fix(API): report unknown trust when chia config is unavailable

TheLastCicada · TheLastCicada · commit b003033f8d39 · 2026-06-04T13:15:24.000-07:00
When CADT cannot read the chia config.yaml (e.g. CADT and chia run in
separate containers), it has no trusted_peers/trusted_cidrs to evaluate.
Report non-localhost peers as trusted "unknown" instead of false and
suppress the "severely degraded" warning in that case, so a split
deployment is not falsely flagged. Localhost peers stay trusted since
that is determinable without the config.

Also harden trusted_cidrs parsing to mirror chia: reject non-decimal
prefixes (an empty prefix like "10.0.0.0/" was misread as /0 and trusted
every peer) and treat a bare IP as a /32 or /128 host route. Treat an
unreadable wallet get_connections as unknown rather than untrusted.
diff --git a/src/routes/diagnostics.js b/src/routes/diagnostics.js
@@ -362,12 +362,29 @@ const isTrustedCidr = (peerHost, trustedCidrs) => {
   const hostFamily = hostType === 6 ? 'ipv6' : 'ipv4';
 
   for (const cidr of trustedCidrs) {
-    const slash = String(cidr).lastIndexOf('/');
-    if (slash === -1) continue;
-    const network = String(cidr).slice(0, slash);
-    const prefix = Number(String(cidr).slice(slash + 1));
+    const cidrStr = String(cidr);
+    const slash = cidrStr.lastIndexOf('/');
+    let network;
+    let prefix;
+    if (slash === -1) {
+      // Bare IP, no prefix. chia's ip_network() treats this as a host route
+      // (/32 for IPv4, /128 for IPv6), so trust an exact-match peer.
+      network = cidrStr;
+      const bareType = net.isIP(network);
+      if (bareType === 0) continue;
+      prefix = bareType === 6 ? 128 : 32;
+    } else {
+      network = cidrStr.slice(0, slash);
+      const prefixStr = cidrStr.slice(slash + 1);
+      // Require an explicit decimal prefix. Number('') and Number(' ') both
+      // coerce to 0, which would silently widen a typo'd CIDR like "10.0.0.0/"
+      // into /0 and trust every peer; hex/float forms ("/0x10", "/1.5") would
+      // also be misread. chia's ipaddress parser rejects all of these.
+      if (!/^\d+$/.test(prefixStr)) continue;
+      prefix = Number(prefixStr);
+    }
     const netType = net.isIP(network);
-    if (netType === 0 || !Number.isInteger(prefix)) continue;
+    if (netType === 0) continue;
     try {
       const blockList = new net.BlockList();
       blockList.addSubnet(network, prefix, netType === 6 ? 'ipv6' : 'ipv4');
@@ -386,15 +403,23 @@ const isTrustedCidr = (peerHost, trustedCidrs) => {
  *
  *   trusted = is_localhost(host) OR node_id in trusted_peers OR is_trusted_cidr
  *
- * Returns the matched reason so the diagnostics output explains *why* a peer
- * is trusted (e.g. a localhost full node is trusted even when trusted_peers
- * still holds the default placeholder node id).
+ * Returns `{ trusted, reason }` where `trusted` is true / false / 'unknown'.
+ * Localhost is detectable from the peer host alone, so it is evaluated even
+ * without the chia config. The trusted_peers / trusted_cidrs rules require
+ * the config, so when it is unavailable (`configReadable === false`) a
+ * non-localhost peer is 'unknown' rather than false -- CADT and chia can run
+ * in separate containers where CADT has no access to the chia config.yaml,
+ * and reporting 'untrusted' there would be wrong (the peer may well be
+ * trusted via trusted_cidrs we simply can't see).
  */
-const classifyTrust = (peerHost, nodeId, normalizedTrustedSet, trustedCidrs) => {
-  if (isLocalhost(peerHost)) return 'localhost';
-  if (normalizedTrustedSet && normalizedTrustedSet.has(normalizeNodeId(nodeId))) return 'configured';
-  if (isTrustedCidr(peerHost, trustedCidrs)) return 'cidr';
-  return null;
+const classifyTrust = (peerHost, nodeId, normalizedTrustedSet, trustedCidrs, configReadable) => {
+  if (isLocalhost(peerHost)) return { trusted: true, reason: 'localhost' };
+  if (!configReadable) return { trusted: 'unknown', reason: 'chia-config-unavailable' };
+  if (normalizedTrustedSet && normalizedTrustedSet.has(normalizeNodeId(nodeId))) {
+    return { trusted: true, reason: 'configured' };
+  }
+  if (isTrustedCidr(peerHost, trustedCidrs)) return { trusted: true, reason: 'cidr' };
+  return { trusted: false, reason: null };
 };
 
 /**
@@ -409,11 +434,17 @@ const buildTrustedPeerView = (connectionsResult, chiaConfigResult) => {
     configuredTrustedCidrs: [],
     connected: [],
     hasTrustedConnection: false,
+    // True when trust could not be determined -- either the chia config was
+    // unavailable (so trusted_peers/trusted_cidrs can't be checked) or the
+    // wallet connections couldn't be enumerated at all. Distinguishes "known
+    // untrusted" from "can't tell" so callers don't raise a false alarm.
+    trustUnknown: false,
   };
 
+  const configReadable = chiaConfigResult?.ok === true;
   let normalizedTrustedSet = null;
   let trustedCidrs = [];
-  if (chiaConfigResult?.ok) {
+  if (configReadable) {
     const trustedPeerMap = _.get(chiaConfigResult.value, 'wallet.trusted_peers', null);
     if (trustedPeerMap && typeof trustedPeerMap === 'object') {
       // trusted_peers is `{ <peer_node_id>: <cert_path or 'Does_not_matter'> }`
@@ -435,20 +466,43 @@ const buildTrustedPeerView = (connectionsResult, chiaConfigResult) => {
   if (connectionsResult?.ok && connectionsResult.value?.success !== false) {
     const connections = connectionsResult.value?.connections || [];
     view.connected = connections.map((c) => {
-      const trustedReason = classifyTrust(c.peerHost, c.nodeId, normalizedTrustedSet, trustedCidrs);
-      const trusted = trustedReason !== null;
-      if (trusted) view.hasTrustedConnection = true;
-      return { peerHost: c.peerHost, peerPort: c.peerPort, type: c.type, trusted, trustedReason };
+      const { trusted, reason } = classifyTrust(
+        c.peerHost,
+        c.nodeId,
+        normalizedTrustedSet,
+        trustedCidrs,
+        configReadable,
+      );
+      if (trusted === true) view.hasTrustedConnection = true;
+      if (trusted === 'unknown') view.trustUnknown = true;
+      return { peerHost: c.peerHost, peerPort: c.peerPort, type: c.type, trusted, trustedReason: reason };
     });
   } else if (connectionsResult) {
     view.connectionsError = connectionsResult.ok
       ? connectionsResult.value?.error || 'wallet connections unavailable'
       : connectionsResult.error;
+    // Connections couldn't be enumerated -- we can't tell whether a trusted
+    // peer exists, so treat it as unknown rather than "definitively untrusted".
+    view.trustUnknown = true;
   }
 
   return view;
 };
 
+/**
+ * Whether to warn that the wallet is not connected to a trusted full-node
+ * peer. Only warn when we can *definitively* say there is no trusted peer:
+ * the wallet is reachable, nothing is trusted, and no peer's trust is
+ * unknown. When trust is unknown (chia config unreadable, e.g. split
+ * CADT/chia containers) we stay silent rather than raise a false warning.
+ */
+const shouldWarnNoTrustedPeer = (walletReachable, trustedFullNodePeers) => {
+  if (!walletReachable || !trustedFullNodePeers) return false;
+  if (trustedFullNodePeers.hasTrustedConnection) return false;
+  if (trustedFullNodePeers.trustUnknown) return false;
+  return true;
+};
+
 /**
  * Build the full /diagnostics response payload.
  *
@@ -899,7 +953,7 @@ export const getDiagnosticsResponse = async () => {
       }
     }
 
-    if (walletReachable && walletSection.trustedFullNodePeers?.hasTrustedConnection === false) {
+    if (shouldWarnNoTrustedPeer(walletReachable, walletSection.trustedFullNodePeers)) {
       walletStatus.escalate(
         'warning',
         'Performance is severely degraded when the Chia wallet is not connected to a trusted full node peer',
@@ -946,6 +1000,7 @@ export const __test = {
   isLocalhost,
   isTrustedCidr,
   classifyTrust,
+  shouldWarnNoTrustedPeer,
   collectOwnedStoreExpectations,
   escalateLostOwnedStores,
   StatusAccumulator,
diff --git a/tests/v2/integration/diagnostics.spec.js b/tests/v2/integration/diagnostics.spec.js
@@ -298,8 +298,113 @@ describe('/diagnostics endpoint', function () {
         expect(view.connected[0].trusted).to.equal(true);
         expect(view.connected[0].trustedReason).to.equal('cidr');
         expect(view.connected[1].trusted).to.equal(false);
+        expect(view.connected[1].trustedReason).to.equal(null);
         expect(view.configuredTrustedCidrs).to.deep.equal(['10.0.0.0/24']);
       });
+
+      it('marks trust unknown when wallet connections cannot be enumerated', function () {
+        // Wallet reachable but get_connections failed: we can't tell whether a
+        // trusted peer exists, so trust is unknown rather than untrusted.
+        const view = diagnostics.__test.buildTrustedPeerView(
+          { ok: false, error: 'wallet RPC refused connection' },
+          { ok: true, value: { wallet: { trusted_cidrs: ['10.0.0.0/8'] } } },
+        );
+        expect(view.connected).to.deep.equal([]);
+        expect(view.hasTrustedConnection).to.equal(false);
+        expect(view.trustUnknown).to.equal(true);
+        expect(view.connectionsError).to.be.a('string').and.not.empty;
+      });
+
+      it('reports unknown (not untrusted) for non-localhost peers when chia config is unreadable', function () {
+        // Split-deployment case: CADT and chia run in separate containers and
+        // CADT cannot read the chia config.yaml, so trusted_peers/trusted_cidrs
+        // are unavailable. A non-localhost peer's trust is unknown, not false.
+        const view = diagnostics.__test.buildTrustedPeerView(
+          {
+            ok: true,
+            value: {
+              connections: [
+                { peerHost: '10.48.83.174', peerPort: 58444, type: 1, nodeId: 'a676d602' },
+              ],
+            },
+          },
+          { ok: false, error: "ENOENT: no such file or directory, open '/root/.chia/mainnet/config/config.yaml'" },
+        );
+        expect(view.connected[0].trusted).to.equal('unknown');
+        expect(view.connected[0].trustedReason).to.equal('chia-config-unavailable');
+        expect(view.hasTrustedConnection).to.equal(false);
+        expect(view.trustUnknown).to.equal(true);
+        expect(view.chiaConfigError).to.be.a('string').and.not.empty;
+      });
+
+      it('still trusts a localhost peer when chia config is unreadable', function () {
+        // Localhost is determinable from the peer host alone, so an
+        // unreadable config does not make a localhost peer unknown.
+        const view = diagnostics.__test.buildTrustedPeerView(
+          {
+            ok: true,
+            value: {
+              connections: [
+                { peerHost: '127.0.0.1', peerPort: 58444, type: 1, nodeId: 'aa' },
+              ],
+            },
+          },
+          { ok: false, error: 'ENOENT' },
+        );
+        expect(view.connected[0].trusted).to.equal(true);
+        expect(view.connected[0].trustedReason).to.equal('localhost');
+        expect(view.hasTrustedConnection).to.equal(true);
+        expect(view.trustUnknown).to.equal(false);
+      });
+    });
+
+    describe('shouldWarnNoTrustedPeer', function () {
+      it('warns only when trust is known and no peer is trusted', function () {
+        expect(
+          diagnostics.__test.shouldWarnNoTrustedPeer(true, { hasTrustedConnection: false, trustUnknown: false }),
+        ).to.equal(true);
+      });
+
+      it('does not warn when a trusted connection exists', function () {
+        expect(
+          diagnostics.__test.shouldWarnNoTrustedPeer(true, { hasTrustedConnection: true, trustUnknown: false }),
+        ).to.equal(false);
+      });
+
+      it('does not warn when trust is unknown (config unreadable)', function () {
+        expect(
+          diagnostics.__test.shouldWarnNoTrustedPeer(true, { hasTrustedConnection: false, trustUnknown: true }),
+        ).to.equal(false);
+      });
+
+      it('does not warn when the wallet is unreachable', function () {
+        expect(
+          diagnostics.__test.shouldWarnNoTrustedPeer(false, { hasTrustedConnection: false, trustUnknown: false }),
+        ).to.equal(false);
+      });
+    });
+
+    describe('classifyTrust', function () {
+      it('returns unknown for a non-localhost peer when config is not readable', function () {
+        expect(diagnostics.__test.classifyTrust('1.2.3.4', 'aa', null, [], false)).to.deep.equal({
+          trusted: 'unknown',
+          reason: 'chia-config-unavailable',
+        });
+      });
+
+      it('returns localhost trust even when config is not readable', function () {
+        expect(diagnostics.__test.classifyTrust('127.0.0.1', 'aa', null, [], false)).to.deep.equal({
+          trusted: true,
+          reason: 'localhost',
+        });
+      });
+
+      it('returns false for an untrusted peer when config is readable', function () {
+        expect(diagnostics.__test.classifyTrust('1.2.3.4', 'aa', new Set(['bb']), [], true)).to.deep.equal({
+          trusted: false,
+          reason: null,
+        });
+      });
     });
 
     describe('isLocalhost', function () {
@@ -323,13 +428,38 @@ describe('/diagnostics endpoint', function () {
         expect(isTrustedCidr('2001:db8::1', ['2001:db8::/32'])).to.equal(true);
       });
 
+      it('treats a host-bits-set CIDR like chia (strict=False masks host bits)', function () {
+        // chia uses ip_network(cidr, strict=False); "10.0.0.5/24" masks to
+        // 10.0.0.0/24 rather than being rejected.
+        const { isTrustedCidr } = diagnostics.__test;
+        expect(isTrustedCidr('10.0.0.1', ['10.0.0.5/24'])).to.equal(true);
+      });
+
+      it('treats a bare IP as a host route (/32 or /128) like chia', function () {
+        const { isTrustedCidr } = diagnostics.__test;
+        expect(isTrustedCidr('10.0.0.5', ['10.0.0.5'])).to.equal(true);
+        expect(isTrustedCidr('10.0.0.6', ['10.0.0.5'])).to.equal(false);
+        expect(isTrustedCidr('2001:db8::1', ['2001:db8::1'])).to.equal(true);
+      });
+
       it('never throws on malformed input', function () {
         const { isTrustedCidr } = diagnostics.__test;
         expect(isTrustedCidr('not-an-ip', ['10.0.0.0/24'])).to.equal(false);
         expect(isTrustedCidr('10.0.0.5', ['garbage', '10.0.0.0/99', '10.0.0.0'])).to.equal(false);
         expect(isTrustedCidr('10.0.0.5', [])).to.equal(false);
         expect(isTrustedCidr('10.0.0.5', null)).to.equal(false);
       });
+
+      it('does not treat a malformed prefix as /0 (must not trust every peer)', function () {
+        // Number('')===0 and Number('0x10')===16 would silently widen a
+        // typo'd CIDR; the prefix must be an explicit decimal or be skipped.
+        const { isTrustedCidr } = diagnostics.__test;
+        expect(isTrustedCidr('8.8.8.8', ['10.0.0.0/'])).to.equal(false);
+        expect(isTrustedCidr('8.8.8.8', ['10.0.0.0/ '])).to.equal(false);
+        expect(isTrustedCidr('10.0.255.1', ['10.0.0.0/0x10'])).to.equal(false);
+        // A genuine /0 written explicitly still matches everything.
+        expect(isTrustedCidr('8.8.8.8', ['0.0.0.0/0'])).to.equal(true);
+      });
     });
 
     describe('StatusAccumulator', function () {
