derpmap telemetry clean

ethanndickson · ethanndickson · commit 09f375b58edf · 2024-06-28T07:23:50.000Z
diff --git a/tailnet/configmaps.go b/tailnet/configmaps.go
@@ -283,15 +283,17 @@ func (c *configMaps) getBlockEndpoints() bool {
 
 // setDERPMap sets the DERP map, triggering a configuration of the engine if it has changed.
 // c.L MUST NOT be held.
-func (c *configMaps) setDERPMap(derpMap *tailcfg.DERPMap) {
+// Returns if the derpMap is dirty.
+func (c *configMaps) setDERPMap(derpMap *tailcfg.DERPMap) bool {
 	c.L.Lock()
 	defer c.L.Unlock()
 	if CompareDERPMaps(c.derpMap, derpMap) {
-		return
+		return false
 	}
 	c.derpMap = derpMap
 	c.derpMapDirty = true
 	c.Broadcast()
+	return true
 }
 
 // derMapLocked returns the current DERPMap.  c.L must be held
diff --git a/tailnet/conn.go b/tailnet/conn.go
@@ -138,11 +138,11 @@ func NewConn(options *Options) (conn *Conn, err error) {
 
 	var (
 		logger           = newMultiLogger(options.Logger)
-		telemetryLogSink *bufferLogSink
+		telemetryLogSink *TelemetryStore
 	)
 	if options.TelemetrySink != nil {
 		var err error
-		telemetryLogSink, err = newBufferLogSink()
+		telemetryLogSink, err = newTelemetryStore()
 		if err != nil {
 			return nil, xerrors.Errorf("create telemetry log sink: %w", err)
 		}
@@ -352,7 +352,7 @@ type Conn struct {
 
 	telemetrySink TelemetrySink
 	// telemetryLogs will be nil if telemetrySink is nil.
-	telemetryLogs *bufferLogSink
+	telemetryLogs *TelemetryStore
 	telemetryWg   sync.WaitGroup
 
 	trafficStats *connstats.Statistics
@@ -388,7 +388,9 @@ func (c *Conn) SetNodeCallback(callback func(node *Node)) {
 
 // SetDERPMap updates the DERPMap of a connection.
 func (c *Conn) SetDERPMap(derpMap *tailcfg.DERPMap) {
-	c.configMaps.setDERPMap(derpMap)
+	if c.configMaps.setDERPMap(derpMap) && c.telemetryLogs != nil {
+		c.telemetryLogs.updateDerpMap(derpMap)
+	}
 }
 
 func (c *Conn) SetDERPForceWebSockets(v bool) {
@@ -512,6 +514,8 @@ func (c *Conn) AwaitReachable(ctx context.Context, ip netip.Addr) bool {
 	for {
 		select {
 		case <-completedCtx.Done():
+			// TODO(ethanndickson): For now, I'm interpreting 'connected' as when the
+			// agent is reachable.
 			_ = c.connectedTelemetryEvent()
 			return true
 		case <-t.C:
@@ -719,6 +723,7 @@ func (c *Conn) connectedTelemetryEvent() error {
 	return nil
 }
 
+// The returned telemetry event will not have it's status set.
 func (c *Conn) newTelemetryEvent() (*proto.TelemetryEvent, error) {
 	id, err := c.id.MarshalBinary()
 	if err != nil {
@@ -728,22 +733,22 @@ func (c *Conn) newTelemetryEvent() (*proto.TelemetryEvent, error) {
 	node := c.nodeUpdater.nodeLocked()
 	c.nodeUpdater.L.Unlock()
 
-	logs, ips := c.telemetryLogs.getLogs()
+	logs, ips, dm := c.telemetryLogs.getStore()
 	return &proto.TelemetryEvent{
 		Id:          id,
 		Time:        timestamppb.Now(),
 		ClientType:  c.clientType,
 		NodeIdSelf:  uint64(node.ID),
 		Logs:        logs,
 		LogIpHashes: ips,
+		DerpMap:     DERPMapToProto(dm),
 
 		// TODO:
 		Application:     "",
 		NodeIdRemote:    0,
 		P2PEndpoint:     &proto.TelemetryEvent_P2PEndpoint{},
 		ThroughputMbits: &wrapperspb.FloatValue{},
 		HomeDerp:        "",
-		DerpMap:         &proto.DERPMap{},
 		LatestNetcheck:  &proto.Netcheck{},
 		ConnectionAge:   &durationpb.Duration{},
 		ConnectionSetup: &durationpb.Duration{},
diff --git a/tailnet/logger_internal_test.go b/tailnet/logger_internal_test.go
@@ -6,26 +6,27 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"tailscale.com/tailcfg"
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/tailnet/proto"
 )
 
-func TestBufferLogSink(t *testing.T) {
+func TestTelemetryStore(t *testing.T) {
 	t.Parallel()
 
 	t.Run("NoIP", func(t *testing.T) {
 		t.Parallel()
 		ctx := context.Background()
-		sink, err := newBufferLogSink()
+		sink, err := newTelemetryStore()
 		require.NoError(t, err)
 		logger := slog.Make(sink).Leveled(slog.LevelDebug)
 
 		logger.Debug(ctx, "line1")
 		logger.Debug(ctx, "line2 fe80")
 		logger.Debug(ctx, "line3 xxxx::x")
 
-		logs, hashes := sink.getLogs()
+		logs, hashes, _ := sink.getStore()
 		require.Len(t, logs, 3)
 		require.Len(t, hashes, 0)
 		require.Contains(t, logs[0], "line1")
@@ -103,7 +104,7 @@ func TestBufferLogSink(t *testing.T) {
 			t.Run(c.name, func(t *testing.T) {
 				t.Parallel()
 				ctx := context.Background()
-				sink, err := newBufferLogSink()
+				sink, err := newTelemetryStore()
 				require.NoError(t, err)
 				logger := slog.Make(sink).Leveled(slog.LevelDebug)
 
@@ -116,15 +117,15 @@ func TestBufferLogSink(t *testing.T) {
 				logger.Debug(ctx, fmt.Sprintf("line2: %s/24", c.ip))
 				logger.Debug(ctx, fmt.Sprintf("line3: %s foo (%s)", ipWithPort, c.ip))
 
-				logs, hashes := sink.getLogs()
+				logs, ips, _ := sink.getStore()
 				require.Len(t, logs, 3)
-				require.Len(t, hashes, 1)
+				require.Len(t, ips, 1)
 				for _, log := range logs {
 					t.Log(log)
 				}
 
 				// This only runs once since we only processed a single IP.
-				for expectedHash, ipFields := range hashes {
+				for expectedHash, ipFields := range ips {
 					hashedIPWithPort := expectedHash + ":8080"
 					if c.expectedVersion == 6 {
 						hashedIPWithPort = fmt.Sprintf("[%s]:8080", expectedHash)
@@ -141,4 +142,55 @@ func TestBufferLogSink(t *testing.T) {
 			})
 		}
 	})
+
+	t.Run("DerpMapClean", func(t *testing.T) {
+		t.Parallel()
+		ctx := context.Background()
+		telemetry, err := newTelemetryStore()
+		require.NoError(t, err)
+		logger := slog.Make(telemetry).Leveled(slog.LevelDebug)
+
+		derpMap := &tailcfg.DERPMap{
+			Regions: make(map[int]*tailcfg.DERPRegion),
+		}
+		// Add a region and node that uses every single field.
+		derpMap.Regions[999] = &tailcfg.DERPRegion{
+			RegionID:      999,
+			EmbeddedRelay: true,
+			RegionCode:    "zzz",
+			RegionName:    "Cool Region",
+			Avoid:         true,
+
+			Nodes: []*tailcfg.DERPNode{
+				{
+					Name:       "zzz1",
+					RegionID:   999,
+					HostName:   "coolderp.com",
+					CertName:   "coolderpcert",
+					IPv4:       "1.2.3.4",
+					IPv6:       "2001:db8::1",
+					STUNTestIP: "5.6.7.8",
+				},
+			},
+		}
+		telemetry.updateDerpMap(derpMap)
+
+		logger.Debug(ctx, "line1 coolderp.com qwerty")
+		logger.Debug(ctx, "line2 1.2.3.4 asdf")
+		logger.Debug(ctx, "line3 2001:db8::1 foo")
+
+		logs, ips, dm := telemetry.getStore()
+		require.Len(t, logs, 3)
+		require.Len(t, ips, 3)
+		require.Len(t, dm.Regions[999].Nodes, 1)
+		node := dm.Regions[999].Nodes[0]
+		require.NotContains(t, node.HostName, "coolderp.com")
+		require.NotContains(t, node.IPv4, "1.2.3.4")
+		require.NotContains(t, node.IPv6, "2001:db8::1")
+		require.NotContains(t, node.STUNTestIP, "5.6.7.8")
+		require.Contains(t, logs[0], node.HostName)
+		require.Contains(t, ips, node.STUNTestIP)
+		require.Contains(t, ips, node.IPv6)
+		require.Contains(t, ips, node.IPv4)
+	})
 }
diff --git a/tailnet/telemetry.go b/tailnet/telemetry.go
@@ -11,6 +11,7 @@ import (
 	"sync"
 
 	"golang.org/x/xerrors"
+	"tailscale.com/tailcfg"
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
@@ -87,45 +88,81 @@ func (m multiLogger) With(fields ...slog.Field) multiLogger {
 
 // A logger sink that extracts (anonymized) IP addresses from logs for building
 // network telemetry events
-type bufferLogSink struct {
+type TelemetryStore struct {
+	// Always self-referential
 	sink slog.Sink
 	mu   sync.Mutex
 	// TODO: Store only useful logs
-	logs []string
-	// We use the same salt so the same IP hashes to the same value.
+	logs     []string
 	hashSalt string
-	// A cache to avoid hashing the same IP multiple times.
-	ipToHash  map[string]string
+	// A cache to avoid hashing the same IP or hostname multiple times.
+	hashCache map[string]string
 	hashedIPs map[string]*proto.IPFields
+
+	cleanDerpMap  *tailcfg.DERPMap
+	derpMapFilter *regexp.Regexp
 }
 
-var _ slog.Sink = &bufferLogSink{}
+var _ slog.Sink = &TelemetryStore{}
 
-var _ io.Writer = &bufferLogSink{}
+var _ io.Writer = &TelemetryStore{}
 
-func newBufferLogSink() (*bufferLogSink, error) {
+func newTelemetryStore() (*TelemetryStore, error) {
 	hashSalt, err := cryptorand.String(16)
 	if err != nil {
 		return nil, err
 	}
-	out := &bufferLogSink{
-		logs:      []string{},
-		hashSalt:  hashSalt,
-		ipToHash:  make(map[string]string),
-		hashedIPs: make(map[string]*proto.IPFields),
+	out := &TelemetryStore{
+		logs:          []string{},
+		hashSalt:      hashSalt,
+		hashCache:     make(map[string]string),
+		hashedIPs:     make(map[string]*proto.IPFields),
+		derpMapFilter: regexp.MustCompile(`^$`),
 	}
 	out.sink = sloghuman.Sink(out)
 	return out, nil
 }
 
-func (b *bufferLogSink) getLogs() ([]string, map[string]*proto.IPFields) {
+func (b *TelemetryStore) getStore() ([]string, map[string]*proto.IPFields, *tailcfg.DERPMap) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
-	return append([]string{}, b.logs...), b.hashedIPs
+	return append([]string{}, b.logs...), b.hashedIPs, b.cleanDerpMap.Clone()
+}
+
+// Given a DERPMap, anonymise all IPs and hostnames.
+// Keep track of seen hostnames/cert names to anonymize them from future logs.
+// b.mu must NOT be held.
+func (b *TelemetryStore) updateDerpMap(cur *tailcfg.DERPMap) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	var names []string
+	cleanMap := cur.Clone()
+	for _, r := range cleanMap.Regions {
+		for _, n := range r.Nodes {
+			escapedName := regexp.QuoteMeta(n.HostName)
+			escapedCertName := regexp.QuoteMeta(n.CertName)
+			names = append(names, escapedName, escapedCertName)
+
+			ipv4, _ := b.processIPLocked(n.IPv4)
+			n.IPv4 = ipv4
+			ipv6, _ := b.processIPLocked(n.IPv6)
+			n.IPv6 = ipv6
+			stunIP, _ := b.processIPLocked(n.STUNTestIP)
+			n.STUNTestIP = stunIP
+			hn := b.hashAddr(n.HostName)
+			n.HostName = hn
+			cn := b.hashAddr(n.CertName)
+			n.CertName = cn
+		}
+	}
+	if len(names) != 0 {
+		b.derpMapFilter = regexp.MustCompile((strings.Join(names, "|")))
+	}
+	b.cleanDerpMap = cleanMap
 }
 
 // Write implements io.Writer.
-func (b *bufferLogSink) Write(p []byte) (n int, err error) {
+func (b *TelemetryStore) Write(p []byte) (n int, err error) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 
@@ -138,37 +175,39 @@ func (b *bufferLogSink) Write(p []byte) (n int, err error) {
 	if len(logLineAfterLevel) == 2 {
 		logLineAfterLevel = logLineSplit[1]
 	}
+	// Anonymize IP addresses
 	for _, match := range ipv4And6Regex.FindAllString(logLineAfterLevel, -1) {
 		hash, err := b.processIPLocked(match)
 		if err == nil {
 			logLine = strings.ReplaceAll(logLine, match, hash)
 		}
 	}
+	// Anonymize derp map host names
+	for _, match := range b.derpMapFilter.FindAllString(logLineAfterLevel, -1) {
+		hash := b.hashAddr(match)
+		logLine = strings.ReplaceAll(logLine, match, hash)
+	}
 
 	b.logs = append(b.logs, logLine)
 	return len(p), nil
 }
 
 // LogEntry implements slog.Sink.
-func (b *bufferLogSink) LogEntry(ctx context.Context, e slog.SinkEntry) {
+func (b *TelemetryStore) LogEntry(ctx context.Context, e slog.SinkEntry) {
 	// This will call (*bufferLogSink).Write
 	b.sink.LogEntry(ctx, e)
 }
 
 // Sync implements slog.Sink.
-func (b *bufferLogSink) Sync() {
+func (b *TelemetryStore) Sync() {
 	b.sink.Sync()
 }
 
 // processIPLocked will look up the IP in the cache, or hash and salt it and add
 // to the cache. It will also add it to hashedIPs.
 //
 // b.mu must be held.
-func (b *bufferLogSink) processIPLocked(ip string) (string, error) {
-	if hashStr, ok := b.ipToHash[ip]; ok {
-		return hashStr, nil
-	}
-
+func (b *TelemetryStore) processIPLocked(ip string) (string, error) {
 	addr, err := netip.ParseAddr(ip)
 	if err != nil {
 		return "", xerrors.Errorf("failed to parse IP %q: %w", ip, err)
@@ -190,12 +229,21 @@ func (b *bufferLogSink) processIPLocked(ip string) (string, error) {
 		class = proto.IPFields_PRIVATE
 	}
 
-	hash := sha256.Sum256([]byte(b.hashSalt + ip))
-	hashStr := hex.EncodeToString(hash[:])
-	b.ipToHash[ip] = hashStr
+	hashStr := b.hashAddr(ip)
 	b.hashedIPs[hashStr] = &proto.IPFields{
 		Version: version,
 		Class:   class,
 	}
 	return hashStr, nil
 }
+
+func (b *TelemetryStore) hashAddr(addr string) string {
+	if hashStr, ok := b.hashCache[addr]; ok {
+		return hashStr
+	}
+
+	hash := sha256.Sum256([]byte(b.hashSalt + addr))
+	hashStr := hex.EncodeToString(hash[:])
+	b.hashCache[addr] = hashStr
+	return hashStr
+}
