Add LSPS5 DOS protections.

[martinsaposnic]

When handling an incoming LSPS5 request, the manager will check
if the counterparty is 'engaged' in some way before responding.
Engaged meaning = active channel | LSPS2 active operation | LSPS1 active operation.

Logic: If not engaged then reject request;

A single test is added only checking for the active channel condition,
because it's not super easy to get LSPS1-2 on the correct state to check this (yet).
Other tangential work is happening that will make this easier and more tests will come in the near future.

A few decisions that could be changed:

- the DOS protections are optional (default true). maybe this should not be configurable?
- I made the dos_protection_enforcer generic enough so it would be possible to add more behavior in the future. also some logic could be moved here like the ignored_peers logic from the manager, which could make sense to move to the dos enforcer

thoughts @tnull ?

[ldk-reviews-bot]

👋 I see @jkczyz was un-assigned.
If you'd like another reviewer assignment, please click here.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.87%. Comparing base (e1a31e1) to head (b522194).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3993      +/-   ##
==========================================
+ Coverage   88.84%   88.87%   +0.03%     
==========================================
  Files         175      175              
  Lines      127760   127790      +30     
  Branches   127760   127790      +30     
==========================================
+ Hits       113510   113579      +69     
+ Misses      11679    11641      -38     
+ Partials     2571     2570       -1     

Flag	Coverage Δ
fuzzing	21.74% <0.00%> (-0.02%)	⬇️
tests	88.71% <100.00%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[tnull]

Thanks for looking into this!

[tnull]

IMO this is over-engineering. We can just have a single method on LSPS5ServiceHandler that checks the necessary bools. I also don't think this warrants to be in a separate module right now.

[tnull]

Hmm, we'll also want to allow LSPS5 for any activity beyond this point, no? I think rather than adding helpers for each individual state, maybe we finally should expose the list of OutboundJITChannelStates at least pub(crate) and also implement Ord for OutboundJITChannelState? This would allow us to use comparison operators on the channel states.

Also, can we somehow enforce that for a pending payment, we'd always first process it and advance the LSPS2 state before evaluating whether we can notifiy the LSPS5 client?

[martinsaposnic]

what I thought here (and I didn't clarify, sorry) is that it should only check for the pending_channel_open. after that state, the channel will be opened and the LSPS5 service has_active_channels check will kick in, so there is no point on checking the other LSPS2 states. does that make sense?

[tnull]

"existing engagement" is pretty unclear terminology, would be good to find more intuitive wording.

[tnull]

Please don't log on on Info here.

[tnull]

Let's at least start out with enabling this by default, i.e., don't make it configurable.

[ldk-reviews-bot]

👋 The first review has been submitted!

Do you think this PR is ready for a second reviewer? If so, click here to assign a second reviewer.

[martinsaposnic]

@tnull thanks for the review! I think this is a much better

I pushed a fixup commit addressing all the comments ffe25e6

I still have my doubts regarding this:

can we somehow enforce that for a pending payment, we'd always first process it and advance the LSPS2 state before evaluating whether we can notifiy the LSPS5 client?

I think that maybe that's not necessary and I posted a question related to that: #3993 (comment)

thanks!

[tnull]

Thanks, much cleaner already! Some comments.

[tnull]

Why does this need to be Clone suddenly?

[martinsaposnic]

#3993 (comment)

[tnull]

Do we need this explicit implementation? Wouldn't derive(PartialOrd) do the ~the same thing?

[martinsaposnic]

this would need putting also the derive(Ord) and derive(PartialOrd) on PaymentQueue and InterceptId

happy to do it but wanted to minimize changes

[martinsaposnic]

seems like I can't define Ord but derive PartialOrd

from the linter:

error: you are implementing `Ord` explicitly but have derived `PartialOrd`
   --> lightning-liquidity/src/lsps2/service.rs:164:1
    |
164 | / impl Ord for OutboundJITChannelState {
165 | |     fn cmp(&self, other: &Self) -> core::cmp::Ordering {
166 | |         self.stage().cmp(&other.stage())
167 | |     }
168 | | }
    | |_^

[tnull]

Ah, sorry. Then I have to eat my words. I'd actually prefer the way you had vs. introducing the redundant ..Stage object. Sorry, mind reverting to explicitly implementing it?

[tnull]

I don't buy we need to clone here.

[martinsaposnic]

error[E0507]: cannot move out of `c.state` which is behind a shared reference
   --> lightning-liquidity/src/lsps2/service.rs:599:68
    |
599 |             peer_state.outbound_channels_by_intercept_scid.values().map(|c| c.state).max()
    |                                                                             ^^^^^^^ move occurs because `c.state` has type `OutboundJITChannelState`, which does not implement the `Copy` trait
    |
help: consider cloning the value if the performance cost is acceptable
    |
599 |             peer_state.outbound_channels_by_intercept_scid.values().map(|c| c.state.clone()).max()
    |                                                                                    ++++++++

[tnull]

Let me rephrase: we definitely can't clone the entire state, with all the HTLC data, etc each time we want to check whether a client reached a certain state. I still think handling all the state by reference should be doable, but it's probably easiest to mirror the fn has_active_requests(&self, counterparty_node_id: &PublicKey) -> bool above.

(While eventually we want to give users insight into the held state, it doesn't need to happen in this PR, so for now it's probably easiest to revert to having OutboundJITChannelState private, and just check the bool returned by the helper mentioned above)

[tnull]

Hmm, why not just use >= PendingChannelOpen now that we can?

[martinsaposnic]

this could not be done directly because I would need to create some dummy properties for the PendingChannelOpen struct for it to be able to compare:

|s| s >= OutboundJITChannelState::PendingChannelOpen { 
    payment_queue: PaymentQueue::new(), 
    opening_fee_msat: 0 
})

I prefer not to do this so went with something different:

• dropped the OutboundJITChannelState::ord_index()
• instead, I created a new enum OutboundJITStage that matches one to one with OutboundJITChannelState but has no properties. this new OutboundJITStage has Derive(ord, partialOrd) so it just grabs the declaration order for its ordering

with this, now we can do |s| s.stage() >= OutboundJITStage::PendingChannelOpen

[tnull]

Ah, see #3993 (comment)

I'd prefer not to introduce a redundant object here. Sorry for the noise.

[martinsaposnic]

I squashed the last fixup commit and created a new fixup commit addressing the latest comments

also responded to some of the comments that may need a follow up

thanks @tnull !

[martinsaposnic]

just pushed a fixup commit addressing the latest comments a74c585

• made the OutboundJITChannelState private again
• on lsps2/service, have a bool function that returns if the node_id has an opening or open channel
• use that new function on the manager and on lsps5/service

let me know what you think @tnull , thanks!!

[tnull]

Wait, how do we imagine this to work for the initial LSPS2 receive? If we only allow clients to even register for notifications once we already have a (pending) channel open, how would a first-time user's phone get notified to wake up and accept the channel when they receive the very first payment?

I think we'd need to extend this to also accept LSPS5 requests for PendingInitialPayment?

[martinsaposnic]

yeah, that makes sense. I will update this

[martinsaposnic]

@tnull let me know what you think 8f2805a. thanks!!

[tnull]

Alright, this should be good for a second reviewer.

In the meantime, it's gonna need a rebase.

[ldk-reviews-bot]

✅ Added second reviewer: @jkczyz

[martinsaposnic]

it's gonna need a rebase.

done ✅

[TheBlueMatt]

Hmmm, how are we thinking about whether pending_requests counts? I mean on the one hand not counting it is gonna cause issues cause users are gonna register a webhook quickly and see it fail (tho they should retry), on the other hand, a pending request that we haven't even responded to feels like it shouldn't count - it just means they've sent us a message and we haven't responded yet.

[TheBlueMatt]

Should we move all this logic to only running when we get a message that indicates we're allocating state, rather than ignoring all messages from a peer?