firewall: session-dependent privacy flags #746
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bitromortac
force-pushed
the
privacy-flags
branch
from
a0161f2 to
d7617ad
Compare
bitromortac
force-pushed
the
privacy-flags
branch
from
d7617ad to
689b39c
Compare
ViktorTigerstrom
approved these changes
Apr 18, 2024
ellemouton
reviewed
Apr 22, 2024
bitromortac
force-pushed
the
privacy-flags
branch
from
689b39c to
42a3dd8
Compare
bitromortac
force-pushed
the
privacy-flags
branch
2 times, most recently
from
1e4d710 to
2601af8
Compare
Fixes the timeout keyword. Also enable speedups by mounting go caches as well as a golangci-lint cache that caches linter data accross runs.
We add a privacy flag type that can be used to serialize/deserialize from a uint64. This is the source for which privacy flags are available.
Privacy flags are stored within the session.
SessionDB is an interface that gives helper methods for how privacy mapping should be done. A mock for SessionDB is added to save on some code repetition, the privacy flags functionality is used in a later test.
We change the rule mapping to accept the newly added privacy flags. Peer and channel restrictions can be controlled with privacy flags.
We change the rule mapping to accept the newly added privacy flags. Peer and channel restrictions can be controlled with privacy flags.
gRPC message interception depends now on privacy flags.
* to Features to know about default privacy flags in `autopilot features` * to RegisterAutopilotSession in order to communicate to the autopilot which privacy flags are being used after `autopilot add`
* to sessions in order to get details when running `autopilot list` * to the autopilot rpc to be able to register features with privacy flags via cli `autopilot add`
For autopilot session registration, we accept default recommendations from autopilot in order to weaken privacy obfuscation for the requested features. Default privacy flags are supplied by ListFeatures and by flags passed to the AddAutopilotSession request. Privacy flags are ORed to combine to the weakest aggregated privacy obfuscation in order to allow for multiple feature registration. In order to preserve high privacy settings for a feature it should be registered in an isolated manner.
Adds support for overriding defaul privacy flags for non-default feature configurations.
bitromortac
force-pushed
the
privacy-flags
branch
2 times, most recently
from
25e5811 to
497e42c
Compare
This is to tolerate unknown rules sent from the autopilot for the `autopilot features` command. Otherwise, when trying to register a feature that requires an upgrade, a more user friendly error is returned.
bitromortac
force-pushed
the
privacy-flags
branch
from
497e42c to
5129b95
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds functionality for the autopilot privacy mapper that enables to selectively reveal data that otherwise is obfuscated by default. This is necessary in order to support more advanced autopilot features, such as the soon to be added automatic channel open service. In this case it is necessary to communicate litd's node pubkey to the service (via
GetInfo) in order for it to be able to make high-quality node suggestions, taking the nodes's position within the graph into account. Uncovering pubkeys will also be necessary in order to know the peers with which force closes have happened, to not open new channels, or to check whether channels with liquidity already exist. It is nevertheless important to still obfuscate precise channel balances and other information. This is why privacy flags are introduced (in the auto open example it is theClearPubkeysflag), which define the precise deobfuscation within a session for the following interaction points:Feature configuration:
Features can be configured (not used yet by any feature) to define algorithmic behavior, for example one can imagine to specify peers to preferentially open channels with. Currently, those node ids are obfuscated, but for automatic channel opens it will be important to know the identity of the nodes in order to respect the user's preference.
Feature rules:
Feature rules define the boundaries within which autopilot is allowed to operate. This includes a peer restriction rule. In the example of automatic channel opens, the service needs to know the pubkeys for nodes not to open channels with.
Firewall intercepted calls from autopilot to litd:
As explained above, certain APIs need to reveal the pubkeys of peers in order for the autopilot to function correctly.
Privacy obfuscation remains on by default and
AutoFee's privacy properties remain unaltered. Features can be registered together in a single session, whereby the session's privacy flags will be the union of privacy flags of all the features (which is why feature registration is recommended to be done in individual sessions). When linking sessions, privacy flags must be preserved accross the linked sessions, which is checked by autopilot.