feat(rust/cardano-chain-follower): RBAC CIP509 validation (#16)

* feat: move rbac validate from hermes

* fix: change tx index to u16

* fix: rust ci branch pointing

* fix: update rust ci version

* fix(rust/cardano-chain-follower): move chain follower commands to itss on justfile

* fix(rust/c509-certificate): only extract stake key for pubkey validation

* fix(rust/c509-certificate): spelling

* fix(rust/c509-certificate): stake public key validation + test cases

* fix(rust/c509-certificate): ignore format for cspell addresses

* fix(rust/c509-certificate): disable cspell check for addresses

* fix(rust/cardano-chain-follower): payment key ref index

* fix(rust/cardano-chain-follower): payment key ref index type to i16

* test(rust/cardano-chain-follower): CIP509 RBAC validation (#25)

* test(rust/cardano-chain-follower): add test data

* test(rust/cardano-chain-follower): add test for x509_chunk decompression

* fix(rust/cardano-chain-follower): payment key should accept negative number

* test(rust/cardano-chain-follower): add test for cip509 validation

* chore(rust/cardano-chain-follower): typo

* fix(rust/cardano-chain-follower): update test data

---------

Co-authored-by: Steven Johnson <[email protected]>

Author: bkioshn

.config/dictionaries/project.dic

@@ -2,6 +2,7 @@ aarch
 abcz
 ABNF
 addrr
+addrs
 adminer
 anypolicy
 apskhem
@@ -10,6 +11,7 @@ asyncio
 Attributes
 auditability
 backpressure
+bech
 bimap
 bindgen
 bkioshn
@@ -59,6 +61,7 @@ encryptor
 Errno
 Eternl
 excalidraw
+extn
 fadvise
 fcntl
 fdatasync
@@ -85,6 +88,7 @@ happ
 hardano
 Hardlink
 hasher
+heaptrack
 hexdigit
 highwater
 hmod

rust/cardano-chain-follower/Cargo.toml

@@ -65,6 +65,9 @@ ureq = { version = "2.10.1", features = ["native-certs"] }
 http = "1.1.0"
 hickory-resolver = { version = "0.24.1", features = ["dns-over-rustls"] }
 moka = { version = "0.12.8", features = ["sync"] }
+der-parser = "9.0.0"
+regex = "1.10.6"
+bech32 = "0.11.0"
 
 [dev-dependencies]
 hex = "0.4.3"

rust/cardano-chain-follower/Justfile

@@ -0,0 +1,41 @@
+# use with https://github.com/casey/just
+#
+# Cardano chain follower developer convenience functions
+
+# Format the rust code
+code-format:
+    cargo +nightly fmtfix
+    cargo +nightly fmtchk
+
+# Run long running developer test for mithril downloading.
+run-mithril-download-example-preprod: code-format
+    cargo build -r --package cardano-chain-follower --example follow_chains --features mimalloc
+    RUST_LOG="error,follow_chains=debug,cardano_chain_follower=debug,mithril-client=debug" \
+    ../target/release/examples/follow_chains --preprod
+
+run-mithril-download-example-preprod-high-dl-bandwidth: code-format
+    cargo build -r --package cardano-chain-follower --example follow_chains --features mimalloc
+    RUST_LOG="error,follow_chains=debug,cardano_chain_follower=debug,mithril-client=debug" \
+    ../target/release/examples/follow_chains --preprod --mithril-sync-workers 64 --mithril-sync-chunk-size 16 --mithril-sync-queue-ahead=6
+
+run-mithril-download-example-preprod-conservative-dl-bandwidth: code-format
+    cargo build -r --package cardano-chain-follower --example follow_chains --features mimalloc
+    RUST_LOG="error,follow_chains=debug,cardano_chain_follower=debug,mithril-client=debug" \
+    ../target/release/examples/follow_chains --preprod --mithril-sync-workers 8 --mithril-sync-chunk-size 1 --mithril-sync-queue-ahead=2
+
+run-mithril-download-example-preview: code-format
+    cargo build -r --package cardano-chain-follower --example follow_chains --features mimalloc
+    RUST_LOG="error,follow_chains=debug,cardano_chain_follower=debug,mithril-client=debug" \
+    ../target/release/examples/follow_chains --preview
+
+# Run long running developer test for mithril downloading.
+run-mithril-download-example-mainnet: code-format
+    cargo build -r --package cardano-chain-follower --example follow_chains --features mimalloc
+    RUST_LOG="error,follow_chains=debug,cardano_chain_follower=debug,mithril-client=debug" \
+    ../target/release/examples/follow_chains --mainnet
+
+# Run long running developer test for mithril downloading.
+debug-heap-mithril-download-example:
+    cargo build --package cardano-chain-follower --example follow_chains
+    RUST_LOG="error,follow_chains=debug,cardano_chain_follower=debug,mithril-client=debug" \
+    heaptrack ../target/debug/examples/follow_chains --preprod

rust/cardano-chain-follower/examples/follow_chains.rs

@@ -16,12 +16,13 @@ static GLOBAL: MiMalloc = MiMalloc;
 use std::{error::Error, time::Duration};
 
 use cardano_chain_follower::{
-    ChainFollower, ChainSyncConfig, ChainUpdate, Kind, Metadata, Network, Statistics, ORIGIN_POINT,
-    TIP_POINT,
+    ChainFollower, ChainSyncConfig, ChainUpdate, Kind,
+    Metadata::{self},
+    Network, Statistics, ORIGIN_POINT, TIP_POINT,
 };
 use clap::{arg, ArgAction, ArgMatches, Command};
 use tokio::time::Instant;
-use tracing::{error, info, level_filters::LevelFilter};
+use tracing::{error, info, level_filters::LevelFilter, warn};
 use tracing_subscriber::EnvFilter;
 
 /// Process our CLI Arguments
@@ -39,7 +40,11 @@ fn process_argument() -> (Vec<Network>, ArgMatches) {
                 .action(ArgAction::SetTrue),
             arg!(--"halt-on-error" "Stop the process when an error occurs without retrying.")
                 .action(ArgAction::SetTrue),
-            arg!(--"bad-cip36" "Dump Bad Cip36 registrations detected.")
+            arg!(--"log-bad-cip36" "Dump Bad CIP36 registrations detected.")
+                .action(ArgAction::SetTrue),
+            arg!(--"log-cip509" "Dump CIP509 validation.")
+                .action(ArgAction::SetTrue),
+            arg!(--"log-raw-aux" "Dump raw auxiliary data.")
                 .action(ArgAction::SetTrue),
             arg!(--"largest-metadata" "Dump The largest transaction metadata we find (as we find it).")
                 .action(ArgAction::SetTrue),
@@ -146,7 +151,9 @@ async fn follow_for(network: Network, matches: ArgMatches) {
     let all_live_blocks = matches.get_flag("all-live-blocks");
     let stop_at_tip = matches.get_flag("stop-at-tip");
     let halt_on_error = matches.get_flag("halt-on-error");
-    let bad_cip36 = matches.get_flag("bad-cip36");
+    let log_bad_cip36 = matches.get_flag("log-bad-cip36");
+    let log_cip509 = matches.get_flag("log-cip509");
+    let log_raw_aux = matches.get_flag("log-raw-aux");
     let largest_metadata = matches.get_flag("largest-metadata");
 
     let mut current_era = String::new();
@@ -235,44 +242,24 @@ async fn follow_for(network: Network, matches: ArgMatches) {
         }
 
         // Inspect the transactions in the block.
-        let mut dump_raw_aux_data = false;
         for (tx_idx, _tx) in block.txs().iter().enumerate() {
-            if let Some(decoded_metadata) = chain_update
-                .data
-                .txn_metadata(tx_idx, Metadata::cip36::LABEL)
+            if let Some(aux_data) =
+                update_biggest_aux_data(&chain_update, tx_idx, largest_metadata, biggest_aux_data)
             {
-                let raw_size = match chain_update
-                    .data
-                    .txn_raw_metadata(tx_idx, Metadata::cip36::LABEL)
-                {
-                    Some(raw) => raw.len(),
-                    None => 0,
-                };
-
-                if largest_metadata && raw_size > biggest_aux_data {
-                    biggest_aux_data = raw_size;
-                    dump_raw_aux_data = true;
-                }
-
-                if bad_cip36 {
-                    #[allow(irrefutable_let_patterns)] // Won't always be irrefutable.
-                    if let Metadata::DecodedMetadataValues::Cip36(cip36) = &decoded_metadata.value {
-                        if !cip36.signed {
-                            dump_raw_aux_data = true;
-                        }
-                        if !decoded_metadata.report.is_empty() {
-                            info!(
-                                chain = network.to_string(),
-                                "Cip36 {tx_idx}:{:?} - {raw_size}", decoded_metadata
-                            );
-                            dump_raw_aux_data = true;
-                        }
-                    }
-                }
+                biggest_aux_data = aux_data;
+            }
+
+            // If flag `log_bad_cip36` is set, log the bad CIP36.
+            if log_bad_cip36 {
+                log_bad_cip36_info(&chain_update, network, tx_idx);
+            }
+            // If flag `log_cip509` is set, log the CIP509 validation.
+            if log_cip509 {
+                log_cip509_info(&chain_update, block.number(), network, tx_idx);
             }
         }
 
-        if dump_raw_aux_data {
+        if log_raw_aux {
             if let Some(x) = block.as_alonzo() {
                 info!(
                     chain = network.to_string(),
@@ -330,6 +317,80 @@ async fn follow_for(network: Network, matches: ArgMatches) {
     info!(chain = network.to_string(), "Following Completed.");
 }
 
+/// Helper function for updating the biggest aux data.
+fn update_biggest_aux_data(
+    chain_update: &ChainUpdate, tx_idx: usize, largest_metadata: bool, biggest_aux_data: usize,
+) -> Option<usize> {
+    let raw_size_cip36 = match chain_update
+        .data
+        .txn_raw_metadata(tx_idx, Metadata::cip36::LABEL)
+    {
+        Some(raw) => raw.len(),
+        None => 0,
+    };
+
+    let raw_size_cip509 = match chain_update
+        .data
+        .txn_raw_metadata(tx_idx, Metadata::cip509::LABEL)
+    {
+        Some(raw) => raw.len(),
+        None => 0,
+    };
+
+    // Get the maximum raw size from both cip36 and cip509
+    let raw_size = raw_size_cip36.max(raw_size_cip509);
+
+    if largest_metadata && raw_size > biggest_aux_data {
+        return Some(raw_size);
+    }
+
+    None
+}
+
+/// Helper function for logging bad CIP36.
+fn log_bad_cip36_info(chain_update: &ChainUpdate, network: Network, tx_idx: usize) {
+    if let Some(decoded_metadata) = chain_update
+        .data
+        .txn_metadata(tx_idx, Metadata::cip36::LABEL)
+    {
+        if let Metadata::DecodedMetadataValues::Cip36(cip36) = &decoded_metadata.value {
+            if (!cip36.signed || !decoded_metadata.report.is_empty())
+                && !decoded_metadata.report.is_empty()
+            {
+                info!(
+                    chain = network.to_string(),
+                    "CIP36 {tx_idx}: {:?}", decoded_metadata
+                );
+            }
+        }
+    }
+}
+
+/// Helper function for logging CIP509 validation.
+fn log_cip509_info(chain_update: &ChainUpdate, block_num: u64, network: Network, tx_idx: usize) {
+    if let Some(decoded_metadata) = chain_update
+        .data
+        .txn_metadata(tx_idx, Metadata::cip509::LABEL)
+    {
+        info!("Block Number {}", block_num);
+
+        if let Metadata::DecodedMetadataValues::Cip509(cip509) = &decoded_metadata.value {
+            info!(
+                chain = network.to_string(),
+                "CIP509 {tx_idx}: {:?}", cip509.validation
+            );
+        }
+
+        // If report is not empty, log it, log it as a warning.
+        if !decoded_metadata.report.is_empty() {
+            warn!(
+                chain = network.to_string(),
+                "CIP509 {tx_idx}: {:?}", decoded_metadata.report
+            );
+        }
+    }
+}
+
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn Error>> {
     tracing_subscriber::fmt()

rust/cardano-chain-follower/src/metadata/cip36.rs

@@ -79,11 +79,12 @@ impl Cip36 {
     /// * `decoded_metadata` - Decoded Metadata - Will be updated only if CIP36 Metadata
     ///   is found.
     /// * `slot` - Current Slot
-    /// * `txn` - Transaction Aux data was attached to and to be validated/decoded
-    ///   against. Not used for CIP36 Metadata.
+    /// * `txn` - Transaction data was attached to and to be validated/decoded against.
+    ///   Not used for CIP36 Metadata.
     /// * `raw_aux_data` - Raw Auxiliary Data for the transaction.
     /// * `catalyst_strict` - Strict Catalyst Validation - otherwise Catalyst Specific
     ///   rules/workarounds are not applied.
+    /// * `chain` - Network Chain
     ///
     /// # Returns
     ///