fix: setting custom etag header breaks certification (#3429)

Author: sesi200

Diff for: CHANGELOG.md

@@ -28,9 +28,12 @@ Updated Motoko to [0.10.1](https://github.com/dfinity/motoko/releases/tag/0.10.1
 
 ### Frontend canister
 
+Defining a custom `etag` header no longer breaks certification.
+
 Fixed a certification issue where under certain conditions the fallback file (`/index.html`) was served with an incomplete certificate tree, not proving sufficiently that the fallback file may be used as a replacement.
 
-- Module hash: 32f0024c3310b312b15118a8229998e326171c847955ecf223e166ba6b96b158
+- Module hash: 965c8899f0a033593dc9b1634b2ab4e0f3fd28c1cfa06993069be2040a2f700e
+- https://github.com/dfinity/sdk/pull/3429
 - https://github.com/dfinity/sdk/pull/3428
 - https://github.com/dfinity/sdk/pull/3421
 

Diff for: Cargo.lock

@@ -1228,57 +1228,22 @@ CHERRIES" "$stdout"
   assert_match "404 Not Found"
 }
 
-@test "asset configuration via .ic-assets.json5 - overwriting etag breaks certification" {
-  # this is observed behavior, not expected behavior
-  # https://dfinity.atlassian.net/browse/SDK-1245
-  install_asset assetscanister
-
-  dfx_start
-
-  touch src/e2e_project_frontend/assets/thing.json
-
-  dfx deploy
-
-  ID=$(dfx canister id e2e_project_frontend)
-  PORT=$(get_webserver_port)
-
-  dfx canister  call --query e2e_project_frontend http_request '(record{url="/thing.json";headers=vec{};method="GET";body=vec{}})'
-  assert_command curl --fail --head "http://localhost:$PORT/thing.json?canisterId=$ID"
-
-  echo '[
-    {
-      "match": "thing.json",
-      "headers": {
-        "etag": "my-etag"
-      }
-    }
-  ]' > src/e2e_project_frontend/assets/.ic-assets.json5
-
-  dfx deploy
-
-  dfx canister call --query e2e_project_frontend http_request '(record{url="/thing.json";headers=vec{};method="GET";body=vec{}})'
-
-  assert_command_fail curl --fail --head "http://localhost:$PORT/thing.json?canisterId=$ID"
-  assert_contains "500 Internal Server Error"
-}
-
 @test "asset configuration via .ic-assets.json5 - overwriting default headers" {
   install_asset assetscanister
 
   dfx_start
 
   touch src/e2e_project_frontend/assets/thing.json
 
-  # this test used to also set etag, but that breaks certification
-  # see https://dfinity.atlassian.net/browse/SDK-1245
   echo '[
     {
       "match": "thing.json",
       "cache": { "max_age": 2000 },
       "headers": {
         "Content-Encoding": "my-encoding",
         "Content-Type": "x-type",
-        "Cache-Control": "custom"
+        "Cache-Control": "custom",
+        "etag": "my-custom-etag"
       }
     }
   ]' > src/e2e_project_frontend/assets/.ic-assets.json5
@@ -1294,8 +1259,7 @@ CHERRIES" "$stdout"
   assert_match "cache-control: custom"
   assert_match "content-encoding: my-encoding"
   assert_match "content-type: x-type"
-  # https://dfinity.atlassian.net/browse/SDK-1245 assert_not_match "etag: my-etag"
-  assert_match "etag: \"[a-z0-9]{64}\""
+  assert_match "etag: my-custom-etag"
 }
 
 @test "aliasing rules: <filename> to <filename>.html or <filename>/index.html" {

Diff for: e2e/tests-dfx/assetscanister.bash

@@ -182,10 +182,15 @@ impl HttpResponse {
         let (status_code, body) = if etags.contains(&enc.sha256) {
             (304, RcBytes::default())
         } else {
-            headers.insert(
-                "etag".to_string(),
-                format!("\"{}\"", hex::encode(enc.sha256)),
-            );
+            if !headers
+                .iter()
+                .any(|(header_name, _)| header_name.eq_ignore_ascii_case("etag"))
+            {
+                headers.insert(
+                    "etag".to_string(),
+                    format!("\"{}\"", hex::encode(enc.sha256)),
+                );
+            }
             (200, enc.content_chunks[chunk_index].clone())
         };
 

Diff for: src/canisters/frontend/ic-certified-assets/src/asset_certification/types/http.rs

@@ -1887,6 +1887,49 @@ mod certification_v2 {
 
         assert!(lookup_header(&response, "ic-certificate").is_some());
     }
+
+    #[test]
+    fn etag() {
+        // For now only checks that defining a custom etag doesn't break certification.
+        // Serving HTTP 304 responses if the etag matches is part of https://dfinity.atlassian.net/browse/SDK-191
+
+        let mut state = State::default();
+        let time_now = 100_000_000_000;
+
+        const BODY: &[u8] = b"<!DOCTYPE html><html></html>";
+
+        create_assets(
+            &mut state,
+            time_now,
+            vec![AssetBuilder::new("/contents.html", "text/html")
+                .with_encoding("identity", vec![BODY])
+                .with_header("etag", "my-etag")],
+        );
+
+        let response = certified_http_request(
+            &state,
+            RequestBuilder::get("/contents.html")
+                .with_header("Accept-Encoding", "gzip,identity")
+                .with_certificate_version(1)
+                .build(),
+        );
+        assert_eq!(
+            lookup_header(&response, "etag").expect("ic-certificate header missing"),
+            "my-etag"
+        );
+
+        let response = certified_http_request(
+            &state,
+            RequestBuilder::get("/contents.html")
+                .with_header("Accept-Encoding", "gzip,identity")
+                .with_certificate_version(2)
+                .build(),
+        );
+        assert_eq!(
+            lookup_header(&response, "etag").expect("ic-certificate header missing"),
+            "my-etag"
+        );
+    }
 }
 
 #[cfg(test)]