GitLab

at 2024-10-30T16:13:30+00:00

fixup! Lox integration

Bug 42597: Fix `#updatePubkeys`.

fixup! Lox integration

Bug 42597: Fix generateInvite.

We make sure to call handle_issue_invite to convert the response from
"issueinvite" into credentials.

We also stop stringifying the lox credentials, which are already a
string.

fixup! Lox integration

Bug 42597: Made sure we're always using `JSON.parse(request).request`
where `request` is generated by lox_wasm.

fixup! Lox integration

Bug 42597: Move duplicate logic into `#makeRequest`.

Moreover, we pass in the common fetch arguments into buildPostRequest
and treat the return value as a string instead of a JSON object.

fixup! Lox integration

Bug 42597: Refactor error handling.

A lot of the errors can be propagated to the caller.

fixup! Bug 40597: Implement TorSettings module

Bug 42597: Make buildPostRequest accept fetch arguments.

This allows the request to buildPostRequest in the Lox module use the
same arguments that would be passed to `fetch`.

Also, return the text stream, rather than JSON.

fixup! Lox integration

Bug 42597: Add note for missing trusted invites.

   set_panic_hook: "resource://gre/modules/lox_wasm.jsm",

   invitation_is_trusted: "resource://gre/modules/lox_wasm.jsm",

   issue_invite: "resource://gre/modules/lox_wasm.jsm",

+  handle_issue_invite: "resource://gre/modules/lox_wasm.jsm",

   prepare_invite: "resource://gre/modules/lox_wasm.jsm",

   get_invites_remaining: "resource://gre/modules/lox_wasm.jsm",

   get_trust_level: "resource://gre/modules/lox_wasm.jsm",

 export class LoxError extends Error {

   static BadInvite = "BadInvite";

   static LoxServerUnreachable = "LoxServerUnreachable";

+  static ErrorResponse = "ErrorResponse";

   /**

    * @param {string} message - The error message.

   }

   /**

-   * Update Lox credential after Lox key rotation

-   * Do not call directly, use #getPubKeys() instead to start the update only

-   * once

+   * Update Lox credential after Lox key rotation.

    *

-   * @param {string} prevkeys The public keys we are replacing

+   * Do not call directly, use #getPubKeys() instead to start the update only

+   * once.

    */

-  async #updatePubkeys(prevkeys) {

-    let pubKeys;

-    try {

-      pubKeys = await this.#makeRequest("pubkeys", []);

-    } catch (error) {

-      lazy.logger.debug("Failed to get pubkeys", error);

-      // Make the next call try again.

-      this.#pubKeyPromise = null;

-      if (!this.#pubKeys) {

-        throw error;

-      }

-      return;

-    }

+  async #updatePubkeys() {

+    let pubKeys = await this.#makeRequest("pubkeys", null);

     const prevKeys = this.#pubKeys;

     if (prevKeys !== null) {

       // check if the lox pubkeys have changed and update the lox

-      // credentials if so

-      let lox_cred_req;

-      try {

-        lox_cred_req = JSON.parse(

-          lazy.check_lox_pubkeys_update(

-            JSON.stringify(pubKeys),

-            prevkeys,

-            this.#getCredentials(this.#activeLoxId)

-          )

-        );

-      } catch (error) {

-        lazy.logger.debug("Check lox pubkey update failed", error);

-        // Make the next call try again.

-        this.#pubKeyPromise = null;

-        return;

-      }

-      if (lox_cred_req.updated) {

+      // credentials if so.

+      //

+      // The UpdateCredOption rust struct serializes to "req" rather than

+      // "request".

+      const { updated, req: request } = JSON.parse(

+        lazy.check_lox_pubkeys_update(

+          pubKeys,

+          prevKeys,

+          this.#getCredentials(this.#activeLoxId)

+        )

+      );

+      if (updated) {

+        // Try update credentials.

+        // NOTE: This should be re-callable if any step fails.

+        // TODO: Verify this.

         lazy.logger.debug(

           `Lox pubkey updated, update Lox credential "${this.#activeLoxId}"`

         );

-        let response;

-        try {

-          // TODO: If this call doesn't succeed due to a networking error, the Lox

-          // credential may be in an unusable state (spent but not updated)

-          // until this request can be completed successfully (and until Lox

-          // is refactored to send repeat responses:

-          // https://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/74)

-          response = await this.#makeRequest("updatecred", lox_cred_req.req);

-        } catch (error) {

-          lazy.logger.debug("Lox cred update failed.", error);

-          // Make the next call try again.

-          this.#pubKeyPromise = null;

-          return;

-        }

-        if (response.hasOwnProperty("error")) {

-          lazy.logger.error(response.error);

-          this.#pubKeyPromise = null;

-          lazy.logger.debug(

-            `Error response to Lox pubkey update request: "${response.error}", reverting to old pubkeys`

-          );

-          return;

-        }

-        let cred;

-        try {

-          cred = lazy.handle_update_cred(

-            lox_cred_req.req,

-            JSON.stringify(response),

-            pubKeys

-          );

-        } catch (error) {

-          lazy.logger.debug("Unable to handle updated Lox cred", error);

-          // Make the next call try again.

-          this.#pubKeyPromise = null;

-          return;

-        }

+        // TODO: If this call doesn't succeed due to a networking error, the Lox

+        // credential may be in an unusable state (spent but not updated)

+        // until this request can be completed successfully (and until Lox

+        // is refactored to send repeat responses:

+        // https://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/74)

+        let response = await this.#makeRequest("updatecred", request);

+        let cred = lazy.handle_update_cred(request, response, pubKeys);

         this.#changeCredentials(this.#activeLoxId, cred);

       }

     }

     // If we arrive here we haven't had other errors before, we can actually

     // store the new public key.

-    this.#pubKeys = JSON.stringify(pubKeys);

+    this.#pubKeys = pubKeys;

     this.#store();

   }

     // FIXME: We are always refetching #pubKeys, #encTable and #constants once

     // per session, but they may change more frequently. tor-browser#42502

     if (this.#pubKeyPromise === null) {

-      this.#pubKeyPromise = this.#updatePubkeys();

+      this.#pubKeyPromise = this.#updatePubkeys().catch(error => {

+        lazy.logger.debug("Failed to update pubKeys", error);

+        // Try again with the next call.

+        this.#pubKeyPromise = null;

+        if (!this.#pubKeys) {

+          // Re-throw if we have no pubKeys value for the caller.

+          throw error;

+        }

+      });

     }

     await this.#pubKeyPromise;

   }

   async #getEncTable() {

     if (this.#encTablePromise === null) {

-      this.#encTablePromise = this.#makeRequest("reachability", [])

+      this.#encTablePromise = this.#makeRequest("reachability", null)

         .then(encTable => {

-          this.#encTable = JSON.stringify(encTable);

+          this.#encTable = encTable;

           this.#store();

         })

         .catch(error => {

   async #getConstants() {

     if (this.#constantsPromise === null) {

       // Try to update first, but if that doesn't work fall back to stored data

-      this.#constantsPromise = this.#makeRequest("constants", [])

+      this.#constantsPromise = this.#makeRequest("constants", null)

         .then(constants => {

           const prevValue = this.#constants;

-          this.#constants = JSON.stringify(constants);

+          this.#constants = constants;

           this.#store();

           if (prevValue !== this.#constants) {

             Services.obs.notifyObservers(null, LoxTopics.UpdateNextUnlock);

    */

   async #backgroundTasks() {

     this.#assertInitialized();

-    let addedEvent = false;

     // Only run background tasks for the active lox ID.

     const loxId = this.#activeLoxId;

     if (!loxId) {

     // this should catch key rotations (ideally some days) prior to the next

     // credential update

     await this.#getPubKeys();

+    let levelup = false;

     try {

-      const levelup = await this.#attemptUpgrade(loxId);

-      if (levelup) {

-        const level = this.#getLevel(loxId);

-        const newEvent = {

-          type: "levelup",

-          newlevel: level,

-        };

-        this.#events.push(newEvent);

-        this.#store();

-        addedEvent = true;

-      }

-    } catch (err) {

-      lazy.logger.error(err);

+      levelup = await this.#attemptUpgrade(loxId);

+    } catch (error) {

+      lazy.logger.error(error);

     }

+    if (levelup) {

+      const level = this.#getLevel(loxId);

+      const newEvent = {

+        type: "levelup",

+        newlevel: level,

+      };

+      this.#events.push(newEvent);

+      this.#store();

+    }

+

+    let leveldown = false;

     try {

-      const leveldown = await this.#blockageMigration(loxId);

-      if (leveldown) {

-        let level = this.#getLevel(loxId);

-        const newEvent = {

-          type: "blockage",

-          newlevel: level,

-        };

-        this.#events.push(newEvent);

-        this.#store();

-        addedEvent = true;

-      }

-    } catch (err) {

-      lazy.logger.error(err);

+      leveldown = await this.#blockageMigration(loxId);

+    } catch (error) {

+      lazy.logger.error(error);

+    }

+    if (leveldown) {

+      let level = this.#getLevel(loxId);

+      const newEvent = {

+        type: "blockage",

+        newlevel: level,

+      };

+      this.#events.push(newEvent);

+      this.#store();

     }

-    if (addedEvent) {

+

+    if (levelup || leveldown) {

       Services.obs.notifyObservers(null, LoxTopics.UpdateEvents);

     }

   }

   // to issue open invitations for Lox bridges.

   async requestOpenInvite() {

     this.#assertInitialized();

-    let invite = await this.#makeRequest("invite", []);

+    let invite = JSON.parse(await this.#makeRequest("invite", null));

     lazy.logger.debug(invite);

     return invite;

   }

     // It's fine to get pubkey here without a delay since the user will not have a Lox

     // credential yet

     await this.#getPubKeys();

+    // NOTE: We currently only handle "open invites".

+    // "trusted invites" are not yet supported. tor-browser#42974.

     let request = await lazy.open_invite(JSON.parse(invite).invite);

-    let response = await this.#makeRequest(

-      "openreq",

-      JSON.parse(request).request

-    );

-    lazy.logger.debug("openreq response: ", response);

-    if (response.hasOwnProperty("error")) {

-      throw new LoxError(

-        `Error response to "openreq": ${response.error}`,

-        LoxError.BadInvite

-      );

+    let response;

+    try {

+      response = await this.#makeRequest("openreq", request);

+    } catch (error) {

+      if (error instanceof LoxError && error.code === LoxError.ErrorResponse) {

+        throw new LoxError("Error response to openreq", LoxError.BadInvite);

+      } else {

+        throw error;

+      }

     }

-    let cred = lazy.handle_new_lox_credential(

-      request,

-      JSON.stringify(response),

-      this.#pubKeys

-    );

+    let cred = lazy.handle_new_lox_credential(request, response, this.#pubKeys);

     // Generate an id that is not already in the #credentials map.

     let loxId;

     do {

       throw new LoxError(`Cannot generate invites at level ${level}`);

     }

     let request = lazy.issue_invite(

-      JSON.stringify(this.#getCredentials(loxId)),

+      this.#getCredentials(loxId),

       this.#encTable,

       this.#pubKeys

     );

-    let response = await this.#makeRequest(

-      "issueinvite",

-      JSON.parse(request).request

-    );

-    if (response.hasOwnProperty("error")) {

-      lazy.logger.error(response.error);

-      throw new LoxError(`Error response to "issueinvite": ${response.error}`);

-    } else {

-      const invite = lazy.prepare_invite(response);

-      this.#invites.push(invite);

-      // cap length of stored invites

-      if (this.#invites.len > 50) {

-        this.#invites.shift();

-      }

-      this.#store();

-      this.#changeCredentials(loxId, response);

-      Services.obs.notifyObservers(null, LoxTopics.NewInvite);

-      // Return a copy.

-      // Right now invite is just a string, but that might change in the future.

-      return structuredClone(invite);

+    let response = await this.#makeRequest("issueinvite", request);

+    // TODO: Do we ever expect handle_issue_invite to fail (beyond

+    // implementation bugs)?

+    // TODO: What happens if #pubkeys for `issue_invite` differs from the value

+    // when calling `handle_issue_invite`? Should we cache the value at the

+    // start of this method?

+    let cred = lazy.handle_issue_invite(request, response, this.#pubKeys);

+

+    // Store the new credentials as a priority.

+    this.#changeCredentials(loxId, cred);

+

+    const invite = lazy.prepare_invite(cred);

+    this.#invites.push(invite);

+    // cap length of stored invites

+    if (this.#invites.len > 50) {

+      this.#invites.shift();

     }

+    this.#store();

+    Services.obs.notifyObservers(null, LoxTopics.NewInvite);

+    // Return a copy.

+    // Right now invite is just a string, but that might change in the future.

+    return structuredClone(invite);

   }

   /**

       return false;

     }

     let response = await this.#makeRequest("checkblockage", request);

-    if (response.hasOwnProperty("error")) {

-      lazy.logger.error(response.error);

-      throw new LoxError(

-        `Error response to "checkblockage": ${response.error}`

-      );

-    }

+    // NOTE: If a later method fails, we should be ok to re-call "checkblockage"

+    // from the Lox authority. So there shouldn't be any adverse side effects to

+    // loosing migrationCred.

+    // TODO: Confirm this is safe to lose.

     const migrationCred = lazy.handle_check_blockage(

       this.#getCredentials(loxId),

-      JSON.stringify(response)

+      response

     );

     request = lazy.blockage_migration(

       this.#getCredentials(loxId),

       this.#pubKeys

     );

     response = await this.#makeRequest("blockagemigration", request);

-    if (response.hasOwnProperty("error")) {

-      lazy.logger.error(response.error);

-      throw new LoxError(

-        `Error response to "blockagemigration": ${response.error}`

-      );

-    }

     const cred = lazy.handle_blockage_migration(

       this.#getCredentials(loxId),

-      JSON.stringify(response),

+      response,

       this.#pubKeys

     );

     this.#changeCredentials(loxId, cred);

     return true;

   }

-  /** Attempts to upgrade the currently saved Lox credential.

-   *  If an upgrade is available, save an event in the event list.

+  /**

+   * Attempts to upgrade the currently saved Lox credential.

+   * If an upgrade is available, save an event in the event list.

    *

-   *  @param {string} loxId Lox ID

-   *  @returns {boolean} Whether a levelup event occurred.

+   * @param {string} loxId Lox ID

+   * @returns {boolean} Whether the credential was successfully migrated.

    */

   async #attemptUpgrade(loxId) {

     await this.#getEncTable();

       this.#encTable,

       this.#pubKeys

     );

-    const response = await this.#makeRequest("levelup", request);

-    if (response.hasOwnProperty("error")) {

-      lazy.logger.error(response.error);

-      throw new LoxError(`Error response to "levelup": ${response.error}`);

+    let response;

+    try {

+      response = await this.#makeRequest("levelup", request);

+    } catch (error) {

+      if (error instanceof LoxError && error.code === LoxError.ErrorResponse) {

+        // Not an error.

+        lazy.logger.debug("Not ready for level up", error);

+        return false;

+      }

+      throw error;

     }

-    const cred = lazy.handle_level_up(

-      request,

-      JSON.stringify(response),

-      this.#pubKeys

-    );

+    const cred = lazy.handle_level_up(request, response, this.#pubKeys);

     this.#changeCredentials(loxId, cred);

     return true;

   }

       this.#getPubKeys();

       return false;

     }

-    let request, response;

+    let request;

     try {

       request = lazy.trust_promotion(

         this.#getCredentials(loxId),

         this.#pubKeys

       );

     } catch (err) {

+      // This function is called routinely during the background tasks without

+      // previous checks on whether an upgrade is possible, so it is expected to

+      // fail with a certain frequency. Therefore, do not relay the error to the

+      // caller and just log the message for debugging.

       lazy.logger.debug("Not ready to upgrade", err);

       return false;

     }

-    try {

-      response = await this.#makeRequest(

-        "trustpromo",

-        JSON.parse(request).request

-      );

-    } catch (err) {

-      lazy.logger.error("Failed trust promotion", err);

-      return false;

-    }

-    if (response.hasOwnProperty("error")) {

-      lazy.logger.error("Error response from trustpromo", response.error);

-      return false;

-    }

-    lazy.logger.debug("Got promotion cred", response, request);

-    let promoCred;

-    try {

-      promoCred = lazy.handle_trust_promotion(

-        request,

-        JSON.stringify(response)

-      );

-      lazy.logger.debug("Formatted promotion cred");

-    } catch (err) {

-      lazy.logger.error(

-        "Unable to handle trustpromo response properly",

-        response.error

-      );

-      return false;

-    }

-    try {

-      request = lazy.trust_migration(

-        this.#getCredentials(loxId),

-        promoCred,

-        this.#pubKeys

-      );

-      lazy.logger.debug("Formatted migration request");

-    } catch (err) {

-      lazy.logger.error("Failed to generate trust migration request", err);

-      return false;

-    }

-    try {

-      response = await this.#makeRequest(

-        "trustmig",

-        JSON.parse(request).request

-      );

-    } catch (err) {

-      lazy.logger.error("Failed trust migration", err);

-      return false;

-    }

-    if (response.hasOwnProperty("error")) {

-      lazy.logger.error("Error response from trustmig", response.error);

-      return false;

-    }

-    lazy.logger.debug("Got new credential");

-    let cred;

-    try {

-      cred = lazy.handle_trust_migration(request, response);

-    } catch (err) {

-      lazy.logger.error("Failed to handle response from trustmig", err);

-      return false;

-    }

+

+    let response = await this.#makeRequest("trustpromo", request);

+    // FIXME: Store response to "trustpromo" in case handle_trust_promotion

+    // or "trustmig" fails. The Lox authority will not accept a re-request

+    // to "trustpromo" with the same credentials.

+    let promoCred = lazy.handle_trust_promotion(request, response);

+    lazy.logger.debug("Formatted promotion cred: ", promoCred);

+

+    request = lazy.trust_migration(

+      this.#getCredentials(loxId),

+      promoCred,

+      this.#pubKeys

+    );

+    response = await this.#makeRequest("trustmig", request);

+    lazy.logger.debug("Got new credential: ", response);

+

+    // FIXME: Store response to "trustmig" in case handle_trust_migration

+    // fails. The Lox authority will not accept a re-request to "trustmig" with

+    // the same credentials.

+    let cred = lazy.handle_trust_migration(request, response);

     this.#changeCredentials(loxId, cred);

     return true;

   }

     };

   }

-  async #makeRequest(procedure, args) {

+  /**

+   * Fetch from the Lox authority.

+   *

+   * @param {string} procedure - The request endpoint.

+   * @param {string} body - The arguments to send in the body, if any.

+   *

+   * @returns {string} - The response body.

+   */

+  async #fetch(procedure, body) {

     // TODO: Customize to for Lox

-    const serviceUrl = "https://lox.torproject.org";

-    const url = `${serviceUrl}/${procedure}`;

+    const url = `https://lox.torproject.org/${procedure}`;

+    const method = "POST";

+    const contentType = "application/vnd.api+json";

     if (lazy.TorConnect.state === lazy.TorConnectState.Bootstrapped) {

       let request;

       try {

         request = await fetch(url, {

-          method: "POST",

-          headers: {

-            "Content-Type": "application/vnd.api+json",

-          },

-          body: JSON.stringify(args),

+          method,

+          headers: { "Content-Type": contentType },

+          body,

         });

       } catch (error) {

-        lazy.logger.debug("fetch fail", url, args, error);

+        lazy.logger.debug("fetch fail", url, body, error);

         throw new LoxError(

           `fetch "${procedure}" from Lox authority failed: ${error?.message}`,

           LoxError.LoxServerUnreachable

         );

       }

       if (!request.ok) {

-        lazy.logger.debug("fetch response", url, args, request);

+        lazy.logger.debug("fetch response", url, body, request);

         // Do not treat as a LoxServerUnreachable type.

         throw new LoxError(

           `Lox authority responded to "${procedure}" with ${request.status}: ${request.statusText}`

         );

       }

-      return request.json();

+      return request.text();

     }

+    // TODO: Only make domain fronted requests with user permission.

+    // tor-browser#42606.

     if (this.#domainFrontedRequests === null) {

       this.#domainFrontedRequests = new Promise((resolve, reject) => {

         // TODO: Customize to the values for Lox

     }

     const builder = await this.#domainFrontedRequests;

     try {

-      return await builder.buildPostRequest(url, args);

+      return await builder.buildRequest(url, { method, contentType, body });

     } catch (error) {

-      lazy.logger.debug("Domain front request fail", url, args, error);

+      lazy.logger.debug("Domain front request fail", url, body, error);

       if (error instanceof lazy.DomainFrontRequestNetworkError) {

         throw new LoxError(

           `Domain front fetch "${procedure}" from Lox authority failed: ${error?.message}`,

       );

     }

   }

+

+  /**

+   * Make a request to the lox authority, check for an error response, and

+   * convert it to a string.

+   *

+   * @param {string} procedure - The request endpoint.

+   * @param {?string} request - The request data, as a JSON string containing a

+   *   "request" field. Or `null` to send no data.

+   *

+   * @returns {string} - The stringified JSON response.

+   */

+  async #makeRequest(procedure, request) {

+    // Verify that the response is valid json, by parsing.

+    const jsonResponse = JSON.parse(

+      await this.#fetch(

+        procedure,

+        request ? JSON.stringify(JSON.parse(request).request) : ""

+      )

+    );

+    lazy.logger.debug(`${procedure} response:`, jsonResponse);

+    if (Object.hasOwn(jsonResponse, "error")) {

+      // TODO: Figure out if any of the "error" responses should be treated as

+      // an error. I.e. which of the procedures have soft failures and hard

+      // failures.

+      throw LoxError(

+        `Error response to ${procedure}: ${jsonResponse.error}`,

+        LoxError.ErrorResponse

+      );

+    }

+    return JSON.stringify(jsonResponse);

+  }

 }

 export const Lox = new LoxImpl();
   }

   /**

-   * Make a POST request with a JSON body and a JSON response.

+   * Make a request.

    *

-   * @param {string} url The URL to load

-   * @param {object} args The arguments to send to the procedure. It will be

-   * serialized to JSON by this function and then set as POST body

-   * @returns {Promise<object>} A promise with the parsed response

+   * @param {string} url The URL to request.

+   * @param {object} args The arguments to send to the procedure.

+   * @param {string} args.method The request method.

+   * @param {string} args.body The request body.

+   * @param {string} args.contentType The "Content-Type" header to set.

+   * @returns {string} The response body.

    */

-  async buildPostRequest(url, args) {

+  async buildRequest(url, args) {

     const ch = this.buildHttpHandler(url);

-    const argsJson = JSON.stringify(args);

     const inStream = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(

       Ci.nsIStringInputStream

     );

-    inStream.setData(argsJson, argsJson.length);

+    inStream.setData(args.body, args.body.length);

     const upChannel = ch.QueryInterface(Ci.nsIUploadChannel);

-    const contentType = "application/vnd.api+json";

-    upChannel.setUploadStream(inStream, contentType, argsJson.length);

-    ch.requestMethod = "POST";

+    upChannel.setUploadStream(inStream, args.contentType, args.body.length);

+    ch.requestMethod = args.method;

     // Make request

     const listener = new ResponseListener();

     await ch.asyncOpen(listener, ch);

     // wait for response

-    const responseJSON = await listener.response();

-

-    // parse that JSON

-    return JSON.parse(responseJSON);

+    return listener.response();

   }

 }
     const procedureURIString = `${Services.prefs.getStringPref(

       TorLauncherPrefs.moat_service

     )}/${procedure}`;

-    return this.#requestBuilder.buildPostRequest(procedureURIString, args);

+    return JSON.parse(

+      await this.#requestBuilder.buildRequest(procedureURIString, {

+        method: "POST",

+        contentType: "application/vnd.api+json",

+        body: JSON.stringify(args),

+      })

+    );

   }

   async testInternetConnection() {

Pier Angelo Vendrame pushed to branch tor-browser-128.4.0esr-14.5-1 at The Tor Project / Applications / Tor Browser

Commits:

3 changed files:

Changes: