fix: upgrade observed address to ip mapping

When an observed address with a publicly routable IPv4 host is
confirmed by autonat, and there's only one listener it could be
associated with, upgrade the observed address to an IP mapping,
this allows the DNS mapping to add SNI tuples to corresponding
transport addresses with a TLS tuple.

Fixes #2929

Author: achingbrain

packages/libp2p/src/address-manager/index.ts

@@ -3,7 +3,9 @@ import { isIPv4 } from '@chainsafe/is-ip'
 import { peerIdFromString } from '@libp2p/peer-id'
 import { debounce } from '@libp2p/utils/debounce'
 import { createScalableCuckooFilter } from '@libp2p/utils/filters'
+import { isPrivateIp } from '@libp2p/utils/private-ip'
 import { multiaddr } from '@multiformats/multiaddr'
+import { QUICV1, TCP, WebSockets, WebSocketsSecure } from '@multiformats/multiaddr-matcher'
 import { DNSMappings } from './dns-mappings.js'
 import { IPMappings } from './ip-mappings.js'
 import { ObservedAddresses } from './observed-addresses.js'
@@ -249,20 +251,42 @@ export class AddressManager implements AddressManagerInterface {
     addr = stripPeerId(addr, this.components.peerId)
     let startingConfidence = true
 
-    if (options?.type === 'observed' || this.observed.has(addr)) {
-      startingConfidence = this.observed.confirm(addr, options?.ttl ?? this.addressVerificationTTL)
-    }
-
     if (options?.type === 'transport' || this.transportAddresses.has(addr)) {
-      startingConfidence = this.transportAddresses.confirm(addr, options?.ttl ?? this.addressVerificationTTL)
+      const transportStartingConfidence = this.transportAddresses.confirm(addr, options?.ttl ?? this.addressVerificationTTL)
+
+      if (!transportStartingConfidence && startingConfidence) {
+        startingConfidence = false
+      }
     }
 
     if (options?.type === 'dns-mapping' || this.dnsMappings.has(addr)) {
-      startingConfidence = this.dnsMappings.confirm(addr, options?.ttl ?? this.addressVerificationTTL)
+      const dnsMapingStartingConfidence = this.dnsMappings.confirm(addr, options?.ttl ?? this.addressVerificationTTL)
+
+      if (!dnsMapingStartingConfidence && startingConfidence) {
+        startingConfidence = false
+      }
     }
 
     if (options?.type === 'ip-mapping' || this.ipMappings.has(addr)) {
-      startingConfidence = this.ipMappings.confirm(addr, options?.ttl ?? this.addressVerificationTTL)
+      const ipMapingStartingConfidence = this.ipMappings.confirm(addr, options?.ttl ?? this.addressVerificationTTL)
+
+      if (!ipMapingStartingConfidence && startingConfidence) {
+        startingConfidence = false
+      }
+    }
+
+    if (options?.type === 'observed' || this.observed.has(addr)) {
+      // try to match up observed address with local transport listener
+      if (this.maybeUpgradeToIPMapping(addr)) {
+        this.ipMappings.confirm(addr, options?.ttl ?? this.addressVerificationTTL)
+        startingConfidence = false
+      } else {
+        const observedStartingConfidence = this.observed.confirm(addr, options?.ttl ?? this.addressVerificationTTL)
+
+        if (!observedStartingConfidence && startingConfidence) {
+          startingConfidence = false
+        }
+      }
     }
 
     // only trigger the 'self:peer:update' event if our confidence in an address has changed
@@ -277,19 +301,35 @@ export class AddressManager implements AddressManagerInterface {
     let startingConfidence = false
 
     if (this.observed.has(addr)) {
-      startingConfidence = this.observed.remove(addr)
+      const observedStartingConfidence = this.observed.remove(addr)
+
+      if (!observedStartingConfidence && startingConfidence) {
+        startingConfidence = false
+      }
     }
 
     if (this.transportAddresses.has(addr)) {
-      startingConfidence = this.transportAddresses.unconfirm(addr, options?.ttl ?? this.addressVerificationRetry)
+      const transportStartingConfidence = this.transportAddresses.unconfirm(addr, options?.ttl ?? this.addressVerificationRetry)
+
+      if (!transportStartingConfidence && startingConfidence) {
+        startingConfidence = false
+      }
     }
 
     if (this.dnsMappings.has(addr)) {
-      startingConfidence = this.dnsMappings.unconfirm(addr, options?.ttl ?? this.addressVerificationRetry)
+      const dnsMapingStartingConfidence = this.dnsMappings.unconfirm(addr, options?.ttl ?? this.addressVerificationRetry)
+
+      if (!dnsMapingStartingConfidence && startingConfidence) {
+        startingConfidence = false
+      }
     }
 
     if (this.ipMappings.has(addr)) {
-      startingConfidence = this.ipMappings.unconfirm(addr, options?.ttl ?? this.addressVerificationRetry)
+      const ipMapingStartingConfidence = this.ipMappings.unconfirm(addr, options?.ttl ?? this.addressVerificationRetry)
+
+      if (!ipMapingStartingConfidence && startingConfidence) {
+        startingConfidence = false
+      }
     }
 
     // only trigger the 'self:peer:update' event if our confidence in an address has changed
@@ -410,4 +450,82 @@ export class AddressManager implements AddressManagerInterface {
       this._updatePeerStoreAddresses()
     }
   }
+
+  /**
+   * Where an external service (router, gateway, etc) is forwarding traffic to
+   * us, attempt to add an IP mapping for the external address - this will
+   * include the observed mapping in the address list where we also have a DNS
+   * mapping for the external IP.
+   *
+   * Returns true if we added a new mapping
+   */
+  private maybeUpgradeToIPMapping (ma: Multiaddr): boolean {
+    // this address is already mapped
+    if (this.ipMappings.has(ma)) {
+      return false
+    }
+
+    const maOptions = ma.toOptions()
+
+    // only public IPv4 addresses
+    if (maOptions.family === 6 || maOptions.host === '127.0.0.1' || isPrivateIp(maOptions.host) === true) {
+      return false
+    }
+
+    const listeners = this.components.transportManager.getListeners()
+
+    const transportMatchers: Array<(ma: Multiaddr) => boolean> = [
+      (ma: Multiaddr) => WebSockets.exactMatch(ma) || WebSocketsSecure.exactMatch(ma),
+      (ma: Multiaddr) => TCP.exactMatch(ma),
+      (ma: Multiaddr) => QUICV1.exactMatch(ma)
+    ]
+
+    for (const matcher of transportMatchers) {
+      // is the incoming address the same type as the matcher
+      if (!matcher(ma)) {
+        continue
+      }
+
+      // get the listeners for this transport
+      const transportListeners = listeners.filter(listener => {
+        return listener.getAddrs().filter(ma => {
+          // only IPv4 addresses of the matcher type
+          return ma.toOptions().family === 4 && matcher(ma)
+        }).length > 0
+      })
+
+      // because the NAT mapping could be forwarding different external ports to
+      // internal ones, we can only be sure enough to add a mapping if there is
+      // a single listener
+      if (transportListeners.length !== 1) {
+        continue
+      }
+
+      // we have one listener which listens on one port so whatever the external
+      // NAT port mapping is, it should be for this listener
+      const linkLocalAddr = transportListeners[0].getAddrs().filter(ma => {
+        return ma.toOptions().host !== '127.0.0.1'
+      }).pop()
+
+      if (linkLocalAddr == null) {
+        continue
+      }
+
+      const linkLocalOptions = linkLocalAddr.toOptions()
+
+      // upgrade observed address to IP mapping
+      this.observed.remove(ma)
+      this.ipMappings.add(
+        linkLocalOptions.host,
+        linkLocalOptions.port,
+        maOptions.host,
+        maOptions.port,
+        maOptions.transport
+      )
+
+      return true
+    }
+
+    return false
+  }
 }

packages/libp2p/test/addresses/address-manager.spec.ts

@@ -1,7 +1,7 @@
 /* eslint-env mocha */
 
 import { generateKeyPair } from '@libp2p/crypto/keys'
-import { TypedEventEmitter, type TypedEventTarget, type Libp2pEvents, type PeerId, type PeerStore, type Peer } from '@libp2p/interface'
+import { TypedEventEmitter, type TypedEventTarget, type Libp2pEvents, type PeerId, type PeerStore, type Peer, type Listener } from '@libp2p/interface'
 import { defaultLogger } from '@libp2p/logger'
 import { peerIdFromPrivateKey } from '@libp2p/peer-id'
 import { multiaddr } from '@multiformats/multiaddr'
@@ -10,7 +10,7 @@ import delay from 'delay'
 import Sinon from 'sinon'
 import { type StubbedInstance, stubInterface } from 'sinon-ts'
 import { type AddressFilter, AddressManager } from '../../src/address-manager/index.js'
-import type { TransportManager } from '@libp2p/interface-internal'
+import type { NodeAddress, TransportManager } from '@libp2p/interface-internal'
 
 const listenAddresses = ['/ip4/127.0.0.1/tcp/15006/ws', '/ip4/127.0.0.1/tcp/15008/ws']
 const announceAddreses = ['/dns4/peer.io']
@@ -200,7 +200,8 @@ describe('Address Manager', () => {
     const am = new AddressManager({
       peerId,
       transportManager: stubInterface<TransportManager>({
-        getAddrs: Sinon.stub().returns([])
+        getAddrs: Sinon.stub().returns([]),
+        getListeners: Sinon.stub().returns([])
       }),
       peerStore,
       events,
@@ -714,4 +715,106 @@ describe('Address Manager', () => {
       multiaddr(`/ip6/${externalIp}/${protocol}/${externalPort}/p2p/${peerId.toString()}`)
     ])
   })
+
+  it('should upgrade an observed address to an IP mapping when confirming an observed address and there is only a single eligible listener', () => {
+    const am = new AddressManager({
+      peerId,
+      transportManager: stubInterface<TransportManager>({
+        getAddrs: Sinon.stub().returns([
+          multiaddr('/ip4/127.0.0.1/tcp/1234'),
+          multiaddr('/ip4/192.168.1.123/tcp/1234')
+        ]),
+        getListeners: Sinon.stub().returns([
+          stubInterface<Listener>({
+            getAddrs: Sinon.stub().returns([
+              multiaddr('/ip4/127.0.0.1/tcp/1234'),
+              multiaddr('/ip4/192.168.1.123/tcp/1234')
+            ])
+          }),
+          stubInterface<Listener>({
+            getAddrs: Sinon.stub().returns([
+              multiaddr('/ip6/::1/tcp/1234'),
+              multiaddr('/ip6/2b01:ab15:3c8:3300:10b8:170e:1087:3b0e/tcp/1234')
+            ])
+          })
+        ])
+      }),
+      peerStore,
+      events,
+      logger: defaultLogger()
+    })
+
+    expect(am.getObservedAddrs()).to.be.empty()
+
+    const ma = multiaddr('/ip4/123.123.123.123/tcp/39201')
+    am.addObservedAddr(ma)
+    am.confirmObservedAddr(ma)
+
+    expect(am.getAddressesWithMetadata().map(mapAddress)).to.include.deep.members([{
+      multiaddr: ma,
+      verified: true,
+      type: 'ip-mapping'
+    }])
+
+    expect(am.getAddressesWithMetadata().map(mapAddress)).to.not.include.deep.members([{
+      multiaddr: ma,
+      verified: true,
+      type: 'observed'
+    }])
+  })
+
+  it('should not upgrade an observed address to an IP mapping when confirming an observed address and there are multiple eligible listeners', () => {
+    const am = new AddressManager({
+      peerId,
+      transportManager: stubInterface<TransportManager>({
+        getAddrs: Sinon.stub().returns([
+          multiaddr('/ip4/127.0.0.1/tcp/1234'),
+          multiaddr('/ip4/192.168.1.123/tcp/1234')
+        ]),
+        getListeners: Sinon.stub().returns([
+          stubInterface<Listener>({
+            getAddrs: Sinon.stub().returns([
+              multiaddr('/ip4/127.0.0.1/tcp/1234'),
+              multiaddr('/ip4/192.168.1.123/tcp/1234')
+            ])
+          }),
+          stubInterface<Listener>({
+            getAddrs: Sinon.stub().returns([
+              multiaddr('/ip4/127.0.0.1/tcp/4567'),
+              multiaddr('/ip4/192.168.1.123/tcp/4567')
+            ])
+          })
+        ])
+      }),
+      peerStore,
+      events,
+      logger: defaultLogger()
+    })
+
+    expect(am.getObservedAddrs()).to.be.empty()
+
+    const ma = multiaddr('/ip4/123.123.123.123/tcp/39201')
+    am.addObservedAddr(ma)
+    am.confirmObservedAddr(ma)
+
+    expect(am.getAddressesWithMetadata().map(mapAddress)).to.not.include.deep.members([{
+      multiaddr: ma,
+      verified: true,
+      type: 'ip-mapping'
+    }])
+
+    expect(am.getAddressesWithMetadata().map(mapAddress)).to.include.deep.members([{
+      multiaddr: ma,
+      verified: true,
+      type: 'observed'
+    }])
+  })
 })
+
+function mapAddress (addr: NodeAddress): Pick<NodeAddress, 'multiaddr' | 'verified' | 'type'> {
+  return {
+    multiaddr: addr.multiaddr,
+    verified: addr.verified,
+    type: addr.type
+  }
+}