Add rpc wallet protection endpoints

[ghubstan]

Implemented lockwallet, unlockwallet, removewalletpassword, and setwalletpassword methods with basic error handling.

Also added basic error handling to the existing getbalance method, and removed unused BalancePresentation from CoreAPI.

Resolves #4198

Notes

I didn't spend time second-guessing maintainers about the ordering of rpc service defs & methods in grpc.proto and GrpcServer, so changes might need to be made in that regard. It makes sense to group wallet protection related methods together, but that is inconsistent with other alphabetically ordered service and method names.

There is also a getbalance error handling bug that needs fixing: Error: null is printed to the :cli console when the daemon is losing peers (SOCKET_TIMEOUT).

Bats test cases for these methods are ready to push in a new PR after (if) 4209 is merged.

[ghubstan]

There is a bug needing a fix and test case for CliMain at line 174:
if (nonOptionArgs.size() < 2) should be if (nonOptionArgs.size() < 3).
FIXED

[cbeams]

Note that I changed the description from "To close task list in #4198" to "Resolves #4198" so that this PR shows up as "linked" in #4198 and so that it will in fact close #4198 when merged. See https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword.

[cbeams]

NACK. @ghubstan, I have not comprehensively reviewed this yet, but it's clear so far that error handling will need some rework. You've built in success and error_message fields into the new *Reply definitions, but this is not idiomatic gRPC usage. gRPC provides a first-class Status object, which should be accessed via StatusRuntimeExceptions thrown from the server side and caught on the client. We're doing this already with invalid passwords, but we now need to do it more consistently from our services.

See https://grpc.io/docs/tutorials/basic/java/#calling-service-methods and https://github.com/grpc/grpc/blob/master/doc/statuscodes.md for details.

[cbeams]

Also, and it's my bad for not specifying this, we probably should have cut this up into multiple PRs implementing one endpoint at a time, or at least separate commits for each. I'm not suggesting that you re-do everything in separate PRs/commits here, but it does mean more re-work when we find something like the Status issue above. If we'd caught that in a single endpoint implementation, the other's wouldn't have needed rework. Another reason to do one PR per endpoint is from a security review perspective. The less code there is to look at, the more likely it is that we notice subtle problems.

[ghubstan]

Notes about commit 2a9d1f6 (WIP)

@cbeams,

I know you will look at all of the changes, but please review my use of the Tuple2 return type used in CoreApi? Wrapping the return value and an ApiStatus code in a single return value -- for void return types too, unfortunately -- seemed like a better idea than throwing Exceptions to be caught by GrpcServer, to then be transformed into gRPC StatusRuntimeExceptions for the client. I don't know what your preference is. I prefer to make the changes after you ask for them.

And there is a lot of redundant error handling code in GrpcServer:

if (!result.second.equals(ApiStatus.OK)) {
	StatusRuntimeException ex = new StatusRuntimeException(result.second.getGrpcStatus()
	        .withDescription(result.second.getDescription()));
	responseObserver.onError(ex);
	throw ex;
}

There are only service classes in GrpcServer, no private methods yet. I don't know if you want these duplicate code blocks factored out.

[cbeams]

@ghubstan, in preparation to more fully review the use of Tuple2 and the other things you've asked about above, I've committed 39c868f which refactors the way we're declaring wallet-related grpc services. Have a look, and I'll get back to my review here as soon as I can. In short, I do want to eliminate Tuple2 and go with exceptions, but I need to think about it / try things out a bit further myself.

[cbeams]

I doubt, by the way, @ghubstan, that the way we want to implement unlockwallet is by actually unencrypting the wallet with removewalletpassword. If the Bisq node were to be shut down before the timeout expires, it would be without a wallet password at all when it starts up again. I am not sure exactly how unlocking the wallet works when using the GUI, but I would guess it doesn't work this way. Perhaps you could look into that in the meantime, while I continue my review?

[cbeams]

@ghubstan, regarding error handling, I've landed on an exception-based solution I'm happy with so far, but not quite ready to commit. Just FYI.

[cbeams]

@ghubstan, have a look at what I've done in 163061a to change the return type of CoreWalletService#getAvailableBalance from Tuple2<Long, ApiStatus> back to long and how throwing IllegalStateException is now favored. The status of all StatusRuntimeExceptions is now set to UNKNOWN, as I don't see a requirement at this point for the client to differentiate between different gRPC status codes. We can introduce that later if need be. For now, this approach keeps CoreWalletService completely unaware of gRPC concepts (as if it were really located in bisq.core where we want it to be) and it its methods are left returning values and throwing exceptions in an idiomatic / plain old java fashion.

Could you refactor the remaining methods in CoreWalletService to follow suit? When finished, ApiStatus should be empty and therefore deleted, and there should no longer be any usage of Tuple2. Preferred is to refactor each method in its own commit. Thanks.

[ghubstan]

RE commit ab17b67: I was catching exceptions (indicating a bug or bugs to be fixed?) I've seen during testing this method. Otherwise they will bubble up to client.

RE commit 9164579: I don't think an extra line for an explicit return; is needed for methods that return void.

[cbeams]

RE commit ab17b67: I was catching exceptions (indicating a bug or bugs to be fixed?) I've seen during testing this method. Otherwise they will bubble up to client.

I don't see the value in wrapping and rethrowing there. I'd rather see the exception bubble up as-is to the client and then see specific error handling code put wherever it's most appropriate. Wrapping it in an IllegalStateException may not really reflect the nature of the problem, e.g. just a programmer error.

RE commit 9164579: I don't think an extra line for an explicit return; is needed for methods that return void.

If you don't explicitly return there, then the nextif block will return true and throw because you just finished encrypting the wallet. Prior to your refactoring, you did explicitly return from that block with a Tuple2. You either need to return or make the subsequent if an else if block; your call.

[ghubstan]

@cbeams , I am still figuring out how to ensure the wallet is encrypted in the event of a crash before unlockpassword timeout expiration. I think the intermediary commits fbb025a - 24248d4 above were necessary, but CoreWalletService still decrypts/encrypts in the unlock/lock wallet methods. This will be fixed.

I think an intermediate step in that direction is to decrypt and re-encrypt the wallet only inside the methods that need to temporarily unlock the wallet, instead of decrypting it in the unlockwallet method. unlockwallet would just cache the crypter+key, which would be used by getbalance to: decrypt wallet -> getbalance -> encrypt wallet -> return balance. The unlockwallet timeout task or the lockwallet method, whichever happens first, would clear the temp crypter+key variables (see commit 4262f29).

I don't think getbalance even requires wallet decryption to display an updated balance, but it would be the place to see if this is feasible until a better solution to the wallet protection unlock/lock problem is found, and new methods are implemented. (Then the wallet decrypt/encrypt code would be removed from getbalance.)

Tomorrow, I will run :desktop in regtest mode to see how wallet decryption/encryption works while trading and sending btc/bsq to and from other wallets. I realize maybe all that's needed to unlock the wallet is the aesKey, but so far, bitcoin core src tells me it decrypts the in-memory wallet in its walletpassphrasechange method, and Bisq / BitcoinJ src tells me unlockwallet will have to decrypt the wallet and save modified wallet files to disk (I could be and hope I'm wrong).

(On a related matter: the UI does have a removepassword function.)

EDIT: This comment is obsolete. See commit a79ae57.

[ghubstan]

The correctness of commit a79ae57 needs to be verified by implementing and testing wallet related methods requiring the aesKey cached in unlockwallet.

For example, a method analogous to bitcoin-cli's sendtoaddress "addr" amt, that performs the same operation as the Bisq UI's WithdrawalView #
doWithdraw(amount, fee, callback) -> sendFunds(amount, fee, aesKey, callback)

[cbeams]

@ghubstan, I just ran into the following scenario when testing everything locally:

1. spin up a daemon against a new data directory, e.g: ./bisq-daemon --appDataDir=/tmp/newbisqdatadir --apiPassword=xyz
2. run ./bisq-cli --password=xyz getbalance until you get a valid response of 0.00000000
3. set a wallet password with ./bisq-cli --password=xyz setwalletpassword foo
4. notice that ./bisq-cli --password=xyz getbalance errors out as expected
5. unlock the wallet with ./bisq-cli --password=xyz unlockwallet foo 60
6. notice that ./bisq-cli --password=xyz getbalance returns 0.00000000 once again
7. lock the wallet with ./bisq-cli --password=xyz lockwallet
8. notice that ./bisq-cli --password=xyz getbalance errors out as expected
9. unlock the wallet once again with ./bisq-cli --password=xyz unlockwallet foo 60
10. notice that ./bisq-cli --password=xyz getbalance does NOT return 0.00000000 as expected, but rather fails with a "balance is not yet available message"
11. notice that no matter how long you wait, the command above always fails with the same message.

It appears there is no way to recover from this state via the cli, and that the only way out is to spin up a fresh data directory. Stopping and starting the server makes no difference either.

[ghubstan]

It appears there is no way to recover from this state via the cli

@cbeams , I haven't been able to reproduce the error yet. I don't suppose you still have the server log, and could check if the balance is not yet available msgs on the cli correspond to lost peer connections and Tor layer log.errors?

I've seen this before and should have mentioned it. Fixing tor binaries is out of this PR's scope, but the daemon needs to return a meaningful msg to the cli when this happens.

I've been turning my net connection off & on trying to force the tor errors I think are related to the daemon bug. No success so far, but I'll leave daemon on in hopes tor starts failing.

[cbeams]

@ghubstan, I just tried reproducing this on my side and recorded my efforts in the video at keybase://team/bisq/2020-05-12%20repro%20grpc-api%204214%20bug. In the end, I was unable to reproduce it exactly as I reported it. Please have a look at the video, but I'm not sure if it makes sense to focus on this more if I can't reliably reproduce it myself.

[ghubstan]

@cbeams,

I will see the keybase video later today. But today I am seeing numerous unrecoverable balance is not yet available errors and am working on it now.

An interval of tor circuit breakdown during startup prevented the wallet balance from being updated.
When I see a series of tor debug statements like these:

CircuitStatus: 92 CLOSED
CircuitStatus: 92 CLOSED
CircuitStatus: 144 FAILED
CircuitStatus: 148 LAUNCHED
CircuitStatus: 94 CLOSED
CircuitStatus: 149 EXTENDED
CircuitStatus: 148 BUILT
CircuitStatus: 153 EXTENDED
.....
CircuitStatus: 153 BUILT
CircuitStatus: 134 CLOSED
...
...
Ending in many CLOSED statements
...
...
CircuitStatus: 134 CLOSED

the initial null wallet balance cannot be updated.

But you saw your balance change from a non-null value to null (then you saw balance is not yet available). I suspect the balance is set to null while the tor circuit is broken, but I haven't reproduced that scenario yet.

When the circuit if finally reconstructed -- however long it takes -- the wallet balance is updated (confirmed by hitting my breakpoint @ Balances#updateBalance), and the cli can show the balance. I think this is the problem you found. If it is, you would have seen your balance after the tor circuit problems resolved themselves. Eventually. (EDIT: But maybe not. Ever. The recovery of the balance after circuit rebuild I saw earlier is not happening now. I have to take back what I said about "eventual" recovery.)

I am discussing with @freimair about how this problem is or might be categorized, and how this state could be communicated to the :cli user.

This problem is related and possibly identical to the "3/4" problem described in issue 2547.

[chimp1984]

@ghubstan
Regarding wallet encryption (not sure if already resolved, have not read the full thread...):

If wallet is encrypted you need the aesKey (or generate it from the password) for certain wallet methods. Bisq does not decrypt/encrypt but requests from the user the password to get the aesKey. Encrypting and decrypting is only done when setting or removing the wallet password.
The wallet write operation has a certain risk for disk failure and when setting the password we delete all the rolling backups (as seed would be visible in unencrypted files), so that could be a critical problem if the write operation fails and causes a corrupted wallet (I read on BitcoinJ mailinglist that this happened sometimes). So the encryption/decryption operations should be done only when absolutely needed IMO.

Side note:
If the wallet is encrypted Bisq keeps the aesKey in memory to be able to sign a tx in case a taker takes an offer (which happenes non-interactive). This might be a bit of a security risk and it would be better if we do that only when absolutely needed (e.g. in case a maker has open offers).

I am not sure about your use cases for the API but passing the wallet password if required for the wallet operation seems to me the right way to deal with it.