feat: Add better observability features for the anchor migration (dfinity#3567)

# Motivation

Observing exotic cases from the anchor migration.

# Changes

* Updates warning log messages to be more concise by removing
"protected" qualifier
* Adds filtering logic to only store the most exotic migration cases in
memory
* Adds pagination support to the special cases keys query function

# Tests

Not required.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: aterga

src/internet_identity/src/main.rs

@@ -90,8 +90,18 @@ fn get_anchor_migration_special_cases(anchor_number: AnchorNumber) -> Vec<Specia
 }
 
 #[query(hidden = true)]
-fn get_anchor_migration_special_cases_keys() -> Vec<AnchorNumber> {
-    ANCHOR_MIGRATION_SPECIAL_CASES.with_borrow(|cases| cases.keys().cloned().collect())
+fn get_anchor_migration_special_cases_keys(lo: usize, hi: usize) -> Vec<AnchorNumber> {
+    use std::cmp::{max, min};
+
+    let anchor_numbers: Vec<_> =
+        ANCHOR_MIGRATION_SPECIAL_CASES.with_borrow(|cases| cases.keys().cloned().collect());
+
+    let lo = max(0, lo);
+    let hi = min(anchor_numbers.len(), hi);
+
+    let (lo, hi) = (min(lo, hi), max(lo, hi));
+
+    anchor_numbers[lo..hi].to_vec()
 }
 
 /// Temporary function to list migration errors.

src/internet_identity/src/storage.rs

@@ -779,6 +779,15 @@ impl<M: Memory + Clone> Storage<M> {
         // Read unbounded stable structures anchor
         let storable_fixed_anchor = StorableFixedAnchor::from_bytes(Cow::Owned(buf));
         let storable_anchor = self.stable_anchor_memory.get(&anchor_number);
+
+        if storable_anchor.is_none() {
+            ic_cdk::println!(
+                "Warning: Anchor number {} has no corresponding StorableAnchor in stable memory. \
+                 Falling back to reading from legacy anchor memory.",
+                anchor_number,
+            );
+        }
+
         Ok(Anchor::from((
             anchor_number,
             storable_fixed_anchor,

src/internet_identity/src/storage/anchor.rs

@@ -206,8 +206,8 @@ impl From<Anchor> for (StorableFixedAnchor, StorableAnchor) {
                 ) => {
                     if protection == &DeviceProtection::Protected {
                         ic_cdk::println!(
-                            "Warning: Passkey with protected device protection found. \
-                             PubKey: {:?}, Anchor: {}",
+                            "Warning: Passkey with device protection found. PubKey: {:?}, \
+                             Anchor: {}",
                             hex::encode(&pubkey),
                             anchor_number,
                         );
@@ -230,8 +230,8 @@ impl From<Anchor> for (StorableFixedAnchor, StorableAnchor) {
                     )));
                     if protection == &DeviceProtection::Protected {
                         ic_cdk::println!(
-                            "Warning: Passkey without origin with protected device protection \
-                             found. PubKey: {:?}, Anchor: {}",
+                            "Warning: Passkey without origin with device protection found. \
+                             PubKey: {:?}, Anchor: {}",
                             hex::encode(&pubkey),
                             anchor_number,
                         );
@@ -254,6 +254,15 @@ impl From<Anchor> for (StorableFixedAnchor, StorableAnchor) {
                         origin,
                     )));
 
+                    if protection == &DeviceProtection::Protected {
+                        ic_cdk::println!(
+                            "Warning: Recovery passkey with device protection found. PubKey: {:?}, \
+                             Anchor: {}",
+                            hex::encode(&pubkey),
+                            anchor_number,
+                        );
+                    }
+
                     // No logging for a legitimate legacy recovery device.
 
                     (credential_id, special_device_migration)
@@ -303,12 +312,46 @@ impl From<Anchor> for (StorableFixedAnchor, StorableAnchor) {
 
             // Store special cases to aid observability (they will also be persisted in stable memory).
             if let Some(special_device_migration) = &special_device_migration {
-                ANCHOR_MIGRATION_SPECIAL_CASES.with_borrow_mut(|cases| {
-                    cases
-                        .entry(anchor_number)
-                        .or_default()
-                        .push(special_device_migration.clone())
-                })
+                // To avoid storing too much data on the heap, we filter this down to only contain
+                // the most exotic cases.
+
+                let is_valid_passkey_but_without_an_origin = matches!(
+                    (&credential_id, purpose, key_type, origin, protection),
+                    (
+                        Some(_),
+                        Purpose::Authentication,
+                        KeyType::Platform | KeyType::CrossPlatform | KeyType::Unknown,
+                        None,
+                        DeviceProtection::Unprotected,
+                    )
+                );
+
+                let is_recovery_passkey = matches!(
+                    (&credential_id, purpose, key_type, protection),
+                    (
+                        Some(_),
+                        Purpose::Recovery,
+                        KeyType::Platform | KeyType::CrossPlatform | KeyType::Unknown,
+                        DeviceProtection::Unprotected,
+                    )
+                );
+
+                let is_legacy_pin_flow = matches!(
+                    (&credential_id, purpose, key_type),
+                    (None, Purpose::Authentication, KeyType::BrowserStorageKey)
+                );
+
+                if !is_valid_passkey_but_without_an_origin
+                    && !is_recovery_passkey
+                    && !is_legacy_pin_flow
+                {
+                    ANCHOR_MIGRATION_SPECIAL_CASES.with_borrow_mut(|cases| {
+                        cases
+                            .entry(anchor_number)
+                            .or_default()
+                            .push(special_device_migration.clone())
+                    })
+                }
             }
 
             if let Some(credential_id) = credential_id {