Skip to content

Commit

Permalink
Merge branch 'main' into rjb/manage-api-bns
Browse files Browse the repository at this point in the history
  • Loading branch information
r-birkner authored Jun 5, 2024
2 parents b773435 + eb662e5 commit 37f387a
Show file tree
Hide file tree
Showing 5 changed files with 26 additions and 12 deletions.
6 changes: 5 additions & 1 deletion Cargo.Bazel.lock
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
{
"checksum": "9fc786f423c08cb67bfd86f1b1da73c6101907a6c2b6c7880874b41bbf3b4190",
"checksum": "b97b8310e75c5f925797aabacc2d960ca4bef6a8ca8e8631ae0a3d21d7a5779d",
"crates": {
"actix-codec 0.5.2": {
"name": "actix-codec",
Expand Down Expand Up @@ -11475,6 +11475,10 @@
"id": "ic-nns-governance 0.9.0",
"target": "ic_nns_governance"
},
{
"id": "ic-registry-keys 0.9.0",
"target": "ic_registry_keys"
},
{
"id": "url 2.5.0",
"target": "url"
Expand Down
1 change: 1 addition & 0 deletions rs/cli/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@ ic-base-types = { workspace = true }
ic-management-types = { workspace = true }
url = { workspace = true }
ic-nns-governance = { workspace = true }
ic-registry-keys = { workspace = true }

[[bin]]
name = "dre"
Expand Down
4 changes: 4 additions & 0 deletions rs/cli/src/cli.rs
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ use clap::{Parser, Subcommand};
use clap_num::maybe_hex;
use ic_base_types::PrincipalId;
use ic_management_types::Artifact;
use ic_registry_keys::FirewallRulesScope;
use url::Url;

// For more info about the version setup, look at https://docs.rs/clap/latest/clap/struct.Command.html#method.version
Expand Down Expand Up @@ -156,6 +157,9 @@ pub enum Commands {
title: Option<String>,
#[clap(long, default_value = None, required = true)]
summary: Option<String>,
/// Ruleset scope: "global", "replica_nodes", "api_boundary_nodes", "subnet(SUBNET_ID)", "node(NODE_ID)"
#[clap(long, default_value = None, required = true)]
rules_scope: FirewallRulesScope,
},

/// Proposal Listing
Expand Down
22 changes: 13 additions & 9 deletions rs/cli/src/ic_admin.rs
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ use ic_management_backend::registry::{local_registry_path, RegistryFamilyEntries
use ic_management_types::{Artifact, Network};
use ic_protobuf::registry::firewall::v1::{FirewallRule, FirewallRuleSet};
use ic_protobuf::registry::subnet::v1::SubnetRecord;
use ic_registry_keys::make_firewall_rules_record_key;
use ic_registry_keys::{make_firewall_rules_record_key, FirewallRulesScope};
use ic_registry_local_registry::LocalRegistry;
use itertools::Itertools;
use log::{error, info, warn};
Expand Down Expand Up @@ -672,7 +672,13 @@ must be identical, and must match the SHA256 from the payload of the NNS proposa
Ok(())
}

pub async fn update_replica_nodes_firewall(&self, network: &Network, propose_options: ProposeOptions, simulate: bool) -> Result<(), Error> {
pub async fn update_firewall(
&self,
network: &Network,
propose_options: ProposeOptions,
firewall_rules_scope: &FirewallRulesScope,
simulate: bool,
) -> Result<(), Error> {
let local_registry_path = local_registry_path(network);
let local_registry = LocalRegistry::new(local_registry_path, Duration::from_secs(10))
.map_err(|e| anyhow::anyhow!("Error in creating local registry instance: {:?}", e))?;
Expand All @@ -683,10 +689,7 @@ must be identical, and must match the SHA256 from the payload of the NNS proposa
.map_err(|e| anyhow::anyhow!("Error when syncing with NNS: {:?}", e))?;

let value = local_registry
.get_value(
&make_firewall_rules_record_key(&ic_registry_keys::FirewallRulesScope::ReplicaNodes),
local_registry.get_latest_version(),
)
.get_value(&make_firewall_rules_record_key(firewall_rules_scope), local_registry.get_latest_version())
.map_err(|e| anyhow::anyhow!("Error fetching firewall rules for replica nodes: {:?}", e))?;

let rules = if let Some(value) = value {
Expand Down Expand Up @@ -762,6 +765,7 @@ must be identical, and must match the SHA256 from the payload of the NNS proposa
admin_wrapper: &IcAdminWrapper,
modifications: Vec<FirewallRuleModification>,
propose_options: ProposeOptions,
firewall_rules_scope: &FirewallRulesScope,
simulate: bool,
) -> anyhow::Result<()> {
let positions = modifications.iter().map(|modif| modif.position).join(",");
Expand All @@ -772,7 +776,7 @@ must be identical, and must match the SHA256 from the payload of the NNS proposa
let test_args = match change_type {
FirewallRuleModificationType::Removal => vec![
"--test".to_string(),
"replica_nodes".to_string(),
firewall_rules_scope.to_string(),
positions.to_string(),
"none".to_string(),
],
Expand All @@ -783,7 +787,7 @@ must be identical, and must match the SHA256 from the payload of the NNS proposa
.map_err(|e| anyhow::anyhow!("Couldn't write to tempfile: {:?}", e))?;
vec![
"--test".to_string(),
"replica_nodes".to_string(),
firewall_rules_scope.to_string(),
file.path().to_str().unwrap().to_string(),
positions.to_string(),
"none".to_string(),
Expand Down Expand Up @@ -833,7 +837,7 @@ must be identical, and must match the SHA256 from the payload of the NNS proposa

// no more than one rule mod implemented currenty -- FIXME
match reverse_sorted.into_iter().last() {
Some((_, mods)) => submit_proposal(self, mods, propose_options.clone(), simulate).await,
Some((_, mods)) => submit_proposal(self, mods, propose_options.clone(), firewall_rules_scope, simulate).await,
None => Err(anyhow::anyhow!("Expected to have one item for firewall rule modification")),
}
}
Expand Down
5 changes: 3 additions & 2 deletions rs/cli/src/main.rs
Original file line number Diff line number Diff line change
Expand Up @@ -447,16 +447,17 @@ async fn async_main() -> Result<(), anyhow::Error> {
incorrect_rewards,
} => registry_dump::dump_registry(local_registry_path, &target_network, version, output, *incorrect_rewards).await,

cli::Commands::Firewall { title, summary } => {
cli::Commands::Firewall { title, summary, rules_scope } => {
runner_instance
.ic_admin
.update_replica_nodes_firewall(
.update_firewall(
&target_network,
ic_admin::ProposeOptions {
title: title.clone(),
summary: summary.clone(),
..Default::default()
},
rules_scope,
cli_opts.simulate,
)
.await
Expand Down

0 comments on commit 37f387a

Please sign in to comment.