Merge branch 'main' into rjb/manage-api-bns

dfinity · Jun 5, 2024 · 37f387a · 37f387a
2 parents b773435 + eb662e5
commit 37f387a
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 12 deletions.
diff --git a/Cargo.Bazel.lock b/Cargo.Bazel.lock
@@ -1,5 +1,5 @@
 {
-  "checksum": "9fc786f423c08cb67bfd86f1b1da73c6101907a6c2b6c7880874b41bbf3b4190",
+  "checksum": "b97b8310e75c5f925797aabacc2d960ca4bef6a8ca8e8631ae0a3d21d7a5779d",
   "crates": {
     "actix-codec 0.5.2": {
       "name": "actix-codec",
@@ -11475,6 +11475,10 @@
               "id": "ic-nns-governance 0.9.0",
               "target": "ic_nns_governance"
             },
+            {
+              "id": "ic-registry-keys 0.9.0",
+              "target": "ic_registry_keys"
+            },
             {
               "id": "url 2.5.0",
               "target": "url"

diff --git a/rs/cli/Cargo.toml b/rs/cli/Cargo.toml
@@ -80,6 +80,7 @@ ic-base-types = { workspace = true }
 ic-management-types = { workspace = true }
 url = { workspace = true }
 ic-nns-governance = { workspace = true }
+ic-registry-keys = { workspace = true }
 
 [[bin]]
 name = "dre"

diff --git a/rs/cli/src/cli.rs b/rs/cli/src/cli.rs
@@ -4,6 +4,7 @@ use clap::{Parser, Subcommand};
 use clap_num::maybe_hex;
 use ic_base_types::PrincipalId;
 use ic_management_types::Artifact;
+use ic_registry_keys::FirewallRulesScope;
 use url::Url;
 
 // For more info about the version setup, look at https://docs.rs/clap/latest/clap/struct.Command.html#method.version
@@ -156,6 +157,9 @@ pub enum Commands {
         title: Option<String>,
         #[clap(long, default_value = None, required = true)]
         summary: Option<String>,
+        /// Ruleset scope: "global", "replica_nodes", "api_boundary_nodes", "subnet(SUBNET_ID)", "node(NODE_ID)"
+        #[clap(long, default_value = None, required = true)]
+        rules_scope: FirewallRulesScope,
     },
 
     /// Proposal Listing

diff --git a/rs/cli/src/ic_admin.rs b/rs/cli/src/ic_admin.rs
@@ -11,7 +11,7 @@ use ic_management_backend::registry::{local_registry_path, RegistryFamilyEntries
 use ic_management_types::{Artifact, Network};
 use ic_protobuf::registry::firewall::v1::{FirewallRule, FirewallRuleSet};
 use ic_protobuf::registry::subnet::v1::SubnetRecord;
-use ic_registry_keys::make_firewall_rules_record_key;
+use ic_registry_keys::{make_firewall_rules_record_key, FirewallRulesScope};
 use ic_registry_local_registry::LocalRegistry;
 use itertools::Itertools;
 use log::{error, info, warn};
@@ -672,7 +672,13 @@ must be identical, and must match the SHA256 from the payload of the NNS proposa
         Ok(())
     }
 
-    pub async fn update_replica_nodes_firewall(&self, network: &Network, propose_options: ProposeOptions, simulate: bool) -> Result<(), Error> {
+    pub async fn update_firewall(
+        &self,
+        network: &Network,
+        propose_options: ProposeOptions,
+        firewall_rules_scope: &FirewallRulesScope,
+        simulate: bool,
+    ) -> Result<(), Error> {
         let local_registry_path = local_registry_path(network);
         let local_registry = LocalRegistry::new(local_registry_path, Duration::from_secs(10))
             .map_err(|e| anyhow::anyhow!("Error in creating local registry instance: {:?}", e))?;
@@ -683,10 +689,7 @@ must be identical, and must match the SHA256 from the payload of the NNS proposa
             .map_err(|e| anyhow::anyhow!("Error when syncing with NNS: {:?}", e))?;
 
         let value = local_registry
-            .get_value(
-                &make_firewall_rules_record_key(&ic_registry_keys::FirewallRulesScope::ReplicaNodes),
-                local_registry.get_latest_version(),
-            )
+            .get_value(&make_firewall_rules_record_key(firewall_rules_scope), local_registry.get_latest_version())
             .map_err(|e| anyhow::anyhow!("Error fetching firewall rules for replica nodes: {:?}", e))?;
 
         let rules = if let Some(value) = value {
@@ -762,6 +765,7 @@ must be identical, and must match the SHA256 from the payload of the NNS proposa
             admin_wrapper: &IcAdminWrapper,
             modifications: Vec<FirewallRuleModification>,
             propose_options: ProposeOptions,
+            firewall_rules_scope: &FirewallRulesScope,
             simulate: bool,
         ) -> anyhow::Result<()> {
             let positions = modifications.iter().map(|modif| modif.position).join(",");
@@ -772,7 +776,7 @@ must be identical, and must match the SHA256 from the payload of the NNS proposa
             let test_args = match change_type {
                 FirewallRuleModificationType::Removal => vec![
                     "--test".to_string(),
-                    "replica_nodes".to_string(),
+                    firewall_rules_scope.to_string(),
                     positions.to_string(),
                     "none".to_string(),
                 ],
@@ -783,7 +787,7 @@ must be identical, and must match the SHA256 from the payload of the NNS proposa
                         .map_err(|e| anyhow::anyhow!("Couldn't write to tempfile: {:?}", e))?;
                     vec![
                         "--test".to_string(),
-                        "replica_nodes".to_string(),
+                        firewall_rules_scope.to_string(),
                         file.path().to_str().unwrap().to_string(),
                         positions.to_string(),
                         "none".to_string(),
@@ -833,7 +837,7 @@ must be identical, and must match the SHA256 from the payload of the NNS proposa
 
         // no more than one rule mod implemented currenty -- FIXME
         match reverse_sorted.into_iter().last() {
-            Some((_, mods)) => submit_proposal(self, mods, propose_options.clone(), simulate).await,
+            Some((_, mods)) => submit_proposal(self, mods, propose_options.clone(), firewall_rules_scope, simulate).await,
             None => Err(anyhow::anyhow!("Expected to have one item for firewall rule modification")),
         }
     }

diff --git a/rs/cli/src/main.rs b/rs/cli/src/main.rs
@@ -447,16 +447,17 @@ async fn async_main() -> Result<(), anyhow::Error> {
                 incorrect_rewards,
             } => registry_dump::dump_registry(local_registry_path, &target_network, version, output, *incorrect_rewards).await,
 
-            cli::Commands::Firewall { title, summary } => {
+            cli::Commands::Firewall { title, summary, rules_scope } => {
                 runner_instance
                     .ic_admin
-                    .update_replica_nodes_firewall(
+                    .update_firewall(
                         &target_network,
                         ic_admin::ProposeOptions {
                             title: title.clone(),
                             summary: summary.clone(),
                             ..Default::default()
                         },
+                        rules_scope,
                         cli_opts.simulate,
                     )
                     .await