Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(boundary): add inspect_message hook to canister #2554

Merged
merged 3 commits into from
Nov 13, 2024
Merged

feat(boundary): add inspect_message hook to canister #2554

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
af008b2
feat: add inspect_message to reject early
Nov 11, 2024
dd1c4a2
fix: comment
Nov 11, 2024
223fa1f
chore: disallow replicated queries except get_config
Nov 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 32 additions & 1 deletion rs/boundary_node/rate_limits/canister/canister.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ use crate::storage::API_BOUNDARY_NODE_PRINCIPALS;
use candid::Principal;
use ic_canisters_http_types::{HttpRequest, HttpResponse, HttpResponseBuilder};
use ic_cdk::api::call::call;
use ic_cdk_macros::{init, post_upgrade, query, update};
use ic_cdk_macros::{init, inspect_message, post_upgrade, query, update};
use rate_limits_api::{
AddConfigResponse, ApiBoundaryNodeIdRecord, DiscloseRulesArg, DiscloseRulesResponse,
GetApiBoundaryNodeIdsRequest, GetConfigResponse, GetRuleByIdResponse, InitArg, InputConfig,
Expand All @@ -22,6 +22,37 @@ use rate_limits_api::{
const REGISTRY_CANISTER_ID: &str = "rwlgt-iiaaa-aaaaa-aaaaa-cai";
const REGISTRY_CANISTER_METHOD: &str = "get_api_boundary_node_ids";

const CANISTER_UPDATE_METHODS: [&str; 2] = ["add_config", "disclose_rules"];

#[inspect_message]
fn inspect_message() {
// In order for this hook to succeed, accept_message() must be invoked.
let caller_id: Principal = ic_cdk::api::caller();
let called_method = ic_cdk::api::call::method_name();

// If the called method is not an update method, accept the message.
if !CANISTER_UPDATE_METHODS.contains(&called_method.as_str()) {
nikolay-komarevskiy marked this conversation as resolved.
Show resolved Hide resolved
ic_cdk::api::call::accept_message();
} else {
// For the update methods:
// - Check if the canister's authorized principal is set
// - Check caller_id matches the authorized principal
with_canister_state(|state| {
if let Some(authorized_principal) = state.get_authorized_principal() {
if caller_id == authorized_principal {
ic_cdk::api::call::accept_message();
} else {
ic_cdk::api::trap("inspect_message_failed: unauthorized caller");
}
} else {
ic_cdk::api::trap(
"inspect_message_failed: authorized principal for canister is not set",
);
}
});
}
}

#[init]
fn init(init_arg: InitArg) {
ic_cdk::println!("Starting canister init");
Expand Down
7 changes: 4 additions & 3 deletions rs/boundary_node/rate_limits/integration_tests/tests/rate_limit_canister_tests.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,10 +56,11 @@ async fn main() {
Principal::anonymous(),
input_config.clone(),
)
.await
.unwrap();
.await;

let err_msg = response.unwrap_err();

assert!(response.unwrap_err().contains("Unauthorized"));
assert!(err_msg.contains("inspect_message_failed: unauthorized caller"));

// Try add config using authorized principal as sender, assert success
let response: AddConfigResponse = canister_call(
Expand Down