-
-
Notifications
You must be signed in to change notification settings - Fork 11.1k
[stealth 08/11] Harden stealth logging and telemetry defaults #8785
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
Closed
Changes from all commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
1822607
Harden stealth logging and telemetry defaults
reflog 001b747
Address review feedback for stealth defaults
reflog b0b11bf
fix: pass stealth flags to Go builds
reflog 6ac22ee
fix: let Linux stealth daemon use log default
reflog 0167296
fix: keep daemon ldflags scoped
reflog 73b80a2
fix: pass stealth log level to daemon installers
reflog 6b2ee80
fix: write Windows daemon log level portably
reflog 541e2a8
fix: harden telemetry consent and fix gofmt alignment
reflog File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,97 @@ | ||
| package lanterncore | ||
|
|
||
| import ( | ||
| "os" | ||
| "strings" | ||
| ) | ||
|
|
||
| const ( | ||
| // DefaultLogLevel preserves the existing non-stealth production behavior. | ||
| DefaultLogLevel = "trace" | ||
|
|
||
| safeStealthLogLevel = "warn" | ||
| ) | ||
|
|
||
| var ( | ||
| // StealthBuild is set by release tooling with: | ||
| // | ||
| // -X github.com/getlantern/lantern/lantern-core.StealthBuild=true | ||
| // | ||
| // Runtime env fallbacks are kept for local validation until the full | ||
| // native stealth profile plumbing lands in getlantern/lantern#8763. | ||
| StealthBuild = "false" | ||
|
reflog marked this conversation as resolved.
|
||
|
|
||
| // StealthLogLevel is the Go/Radiance fallback log level for stealth builds. | ||
| // Empty and trace-level defaults are deliberately replaced by | ||
| // EffectiveLogLevel. | ||
| StealthLogLevel = safeStealthLogLevel | ||
| ) | ||
|
|
||
| func IsStealthBuild() bool { | ||
| if buildBool(StealthBuild) { | ||
| return true | ||
| } | ||
| return buildBool(firstNonEmpty( | ||
| os.Getenv("LANTERN_STEALTH_BUILD"), | ||
| os.Getenv("STEALTH_BUILD"), | ||
| )) | ||
|
reflog marked this conversation as resolved.
|
||
| } | ||
|
|
||
| func EffectiveLogLevel(configured string) string { | ||
| configured = strings.ToLower(strings.TrimSpace(configured)) | ||
| if !IsStealthBuild() { | ||
| if configured == "" { | ||
| return DefaultLogLevel | ||
| } | ||
| return configured | ||
| } | ||
|
|
||
| if configured == "" || configured == "trace" { | ||
| return effectiveStealthLogLevel() | ||
| } | ||
| return configured | ||
| } | ||
|
|
||
| // EffectiveTelemetryConsent returns the telemetry consent that should be used | ||
| // after applying stealth-build policy. | ||
| // | ||
| // For stealth builds telemetry is unconditionally disabled regardless of any | ||
| // prior user opt-in: telemetry is a deanonymization surface and must not be | ||
| // emitted from a stealth artifact. For normal builds the caller-supplied | ||
| // consent value is returned unchanged. | ||
| func EffectiveTelemetryConsent(configured bool) bool { | ||
| if IsStealthBuild() { | ||
| return false | ||
| } | ||
| return configured | ||
| } | ||
|
|
||
| func effectiveStealthLogLevel() string { | ||
| level := strings.ToLower(strings.TrimSpace(firstNonEmpty( | ||
| os.Getenv("LANTERN_STEALTH_LOG_LEVEL"), | ||
| os.Getenv("STEALTH_LOG_LEVEL"), | ||
| StealthLogLevel, | ||
| ))) | ||
| if level == "" || level == "trace" { | ||
| return safeStealthLogLevel | ||
| } | ||
| return level | ||
| } | ||
|
|
||
| func firstNonEmpty(values ...string) string { | ||
| for _, value := range values { | ||
| if strings.TrimSpace(value) != "" { | ||
| return value | ||
| } | ||
| } | ||
| return "" | ||
| } | ||
|
|
||
| func buildBool(value string) bool { | ||
| switch strings.ToLower(strings.TrimSpace(value)) { | ||
| case "1", "true", "yes", "y", "on": | ||
| return true | ||
| default: | ||
| return false | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| package lanterncore | ||
|
|
||
| import "testing" | ||
|
|
||
| func clearStealthEnv(t *testing.T) { | ||
| t.Setenv("LANTERN_STEALTH_BUILD", "") | ||
| t.Setenv("STEALTH_BUILD", "") | ||
| t.Setenv("LANTERN_STEALTH_LOG_LEVEL", "") | ||
| t.Setenv("STEALTH_LOG_LEVEL", "") | ||
| t.Setenv("LANTERN_STEALTH_TELEMETRY_DEFAULT_ENABLED", "") | ||
| t.Setenv("STEALTH_TELEMETRY_DEFAULT_ENABLED", "") | ||
| } | ||
|
|
||
| func TestEffectiveLogLevelNonStealthPreservesDefaultTrace(t *testing.T) { | ||
| clearStealthEnv(t) | ||
| origStealthBuild := StealthBuild | ||
| StealthBuild = "false" | ||
| t.Cleanup(func() { StealthBuild = origStealthBuild }) | ||
|
|
||
| if got := EffectiveLogLevel(""); got != DefaultLogLevel { | ||
| t.Fatalf("EffectiveLogLevel(\"\") = %q, want %q", got, DefaultLogLevel) | ||
| } | ||
| if got := EffectiveLogLevel("debug"); got != "debug" { | ||
| t.Fatalf("EffectiveLogLevel(\"debug\") = %q, want debug", got) | ||
| } | ||
| } | ||
|
|
||
| func TestEffectiveLogLevelStealthReplacesTraceDefault(t *testing.T) { | ||
| clearStealthEnv(t) | ||
| t.Setenv("STEALTH_BUILD", "true") | ||
| t.Setenv("STEALTH_LOG_LEVEL", "") | ||
|
reflog marked this conversation as resolved.
|
||
| origStealthBuild := StealthBuild | ||
| origStealthLogLevel := StealthLogLevel | ||
| StealthBuild = "false" | ||
| StealthLogLevel = "warn" | ||
| t.Cleanup(func() { | ||
| StealthBuild = origStealthBuild | ||
| StealthLogLevel = origStealthLogLevel | ||
| }) | ||
|
|
||
| for _, configured := range []string{"", "trace", "TRACE"} { | ||
| if got := EffectiveLogLevel(configured); got != safeStealthLogLevel { | ||
| t.Fatalf("EffectiveLogLevel(%q) = %q, want %q", configured, got, safeStealthLogLevel) | ||
| } | ||
| } | ||
| if got := EffectiveLogLevel("error"); got != "error" { | ||
| t.Fatalf("EffectiveLogLevel(\"error\") = %q, want error", got) | ||
| } | ||
| } | ||
|
|
||
| func TestEffectiveLogLevelStealthRejectsTraceFallback(t *testing.T) { | ||
| clearStealthEnv(t) | ||
| t.Setenv("STEALTH_BUILD", "true") | ||
| t.Setenv("STEALTH_LOG_LEVEL", "trace") | ||
|
reflog marked this conversation as resolved.
|
||
| origStealthBuild := StealthBuild | ||
| origStealthLogLevel := StealthLogLevel | ||
| StealthBuild = "false" | ||
| StealthLogLevel = "trace" | ||
| t.Cleanup(func() { | ||
| StealthBuild = origStealthBuild | ||
| StealthLogLevel = origStealthLogLevel | ||
| }) | ||
|
|
||
| if got := EffectiveLogLevel(""); got != safeStealthLogLevel { | ||
| t.Fatalf("EffectiveLogLevel(\"\") = %q, want %q", got, safeStealthLogLevel) | ||
| } | ||
| } | ||
|
|
||
| func TestIsStealthBuildLinkedValueCannotBeDisabledByEnv(t *testing.T) { | ||
| clearStealthEnv(t) | ||
| t.Setenv("LANTERN_STEALTH_BUILD", "false") | ||
| t.Setenv("STEALTH_BUILD", "false") | ||
| origStealthBuild := StealthBuild | ||
| StealthBuild = "true" | ||
| t.Cleanup(func() { StealthBuild = origStealthBuild }) | ||
|
|
||
| if !IsStealthBuild() { | ||
| t.Fatal("linked stealth build should remain enabled despite false env fallbacks") | ||
| } | ||
| } | ||
|
|
||
| func TestEffectiveTelemetryConsent(t *testing.T) { | ||
| clearStealthEnv(t) | ||
| origStealthBuild := StealthBuild | ||
| t.Cleanup(func() { | ||
| StealthBuild = origStealthBuild | ||
| }) | ||
|
|
||
| // Non-stealth: caller value passes through unchanged. | ||
| StealthBuild = "false" | ||
|
reflog marked this conversation as resolved.
|
||
| if got := EffectiveTelemetryConsent(false); got { | ||
| t.Fatal("non-stealth false consent should remain false") | ||
| } | ||
| if got := EffectiveTelemetryConsent(true); !got { | ||
| t.Fatal("non-stealth true consent should remain true") | ||
| } | ||
|
|
||
| // Stealth: telemetry hard-disabled regardless of caller value. | ||
| StealthBuild = "true" | ||
| if got := EffectiveTelemetryConsent(false); got { | ||
| t.Fatal("stealth false consent should remain false") | ||
| } | ||
| if got := EffectiveTelemetryConsent(true); got { | ||
| t.Fatal("stealth prior opt-in must be overridden to false (telemetry is a deanonymization surface)") | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,5 @@ | ||
| #!/bin/sh | ||
| set -e | ||
|
|
||
| /usr/lib/lantern/lanternd install --log-level=trace >/dev/null 2>&1 || true | ||
| LOG_LEVEL="$(cat /usr/lib/lantern/lanternd-log-level 2>/dev/null || printf '%s' trace)" | ||
| /usr/lib/lantern/lanternd install --log-level="$LOG_LEVEL" >/dev/null 2>&1 || true |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.