tmp

Author: apskhem

rust/rbac-registration/src/cardano/cip509/cip509.rs

@@ -13,7 +13,7 @@ use cardano_blockchain_types::{
     pallas_addresses::{Address, ShelleyAddress},
     pallas_primitives::{conway, Nullable},
     pallas_traverse::MultiEraTx,
-    MetadatumLabel, MultiEraBlock, TxnIndex,
+    MetadatumLabel, MultiEraBlock, StakeAddress, TxnIndex,
 };
 use catalyst_types::{
     catalyst_id::{role_index::RoleId, CatalystId},
@@ -305,6 +305,14 @@ impl Cip509 {
         self.metadata.as_ref()
     }
 
+    /// Returns a set of stake addresses.
+    #[must_use]
+    pub fn stake_addresses(&self) -> HashSet<StakeAddress> {
+        self.certificate_uris()
+            .map(Cip0134UriSet::stake_addresses)
+            .unwrap_or_default()
+    }
+
     /// Returns `Cip509` fields consuming the structure if it was successfully decoded and
     /// validated otherwise return the problem report that contains all the encountered
     /// issues.

rust/rbac-registration/src/registration/cardano/mod.rs

@@ -23,9 +23,13 @@ use update_rbac::{
 };
 use x509_cert::certificate::Certificate as X509Certificate;
 
-use crate::cardano::cip509::{
-    CertKeyHash, CertOrPk, Cip0134UriSet, Cip509, PaymentHistory, PointData, RoleData,
-    RoleDataRecord, ValidationSignature,
+use crate::{
+    cardano::cip509::{
+        CertKeyHash, CertOrPk, Cip0134UriSet, Cip509, PaymentHistory, PointData, RoleData,
+        RoleDataRecord, ValidationSignature,
+    },
+    providers::RbacRegistrationProvider,
+    registration::cardano::validation::RbacValidationError,
 };
 
 /// Registration chains.
@@ -84,6 +88,47 @@ impl RegistrationChain {
         })
     }
 
+    /// Validates that none of the signing keys in a given RBAC registration chain
+    /// have been used by any other existing chain, ensuring global key uniqueness
+    /// across all Catalyst registrations.
+    ///
+    /// # Returns
+    /// Returns a [`Result<HashSet<VerifyingKey>>`] containing all unique public keys
+    /// extracted from the registration chain if validation passes successfully.
+    ///
+    /// # Errors
+    /// - Propagates any I/O or provider-level errors encountered while checking key
+    ///   ownership (e.g., database lookup failures).
+    pub async fn validate_public_keys<Provider>(
+        &self,
+        report: &ProblemReport,
+        provider: &Provider,
+    ) -> Result<HashSet<VerifyingKey>, RbacValidationError>
+    where
+        Provider: RbacRegistrationProvider,
+    {
+        let mut keys = HashSet::new();
+
+        let roles: Vec<_> = self.role_data_history().keys().collect();
+        let catalyst_id = self.catalyst_id().as_short_id();
+
+        for role in roles {
+            if let Some((key, _)) = self.get_latest_signing_pk_for_role(role) {
+                keys.insert(key);
+                if let Some(previous) = provider.catalyst_id_from_public_key(key).await? {
+                    if previous != catalyst_id {
+                        report.functional_validation(
+                        &format!("An update to {catalyst_id} registration chain uses the same public key ({key:?}) as {previous} chain"),
+                        "It isn't allowed to use role 0 signing (certificate subject public) key in different chains",
+                        );
+                    }
+                }
+            }
+        }
+
+        Ok(keys)
+    }
+
     /// Returns a Catalyst ID.
     #[must_use]
     pub fn catalyst_id(&self) -> &CatalystId {
@@ -257,6 +302,14 @@ impl RegistrationChain {
     }
 }
 
+impl From<RegistrationChainInner> for RegistrationChain {
+    fn from(value: RegistrationChainInner) -> Self {
+        Self {
+            inner: Arc::new(value),
+        }
+    }
+}
+
 /// Inner structure of registration chain.
 #[derive(Debug, Clone)]
 struct RegistrationChainInner {
@@ -491,6 +544,84 @@ impl RegistrationChainInner {
 
         Some(new_inner)
     }
+
+    /// Attempts to update an existing RBAC registration chain
+    /// with a new CIP-509 registration, validating address and key usage consistency.
+    ///
+    /// # Returns
+    /// - `Ok((new_chain, validation_result))` if the chain was successfully updated and
+    ///   validated.
+    ///
+    /// # Errors
+    /// - Returns [`RbacValidationError::UnknownCatalystId`] if no Catalyst chain is found
+    ///   for `previous_txn`.
+    /// - Returns [`RbacValidationError::InvalidRegistration`] if address/key duplication
+    ///   or validation inconsistencies are detected.
+    pub async fn update_from_previous_txn<Provider>(
+        &self,
+        reg: Cip509,
+        previous_txn: TransactionId,
+        provider: &Provider,
+    ) -> Result<RegistrationChain, RbacValidationError>
+    where
+        Provider: RbacRegistrationProvider,
+    {
+        let purpose = reg.purpose();
+        let report = reg.report().to_owned();
+
+        // Find a chain this registration belongs to.
+        let Some(catalyst_id) = provider.catalyst_id_from_txn_id(previous_txn).await? else {
+            // We are unable to determine a Catalyst ID, so there is no sense to update the problem
+            // report because we would be unable to store this registration anyway.
+            return Err(RbacValidationError::UnknownCatalystId);
+        };
+        let chain = provider.chain(catalyst_id.clone()).await?
+        .context("{catalyst_id} is present in 'catalyst_id_for_txn_id' table, but not in 'rbac_registration'")?;
+
+        // Check that addresses from the new registration aren't used in other chains.
+        let previous_addresses = chain.stake_addresses();
+        let reg_addresses = reg.stake_addresses();
+        let new_addresses: Vec<_> = reg_addresses.difference(&previous_addresses).collect();
+        for address in &new_addresses {
+            match provider.catalyst_id_from_stake_address(address).await? {
+                None => {
+                    // All good: the address wasn't used before.
+                },
+                Some(_) => {
+                    report.functional_validation(
+                    &format!("{address} stake addresses is already used"),
+                    "It isn't allowed to use same stake address in multiple registration chains",
+                );
+                },
+            }
+        }
+
+        // Store values before consuming the registration.
+        let stake_addresses = reg.stake_addresses();
+
+        // Try to add a new registration to the chain.
+        let new_chain = chain.update(reg.clone()).ok_or_else(|| {
+            RbacValidationError::InvalidRegistration {
+                catalyst_id: catalyst_id.clone(),
+                purpose,
+                report: report.clone(),
+            }
+        })?;
+
+        // Check that new public keys aren't used by other chains.
+        let public_keys = new_chain.validate_public_keys(&report, provider).await?;
+
+        // Return an error if any issues were recorded in the report.
+        if report.is_problematic() {
+            return Err(RbacValidationError::InvalidRegistration {
+                catalyst_id,
+                purpose,
+                report,
+            });
+        }
+
+        Ok(new_chain)
+    }
 }
 
 /// Perform a check on the validation signature.

rust/rbac-registration/src/registration/cardano/validation.rs

@@ -2,24 +2,19 @@
 
 use std::collections::{HashMap, HashSet};
 
-use anyhow::{Context, Result};
-use cardano_blockchain_types::{hashes::TransactionId, StakeAddress};
+use anyhow::Context;
+use cardano_blockchain_types::StakeAddress;
 use catalyst_types::{
     catalyst_id::{role_index::RoleId, CatalystId},
     problem_report::ProblemReport,
     uuid::UuidV4,
 };
-use ed25519_dalek::VerifyingKey;
 
 use crate::{
-    cardano::cip509::{Cip0134UriSet, Cip509},
-    providers::RbacRegistrationProvider,
+    cardano::cip509::Cip509, providers::RbacRegistrationProvider,
     registration::cardano::RegistrationChain,
 };
 
-/// A return value of the `validate_rbac_registration` method.
-pub type RbacValidationResult = Result<RbacValidationSuccess, RbacValidationError>;
-
 /// An error returned from the `validate_rbac_registration` method.
 #[allow(clippy::large_enum_variant)]
 pub enum RbacValidationError {
@@ -53,109 +48,6 @@ impl From<anyhow::Error> for RbacValidationError {
     }
 }
 
-/// Represents the result yielded by `update_chain` or `start_new_chain` upon successful
-/// execution.
-pub struct RbacValidationSuccess {
-    /// A Catalyst ID of the chain this registration belongs to.
-    pub catalyst_id: CatalystId,
-    /// A list of stake addresses that were added to the chain.
-    pub stake_addresses: HashSet<StakeAddress>,
-    /// A list of role public keys used in this registration.
-    pub public_keys: HashSet<VerifyingKey>,
-    /// A list of updates to other chains containing Catalyst IDs and removed stake
-    /// addresses.
-    ///
-    /// A new RBAC registration can take ownership of stake addresses of other chains.
-    pub modified_chains: Vec<(CatalystId, HashSet<StakeAddress>)>,
-    /// An updated registration chain.
-    pub chain: RegistrationChain,
-}
-
-/// Attempts to update an existing RBAC registration chain
-/// with a new CIP-509 registration, validating address and key usage consistency.
-///
-/// # Returns
-/// - `Ok((new_chain, validation_result))` if the chain was successfully updated and
-///   validated.
-///
-/// # Errors
-/// - Returns [`RbacValidationError::UnknownCatalystId`] if no Catalyst chain is found for
-///   `previous_txn`.
-/// - Returns [`RbacValidationError::InvalidRegistration`] if address/key duplication or
-///   validation inconsistencies are detected.
-pub async fn update_chain<Provider>(
-    reg: Cip509,
-    previous_txn: TransactionId,
-    provider: &Provider,
-) -> RbacValidationResult
-where
-    Provider: RbacRegistrationProvider,
-{
-    let purpose = reg.purpose();
-    let report = reg.report().to_owned();
-
-    // Find a chain this registration belongs to.
-    let Some(catalyst_id) = provider.catalyst_id_from_txn_id(previous_txn).await? else {
-        // We are unable to determine a Catalyst ID, so there is no sense to update the problem
-        // report because we would be unable to store this registration anyway.
-        return Err(RbacValidationError::UnknownCatalystId);
-    };
-    let chain = provider.chain(catalyst_id.clone()).await?
-        .context("{catalyst_id} is present in 'catalyst_id_for_txn_id' table, but not in 'rbac_registration'")?;
-
-    // Check that addresses from the new registration aren't used in other chains.
-    let previous_addresses = chain.stake_addresses();
-    let reg_addresses = cip509_stake_addresses(&reg);
-    let new_addresses: Vec<_> = reg_addresses.difference(&previous_addresses).collect();
-    for address in &new_addresses {
-        match provider.catalyst_id_from_stake_address(address).await? {
-            None => {
-                // All good: the address wasn't used before.
-            },
-            Some(_) => {
-                report.functional_validation(
-                    &format!("{address} stake addresses is already used"),
-                    "It isn't allowed to use same stake address in multiple registration chains",
-                );
-            },
-        }
-    }
-
-    // Store values before consuming the registration.
-    let stake_addresses = cip509_stake_addresses(&reg);
-
-    // Try to add a new registration to the chain.
-    let new_chain = chain.update(reg.clone()).ok_or_else(|| {
-        RbacValidationError::InvalidRegistration {
-            catalyst_id: catalyst_id.clone(),
-            purpose,
-            report: report.clone(),
-        }
-    })?;
-
-    // Check that new public keys aren't used by other chains.
-    let public_keys = validate_public_keys(&new_chain, &report, provider).await?;
-
-    // Return an error if any issues were recorded in the report.
-    if report.is_problematic() {
-        return Err(RbacValidationError::InvalidRegistration {
-            catalyst_id,
-            purpose,
-            report,
-        });
-    }
-
-    Ok(RbacValidationSuccess {
-        catalyst_id,
-        stake_addresses,
-        public_keys,
-        // Only new chains can take ownership of stake addresses of existing chains, so in this
-        // case other chains aren't affected.
-        modified_chains: Vec::new(),
-        chain: new_chain,
-    })
-}
-
 /// Attempts to initialize a new RBAC registration chain
 /// from a given CIP-509 registration, ensuring uniqueness of Catalyst ID, stake
 /// addresses, and associated public keys.
@@ -239,7 +131,7 @@ where
     }
 
     // Check that new public keys aren't used by other chains.
-    let public_keys = validate_public_keys(&new_chain, &report, provider).await?;
+    let public_keys = new_chain.validate_public_keys(&report, provider).await?;
 
     if report.is_problematic() {
         return Err(RbacValidationError::InvalidRegistration {
@@ -257,52 +149,3 @@ where
         chain: new_chain,
     })
 }
-
-/// Validates that none of the signing keys in a given RBAC registration chain
-/// have been used by any other existing chain, ensuring global key uniqueness
-/// across all Catalyst registrations.
-///
-/// # Returns
-/// Returns a [`Result<HashSet<VerifyingKey>>`] containing all unique public keys
-/// extracted from the registration chain if validation passes successfully.
-///
-/// # Errors
-/// - Propagates any I/O or provider-level errors encountered while checking key ownership
-///   (e.g., database lookup failures).
-pub async fn validate_public_keys<Provider>(
-    chain: &RegistrationChain,
-    report: &ProblemReport,
-    provider: &Provider,
-) -> Result<HashSet<VerifyingKey>>
-where
-    Provider: RbacRegistrationProvider,
-{
-    let mut keys = HashSet::new();
-
-    let roles: Vec<_> = chain.role_data_history().keys().collect();
-    let catalyst_id = chain.catalyst_id().as_short_id();
-
-    for role in roles {
-        if let Some((key, _)) = chain.get_latest_signing_pk_for_role(role) {
-            keys.insert(key);
-            if let Some(previous) = provider.catalyst_id_from_public_key(key).await? {
-                if previous != catalyst_id {
-                    report.functional_validation(
-                        &format!("An update to {catalyst_id} registration chain uses the same public key ({key:?}) as {previous} chain"),
-                        "It isn't allowed to use role 0 signing (certificate subject public) key in different chains",
-                    );
-                }
-            }
-        }
-    }
-
-    Ok(keys)
-}
-
-/// Returns a set of stake addresses in the given registration.
-pub fn cip509_stake_addresses(cip509: &Cip509) -> HashSet<StakeAddress> {
-    cip509
-        .certificate_uris()
-        .map(Cip0134UriSet::stake_addresses)
-        .unwrap_or_default()
-}