Merge branch 'main' into fix/cip36-assets-indexing

Author: Mr-Leshiy

.config/dictionaries/project.dic

@@ -192,6 +192,7 @@ loguru
 lovelace
 lovelaces
 LTRB
+ltwh
 LynxLynxx
 Lynxx
 mdlint
@@ -259,6 +260,7 @@ pytest
 qrcode
 rapidoc
 ratelimit
+RGBO
 redoc
 reloadable
 Replayability
@@ -361,6 +363,7 @@ vsync
 wallclock
 wasmtime
 Wconditional
+webos
 Werror
 Wireframes
 Wmissing

catalyst-gateway/bin/Cargo.toml

@@ -15,12 +15,11 @@ repository.workspace = true
 workspace = true
 
 [dependencies]
-cardano-chain-follower = { version = "0.0.8", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250325-00" }
-rbac-registration = { version = "0.0.4", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250325-00" }
-catalyst-types = { version = "0.0.3", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250325-00" }
-cardano-blockchain-types = { version = "0.0.3", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250325-00" }
-catalyst-signed-doc = { version = "0.0.4", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250325-00" }
-c509-certificate = { version = "0.0.3", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250325-00" }
+cardano-chain-follower = { version = "0.0.8", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250331-01" }
+rbac-registration = { version = "0.0.4", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250331-01" }
+catalyst-types = { version = "0.0.3", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250331-01" }
+cardano-blockchain-types = { version = "0.0.3", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250331-01" }
+catalyst-signed-doc = { version = "0.0.4", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250331-01" }
 
 pallas = { version = "0.30.1", git = "https://github.com/input-output-hk/catalyst-pallas.git", rev = "9b5183c8b90b90fe2cc319d986e933e9518957b3" }
 pallas-traverse = { version = "0.30.1", git = "https://github.com/input-output-hk/catalyst-pallas.git", rev = "9b5183c8b90b90fe2cc319d986e933e9518957b3" }
@@ -66,7 +65,7 @@ futures = "0.3.31"
 rand = "0.8.5"
 moka = { version = "0.12.8", features = ["future"] }
 crossbeam-skiplist = "0.1.3"
-poem = { version = "3.1.6", features = ["embed", "prometheus", "compression"] }
+poem = { version = "=3.1.6", features = ["embed", "prometheus", "compression"] }
 poem-openapi = { version = "=5.1.5", features = [
     "openapi-explorer",
     "rapidoc",
@@ -98,19 +97,19 @@ stats_alloc = "0.1.10"
 memory-stats = "1.0.0"
 derive_more = { version = "2.0.1", default-features = false, features = ["from", "into"] }
 rayon = "1.10"
-oid-registry = "0.7.1"
-x509-cert = "0.2.5"
 
 # Its a transitive dependency of the "poem-openapi" crate,
 # but its breaks API after version "5.1.8".
 poem-openapi-derive = { version = "=5.1.4" }
+# Its a transitive dependency of the "poem-openapi-derive" crate,
+# but its breaks API after version "0.20.11".
+darling = { version = "=0.20.10" }
 
 [dev-dependencies]
-x509-cert = { version = "0.2.5", features = ["builder"] }
 
 [build-dependencies]
 build-info-build = "0.0.39"
 
 [package.metadata.cargo-machete]
 # remove that after fixing issues with latest crates
-ignored = ["poem-openapi-derive"]
+ignored = ["poem-openapi-derive", "darling"]

catalyst-gateway/bin/src/service/api/documents/post_document_index_query/mod.rs

@@ -1,8 +1,7 @@
 //! Document Index Query
 
-use std::future;
+use std::collections::HashMap;
 
-use dashmap::DashMap;
 use futures::TryStreamExt;
 use poem_openapi::{payload::Json, ApiResponse};
 use query_filter::DocumentIndexQueryFilter;
@@ -55,7 +54,7 @@ pub(crate) async fn endpoint(
         Err(e) => return AllResponses::handle_error(&e),
     };
 
-    let (docs, counts) = tokio::join!(
+    let (fetched_docs, total_doc_count) = tokio::join!(
         fetch_docs(&conditions, &query_limits),
         SignedDocBody::retrieve_count(&conditions)
     );
@@ -64,7 +63,7 @@ pub(crate) async fn endpoint(
     let page = page.unwrap_or_default();
     let limit = limit.unwrap_or_default();
 
-    let total: u32 = match counts {
+    let total: u32 = match total_doc_count {
         Ok(total) => {
             match total.try_into() {
                 Ok(t) => t,
@@ -76,13 +75,8 @@ pub(crate) async fn endpoint(
         Err(e) => return AllResponses::handle_error(&e),
     };
 
-    match docs {
-        Ok(docs) => {
-            let doc_count: u32 = match docs.len().try_into() {
-                Ok(d) => d,
-                Err(e) => return AllResponses::handle_error(&e.into()),
-            };
-
+    match fetched_docs {
+        Ok((docs, doc_count)) => {
             let remaining = Remaining::calculate(page.into(), limit.into(), total, doc_count);
 
             Responses::Ok(Json(DocumentIndexListDocumented(DocumentIndexList {
@@ -103,16 +97,23 @@ pub(crate) async fn endpoint(
 /// Fetch documents from the event db
 async fn fetch_docs(
     conditions: &DocsQueryFilter, query_limits: &QueryLimits,
-) -> anyhow::Result<Vec<IndexedDocumentDocumented>> {
+) -> anyhow::Result<(Vec<IndexedDocumentDocumented>, u32)> {
     let docs_stream = SignedDocBody::retrieve(conditions, query_limits).await?;
-    let indexed_docs = DashMap::new();
 
-    docs_stream
-        .try_for_each(|doc: SignedDocBody| {
-            let id = *doc.id();
-            indexed_docs.entry(id).or_insert_with(Vec::new).push(doc);
-            future::ready(Ok(()))
-        })
+    let (indexed_docs, total_fetched_doc_count) = docs_stream
+        .try_fold(
+            (HashMap::new(), 0u32),
+            |(mut indexed_docs, mut total_fetched_doc_count), doc| {
+                async move {
+                    let id = *doc.id();
+                    indexed_docs.entry(id).or_insert_with(Vec::new).push(doc);
+                    total_fetched_doc_count = total_fetched_doc_count
+                        .checked_add(1)
+                        .ok_or(anyhow::anyhow!("Fetched Signed Documents overflow"))?;
+                    Ok((indexed_docs, total_fetched_doc_count))
+                }
+            },
+        )
         .await?;
 
     let docs = indexed_docs
@@ -130,5 +131,5 @@ async fn fetch_docs(
             }))
         })
         .collect::<Result<_, _>>()?;
-    Ok(docs)
+    Ok((docs, total_fetched_doc_count))
 }

catalyst-gateway/bin/src/service/common/auth/rbac/scheme.rs

@@ -2,22 +2,19 @@
 use std::{env, error::Error, sync::LazyLock, time::Duration};
 
 use anyhow::{anyhow, Context};
-use c509_certificate::c509::C509;
 use cardano_blockchain_types::{Network, Point, Slot, TxnIndex};
 use cardano_chain_follower::ChainFollower;
 use catalyst_types::id_uri::IdUri;
-use ed25519_dalek::{VerifyingKey, PUBLIC_KEY_LENGTH};
+use ed25519_dalek::VerifyingKey;
 use futures::{TryFutureExt, TryStreamExt};
 use moka::future::Cache;
-use oid_registry::{Oid, OID_SIG_ED25519};
 use poem::{error::ResponseError, http::StatusCode, IntoResponse, Request};
 use poem_openapi::{auth::Bearer, payload::Json, SecurityScheme};
 use rbac_registration::{
-    cardano::cip509::{Cip509, LocalRefInt, RoleNumber},
+    cardano::cip509::{Cip509, RoleNumber},
     registration::cardano::RegistrationChain,
 };
 use tracing::{error, warn};
-use x509_cert::Certificate;
 
 use super::token::CatalystRBACTokenV1;
 use crate::{
@@ -161,6 +158,7 @@ async fn checker_api_catalyst_auth(
     // }
 
     // Step 8: get the latest stable signing certificate registered for Role 0.
+
     let public_key = last_signing_key(token.network(), &registrations)
         .await
         .map_err(|e| {
@@ -233,41 +231,10 @@ async fn last_signing_key(
     let chain = registration_chain(network, indexed_registrations)
         .await
         .context("Failed to build registration chain")?;
-    let key_ref = chain
-        .role_data()
-        .get(&RoleNumber::ROLE_0)
-        .context("Missing role 0 data")?
-        .data()
-        .signing_key()
-        .context("Missing signing key")?;
-    match key_ref.local_ref {
-        LocalRefInt::X509Certs => {
-            let cert = &chain
-                .x509_certs()
-                .get(&key_ref.key_offset)
-                .context("Missing X509 role 0 certificate")?
-                .last()
-                .and_then(|p| p.data().as_ref())
-                .context("Unable to get last X509 role 0 certificate")?;
-            x509_key(cert)
-        },
-        LocalRefInt::C509Certs => {
-            let cert = &chain
-                .c509_certs()
-                .get(&key_ref.key_offset)
-                .context("Missing C509 role 0 certificate")?
-                .last()
-                .and_then(|p| p.data().as_ref())
-                .context("Unable to get last C509 role 0 certificate")?;
-            c509_key(cert)
-        },
-        LocalRefInt::PubKeys => {
-            // We check this during Cip509 validation.
-            Err(anyhow!(
-                "Invalid signing key for role 0: it must reference a certificate, not public key"
-            ))
-        },
-    }
+    chain
+        .get_latest_signing_pk_for_role(&RoleNumber::ROLE_0)
+        .ok_or(anyhow!("Cannot find latest role 0 public key"))
+        .map(|(pk, _)| pk)
 }
 
 /// Build a registration chain from the given indexed data.
@@ -328,68 +295,3 @@ async fn registration(network: Network, slot: Slot, txn_index: TxnIndex) -> anyh
         .context("Invalid RBAC registration")?
         .context("No RBAC registration at this block and txn index")
 }
-
-/// Returns `VerifyingKey` from the given X509 certificate.
-fn x509_key(cert: &Certificate) -> anyhow::Result<VerifyingKey> {
-    let oid: Oid = cert
-        .tbs_certificate
-        .subject_public_key_info
-        .algorithm
-        .oid
-        .to_string()
-        .parse()
-        // `Context` cannot be used here because `OidParseError` doesn't implement `std::Error`.
-        .map_err(|e| anyhow!("Invalid signature algorithm OID: {e:?}"))?;
-    check_signature_algorithm(&oid)?;
-    let extended_public_key = cert
-        .tbs_certificate
-        .subject_public_key_info
-        .subject_public_key
-        .as_bytes()
-        .context("Invalid subject_public_key value (has unused bits)")?;
-    verifying_key(extended_public_key).context("Unable to get verifying key from X509 certificate")
-}
-
-/// Returns `VerifyingKey` from the given C509 certificate.
-fn c509_key(cert: &C509) -> anyhow::Result<VerifyingKey> {
-    let oid = cert
-        .tbs_cert()
-        .subject_public_key_algorithm()
-        .algo_identifier()
-        .oid();
-    check_signature_algorithm(oid)?;
-    verifying_key(cert.tbs_cert().subject_public_key())
-        .context("Unable to get verifying key from C509 certificate")
-}
-
-/// Checks that the signature algorithm is supported.
-fn check_signature_algorithm(oid: &Oid) -> anyhow::Result<()> {
-    // Currently the only supported signature algorithm is ED25519.
-    if *oid != OID_SIG_ED25519 {
-        return Err(anyhow!("Unsupported signature algorithm: {oid}"));
-    }
-    Ok(())
-}
-
-// TODO: The very similar logic exists in the `rbac-registration` crate. It should be
-// moved somewhere and reused. See https://github.com/input-output-hk/catalyst-voices/issues/1952
-/// Creates `VerifyingKey` from the given extended public key.
-fn verifying_key(extended_public_key: &[u8]) -> anyhow::Result<VerifyingKey> {
-    /// An extender public key length in bytes.
-    const EXTENDED_PUBLIC_KEY_LENGTH: usize = 64;
-
-    if extended_public_key.len() != EXTENDED_PUBLIC_KEY_LENGTH {
-        return Err(anyhow!(
-            "Unexpected extended public key length in certificate: {}, expected {EXTENDED_PUBLIC_KEY_LENGTH}",
-            extended_public_key.len()
-        ));
-    }
-    // This should never fail because of the check above.
-    let public_key = extended_public_key
-        .get(0..PUBLIC_KEY_LENGTH)
-        .context("Unable to get public key part")?;
-    let bytes: &[u8; PUBLIC_KEY_LENGTH] = public_key
-        .try_into()
-        .context("Invalid public key length in X509 certificate")?;
-    VerifyingKey::from_bytes(bytes).context("Invalid public key in X509 certificate")
-}

catalyst-gateway/tests/api_tests/Earthfile

@@ -1,7 +1,7 @@
 VERSION 0.8
 
 IMPORT github.com/input-output-hk/catalyst-ci/earthly/python:v3.3.1 AS python-ci
-IMPORT github.com/input-output-hk/catalyst-libs/rust:r20250227-00 AS cat-libs-rust
+IMPORT github.com/input-output-hk/catalyst-libs/rust:r20250330-00 AS cat-libs-rust
 
 builder:
     FROM python-ci+python-base