ic-response-verification 3.2.0

Client side response verification for the Internet Computer
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127

use ic_certification::{hash_tree::Hash, HashTree, LookupResult};

pub fn validate_body(tree: &HashTree, request_path: &str, body_sha: &Hash) -> bool {
    let asset_path = ["http_assets".as_bytes(), request_path.as_bytes()];
    let index_fallback_path = ["http_assets".as_bytes(), "/index.html".as_bytes()];

    let tree_sha = match tree.lookup_path(&asset_path) {
        LookupResult::Found(v) => v,

        // This is a strange fallback, but it is necessary for SPA routing at the moment.
        // https://internetcomputer.org/docs/references/ic-interface-spec/#http-gateway-certification
        //
        // It may be possible to remove this with a combination of asset canister redirect rules and v2 response verification.
        _ => match tree.lookup_path(&index_fallback_path) {
            LookupResult::Found(v) => v,
            _ => {
                return false;
            }
        },
    };

    body_sha == tree_sha
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::test_utils::{create_tree, CreateTreeOptions};
    use http::Uri;
    use ic_representation_independent_hash::hash;

    static CANISTER_ID: &str = "r7inp-6aaaa-aaaaa-aaabq-cai";

    #[test]
    fn validate_body_with_matching_sha() {
        let body: &[u8] = &[1, 2, 3, 4, 5, 6];
        let body_sha = hash(body);
        let uri = format!("https://ic0.dev/app.js?canisterId={CANISTER_ID}")
            .parse::<Uri>()
            .unwrap();
        let tree_options = CreateTreeOptions {
            path: Some(uri.path()),
            body_sha: Some(&body_sha),
        };
        let tree = create_tree(Some(tree_options));

        let result = validate_body(&tree, uri.path(), &body_sha);

        assert!(result);
    }

    /// This is a strange fallback, but it is necessary for SPA routing at the moment.
    /// https://internetcomputer.org/docs/references/ic-interface-spec/#http-gateway-certification
    ///
    /// It may be possible to remove this with a combination of asset canister redirect rules and v2 response verification.
    #[test]
    fn validate_body_with_index_fallback() {
        let body: &[u8] = &[1, 2, 3, 4, 5, 6];
        let body_sha = hash(body);
        let uri = format!("https://ic0.dev/garbage.js?canisterId={CANISTER_ID}")
            .parse::<Uri>()
            .unwrap();
        let tree_options = CreateTreeOptions {
            path: Some("/index.html"),
            body_sha: Some(&body_sha),
        };
        let tree = create_tree(Some(tree_options));

        let result = validate_body(&tree, uri.path(), &body_sha);

        assert!(result);
    }

    #[test]
    fn validate_body_without_index_fallback() {
        let body: &[u8] = &[1, 2, 3, 4, 5, 6];
        let body_sha = hash(body);
        let uri = format!("https://ic0.dev/app.js?canisterId={CANISTER_ID}")
            .parse::<Uri>()
            .unwrap();
        let tree_options = CreateTreeOptions {
            path: Some("/index.html"),
            body_sha: Some(&[9, 8, 7, 6, 5, 4, 3, 2, 1]),
        };
        let tree = create_tree(Some(tree_options));

        let result = validate_body(&tree, uri.path(), &body_sha);

        assert!(!result);
    }

    #[test]
    fn validate_body_without_matching_sha() {
        let body: &[u8] = &[1, 2, 3, 4, 5, 6];
        let body_sha = hash(body);
        let uri = format!("https://ic0.dev/app.js?canisterId={CANISTER_ID}")
            .parse::<Uri>()
            .unwrap();
        let tree_options = CreateTreeOptions {
            path: Some(uri.path()),
            body_sha: Some(&[9, 8, 7, 6, 5, 4, 3, 2, 1]),
        };
        let tree = create_tree(Some(tree_options));

        let result = validate_body(&tree, uri.path(), &body_sha);

        assert!(!result);
    }

    #[test]
    fn validate_body_without_any_matching_path() {
        let body: &[u8] = &[1, 2, 3, 4, 5, 6];
        let body_sha = hash(body);
        let uri = format!("https://ic0.dev/app.js?canisterId={CANISTER_ID}")
            .parse::<Uri>()
            .unwrap();
        let tree_options = CreateTreeOptions {
            path: Some("/garbage.js"),
            body_sha: Some(&body_sha),
        };
        let tree = create_tree(Some(tree_options));

        let result = validate_body(&tree, uri.path(), &body_sha);

        assert!(!result);
    }
}