Merge branch 'feat/allow-admin-roles' into feat/signed-doc-tests

Author: Mr-Leshiy

rust/catalyst-signed-doc-spec/Cargo.toml

@@ -17,7 +17,7 @@ serde = { version = "1.0.219", features = ["derive"] }
 
 quote = "1.0"
 proc-macro2 = "1.0"
-build-info = "0.0.41"
+build-info = "0.0.39"
 
 [build-dependencies]
-build-info-build = "0.0.41"
+build-info-build = "0.0.39"

rust/catalyst-signed-doc-spec/src/signers/roles.rs

@@ -4,17 +4,52 @@
 #[derive(serde::Deserialize)]
 #[allow(clippy::missing_docs_in_private_items)]
 pub struct Roles {
-    pub user: Vec<Role>,
+    #[serde(default)]
+    pub user: Vec<UserRole>,
+    #[serde(default)]
+    pub admin: Vec<AdminRole>,
 }
 
 /// Role definition
 #[derive(serde::Deserialize)]
 #[allow(clippy::missing_docs_in_private_items)]
-pub enum Role {
+pub enum UserRole {
     /// Role 0 - A registered User / Voter - Base Role
     Registered,
     /// Registered for posting proposals
     Proposer,
     /// Registered as a rep for voting purposes.
     Representative,
 }
+
+#[derive(serde::Deserialize)]
+#[allow(clippy::missing_docs_in_private_items)]
+pub enum AdminRole {
+    /// Root Certificate Authority role.
+    #[serde(rename = "Root CA")]
+    RootCA,
+    /// Brand Certificate Authority role.
+    #[serde(rename = "Brand CA")]
+    BrandCA,
+    /// Campaign Certificate Authority role.
+    #[serde(rename = "Campaign CA")]
+    CampaignCA,
+    /// Category Certificate Authority role.
+    #[serde(rename = "Category CA")]
+    CategoryCA,
+    /// Root Admin role.
+    #[serde(rename = "Root Admin")]
+    RootAdmin,
+    /// Brand Admin role.
+    #[serde(rename = "Brand Admin")]
+    BrandAdmin,
+    /// Campaign Admin role.
+    #[serde(rename = "Campaign Admin")]
+    CampaignAdmin,
+    /// Category Admin role.
+    #[serde(rename = "Category Admin")]
+    CategoryAdmin,
+    /// Moderator role.
+    #[serde(rename = "Moderator")]
+    Moderator,
+}

rust/catalyst-types/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "catalyst-types"
-version = "0.0.7"
+version = "0.0.8"
 edition.workspace = true
 license.workspace = true
 authors.workspace = true

rust/catalyst-types/src/catalyst_id/role_index.rs

@@ -31,13 +31,28 @@ pub enum RoleIdError {
 pub enum RoleId {
     /// Primary required role use for voting and commenting.
     Role0 = 0,
-
     /// Delegated representative (dRep) that vote on behalf of delegators.
     DelegatedRepresentative = 1,
-
     /// Proposer that enabling creation, collaboration, and submission of proposals.
     Proposer = 3,
-
+    /// Root Certificate Authority role.
+    RootCA = 100,
+    /// Brand Certificate Authority role.
+    BrandCA = 101,
+    /// Campaign Certificate Authority role.
+    CampaignCA = 102,
+    /// Category Certificate Authority role.
+    CategoryCA = 103,
+    /// Root Admin role.
+    RootAdmin = 104,
+    /// Brand Admin role.
+    BrandAdmin = 105,
+    /// Campaign Admin role.
+    CampaignAdmin = 106,
+    /// Category Admin role.
+    CategoryAdmin = 107,
+    /// Moderator role.
+    Moderator = 108,
     /// A custom role.
     Unknown(u8),
 }
@@ -56,6 +71,15 @@ impl RoleId {
             RoleId::Role0 => 0,
             RoleId::DelegatedRepresentative => 1,
             RoleId::Proposer => 3,
+            RoleId::RootCA => 100,
+            RoleId::BrandCA => 101,
+            RoleId::CampaignCA => 102,
+            RoleId::CategoryCA => 103,
+            RoleId::RootAdmin => 104,
+            RoleId::BrandAdmin => 105,
+            RoleId::CampaignAdmin => 106,
+            RoleId::CategoryAdmin => 107,
+            RoleId::Moderator => 108,
             RoleId::Unknown(b) => b,
         }
     }
@@ -73,6 +97,15 @@ impl From<u8> for RoleId {
             0 => Self::Role0,
             1 => Self::DelegatedRepresentative,
             3 => Self::Proposer,
+            100 => Self::RootCA,
+            101 => Self::BrandCA,
+            102 => Self::CampaignCA,
+            103 => Self::CategoryCA,
+            104 => Self::RootAdmin,
+            105 => Self::BrandAdmin,
+            106 => Self::CampaignAdmin,
+            107 => Self::CategoryAdmin,
+            108 => Self::Moderator,
             b => Self::Unknown(b),
         }
     }

rust/signed_doc/Cargo.toml

@@ -11,7 +11,7 @@ license.workspace = true
 workspace = true
 
 [dependencies]
-catalyst-types = { version = "0.0.7", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "catalyst-types/v0.0.7" }
+catalyst-types = { version = "0.0.8", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "catalyst-types/v0.0.8" }
 cbork-utils = { version = "0.0.2", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "cbork-utils-v0.0.2" }
 
 catalyst-signed-doc-macro = { version = "0.0.1", path = "../catalyst-signed-doc-macro" }

rust/signed_doc/src/providers.rs

@@ -7,10 +7,12 @@ use ed25519_dalek::VerifyingKey;
 
 use crate::{CatalystSignedDocument, DocumentRef};
 
-/// `VerifyingKey` Provider trait
-pub trait VerifyingKeyProvider: Send + Sync {
-    /// Try to get `VerifyingKey`
-    fn try_get_key(
+/// `CatalystId` Provider trait
+pub trait CatalystIdProvider: Send + Sync {
+    /// Try to get `VerifyingKey` by the provided `CatalystId` and corresponding `RoleId`
+    /// and `KeyRotation` Return `None` if the provided `CatalystId` with the
+    /// corresponding `RoleId` and `KeyRotation` has not been registered.
+    fn try_get_registered_key(
         &self,
         kid: &CatalystId,
     ) -> impl Future<Output = anyhow::Result<Option<VerifyingKey>>> + Send;
@@ -48,8 +50,8 @@ pub mod tests {
     use std::{collections::HashMap, time::Duration};
 
     use super::{
-        CatalystId, CatalystSignedDocument, CatalystSignedDocumentProvider, VerifyingKey,
-        VerifyingKeyProvider,
+        CatalystId, CatalystIdProvider, CatalystSignedDocument, CatalystSignedDocumentProvider,
+        VerifyingKey,
     };
     use crate::{DocLocator, DocumentRef};
 
@@ -123,8 +125,8 @@ pub mod tests {
         }
     }
 
-    impl VerifyingKeyProvider for TestCatalystProvider {
-        async fn try_get_key(
+    impl CatalystIdProvider for TestCatalystProvider {
+        async fn try_get_registered_key(
             &self,
             kid: &CatalystId,
         ) -> anyhow::Result<Option<VerifyingKey>> {

rust/signed_doc/src/validator/mod.rs

@@ -9,7 +9,7 @@ use rules::Rules;
 
 use crate::{
     metadata::DocType,
-    providers::{CatalystSignedDocumentProvider, VerifyingKeyProvider},
+    providers::{CatalystIdProvider, CatalystSignedDocumentProvider},
     CatalystSignedDocument,
 };
 
@@ -38,7 +38,7 @@ pub async fn validate<Provider>(
     provider: &Provider,
 ) -> anyhow::Result<bool>
 where
-    Provider: CatalystSignedDocumentProvider + VerifyingKeyProvider,
+    Provider: CatalystSignedDocumentProvider + CatalystIdProvider,
 {
     let Ok(doc_type) = doc.doc_type() else {
         doc.report().missing_field(

rust/signed_doc/src/validator/rules/mod.rs

@@ -4,7 +4,7 @@
 use futures::FutureExt;
 
 use crate::{
-    providers::{CatalystSignedDocumentProvider, VerifyingKeyProvider},
+    providers::{CatalystIdProvider, CatalystSignedDocumentProvider},
     CatalystSignedDocument,
 };
 
@@ -80,7 +80,7 @@ impl Rules {
         provider: &Provider,
     ) -> anyhow::Result<bool>
     where
-        Provider: CatalystSignedDocumentProvider + VerifyingKeyProvider,
+        Provider: CatalystSignedDocumentProvider + CatalystIdProvider,
     {
         let rules = [
             self.id.check(doc, provider).boxed(),
@@ -139,7 +139,7 @@ impl Rules {
                 section: SectionRule::NotSpecified,
                 collaborators: CollaboratorsRule::NotSpecified,
                 content: ContentRule::new(&doc_spec.payload)?,
-                kid: SignatureKidRule::new(&doc_spec.signers.roles),
+                kid: SignatureKidRule::new(&doc_spec.signers.roles)?,
                 signature: SignatureRule { mutlisig: false },
                 original_author: OriginalAuthorRule,
             };

rust/signed_doc/src/validator/rules/signature.rs

@@ -4,7 +4,7 @@ use anyhow::Context;
 use catalyst_types::problem_report::ProblemReport;
 
 use crate::{
-    providers::{CatalystSignedDocumentProvider, VerifyingKeyProvider},
+    providers::{CatalystIdProvider, CatalystSignedDocumentProvider},
     signature::{tbs_data, Signature},
     CatalystSignedDocument,
 };
@@ -28,7 +28,7 @@ impl SignatureRule {
         provider: &Provider,
     ) -> anyhow::Result<bool>
     where
-        Provider: CatalystSignedDocumentProvider + VerifyingKeyProvider,
+        Provider: CatalystSignedDocumentProvider + CatalystIdProvider,
     {
         if doc.signatures().is_empty() {
             doc.report().other(
@@ -74,11 +74,11 @@ async fn validate_signature<Provider>(
     report: &ProblemReport,
 ) -> anyhow::Result<bool>
 where
-    Provider: VerifyingKeyProvider,
+    Provider: CatalystIdProvider,
 {
     let kid = sign.kid();
 
-    let Some(pk) = provider.try_get_key(kid).await? else {
+    let Some(pk) = provider.try_get_registered_key(kid).await? else {
         report.other(
             &format!("Missing public key for {kid}."),
             "During public key extraction",

rust/signed_doc/src/validator/rules/signature_kid.rs

@@ -1,6 +1,8 @@
 //! Catalyst Signed Document COSE signature `kid` (Catalyst Id) role validation
 
-use catalyst_signed_doc_spec::signers::roles::{Role, Roles};
+use std::collections::HashSet;
+
+use catalyst_signed_doc_spec::signers::roles::{AdminRole, Roles, UserRole};
 use catalyst_types::catalyst_id::role_index::RoleId;
 
 use crate::CatalystSignedDocument;
@@ -9,24 +11,43 @@ use crate::CatalystSignedDocument;
 #[derive(Debug)]
 pub(crate) struct SignatureKidRule {
     /// expected `RoleId` values for the `kid` field
-    pub(crate) allowed_roles: Vec<RoleId>,
+    pub(crate) allowed_roles: HashSet<RoleId>,
 }
 
 impl SignatureKidRule {
     /// Generating `SignatureKidRule` from specs
-    pub(crate) fn new(spec: &Roles) -> Self {
-        let allowed_roles = spec
+    pub(crate) fn new(spec: &Roles) -> anyhow::Result<Self> {
+        let allowed_roles: HashSet<_> = spec
             .user
             .iter()
             .map(|v| {
                 match v {
-                    Role::Registered => RoleId::Role0,
-                    Role::Proposer => RoleId::Proposer,
-                    Role::Representative => RoleId::DelegatedRepresentative,
+                    UserRole::Registered => RoleId::Role0,
+                    UserRole::Proposer => RoleId::Proposer,
+                    UserRole::Representative => RoleId::DelegatedRepresentative,
                 }
             })
+            .chain(spec.admin.iter().map(|v| {
+                match v {
+                    AdminRole::RootCA => RoleId::RootCA,
+                    AdminRole::BrandCA => RoleId::BrandCA,
+                    AdminRole::CampaignCA => RoleId::CampaignCA,
+                    AdminRole::CategoryCA => RoleId::CategoryCA,
+                    AdminRole::RootAdmin => RoleId::RootAdmin,
+                    AdminRole::BrandAdmin => RoleId::BrandAdmin,
+                    AdminRole::CampaignAdmin => RoleId::CampaignAdmin,
+                    AdminRole::CategoryAdmin => RoleId::CategoryAdmin,
+                    AdminRole::Moderator => RoleId::Moderator,
+                }
+            }))
             .collect();
-        Self { allowed_roles }
+
+        anyhow::ensure!(
+            !allowed_roles.is_empty(),
+            "A list of allowed roles cannot be empty"
+        );
+
+        Ok(Self { allowed_roles })
     }
 
     /// Field validation rule
@@ -73,7 +94,9 @@ mod tests {
     #[tokio::test]
     async fn signature_kid_rule_test() {
         let mut rule = SignatureKidRule {
-            allowed_roles: vec![RoleId::Role0, RoleId::DelegatedRepresentative],
+            allowed_roles: [RoleId::Role0, RoleId::DelegatedRepresentative]
+                .into_iter()
+                .collect(),
         };
 
         let sk = ed25519_dalek::SigningKey::generate(&mut rand::rngs::OsRng);
@@ -92,7 +115,7 @@ mod tests {
 
         assert!(rule.check(&doc).await.unwrap());
 
-        rule.allowed_roles = vec![RoleId::Proposer];
+        rule.allowed_roles = [RoleId::Proposer].into_iter().collect();
         assert!(!rule.check(&doc).await.unwrap());
     }
 }