Set constitution during recovery (#7155)

cjen1-msft · eddyashton · web-flow · commit 611c7f1ad0d7 · 2025-08-01T20:04:15.000+01:00
Co-authored-by: Eddy Ashton &lt;edashton@microsoft.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 [7.0.0-dev2]: https://github.com/microsoft/CCF/releases/tag/ccf-7.0.0-dev2
 
+### Added
+
+- Allow changing the constitution during disaster recovery via the `command.recover.constitution_files` entry in cchost. (#7155)
+
 ### Changed
 
 - `cchost` is removed, and each application now provides its own executable:
diff --git a/doc/host_config_schema/cchost_config.json b/doc/host_config_schema/cchost_config.json
@@ -417,6 +417,13 @@
                   "previous_sealed_ledger_secret_location": {
                     "type": ["string"],
                     "description": "Path to the sealed ledger secret folder, the ledger secrets for the recovered service will be unsealed from here instead of reconstructed from recovery shares."
+                  },
+                  "constitution_files": {
+                    "type": "array",
+                    "items": {
+                      "type": "string"
+                    },
+                    "description": "List of constitution files. These typically include actions.js, validate.js, resolve.js and apply.js"
                   }
                 },
                 "required": ["previous_service_identity_file"],
diff --git a/include/ccf/node/startup_config.h b/include/ccf/node/startup_config.h
@@ -146,6 +146,7 @@ namespace ccf
         std::nullopt;
       std::optional<std::string> previous_sealed_ledger_secret_location =
         std::nullopt;
+      std::optional<std::string> constitution = std::nullopt;
     };
     Recover recover = {};
   };
diff --git a/src/common/configuration.h b/src/common/configuration.h
@@ -5,6 +5,7 @@
 
 #include "ccf/crypto/curve.h"
 #include "ccf/crypto/pem.h"
+#include "ccf/ds/json.h"
 #include "ccf/ds/logger.h"
 #include "ccf/ds/unit_strings.h"
 #include "ccf/node/startup_config.h"
@@ -125,11 +126,12 @@ namespace ccf
     service_cert,
     follow_redirect);
 
-  DECLARE_JSON_TYPE(StartupConfig::Recover);
+  DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(StartupConfig::Recover);
   DECLARE_JSON_REQUIRED_FIELDS(
     StartupConfig::Recover,
     previous_service_identity,
     previous_sealed_ledger_secret_location);
+  DECLARE_JSON_OPTIONAL_FIELDS(StartupConfig::Recover, constitution);
 
   DECLARE_JSON_TYPE_WITH_BASE(StartupConfig, CCFConfig);
   DECLARE_JSON_REQUIRED_FIELDS(
diff --git a/src/host/configuration.h b/src/host/configuration.h
@@ -118,6 +118,7 @@ namespace host
         std::string previous_service_identity_file;
         std::optional<std::string> previous_sealed_ledger_secret_location =
           std::nullopt;
+        std::vector<std::string> constitution_files = {};
         bool operator==(const Recover&) const = default;
       };
       Recover recover = {};
@@ -168,7 +169,8 @@ namespace host
     CCHostConfig::Command::Recover,
     initial_service_certificate_validity_days,
     previous_service_identity_file,
-    previous_sealed_ledger_secret_location);
+    previous_sealed_ledger_secret_location,
+    constitution_files);
 
   DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(CCHostConfig::Command);
   DECLARE_JSON_REQUIRED_FIELDS(CCHostConfig::Command, type);
diff --git a/src/host/run.cpp b/src/host/run.cpp
@@ -799,6 +799,26 @@ namespace ccf
         LOG_INFO_FMT("Reading previous service identity from {}", idf);
         startup_config.recover.previous_service_identity = files::slurp(idf);
 
+        if (!config.command.recover.constitution_files.empty())
+        {
+          LOG_INFO_FMT(
+            "Reading [{}] constitution file(s) for recovery",
+            fmt::join(config.command.recover.constitution_files, ", "));
+          startup_config.recover.constitution = "";
+          for (const auto& constitution_path :
+               config.command.recover.constitution_files)
+          {
+            // Separate with single newlines
+            if (!startup_config.recover.constitution->empty())
+            {
+              startup_config.recover.constitution.value() += '\n';
+            }
+
+            startup_config.recover.constitution.value() +=
+              files::slurp_string(constitution_path);
+          }
+        }
+
         if (config.command.recover.previous_sealed_ledger_secret_location
               .has_value())
         {
diff --git a/src/node/node_state.h b/src/node/node_state.h
@@ -392,6 +392,7 @@ namespace ccf
       {
         case StartType::Start:
         {
+          LOG_INFO_FMT("Creating boot request");
           create_and_send_boot_request(
             aft::starting_view_change, true /* Create new consortium */);
           return;
@@ -2127,6 +2128,16 @@ namespace ccf
       {
         create_params.genesis_info = config.start;
       }
+      create_params.recovery_constitution = config.recover.constitution;
+      LOG_INFO_FMT("serialise_create_request, set recovery_constitution to:");
+      if (create_params.recovery_constitution.has_value())
+      {
+        LOG_INFO_FMT("{}", create_params.recovery_constitution.value());
+      }
+      else
+      {
+        LOG_INFO_FMT("No recovery constitution provided");
+      }
 
       create_params.node_id = self;
       create_params.certificate_signing_request = node_sign_kp->create_csr(
diff --git a/src/node/rpc/node_call_types.h b/src/node/rpc/node_call_types.h
@@ -74,6 +74,8 @@ namespace ccf
 
       // Only set on genesis transaction, but not on recovery
       std::optional<ccf::StartupConfig::Start> genesis_info = std::nullopt;
+      // Constitution to set on recovery
+      std::optional<std::string> recovery_constitution = std::nullopt;
     };
   };
 
diff --git a/src/node/rpc/node_frontend.h b/src/node/rpc/node_frontend.h
@@ -1568,6 +1568,11 @@ namespace ccf
         }
         else
         {
+          if (in.recovery_constitution.has_value())
+          {
+            InternalTablesAccess::set_constitution(
+              ctx.tx, in.recovery_constitution.value());
+          }
           // On recovery, force a new ledger chunk
           auto tx_ = static_cast<ccf::kv::CommittableTx*>(&ctx.tx);
           if (tx_ == nullptr)
diff --git a/src/node/rpc/serialization.h b/src/node/rpc/serialization.h
@@ -73,6 +73,7 @@ namespace ccf
   DECLARE_JSON_OPTIONAL_FIELDS(
     CreateNetworkNodeToNode::In,
     genesis_info,
+    recovery_constitution,
     node_data,
     service_data,
     snp_security_policy,
diff --git a/tests/config.jinja b/tests/config.jinja
@@ -55,7 +55,8 @@
       {% if previous_sealed_ledger_secret_location %}
         "previous_sealed_ledger_secret_location": "{{ previous_sealed_ledger_secret_location }}",
       {% endif %}
-      "previous_service_identity_file": "{{ previous_service_identity_file }}"
+      "previous_service_identity_file": "{{ previous_service_identity_file }}"{% if recovery_constitution_files %},
+      "constitution_files": {{ recovery_constitution_files|tojson }} {% endif %}
     }
   },
   "ledger":
diff --git a/tests/e2e_operations.py b/tests/e2e_operations.py
@@ -1434,6 +1434,55 @@ def run(self, src_dir, dst_dir):
             prev_network = recovery_network
 
 
+def run_recovery_change_constitution(const_args):
+    LOG.info("Running recovery with constitution change")
+    args = copy.deepcopy(const_args)
+    args.nodes = infra.e2e_args.min_nodes(args, f=0)
+    with tempfile.NamedTemporaryFile("w") as c_new:
+        c_new.write(
+            """
+actions.set(
+    "hello_world",
+    new Action(
+        function validate(args) { console.log("Validating hello") },
+        function apply(args, proposalId) { console.log("Applying hello")}
+    )
+)"""
+        )
+        c_new.flush()
+
+        network = infra.network.Network(args.nodes, args.binary_dir)
+        network.start_and_open(args)
+        network.save_service_identity(args)
+        network.stop_all_nodes()
+
+        recovery_args = copy.deepcopy(args)
+        recovery_args.recovery_constitution_files = args.constitution + [c_new.name]
+
+        recovery_network = infra.network.Network(
+            recovery_args.nodes,
+            recovery_args.binary_dir,
+            existing_network=network,
+        )
+
+        current_ledger_dir, committed_ledger_dirs = network.nodes[0].get_ledger()
+        recovery_network.start_in_recovery(
+            recovery_args,
+            ledger_dir=current_ledger_dir,
+            committed_ledger_dirs=committed_ledger_dirs,
+        )
+        recovery_network.recover(recovery_args, set_constitution=False)
+
+        primary, _ = recovery_network.find_primary()
+        proposal_body, vote = network.consortium.make_proposal("hello_world")
+        proposal = network.consortium.get_any_active_member().propose(
+            primary, proposal_body
+        )
+        network.consortium.vote_using_majority(primary, proposal, vote)
+
+        recovery_network.stop_all_nodes()
+
+
 def run_read_ledger_on_testdata(args):
     for testdata_dir in os.scandir(args.historical_testdata):
         assert testdata_dir.is_dir()
@@ -1657,3 +1706,4 @@ def run(args):
         run_recovery_unsealing_validate_audit(args)
     run_read_ledger_on_testdata(args)
     run_ledger_chunk_bytes_check(args)
+    run_recovery_change_constitution(args)
diff --git a/tests/infra/network.py b/tests/infra/network.py
@@ -204,6 +204,7 @@ class Network:
         "idle_connection_timeout_s",
         "enable_local_sealing",
         "previous_sealed_ledger_secret_location",
+        "recovery_constitution_files",
     ]
 
     # Maximum delay (seconds) for updates to propagate from the primary to backups
@@ -762,6 +763,7 @@ def recover(
         expected_recovery_count=None,
         via_recovery_owner=False,
         via_local_sealing=False,
+        set_constitution=True,
     ):
         """
         Recovers a CCF network previously started in recovery mode.
@@ -779,9 +781,10 @@ def recover(
         )
         self.wait_for_all_nodes_to_be_trusted(self.find_random_node())
 
-        # The new service may be running a newer version of the constitution,
-        # so we make sure that we're running the right one.
-        self.consortium.set_constitution(random_node, args.constitution)
+        if set_constitution:
+            # The new service may be running a newer version of the constitution,
+            # so we make sure that we're running the right one.
+            self.consortium.set_constitution(random_node, args.constitution)
 
         prev_service_identity = None
         if args.previous_service_identity_file:
diff --git a/tests/infra/node.py b/tests/infra/node.py
@@ -286,6 +286,7 @@ def _setup(
         members_info=None,
         enable_local_sealing=False,
         previous_sealed_ledger_secret_location=None,
+        recovery_constitution_files=None,
         **kwargs,
     ):
         """
@@ -314,6 +315,8 @@ def _setup(
             previous_sealed_ledger_secret_location
         )
 
+        self.recovery_constitution_files = recovery_constitution_files or []
+
         self.certificate_validity_days = kwargs.get("initial_node_cert_validity_days")
         self.remote = infra.remote.CCFRemote(
             start_type,
@@ -336,6 +339,7 @@ def _setup(
             enable_local_sealing=enable_local_sealing,
             sealed_ledger_secret_location=self.sealed_ledger_secret_location,
             previous_sealed_ledger_secret_location=previous_sealed_ledger_secret_location,
+            recovery_constitution_files=recovery_constitution_files,
             **kwargs,
         )
         self.remote.setup()
diff --git a/tests/infra/remote.py b/tests/infra/remote.py
@@ -317,6 +317,7 @@ def __init__(
         cose_signatures_subject="ledger.signature",
         sealed_ledger_secret_location=None,
         previous_sealed_ledger_secret_location=None,
+        recovery_constitution_files=None,
         **kwargs,
     ):
         """
@@ -524,6 +525,7 @@ def __init__(
                 historical_cache_soft_limit=historical_cache_soft_limit,
                 cose_signatures_issuer=cose_signatures_issuer,
                 cose_signatures_subject=cose_signatures_subject,
+                recovery_constitution_files=recovery_constitution_files or [],
                 **auto_dr_args,
                 **kwargs,
             )

Original file line number	Diff line number	Diff line change
`@@ -392,6 +392,7 @@ namespace ccf`
`392`	`392`	`{`
`393`	`393`	`case StartType::Start:`
`394`	`394`	`{`
	`395`	`+ LOG_INFO_FMT("Creating boot request");`
`395`	`396`	`create_and_send_boot_request(`
`396`	`397`	`aft::starting_view_change, true /* Create new consortium */);`
`397`	`398`	`return;`
`@@ -2127,6 +2128,16 @@ namespace ccf`
`2127`	`2128`	`{`
`2128`	`2129`	`create_params.genesis_info = config.start;`
`2129`	`2130`	`}`
	`2131`	`+ create_params.recovery_constitution = config.recover.constitution;`
	`2132`	`+ LOG_INFO_FMT("serialise_create_request, set recovery_constitution to:");`
	`2133`	`+ if (create_params.recovery_constitution.has_value())`
	`2134`	`+ {`
	`2135`	`+ LOG_INFO_FMT("{}", create_params.recovery_constitution.value());`
	`2136`	`+ }`
	`2137`	`+ else`
	`2138`	`+ {`
	`2139`	`+ LOG_INFO_FMT("No recovery constitution provided");`
	`2140`	`+ }`
`2130`	`2141`
`2131`	`2142`	`create_params.node_id = self;`
`2132`	`2143`	`create_params.certificate_signing_request = node_sign_kp->create_csr(`
Original file line number	Diff line number	Diff line change
`@@ -1568,6 +1568,11 @@ namespace ccf`
`1568`	`1568`	`}`
`1569`	`1569`	`else`
`1570`	`1570`	`{`
	`1571`	`+ if (in.recovery_constitution.has_value())`
	`1572`	`+ {`
	`1573`	`+ InternalTablesAccess::set_constitution(`
	`1574`	`+ ctx.tx, in.recovery_constitution.value());`
	`1575`	`+ }`
`1571`	`1576`	`// On recovery, force a new ledger chunk`
`1572`	`1577`	`auto tx_ = static_cast<ccf::kv::CommittableTx*>(&ctx.tx);`
`1573`	`1578`	`if (tx_ == nullptr)`