fedimint_server/config/

setup.rs

use std::collections::{BTreeMap, BTreeSet};
use std::fs;
use std::io::Read as _;
use std::iter::once;
use std::mem::discriminant;
use std::path::{Component, Path, PathBuf};
use std::str::FromStr as _;
use std::sync::Arc;

use anyhow::{Context, ensure};
use async_trait::async_trait;
use fedimint_core::admin_client::{SetLocalParamsRequest, SetupStatus};
use fedimint_core::base32::FEDIMINT_PREFIX;
use fedimint_core::config::META_FEDERATION_NAME_KEY;
use fedimint_core::core::{ModuleInstanceId, ModuleKind};
use fedimint_core::db::Database;
use fedimint_core::endpoint_constants::{
    ADD_PEER_SETUP_CODE_ENDPOINT, GET_SETUP_CODE_ENDPOINT, RESET_PEER_SETUP_CODES_ENDPOINT,
    SET_LOCAL_PARAMS_ENDPOINT, SETUP_STATUS_ENDPOINT, START_DKG_ENDPOINT,
};
use fedimint_core::envs::{
    FM_DISABLE_BASE_FEES_ENV, FM_IROH_API_SECRET_KEY_OVERRIDE_ENV,
    FM_IROH_P2P_SECRET_KEY_OVERRIDE_ENV, is_env_var_set,
};
use fedimint_core::module::{
    ApiAuth, ApiEndpoint, ApiEndpointContext, ApiError, ApiRequestErased, ApiVersion, api_endpoint,
};
use fedimint_core::net::auth::check_auth;
use fedimint_core::setup_code::PeerEndpoints;
use fedimint_core::util::{FmtCompact as _, write_new};
use fedimint_core::{PeerId, base32, runtime};
use fedimint_logging::LOG_CONSENSUS;
use fedimint_server_core::setup_ui::ISetupApi;
use iroh::SecretKey;
use rand::rngs::OsRng;
use tokio::sync::mpsc::Sender;
use tokio::sync::{Mutex, oneshot};
use tokio_rustls::rustls;
use tracing::warn;

use crate::config::io::{
    CONSENSUS_CONFIG, ENCRYPTED_EXT, JSON_EXT, LOCAL_CONFIG, PLAINTEXT_PASSWORD, PRIVATE_CONFIG,
    SALT_FILE, read_server_config,
};
use crate::config::{ConfigGenParams, ConfigGenSettings, PeerSetupCode, ServerConfig};
use crate::net::api::HasApiContext;
use crate::net::p2p_connector::gen_cert_and_key;

/// Restored guardian configuration staged in a temporary directory.
///
/// Restore is intentionally split into two phases. First the uploaded backup is
/// unpacked into `restore_dir` and parsed into `cfg` without touching the live
/// config files. Later, after the caller performs cross-checks that need the
/// full server context, [`RestoredGuardianConfig::install`] moves the staged
/// files into the real data directory.
pub struct RestoredGuardianConfig {
    /// Parsed server config read from the staged files.
    pub cfg: ServerConfig,
    /// Temporary directory holding the exact files that will be installed.
    restore_dir: PathBuf,
}

impl RestoredGuardianConfig {
    /// Best-effort cleanup of the staged restore directory.
    ///
    /// This is used on validation and handoff failures before the staged files
    /// become live config. Cleanup failures are only logged because callers are
    /// already handling another restore error.
    pub fn cleanup(&self) {
        if let Err(e) = fs::remove_dir_all(&self.restore_dir) {
            warn!(
                target: LOG_CONSENSUS,
                path = %self.restore_dir.display(),
                err = %e.fmt_compact(),
                "Failed to clean up restore directory"
            );
        }
    }

    /// Install the staged restored config into `data_dir`.
    ///
    /// This consumes `self` because after install there must be no separate
    /// staged restore state. The method refuses to overwrite existing live
    /// files, moves each expected file from `restore_dir` into `data_dir`,
    /// and tries to roll back already moved files if a later move fails. On
    /// success the temp directory is removed and the parsed
    /// [`ServerConfig`] is returned for consensus startup.
    pub fn install(self, data_dir: &Path) -> anyhow::Result<ServerConfig> {
        let install_paths = [
            PathBuf::from(LOCAL_CONFIG).with_extension(JSON_EXT),
            PathBuf::from(CONSENSUS_CONFIG).with_extension(JSON_EXT),
            PathBuf::from(PRIVATE_CONFIG).with_extension(ENCRYPTED_EXT),
            PathBuf::from(SALT_FILE),
            PathBuf::from(PLAINTEXT_PASSWORD),
        ];

        for path in &install_paths {
            let destination = data_dir.join(path);
            if destination.exists() {
                self.cleanup();
                anyhow::bail!("Refusing to overwrite existing {}", path.display());
            }
        }

        let mut installed_paths: Vec<PathBuf> = Vec::new();
        for path in &install_paths {
            let destination = data_dir.join(path);
            if let Err(e) = fs::rename(self.restore_dir.join(path), &destination) {
                for installed_path in installed_paths.iter().rev() {
                    if let Err(rollback_err) = fs::rename(
                        data_dir.join(installed_path),
                        self.restore_dir.join(installed_path),
                    ) {
                        warn!(
                            target: LOG_CONSENSUS,
                            path = %installed_path.display(),
                            err = %rollback_err.fmt_compact(),
                            "Failed to roll back installed path during restore failure"
                        );
                    }
                }
                self.cleanup();
                return Err(e).with_context(|| format!("Installing restored {}", path.display()));
            }
            installed_paths.push(path.clone());
        }

        fs::remove_dir_all(&self.restore_dir).context("Removing restore directory")?;
        Ok(self.cfg)
    }
}

/// Result sent from the setup API task to the main setup driver.
///
/// Normal DKG sends generated params directly. Restore sends staged config plus
/// a oneshot acknowledgement so the HTTP handler can report success only after
/// the main setup driver validates and installs the restored files.
pub enum ConfigGenOutcome {
    Generated(Box<ConfigGenParams>),
    Restored(
        Box<RestoredGuardianConfig>,
        oneshot::Sender<Result<(), String>>,
    ),
}

/// State held by the API after receiving a `ConfigGenConnectionsRequest`
#[derive(Debug, Clone, Default)]
pub struct SetupState {
    /// Our local connection
    local_params: Option<LocalParams>,
    /// Connection info received from other guardians
    setup_codes: BTreeSet<PeerSetupCode>,
    /// Set while a backup restore is being processed
    restore_in_progress: bool,
}

#[derive(Clone, Debug)]
/// Connection information sent between peers in order to start config gen
pub struct LocalParams {
    /// Our auth string
    auth: ApiAuth,
    /// Our TLS private key
    tls_key: Option<Arc<rustls::pki_types::PrivateKeyDer<'static>>>,
    /// Optional secret key for our iroh api endpoint
    iroh_api_sk: Option<iroh::SecretKey>,
    /// Optional secret key for our iroh p2p endpoint
    iroh_p2p_sk: Option<iroh::SecretKey>,
    /// Our api and p2p endpoint
    endpoints: PeerEndpoints,
    /// Name of the peer, used in TLS auth
    name: String,
    /// Federation name set by the leader
    federation_name: Option<String>,
    /// Whether to disable base fees, set by the leader
    disable_base_fees: Option<bool>,
    /// Modules enabled by the leader (if None, all available modules are
    /// enabled)
    enabled_modules: Option<BTreeSet<ModuleKind>>,
    /// Total number of guardians (including the one who sets this), set by the
    /// leader
    federation_size: Option<u32>,
    /// Bitcoin network configured locally
    network: bitcoin::Network,
}

impl LocalParams {
    pub fn setup_code(&self) -> PeerSetupCode {
        PeerSetupCode {
            name: self.name.clone(),
            endpoints: self.endpoints.clone(),
            federation_name: self.federation_name.clone(),
            disable_base_fees: self.disable_base_fees,
            enabled_modules: self.enabled_modules.clone(),
            federation_size: self.federation_size,
            network: self.network,
        }
    }
}

/// Serves the config gen API endpoints
#[derive(Clone)]
pub struct SetupApi {
    /// Our config gen settings configured locally
    settings: ConfigGenSettings,
    /// In-memory state machine
    state: Arc<Mutex<SetupState>>,
    /// DB not really used
    db: Database,
    /// Directory containing guardian config files
    data_dir: PathBuf,
    /// Triggers config generation or config restore
    sender: Sender<ConfigGenOutcome>,
    /// Version of the running fedimintd binary
    code_version_str: String,
    /// Git hash of the running fedimintd binary
    code_version_hash: String,
}

impl SetupApi {
    pub fn new(
        settings: ConfigGenSettings,
        db: Database,
        data_dir: PathBuf,
        sender: Sender<ConfigGenOutcome>,
        code_version_str: String,
        code_version_hash: String,
    ) -> Self {
        Self {
            settings,
            state: Arc::new(Mutex::new(SetupState::default())),
            db,
            data_dir,
            sender,
            code_version_str,
            code_version_hash,
        }
    }

    pub async fn setup_status(&self) -> SetupStatus {
        match self.state.lock().await.local_params {
            Some(..) => SetupStatus::SharingConnectionCodes,
            None => SetupStatus::AwaitingLocalParams,
        }
    }
}

fn is_expected_backup_path(path: &Path) -> bool {
    let expected_paths = [
        PathBuf::from(LOCAL_CONFIG).with_extension(JSON_EXT),
        PathBuf::from(CONSENSUS_CONFIG).with_extension(JSON_EXT),
        PathBuf::from(PRIVATE_CONFIG).with_extension(ENCRYPTED_EXT),
        PathBuf::from(SALT_FILE),
    ];

    expected_paths.iter().any(|expected| expected == path)
}

/// Unpack a guardian backup tar into `restore_dir` and parse it.
///
/// This function only stages files. It validates archive paths, rejects missing
/// or duplicate required files, verifies the password against the restored API
/// auth, and writes the plaintext password file into the staged directory. The
/// live data directory is not modified here.
fn unpack_backup_to_restore_dir(
    backup: &[u8],
    password: &str,
    restore_dir: &Path,
) -> anyhow::Result<RestoredGuardianConfig> {
    let mut archive = tar::Archive::new(backup);
    let mut restored_paths = BTreeSet::new();

    for entry in archive.entries().context("Reading backup archive")? {
        let mut entry = entry.context("Reading backup archive entry")?;
        let path = entry
            .path()
            .context("Reading backup archive entry path")?
            .into_owned();
        ensure!(
            path.components()
                .all(|component| matches!(component, Component::Normal(_))),
            "Backup archive contains an invalid path"
        );
        ensure!(
            is_expected_backup_path(&path),
            "Backup archive contains unexpected file {}",
            path.display()
        );
        ensure!(
            entry.header().entry_type().is_file(),
            "Backup archive contains non-file entry {}",
            path.display()
        );
        ensure!(
            restored_paths.insert(path.clone()),
            "Backup archive contains duplicate file {}",
            path.display()
        );

        let mut bytes = Vec::new();
        entry
            .read_to_end(&mut bytes)
            .context("Reading backup archive entry contents")?;
        write_new(restore_dir.join(&path), bytes).context("Writing restored config file")?;
    }

    for path in [
        PathBuf::from(LOCAL_CONFIG).with_extension(JSON_EXT),
        PathBuf::from(CONSENSUS_CONFIG).with_extension(JSON_EXT),
        PathBuf::from(PRIVATE_CONFIG).with_extension(ENCRYPTED_EXT),
        PathBuf::from(SALT_FILE),
    ] {
        ensure!(
            restored_paths.contains(&path),
            "Backup archive is missing {}",
            path.display()
        );
    }

    let cfg = read_server_config(password, restore_dir).context("Reading restored config")?;
    ensure!(
        cfg.private.api_auth.verify(password),
        "The backup password does not match the restored guardian auth"
    );
    write_new(restore_dir.join(PLAINTEXT_PASSWORD), password)
        .context("Writing restored password file")?;

    Ok(RestoredGuardianConfig {
        cfg,
        restore_dir: restore_dir.to_path_buf(),
    })
}

/// Create a fresh restore staging directory under `data_dir` and unpack into
/// it.
///
/// On success the caller receives a [`RestoredGuardianConfig`] whose files are
/// still staged in `restore.tmp`. On failure the staging directory is removed
/// so a later restore attempt can retry cleanly.
fn restore_backup_to_dir(
    backup: &[u8],
    password: &str,
    data_dir: &Path,
) -> anyhow::Result<RestoredGuardianConfig> {
    let restore_dir = data_dir.join("restore.tmp");
    if restore_dir.exists() {
        fs::remove_dir_all(&restore_dir).context("Removing stale restore directory")?;
    }
    fs::create_dir(&restore_dir).context("Creating restore directory")?;

    let restore_result = unpack_backup_to_restore_dir(backup, password, &restore_dir);

    if restore_result.is_err()
        && restore_dir.exists()
        && let Err(e) = fs::remove_dir_all(&restore_dir)
    {
        warn!(
            target: LOG_CONSENSUS,
            path = %restore_dir.display(),
            err = %e.fmt_compact(),
            "Failed to clean up restore directory after restore failure"
        );
    }

    restore_result
}

#[async_trait]
impl ISetupApi for SetupApi {
    async fn setup_code(&self) -> Option<String> {
        self.state
            .lock()
            .await
            .local_params
            .as_ref()
            .map(|lp| base32::encode_prefixed(FEDIMINT_PREFIX, &lp.setup_code()))
    }

    async fn guardian_name(&self) -> Option<String> {
        self.state
            .lock()
            .await
            .local_params
            .as_ref()
            .map(|lp| lp.name.clone())
    }

    async fn auth(&self) -> Option<ApiAuth> {
        self.state
            .lock()
            .await
            .local_params
            .as_ref()
            .map(|lp| lp.auth.clone())
    }

    async fn connected_peers(&self) -> Vec<String> {
        self.state
            .lock()
            .await
            .setup_codes
            .clone()
            .into_iter()
            .map(|info| info.name)
            .collect()
    }

    fn available_modules(&self) -> BTreeSet<ModuleKind> {
        self.settings.available_modules.clone()
    }

    fn default_modules(&self) -> BTreeSet<ModuleKind> {
        self.settings.default_modules.clone()
    }

    async fn reset_setup_codes(&self) {
        self.state.lock().await.setup_codes.clear();
    }

    async fn set_local_parameters(
        &self,
        auth: ApiAuth,
        name: String,
        federation_name: Option<String>,
        disable_base_fees: Option<bool>,
        enabled_modules: Option<BTreeSet<ModuleKind>>,
        federation_size: Option<u32>,
    ) -> anyhow::Result<String> {
        if let Some(existing_local_parameters) = self.state.lock().await.local_params.clone()
            && existing_local_parameters.auth.as_str() == auth.as_str()
            && existing_local_parameters.name == name
            && existing_local_parameters.federation_name == federation_name
            && existing_local_parameters.disable_base_fees == disable_base_fees
            && existing_local_parameters.enabled_modules == enabled_modules
            && existing_local_parameters.federation_size == federation_size
        {
            return Ok(base32::encode_prefixed(
                FEDIMINT_PREFIX,
                &existing_local_parameters.setup_code(),
            ));
        }

        ensure!(!name.is_empty(), "The guardian name is empty");

        ensure!(!auth.as_str().is_empty(), "The password is empty");

        ensure!(
            auth.as_str().trim() == auth.as_str(),
            "The password contains leading/trailing whitespace",
        );

        if let Some(federation_name) = federation_name.as_ref() {
            ensure!(!federation_name.is_empty(), "The federation name is empty");
        }

        if federation_name.is_some() {
            ensure!(
                federation_size.is_some(),
                "The leader must set the federation size"
            );
        }

        if let Some(size) = federation_size {
            ensure!(
                size == 1 || 4 <= size,
                "Federation size must be 1 or at least 4"
            );
        }

        let mut state = self.state.lock().await;

        ensure!(
            state.local_params.is_none(),
            "Local parameters have already been set"
        );

        ensure!(
            !state.restore_in_progress,
            "A restore is already in progress"
        );

        let lp = if self.settings.enable_iroh {
            let iroh_api_sk = if let Ok(var) = std::env::var(FM_IROH_API_SECRET_KEY_OVERRIDE_ENV) {
                SecretKey::from_str(&var)
                    .with_context(|| format!("Parsing {FM_IROH_API_SECRET_KEY_OVERRIDE_ENV}"))?
            } else {
                SecretKey::generate(&mut OsRng)
            };

            let iroh_p2p_sk = if let Ok(var) = std::env::var(FM_IROH_P2P_SECRET_KEY_OVERRIDE_ENV) {
                SecretKey::from_str(&var)
                    .with_context(|| format!("Parsing {FM_IROH_P2P_SECRET_KEY_OVERRIDE_ENV}"))?
            } else {
                SecretKey::generate(&mut OsRng)
            };

            LocalParams {
                auth,
                tls_key: None,
                iroh_api_sk: Some(iroh_api_sk.clone()),
                iroh_p2p_sk: Some(iroh_p2p_sk.clone()),
                endpoints: PeerEndpoints::Iroh {
                    api_pk: iroh_api_sk.public(),
                    p2p_pk: iroh_p2p_sk.public(),
                },
                name,
                federation_name,
                disable_base_fees,
                enabled_modules,
                federation_size,
                network: self.settings.network,
            }
        } else {
            let (tls_cert, tls_key) =
                gen_cert_and_key(&name).expect("Failed to generate TLS for given guardian name");

            LocalParams {
                auth,
                tls_key: Some(tls_key),
                iroh_api_sk: None,
                iroh_p2p_sk: None,
                endpoints: PeerEndpoints::Tcp {
                    api_url: self
                        .settings
                        .api_url
                        .clone()
                        .ok_or_else(|| anyhow::format_err!("Api URL must be configured"))?,
                    p2p_url: self
                        .settings
                        .p2p_url
                        .clone()
                        .ok_or_else(|| anyhow::format_err!("P2P URL must be configured"))?,

                    cert: tls_cert.as_ref().to_vec(),
                },
                name,
                federation_name,
                disable_base_fees,
                enabled_modules,
                federation_size,
                network: self.settings.network,
            }
        };

        state.local_params = Some(lp.clone());

        Ok(base32::encode_prefixed(FEDIMINT_PREFIX, &lp.setup_code()))
    }

    async fn add_peer_setup_code(&self, info: String) -> anyhow::Result<String> {
        let info = base32::decode_prefixed(FEDIMINT_PREFIX, &info)?;

        let mut state = self.state.lock().await;

        if state.setup_codes.contains(&info) {
            return Ok(info.name.clone());
        }

        ensure!(
            !state.restore_in_progress,
            "A restore is already in progress"
        );

        let local_params = state
            .local_params
            .clone()
            .expect("The endpoint is authenticated.");

        ensure!(
            info != local_params.setup_code(),
            "You cannot add your own setup code"
        );

        ensure!(
            discriminant(&info.endpoints) == discriminant(&local_params.endpoints),
            "Guardian has different endpoint variant (TCP/Iroh) than us.",
        );

        ensure!(
            info.network == local_params.network,
            "Guardian uses Bitcoin network {} but we use {}",
            info.network,
            local_params.network,
        );

        if let Some(federation_name) = state
            .setup_codes
            .iter()
            .chain(once(&local_params.setup_code()))
            .find_map(|info| info.federation_name.clone())
        {
            ensure!(
                info.federation_name.is_none(),
                "Federation name has already been set to {federation_name}"
            );
        }

        if let Some(disable_base_fees) = state
            .setup_codes
            .iter()
            .chain(once(&local_params.setup_code()))
            .find_map(|info| info.disable_base_fees)
        {
            ensure!(
                info.disable_base_fees.is_none(),
                "Base fees setting has already been configured to disabled={disable_base_fees}"
            );
        }

        if state
            .setup_codes
            .iter()
            .chain(once(&local_params.setup_code()))
            .any(|info| info.enabled_modules.is_some())
        {
            ensure!(
                info.enabled_modules.is_none(),
                "Enabled modules have already been configured by another guardian"
            );
        }

        if let Some(federation_size) = state
            .setup_codes
            .iter()
            .chain(once(&local_params.setup_code()))
            .find_map(|info| info.federation_size)
        {
            ensure!(
                info.federation_size.is_none(),
                "Federation size has already been set to {federation_size}"
            );
        }

        state.setup_codes.insert(info.clone());

        Ok(info.name)
    }

    async fn start_dkg(&self) -> anyhow::Result<()> {
        let mut state = self.state.lock().await.clone();

        ensure!(
            !state.restore_in_progress,
            "A restore is already in progress"
        );

        let local_params = state
            .local_params
            .clone()
            .expect("The endpoint is authenticated.");

        let our_setup_code = local_params.setup_code();

        state.setup_codes.insert(our_setup_code.clone());

        ensure!(
            state.setup_codes.len() == 1 || 4 <= state.setup_codes.len(),
            "The number of guardians is invalid"
        );

        if let Some(federation_size) = state
            .setup_codes
            .iter()
            .find_map(|info| info.federation_size)
        {
            ensure!(
                state.setup_codes.len() == federation_size as usize,
                "Expected {federation_size} guardians but got {}",
                state.setup_codes.len()
            );
        }

        let federation_name = state
            .setup_codes
            .iter()
            .find_map(|info| info.federation_name.clone())
            .context("We need one guardian to configure the federations name")?;

        let disable_base_fees = state
            .setup_codes
            .iter()
            .find_map(|info| info.disable_base_fees)
            .unwrap_or(is_env_var_set(FM_DISABLE_BASE_FEES_ENV));

        let enabled_modules = state
            .setup_codes
            .iter()
            .find_map(|info| info.enabled_modules.clone())
            .unwrap_or_else(|| self.settings.default_modules.clone());

        let our_id = state
            .setup_codes
            .iter()
            .position(|info| info == &our_setup_code)
            .expect("We inserted the key above.");

        let params = ConfigGenParams {
            identity: PeerId::from(our_id as u16),
            tls_key: local_params.tls_key,
            iroh_api_sk: local_params.iroh_api_sk,
            iroh_p2p_sk: local_params.iroh_p2p_sk,
            api_auth: local_params.auth,
            peers: (0..)
                .map(|i| PeerId::from(i as u16))
                .zip(state.setup_codes.clone())
                .collect(),
            meta: BTreeMap::from_iter(vec![(
                META_FEDERATION_NAME_KEY.to_string(),
                federation_name,
            )]),
            disable_base_fees,
            enabled_modules,
            network: local_params.network,
        };

        self.sender
            .send(ConfigGenOutcome::Generated(Box::new(params)))
            .await
            .context("Failed to send config gen params")?;

        Ok(())
    }

    async fn restore_from_backup(&self, password: String, backup: Vec<u8>) -> anyhow::Result<()> {
        ensure!(!password.is_empty(), "The password is empty");
        ensure!(
            password.trim() == password,
            "The password contains leading/trailing whitespace",
        );
        {
            let mut state = self.state.lock().await;
            ensure!(
                state.local_params.is_none(),
                "Local parameters have already been set"
            );
            ensure!(
                !state.restore_in_progress,
                "A restore is already in progress"
            );
            state.restore_in_progress = true;
        }

        let state = self.state.clone();
        let sender = self.sender.clone();
        let data_dir = self.data_dir.clone();
        runtime::spawn("restore guardian backup", async move {
            let result = async {
                let cfg = tokio::task::spawn_blocking(move || {
                    restore_backup_to_dir(&backup, &password, &data_dir)
                })
                .await
                .context("Restore backup task panicked")??;
                let (restore_result_sender, restore_result_receiver) = oneshot::channel();
                let restored = ConfigGenOutcome::Restored(Box::new(cfg), restore_result_sender);
                if let Err(e) = sender.send(restored).await {
                    if let ConfigGenOutcome::Restored(restored, _) = e.0 {
                        restored.cleanup();
                    }
                    return Err(anyhow::format_err!("Failed to send restored config"));
                }
                restore_result_receiver
                    .await
                    .context("Restore result sender dropped")?
                    .map_err(anyhow::Error::msg)?;
                Ok(())
            }
            .await;

            if result.is_err() {
                state.lock().await.restore_in_progress = false;
            }
            // On success, the setup task consumes the restored config and exits setup mode,
            // so there is no setup API left that could observe or reset
            // `restore_in_progress`.

            result
        })
        .await
        .context("Restore task panicked")?
    }

    async fn federation_size(&self) -> Option<u32> {
        let state = self.state.lock().await;
        let local_setup_code = state.local_params.as_ref().map(LocalParams::setup_code);
        state
            .setup_codes
            .iter()
            .chain(local_setup_code.iter())
            .find_map(|info| info.federation_size)
    }

    async fn cfg_federation_name(&self) -> Option<String> {
        let state = self.state.lock().await;
        let local_setup_code = state.local_params.as_ref().map(LocalParams::setup_code);
        state
            .setup_codes
            .iter()
            .chain(local_setup_code.iter())
            .find_map(|info| info.federation_name.clone())
    }

    async fn cfg_base_fees_disabled(&self) -> Option<bool> {
        let state = self.state.lock().await;
        let local_setup_code = state.local_params.as_ref().map(LocalParams::setup_code);
        state
            .setup_codes
            .iter()
            .chain(local_setup_code.iter())
            .find_map(|info| info.disable_base_fees)
    }

    async fn cfg_enabled_modules(&self) -> Option<BTreeSet<ModuleKind>> {
        let state = self.state.lock().await;
        let local_setup_code = state.local_params.as_ref().map(LocalParams::setup_code);
        state
            .setup_codes
            .iter()
            .chain(local_setup_code.iter())
            .find_map(|info| info.enabled_modules.clone())
    }

    async fn fedimintd_version(&self) -> String {
        self.code_version_str.clone()
    }

    async fn fedimintd_version_hash(&self) -> Option<String> {
        fedimint_core::version::non_zero_version_hash(&self.code_version_hash).map(str::to_owned)
    }
}

#[async_trait]
impl HasApiContext<SetupApi> for SetupApi {
    async fn context(
        &self,
        request: &ApiRequestErased,
        id: Option<ModuleInstanceId>,
    ) -> (&SetupApi, ApiEndpointContext) {
        assert!(id.is_none());

        let db = self.db.clone();

        let is_authenticated = match self.state.lock().await.local_params {
            None => false,
            Some(ref params) => match request.auth.as_ref() {
                Some(auth) => params.auth.verify(auth.as_str()),
                None => false,
            },
        };

        let context = ApiEndpointContext::new(db, is_authenticated, request.auth.clone());

        (self, context)
    }
}

pub fn server_endpoints() -> Vec<ApiEndpoint<SetupApi>> {
    vec![
        api_endpoint! {
            SETUP_STATUS_ENDPOINT,
            ApiVersion::new(0, 0),
            async |config: &SetupApi, _c, _v: ()| -> SetupStatus {
                Ok(config.setup_status().await)
            }
        },
        api_endpoint! {
            SET_LOCAL_PARAMS_ENDPOINT,
            ApiVersion::new(0, 0),
            async |config: &SetupApi, context, request: SetLocalParamsRequest| -> String {
                let auth = context
                    .request_auth()
                    .ok_or(ApiError::bad_request("Missing password".to_string()))?;

                 config.set_local_parameters(auth, request.name, request.federation_name, request.disable_base_fees, request.enabled_modules, request.federation_size)
                    .await
                    .map_err(|e| ApiError::bad_request(e.to_string()))
            }
        },
        api_endpoint! {
            ADD_PEER_SETUP_CODE_ENDPOINT,
            ApiVersion::new(0, 0),
            async |config: &SetupApi, context, info: String| -> String {
                check_auth(context)?;

                config.add_peer_setup_code(info.clone())
                    .await
                    .map_err(|e|ApiError::bad_request(e.to_string()))
            }
        },
        api_endpoint! {
            RESET_PEER_SETUP_CODES_ENDPOINT,
            ApiVersion::new(0, 0),
            async |config: &SetupApi, context, _v: ()| -> () {
                check_auth(context)?;

                config.reset_setup_codes().await;

                Ok(())
            }
        },
        api_endpoint! {
            GET_SETUP_CODE_ENDPOINT,
            ApiVersion::new(0, 0),
            async |config: &SetupApi, context, _request: ()| -> Option<String> {
                check_auth(context)?;

                Ok(config.setup_code().await)
            }
        },
        api_endpoint! {
            START_DKG_ENDPOINT,
            ApiVersion::new(0, 0),
            async |config: &SetupApi, context, _v: ()| -> () {
                check_auth(context)?;

                config.start_dkg().await.map_err(|e| ApiError::server_error(e.to_string()))
            }
        },
    ]
}

#[cfg(test)]
mod tests {
    use std::collections::BTreeSet;
    use std::net::{IpAddr, Ipv4Addr, SocketAddr};

    use base64::Engine as _;
    use bitcoin::Network;
    use fedimint_core::db::IRawDatabaseExt;
    use fedimint_core::db::mem_impl::MemDatabase;
    use fedimint_core::module::ApiAuth;
    use tokio::sync::mpsc;

    use super::*;

    fn setup_api(network: Network) -> SetupApi {
        let (sender, _receiver) = mpsc::channel(1);
        let bind = SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 0);

        SetupApi::new(
            ConfigGenSettings {
                p2p_bind: bind,
                api_bind: bind,
                ui_bind: bind,
                p2p_url: None,
                api_url: None,
                enable_iroh: true,
                iroh_dns: None,
                iroh_relays: Vec::new(),
                network,
                available_modules: BTreeSet::new(),
                default_modules: BTreeSet::new(),
            },
            MemDatabase::new().into_database(),
            std::env::temp_dir(),
            sender,
            String::new(),
            String::new(),
        )
    }

    const INVALID_RESTORE_BACKUP_FIXTURE_B64: &str =
        include_str!("../test_fixtures/guardian-backup-invalid-config.tar.b64");

    async fn setup_code(api: &SetupApi, name: &str) -> String {
        api.set_local_parameters(
            ApiAuth::new(format!("{name}-password")),
            name.to_string(),
            None,
            None,
            None,
            None,
        )
        .await
        .expect("setting local parameters should succeed")
    }

    #[tokio::test]
    async fn accepts_peer_setup_code_with_matching_network() {
        let api = setup_api(Network::Regtest);
        let peer_api = setup_api(Network::Regtest);

        setup_code(&api, "local").await;
        let peer_code = setup_code(&peer_api, "peer").await;

        let added_peer = api
            .add_peer_setup_code(peer_code)
            .await
            .expect("peer setup code with matching network should be accepted");

        assert_eq!(added_peer, "peer");
    }

    #[test]
    fn checked_in_backup_fixture_reaches_config_validation() {
        let tempdir = tempfile::tempdir().expect("creating temp dir should succeed");

        let backup = base64::prelude::BASE64_STANDARD
            .decode(INVALID_RESTORE_BACKUP_FIXTURE_B64.trim())
            .expect("checked-in backup fixture base64 should decode");
        let Err(err) = restore_backup_to_dir(&backup, "pass", tempdir.path()) else {
            panic!("invalid checked-in backup fixture should not restore");
        };

        assert!(
            err.to_string().contains("Reading restored config"),
            "unexpected restore error: {err:#}"
        );
        assert!(
            !tempdir.path().join("restore.tmp").exists(),
            "failed restore should clean up staging dir"
        );
    }

    #[test]
    fn backup_restore_rejects_non_file_entries() {
        let tempdir = tempfile::tempdir().expect("creating temp dir should succeed");
        let mut backup = Vec::new();
        {
            let mut archive = tar::Builder::new(&mut backup);
            let mut header = tar::Header::new_gnu();
            header.set_entry_type(tar::EntryType::Directory);
            header.set_size(0);
            header.set_cksum();
            archive
                .append_data(
                    &mut header,
                    PathBuf::from(LOCAL_CONFIG).with_extension(JSON_EXT),
                    std::io::empty(),
                )
                .expect("writing tar entry should succeed");
            archive.finish().expect("finishing tar should succeed");
        }

        let Err(err) = restore_backup_to_dir(&backup, "pass", tempdir.path()) else {
            panic!("non-file backup entries should be rejected");
        };

        assert!(
            err.to_string().contains("non-file entry"),
            "unexpected restore error: {err:#}"
        );
    }

    #[tokio::test]
    async fn rejects_peer_setup_code_with_different_network() {
        let api = setup_api(Network::Regtest);
        let peer_api = setup_api(Network::Signet);

        setup_code(&api, "local").await;
        let peer_code = setup_code(&peer_api, "peer").await;

        let err = api
            .add_peer_setup_code(peer_code)
            .await
            .expect_err("peer setup code with different network should be rejected");

        assert!(
            err.to_string()
                .contains("Guardian uses Bitcoin network signet but we use regtest")
        );
    }
}