Merge branch 'main' into dev

victorshevtsov · victorshevtsov · commit 9ea3ea68341c · 2025-11-14T08:54:17.000Z
diff --git a/.github/scripts/check_published.sh b/.github/scripts/check_published.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+CRATE_NAME="${1:?crate name is required}"
+
+# Resolve the version using cargo metadata (works with workspace versioning)
+TARGET_VERSION=$(cargo metadata --format-version 1 --no-deps \
+  | jq -r --arg N "$CRATE_NAME" '.packages[] | select(.name==$N) | .version')
+
+if [ -z "$TARGET_VERSION" ] || [ "$TARGET_VERSION" = "null" ]; then
+  echo "Could not resolve version for $CRATE_NAME" >&2
+  exit 1
+fi
+
+echo "Target version for $CRATE_NAME: $TARGET_VERSION"
+
+# Query crates.io for existing versions
+EXISTING=$(curl -fsSL "https://crates.io/api/v1/crates/$CRATE_NAME" \
+  | jq -r --arg V "$TARGET_VERSION" '.versions[] | select(.num==$V) | .num' \
+  | head -n1 || true)
+
+if [ "$EXISTING" = "$TARGET_VERSION" ]; then
+  echo "already=true" >> "$GITHUB_OUTPUT"
+  echo "Version $TARGET_VERSION already published for $CRATE_NAME; will skip."
+else
+  echo "already=false" >> "$GITHUB_OUTPUT"
+  echo "Version $TARGET_VERSION not yet published for $CRATE_NAME; will publish."
+fi
+
+
diff --git a/.github/scripts/detect_changed_crates.sh b/.github/scripts/detect_changed_crates.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${CRATES:?CRATES env is required}"
+
+# Ensure tags are available
+git fetch --tags --force || true
+
+# Determine base ref to diff against (previous tag or repo root commit)
+if PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null); then
+  BASE_REF="$PREV_TAG"
+else
+  BASE_REF=$(git rev-list --max-parents=0 HEAD | tail -n1)
+fi
+echo "Using BASE_REF=$BASE_REF -> HEAD=${GITHUB_SHA:-HEAD}"
+
+# Build JSON matrix with a changed flag per crate
+JSON='{"include":['
+SEP=""
+ANY_CHANGED=false
+while IFS= read -r entry; do
+  [ -z "$entry" ] && continue
+  name="${entry%%|*}"
+  path="${entry##*|}"
+  if git diff --quiet "$BASE_REF" "${GITHUB_SHA:-HEAD}" -- "$path"; then
+    changed=false
+  else
+    changed=true
+    ANY_CHANGED=true
+  fi
+  JSON+="$SEP{\"name\":\"$name\",\"path\":\"$path\",\"changed\":$changed}"
+  SEP="," 
+done <<< "${CRATES}"
+JSON+=']}'
+
+echo "matrix=$JSON" >> "$GITHUB_OUTPUT"
+echo "any_changed=$ANY_CHANGED" >> "$GITHUB_OUTPUT"
+echo "Computed matrix: $JSON"
+
+
diff --git a/.github/scripts/publish_crate.sh b/.github/scripts/publish_crate.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cargo package --allow-dirty
+cargo publish --allow-dirty
+
+
diff --git a/rs/verity-client/tests/mock_prover.rs b/rs/verity-client/tests/mock_prover.rs
@@ -0,0 +1,212 @@
+use std::time::Duration;
+
+use axum::response::sse::{Event as SseEvent, Sse};
+use axum::{
+    extract::Path,
+    http::{HeaderMap, HeaderValue, StatusCode},
+    response::IntoResponse,
+    routing::{get, post},
+    Json, Router,
+};
+use futures_util::stream;
+use std::convert::Infallible;
+use tokio::net::TcpListener;
+use tokio::task::JoinHandle;
+
+use verity_client::client::{NotaryInformation, VerityClient, VerityClientConfig};
+
+async fn spawn_mock_server() -> (String, JoinHandle<()>) {
+    // Bind to a random local port
+    let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
+    let addr = listener.local_addr().unwrap();
+
+    let app = Router::new()
+        .route(
+            "/notaryinfo",
+            get(|| async {
+                let info = NotaryInformation {
+                    version: "test".to_string(),
+                    public_key: "-----BEGIN PUBLIC KEY---...".to_string(),
+                    git_commit_hash: "0000000000000000000000000000000000000000".to_string(),
+                };
+                Json(info)
+            }),
+        )
+        .route("/proxy", post(proxy_handler).get(proxy_handler))
+        .route("/proof/:id", get(proof_handler));
+
+    let handle = tokio::spawn(async move {
+        axum::serve(listener, app.into_make_service())
+            .await
+            .unwrap();
+    });
+
+    (format!("http://{}", addr), handle)
+}
+
+async fn proxy_handler() -> impl IntoResponse {
+    // Return a response header to indicate proof will arrive on SSE
+    let mut headers = HeaderMap::new();
+    headers.insert("T-PROOF-ID", HeaderValue::from_static("1"));
+    (StatusCode::OK, headers, "ok")
+}
+
+async fn proof_handler(Path(id): Path<String>) -> impl IntoResponse {
+    // Simulate SSE stream. For simplicity, send a single event and close.
+    // Format: notary_pub_key|proof
+    let body = format!(
+        "data: {}|proof-for-{}\n\n",
+        "-----BEGIN PUBLIC KEY---...", id
+    );
+    let headers = {
+        let mut h = HeaderMap::new();
+        h.insert(
+            "content-type",
+            HeaderValue::from_static("text/event-stream"),
+        );
+        h
+    };
+    (headers, body)
+}
+
+#[tokio::test]
+async fn get_notary_info_works() {
+    let (base, _server) = spawn_mock_server().await;
+    let client = VerityClient::new(
+        VerityClientConfig::new(base.clone()).with_proof_timeout(Duration::from_millis(3000)),
+    );
+
+    let info = client.get_notary_info().await.unwrap();
+    assert_eq!(info.git_commit_hash.len(), 40);
+    assert!(info.public_key.starts_with("-----BEGIN PUBLIC KEY"));
+}
+
+#[tokio::test]
+async fn get_and_post_request_with_proof() {
+    let (base, _server) = spawn_mock_server().await;
+    let client = VerityClient::new(
+        VerityClientConfig::new(base.clone()).with_proof_timeout(Duration::from_millis(3000)),
+    );
+
+    // GET
+    let res = client
+        .get("https://jsonplaceholder.typicode.com/posts")
+        .send()
+        .await
+        .unwrap();
+    assert_eq!(res.subject.status(), StatusCode::OK);
+    assert!(res.notary_pub_key.starts_with("-----BEGIN PUBLIC KEY"));
+    assert!(res.proof.starts_with("proof-for-"));
+
+    // POST
+    let res = client
+        .post("https://jsonplaceholder.typicode.com/posts")
+        .json(&serde_json::json!({"title":"foo","body":"bar","userId":1}))
+        .send()
+        .await
+        .unwrap();
+    assert_eq!(res.subject.status(), StatusCode::OK);
+    assert!(res.notary_pub_key.starts_with("-----BEGIN PUBLIC KEY"));
+    assert!(res.proof.starts_with("proof-for-"));
+}
+
+#[tokio::test]
+async fn no_proof_header_returns_immediately() {
+    use axum::routing::get as axget;
+    use axum::Router as AxRouter;
+    use tokio::net::TcpListener as TokioListener;
+
+    // Custom server where /proxy does NOT include T-PROOF-ID
+    let listener = TokioListener::bind("127.0.0.1:0").await.unwrap();
+    let addr = listener.local_addr().unwrap();
+
+    async fn proxy_no_proof() -> impl IntoResponse {
+        (StatusCode::OK, "ok")
+    }
+
+    async fn proof_never() -> impl IntoResponse {
+        // Never send SSE events; keep the connection open
+        let pending = stream::pending::<Result<SseEvent, Infallible>>();
+        Sse::new(pending)
+    }
+
+    let app = AxRouter::new()
+        .route("/proxy", axget(proxy_no_proof).post(proxy_no_proof))
+        .route("/proof/:id", axget(proof_never))
+        .route(
+            "/notaryinfo",
+            axget(|| async {
+                Json(NotaryInformation {
+                    version: "test".to_string(),
+                    public_key: "-----BEGIN PUBLIC KEY---...".to_string(),
+                    git_commit_hash: "0000000000000000000000000000000000000000".to_string(),
+                })
+            }),
+        );
+
+    let _handle = tokio::spawn(async move {
+        axum::serve(listener, app.into_make_service())
+            .await
+            .unwrap()
+    });
+
+    let client = VerityClient::new(
+        VerityClientConfig::new(format!("http://{}", addr))
+            .with_proof_timeout(Duration::from_millis(500)),
+    );
+
+    let res = client.get("https://example.com/").send().await.unwrap();
+
+    assert_eq!(res.subject.status(), StatusCode::OK);
+    assert_eq!(res.notary_pub_key, "");
+    assert_eq!(res.proof, "");
+}
+
+#[tokio::test]
+async fn proof_timeout_errors() {
+    // Server that sets T-PROOF-ID but never emits SSE
+    let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
+    let addr = listener.local_addr().unwrap();
+
+    async fn proxy_with_proof_header(mut headers: HeaderMap) -> impl IntoResponse {
+        headers.insert("T-PROOF-ID", HeaderValue::from_static("1"));
+        (StatusCode::OK, headers, "ok")
+    }
+
+    async fn proof_never() -> impl IntoResponse {
+        // Never send SSE events; keep the connection open so client times out
+        let pending = stream::pending::<Result<SseEvent, Infallible>>();
+        Sse::new(pending)
+    }
+
+    let app = Router::new()
+        .route(
+            "/proxy",
+            get(proxy_with_proof_header).post(proxy_with_proof_header),
+        )
+        .route(
+            "/notaryinfo",
+            get(|| async {
+                Json(NotaryInformation {
+                    version: "test".to_string(),
+                    public_key: "-----BEGIN PUBLIC KEY---...".to_string(),
+                    git_commit_hash: "0000000000000000000000000000000000000000".to_string(),
+                })
+            }),
+        )
+        .route("/proof/:id", get(proof_never));
+
+    let _handle = tokio::spawn(async move {
+        axum::serve(listener, app.into_make_service())
+            .await
+            .unwrap()
+    });
+
+    let client = VerityClient::new(
+        VerityClientConfig::new(format!("http://{}", addr))
+            .with_proof_timeout(Duration::from_millis(200)),
+    );
+
+    let res = client.get("https://example.com/").send().await;
+    assert!(res.is_err());
+}
