feat: Check subnet admins in deterministic state machine

[dsarlis]

This PR builds on top of #8731 to add the checks related to the new subnet admins field and actions they can perform on canisters. Specifically, the subnet admins can stop, start, uninstall, delete and get the status of canisters but they cannot for example install_code on them.

The field is read from the registry and stored in the NetworkTopology which can then be read by the Deterministic State Machine to perform any necessary checks. A new function validate_controller_or_subnet_admin is added that performs the required checks. This function replaces the old one in the endpoints that are allowed to be called by subnet admins. In case the subnet admins field is empty, this function returns the same error as before (for backward compatibility), otherwise a new error is returned that captures the fact that the caller is neither a controller or subnet admin.

Given that the ability to update the admins list is still under development (see #8911), this PR should currently act a no-op as all subnets have an empty subnet admins list.

[github-actions]

Run on 439faf6 URL: https://github.com/dfinity/ic/actions/runs/22133702477

[dsarlis]

Related spec change: dfinity/portal#6196.

[mraszyk]

I'd introduce a dedicated CanisterManagerError (since the subnet record is public anyway) and harden the unit test. Otherwise LGTM

[dsarlis]

Note that I had to move the subnet_admins field from RegistryExecutionSettings to NetworkTopology since we need access to it in the query handler (for canister_status query calls). It comes with the usual set of changes in protobuf structs and what not.

One thing I do not recall, is whether this change requires a new version of canonical state -- no tests failed there which would seem to indicate that we don't need one?

[mraszyk]

One thing I do not recall, is whether this change requires a new version of canonical state -- no tests failed there which would seem to indicate that we don't need one?

We are not mapping anything new in the state tree so no new version is needed.

[mraszyk]

I also realized we don't have tests that subnet admins could use the query endpoint for canister status, but I don't have a strong opinion on the necessity of such a test.

[dsarlis]

I also realized in a live discussion with @nathanosdev that I missed updating the ingress filter check to not allow ingress messages to the subnet admin endpoints if a subnet admin is not the sender. I'll also fix that.

[mraszyk]

I missed updating the ingress filter check to not allow ingress messages to the subnet admin endpoints if a subnet admin is not the sender

Don't you need to relax this:

                        match canister.controllers().contains(&sender.get()) {
                            true => Ok(()),
                            false => Err(UserError::new(
                                ErrorCode::CanisterInvalidController,
                                format!(
                                    "Only controllers of canister {canister_id} can call ic00 method {method_name}",
                                ),
                            )),
                        }

[dsarlis]

I missed updating the ingress filter check to not allow ingress messages to the subnet admin endpoints if a subnet admin is not the sender

Don't you need to relax this:

                        match canister.controllers().contains(&sender.get()) {
                            true => Ok(()),
                            false => Err(UserError::new(
                                ErrorCode::CanisterInvalidController,
                                format!(
                                    "Only controllers of canister {canister_id} can call ic00 method {method_name}",
                                ),
                            )),
                        }

Yes, I meant I'll need to update the check to be "controller or subnet admin is allowed" for the methods that this applies to.

[github-actions]

Run on 9084d9a URL: https://github.com/dfinity/ic/actions/runs/22230355388

[github-actions]

Run on 09566bd URL: https://github.com/dfinity/ic/actions/runs/22231331879