goal: catchup without args prompts to continue

[algorandskiy]

Summary

Current goal node catchup without args command starts a fast catchup process without making sure user understands that happens.
This might give an illusion about security guarantees by assuming it is the same as downloading blocks and validating them.

Suggested fix

goal node catchup without args prompts user about possible security risk by using possible untrusted catchpoint and/or peers.
goal node catchup --force bypasses the prompt.
No changes to goal node catchup catchpoint-label

Test Plan

Tested manually

[codecov]

Codecov Report

Merging #5165 (0041b8a) into master (8a4012f) will decrease coverage by 0.05%.
The diff coverage is 11.11%.

@@            Coverage Diff             @@
##           master    #5165      +/-   ##
==========================================
- Coverage   53.58%   53.53%   -0.05%     
==========================================
  Files         439      439              
  Lines       54934    54942       +8     
==========================================
- Hits        29438    29415      -23     
- Misses      23212    23233      +21     
- Partials     2284     2294      +10     

Impacted Files	Coverage Δ
cmd/goal/node.go	11.91% <11.11%> (+0.01%)	⬆️
ledger/tracker.go	72.91% <0.00%> (-4.59%)	⬇️
ledger/blockqueue.go	82.25% <0.00%> (-2.69%)	⬇️
crypto/merkletrie/trie.go	66.42% <0.00%> (-2.19%)	⬇️
crypto/merkletrie/node.go	91.62% <0.00%> (-1.87%)	⬇️
ledger/testing/randomAccounts.go	55.65% <0.00%> (-1.23%)	⬇️
ledger/catchpointtracker.go	55.89% <0.00%> (-0.77%)	⬇️
network/wsNetwork.go	69.08% <0.00%> (+0.17%)	⬆️
catchup/service.go	70.35% <0.00%> (+0.70%)	⬆️
data/txHandler.go	72.07% <0.00%> (+1.20%)	⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[winder]

Unfortunately, this change would break a lot of automation. At the very least, it breaks our new docker container and sandbox. I don't think it's reasonable to change the behavior at this point. My recommendation is to update the description to be clearer about the security implications.

Searching github, there are 500+ matches and they would all break as well:
https://github.com/search?q=%22goal+node+catchup%22&type=code

[algorandskiy]

Searching github, there are 500+ matches and they would all break as well:
https://github.com/search?q=%22goal+node+catchup%22&type=code

I checked first 4 pages and they all use explicit argument so no prompt for them.

At the very least, it breaks our new docker container and sandbox.

this is very easy to fix:
goal node catchup -> goal node catchup -y

[algorandskiy]

imo the current state of things create more problems than fixing automation in couple places.

[algonautshant]

I think you are simplifying the severity of this situation by simply asking for -y flag.
I think it should be more like: "Retype this phrase below to proceed: I understand that the source of the catchpoint could be a serious security risk...".

Even if someone is generating and using their own catchpoints, they should clearly understand that the security of that catchpoint handling/storage should be at the same level as their private keys.

Yes, one node's compromised catchpoint will not be as damaging to them as loosing their private keys, but the moment the catchpoint vulnerability crosses the threshold, all bets of off.

And just to put this risk into perspective, the blockchain security is distributed, but if the majority of the stake uses the same cloud storage, then the security is systemic/single point of failure.

[cce]

This is similar to the behavior of another goal command

$ goal account installpartkey --partkey blah.key
The installpartkey command deletes the input participation file on
successful installation.  Please acknowledge this by passing the
"--delete-input" flag to the installpartkey command.  You can make
a copy of the input file if needed, but please keep in mind that
participation keys must be securely deleted for each round, to ensure
forward security.  Storing old participation keys compromises overall
system security.

No --delete-input flag specified, exiting without installing key.

[algorandskiy]

Applied fixes as requested

[winder]

Could you add this warning to the command description as well?

	Long:    "Catchup allows making large jumps over round ranges without the need to incrementally validate each individual round. Using external catchpoints is not a secure practice and should not be done for consensus participating nodes.

If no catchpoint is provided, this command attempts to lookup the latest catchpoint from algorand-catchpoints.s3.us-east-2.amazonaws.com.",

[algorandskiy]

Could you add this warning to the command description as well?

done

[AlgoAxel]

would this be worth being a utility function for "get user input"?

[winder]

In the cmd directory we call ReadString in 5 places, there's probably some duplicate code there. Sounds like a fun little refactor, you should make a PR.