Add support for public extensions in Reports. #754
Conversation
jhoyla
requested review from
armfazh,
bhalleycf,
cjpatton,
fisherdarling,
cbranch,
lbaquerofierro,
mendess and
RageKnify
as code owners
So the spec says: Which I take to mean a conflict between the public and private extensions is allowed. |
The intent of the text is: "if the same extension appears twice, then the report MUST be rejected - regardless of what fields the extensions appear in." In particular, if the taskprov extension appears in the public and private fields, then reject. |
jhoyla
force-pushed
the
jhoyla/public-extensions
branch
4 times, most recently
from
eda9b3c to
5078b99
Compare
| @@ -533,6 +537,150 @@ async fn leader_upload_taskprov_wrong_version(version: DapVersion) { | |||
|
|
|||
| async_test_versions!(leader_upload_taskprov_wrong_version); | |||
|
|
|||
| #[tokio::test] | |||
There was a problem hiding this comment.
I think the test coverage in the daphne::roles module is high enough that we could just as easily move theses tests there. You can call leader::handle_upload_req() on the mock aggregator, just as you already do in a new test in that module.
Any code path that can be tested without the e2e setup ought to be moved to a unit test, since unit tests are easier to run.
There was a problem hiding this comment.
Can we move these tests to the daphne crate?
crates/daphne/src/error/aborts.rs
Outdated
| task_id: &TaskId, | ||
| unknown_extensions: &[u16], | ||
| ) -> Result<Self, DapError> { | ||
| let detail = serde_json::to_string(&unknown_extensions); |
There was a problem hiding this comment.
Unnecessary reference
| let detail = serde_json::to_string(&unknown_extensions); | |
| let detail = serde_json::to_string(unknown_extensions); |
There was a problem hiding this comment.
Why use json here? We don't expect anyone to parse the detail, you could just use
| let detail = serde_json::to_string(&unknown_extensions); | |
| let detail = format!("{unknown_extensions:?}"); |
which I think will output exactly the same thing in this case
crates/daphne/src/error/aborts.rs
Outdated
| detail: s, | ||
| task_id: *task_id, | ||
| }), | ||
| Err(x) => Err(fatal_error!(err = %x,)), |
There was a problem hiding this comment.
| Err(x) => Err(fatal_error!(err = %x,)), | |
| Err(x) => Err(fatal_error!(err = %x)), |
crates/daphne/src/error/aborts.rs
Outdated
| task_id: &TaskId, | ||
| unknown_extensions: &[u16], | ||
| ) -> Result<Self, DapError> { | ||
| let detail = serde_json::to_string(&unknown_extensions); |
There was a problem hiding this comment.
More Rusty
| let detail = serde_json::to_string(&unknown_extensions); | |
| let detail = serde_json::to_string(&unknown_extensions).map_err(|e| fatal_error!(err = e))?; |
crates/daphne/src/protocol/client.rs
Outdated
| public_extensions: match version { | ||
| DapVersion::Draft09 => None, | ||
| DapVersion::Latest => Some(Vec::new()), | ||
| }, |
There was a problem hiding this comment.
Since the extensions are replicated between the Leader and Helper, perhaps it makes more sense to include them in the public extensions field rather than in the private extension fields.
If you take this suggestion, let's also rename extensions to public_extensions.
crates/daphne/src/protocol/mod.rs
Outdated
| } | ||
| ); | ||
| } | ||
| test_versions! {handle_unknown_public_extensions_in_report} |
There was a problem hiding this comment.
Note: This creates the test for all versions of DAP, including draft 09.
| ) { | ||
| (Some(extensions), DapVersion::Latest) => { | ||
| let mut unknown_extensions = Vec::<u16>::new(); | ||
| if crate::protocol::no_duplicates(extensions.iter()).is_err() { |
There was a problem hiding this comment.
And use crate::protocol;. Also, we should rename no_duplicates to something more distinctive.
| if crate::protocol::no_duplicates(extensions.iter()).is_err() { | |
| if protocol::no_duplicates(extensions.iter()).is_err() { |
| (Some(_), DapVersion::Draft09) => { | ||
| return Err(DapError::Abort(DapAbort::version_mismatch( | ||
| DapVersion::Draft09, | ||
| DapVersion::Latest, | ||
| ))) | ||
| } | ||
| (None, DapVersion::Latest) => { | ||
| return Err(DapError::Abort(DapAbort::version_mismatch( | ||
| DapVersion::Latest, | ||
| DapVersion::Draft09, | ||
| ))) | ||
| } |
There was a problem hiding this comment.
I'm not sure either of these arms could ever be reached, assuming the code that sets public_extensions is correct. If I were you, I would use the public_extension.is_some() to deduce which version was negotiated. Tnen we could replace this big ugly match with:
if let Some(public_extensions) = &report.report_metadata.public_extensions {
... // check for duplicates, unorecgonized values, and so on
}| @@ -1348,6 +1496,116 @@ async fn leader_selected() { | |||
| .unwrap(); | |||
| } | |||
|
|
|||
| #[tokio::test] | |||
| async fn leader_collect_taskprov_repeated_abort() { | |||
There was a problem hiding this comment.
What does this new test do?
There was a problem hiding this comment.
It checks that the Leader aborts if the taskprov extension appears in both the public and private extensions.
There was a problem hiding this comment.
I fixed a bug in it too.
There was a problem hiding this comment.
Can we move this to the unit tests in the daphne crate. or does exercise a behavior that's not implemented by InMemoryAggregator?
jhoyla
force-pushed
the
jhoyla/public-extensions
branch
from
2728fcd to
28ff330
Compare
jhoyla
force-pushed
the
jhoyla/public-extensions
branch
from
28ff330 to
0287417
Compare
| @@ -533,6 +537,150 @@ async fn leader_upload_taskprov_wrong_version(version: DapVersion) { | |||
|
|
|||
| async_test_versions!(leader_upload_taskprov_wrong_version); | |||
|
|
|||
| #[tokio::test] | |||
There was a problem hiding this comment.
Can we move these tests to the daphne crate?
| @@ -1348,6 +1496,116 @@ async fn leader_selected() { | |||
| .unwrap(); | |||
| } | |||
|
|
|||
| #[tokio::test] | |||
| async fn leader_collect_taskprov_repeated_abort() { | |||
There was a problem hiding this comment.
Can we move this to the unit tests in the daphne crate. or does exercise a behavior that's not implemented by InMemoryAggregator?
| (DapVersion::Latest, Some(extensions)) => { | ||
| encode_u16_items(bytes, version, extensions.as_slice())?; | ||
| } | ||
| _ => return Err(CodecError::UnexpectedValue), |
There was a problem hiding this comment.
We usually use this for encoding. How about his:
| _ => return Err(CodecError::UnexpectedValue), | |
| _ => return Err(CodecError::Other("encountered incorrectly set public extensions".into()))s |
| return Err(DapError::ReportError( | ||
| crate::messages::ReportError::InvalidMessage, | ||
| )) |
There was a problem hiding this comment.
I would actually go with a fatal error here
| return Err(DapError::ReportError( | |
| crate::messages::ReportError::InvalidMessage, | |
| )) | |
| return Err(fatal_error!( | |
| err = format!("public extensions not set correctly for {version:?}") | |
| )); |
| crate::messages::ReportError::InvalidMessage, | ||
| )) | ||
| } | ||
| _ => (), |
There was a problem hiding this comment.
nit: you can avoid having to specify this arm using if let:F
if let (Some(_), DapVersion::Draft09) | (None, DapVersion::Latest) =
(&public_extensions, version)
{
...
}| @@ -223,6 +226,34 @@ pub async fn handle_upload_req<A: DapLeader>( | |||
| .into()); | |||
| } | |||
|
|
|||
| if let Some(public_extensions) = &report.report_metadata.public_extensions { | |||
| // We can be sure at this point that the ReportMetadata is well formed (as | |||
| // the decoding / error checking happens in the extractor). | |||
There was a problem hiding this comment.
| // the decoding / error checking happens in the extractor). | |
| // the decoding / error checking happens in the extractor. |
| if protocol::check_no_duplicates(public_extensions.iter()).is_err() { | ||
| return Err(DapError::Abort(DapAbort::InvalidMessage { | ||
| detail: "Repeated public extension".into(), | ||
| task_id, | ||
| })); | ||
| }; |
There was a problem hiding this comment.
IF the metdata "well-formed" (see above comment), then do we need to check for repeats here?
| let mut report = task_config | ||
| .vdaf | ||
| .produce_report( | ||
| &hpke_config_list, | ||
| t.now + 1, | ||
| &task_id, | ||
| DapMeasurement::U32Vec(vec![1; 10]), | ||
| version, | ||
| ) | ||
| .unwrap(); | ||
| report.report_metadata.public_extensions = Some(vec![Extension::Taskprov, Extension::Taskprov]); |
There was a problem hiding this comment.
Overwriting exetensions causes an HPKE decryption failure, which isn't what we intend to test here. Modify produce_report() to take in public extensions and set them as you've set them here.
| report.report_metadata.public_extensions = Some(vec![ | ||
| Extension::Taskprov, | ||
| Extension::NotImplemented { | ||
| typ: 3, | ||
| payload: b"ignore".to_vec(), | ||
| }, | ||
| ]); |
There was a problem hiding this comment.
Same thing here: don't override
| @@ -533,6 +549,150 @@ async fn leader_upload_taskprov_wrong_version(version: DapVersion) { | |||
|
|
|||
| async_test_versions!(leader_upload_taskprov_wrong_version); | |||
|
|
|||
| #[tokio::test] | |||
| async fn leader_upload_taskprov_public() { | |||
There was a problem hiding this comment.
Remove this test (already covered by unit tests).
| @@ -1348,6 +1508,116 @@ async fn leader_selected() { | |||
| .unwrap(); | |||
| } | |||
|
|
|||
| #[tokio::test] | |||
| async fn leader_collect_taskprov_repeated_abort() { | |||
There was a problem hiding this comment.
Make sure there's a unit test for this and delete.
| let mut report = t.gen_test_report(task_id).await; | ||
| report.report_metadata.public_extensions = Some(vec![Extension::NotImplemented { | ||
| typ: 0x01, | ||
| payload: vec![0x01], | ||
| }]); |
There was a problem hiding this comment.
Don't override, as this causes hpke decryption to fail. Here and below.
Draft 13 adds mandatory support for public extensions in the ReportMetadata, but doesn't define any (Taskprov is (for now) a private extension). This PR adds support for rejecting unknown extensions, which is all of them.