chore: Log HTTP request body on signature verification failure (#3239)

There have been reports both internally and in support channels of ingress messages failing signature verification. So far these have not been reproducible, and the cause is unknown. To assist debugging, if verification fails log the HTTP request body.
dfinity · Jan 13, 2025 · 4a7957b · 4a7957b
1 parent a23113f
commit 4a7957b
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 7 deletions.
diff --git a/rs/http_endpoints/public/src/call.rs b/rs/http_endpoints/public/src/call.rs
@@ -251,7 +251,7 @@ impl IngressValidator {
             message: "".into(),
         })?
         .map_err(|validation_error| {
-            validation_error_to_http_error(message_id, validation_error, &log)
+            validation_error_to_http_error(msg.as_ref(), validation_error, &log)
         })?;
 
         let ingress_filter = ingress_filter.lock().unwrap().clone();

diff --git a/rs/http_endpoints/public/src/common.rs b/rs/http_endpoints/public/src/common.rs
@@ -20,7 +20,7 @@ use ic_replicated_state::ReplicatedState;
 use ic_types::{
     crypto::threshold_sig::ThresholdSigPublicKey,
     malicious_flags::MaliciousFlags,
-    messages::{HttpRequest, HttpRequestContent, MessageId},
+    messages::{HttpRequest, HttpRequestContent},
     RegistryVersion, SubnetId, Time,
 };
 use ic_validator::{
@@ -246,12 +246,22 @@ impl IntoResponse for CborUserError {
     }
 }
 
-pub(crate) fn validation_error_to_http_error(
-    message_id: MessageId,
+pub(crate) fn validation_error_to_http_error<C: std::fmt::Debug + HttpRequestContent>(
+    request: &HttpRequest<C>,
     err: RequestValidationError,
     log: &ReplicaLogger,
 ) -> HttpError {
-    info!(log, "msg_id: {}, err: {}", message_id, err);
+    let message_id = request.id();
+    match err {
+        RequestValidationError::InvalidSignature(_) => {
+            info!(
+                log,
+                "msg_id: {}, err: {}, request: {:?}", message_id, err, request
+            )
+        }
+        _ => info!(log, "msg_id: {}, err: {}", message_id, err),
+    }
+
     HttpError {
         status: StatusCode::BAD_REQUEST,
         message: format!("{err}"),

diff --git a/rs/http_endpoints/public/src/query.rs b/rs/http_endpoints/public/src/query.rs
@@ -194,7 +194,7 @@ pub(crate) async fn query(
     {
         Ok(Ok(_)) => {}
         Ok(Err(err)) => {
-            let http_err = validation_error_to_http_error(request.id(), err, &log);
+            let http_err = validation_error_to_http_error(&request, err, &log);
             return (http_err.status, http_err.message).into_response();
         }
         Err(_) => {

diff --git a/rs/http_endpoints/public/src/read_state/canister.rs b/rs/http_endpoints/public/src/read_state/canister.rs
@@ -169,7 +169,7 @@ pub(crate) async fn canister_read_state(
             match validator.validate_request(&request_c, current_time(), &root_of_trust_provider) {
                 Ok(targets) => targets,
                 Err(err) => {
-                    let http_err = validation_error_to_http_error(request.id(), err, &log);
+                    let http_err = validation_error_to_http_error(&request, err, &log);
                     return (http_err.status, http_err.message).into_response();
                 }
             };