firewalldb: check that priv map session exists

ellemouton · ellemouton · commit 98c83aba60a6 · 2025-04-17T11:47:43.000+02:00
Here, we adjust the bbolt impl of the privacy mapper such that it first
checks that the referenced session group does in fact exist. We update
our unit tests accordingly. We do this because once we plug in the SQL
impl, the link will be explicit and the tests will error if the session
group does not exist.
diff --git a/firewalldb/privacy_mapper_kvdb.go b/firewalldb/privacy_mapper_kvdb.go
@@ -35,23 +35,48 @@ func (db *BoltDB) PrivacyDB(groupID session.ID) PrivacyMapDB {
 		db: db.DB,
 		wrapTx: func(tx *bbolt.Tx) PrivacyMapTx {
 			return &privacyMapTx{
-				boltTx:  tx,
-				groupID: groupID,
+				sessions: db.sessionIDIndex,
+				boltTx:   tx,
+				groupID:  groupID,
 			}
 		},
 	}
 }
 
 // privacyMapTx is an implementation of PrivacyMapTx.
 type privacyMapTx struct {
-	groupID session.ID
-	boltTx  *bbolt.Tx
+	sessions SessionDB
+	groupID  session.ID
+	boltTx   *bbolt.Tx
+}
+
+// asserGroupExists checks that the session group that the privacy mapper is
+// pointing to exists.
+//
+// NOTE: this is technically a DB transaction within another DB transaction.
+// But this is ok because:
+//  1. We only do this for the bbolt backends in which case the transactions are
+//     for _separate_ DB files.
+//  2. The aim is to completely remove this implementation in future.
+//  3. Currently, users cannot easily delete a session. And so the chances that
+//     users delete a session after having created a privacy map linked to it
+//     is small. In any case, even if they did delete the session, the linked
+//     privacy map would never be used. During the kvdb -> SQL migration, we
+//     will delete any privacy maps that link to sessions that cannot be found.
+func (p *privacyMapTx) assertGroupExists(ctx context.Context) error {
+	_, err := p.sessions.GetSessionIDs(ctx, p.groupID)
+
+	return err
 }
 
 // NewPair inserts a new real-pseudo pair into the db.
 //
 // NOTE: this is part of the PrivacyMapTx interface.
-func (p *privacyMapTx) NewPair(_ context.Context, real, pseudo string) error {
+func (p *privacyMapTx) NewPair(ctx context.Context, real, pseudo string) error {
+	if err := p.assertGroupExists(ctx); err != nil {
+		return err
+	}
+
 	privacyBucket, err := getBucket(p.boltTx, privacyBucketKey)
 	if err != nil {
 		return err
@@ -97,9 +122,13 @@ func (p *privacyMapTx) NewPair(_ context.Context, real, pseudo string) error {
 // it does then the real value is returned, else an error is returned.
 //
 // NOTE: this is part of the PrivacyMapTx interface.
-func (p *privacyMapTx) PseudoToReal(_ context.Context, pseudo string) (string,
+func (p *privacyMapTx) PseudoToReal(ctx context.Context, pseudo string) (string,
 	error) {
 
+	if err := p.assertGroupExists(ctx); err != nil {
+		return "", err
+	}
+
 	privacyBucket, err := getBucket(p.boltTx, privacyBucketKey)
 	if err != nil {
 		return "", err
@@ -127,9 +156,13 @@ func (p *privacyMapTx) PseudoToReal(_ context.Context, pseudo string) (string,
 // it does then the pseudo value is returned, else an error is returned.
 //
 // NOTE: this is part of the PrivacyMapTx interface.
-func (p *privacyMapTx) RealToPseudo(_ context.Context, real string) (string,
+func (p *privacyMapTx) RealToPseudo(ctx context.Context, real string) (string,
 	error) {
 
+	if err := p.assertGroupExists(ctx); err != nil {
+		return "", err
+	}
+
 	privacyBucket, err := getBucket(p.boltTx, privacyBucketKey)
 	if err != nil {
 		return "", err
@@ -156,9 +189,13 @@ func (p *privacyMapTx) RealToPseudo(_ context.Context, real string) (string,
 // FetchAllPairs loads and returns the real-to-pseudo pairs.
 //
 // NOTE: this is part of the PrivacyMapTx interface.
-func (p *privacyMapTx) FetchAllPairs(_ context.Context) (*PrivacyMapPairs,
+func (p *privacyMapTx) FetchAllPairs(ctx context.Context) (*PrivacyMapPairs,
 	error) {
 
+	if err := p.assertGroupExists(ctx); err != nil {
+		return nil, err
+	}
+
 	privacyBucket, err := getBucket(p.boltTx, privacyBucketKey)
 	if err != nil {
 		return nil, err
diff --git a/firewalldb/privacy_mapper_test.go b/firewalldb/privacy_mapper_test.go
@@ -4,7 +4,10 @@ import (
 	"context"
 	"fmt"
 	"testing"
+	"time"
 
+	"github.com/lightninglabs/lightning-terminal/session"
+	"github.com/lightningnetwork/lnd/clock"
 	"github.com/stretchr/testify/require"
 )
 
@@ -13,14 +16,42 @@ func TestPrivacyMapStorage(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
-	tmpDir := t.TempDir()
-	db, err := NewBoltDB(tmpDir, "test.db", nil)
+	sessions := session.NewTestDB(t, clock.NewDefaultClock())
+	db, err := NewBoltDB(t.TempDir(), "test.db", sessions)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		_ = db.Close()
 	})
 
-	pdb1 := db.PrivacyDB([4]byte{1, 1, 1, 1})
+	// First up, let's test that the correct error is returned if an
+	// attempt is made to write to a privacy map that is not linked to
+	// an existing session group.
+	pdb := db.PrivacyDB(session.ID{1, 2, 3, 4})
+	err = pdb.Update(ctx,
+		func(ctx context.Context, tx PrivacyMapTx) error {
+			_, err := tx.RealToPseudo(ctx, "real")
+			require.ErrorIs(t, err, session.ErrUnknownGroup)
+
+			_, err = tx.PseudoToReal(ctx, "pseudo")
+			require.ErrorIs(t, err, session.ErrUnknownGroup)
+
+			err = tx.NewPair(ctx, "real", "pseudo")
+			require.ErrorIs(t, err, session.ErrUnknownGroup)
+
+			_, err = tx.FetchAllPairs(ctx)
+			require.ErrorIs(t, err, session.ErrUnknownGroup)
+
+			return nil
+		},
+	)
+	require.NoError(t, err)
+
+	sess, err := sessions.NewSession(
+		ctx, "test", session.TypeAutopilot, time.Unix(1000, 0), "",
+	)
+	require.NoError(t, err)
+
+	pdb1 := db.PrivacyDB(sess.GroupID)
 
 	_ = pdb1.Update(ctx, func(ctx context.Context, tx PrivacyMapTx) error {
 		_, err = tx.RealToPseudo(ctx, "real")
@@ -50,7 +81,12 @@ func TestPrivacyMapStorage(t *testing.T) {
 		return nil
 	})
 
-	pdb2 := db.PrivacyDB([4]byte{2, 2, 2, 2})
+	sess2, err := sessions.NewSession(
+		ctx, "test", session.TypeAutopilot, time.Unix(1000, 0), "",
+	)
+	require.NoError(t, err)
+
+	pdb2 := db.PrivacyDB(sess2.GroupID)
 
 	_ = pdb2.Update(ctx, func(ctx context.Context, tx PrivacyMapTx) error {
 		_, err = tx.RealToPseudo(ctx, "real")
@@ -80,7 +116,12 @@ func TestPrivacyMapStorage(t *testing.T) {
 		return nil
 	})
 
-	pdb3 := db.PrivacyDB([4]byte{3, 3, 3, 3})
+	sess3, err := sessions.NewSession(
+		ctx, "test", session.TypeAutopilot, time.Unix(1000, 0), "",
+	)
+	require.NoError(t, err)
+
+	pdb3 := db.PrivacyDB(sess3.GroupID)
 
 	_ = pdb3.Update(ctx, func(ctx context.Context, tx PrivacyMapTx) error {
 		// Check that calling FetchAllPairs returns an empty map if
@@ -185,14 +226,19 @@ func TestPrivacyMapTxs(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
-	tmpDir := t.TempDir()
-	db, err := NewBoltDB(tmpDir, "test.db", nil)
+	sessions := session.NewTestDB(t, clock.NewDefaultClock())
+	db, err := NewBoltDB(t.TempDir(), "test.db", sessions)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		_ = db.Close()
 	})
 
-	pdb1 := db.PrivacyDB([4]byte{1, 1, 1, 1})
+	sess, err := sessions.NewSession(
+		ctx, "test", session.TypeAutopilot, time.Unix(1000, 0), "",
+	)
+	require.NoError(t, err)
+
+	pdb1 := db.PrivacyDB(sess.GroupID)
 
 	// Test that if an action fails midway through the transaction, then
 	// it is rolled back.
