Revert "Add Noise Direct connection shadowing via remote config"

Author: akonradi-signal

RELEASE_NOTES.md

@@ -1,3 +1,5 @@
 v0.81.1
 
 - Enable negotiating permessage-deflate support for chat websocket connections, if configured.
+
+- Net: remove Noise connection shadowing for staging Chat websocket connections.

rust/bridge/shared/testing/src/net_env.rs

@@ -81,7 +81,6 @@ pub(crate) fn localhost_test_env_with_ports(
             ports.chat_port,
             root_certificate_der,
         ),
-        chat_noise_config: None,
         chat_ws_config: RECOMMENDED_CHAT_WS_CONFIG,
         cdsi: EnclaveEndpoint {
             domain_config: localhost_test_domain_config_with_port_and_cert(

rust/bridge/shared/types/src/net/chat.rs

@@ -18,7 +18,6 @@ use http::uri::{InvalidUri, PathAndQuery};
 use http::{HeaderMap, HeaderName, HeaderValue};
 use libsignal_net::auth::Auth;
 use libsignal_net::chat::fake::FakeChatRemote;
-use libsignal_net::chat::noise::NoiseDirectConnectShadow;
 use libsignal_net::chat::server_requests::DisconnectCause;
 use libsignal_net::chat::ws::ListenerEvent;
 use libsignal_net::chat::{
@@ -32,7 +31,7 @@ use libsignal_net::infra::route::{
     UnresolvedHttpsServiceRoute,
 };
 use libsignal_net::infra::tcp_ssl::InvalidProxyConfig;
-use libsignal_net::infra::{Connection as _, EnableDomainFronting, EnforceMinimumTls};
+use libsignal_net::infra::{EnableDomainFronting, EnforceMinimumTls};
 use libsignal_net_chat::api::Unauth;
 use libsignal_protocol::Timestamp;
 use static_assertions::assert_impl_all;
@@ -144,7 +143,6 @@ impl AuthenticatedChatConnection {
             ),
         )
         .await?;
-
         Ok(Self {
             inner: MaybeChatConnection::WaitingForListener(
                 tokio::runtime::Handle::current(),
@@ -183,39 +181,6 @@ impl AuthenticatedChatConnection {
     }
 }
 
-fn maybe_shadow<'a>(
-    connection_manager: &'a ConnectionManager,
-    remote_config_key: RemoteConfigKey,
-    languages: &LanguageList,
-) -> Option<NoiseDirectConnectShadow<'a>> {
-    let ConnectionManager {
-        user_agent,
-        env,
-        remote_config,
-        connect,
-        dns_resolver,
-        ..
-    } = connection_manager;
-
-    let noise_config = env.chat_noise_config.as_ref()?.connect;
-
-    if !remote_config
-        .lock()
-        .expect("not poisoned")
-        .is_enabled(remote_config_key)
-    {
-        return None;
-    }
-
-    Some(NoiseDirectConnectShadow {
-        route_resolver: connect.lock().expect("not poisoned").route_resolver.clone(),
-        dns_resolver: dns_resolver.clone(),
-        noise_config,
-        language_list: languages.clone(),
-        user_agent,
-    })
-}
-
 impl AsRef<tokio::sync::RwLock<MaybeChatConnection>> for AuthenticatedChatConnection {
     fn as_ref(&self) -> &tokio::sync::RwLock<MaybeChatConnection> {
         &self.inner
@@ -357,21 +322,6 @@ async fn establish_chat_connection(
     connection_manager: &ConnectionManager,
     headers: Option<chat::ChatHeaders>,
 ) -> Result<chat::PendingChatConnection, ConnectError> {
-    let noise_shadow = headers.as_ref().and_then(|headers| {
-        let (languages, remote_config) = match headers {
-            chat::ChatHeaders::Auth(auth) => (
-                &auth.languages,
-                RemoteConfigKey::ShadowAuthChatWithNoiseDirect,
-            ),
-            chat::ChatHeaders::Unauth(unauth) => (
-                &unauth.languages,
-                RemoteConfigKey::ShadowUnauthChatWithNoiseDirect,
-            ),
-        };
-
-        maybe_shadow(connection_manager, remote_config, languages)
-    });
-
     let ConnectionManager {
         env,
         dns_resolver,
@@ -436,7 +386,7 @@ async fn establish_chat_connection(
         true => EnablePermessageDeflate::Yes,
         false => EnablePermessageDeflate::No,
     };
-    let connection = ChatConnection::start_connect_with(
+    ChatConnection::start_connect_with(
         connection_resources,
         route_provider,
         user_agent,
@@ -449,30 +399,7 @@ async fn establish_chat_connection(
         Ok(_) => log::info!("successfully connected {auth_type} chat"),
         Err(e) => log::warn!("failed to connect {auth_type} chat: {e}"),
     })
-    .await?;
-
-    let real_connection_info = connection.connection_info().route_info;
-    let real_connection_was_direct =
-        real_connection_info.proxy().is_none() && real_connection_info.domain_front().is_none();
-
-    if let Some(noise_shadow) = real_connection_was_direct.then_some(noise_shadow).flatten() {
-        log::info!("shadowing {auth_type} chat with Noise Direct");
-        let connect = noise_shadow.connect();
-        tokio::spawn(async move {
-            match connect.await {
-                Ok(stream) => {
-                    let ip_type = stream.transport_info().ip_version();
-                    log::info!(
-                        "{auth_type} shadow: Noise Direct connection succeeded over IP{ip_type}"
-                    );
-                    drop(stream);
-                }
-                Err(e) => log::info!("{auth_type} shadow: Noise Direct connection failed: {e}"),
-            }
-        });
-    }
-
-    Ok(connection)
+    .await
 }
 
 fn make_route_provider(

rust/bridge/shared/types/src/net/remote_config.rs

@@ -48,10 +48,6 @@ pub enum RemoteConfigKey {
     // TODO: Remove after enforcement has been enabled in production long enough without reported
     // issues.
     EnforceMinimumTls,
-    /// If enabled, tries to connect via Noise Direct after establishing an authenticated chat connection.
-    ShadowAuthChatWithNoiseDirect,
-    /// If enabled, tries to connect via Noise Direct after establishing an unauthenticated chat connection.
-    ShadowUnauthChatWithNoiseDirect,
     /// Determines whether a chat websocket connection attempts to negotiate permessage-deflate support.
     EnableChatPermessageDeflate,
 }
@@ -68,8 +64,6 @@ impl RemoteConfigKey {
                 "chatRequestConnectionCheckTimeoutMillis"
             }
             Self::EnforceMinimumTls => "enforceMinimumTls",
-            Self::ShadowAuthChatWithNoiseDirect => "shadowAuthChatWithNoise",
-            Self::ShadowUnauthChatWithNoiseDirect => "shadowUnauthChatWithNoise",
             Self::EnableChatPermessageDeflate => "chatPermessageDeflate",
         }
     }

rust/net/infra/src/noise/direct.rs

@@ -19,7 +19,6 @@ use prost::Message as _;
 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 use zerocopy::{FromBytes, IntoBytes};
 
-use crate::Connection;
 use crate::noise::{FrameType, HandshakeAuthKind, Transport};
 use crate::proto::noise_direct::CloseReason;
 use crate::proto::noise_direct::close_reason::Code;
@@ -45,12 +44,6 @@ impl<S> DirectStream<S> {
 
 static_assertions::assert_impl_all!(DirectStream<tokio::io::DuplexStream>: Transport);
 
-impl<S: Connection> Connection for DirectStream<S> {
-    fn transport_info(&self) -> crate::TransportInfo {
-        self.inner.transport_info()
-    }
-}
-
 /// State for the [`AsyncRead`] side of a [`DirectStream`].
 #[derive(Debug, Default)]
 enum Read {

rust/net/infra/src/noise/stream.rs

@@ -14,7 +14,6 @@ use futures_util::{SinkExt as _, StreamExt as _};
 use snow::TransportState;
 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 
-use crate::Connection;
 use crate::noise::{FrameType, Transport};
 
 /// Stream abstraction that encrypts/decrypts with [Noise].
@@ -66,12 +65,6 @@ impl<S> NoiseStream<S> {
     }
 }
 
-impl<S: Connection> Connection for NoiseStream<S> {
-    fn transport_info(&self) -> crate::TransportInfo {
-        self.inner.transport_info()
-    }
-}
-
 impl<S: Transport + Unpin> AsyncRead for NoiseStream<S> {
     fn poll_read(
         self: Pin<&mut Self>,

rust/net/infra/src/route/describe.rs

@@ -134,14 +134,6 @@ impl std::fmt::Display for UnresolvedRouteDescription {
 }
 
 impl UnresolvedRouteDescription {
-    pub fn proxy(&self) -> Option<ConnectionProxyKind> {
-        self.proxy
-    }
-
-    pub fn domain_front(&self) -> Option<&'static str> {
-        self.front
-    }
-
     pub fn fake() -> Self {
         Self {
             front: None,

rust/net/src/chat/noise.rs

@@ -19,9 +19,6 @@ pub use encrypted_stream::{
     Authorization, ChatNoiseConnector, ConnectError, ConnectMeta, ServerPublicKey,
 };
 
-mod shadow;
-pub use shadow::NoiseDirectConnectShadow;
-
 pub type ChatNoiseFragment = (Authorization, ConnectMeta);
 
 #[derive(Clone, Debug, PartialEq)]

rust/net/src/chat/noise/encrypted_stream.rs

@@ -14,7 +14,6 @@ use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 use uuid::Uuid;
 
 use crate::chat::noise::{ChatNoiseFragment, HandshakeAuth};
-use crate::infra::Connection;
 use crate::infra::errors::{LogSafeDisplay, TransportConnectError};
 use crate::infra::noise::{
     EPHEMERAL_KEY_LEN, NoiseConnector, NoiseStream, STATIC_KEY_LEN, SendError, Transport,
@@ -138,12 +137,6 @@ where
     }
 }
 
-impl<S: Connection> Connection for EncryptedStream<S> {
-    fn transport_info(&self) -> libsignal_net_infra::TransportInfo {
-        self.stream.transport_info()
-    }
-}
-
 impl<S: Transport + Unpin> AsyncRead for EncryptedStream<S> {
     fn poll_read(
         mut self: Pin<&mut Self>,

rust/net/src/connect_state.rs

@@ -16,15 +16,14 @@ use itertools::Itertools as _;
 use libsignal_net_infra::dns::DnsResolver;
 use libsignal_net_infra::errors::{LogSafeDisplay, TransportConnectError};
 use libsignal_net_infra::route::{
-    ComposedConnector, ConnectError, ConnectionOutcomeParams, ConnectionOutcomes,
-    ConnectionProxyKind, Connector, ConnectorFactory, DelayBasedOnTransport, DescribeForLog,
-    DescribedRouteConnector, DirectOrProxy, HttpRouteFragment, InterfaceChangedOr,
-    InterfaceMonitor, LoggingConnector, ResettingConnectionOutcomes, ResolveHostnames,
-    ResolveWithSavedDescription, ResolvedRoute, RouteProvider, RouteProviderContext,
-    RouteProviderExt as _, RouteResolver, StaticTcpTimeoutConnector, ThrottlingConnector,
-    TransportRoute, UnresolvedRouteDescription, UnresolvedTransportRoute,
-    UnresolvedWebsocketServiceRoute, UsePreconnect, UsesTransport, VariableTlsTimeoutConnector,
-    WebSocketRouteFragment, WebSocketServiceRoute,
+    ComposedConnector, ConnectError, ConnectionOutcomeParams, ConnectionOutcomes, Connector,
+    ConnectorFactory, DelayBasedOnTransport, DescribeForLog, DescribedRouteConnector,
+    DirectOrProxy, HttpRouteFragment, InterfaceChangedOr, InterfaceMonitor, LoggingConnector,
+    ResettingConnectionOutcomes, ResolveHostnames, ResolveWithSavedDescription, ResolvedRoute,
+    RouteProvider, RouteProviderContext, RouteProviderExt as _, RouteResolver,
+    StaticTcpTimeoutConnector, ThrottlingConnector, TransportRoute, UnresolvedRouteDescription,
+    UnresolvedTransportRoute, UnresolvedWebsocketServiceRoute, UsePreconnect, UsesTransport,
+    VariableTlsTimeoutConnector, WebSocketRouteFragment, WebSocketServiceRoute,
 };
 use libsignal_net_infra::tcp_ssl::{LONG_TCP_HANDSHAKE_THRESHOLD, LONG_TLS_HANDSHAKE_THRESHOLD};
 use libsignal_net_infra::timeouts::{
@@ -210,14 +209,6 @@ impl std::fmt::Display for RouteInfo {
 }
 
 impl RouteInfo {
-    pub fn proxy(&self) -> Option<ConnectionProxyKind> {
-        self.unresolved.proxy()
-    }
-
-    pub fn domain_front(&self) -> Option<&'static str> {
-        self.unresolved.domain_front()
-    }
-
     pub fn fake() -> Self {
         Self {
             unresolved: UnresolvedRouteDescription::fake(),