canic-host 0.68.3

Host-side build, install, deployment, and fleet-template library for Canic workspaces
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

use super::state::{
    InstallState, RootVerificationStatus, deployment_install_state_path, write_install_state,
};
use crate::deployment_truth::{
    DeploymentRootVerificationReceiptV1, DeploymentRootVerificationReportV1,
    DeploymentRootVerificationStateTransitionV1, DeploymentRootVerificationStateV1,
    deployment_root_verification_receipt_digest, validate_deployment_root_verification_receipt,
};
use sha2::{Digest, Sha256};
use std::{fs, path::Path};

pub(super) struct RootVerificationReceiptInput {
    pub(super) deployment_name: String,
    pub(super) network: String,
    pub(super) fleet_template: String,
    pub(super) root_principal: String,
    pub(super) previous_root_verification: DeploymentRootVerificationStateV1,
    pub(super) state_transition: DeploymentRootVerificationStateTransitionV1,
    pub(super) report: DeploymentRootVerificationReportV1,
    pub(super) verified_at_unix_secs: u64,
    pub(super) local_state_path: String,
    pub(super) local_state_digest_before: String,
    pub(super) local_state_digest_after: String,
}

pub(super) fn root_verification_receipt_from_report(
    input: RootVerificationReceiptInput,
) -> Result<DeploymentRootVerificationReceiptV1, Box<dyn std::error::Error>> {
    let source_root_observation_source = input.report.observed_root_observation_source.ok_or(
        "deployment root verification report did not preserve observed root source evidence",
    )?;
    let source_observed_root_canister_id =
        input.report.observed_root_canister_id.clone().ok_or(
            "deployment root verification report did not preserve observed root canister id",
        )?;

    let mut receipt = DeploymentRootVerificationReceiptV1 {
        schema_version: crate::deployment_truth::DEPLOYMENT_TRUTH_SCHEMA_VERSION,
        receipt_id: format!(
            "local:{}:{}:root-verification-receipt",
            input.network, input.deployment_name
        ),
        receipt_digest: String::new(),
        deployment_name: input.deployment_name,
        network: input.network,
        fleet_template: input.fleet_template,
        root_principal: input.root_principal,
        previous_root_verification: input.previous_root_verification,
        new_root_verification: DeploymentRootVerificationStateV1::Verified,
        state_transition: input.state_transition,
        source_report_id: input.report.report_id,
        source_report_digest: input.report.report_digest,
        source_report_requested_at: input.report.requested_at,
        source_report_source: input.report.source,
        source_report_evidence_status: input.report.evidence_status,
        source_report_current_root_verification: input.report.current_root_verification,
        source_report_state_transition: input.report.state_transition,
        source_root_observation_source,
        source_observed_root_canister_id,
        source_check_id: input.report.source_check_id,
        source_check_digest: input.report.source_check_digest,
        source_deployment_plan_id: input.report.source_deployment_plan_id,
        source_deployment_plan_digest: input.report.source_deployment_plan_digest,
        source_inventory_id: input.report.source_inventory_id,
        source_inventory_digest: input.report.source_inventory_digest,
        verified_at_unix_secs: input.verified_at_unix_secs,
        local_state_path: input.local_state_path,
        local_state_digest_before: input.local_state_digest_before,
        local_state_digest_after: input.local_state_digest_after,
        warnings: input.report.warnings,
    };
    receipt.receipt_digest = deployment_root_verification_receipt_digest(&receipt);
    validate_deployment_root_verification_receipt(&receipt)?;
    Ok(receipt)
}

pub(super) const fn deployment_root_verification_state(
    status: &RootVerificationStatus,
) -> DeploymentRootVerificationStateV1 {
    match status {
        RootVerificationStatus::Verified => DeploymentRootVerificationStateV1::Verified,
        RootVerificationStatus::NotVerified => DeploymentRootVerificationStateV1::NotVerified,
    }
}

pub(super) const fn verified_root_state_transition(
    previous: DeploymentRootVerificationStateV1,
) -> DeploymentRootVerificationStateTransitionV1 {
    match previous {
        DeploymentRootVerificationStateV1::NotVerified => {
            DeploymentRootVerificationStateTransitionV1::PromotedNotVerifiedToVerified
        }
        DeploymentRootVerificationStateV1::Verified => {
            DeploymentRootVerificationStateTransitionV1::NoStateChange
        }
    }
}

pub(super) fn write_verified_root_state_if_unchanged(
    icp_root: &Path,
    network: &str,
    state: &InstallState,
    expected_digest_before: &str,
) -> Result<String, Box<dyn std::error::Error>> {
    let path = deployment_install_state_path(icp_root, network, &state.deployment_name);
    let current_digest = file_sha256_hex(&path)?;
    if current_digest != expected_digest_before {
        return Err(format!(
            "deployment root verification state changed before write: expected {expected_digest_before}, found {current_digest}"
        )
        .into());
    }
    write_install_state(icp_root, network, state)?;
    file_sha256_hex(&path)
}

pub(super) fn file_sha256_hex(path: &Path) -> Result<String, Box<dyn std::error::Error>> {
    Ok(bytes_sha256_hex(&fs::read(path)?))
}

fn bytes_sha256_hex(bytes: &[u8]) -> String {
    let digest = Sha256::digest(bytes);
    let mut hex = String::with_capacity(digest.len() * 2);
    for byte in digest {
        use std::fmt::Write as _;
        let _ = write!(&mut hex, "{byte:02x}");
    }
    hex
}