Merge branch 'main' into feat/signed-doc-validation-optional-content-type

apskhem · web-flow · commit 0f40e96e38ab · 2025-09-03T17:26:54.000+07:00
diff --git a/rust/catalyst-signed-doc-macro/src/rules/doc_ref.rs b/rust/catalyst-signed-doc-macro/src/rules/doc_ref.rs
@@ -0,0 +1,38 @@
+//! `RefRule` generation
+
+use proc_macro2::TokenStream;
+use quote::quote;
+
+use crate::signed_doc_spec::{self, IsRequired};
+
+/// Generating `RefRule` instantiation
+pub(crate) fn ref_rule(ref_spec: &signed_doc_spec::doc_ref::Ref) -> anyhow::Result<TokenStream> {
+    let optional = match ref_spec.required {
+        IsRequired::Yes => false,
+        IsRequired::Optional => true,
+        IsRequired::Excluded => {
+            return Ok(quote! {
+                crate::validator::rules::RefRule::NotSpecified
+            });
+        },
+    };
+
+    anyhow::ensure!(!ref_spec.doc_type.is_empty(), "'type' field should exists and has at least one entry for the required 'ref' metadata definition");
+
+    let const_type_name_idents = ref_spec.doc_type.iter().map(|doc_name| {
+        let const_type_name_ident = doc_name.ident();
+        quote! {
+            crate::doc_types::#const_type_name_ident
+        }
+    });
+    let multiple = ref_spec.multiple.ok_or(anyhow::anyhow!(
+        "'multiple' field should exists for the required 'ref' metadata definition"
+    ))?;
+    Ok(quote! {
+        crate::validator::rules::RefRule::Specified {
+            exp_ref_types: vec![ #(#const_type_name_idents,)* ],
+            multiple: #multiple,
+            optional: #optional,
+        }
+    })
+}
diff --git a/rust/catalyst-signed-doc-macro/src/rules/mod.rs b/rust/catalyst-signed-doc-macro/src/rules/mod.rs
@@ -1,5 +1,7 @@
 //! `catalyst_signed_documents_rules!` macro implementation
 
+pub(crate) mod doc_ref;
+
 use proc_macro2::TokenStream;
 use quote::quote;
 
@@ -10,9 +12,10 @@ pub(crate) fn catalyst_signed_documents_rules_impl() -> anyhow::Result<TokenStre
     let spec = CatalystSignedDocSpec::load_signed_doc_spec()?;
 
     let mut rules_definitions = Vec::new();
-    for (doc_name, _doc_spec) in spec.docs {
+    for (doc_name, doc_spec) in spec.docs {
         let const_type_name_ident = doc_name.ident();
 
+        let ref_rule = doc_ref::ref_rule(&doc_spec.metadata.doc_ref)?;
         // TODO: implement a proper initialization for all specific validation rules
         let rules = quote! {
             crate::validator::rules::Rules {
@@ -25,7 +28,7 @@ pub(crate) fn catalyst_signed_documents_rules_impl() -> anyhow::Result<TokenStre
                 },
                 content: crate::validator::rules::ContentRule::NotSpecified,
                 parameters: crate::validator::rules::ParametersRule::NotSpecified,
-                doc_ref: crate::validator::rules::RefRule::NotSpecified,
+                doc_ref: #ref_rule,
                 reply: crate::validator::rules::ReplyRule::NotSpecified,
                 section: crate::validator::rules::SectionRule::NotSpecified,
                 kid: crate::validator::rules::SignatureKidRule {
diff --git a/rust/catalyst-signed-doc-macro/src/signed_doc_spec/doc_ref.rs b/rust/catalyst-signed-doc-macro/src/signed_doc_spec/doc_ref.rs
@@ -0,0 +1,13 @@
+//! `signed_doc.json` "ref" field JSON definition
+
+use crate::signed_doc_spec::{DocTypes, IsRequired};
+
+/// `signed_doc.json` "ref" field JSON object
+#[derive(serde::Deserialize)]
+#[allow(clippy::missing_docs_in_private_items)]
+pub(crate) struct Ref {
+    pub(crate) required: IsRequired,
+    #[serde(rename = "type")]
+    pub(crate) doc_type: DocTypes,
+    pub(crate) multiple: Option<bool>,
+}
diff --git a/rust/catalyst-signed-doc-macro/src/signed_doc_spec/mod.rs b/rust/catalyst-signed-doc-macro/src/signed_doc_spec/mod.rs
@@ -1,8 +1,9 @@
 //! Catalyst Signed Document spec type
 
-use std::collections::HashMap;
+pub(crate) mod doc_ref;
+
+use std::{collections::HashMap, ops::Deref};
 
-use anyhow::Context;
 use proc_macro2::Ident;
 use quote::format_ident;
 
@@ -43,15 +44,66 @@ pub(crate) struct DocSpec {
     /// Document type UUID v4 value
     #[serde(rename = "type")]
     pub(crate) doc_type: String,
+
+    /// Document type metadata definitions
+    pub(crate) metadata: Metadata,
+}
+
+/// Document's metadata fields definition
+#[derive(serde::Deserialize)]
+#[allow(clippy::missing_docs_in_private_items)]
+pub(crate) struct Metadata {
+    #[serde(rename = "ref")]
+    pub(crate) doc_ref: doc_ref::Ref,
+}
+
+/// "required" field definition
+#[derive(serde::Deserialize)]
+#[serde(rename_all = "lowercase")]
+#[allow(clippy::missing_docs_in_private_items)]
+pub(crate) enum IsRequired {
+    Yes,
+    Excluded,
+    Optional,
+}
+
+/// A helper type for deserialization "type" metadata field
+pub(crate) struct DocTypes(Vec<DocumentName>);
+
+impl Deref for DocTypes {
+    type Target = Vec<DocumentName>;
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}
+
+impl<'de> serde::Deserialize<'de> for DocTypes {
+    #[allow(clippy::missing_docs_in_private_items)]
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where D: serde::Deserializer<'de> {
+        #[derive(serde::Deserialize)]
+        #[serde(untagged)]
+        enum SingleOrVec {
+            Single(DocumentName),
+            Multiple(Vec<DocumentName>),
+        }
+        let value = Option::<SingleOrVec>::deserialize(deserializer)?;
+        let result = match value {
+            Some(SingleOrVec::Single(item)) => vec![item],
+            Some(SingleOrVec::Multiple(items)) => items,
+            None => vec![],
+        };
+        Ok(Self(result))
+    }
 }
 
 impl CatalystSignedDocSpec {
     /// Loading a Catalyst Signed Documents spec from the `signed_doc.json`
     // #[allow(dependency_on_unit_never_type_fallback)]
     pub(crate) fn load_signed_doc_spec() -> anyhow::Result<CatalystSignedDocSpec> {
-        let signed_doc_str = include_str!("../../../specs/signed_doc.json");
-        let signed_doc_spec = serde_json::from_str(signed_doc_str)
-            .context("Catalyst Signed Documents spec must be a JSON object")?;
+        let signed_doc_str = include_str!("../../../../specs/signed_doc.json");
+        let signed_doc_spec = serde_json::from_str(signed_doc_str)?;
         Ok(signed_doc_spec)
     }
 }
diff --git a/rust/rbac-registration/src/cardano/cip509/cip509.rs b/rust/rbac-registration/src/cardano/cip509/cip509.rs
@@ -13,7 +13,7 @@ use cardano_blockchain_types::{
     pallas_addresses::{Address, ShelleyAddress},
     pallas_primitives::{conway, Nullable},
     pallas_traverse::MultiEraTx,
-    MetadatumLabel, MultiEraBlock, StakeAddress, TxnIndex,
+    MetadatumLabel, MultiEraBlock, TxnIndex,
 };
 use catalyst_types::{
     catalyst_id::{role_index::RoleId, CatalystId},
@@ -36,7 +36,7 @@ use crate::cardano::cip509::{
     types::{PaymentHistory, TxInputHash, ValidationSignature},
     utils::Cip0134UriSet,
     validation::{
-        validate_aux, validate_role_data, validate_self_sign_cert, validate_stake_public_key,
+        validate_aux, validate_cert_addrs, validate_role_data, validate_self_sign_cert,
         validate_txn_inputs_hash,
     },
     x509_chunks::X509Chunks,
@@ -172,12 +172,11 @@ impl Cip509 {
             txn.transaction_body.auxiliary_data_hash.as_ref(),
             &cip509.report,
         );
-        if cip509.role_data(RoleId::Role0).is_some() {
-            // The following check is only performed for the role 0.
-            validate_stake_public_key(txn, cip509.certificate_uris(), &cip509.report);
-        }
         if let Some(metadata) = &cip509.metadata {
             cip509.catalyst_id = validate_role_data(metadata, block.network(), &cip509.report);
+            // General check for all roles, check whether the addresses in the certificate URIs are
+            // witnessed in the transaction.
+            validate_cert_addrs(txn, cip509.certificate_uris(), &report);
             validate_self_sign_cert(metadata, &report);
         }
 
@@ -276,12 +275,15 @@ impl Cip509 {
         self.catalyst_id.as_ref()
     }
 
-    /// Returns a list of role 0 stake addresses.
+    /// Returns a list of addresses extracted from certificate URIs of a specific role.
     #[must_use]
-    pub fn role_0_stake_addresses(&self) -> HashSet<StakeAddress> {
+    pub fn certificate_addresses(
+        &self,
+        role: usize,
+    ) -> HashSet<Address> {
         self.metadata
             .as_ref()
-            .map(|m| m.certificate_uris.stake_addresses(0))
+            .map(|m| m.certificate_uris.role_addresses(role))
             .unwrap_or_default()
     }
 
diff --git a/rust/rbac-registration/src/cardano/cip509/utils/cip134_uri_set.rs b/rust/rbac-registration/src/cardano/cip509/utils/cip134_uri_set.rs
@@ -72,24 +72,57 @@ impl Cip0134UriSet {
         self.x_uris().is_empty() && self.c_uris().is_empty()
     }
 
-    /// Returns a list of stake addresses by the given index.
+    /// Returns a list of addresses by the given role.
     #[must_use]
-    pub fn stake_addresses(
+    pub fn role_addresses(
         &self,
-        index: usize,
-    ) -> HashSet<StakeAddress> {
+        role: usize,
+    ) -> HashSet<Address> {
         let mut result = HashSet::new();
 
-        if let Some(uris) = self.x_uris().get(&index) {
-            result.extend(convert_stake_addresses(uris));
+        if let Some(uris) = self.x_uris().get(&role) {
+            result.extend(uris.iter().map(|uri| uri.address().clone()));
         }
-        if let Some(uris) = self.c_uris().get(&index) {
-            result.extend(convert_stake_addresses(uris));
+        if let Some(uris) = self.c_uris().get(&role) {
+            result.extend(uris.iter().map(|uri| uri.address().clone()));
         }
 
         result
     }
 
+    /// Returns a list of stake addresses by the given role.
+    #[must_use]
+    pub fn role_stake_addresses(
+        &self,
+        role: usize,
+    ) -> HashSet<StakeAddress> {
+        self.role_addresses(role)
+            .iter()
+            .filter_map(|address| {
+                match address {
+                    Address::Stake(a) => Some(a.clone().into()),
+                    _ => None,
+                }
+            })
+            .collect()
+    }
+
+    /// Returns a list of all stake addresses.
+    #[must_use]
+    pub fn stake_addresses(&self) -> HashSet<StakeAddress> {
+        self.x_uris()
+            .values()
+            .chain(self.c_uris().values())
+            .flat_map(|uris| uris.iter())
+            .filter_map(|uri| {
+                match uri.address() {
+                    Address::Stake(a) => Some(a.clone().into()),
+                    _ => None,
+                }
+            })
+            .collect()
+    }
+
     /// Return the updated URIs set.
     ///
     /// The resulting set includes all the data from both the original and a new one. In
@@ -289,18 +322,6 @@ fn extract_c509_uris(
     result
 }
 
-/// Converts a list of `Cip0134Uri` to a list of stake addresses.
-fn convert_stake_addresses(uris: &[Cip0134Uri]) -> Vec<StakeAddress> {
-    uris.iter()
-        .filter_map(|uri| {
-            match uri.address() {
-                Address::Stake(a) => Some(a.clone().into()),
-                _ => None,
-            }
-        })
-        .collect()
-}
-
 #[cfg(test)]
 mod tests {
 
@@ -323,6 +344,9 @@ mod tests {
         let set = cip509.certificate_uris().unwrap();
         assert!(!set.is_empty());
         assert!(set.c_uris().is_empty());
+        assert_eq!(set.role_addresses(0).len(), 1);
+        assert_eq!(set.role_stake_addresses(0).len(), 1);
+        assert_eq!(set.stake_addresses().len(), 1);
 
         let x_uris = set.x_uris();
         assert_eq!(x_uris.len(), 1);
diff --git a/rust/rbac-registration/src/cardano/cip509/validation.rs b/rust/rbac-registration/src/cardano/cip509/validation.rs
diff --git a/rust/rbac-registration/src/registration/cardano/mod.rs b/rust/rbac-registration/src/registration/cardano/mod.rs
