Details

Reviewers

• karol
tomek
ashoat
• jim

Commits

rCOMMce2048252dd4: [services] Tunnelbroker - Handle SessionID collision without erroring, using…

Summary

This is the fix for the follow-up task ENG-621

Context from the task:

At the moment for sessionID creation, we rely on boost::uuids::random_generator() which instance creates every gRPC handler request that affects the random generator internal counter. We need to fix this by moving the generator out of the function or not using an internal counter.

Solution:
By default boost::uuids::random_generator() uses mt19937 which is not cryptographically secure. By switching to use std::random_device we will produce enough secure results because it uses /dev/(u)random and no need to move it outside the function.

When the unique SessionID has a collision with the already existing in the Database we are falling into the error instead of generating a new one.

Solution:
In case we already have a record with the same sessionID in the database we generate a new sessionID until we have not the record with the same sessionID (in case of multiple collisions).

Dependencies
Depends on D3124

Test Plan

Does the session successfully created in case we have no collision.
Does the session creation recover when we have a collision (by adding to the database record with the same sessionID).

Diff Detail

Repository

rCOMM Comm

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

• max created this revision.Feb 3 2022, 7:02 PM

Herald added subscribers: • karol, atul, • adrian and 2 others. · View Herald TranscriptFeb 3 2022, 7:02 PM

Harbormaster completed remote builds in B6536: Diff 9274.Feb 3 2022, 7:07 PM

• max requested review of this revision.Feb 3 2022, 7:07 PM

Herald added a reviewer: • karol. · View Herald TranscriptFeb 3 2022, 7:07 PM

• max edited the summary of this revision. (Show Details)Feb 3 2022, 7:11 PM

• max edited the test plan for this revision. (Show Details)

• max added a reviewer: tomek.

tomek requested changes to this revision.Feb 4 2022, 2:28 AM

tomek added inline comments.

services/tunnelbroker/docker-server/contents/server/src/Service/TunnelbrokerServiceImpl.cpp
82–83 ↗	(On Diff #9274)	I don't think this is the best approach. If you check https://en.cppreference.com/w/cpp/numeric/random/random_device, there's a note: note: demo only: the performance of many implementations of random_device degrades sharply once the entropy pool is exhausted. For practical use random_device is generally only used to seed a PRNG such as mt19937 So in our case we need to construct an instance of `mt19937` generator, seed it with the result of `random_device` and store as an instance variable. The current approach might have serious performance issues when the entropy is depleted
94–96 ↗	(On Diff #9274)	It is technically a collision, but not something which we should worry about. If you think we need to log it, I would at least delete `warning`.

This revision now requires changes to proceed.Feb 4 2022, 2:28 AM

• max planned changes to this revision.Feb 4 2022, 6:19 AM

Moved uuid generation to Tools and separate function.

Harbormaster completed remote builds in B6563: Diff 9308.Feb 4 2022, 5:44 PM

• max marked 2 inline comments as done.Feb 4 2022, 5:52 PM

• max added inline comments.

services/tunnelbroker/docker-server/contents/server/src/Service/TunnelbrokerServiceImpl.cpp
82–83 ↗	(On Diff #9274)	I don't think this is the best approach. If you check https://en.cppreference.com/w/cpp/numeric/random/random_device, there's a note: note: demo only: the performance of many implementations of random_device degrades sharply once the entropy pool is exhausted. For practical use random_device is generally only used to seed a PRNG such as mt19937 So in our case we need to construct an instance of `mt19937` generator, seed it with the result of `random_device` and store as an instance variable. The current approach might have serious performance issues when the entropy is depleted Moved generation code to the `generateUUID` function in Tools, using the suggested approach to generate it using seeded mt19937 and make them `thread_local static`.
94–96 ↗	(On Diff #9274)	It is technically a collision, but not something which we should worry about. If you think we need to log it, I would at least delete `warning`. Yes, but we definitely need to know this in server logs. If these collisions will repeatedly occur that will indicate that something is wrong or needs to be improved in a random generation.

tomek accepted this revision.Feb 7 2022, 1:49 AM

tomek added inline comments.

services/tunnelbroker/docker-server/contents/server/src/Tools/Tools.cpp
58 ↗	(On Diff #9308)	We should probably use just `thread_local` to be consistent with the codebase. Also in https://en.cppreference.com/w/cpp/language/storage_duration it is said that It can be combined with static or extern to specify internal or external linkage (except for static data members which always have external linkage), respectively, but that additional static doesn't affect the storage duration. So we don't need to specify the static.

This revision is now accepted and ready to land.Feb 7 2022, 1:49 AM

Herald added a reviewer: ashoat. · View Herald TranscriptFeb 7 2022, 1:49 AM

Herald added a subscriber: • benschac. · View Herald Transcript

This revision now requires review to proceed.Feb 7 2022, 1:49 AM

Please address the thread_local static issue. What is it for?

Thanks @palys-swm for the thoughtfulness around usecases for PRNGs. This situation is the opposite of the issue we had in October, where we were using a PRNG when we shouldn't have. Here it makes perfect sense to use a PRNG to avoid depleting the entropy pool.

It's not extremely clear to me how necessary this change is (what's the probability of a collision occurring, anyways?) but I guess it doesn't hurt to have this code.

This revision is now accepted and ready to land.Feb 7 2022, 6:54 PM

I don't understand the problem here.

boost::uuids::random_generator is secure and uses OS entropy (/dev/urandom) according to the docs. And the synchronization isn't an issue because in the current version of the code all instances are local, not global/static. Are you seeing collisions in practice? If used correctly, that should *never* happen statistically. The only reason not to use random_generator and random_device would be performance, but that doesn't seem like a likely issue.

Synced with @jimpo offline and he offered some clarification. Seems like the use cases for calling a PRNG such as mt19937 directly from C++ in 2022 are very limited, and we should generally be relying on the CSPRNG from the OS instead.

Screen Shot 2022-02-07 at 11.42.09 PM.png (1×2 px, 821 KB)

services/tunnelbroker/docker-server/contents/server/src/Service/TunnelbrokerServiceImpl.cpp
80–89 ↗	(On Diff #9308)	We should probably just leave this as-is, and undo the changes
services/tunnelbroker/docker-server/contents/server/src/Tools/Tools.cpp
15–16 ↗	(On Diff #9308)	We should probably switch to using something that sources from `/dev/urandom` here too?

This revision now requires changes to proceed.Feb 7 2022, 8:46 PM

For session keys and things like that, std::random_device is fine. If perf is an issue we could make a using Crypto++ primitives.

services/tunnelbroker/docker-server/contents/server/src/Service/TunnelbrokerServiceImpl.cpp
81 ↗	(On Diff #9308)	Use `boost::uuids::to_string` here instead. https://www.boost.org/doc/libs/1_78_0/libs/uuid/doc/uuid.html#to_string It's more clear IMO.
services/tunnelbroker/docker-server/contents/server/src/Tools/Tools.cpp
15–16 ↗	(On Diff #9308)	Yeah, just drop the mt19937 generator. std::random_device generator; Making it thread-local might help performance a little bit so it keeps the same file descriptor.

• max planned changes to this revision.Feb 8 2022, 10:55 AM

• max marked 2 inline comments as done.

Update random generator to drop mt19937.

Harbormaster failed remote builds in B6657: Diff 9423!Feb 8 2022, 5:10 PM

• max marked 5 inline comments as done.Feb 8 2022, 5:15 PM

• max added inline comments.

services/tunnelbroker/docker-server/contents/server/src/Service/TunnelbrokerServiceImpl.cpp
80–89 ↗	(On Diff #9308)	We should probably just leave this as-is, and undo the changes I think we should stay with the `generateUUID()` as a function in Tools. The function code is small but it will be reused in different places. Now we used it once in sessions, but I plan to use it to generate message IDs, and maybe in future updates too. In case we want to change something in the generator it would be much easier to refactor and don't repeat the same code right now.
81 ↗	(On Diff #9308)	Use `boost::uuids::to_string` here instead. https://www.boost.org/doc/libs/1_78_0/libs/uuid/doc/uuid.html#to_string It's more clear IMO. Already used it on the updates, find it after the first update, but thanks anyway ;) we don't need the cast here.
services/tunnelbroker/docker-server/contents/server/src/Tools/Tools.cpp
15–16 ↗	(On Diff #9308)	We should probably switch to using something that sources from /dev/urandom here too? Yeah, just drop the mt19937 generator. All that makes sense to me so switched to std::random_device here.
58 ↗	(On Diff #9308)	We should probably use just `thread_local` to be consistent with the codebase. Also in https://en.cppreference.com/w/cpp/language/storage_duration it is said that It can be combined with static or extern to specify internal or external linkage (except for static data members which always have external linkage), respectively, but that additional static doesn't affect the storage duration. So we don't need to specify the static. Switched to `thread_local` only.

In D3103#82115, @karol-bisztyga wrote:

Please address the thread_local static issue. What is it for?

thread_local is used to refer to data that is seemingly global or static storage duration (from the viewpoint of the functions using it) but in actual fact, there is one copy per thread.

In D3103#82475, @jimpo wrote:

I don't understand the problem here.

boost::uuids::random_generator is secure and uses OS entropy (/dev/urandom) according to the docs. And the synchronization isn't an issue because in the current version of the code all instances are local, not global/static. Are you seeing collisions in practice? If used correctly, that should *never* happen statistically. The only reason not to use random_generator and random_device would be performance, but that doesn't seem like a likely issue.

I agree that collision in our case looks almost impossible. In the case of performance, we create sessions very rarely, and even if we have thousands of devices the new session requests will be rare.

• jim added inline comments.Feb 8 2022, 5:23 PM

services/tunnelbroker/docker-server/contents/server/src/Service/TunnelbrokerServiceImpl.cpp
81 ↗	(On Diff #9423)	I say skip the database lookup and the while loop. Since the UUID is truly random now, a collision won't happen.

• max planned changes to this revision.Feb 8 2022, 5:32 PM

Remove sessionID collision loop check.

• max planned changes to this revision.Feb 8 2022, 6:12 PM

Harbormaster failed remote builds in B6659: Diff 9425!Feb 8 2022, 6:13 PM

Make the newSessionID const. Stacked on top of D3124 to refactor the code.

• max edited the summary of this revision. (Show Details)Feb 8 2022, 6:20 PM

Harbormaster failed remote builds in B6660: Diff 9426!Feb 8 2022, 6:23 PM

• jim accepted this revision.Feb 8 2022, 6:24 PM

Now in this diff we have only moved the generation function to the Tools and changed the generator.
Maybe I should change the diff title and description. What do you think @ashoat ?

services/tunnelbroker/docker-server/contents/server/src/Service/TunnelbrokerServiceImpl.cpp
81 ↗	(On Diff #9423)	I say skip the database lookup and the while loop. Since the UUID is truly random now, a collision won't happen. That makes sense. I've removed the DB fetch.

• max edited the summary of this revision. (Show Details)Feb 8 2022, 6:26 PM

• max added a parent revision: D3124: [services][refactoring] Tunnelbroker - Switch from 'Id' to 'ID' in the codebase..

ashoat accepted this revision.Feb 8 2022, 9:42 PM

This revision is now accepted and ready to land.Feb 8 2022, 9:42 PM

Rebasing.

Harbormaster completed remote builds in B6760: Diff 9581.Feb 11 2022, 1:32 PM

Rebase.

Harbormaster completed remote builds in B6788: Diff 9611.Feb 14 2022, 5:53 AM

Closed by commit rCOMMce2048252dd4: [services] Tunnelbroker - Handle SessionID collision without erroring, using… (authored by • max). · Explain WhyFeb 14 2022, 5:53 AM

This revision was automatically updated to reflect the committed changes.

• max added a commit: rCOMMce2048252dd4: [services] Tunnelbroker - Handle SessionID collision without erroring, using….

[services] Tunnelbroker - Handle SessionID collision without erroring, using random device to generate it.
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 9612

services/tunnelbroker/docker-server/contents/server/src/Service/TunnelbrokerServiceImpl.cpp

services/tunnelbroker/docker-server/contents/server/src/Tools/Tools.h

services/tunnelbroker/docker-server/contents/server/src/Tools/Tools.cpp

[services] Tunnelbroker - Handle SessionID collision without erroring, using random device to generate it.ClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 9612

services/tunnelbroker/docker-server/contents/server/src/Service/TunnelbrokerServiceImpl.cpp

services/tunnelbroker/docker-server/contents/server/src/Tools/Tools.h

services/tunnelbroker/docker-server/contents/server/src/Tools/Tools.cpp

[services] Tunnelbroker - Handle SessionID collision without erroring, using random device to generate it.
ClosedPublic
Actions

Revision Contents
Changeset List