feat(cmd/rofl): Add support for machine permissions

Author: kostko

build/rofl/manifest.go

@@ -408,6 +408,9 @@ type Machine struct {
 	Offer string `yaml:"offer,omitempty" json:"offer,omitempty"`
 	// ID is the identifier of the machine to deploy into.
 	ID string `yaml:"id,omitempty" json:"id,omitempty"`
+
+	// Permissions is a map of permissions for the machine.
+	Permissions map[string][]string `yaml:"permissions,omitempty" json:"permissions,omitempty"`
 }
 
 // Validate validates the machine for correctness.

build/rofl/scheduler/metadata.go

@@ -11,4 +11,10 @@ const (
 	MetadataKeySchedulerAPI = "net.oasis.scheduler.api"
 	// MetadataKeyProxyDomain is the name of the metadata key that stores the proxy domain.
 	MetadataKeyProxyDomain = "net.oasis.proxy.domain"
+	// MetadataKeyPermissions is the name of the deployment metadata key that stores the machine
+	// permissions.
+	MetadataKeyPermissions = "net.oasis.scheduler.permissions"
+	// MetadataKeyORCReference is the name of the deployment metadata key that stores the ORC
+	// reference.
+	MetadataKeyORCReference = "net.oasis.deployment.orc.ref"
 )

build/rofl/scheduler/permissions.go

@@ -0,0 +1,22 @@
+package scheduler
+
+import (
+	"encoding/base64"
+
+	"github.com/oasisprotocol/oasis-core/go/common/cbor"
+	"github.com/oasisprotocol/oasis-sdk/client-sdk/go/types"
+)
+
+const (
+	// MachinePermissionLogView is the permission required to view logs.
+	MachinePermissionLogView = "log.view"
+)
+
+// Permissions is a map of actions to addresses that are allowed to perform them.
+type Permissions map[string][]types.Address
+
+// MarshalPermissions marshals the permissions map into a base64-encoded CBOR string.
+func MarshalPermissions(permissions Permissions) string {
+	encPerms := cbor.Marshal(permissions)
+	return base64.StdEncoding.EncodeToString(encPerms)
+}

cmd/rofl/deploy.go

@@ -144,9 +144,16 @@ var (
 				AppID:        appID,
 				ManifestHash: manifestHash,
 				Metadata: map[string]string{
-					"net.oasis.deployment.orc.ref": fmt.Sprintf("%s@%s", deployment.OCIRepository, ociDigest),
+					scheduler.MetadataKeyORCReference: fmt.Sprintf("%s@%s", deployment.OCIRepository, ociDigest),
 				},
 			}
+			if len(machine.Permissions) > 0 {
+				perms, err := resolveAndMarshalPermissions(npa, machine.Permissions)
+				if err != nil {
+					cobra.CheckErr(fmt.Sprintf("Failed to marshal permissions: %s", err))
+				}
+				machineDeployment.Metadata[scheduler.MetadataKeyPermissions] = perms
+			}
 
 			obtainMachine := func() (*buildRofl.Machine, *roflmarket.Instance, error) {
 				if deployOffer != "" {
@@ -446,6 +453,22 @@ func term2str(term roflmarket.Term) string {
 	}
 }
 
+func resolveAndMarshalPermissions(npa *common.NPASelection, permissions map[string][]string) (string, error) {
+	perms := make(scheduler.Permissions)
+	for action, addresses := range permissions {
+		perms[action] = make([]types.Address, len(addresses))
+		for i, rawAddr := range addresses {
+			addr, _, err := common.ResolveLocalAccountOrAddress(npa.Network, rawAddr)
+			if err != nil {
+				return "", err
+			}
+
+			perms[action][i] = *addr
+		}
+	}
+	return scheduler.MarshalPermissions(perms), nil
+}
+
 func init() {
 	providerFlags := flag.NewFlagSet("", flag.ContinueOnError)
 	// Default to Testnet playground provider.

cmd/rofl/machine/logs.go

@@ -89,4 +89,5 @@ var logsCmd = &cobra.Command{
 func init() {
 	logsCmd.Flags().AddFlagSet(roflCommon.DeploymentFlags)
 	logsCmd.Flags().AddFlagSet(common.AnswerYesFlag)
+	logsCmd.Flags().AddFlagSet(common.AccountFlag)
 }