cmd/rofl: Add refresh-trust-root subcommand

cmd/rofl/rofl.go

@@ -25,6 +25,7 @@ func init() {
 	Cmd.AddCommand(listCmd)
 	Cmd.AddCommand(setDefaultCmd)
 	Cmd.AddCommand(trustRootCmd)
+	Cmd.AddCommand(setTrustRootCmd)
 	Cmd.AddCommand(build.Cmd)
 	Cmd.AddCommand(identityCmd)
 	Cmd.AddCommand(secretCmd)

cmd/rofl/set_trust_root.go

@@ -0,0 +1,82 @@
+package rofl
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+
+	"github.com/spf13/cobra"
+
+	consensus "github.com/oasisprotocol/oasis-core/go/consensus/api"
+	"github.com/oasisprotocol/oasis-sdk/client-sdk/go/connection"
+
+	buildRofl "github.com/oasisprotocol/cli/build/rofl"
+	"github.com/oasisprotocol/cli/cmd/common"
+	roflCommon "github.com/oasisprotocol/cli/cmd/rofl/common"
+)
+
+var setTrustRootCmd = &cobra.Command{
+	Use:   "set-trust-root [height] [hash]",
+	Short: "Set the trust root in the rofl.yaml manifest",
+	Long: "Set the consensus block height and hash of the trust root in the rofl.yaml manifest.\n\n" +
+		"If no arguments are passed, the latest finalized block is used. If only the height is\n" +
+		"passed, the corresponding block hash is fetched from the network.",
+	Args: cobra.RangeArgs(0, 2),
+	Run: func(_ *cobra.Command, args []string) {
+		// Load manifest and deployment, and configure network/paratime/account selection.
+		manifest, deployment, npa := roflCommon.LoadManifestAndSetNPA(nil)
+
+		var (
+			height uint64
+			hash   string
+		)
+		switch len(args) {
+		case 2:
+			// Both height and hash passed; set them directly without querying the network.
+			h, err := strconv.ParseUint(args[0], 10, 64)
+			if err != nil {
+				cobra.CheckErr(fmt.Errorf("malformed height: %w", err))
+			}
+			height = h
+			hash = args[1]
+		default:
+			// Determine the block height to query (latest by default).
+			queryHeight := consensus.HeightLatest
+			if len(args) == 1 {
+				h, err := strconv.ParseInt(args[0], 10, 64)
+				if err != nil {
+					cobra.CheckErr(fmt.Errorf("malformed height: %w", err))
+				}
+				queryHeight = h
+			}
+
+			// Establish connection with the target network and fetch the block.
+			ctx := context.Background()
+			conn, err := connection.Connect(ctx, npa.Network)
+			cobra.CheckErr(err)
+
+			blk, err := conn.Consensus().Core().GetBlock(ctx, queryHeight)
+			cobra.CheckErr(err)
+
+			height = uint64(blk.Height)
+			hash = blk.Hash.Hex()
+		}
+
+		if deployment.TrustRoot == nil {
+			deployment.TrustRoot = &buildRofl.TrustRootConfig{}
+		}
+		deployment.TrustRoot.Height = height
+		deployment.TrustRoot.Hash = hash
+
+		if err := manifest.Save(); err != nil {
+			cobra.CheckErr(fmt.Errorf("failed to update manifest: %w", err))
+		}
+
+		fmt.Printf("Updated '%s' with trust root: height=%d, hash=%s\n", manifest.SourceFileName(), height, hash)
+	},
+}
+
+func init() {
+	setTrustRootCmd.Flags().AddFlagSet(common.SelectorNPFlags)
+	setTrustRootCmd.Flags().AddFlagSet(roflCommon.DeploymentFlags)
+}

cmd/rofl/set_trust_root_test.go

@@ -0,0 +1,32 @@
+package rofl
+
+import "testing"
+
+func TestSetTrustRootUse(t *testing.T) {
+	if got, want := setTrustRootCmd.Name(), "set-trust-root"; got != want {
+		t.Fatalf("unexpected command name: got %q, want %q", got, want)
+	}
+}
+
+func TestSetTrustRootCommandRegistered(t *testing.T) {
+	found := false
+	for _, c := range Cmd.Commands() {
+		if c == setTrustRootCmd || c.Name() == "set-trust-root" {
+			found = true
+			break
+		}
+	}
+	if !found {
+		t.Fatalf("set-trust-root command not registered under rofl.Cmd")
+	}
+}
+
+func TestSetTrustRootCommandFlags(t *testing.T) {
+	// The command should expose selector flags (network/paratime) and deployment flags.
+	names := []string{"network", "paratime", "no-paratime", "deployment"}
+	for _, n := range names {
+		if setTrustRootCmd.Flags().Lookup(n) == nil {
+			t.Errorf("expected flag %q to be present", n)
+		}
+	}
+}

cmd/rofl/trust_root.go

@@ -2,6 +2,7 @@ package rofl
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 
 	"github.com/spf13/cobra"
@@ -12,6 +13,14 @@ import (
 	cliConfig "github.com/oasisprotocol/cli/config"
 )
 
+// trustRoot is the consensus trust root for a ROFL application.
+type trustRoot struct {
+	Height       uint64 `json:"height"`
+	Hash         string `json:"hash"`
+	RuntimeID    string `json:"runtime_id"`
+	ChainContext string `json:"chain_context"`
+}
+
 var trustRootCmd = &cobra.Command{
 	Use:   "trust-root",
 	Short: "Show a recent trust root for a ROFL application",
@@ -36,13 +45,16 @@ var trustRootCmd = &cobra.Command{
 		blk, err := conn.Consensus().Core().GetBlock(ctx, height)
 		cobra.CheckErr(err)
 
-		// TODO: Support different output formats.
-		fmt.Printf("TrustRoot {\n")
-		fmt.Printf("    height: %d,\n", height)
-		fmt.Printf("    hash: \"%s\".into(),\n", blk.Hash)
-		fmt.Printf("    runtime_id: \"%s\".into(),\n", npa.ParaTime.ID)
-		fmt.Printf("    chain_context: \"%s\".to_string(),\n", npa.Network.ChainContext)
-		fmt.Printf("}\n")
+		tr := trustRoot{
+			Height:       uint64(height),
+			Hash:         blk.Hash.Hex(),
+			RuntimeID:    npa.ParaTime.ID,
+			ChainContext: npa.Network.ChainContext,
+		}
+
+		out, err := json.MarshalIndent(tr, "", "  ")
+		cobra.CheckErr(err)
+		fmt.Println(string(out))
 	},
 }
 

docs/rofl.md

@@ -541,7 +541,7 @@ needs to have a hardcoded *trust root*. Typically, it consists of:
 - the [chain domain separation context],
 - the specific consensus block hash and its height.
 
-To obtain the latest trust root in rust programming language, run
+To obtain the latest trust root in JSON format, run
 `oasis rofl trust-root`:
 
 ![code shell](../examples/rofl/trust-root.in.static)
@@ -554,3 +554,20 @@ You can also define specific [Network and ParaTime][npa] parameters:
 
 [ParaTime ID]: https://github.com/oasisprotocol/oasis-core/blob/master/docs/runtime/identifiers.md
 [chain domain separation context]: https://github.com/oasisprotocol/oasis-core/blob/master/docs/crypto.md#chain-domain-separation
+
+### Set the trust root in the app manifest {#set-trust-root}
+
+The consensus block height and hash of the [trust root](#trust-root) are stored
+in the deployment section of the `rofl.yaml` app manifest and are embedded into
+the app at build time. Instead of editing the manifest by hand, you can fetch
+the latest trust root and update the manifest automatically by running
+`oasis rofl set-trust-root`:
+
+![code shell](../examples/rofl/set-trust-root.in.static)
+
+![code](../examples/rofl/set-trust-root.out.static)
+
+By default the latest finalized consensus block is used. You can also pass the
+block `height` (and optionally the block `hash`) as positional arguments to pin
+a specific block, or `--deployment` to update a non-default deployment. After
+setting the trust root, run [`oasis rofl build`](#build) for it to take effect.

examples/rofl/set-trust-root.in.static

@@ -0,0 +1 @@
+oasis rofl set-trust-root

examples/rofl/set-trust-root.out.static

@@ -0,0 +1 @@
+Updated 'rofl.yaml' with trust root: height=1022, hash=bb3e63d729dd568ce07b37eea33eddf8082ed4cacbd64097aad32168a4a4fc9a

examples/rofl/trust-root.out.static

@@ -1,6 +1,6 @@
-TrustRoot {
-    height: 1022,
-    hash: "bb3e63d729dd568ce07b37eea33eddf8082ed4cacbd64097aad32168a4a4fc9a".into(),
-    runtime_id: "8000000000000000000000000000000000000000000000000000000000000000".into(),
-    chain_context: "074f5ba071c4385a7ad24aea0a3a7b137901395e8f3b35479c1cce87d3170f4e".to_string(),
+{
+  "height": 1022,
+  "hash": "bb3e63d729dd568ce07b37eea33eddf8082ed4cacbd64097aad32168a4a4fc9a",
+  "runtime_id": "8000000000000000000000000000000000000000000000000000000000000000",
+  "chain_context": "074f5ba071c4385a7ad24aea0a3a7b137901395e8f3b35479c1cce87d3170f4e"
 }