chore(node): chip_id invariant check (#9218)

andrewbattat · web-flow · commit dbae8febce14 · 2026-03-10T21:45:55.000Z
NODE-1896 Adds an invariant to the registry to ensure that each node's chip ID is unique.
diff --git a/rs/registry/canister/src/invariants/node_record.rs b/rs/registry/canister/src/invariants/node_record.rs
@@ -1,20 +1,39 @@
-use crate::invariants::common::{InvariantCheckError, RegistrySnapshot, get_all_node_records};
+use std::collections::{BTreeMap, HashMap};
+
+use ic_base_types::NodeId;
 use ic_nns_common::registry::MAX_NUM_SSH_KEYS;
+use ic_protobuf::registry::node::v1::NodeRecord;
+
+use crate::invariants::common::{
+    InvariantCheckError, RegistrySnapshot, get_node_records_from_snapshot,
+};
 
 pub(crate) fn check_node_record_invariants(
     snapshot: &RegistrySnapshot,
 ) -> Result<(), InvariantCheckError> {
-    for node_record in get_all_node_records(snapshot) {
+    let node_records = get_node_records_from_snapshot(snapshot);
+
+    check_ssh_key_limits(&node_records)?;
+    check_chip_ids_are_unique(&node_records)?;
+
+    Ok(())
+}
+
+fn check_ssh_key_limits(
+    node_records: &BTreeMap<NodeId, NodeRecord>,
+) -> Result<(), InvariantCheckError> {
+    for node_record in node_records.values() {
         // Enforce that the ssh_node_state_write_access field does not have too many elements.
         if node_record.ssh_node_state_write_access.len() > MAX_NUM_SSH_KEYS {
             return Err(InvariantCheckError {
                 msg: format!(
-                    "The `ssh_node_state_write_access` field of a `NodeReocrd` has too many elements. \
-                     {MAX_NUM_SSH_KEYS} is the maximum allowed; whereas, the `NodeRecord` with `chip_id`=\
+                    "The `ssh_node_state_write_access` field of a `NodeRecord` has too many elements. \
+                     {MAX_NUM_SSH_KEYS} is the maximum allowed; whereas, the `NodeRecord` with `http`=\
                      {} had {} elements \
                      in this field.",
                     node_record
                         .http
+                        .as_ref()
                         .map(|http| format!("{http:?}"))
                         .unwrap_or_else(|| "?-UNKNOWN-?".to_string()),
                     node_record.ssh_node_state_write_access.len()
@@ -27,5 +46,37 @@ pub(crate) fn check_node_record_invariants(
     Ok(())
 }
 
+fn check_chip_ids_are_unique(
+    node_records: &BTreeMap<NodeId, NodeRecord>,
+) -> Result<(), InvariantCheckError> {
+    let mut chip_id_to_node: HashMap<Vec<u8>, NodeId> = HashMap::new();
+
+    for (node_id, node_record) in node_records {
+        // Skip nodes without a chip_id (non-SEV nodes), or with an empty one.
+        // Rejecting a malformed (empty) chip_id is not this check's job; here
+        // we only care about uniqueness among meaningful values.
+        let chip_id = match node_record.chip_id {
+            Some(ref id) if !id.is_empty() => id,
+            _ => continue,
+        };
+
+        if let Some(prev_node_id) = chip_id_to_node.get(chip_id) {
+            return Err(InvariantCheckError {
+                msg: format!(
+                    "chip_id {} is assigned to multiple nodes: {} and {}",
+                    hex::encode(chip_id),
+                    prev_node_id,
+                    node_id,
+                ),
+                source: None,
+            });
+        }
+
+        chip_id_to_node.insert(chip_id.clone(), *node_id);
+    }
+
+    Ok(())
+}
+
 #[cfg(test)]
 mod tests;
diff --git a/rs/registry/canister/src/invariants/node_record/tests.rs b/rs/registry/canister/src/invariants/node_record/tests.rs
@@ -54,3 +54,58 @@ fn test_ssh_node_state_write_access_not_too_long() {
         assert!(message.contains(key_word), "{err:?}");
     }
 }
+
+#[test]
+fn test_chip_id_uniqueness_distinct_chip_ids() {
+    let mut snapshot = RegistrySnapshot::new();
+
+    snapshot.insert(
+        make_node_record_key(NodeId::from(PrincipalId::new_user_test_id(1))).into_bytes(),
+        NodeRecord {
+            chip_id: Some(vec![0xAA; 64]),
+            ..Default::default()
+        }
+        .encode_to_vec(),
+    );
+    snapshot.insert(
+        make_node_record_key(NodeId::from(PrincipalId::new_user_test_id(2))).into_bytes(),
+        NodeRecord {
+            chip_id: Some(vec![0xBB; 64]),
+            ..Default::default()
+        }
+        .encode_to_vec(),
+    );
+
+    check_node_record_invariants(&snapshot).unwrap();
+}
+
+#[test]
+fn test_chip_id_uniqueness_duplicate_chip_ids() {
+    let mut snapshot = RegistrySnapshot::new();
+    let duplicate_chip_id = vec![0xCC; 64];
+
+    snapshot.insert(
+        make_node_record_key(NodeId::from(PrincipalId::new_user_test_id(1))).into_bytes(),
+        NodeRecord {
+            chip_id: Some(duplicate_chip_id.clone()),
+            ..Default::default()
+        }
+        .encode_to_vec(),
+    );
+    snapshot.insert(
+        make_node_record_key(NodeId::from(PrincipalId::new_user_test_id(2))).into_bytes(),
+        NodeRecord {
+            chip_id: Some(duplicate_chip_id.clone()),
+            ..Default::default()
+        }
+        .encode_to_vec(),
+    );
+
+    let err = check_node_record_invariants(&snapshot).unwrap_err();
+    assert!(err.msg.contains("multiple nodes"), "{}", err.msg);
+    assert!(
+        err.msg.contains(&hex::encode(&duplicate_chip_id)),
+        "{}",
+        err.msg
+    );
+}
