chore(boundary): salt_sharing canister implementation (dfinity#3650)

Provide all API boundary nodes with the same secret salt to anonymize
the IP addresses and the sender principals when logging the incoming
requests.

---------

Co-authored-by: IDX GitLab Automation <[email protected]>
Co-authored-by: r-birkner <[email protected]>

Author: 3 people

Cargo.lock

@@ -37,6 +37,8 @@ members = [
     "rs/boundary_node/rate_limits",
     "rs/boundary_node/rate_limits/api",
     "rs/boundary_node/rate_limits/canister_client",
+    "rs/boundary_node/salt_sharing",
+    "rs/boundary_node/salt_sharing/api",
     "rs/boundary_node/systemd_journal_gatewayd_shim",
     "rs/canister_client",
     "rs/canister_client/read_state_response_parser",

Cargo.toml

@@ -0,0 +1,27 @@
+[package]
+name = "salt"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+description.workspace = true
+documentation.workspace = true
+
+[dependencies]
+candid = { workspace = true }
+ic-canisters-http-types = { path = "../../rust_canisters/http_types" }
+ic-canister-log = { path = "../../rust_canisters/canister_log" }
+ic-cdk = { workspace = true }
+ic-cdk-macros = { workspace = true }
+ic-cdk-timers = { workspace = true }
+ic-stable-structures = { workspace = true }
+salt-api = { path = "./api" }
+serde = { workspace = true }
+serde_cbor = { workspace = true }
+serde_json = { workspace = true }
+time = { workspace = true }
+
+[dev-dependencies]
+
+[lib]
+crate-type = ["cdylib"]
+path = "canister/lib.rs"

rs/boundary_node/salt_sharing/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "salt-api"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+description.workspace = true
+documentation.workspace = true
+
+[dependencies]
+candid = { workspace = true }
+serde = { workspace = true }
+
+[dev-dependencies]
+
+[lib]
+path = "src/lib.rs"

rs/boundary_node/salt_sharing/api/Cargo.toml

@@ -0,0 +1,28 @@
+use candid::{CandidType, Deserialize};
+
+pub type GetSaltResponse = Result<SaltResponse, GetSaltError>;
+
+#[derive(CandidType, Deserialize, Debug, Clone)]
+pub enum SaltGenerationStrategy {
+    StartOfMonth,
+}
+
+#[derive(CandidType, Deserialize, Debug, Clone)]
+pub struct InitArg {
+    pub regenerate_now: bool,
+    pub salt_generation_strategy: SaltGenerationStrategy,
+    pub registry_polling_interval_secs: u64,
+}
+
+#[derive(CandidType, Deserialize, Debug, Clone)]
+pub struct SaltResponse {
+    pub salt: Vec<u8>,
+    pub salt_id: u64,
+}
+
+#[derive(CandidType, Deserialize, Debug, Clone)]
+pub enum GetSaltError {
+    SaltNotInitialized,
+    Unauthorized,
+    Internal(String),
+}

rs/boundary_node/salt_sharing/api/src/lib.rs

@@ -0,0 +1,163 @@
+use std::time::Duration;
+
+use crate::logs::{self, Log, LogEntry, Priority, P0};
+use crate::storage::{StorableSalt, SALT, SALT_SIZE};
+use crate::time::delay_till_next_month;
+use candid::Principal;
+use ic_canister_log::{export as export_logs, log};
+use ic_canisters_http_types::{HttpRequest, HttpResponse, HttpResponseBuilder};
+use ic_cdk::{api::time, spawn};
+use ic_cdk_macros::{init, post_upgrade, query};
+use ic_cdk_timers::set_timer;
+use salt_api::{GetSaltError, GetSaltResponse, InitArg, SaltGenerationStrategy, SaltResponse};
+use std::str::FromStr;
+
+// Runs when canister is first installed
+#[init]
+fn init(init_arg: InitArg) {
+    set_timer(Duration::ZERO, || {
+        spawn(async { init_async(init_arg).await });
+    });
+}
+
+// Runs on every canister upgrade
+#[post_upgrade]
+fn post_upgrade(init_arg: InitArg) {
+    // Run the same initialization logic
+    init(init_arg);
+}
+
+#[query]
+fn get_salt() -> GetSaltResponse {
+    get_salt_response()
+}
+
+#[query(decoding_quota = 10000)]
+fn http_request(request: HttpRequest) -> HttpResponse {
+    match request.path() {
+        "/logs" => {
+            use serde_json;
+
+            let max_skip_timestamp = match request.raw_query_param("time") {
+                Some(arg) => match u64::from_str(arg) {
+                    Ok(value) => value,
+                    Err(_) => {
+                        return HttpResponseBuilder::bad_request()
+                            .with_body_and_content_length("failed to parse the 'time' parameter")
+                            .build()
+                    }
+                },
+                None => 0,
+            };
+
+            let mut entries: Log = Default::default();
+
+            for entry in export_logs(&logs::P0) {
+                entries.entries.push(LogEntry {
+                    timestamp: entry.timestamp,
+                    counter: entry.counter,
+                    priority: Priority::P0,
+                    file: entry.file.to_string(),
+                    line: entry.line,
+                    message: entry.message,
+                });
+            }
+
+            for entry in export_logs(&logs::P1) {
+                entries.entries.push(LogEntry {
+                    timestamp: entry.timestamp,
+                    counter: entry.counter,
+                    priority: Priority::P1,
+                    file: entry.file.to_string(),
+                    line: entry.line,
+                    message: entry.message,
+                });
+            }
+
+            entries
+                .entries
+                .retain(|entry| entry.timestamp >= max_skip_timestamp);
+
+            HttpResponseBuilder::ok()
+                .header("Content-Type", "application/json; charset=utf-8")
+                .with_body_and_content_length(serde_json::to_string(&entries).unwrap_or_default())
+                .build()
+        }
+        _ => HttpResponseBuilder::not_found().build(),
+    }
+}
+
+async fn init_async(init_arg: InitArg) {
+    if !is_salt_init() || init_arg.regenerate_now {
+        if let Err(err) = try_regenerate_salt().await {
+            log!(P0, "[init_regenerate_salt_failed]: {err}");
+        }
+    }
+    // Start salt generation schedule based on the argument.
+    match init_arg.salt_generation_strategy {
+        SaltGenerationStrategy::StartOfMonth => schedule_monthly_salt_generation(),
+    }
+}
+
+// Sets an execution timer (delayed future task) and returns immediately.
+fn schedule_monthly_salt_generation() {
+    let delay = delay_till_next_month(time());
+    set_timer(delay, || {
+        spawn(async {
+            if let Err(err) = try_regenerate_salt().await {
+                log!(P0, "[scheduled_regenerate_salt_failed]: {err}");
+            }
+            // Function is called recursively to schedule next execution
+            schedule_monthly_salt_generation();
+        });
+    });
+}
+
+fn is_salt_init() -> bool {
+    SALT.with(|cell| cell.borrow().get(&())).is_some()
+}
+
+fn get_salt_response() -> Result<SaltResponse, GetSaltError> {
+    let stored_salt = SALT
+        .with(|cell| cell.borrow().get(&()))
+        .ok_or(GetSaltError::SaltNotInitialized)?;
+
+    Ok(SaltResponse {
+        salt: stored_salt.salt,
+        salt_id: stored_salt.salt_id,
+    })
+}
+
+// Regenerate salt and store it in the stable memory
+// Can only fail, if the calls to management canister fail.
+async fn try_regenerate_salt() -> Result<(), String> {
+    // Closure for getting random bytes from the IC.
+    let rnd_call = |attempt: u32| async move {
+        ic_cdk::call(Principal::management_canister(), "raw_rand", ())
+            .await
+            .map_err(|err| {
+                format!(
+                    "Call {attempt} to raw_rand failed: code={:?}, err={}",
+                    err.0, err.1
+                )
+            })
+    };
+
+    let (rnd_bytes_1,): ([u8; 32],) = rnd_call(1).await?;
+    let (rnd_bytes_2,): ([u8; 32],) = rnd_call(2).await?;
+
+    // Concatenate arrays to form an array of 64 random bytes.
+    let mut salt = [rnd_bytes_1, rnd_bytes_2].concat();
+    salt.truncate(SALT_SIZE);
+
+    let stored_salt = StorableSalt {
+        salt,
+        salt_id: time(),
+    };
+
+    SALT.with(|cell| {
+        cell.borrow_mut().insert((), stored_salt);
+    });
+
+    Ok(())
+}

rs/boundary_node/salt_sharing/canister/canister.rs

@@ -0,0 +1,10 @@
+#[cfg(any(target_family = "wasm", test))]
+mod canister;
+mod logs;
+#[allow(dead_code)]
+mod storage;
+#[allow(dead_code)]
+mod time;
+
+#[allow(dead_code)]
+fn main() {}

rs/boundary_node/salt_sharing/canister/lib.rs

@@ -0,0 +1,29 @@
+use candid::Deserialize;
+use ic_canister_log::declare_log_buffer;
+
+// High-priority messages.
+declare_log_buffer!(name = P0, capacity = 1000);
+
+// Low-priority info messages.
+declare_log_buffer!(name = P1, capacity = 1000);
+
+#[derive(Clone, Debug, Default, Deserialize, serde::Serialize)]
+pub struct Log {
+    pub entries: Vec<LogEntry>,
+}
+
+#[derive(Clone, Debug, Deserialize, serde::Serialize)]
+pub struct LogEntry {
+    pub timestamp: u64,
+    pub priority: Priority,
+    pub file: String,
+    pub line: u32,
+    pub message: String,
+    pub counter: u64,
+}
+
+#[derive(Clone, Debug, Deserialize, serde::Serialize)]
+pub enum Priority {
+    P0,
+    P1,
+}

rs/boundary_node/salt_sharing/canister/logs.rs

@@ -11,10 +11,12 @@ type GetSaltResponse = variant {
 
 // Comprehensive error for salt retrieval
 type GetSaltError = variant {
+    // Salt generation is still pending. Retry later
+    SaltNotInitialized;
     // Indicates an unauthorized attempt to get the salt
     Unauthorized;
     // Captures all unexpected internal errors during process
-    Internal: text;                 
+    Internal: text;
 };
 
 // Salt response containing salt itself and additional metadata
@@ -41,20 +43,14 @@ type SaltGenerationStrategy = variant {
   // Generates a new salt at 00:00:00 UTC on the first day of the next calendar month
   // Handles calendar edge cases including: transitions between months (December-January), leap years
   StartOfMonth;
-  // Generates a new salt at fixed intervals from an unspecified reference point
-  FixedIntervalSecs: nat64;
 };
 
 // Initialization arguments used when installing/upgrading/reinstalling the canister
 type InitArgs = record {
+    // If true salt is regenerated immediately and subsequently based on the chosen strategy
+    regenerate_now: bool;
     // Strategy defining salt generation
-    // If specified: 
-    //  - salt is regenerated immediately
-    //  - subsequent strategy is based on the variant
-    // If not specified:
-    //  - preserve previously configured strategy
-    //  - no immediate salt regeneration
-    salt_generation_strategy: opt SaltGenerationStrategy;
+    salt_generation_strategy: SaltGenerationStrategy;
     // Interval (in seconds) for polling API boundary node IDs from the registry
     // The first polling operation occurs immediately
     registry_polling_interval_secs: nat64;