canic-core 0.26.3

Canic — a canister orchestration and management toolkit for the Internet Computer
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135

use crate::{
    dto::{
        auth::AttestationKeySet,
        error::{Error, ErrorCode},
    },
    ops::{
        auth::DelegatedTokenOps,
        rpc::RpcOps,
        runtime::{env::EnvOps, timer::TimerId},
    },
    protocol,
    workflow::{
        config::WORKFLOW_ATTESTATION_KEY_REFRESH_INTERVAL, prelude::*,
        runtime::timer::TimerWorkflow,
    },
};
use std::{cell::RefCell, time::Duration};

thread_local! {
    static TIMER: RefCell<Option<TimerId>> = const { RefCell::new(None) };
}

const REFRESH_INTERVAL: Duration = WORKFLOW_ATTESTATION_KEY_REFRESH_INTERVAL;

///
/// AttestationKeyCacheWorkflow
///

pub struct AttestationKeyCacheWorkflow;

impl AttestationKeyCacheWorkflow {
    // Start the periodic root attestation-key refresh loop for non-root canisters.
    pub fn start() {
        let _ = TimerWorkflow::set_guarded_interval(
            &TIMER,
            Duration::ZERO,
            "attestation_keys:init",
            || async {
                Self::refresh_once().await;
            },
            REFRESH_INTERVAL,
            "attestation_keys:interval",
            || async {
                Self::refresh_once().await;
            },
        );
    }

    // Refresh the locally cached root attestation key set once.
    async fn refresh_once() {
        if EnvOps::is_root() {
            return;
        }

        let root_pid = match EnvOps::root_pid() {
            Ok(pid) => pid,
            Err(err) => {
                log!(
                    Topic::Auth,
                    Warn,
                    "attestation key refresh skipped: root pid unavailable: {err}"
                );
                return;
            }
        };

        match RpcOps::call_rpc_result::<AttestationKeySet>(
            root_pid,
            protocol::CANIC_ATTESTATION_KEY_SET,
            (),
        )
        .await
        {
            Ok(key_set) => {
                let count = key_set.keys.len();
                DelegatedTokenOps::replace_attestation_key_set(key_set);
                log!(
                    Topic::Auth,
                    Info,
                    "attestation key refresh ok: keys={count}"
                );
            }
            Err(err) => {
                if should_stop_refresh_loop(&err) {
                    let stopped = TimerWorkflow::clear_guarded(&TIMER);
                    log!(
                        Topic::Auth,
                        Info,
                        "attestation key refresh stopped: caller is no longer registered on the subnet registry (timer_cleared={stopped})"
                    );
                    return;
                }

                log!(Topic::Auth, Warn, "attestation key refresh failed: {err}");
            }
        }
    }
}

// Stop retrying when root explicitly denies this canister as no longer registered.
fn should_stop_refresh_loop(err: &crate::InternalError) -> bool {
    let public = err
        .public_error()
        .cloned()
        .unwrap_or_else(|| Error::from(err));

    public.code == ErrorCode::Unauthorized
        && public
            .message
            .contains("not registered on the subnet registry")
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::{InternalError, InternalErrorOrigin, access::AccessError};

    #[test]
    fn stop_refresh_loop_on_unregistered_subnet_denial() {
        let err: InternalError = AccessError::Denied(
            "authentication error: caller 'aaaaa-aa' is not registered on the subnet registry"
                .to_string(),
        )
        .into();

        assert!(should_stop_refresh_loop(&err));
    }

    #[test]
    fn keep_refresh_loop_running_for_other_errors() {
        let err = InternalError::ops(InternalErrorOrigin::Ops, "transient failure");

        assert!(!should_stop_refresh_loop(&err));
    }
}