(nickname=%self.imm.nickname, time_period=?time_period,

1408

                "spawning upload task"

1409

);

1410

1411

            let params = period_ctx.params.clone();

1412

            let shutdown_rx = self.shutdown_tx.subscribe();

1413

1414

            // Spawn a task to upload the descriptor to all HsDirs of this time period.

1415

//

1416

            // This task will shut down when the reactor is dropped (i.e. when shutdown_rx is

1417

            // dropped).

1418

            let _handle: () = self

1419

                .imm

1420

                .runtime

1421

                .spawn(async move {

1422

                    if let Err(e) = Self::upload_for_time_period(

1423

                        hs_dirs,

1424

                        &netdir,

1425

                        config,

1426

                        params,

1427

                        Arc::clone(&imm),

1428

                        ipt_upload_view.clone(),

1429

                        authorized_clients.clone(),

1430

                        upload_task_complete_tx,

1431

                        shutdown_rx,

1432

1433

                    .await

1434

1435

                        error_report!(

1436

e,

1437

                            "descriptor upload failed for HS service {} and time period {:?}",

1438

                            imm.nickname,

1439

                            time_period

1440

);

1441

1442

})

1443

                .map_err(|e| FatalError::from_spawn("upload_for_time_period task", e))?;

1444

1445

1446

        Ok(())

1447

1448

1449

    /// Upload the descriptor for the time period specified in `params`.

1450

///

1451

    /// Failed uploads are retried

1452

    /// (see [`upload_descriptor_with_retries`](Reactor::upload_descriptor_with_retries)).

1453

    #[allow(clippy::too_many_arguments)] // TODO: refactor

1454

    #[allow(clippy::cognitive_complexity)] // TODO: Refactor

1455

    async fn upload_for_time_period(

1456

        hs_dirs: Vec<RelayIds>,

1457

        netdir: &Arc<NetDir>,

1458

        config: Arc<OnionServiceConfigPublisherView>,

1459

        params: HsDirParams,

1460

        imm: Arc<Immutable<R, M>>,

1461

        ipt_upload_view: IptsPublisherUploadView,

1462

        authorized_clients: Option<Arc<RestrictedDiscoveryKeys>>,

1463

        mut upload_task_complete_tx: mpsc::Sender<TimePeriodUploadResult>,

1464

        shutdown_rx: broadcast::Receiver<Void>,

1465

    ) -> Result<(), FatalError> {

1466

        let time_period = params.time_period();

1467

        trace!(time_period=?time_period, "uploading descriptor to all HSDirs for this time period");

1468

1469

        let hsdir_count = hs_dirs.len();

1470

1471

        /// An error returned from an upload future.

1472

//

1473

        // Exhaustive, because this is a private type.

1474

        #[derive(Clone, Debug, thiserror::Error)]

1475

        enum PublishError {

1476

            /// The upload was aborted because there are no IPTs.

1477

///

1478

            /// This happens because of an inevitable TOCTOU race, where after being notified by

1479

            /// the IPT manager that the IPTs have changed (via `self.ipt_watcher.await_update`),

1480

            /// we find out there actually are no IPTs, so we can't build the descriptor.

1481

///

1482

            /// This is a special kind of error that interrupts the current upload task, and is

1483

            /// logged at `debug!` level rather than `warn!` or `error!`.

1484

///

1485

            /// Ideally, this shouldn't happen very often (if at all).

1486

            #[error("No IPTs")]

1487

            NoIpts,

1488

1489

            /// The reactor has shut down

1490

            #[error("The reactor has shut down")]

1491

            Shutdown,

1492

1493

            /// An fatal error.

1494

            #[error("{0}")]

1495

            Fatal(#[from] FatalError),

1496

1497

1498

        let max_hsdesc_len: usize = netdir

1499

            .params()

1500

            .hsdir_max_desc_size

1501

            .try_into()

1502

            .expect("Unable to convert positive int32 to usize!?");

1503

1504

        let upload_results = futures::stream::iter(hs_dirs)

1505

            .map(|relay_ids| {

1506

                let netdir = netdir.clone();

1507

                let config = Arc::clone(&config);

1508

                let imm = Arc::clone(&imm);

1509

                let ipt_upload_view = ipt_upload_view.clone();

1510

                let authorized_clients = authorized_clients.clone();

1511

                let params = params.clone();

1512

                let mut shutdown_rx = shutdown_rx.clone();

1513

1514

                let ed_id = relay_ids

1515

                    .rsa_identity()

1516

                    .map(|id| id.to_string())

1517

                    .unwrap_or_else(|| "unknown".into());

1518

                let rsa_id = relay_ids

1519

                    .rsa_identity()

1520

                    .map(|id| id.to_string())

1521

                    .unwrap_or_else(|| "unknown".into());

1522

1523

                async move {

1524

                    let run_upload = |desc| async {

1525

                        let Some(hsdir) = netdir.by_ids(&relay_ids) else {

1526

                            // This should never happen (all of our relay_ids are from the stored

1527

                            // netdir).

1528

                            let err =

1529

                                "tried to upload descriptor to relay not found in consensus?!";

1530

                            warn!(

1531

                                nickname=%imm.nickname, hsdir_id=%ed_id, hsdir_rsa_id=%rsa_id,

1532

                                "{err}"

1533

);

1534

                            return Err(internal!("{err}").into());

1535

};

1536

1537

                        Self::upload_descriptor_with_retries(

1538

                            desc,

1539

                            &netdir,

1540

                            &hsdir,

1541

                            &ed_id,

1542

                            &rsa_id,

1543

                            Arc::clone(&imm),

1544

1545

                        .await

1546

};

1547

1548

                    // How long until we're supposed to time out?

1549

                    let worst_case_end = imm.runtime.now() + OVERALL_UPLOAD_TIMEOUT;

1550

                    // We generate a new descriptor before _each_ HsDir upload. This means each

1551

                    // HsDir could, in theory, receive a different descriptor (not just in terms of

1552

                    // revision-counters, but also with a different set of IPTs). It may seem like

1553

                    // this could lead to some HsDirs being left with an outdated descriptor, but

1554

                    // that's not the case: after the upload completes, the publisher will be

1555

                    // notified by the ipt_watcher of the IPT change event (if there was one to

1556

                    // begin with), which will trigger another upload job.

1557

                    let hsdesc = {

1558

                        // This scope is needed because the ipt_set MutexGuard is not Send, so it

1559

                        // needs to fall out of scope before the await point below

1560

                        let mut ipt_set = ipt_upload_view.borrow_for_publish();

1561

1562

                        // If there are no IPTs, we abort the upload. At this point, we might have

1563

                        // uploaded the descriptor to some, but not all, HSDirs from the specified

1564

                        // time period.

1565

//

1566

                        // Returning an error here means the upload completion task is never

1567

                        // notified of the outcome of any of these uploads (which means the

1568

                        // descriptor is not marked clean). This is OK, because if we suddenly find

1569

                        // out we have no IPTs, it means our built `hsdesc` has an outdated set of

1570

                        // IPTs, so we need to go back to the main loop to wait for IPT changes,

1571

                        // and generate a fresh descriptor anyway.

1572

//

1573

                        // Ideally, this shouldn't happen very often (if at all).

1574

                        let Some(ipts) = ipt_set.ipts.as_mut() else {

1575

                            return Err(PublishError::NoIpts);

1576

};

1577

1578

                        let hsdesc = {

1579

                            trace!(

1580

                                nickname=%imm.nickname, time_period=?time_period,

1581

                                "building descriptor"

1582

);

1583

                            let mut rng = imm.mockable.thread_rng();

1584

                            let mut key_rng = tor_llcrypto::rng::CautiousRng;

1585

1586

                            // We're about to generate a new version of the descriptor,

1587

                            // so let's generate a new revision counter.

1588

                            let now = imm.runtime.wallclock();

1589

                            let revision_counter = imm.generate_revision_counter(&params, now)?;

1590

1591

                            build_sign(

1592

                                &imm.keymgr,

1593

                                &imm.pow_manager,

1594

                                &config,

1595

                                authorized_clients.as_deref(),

1596

                                ipts,

1597

                                time_period,

1598

                                revision_counter,

1599

                                &mut rng,

1600

                                &mut key_rng,

1601

                                imm.runtime.wallclock(),

1602

                                max_hsdesc_len,

1603

)?

1604

};

1605

1606

                        if let Err(e) =

1607

                            ipt_set.note_publication_attempt(&imm.runtime, worst_case_end)

1608

1609

                            let wait = e.log_retry_max(&imm.nickname)?;

1610

                            // TODO (#1226): retry instead of this

1611

                            return Err(FatalError::Bug(internal!(

1612

                                "ought to retry after {wait:?}, crashing instead"

1613

))

1614

                            .into());

1615

1616

1617

                        hsdesc

1618

};

1619

1620

                    let VersionedDescriptor {

1621

                        desc,

1622

                        revision_counter,

1623

                    } = hsdesc;

1624

1625

                    trace!(

1626

                        nickname=%imm.nickname, time_period=?time_period,

1627

                        revision_counter=?revision_counter,

1628

                        "generated new descriptor for time period",

1629

);

1630

1631

                    // (Actually launch the upload attempt. No timeout is needed

1632

                    // here, since the backoff::Runner code will handle that for us.)

1633

                    let upload_res: UploadResult = select_biased! {

1634

                        shutdown = shutdown_rx.next().fuse() => {

1635

                            // This will always be None, since Void is uninhabited.

1636

                            let _: Option<Void> = shutdown;

1637

1638

                            // It looks like the reactor has shut down,

1639

                            // so there is no point in uploading the descriptor anymore.

1640

//

1641

                            // Let's shut down the upload task too.

1642

                            trace!(

1643

                                nickname=%imm.nickname, time_period=?time_period,

1644

                                "upload task received shutdown signal"

1645

);

1646

1647

                            return Err(PublishError::Shutdown);

1648

},

1649

                        res = run_upload(desc.clone()).fuse() => res,

1650

};

1651

1652

                    // Note: UploadResult::Failure is only returned when

1653

                    // upload_descriptor_with_retries fails, i.e. if all our retry

1654

                    // attempts have failed

1655

                    Ok(HsDirUploadStatus {

1656

                        relay_ids,

1657

                        upload_res,

1658

                        revision_counter,

1659

})

1660

1661

})

1662

            // This fails to compile unless the stream is boxed. See https://github.com/rust-lang/rust/issues/104382

1663

            .boxed()

1664

            .buffer_unordered(MAX_CONCURRENT_UPLOADS)

1665

            .try_collect::<Vec<_>>()

1666

            .await;

1667

1668

        let upload_results = match upload_results {

1669

            Ok(v) => v,

1670

            Err(PublishError::Fatal(e)) => return Err(e),

1671

            Err(PublishError::NoIpts) => {

1672

                debug!(

1673

                    nickname=%imm.nickname, time_period=?time_period,

1674

                     "no introduction points; skipping upload"

1675

);

1676

1677

                return Ok(());

1678

1679

            Err(PublishError::Shutdown) => {

1680

                debug!(

1681

                    nickname=%imm.nickname, time_period=?time_period,

1682

                     "the reactor has shut down; aborting upload"

1683

);

1684

1685

                return Ok(());

1686

1687

};

1688

1689

        let (succeeded, _failed): (Vec<_>, Vec<_>) = upload_results

1690

            .iter()

1691

            .partition(|res| res.upload_res.is_ok());

1692

1693

        debug!(

1694

            nickname=%imm.nickname, time_period=?time_period,

1695

            "descriptor uploaded successfully to {}/{} HSDirs",

1696

            succeeded.len(), hsdir_count

1697

);

1698

1699

        if upload_task_complete_tx

1700

            .send(TimePeriodUploadResult {

1701

                time_period,

1702

                hsdir_result: upload_results,

1703

})

1704

            .await

1705

            .is_err()

1706

1707

            return Err(internal!(

1708

                "failed to notify reactor of upload completion (reactor shut down)"

1709

1710

            .into());

1711

1712

1713

        Ok(())

1714

1715

1716

    /// Upload a descriptor to the specified HSDir.

1717

///

1718

    /// If an upload fails, this returns an `Err`. This function does not handle retries. It is up

1719

    /// to the caller to retry on failure.

1720

///

1721

    /// This function does not handle timeouts.

1722

    async fn upload_descriptor(

1723

        hsdesc: String,

1724

        netdir: &Arc<NetDir>,

1725

        hsdir: &Relay<'_>,

1726

        imm: Arc<Immutable<R, M>>,

1727

    ) -> Result<(), UploadError> {

1728

        let request = HsDescUploadRequest::new(hsdesc);

1729

1730

        trace!(nickname=%imm.nickname, hsdir_id=%hsdir.id(), hsdir_rsa_id=%hsdir.rsa_id(),

1731

            "starting descriptor upload",

1732

);

1733

1734

        let circuit = imm

1735

            .mockable

1736

            .get_or_launch_specific(

1737

                netdir,

1738

                HsCircKind::SvcHsDir,

1739

                OwnedCircTarget::from_circ_target(hsdir),

1740

1741

            .await?;

1742

        let source: Option<SourceInfo> = circuit

1743

            .source_info()

1744

            .map_err(into_internal!("Couldn't get SourceInfo for circuit"))?;

1745

        let mut stream = circuit

1746

            .begin_dir_stream()

1747

            .await

1748

            .map_err(UploadError::Stream)?;

1749

1750

        let _response: String = send_request(&imm.runtime, &request, &mut stream, source)

1751

            .await

1752

            .map_err(|dir_error| -> UploadError {

1753

                match dir_error {

1754

                    DirClientError::RequestFailed(e) => e.into(),

1755

                    DirClientError::CircMgr(e) => into_internal!(

1756

                        "tor-dirclient complains about circmgr going wrong but we gave it a stream"

1757

                    )(e)

1758

                    .into(),

1759

                    e => into_internal!("unexpected error")(e).into(),

1760

1761

})?

1762

            .into_output_string()?; // This returns an error if we received an error response

1763

1764

        Ok(())

1765

1766

1767

    /// Upload a descriptor to the specified HSDir, retrying if appropriate.

1768

///

1769

    /// Any failed uploads are retried according to a [`PublisherBackoffSchedule`].

1770

    /// Each failed upload is retried until it succeeds, or until the overall timeout specified

1771

    /// by [`BackoffSchedule::overall_timeout`] elapses. Individual attempts are timed out

1772

    /// according to the [`BackoffSchedule::single_attempt_timeout`].

1773

    /// This function gives up after the overall timeout elapses,

1774

    /// declaring the upload a failure, and never retrying it again.

1775

///

1776

    /// See also [`BackoffSchedule`].

1777

    async fn upload_descriptor_with_retries(

1778

        hsdesc: String,

1779

        netdir: &Arc<NetDir>,

1780

        hsdir: &Relay<'_>,

1781

        ed_id: &str,

1782

        rsa_id: &str,

1783

        imm: Arc<Immutable<R, M>>,

1784

    ) -> UploadResult {

1785

        /// The base delay to use for the backoff schedule.

1786

        const BASE_DELAY_MSEC: u32 = 1000;

1787

        let schedule = PublisherBackoffSchedule {

1788

            retry_delay: RetryDelay::from_msec(BASE_DELAY_MSEC),

1789

            mockable: imm.mockable.clone(),

1790

};

1791

1792

        let runner = Runner::new(

1793

            "upload a hidden service descriptor".into(),

1794

            schedule.clone(),

1795

            imm.runtime.clone(),

1796

);

1797

1798

        let fallible_op = || async {

1799

            let r = Self::upload_descriptor(hsdesc.clone(), netdir, hsdir, Arc::clone(&imm)).await;

1800

1801

            if let Err(e) = &r {

1802

                if e.should_report_as_suspicious() {

1803

                    // Note that not every protocol violation is suspicious:

1804

                    // we only warn on the protocol violations that look like attempts

1805

                    // to do a traffic tagging attack via hsdir inflation.

1806

                    // (See proposal 360.)

1807

                    warn_report!(

1808

                        &e.clone(),

1809

                        "Suspicious error while uploading descriptor to {}/{}",

1810

                        ed_id,

1811

                        rsa_id

1812

);

1813

1814

1815

1816

};

1817

1818

        let outcome: Result<(), BackoffError<UploadError>> = runner.run(fallible_op).await;

1819

        match outcome {

1820

            Ok(()) => {

1821

                debug!(

1822

                    nickname=%imm.nickname, hsdir_id=%ed_id, hsdir_rsa_id=%rsa_id,

1823

                    "successfully uploaded descriptor to HSDir",

1824

);

1825

1826

                Ok(())

1827

1828

            Err(e) => {

1829

                warn_report!(

1830

e,

1831

                    "failed to upload descriptor for service {} (hsdir_id={}, hsdir_rsa_id={})",

1832

                    imm.nickname,

1833

                    ed_id,

1834

                    rsa_id

1835

);

1836

1837

                Err(e.into())

1838

1839

1840

1841

1842

    /// Stop publishing descriptors until the specified delay elapses.

1843

    async fn start_rate_limit(&mut self, delay: Duration) -> Result<(), Bug> {

1844

        if !matches!(self.status(), PublishStatus::RateLimited(_)) {

1845

            debug!(

1846

                "We are rate-limited for {}; pausing descriptor publication",

1847

                humantime::format_duration(delay)

1848

);

1849

            let until = self.imm.runtime.now() + delay;

1850

            self.update_publish_status(PublishStatus::RateLimited(until))

1851

                .await?;

1852

1853

1854

        Ok(())

1855

1856

1857

    /// Handle the upload rate-limit being lifted.

1858

    async fn expire_rate_limit(&mut self) -> Result<(), Bug> {

1859

        debug!("We are no longer rate-limited; resuming descriptor publication");

1860

        self.update_publish_status(PublishStatus::UploadScheduled)

1861

            .await?;

1862

        Ok(())

1863

1864

1865

    /// Return the authorized clients, if restricted mode is enabled.

1866

///

1867

    /// Returns `Ok(None)` if restricted discovery mode is disabled.

1868

///

1869

    /// Returns an error if restricted discovery mode is enabled, but the client list is empty.

1870

    #[cfg_attr(

1871

        not(feature = "restricted-discovery"),

1872

        allow(clippy::unnecessary_wraps)

1873

)]

1874

    fn authorized_clients(&self) -> Result<Option<Arc<RestrictedDiscoveryKeys>>, FatalError> {

1875

        cfg_if::cfg_if! {

1876

            if #[cfg(feature = "restricted-discovery")] {

1877

                let authorized_clients = self

1878

                    .inner

1879

                    .lock()

1880

                    .expect("poisoned lock")

1881

                    .authorized_clients

1882

                    .clone();

1883

1884

                if authorized_clients.as_ref().as_ref().map(|v| v.is_empty()).unwrap_or_default() {

1885

                    return Err(FatalError::RestrictedDiscoveryNoClients);

1886

1887

1888

                Ok(authorized_clients)

1889

            } else {

1890

                Ok(None)

1891

1892

1893

1894

1895

1896

/// Try to expand a path, logging a warning on failure.

1897

fn maybe_expand_path(p: &CfgPath, r: &CfgPathResolver) -> Option<PathBuf> {

1898

    // map_err returns unit for clarity

1899

    #[allow(clippy::unused_unit, clippy::semicolon_if_nothing_returned)]

1900

    p.path(r)

1901

        .map_err(|e| {

1902

            tor_error::warn_report!(e, "invalid path");

1903

()

1904

})

1905

        .ok()

1906

1907

1908

/// Add `path` to the specified `watcher`.

1909

macro_rules! watch_path {

1910

    ($watcher:expr, $path:expr, $watch_fn:ident, $($watch_fn_args:expr,)*) => {{

1911

        if let Err(e) = $watcher.$watch_fn(&$path, $($watch_fn_args)*) {

1912

            warn_report!(e, "failed to watch path {:?}", $path);

1913

        } else {

1914

            debug!("watching path {:?}", $path);

1915

1916

}}

1917

1918

1919

/// Add the specified directories to the watcher.

1920

#[allow(clippy::cognitive_complexity)]

1921

fn watch_dirs<R: Runtime>(

1922

    watcher: &mut FileWatcherBuilder<R>,

1923

    dirs: &DirectoryKeyProviderList,

1924

    path_resolver: &CfgPathResolver,

1925

) {

1926

    for path in dirs {

1927

        let path = path.path();

1928

        let Some(path) = maybe_expand_path(path, path_resolver) else {

1929

            warn!("failed to expand key_dir path {:?}", path);

1930

            continue;

1931

};

1932

1933

        // If the path doesn't exist, the notify watcher will return an error if we attempt to watch it,

1934

        // so we skip over paths that don't exist at this time

1935

        // (this obviously suffers from a TOCTOU race, but most of the time,

1936

        // it is good enough at preventing the watcher from failing to watch.

1937

        // If the race *does* happen it is not disastrous, i.e. the reactor won't crash,

1938

        // but it will fail to set the watcher).

1939

        if matches!(path.try_exists(), Ok(true)) {

1940

            watch_path!(watcher, &path, watch_dir, "auth",);

1941

1942

        // FileWatcher::watch_path causes the parent dir of the path to be watched.

1943

        if matches!(path.parent().map(|p| p.try_exists()), Some(Ok(true))) {

1944

            watch_path!(watcher, &path, watch_path,);

1945

1946

1947

1948

1949

/// Try to read the blinded identity key for a given `TimePeriod`.

1950

///

1951

/// Returns `None` if the service is running in "offline" mode.

1952

///

1953

// TODO (#1194): we don't currently have support for "offline" mode so this can never return

1954

// `Ok(None)`.

1955

pub(super) fn read_blind_id_keypair(

1956

    keymgr: &Arc<KeyMgr>,

1957

    nickname: &HsNickname,

1958

    period: TimePeriod,

1959

) -> Result<Option<HsBlindIdKeypair>, FatalError> {

1960

    let svc_key_spec = HsIdKeypairSpecifier::new(nickname.clone());

1961

    let hsid_kp = keymgr

1962

        .get::<HsIdKeypair>(&svc_key_spec)?

1963

        .ok_or_else(|| FatalError::MissingHsIdKeypair(nickname.clone()))?;

1964

1965

    let blind_id_key_spec = BlindIdKeypairSpecifier::new(nickname.clone(), period);

1966

1967

    // TODO: make the keystore selector configurable

1968

    let keystore_selector = Default::default();

1969

    match keymgr.get::<HsBlindIdKeypair>(&blind_id_key_spec)? {

1970

        Some(kp) => Ok(Some(kp)),

1971

        None => {

1972

            let (_hs_blind_id_key, hs_blind_id_kp, _subcredential) = hsid_kp

1973

                .compute_blinded_key(period)

1974

                .map_err(|_| internal!("failed to compute blinded key"))?;

1975

1976

            // Note: we can't use KeyMgr::generate because this key is derived from the HsId

1977

            // (KeyMgr::generate uses the tor_keymgr::Keygen trait under the hood,

1978

            // which assumes keys are randomly generated, rather than derived from existing keys).

1979

1980

            keymgr.insert(hs_blind_id_kp, &blind_id_key_spec, keystore_selector, true)?;

1981

1982

            let arti_path = |spec: &dyn KeySpecifier| {

1983

                spec.arti_path()

1984

                    .map_err(into_internal!("invalid key specifier?!"))

1985

};

1986

1987

            Ok(Some(

1988

                keymgr.get::<HsBlindIdKeypair>(&blind_id_key_spec)?.ok_or(

1989

                    FatalError::KeystoreRace {

1990

                        action: "read",

1991

                        path: arti_path(&blind_id_key_spec)?,

1992

},

1993

)?,

1994

))

1995

1996

1997

1998

1999

/// Determine the [`State`] of the publisher based on the upload results

2000

/// from the current `time_periods`.

2001

16

fn upload_result_state(

2002

16

    netdir: &NetDir,

2003

16

    time_periods: &[TimePeriodContext],

2004

16

) -> (State, Option<Problem>) {

2005

16

    let current_period = netdir.hs_time_period();

2006

16

    let current_period_res = time_periods

2007

16

        .iter()

2008

24

        .find(|ctx| ctx.params.time_period() == current_period);

2009

16

2010

16

    let succeeded_current_tp = current_period_res

2011

16

        .iter()

2012

24

        .flat_map(|res| &res.upload_results)

2013

132

        .filter(|res| res.upload_res.is_ok())

2014

16

        .collect_vec();

2015

16

2016

16

    let secondary_tp_res = time_periods

2017

16

        .iter()

2018

36

        .filter(|ctx| ctx.params.time_period() != current_period)

2019

16

        .collect_vec();

2020

16

2021

16

    let succeeded_secondary_tp = secondary_tp_res

2022

16

        .iter()

2023

22

        .flat_map(|res| &res.upload_results)

2024

108

        .filter(|res| res.upload_res.is_ok())

2025

16

        .collect_vec();

2026

16

2027

16

    // All of the failed uploads (for all TPs)

2028

16

    let failed = time_periods

2029

16

        .iter()

2030

36

        .flat_map(|res| &res.upload_results)

2031

232

        .filter(|res| res.upload_res.is_err())

2032

16

        .collect_vec();

2033

16

    let problems: Vec<DescUploadRetryError> = failed

2034

16

        .iter()

2035

108

        .flat_map(|e| e.upload_res.as_ref().map_err(|e| e.clone()).err())

2036

16

        .collect();

2037

2038

16

    let err = match problems.as_slice() {

2039

16

        [_, ..] => Some(problems.into()),

2040

8

        [] => None,

2041

};

2042

2043

16

    if time_periods.len() < 2 {

2044

        // We need at least TP contexts (one for the primary TP,

2045

        // and another for the secondary one).

2046

//

2047

        // If either is missing, we are unreachable for some or all clients.

2048

4

        return (State::DegradedUnreachable, err);

2049

12

2050

2051

12

    let state = match (

2052

12

        succeeded_current_tp.as_slice(),

2053

12

        succeeded_secondary_tp.as_slice(),

2054

12

) {

2055

12

        (&[], &[..]) | (&[..], &[]) if failed.is_empty() => {

2056

            // We don't have any upload results for one or both TPs.

2057

            // We are still bootstrapping.

2058

6

            State::Bootstrapping

2059

2060

4

        (&[_, ..], &[_, ..]) if failed.is_empty() => {

2061

2

            // We have uploaded the descriptor to one or more HsDirs from both

2062

2

            // HsDir rings (primary and secondary), and none of the uploads failed.

2063

2

            // We are fully reachable.

2064

2

            State::Running

2065

2066

        (&[_, ..], &[_, ..]) => {

2067

            // We have uploaded the descriptor to one or more HsDirs from both

2068

            // HsDir rings (primary and secondary), but some of the uploads failed.

2069

            // We are reachable, but we failed to upload the descriptor to all the HsDirs

2070

            // that were supposed to have it.

2071

2

            State::DegradedReachable

2072

2073

        (&[..], &[]) | (&[], &[..]) => {

2074

            // We have either

2075

            //   * uploaded the descriptor to some of the HsDirs from one of the rings,

2076

            //   but haven't managed to upload it to any of the HsDirs on the other ring, or

2077

            //   * all of the uploads failed

2078

//

2079

            // Either way, we are definitely not reachable by all clients.

2080

2

            State::DegradedUnreachable

2081

2082

};

2083

2084

12

    (state, err)

2085

16

2086

2087

/// Whether the reactor should initiate an upload.

2088

#[derive(Copy, Clone, Debug, Default, PartialEq)]

2089

enum PublishStatus {

2090

    /// We need to call upload_all.

2091

    UploadScheduled,

2092

    /// We are rate-limited until the specified [`Instant`].

2093

///

2094

    /// We have tried to schedule multiple uploads in a short time span,

2095

    /// and we are rate-limited. We are waiting for a signal from the schedule_upload_tx

2096

    /// channel to unblock us.

2097

    RateLimited(Instant),

2098

    /// We are idle and waiting for external events.

2099

///

2100

    /// We have enough information to build the descriptor, but since we have already called

2101

    /// upload_all to upload it to all relevant HSDirs, there is nothing for us to do right nbow.

2102

    Idle,

2103

    /// We are waiting for the IPT manager to establish some introduction points.

2104

///

2105

    /// No descriptors will be published until the `PublishStatus` of the reactor is changed to

2106

    /// `UploadScheduled`.

2107

    #[default]

2108

    AwaitingIpts,

2109

2110

2111

/// The backoff schedule for the task that publishes descriptors.

2112

#[derive(Clone, Debug)]

2113

struct PublisherBackoffSchedule<M: Mockable> {

2114

    /// The delays

2115

    retry_delay: RetryDelay,

2116

    /// The mockable reactor state, needed for obtaining an rng.

2117

    mockable: M,

2118

2119

2120

impl<M: Mockable> BackoffSchedule for PublisherBackoffSchedule<M> {

2121

    fn max_retries(&self) -> Option<usize> {

2122

        None

2123

2124

2125

    fn overall_timeout(&self) -> Option<Duration> {

2126

        Some(OVERALL_UPLOAD_TIMEOUT)

2127

2128

2129

    fn single_attempt_timeout(&self) -> Option<Duration> {

2130

        Some(self.mockable.estimate_upload_timeout())

2131

2132

2133

    fn next_delay<E: RetriableError>(&mut self, _error: &E) -> Option<Duration> {

2134

        Some(self.retry_delay.next_delay(&mut self.mockable.thread_rng()))

2135

2136

2137

2138

impl RetriableError for UploadError {

2139

    fn should_retry(&self) -> bool {

2140

        match self {

2141

            UploadError::Request(_) | UploadError::Circuit(_) | UploadError::Stream(_) => true,

2142

            UploadError::Bug(_) => false,

2143

2144

2145

2146

2147

/// The outcome of uploading a descriptor to the HSDirs from a particular time period.

2148

#[derive(Debug, Clone)]

2149

struct TimePeriodUploadResult {

2150

    /// The time period.

2151

    time_period: TimePeriod,

2152

    /// The upload results.

2153

    hsdir_result: Vec<HsDirUploadStatus>,

2154

2155

2156

/// The outcome of uploading a descriptor to a particular HsDir.

2157

#[derive(Clone, Debug)]

2158

struct HsDirUploadStatus {

2159

    /// The identity of the HsDir we attempted to upload the descriptor to.

2160

    relay_ids: RelayIds,

2161

    /// The outcome of this attempt.

2162

    upload_res: UploadResult,

2163

    /// The revision counter of the descriptor we tried to upload.

2164

    revision_counter: RevisionCounter,

2165

2166

2167

/// The outcome of uploading a descriptor.

2168

type UploadResult = Result<(), DescUploadRetryError>;

2169

2170

impl From<BackoffError<UploadError>> for DescUploadRetryError {

2171

    fn from(e: BackoffError<UploadError>) -> Self {

2172

        use BackoffError as BE;

2173

        use DescUploadRetryError as DURE;

2174

2175

        match e {

2176

            BE::FatalError(e) => DURE::FatalError(e),

2177

            BE::MaxRetryCountExceeded(e) => DURE::MaxRetryCountExceeded(e),

2178

            BE::Timeout(e) => DURE::Timeout(e),

2179

            BE::ExplicitStop(_) => {

2180

                DURE::Bug(internal!("explicit stop in publisher backoff schedule?!"))

2181

2182

2183

2184

2185

2186

// NOTE: the rest of the publisher tests live in publish.rs

2187

#[cfg(test)]

2188

mod test {

2189

    // @@ begin test lint list maintained by maint/add_warning @@

2190

    #![allow(clippy::bool_assert_comparison)]

2191

    #![allow(clippy::clone_on_copy)]

2192

    #![allow(clippy::dbg_macro)]

2193

    #![allow(clippy::mixed_attributes_style)]

2194

    #![allow(clippy::print_stderr)]

2195

    #![allow(clippy::print_stdout)]

2196

    #![allow(clippy::single_char_pattern)]

2197

    #![allow(clippy::unwrap_used)]

2198

    #![allow(clippy::unchecked_duration_subtraction)]

2199

    #![allow(clippy::useless_vec)]

2200

    #![allow(clippy::needless_pass_by_value)]

2201

    //! <!-- @@ end test lint list maintained by maint/add_warning @@ -->

2202

    use super::*;

2203

    use tor_netdir::testnet;

2204

2205

    /// Create a `TimePeriodContext` from the specified upload results.

2206

    fn create_time_period_ctx(

2207

        params: &HsDirParams,

2208

        upload_results: Vec<HsDirUploadStatus>,

2209

    ) -> TimePeriodContext {

2210

        TimePeriodContext {

2211

            params: params.clone(),

2212

            hs_dirs: vec![],

2213

            last_successful: None,

2214

            upload_results,

2215

2216

2217

2218

    /// Create a single `HsDirUploadStatus`

2219

    fn create_upload_status(upload_res: UploadResult) -> HsDirUploadStatus {

2220

        HsDirUploadStatus {

2221

            relay_ids: RelayIds::empty(),

2222

            upload_res,

2223

            revision_counter: RevisionCounter::from(13),

2224

2225

2226

2227

    /// Create a bunch of results, all with the specified `upload_res`.

2228

    fn create_upload_results(upload_res: UploadResult) -> Vec<HsDirUploadStatus> {

2229

        std::iter::repeat_with(|| create_upload_status(upload_res.clone()))

2230

            .take(10)

2231

            .collect()

2232

2233

2234

    fn construct_netdir() -> NetDir {

2235

        const SRV1: [u8; 32] = *b"The door refused to open.       ";

2236

        const SRV2: [u8; 32] = *b"It said, 'Five cents, please.'  ";

2237

2238

        let dir = testnet::construct_custom_netdir(|_, _, bld| {

2239

            bld.shared_rand_prev(7, SRV1.into(), None)

2240

                .shared_rand_prev(7, SRV2.into(), None);

2241

})

2242

        .unwrap();

2243

2244

        dir.unwrap_if_sufficient().unwrap()

2245

2246

2247

    #[test]

2248

    fn upload_result_status_bootstrapping() {

2249

        let netdir = construct_netdir();

2250

        let all_params = netdir.hs_all_time_periods();

2251

        let current_period = netdir.hs_time_period();

2252

        let primary_params = all_params

2253

            .iter()

2254

            .find(|param| param.time_period() == current_period)

2255

            .unwrap();

2256

        let results = [

2257

            (vec![], vec![]),

2258

            (vec![], create_upload_results(Ok(()))),

2259

            (create_upload_results(Ok(())), vec![]),

2260

];

2261

2262

        for (primary_result, secondary_result) in results {

2263

            let primary_ctx = create_time_period_ctx(primary_params, primary_result);

2264

2265

            let secondary_params = all_params

2266

                .iter()

2267

                .find(|param| param.time_period() != current_period)

2268

                .unwrap();

2269

            let secondary_ctx = create_time_period_ctx(secondary_params, secondary_result.clone());

2270

2271

            let (status, err) = upload_result_state(&netdir, &[primary_ctx, secondary_ctx]);

2272

            assert_eq!(status, State::Bootstrapping);

2273

            assert!(err.is_none());

2274

2275

2276

2277

    #[test]

2278

    fn upload_result_status_running() {

2279

        let netdir = construct_netdir();

2280

        let all_params = netdir.hs_all_time_periods();

2281

        let current_period = netdir.hs_time_period();

2282

        let primary_params = all_params

2283

            .iter()

2284

            .find(|param| param.time_period() == current_period)

2285

            .unwrap();

2286

2287

        let secondary_result = create_upload_results(Ok(()));

2288

        let secondary_params = all_params

2289

            .iter()

2290

            .find(|param| param.time_period() != current_period)

2291

            .unwrap();

2292

        let secondary_ctx = create_time_period_ctx(secondary_params, secondary_result.clone());

2293

2294

        let primary_result = create_upload_results(Ok(()));

2295

        let primary_ctx = create_time_period_ctx(primary_params, primary_result);

2296

        let (status, err) = upload_result_state(&netdir, &[primary_ctx, secondary_ctx]);

2297

        assert_eq!(status, State::Running);

2298

        assert!(err.is_none());

2299

2300

2301

    #[test]

2302

    fn upload_result_status_reachable() {

2303

        let netdir = construct_netdir();

2304

        let all_params = netdir.hs_all_time_periods();

2305

        let current_period = netdir.hs_time_period();

2306

        let primary_params = all_params

2307

            .iter()

2308

            .find(|param| param.time_period() == current_period)

2309

            .unwrap();

2310

2311

        let primary_result = create_upload_results(Ok(()));

2312

        let primary_ctx = create_time_period_ctx(primary_params, primary_result.clone());

2313

        let failed_res = create_upload_results(Err(DescUploadRetryError::Bug(internal!("test"))));

2314

        let secondary_result = create_upload_results(Ok(()))

2315

            .into_iter()

2316

            .chain(failed_res.iter().cloned())

2317

            .collect();

2318

        let secondary_params = all_params

2319

            .iter()

2320

            .find(|param| param.time_period() != current_period)

2321

            .unwrap();

2322

        let secondary_ctx = create_time_period_ctx(secondary_params, secondary_result);

2323

        let (status, err) = upload_result_state(&netdir, &[primary_ctx, secondary_ctx]);

2324

2325

        // Degraded but reachable (because some of the secondary HsDir uploads failed).

2326

        assert_eq!(status, State::DegradedReachable);

2327

        assert!(matches!(err, Some(Problem::DescriptorUpload(_))));

2328

2329

2330

    #[test]

2331

    fn upload_result_status_unreachable() {

2332

        let netdir = construct_netdir();

2333

        let all_params = netdir.hs_all_time_periods();

2334

        let current_period = netdir.hs_time_period();

2335

        let primary_params = all_params

2336

            .iter()

2337

            .find(|param| param.time_period() == current_period)

2338

            .unwrap();

2339

        let mut primary_result =

2340

            create_upload_results(Err(DescUploadRetryError::Bug(internal!("test"))));

2341

        let primary_ctx = create_time_period_ctx(primary_params, primary_result.clone());

2342

        // No secondary TP (we are unreachable).

2343

        let (status, err) = upload_result_state(&netdir, &[primary_ctx]);

2344

        assert_eq!(status, State::DegradedUnreachable);

2345

        assert!(matches!(err, Some(Problem::DescriptorUpload(_))));

2346

2347

        // Add a successful result

2348

        primary_result.push(create_upload_status(Ok(())));

2349

        let primary_ctx = create_time_period_ctx(primary_params, primary_result.clone());

2350

        let (status, err) = upload_result_state(&netdir, &[primary_ctx]);

2351

        // Still degraded, and unreachable (because we don't have a TimePeriodContext

2352

        // for the secondary TP)

2353

        assert_eq!(status, State::DegradedUnreachable);

2354

        assert!(matches!(err, Some(Problem::DescriptorUpload(_))));

2355

2356

        // If we add another time period where none of the uploads were successful,

2357

        // we're *still* unreachable

2358

        let secondary_result =

2359

            create_upload_results(Err(DescUploadRetryError::Bug(internal!("test"))));

2360

        let secondary_params = all_params

2361

            .iter()

2362

            .find(|param| param.time_period() != current_period)

2363

            .unwrap();

2364

        let secondary_ctx = create_time_period_ctx(secondary_params, secondary_result.clone());

2365

        let primary_ctx = create_time_period_ctx(primary_params, primary_result.clone());

2366

        let (status, err) = upload_result_state(&netdir, &[primary_ctx, secondary_ctx]);

2367

        assert_eq!(status, State::DegradedUnreachable);

2368

        assert!(matches!(err, Some(Problem::DescriptorUpload(_))));

2369

2370