feat(backend): create controller guard for old update calls (#5028)

AntonioVentilii · github-actions[bot] · web-flow · commit 10dae19ed7ec · 2025-03-04T15:06:08.000Z
# Motivation

Some `update` calls in the `backend` do not necessary require
`allowed_users` to access them. Mainly they are related to migration.

So, we allow just the controllers to access them, until the time comes
that we totally deprecate them.

# Changes

- Create guard caller_is_controller just for controllers.
- Use new guard in `update` calls:
  - `top_up_cycles_ledger`
  - `set_guards`
  - `bulk_up`
  - `migrate_user_data_to`
  - `migration_stop_timer`
  - `step_migration`

# Tests

Current tests are sufficient.

---------

Co-authored-by: github-actions &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
diff --git a/src/backend/src/guards.rs b/src/backend/src/guards.rs
@@ -11,6 +11,15 @@ pub fn caller_is_not_anonymous() -> Result<(), String> {
     }
 }
 
+pub fn caller_is_controller() -> Result<(), String> {
+    let caller = caller();
+    if is_controller(&caller) {
+        Ok(())
+    } else {
+        Err("Caller is not a controller.".to_string())
+    }
+}
+
 pub fn caller_is_allowed() -> Result<(), String> {
     let caller = caller();
     if read_config(|s| s.allowed_callers.contains(&caller)) || is_controller(&caller) {
diff --git a/src/backend/src/lib.rs b/src/backend/src/lib.rs
@@ -51,7 +51,7 @@ use user_profile_model::UserProfileModel;
 
 use crate::{
     assertions::{assert_token_enabled_is_some, assert_token_symbol_length},
-    guards::{caller_is_allowed, may_read_user_data, may_write_user_data},
+    guards::{caller_is_allowed, caller_is_controller, may_read_user_data, may_write_user_data},
     oisy_user::oisy_user_creation_timestamps,
     token::{add_to_user_token, remove_from_user_token},
     user_profile::add_hidden_dapp_id,
@@ -216,14 +216,14 @@ pub fn post_upgrade(arg: Option<Arg>) {
 #[query(guard = "caller_is_allowed")]
 #[must_use]
 pub fn config() -> Config {
-    read_config(std::clone::Clone::clone)
+    read_config(Clone::clone)
 }
 
 /// Adds cycles to the cycles ledger, if it is below a certain threshold.
 ///
 /// # Errors
 /// Error conditions are enumerated by: `TopUpCyclesLedgerError`
-#[update(guard = "caller_is_allowed")]
+#[update(guard = "caller_is_controller")]
 pub async fn top_up_cycles_ledger(
     request: Option<TopUpCyclesLedgerRequest>,
 ) -> TopUpCyclesLedgerResult {
@@ -656,7 +656,7 @@ pub fn migration() -> Option<MigrationReport> {
 
 /// Sets the lock state of the canister APIs.  This can be used to enable or disable the APIs, or to
 /// enable an API in read-only mode.
-#[update(guard = "caller_is_allowed")]
+#[update(guard = "caller_is_controller")]
 pub fn set_guards(guards: Guards) {
     mutate_state(|state| modify_state_config(state, |config| config.api = Some(guards)));
 }
@@ -675,7 +675,7 @@ pub fn stats() -> Stats {
 ///
 /// Note: In case of conflict, existing data is overwritten.  This situation is expected to occur
 /// only if a migration failed and had to be restarted.
-#[update(guard = "caller_is_allowed")]
+#[update(guard = "caller_is_controller")]
 #[allow(clippy::needless_pass_by_value)]
 pub fn bulk_up(data: Vec<u8>) {
     migrate::bulk_up(&data);
@@ -685,7 +685,7 @@ pub fn bulk_up(data: Vec<u8>) {
 ///
 /// # Errors
 /// - There is a current migration in progress to a different canister.
-#[update(guard = "caller_is_allowed")]
+#[update(guard = "caller_is_controller")]
 pub fn migrate_user_data_to(to: Principal) -> Result<MigrationReport, String> {
     mutate_state(|s| {
         if let Some(migration) = &s.migration {
@@ -713,7 +713,7 @@ pub fn migrate_user_data_to(to: Principal) -> Result<MigrationReport, String> {
 ///
 /// # Errors
 /// - There is no migration in progress.
-#[update(guard = "caller_is_allowed")]
+#[update(guard = "caller_is_controller")]
 pub fn migration_stop_timer() -> Result<(), String> {
     mutate_state(|s| {
         if let Some(migration) = &s.migration {
@@ -728,7 +728,7 @@ pub fn migration_stop_timer() -> Result<(), String> {
 /// Steps the migration.
 ///
 /// On error, the migration is marked as failed and the timer is cleared.
-#[update(guard = "caller_is_allowed")]
+#[update(guard = "caller_is_controller")]
 pub async fn step_migration() {
     let result = migrate::step_migration().await;
     eprintln!("Stepped migration: {:?}", result);
diff --git a/src/backend/tests/it/signer.rs b/src/backend/tests/it/signer.rs
@@ -12,14 +12,14 @@ use crate::utils::{
 };
 
 #[test]
-fn test_topup_cannot_be_called_if_not_allowed() {
+fn test_topup_cannot_be_called_if_not_controller() {
     let pic_setup = setup();
     // A random unauthorized user.
     let caller = Principal::from_text(VC_HOLDER).unwrap();
 
     let response = pic_setup.update::<TopUpCyclesLedgerResult>(caller, "top_up_cycles_ledger", ());
 
-    assert_eq!(response, Err("Caller is not allowed.".to_string()));
+    assert_eq!(response, Err("Caller is not a controller.".to_string()));
 }
 
 #[test]
