Log cases where an onion failure cannot be attributed or interpreted

[joostjager]

Create more visibility into these edge cases. The non-attributable failure in particular can be used to disrupt sender operation and it is therefore good to at least log these cases clearly.

Additionally a bug is fixed where an unreadable failure with valid hmac wasn't properly attributed to a node.

[joostjager]

Check hmac first to distinguish between unreadable failures and hmac mismatches.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.17%. Comparing base (eaeed77) to head (1d40811).

Additional details and impacted files

@@           Coverage Diff            @@
##             main    #3629    +/-   ##
========================================
  Coverage   89.16%   89.17%            
========================================
  Files         152      152            
  Lines      118791   118947   +156     
  Branches   118791   118947   +156     
========================================
+ Hits       105921   106068   +147     
- Misses      10312    10316     +4     
- Partials     2558     2563     +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[joostjager]

Coverage reports suggests more test coverage needed...

[joostjager]

This is a bug fix. Previously unreadable failures weren't attributable even though the hmac checked out.

[joostjager]

rustfmt wanted this

[joostjager]

it is a move, but just these short_channel_id's made unique to make it easier to test things for attr errors

[joostjager]

Tests added

[TheBlueMatt]

IIRC is_permanent NodeFailures result in removing the node from the graph entirely, which seems a bit harsh, I think?

[joostjager]

The same was already done for a missing failure code, so it seemed reasonable to apply the same penalty for the more severe case where the message cannot even be decoded?

[joostjager]

I think the node is removed for a week? That seems fine to me because in this case there must be a bug in the remote node software.

[TheBlueMatt]

Hmmmmmmmm, I guess okay if only because we don't have a way to punish all of a node's channels. It does seem like we should find a way to do that, though, without outright graph removal. I know some other stuff does that, but I'd call that legacy needs-updating too :)

Indeed, after a while we'd accept fresh announcements of that node's channels, but generally we don't resync so we'd most likely only get them on restart (or when the node opens new channels).

[arik-so]

I almost wonder whether it's one of those instances where in-place processing is what largely contributes to confusion. Getting a result back with the decrypted packet or with the decryption error, without worrying about the input argument getting changed, seems preferable.

[joostjager]

The confusion was mainly that this used to be a function that returned a value and still had a side effect too. A side effect that was also needed, because the decrypted packet needs to be processed for the next hop.

Could have returned a decrypted copy in addition to the decoded failure to make it a pure function, probably with some performance implications. But I think now that this function has no return value anymore and only decrypts in-place, it's already a lot better.