Skip to content

Commit

Permalink
Merge branch 'master' into vincent/SDK-1844
Browse files Browse the repository at this point in the history
  • Loading branch information
@vincent-dfinity
vincent-dfinity authored Oct 9, 2024
2 parents 95f32db + 7618065 commit aac434b
Show file tree
Hide file tree
Showing 35 changed files with 964 additions and 313 deletions.
31 changes: 28 additions & 3 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,22 +2,47 @@

# UNRELEASED

### feat: Support canister log allowed viewer list

Added support for the canister log allowed viewer list, enabling specified users to access a canister's logs without needing to be set as the canister's controller.
Valid settings are:
- `--add-log-viewer`, `--remove-log-viewer` and `--set-log-viewer` flags with `dfx canister update-settings`
- `--log-viewer` flag with `dfx canister create`
- `canisters[].initialization_values.log_visibility.allowed_viewers` in `dfx.json`

# 0.24.1

### feat: More PocketIC flags supported

`dfx start --pocketic` is now compatible with `--artificial-delay` and the `subnet_type` configuration option, and enables `--enable-canister-http` by default.

## Dependencies

### Frontend canister

#### feat: Better error messages when proposing a batch

Add the batch id in the error messages of `propose_commit_batch`.

Module hash: 2c9e30df9be951a6884c702a97bbb8c0b438f33d4208fa612b1de6fb1752db76

### Motoko

Updated Motoko to [0.13.0](https://github.com/dfinity/motoko/releases/tag/0.13.0)

### Replica

Updated replica to elected commit 179973553248415fc85679d853b48b0e0ec231c6.

This incorporates the following elected proposals:
Updated replica to elected commit c43a4880199c00135c8415957851e823b3fb769e.
This incorporates the following executed proposals:

- [133144](https://dashboard.internetcomputer.org/proposal/133144)
- [133143](https://dashboard.internetcomputer.org/proposal/133143)
- [133142](https://dashboard.internetcomputer.org/proposal/133142)
- [133063](https://dashboard.internetcomputer.org/proposal/133063)
- [133062](https://dashboard.internetcomputer.org/proposal/133062)
- [133061](https://dashboard.internetcomputer.org/proposal/133061)
- [132548](https://dashboard.internetcomputer.org/proposal/132548)
- [132547](https://dashboard.internetcomputer.org/proposal/132547)
- [132507](https://dashboard.internetcomputer.org/proposal/132507)
- [132482](https://dashboard.internetcomputer.org/proposal/132482)
- [132481](https://dashboard.internetcomputer.org/proposal/132481)
Expand Down
2 changes: 1 addition & 1 deletion Cargo.lock
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

7 changes: 5 additions & 2 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ The `IC SDK` installation script installs several components in default location
| Component | Description | Default location |
|--------------|----------------------------------------------------------------------------------------------------|-----------------------------------------------|
| dfx | Command-line interface (CLI) | `/usr/local/bin/dfx` |
| dfxvm | Command-line interface, version manager | `/usr/local/bin/dfxvm` |
| moc | Motoko runtime compiler | `~/.cache/dfinity/versions/<VERSION>/moc` |
| replica | Internet Computer local network binary | `~/.cache/dfinity/versions/<VERSION>/replica` |
| uninstall.sh | Script to remove the SDK and all of its components | `~/.cache/dfinity/uninstall.sh` |
Expand All @@ -28,8 +29,10 @@ There are a few components above worth expanding on:

1. **dfx** - `dfx` is the command-line interface for the `IC SDK`. This is why many commands for the IC SDK start with the command "`dfx ..`" such as `dfx new` or `dfx stop`.

2. **Canister Development Kit (CDK)** - A CDK is an adapter used by the IC SDK so a programming language has the features needed to create and manage canisters.
The IC SDK comes with a few CDKs already installed for you so you can use them in the language of yoru choice. That is why there is a [Rust CDK](https://github.com/dfinity/cdk-rs), [Python CDK](https://demergent-labs.github.io/kybra/),
2. **dfxvm** - `dfxvm` is the version manager for `dfx`, i.e. a CLI for selecting and managing installed `dfx` versions.

3. **Canister Development Kit (CDK)** - A CDK is an adapter used by the IC SDK so a programming language has the features needed to create and manage canisters.
The IC SDK comes with a few CDKs already installed for you so you can use them in the language of your choice. That is why there is a [Rust CDK](https://github.com/dfinity/cdk-rs), [Python CDK](https://demergent-labs.github.io/kybra/),
[TypeScript CDK](https://demergent-labs.github.io/azle/), etc... Since CDKs are components used the SDK, some developer choose to use the CDK directly (without the `IC SDK`),
but typically are used as part of the whole `IC SDK`.

Expand Down
8 changes: 6 additions & 2 deletions docs/cli-reference/dfx-canister.mdx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -280,7 +280,8 @@ You can use the following options with the `dfx canister create` command.
| `--memory-allocation <memory>` | Specifies how much memory the canister is allowed to use in total. This should be a value in the range [0..12 GiB]. A setting of 0 means the canister will have access to memory on a “best-effort” basis: It will only be charged for the memory it uses, but at any point in time may stop running if it tries to allocate more memory when there isn’t space available on the subnet. |
| `--reserved-cycles-limit <limit>` | Specifies the upper limit for the canister's reserved cycles. |
| `--wasm-memory-limit <limit>` | Specifies a soft upper limit for the canister's heap memory. |
| `--log-visibility <visibility>` | Specifies who is allowed to read the canister's logs. Can be either "controllers" or "public". |
| `--log-viewer <principal>` | Specifies the principal as an allowed viewers. Can be specified more than once. Cannot be used with `--log-visibility`. |
| `--log-visibility <visibility>` | Specifies who can read the canister's logs: "controllers" or "public". For custom allowed viewers, use `--log-viewer`. |
| `--no-wallet` | Performs the call with the user Identity as the Sender of messages. Bypasses the Wallet canister. Enabled by default. |
| `--with-cycles <number-of-cycles>` | Specifies the initial cycle balance to deposit into the newly created canister. The specified amount needs to take the canister create fee into account. This amount is deducted from the wallet's cycle balance. |
| `--specified-id <PRINCIPAL>` | Attempts to create the canister with this Canister ID |
Expand Down Expand Up @@ -1137,14 +1138,17 @@ You can specify the following options for the `dfx canister update-settings` com
| Option | Description |
|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `--add-controller <principal>` | Add a principal to the list of controllers of the canister. |
| `--add-log-viewer <principal>` | Add a principal to the list of log viewers of the canister. Can be specified more than once to add multiple log viewers. If current log visibility is `public` or `controllers`, it will be changed to the custom allowed viewer list. |
| `-c`, `--compute-allocation <allocation>` | Specifies the canister's compute allocation. This should be a percent in the range [0..100]. |
| `--confirm-very-long-freezing-threshold` | Freezing thresholds above ~1.5 years require this option as confirmation. |
| `--set-controller <principal>` | Specifies the identity name or the principal of the new controller. Can be specified more than once, indicating the canister will have multiple controllers. If any controllers are set with this parameter, any other controllers will be removed. |
| `--set-log-viewer <principal>` | Specifies the the principal of the log viewer of the canister. Can be specified more than once, indicating the canister will have multiple log viewers. If any log viewers are set with this parameter, any other log viewers will be removed. If current log visibility is `public` or `controllers`, it will be changed to the custom allowed viewer list. |
| `--memory-allocation <allocation>` | Specifies how much memory the canister is allowed to use in total. This should be a value in the range [0..12 GiB]. A setting of 0 means the canister will have access to memory on a “best-effort” basis: It will only be charged for the memory it uses, but at any point in time may stop running if it tries to allocate more memory when there isn’t space available on the subnet. |
| `--reserved-cycles-limit <limit>` | Specifies the upper limit of the canister's reserved cycles. |
| `--wasm-memory-limit <limit>` | Specifies a soft upper limit for the canister's heap memory. |
| `--log-visibility <visibility>` | Specifies who is allowed to read the canister's logs. Can be either "controllers" or "public". |
| `--log-visibility <visibility>` | Specifies who is allowed to read the canister's logs. Can be either "controllers" or "public". For custom allowed viewers, use `--set-log-viewer` or `--add-log-viewer`. |
| `--remove-controller <principal>` | Removes a principal from the list of controllers of the canister. |
| `--remove-log-viewer <principal>` | Removes a principal from the list of log viewers of the canister. Can be specified more than once to remove multiple log viewers. |
| `--freezing-threshold <seconds>` | Set the [freezing threshold](https://internetcomputer.org/docs/current/references/ic-interface-spec/#ic-create_canister) in seconds for a canister. This should be a value in the range [0..2^64^-1]. Very long thresholds require the `--confirm-very-long-freezing-threshold` option. |
| `-y`, `--yes` | Skips yes/no checks by answering 'yes'. Such checks can result in loss of control, so this is not recommended outside of CI. |

Expand Down
8 changes: 8 additions & 0 deletions docs/cli-reference/dfx-envars.mdx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,3 +68,11 @@ DFX_VERSION=0.13.1 dfx deploy --network ic
## DFX_DISABLE_QUERY_VERIFICATION

Set this to a non-empty value to disable verification of replica-signed queries.

## DFX_REPLICA_PATH

Use the `DFX_REPLICA_PATH` environment variable to specify a file path to a local version of the replica. If this option is used, `canister_sandbox` and `sandbox_launcher` must be in the same directory with the desired replica version.

## DFX_IC_STARTER_PATH

Use the `DFX_IC_STARTER_PATH` environment variable to specify a file path to a local version of `ic-starter`.
29 changes: 24 additions & 5 deletions docs/dfx-json-schema.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -137,10 +137,29 @@
}
},
"CanisterLogVisibility": {
"type": "string",
"enum": [
"controllers",
"public"
"oneOf": [
{
"type": "string",
"enum": [
"controllers",
"public"
]
},
{
"type": "object",
"required": [
"allowed_viewers"
],
"properties": {
"allowed_viewers": {
"type": "array",
"items": {
"type": "string"
}
}
},
"additionalProperties": false
}
]
},
"CanisterMetadataSection": {
Expand Down Expand Up @@ -947,7 +966,7 @@
},
"log_visibility": {
"title": "Log Visibility",
"description": "Specifies who is allowed to read the canister's logs.\n\nCan be \"public\" or \"controllers\".",
"description": "Specifies who is allowed to read the canister's logs.\n\nCan be \"public\", \"controllers\" or \"allowed_viewers\" with a list of principals.",
"anyOf": [
{
"$ref": "#/definitions/CanisterLogVisibility"
Expand Down
26 changes: 26 additions & 0 deletions e2e/tests-dfx/canister_logs.bash
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,3 +65,29 @@ dfx_canister_logs_tail_n_1() {
assert_not_contains "Alice"
assert_contains "Bob"
}

@test "canister logs only visible to allowed viewers." {
install_asset logs
dfx_start
dfx canister create --all
dfx build
dfx canister install e2e_project
dfx canister call e2e_project hello Alice
sleep 2

assert_command dfx canister logs e2e_project
assert_contains "Hello, Alice!"

# Create identity for viewers.
assert_command dfx identity new --storage-mode plaintext alice
ALICE_PRINCIPAL=$(dfx identity get-principal --identity alice)

assert_command_fail dfx canister logs e2e_project --identity alice

assert_command dfx canister update-settings --add-log-viewer="${ALICE_PRINCIPAL}" e2e_project
assert_command dfx canister status e2e_project
assert_contains "${ALICE_PRINCIPAL}"

assert_command dfx canister logs e2e_project --identity alice
assert_contains "Hello, Alice!"
}
Loading

0 comments on commit aac434b

Please sign in to comment.