From 1e2bab44200081fdc3b22d6b410c9c96c5f165ec Mon Sep 17 00:00:00 2001
From: Thomas Eizinger
Date: Mon, 23 Dec 2024 20:02:36 +0100
Subject: [PATCH] chore(snownet): log attributes on message integrity failure (#7577)

We are receiving multiple reports of message, especially error messages from relays, where the message integrity check fails. To get more information as to why, this patch extends this error message with the attributes of the request and response message.
---
 rust/connlib/snownet/src/allocation.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/rust/connlib/snownet/src/allocation.rs b/rust/connlib/snownet/src/allocation.rs
index 980e64803..c1b5e35bb 100644
--- a/rust/connlib/snownet/src/allocation.rs
+++ b/rust/connlib/snownet/src/allocation.rs
@@ -309,7 +309,14 @@ impl Allocation {
 let passed_message_integrity_check = self.check_message_integrity(&message);
 if message.method() != BINDING && !passed_message_integrity_check {
- tracing::warn!("Message integrity check failed");
+ // We don't want to `remove` the message here otherwise an attacker could change our state with unauthenticated messages.
+ let request = self
+ .sent_requests
+ .get(&transaction_id)
+ .map(|(_, r, _, _, _)| r.attributes().map(display_attr).collect::>());
+ let response = message.attributes().map(display_attr).collect::>();
+
+ tracing::warn!(?request, ?response, "Message integrity check failed");
 return true; // The message still indicated that it was for this `Allocation`.
 }
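Review bot: The added `tracing::warn!(?request, ?response, ...)` logs the attributes of a message that has just failed its integrity check, so every value in `response` is chosen by whoever sent the packet, and the matching `request` may carry USERNAME, REALM, NONCE and MESSAGE-INTEGRITY values depending on what `display_attr` renders (its body is not in this hunk). Before these lines reach warn-level logs or any log shipping, confirm that `display_attr` omits or redacts credential-bearing attributes and bounds or escapes free-text ones such as an error reason phrase. Because unauthenticated traffic can hit this branch repeatedly, the two `Vec` allocations and the larger log line are worth rate-limiting or building only when the event is enabled. A comment next to the log call such as `// response is unauthenticated: display_attr must not print secrets or unbounded strings` would record the assumption. The enclosing function begins and ends outside the hunk.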