Log RPC parameters (arguments) if -debug=rpcparams

[LarryRuane]

When a developer is examining debug.log (or client terminal output), it's often useful to know which RPCs have been submitted to the client; this can be enabled with the -debug=rpc configuration option. But this prints only the method name. This PR adds -debug=rpcparams to enable the logging of each RPC's parameters (arguments). The parameters of certain RPCs are keys or passwords; these should not be logged.

[maflcko]

Looks like this list is incomplete. Would be nice if it can be deduplicated with the existing QStringList historyFilter

[fqlx]

This blacklist should be pulled out of a config rather than buried in the code.

[LarryRuane]

What do you mean by "config"? Are you referring to ~/.bitcoin/bitcoin.conf?

[maflcko]

I mean that it should go into a common module, probably ./src/util/ or similar.

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #22736 (log, sync: change lock contention from preprocessor directive to log category by jonatack)
• #20487 (Add syscall sandboxing using seccomp-bpf (Linux secure computing mode) by practicalswift)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

[promag]

How about private keys?

[LarryRuane]

Rebased, addressed review comments, force-pushed.

[LarryRuane]

I'm undecided if a new category is needed, or just enable this additional logging with rpc. We don't have many of the 32 category bits remaining (although we could easily change to use a uint64_t).

[LarryRuane]

Could print each param on a separate line.

[promag]

IMO the blacklist doesn't look a great option.

How about disallow -debug=rpcparams in mainnet and drop the blacklist?

[instagibbs]

concept NACK, someone is going to forget when adding a new RPC and start logging secrets in production.

I think @promag suggestion is better.

[promag]

Another approach is to add a sensitive options/flag (false by default) to RPCHelpMan RPCArg.

[LarryRuane]

@promag, interesting idea, I like that it would allow specific arguments to be designated as sensitive, rather than the entire method. Also, it would be nice not to have to touch so many lines of code (as my latest commit does). But @instagibbs's concern, #16365 (comment), which I was attempted to overcome with my latest commit, becomes live again.

[LarryRuane]

Rebased, replaced functional (python) test with a proper unit test.

[LarryRuane]

I had an idea for what may be an improvement. It's in a separate commit, "replace sensitive bool with more general flags". Please let me know what you think; this commit is optional.

Modifying all of the lines of the static const CRPCCommand commands[] tables is disruptive, and all that's being done is to add a boolean value (to indicate whether to log the RPC's params or not). As long as we're touching all these lines anyway, why not implement a more general flags bitfield, of which DONTLOG is just the first bit. There may be other future attributes that would be useful to add to RPC methods. With this commit, adding them would touch only the lines corresponding to the affected RPCs, rather than all of them.

[LarryRuane]

Force-pushed (diff) a different approach that does not require changing each of the 149 per-rpc CRPCCommand initializers. This new way is much less invasive and more manageable. I finally decided it's best to go with an "allow" list (hard to beat simplicity). If someone adds a new RPC later without being aware of this form of logging, its arguments will not be logged. That makes this approach very safe against accidentally leaking secret information to the log file. I incorporated some of the review comments as well.

Here are some examples (without showing the RPC output):

$ bitcoin-cli getnetworkinfo
$ bitcoin-cli getblockhash 0
$ bitcoin-cli logging '["rpcparams"]' '["rpc","mempool"]'
$ bitcoin-cli encryptwallet WALLET-PASSWORD-SECRET

Here's what appears in debug.log:

2020-09-29T05:58:50Z rpc=getnetworkinfo()
2020-09-29T05:59:00Z rpc=getblockhash(0)
2020-09-29T06:02:51Z rpc=logging([rpcparams],[rpc,mempool])
2020-09-29T06:02:55Z rpc=encryptwallet(****)

[LarryRuane]

This allow list came from listing all the RPCs and then removing the following:

signmessagewithprivkey
signrawtransactionwithkey
signrawtransactionwithwallet
signmessage
createwallet
encryptwallet
importmulti
importprivkey
sethdseed
walletpassphrase
walletpassphrasechange

As far as I can tell, these are the RPCs whose arguments shouldn't be logged.

[jonatack]

Maintainence of this list seems like a drawback. It would be nice if a test fails somewhere when an RPC is added or removed without the allow list being updated, e.g. with a list of structs of all the RPCs with an associated safe/unsafe bool value, or something like CRPCConvertParam. Feel to ignore if unrealistic.

[jonatack]

Tested almost-ACK 7d22a6f rebased to current master, modulo the comments below

[jonatack]

test/functional/rpc_misc.py::L60 needs to be updated: AssertionError: not(25 == 24)

[jonatack]

This list seems to need an update for new RPCS (restorewallet comes to mind, not sure if there are others)

[jonatack]

Maintainence of this list seems like a drawback. It would be nice if a test fails somewhere when an RPC is added or removed without the allow list being updated, e.g. with a list of structs of all the RPCs with an associated safe/unsafe bool value, or something like CRPCConvertParam. Feel to ignore if unrealistic.

[jonatack]

Maybe replace this loop with a call to util/string.h::Join()

[jonatack]

Some (tested) ideas, feel free to pick/choose/ignore

-    FILE* file = fsbridge::fopen(LogInstance().m_file_path, "rb");
+    FILE* file{fsbridge::fopen(LogInstance().m_file_path, "rb")};
     fseek(file, 0, SEEK_END);
     std::vector<char> vch(ftell(file), 0);
     fseek(file, 0, SEEK_SET);
-    size_t nbytes = fread(vch.data(), 1, vch.size(), file);
+    const size_t nbytes{fread(vch.data(), 1, vch.size(), file)};
     fclose(file);
 
     // This checks the test (not the code being tested).
     BOOST_CHECK_EQUAL(nbytes, vch.size());
 
     // Check that what should appear does, and what shouldn't doesn't.
-    std::string str(vch.begin(), vch.end());
+    const std::string str{vch.begin(), vch.end()};
@@ -512,8 +512,8 @@ BOOST_AUTO_TEST_CASE(rpc_logparams)
-    BOOST_CHECK(str.find("some-key") == std::string::npos);
-    BOOST_CHECK(str.find("some-message") == std::string::npos);
+    BOOST_CHECK_EQUAL(str.find("some-key"), std::string::npos);
+    BOOST_CHECK_EQUAL(str.find("some-message"), std::string::npos);

[jonatack]

Not sure here, perhaps separate the params with ", " (comma + space)

now

2021-08-19T11:45:46Z rpc=getmempoolancestors(b6a5ed05bc71c8ccc5316,true)

comma+space

2021-08-19T11:45:46Z rpc=getmempoolancestors(b6a5ed05bc71c8ccc5316, true)

[LarryRuane]

Maintenance of this list seems like a drawback

I agree, I'm going to convert this PR to draft because I think there's a better way to do this that doesn't require a separate list. I'll also pick up your other suggestions. Thanks for taking the time to look it over!

[DrahtBot]

🐙 This pull request conflicts with the target branch and needs rebase.

_{Want to unsubscribe from rebase notifications on this pull request? Just convert this pull request to a "draft".}

[DrahtBot]

There hasn't been much activity lately and the patch still needs rebase. What is the status here?

• Is it still relevant? ➡️ Please solve the conflicts to make it ready for review and to ensure the CI passes.
• Is it no longer relevant? ➡️ Please close.
• Did the author lose interest or time to work on this? ➡️ Please close it and mark it 'Up for grabs' with the label, so that it can be picked up in the future.

[fanquake]

I'm going to convert this PR to draft because I think there's a better way to do this that doesn't require a separate list. I'll also pick up your other suggestions.

Given it's been 16 months this statement, I'm going to close this for now. Feel free to comment / ping if you're going to work on this again and need the PR reopened.