[FINAL] feat: [EXC-1676] add allowed viewers variant to canister's log visibility (#326)

maksymar · Dfinity-Bjoern · mraszyk · web-flow · commit 9a5077e7f90f · 2024-11-01T16:37:28.000+01:00
* add log_visibility allowlist

* .

* add limit

* wording

* no opt

* allowed_viewers

* rm canister_log_allowlist

* AllowedViewers

* AllowedViewers

* .

* .

* wording

* canister_log_visibility =

* formatting

* change variants order

* Update spec/index.md

Co-authored-by: mraszyk &lt;31483726+mraszyk@users.noreply.github.com&gt;

* Update spec/index.md

* wording

* changelog

---------

Co-authored-by: Björn Tackmann &lt;54846571+Dfinity-Bjoern@users.noreply.github.com&gt;
Co-authored-by: mraszyk &lt;31483726+mraszyk@users.noreply.github.com&gt;
Co-authored-by: Martin Raszyk &lt;martin.raszyk@dfinity.org&gt;
diff --git a/spec/_attachments/ic.did b/spec/_attachments/ic.did
@@ -5,6 +5,7 @@ type snapshot_id = blob;
 type log_visibility = variant {
     controllers;
     public;
+    allowed_viewers : vec principal;
 };
 
 type canister_settings = record {
diff --git a/spec/_attachments/interface-spec-changelog.md b/spec/_attachments/interface-spec-changelog.md
@@ -2,6 +2,7 @@
 
 ### ∞ (unreleased)
 * Allow anonymous query and read state requests with invalid `ingress_expiry`.
+* Add allowed viewers variant to canister log visibility.
 
 ### 0.28.0 (2024-10-11) {#0_28_0}
 * Add new management canister methods for canister snapshot support.
diff --git a/spec/index.md b/spec/index.md
@@ -2617,7 +2617,12 @@ The canister logs are *not* collected in canister methods running in non-replica
 The total size of all returned logs does not exceed 4KiB.
 If new logs are added resulting in exceeding the maximum total log size of 4KiB, the oldest logs will be removed.
 Logs persist across canister upgrades and they are deleted if the canister is reinstalled or uninstalled.
-The log visibility is defined in the `log_visibility` field of `canister_settings`: logs can be either public (visible to everyone) or only visible to the canister's controllers (by default).
+
+The log visibility is defined in the `log_visibility` field of `canister_settings` and can be one of the following variants:
+
+- `controllers`: only the canister's controllers can fetch logs (default);
+- `public`: everyone can fetch logs;
+- `allowed_viewers` (`vec principal`): only principals in the provided list and the canister's controllers can fetch logs, the maximum length of the list is 10.
 
 A single log is a record with the following fields:
 
@@ -3389,6 +3394,7 @@ CanisterHistory = {
 CanisterLogVisibility
   = Controllers
   | Public
+  | AllowedViewers [Principal]
 CanisterLog = {
   idx : Nat;
   timestamp_nanos : Nat;
@@ -6147,7 +6153,11 @@ Q.canister_id = ic_principal
 Q.method_name = 'fetch_canister_logs'
 Q.arg = candid(A)
 A.canister_id = effective_canister_id
-S[A.canister_id].canister_log_visibility = Public or Q.sender in S[A.canister_id].controllers
+(S[A.canister_id].canister_log_visibility = Public)
+  or
+  (S[A.canister_id].canister_log_visibility = Controllers and Q.sender in S[A.canister_id].controllers)
+  or
+  (S[A.canister_id].canister_log_visibility = AllowedViewers Principals and (Q.sender in S[A.canister_id].controllers or Q.sender in Principals))
 
 ```
 
