test(cat-gateway): Integration test for RBAC endpoint (#2453)

* test(cat-gateway): add integration test for rbac endpoint

Signed-off-by: bkioshn <[email protected]>

* test(cat-gateway): refactor

Signed-off-by: bkioshn <[email protected]>

* test(cat-gateway): fix spelling

Signed-off-by: bkioshn <[email protected]>

* test(cat-gateway): fix spelling

Signed-off-by: bkioshn <[email protected]>

* test(cat-gateway): fix spelling

Signed-off-by: bkioshn <[email protected]>

* test(cat-gateway): update test data and fix rbac_chain logic

Signed-off-by: bkioshn <[email protected]>

* test(cat-gateway): update test data

Signed-off-by: bkioshn <[email protected]>

* test(cat-gateway): typo

Signed-off-by: bkioshn <[email protected]>

* test(cat-gateway): test all role for rbac auth token

Signed-off-by: bkioshn <[email protected]>

---------

Signed-off-by: bkioshn <[email protected]>
Co-authored-by: Steven Johnson <[email protected]>

Author: bkioshn

catalyst-gateway/bin/src/service/common/types/cardano/catalyst_id.rs

@@ -1,4 +1,4 @@
-//! A Catalyst short identifier.
+//! A Catalyst identifier.
 
 // cSpell:ignoreRegExp cardano/Fftx
 
@@ -16,22 +16,22 @@ use serde_json::Value;
 /// Catalyst Id String Format
 pub(crate) const FORMAT: &str = "catalyst_id";
 
-/// Catalyst Id Pattern
-pub(crate) const PATTERN: &str = r".+\..+\/[A-Za-z0-9_-]{43}";
+/// Minimum format for Catalyst Id. (<`text`/`public_key_base64_url`>)
+pub(crate) const PATTERN: &str = r".+\/[A-Za-z0-9_-]{43}";
 
 /// A schema.
 static SCHEMA: LazyLock<MetaSchema> = LazyLock::new(|| {
     let example = Some(CatalystId::example().0.to_string().into());
     MetaSchema {
-        title: Some("Catalyst short ID".into()),
-        description: Some("Catalyst short identifier in string format"),
+        title: Some("Catalyst ID".into()),
+        description: Some("Catalyst identifier in string format"),
         example,
         pattern: Some(PATTERN.into()),
         ..MetaSchema::ANY
     }
 });
 
-/// A Catalyst short identifier.
+/// A Catalyst identifier.
 #[derive(Debug, Clone, PartialEq, Hash)]
 pub(crate) struct CatalystId(CatalystIdInner);
 

catalyst-gateway/tests/api_tests/integration/test_rbac.py

@@ -0,0 +1,48 @@
+import pytest
+from utils.rbac_chain import ONLY_ROLE_0_REG_JSON, rbac_chain_factory, RoleID
+from api.v1.rbac import get
+
+@pytest.mark.preprod_indexing
+def test_rbac_endpoints(rbac_chain_factory):
+    
+    auth_token = rbac_chain_factory(RoleID.ROLE_0).auth_token()
+    
+    # Registered stake address lookup
+    stake_address = ONLY_ROLE_0_REG_JSON["0"][0]["stake_address"]
+    resp = get(lookup=stake_address, token=auth_token)
+    assert(resp.status_code == 200), f"Expected registered stake address: {resp.status_code} - {resp.text}"
+
+    # Not registered stake address lookup
+    # Cardano test data CIP0019
+    # <https://github.com/cardano-foundation/CIPs/blob/master/CIP-0019/README.md>
+    # cspell:disable-next-line
+    stake_address = "stake_test17rphkx6acpnf78fuvxn0mkew3l0fd058hzquvz7w36x4gtcljw6kf"
+    resp = get(lookup=stake_address, token=auth_token)
+    assert(resp.status_code == 404), f"Expected not registered stake address: {resp.status_code} - {resp.text}"
+
+    # Wrong format stake address lookup
+    stake_address = "stake_invalid_address"
+    resp = get(lookup=stake_address, token=auth_token)
+    assert(resp.status_code == 412), f"Expected wrong format stake address: {resp.status_code} - {resp.text}"
+    
+    # Registered Catalyst ID lookup
+    cat_id = rbac_chain_factory(RoleID.ROLE_0).cat_id_for_role(RoleID.ROLE_0)[0]
+    resp = get(lookup=cat_id, token=auth_token)
+    assert(resp.status_code == 200), f"Expected registered cat id: {resp.status_code} - {resp.text}"
+
+    cat_id = rbac_chain_factory(RoleID.ROLE_0).short_cat_id()
+    resp = get(lookup=cat_id, token=auth_token)
+    assert(resp.status_code == 200), f"Expected registered short cat id: {resp.status_code} - {resp.text}"
+    
+    # Not registered Catalyst ID lookup
+    # <https://input-output-hk.github.io/catalyst-libs/architecture/08_concepts/rbac_id_uri/catalyst-id-uri/#test-vectors>
+    # cspell:disable-next-line
+    cat_id = "preprod.cardano/FftxFnOrj2qmTuB2oZG2v0YEWJfKvQ9Gg8AgNAhDsKE"
+    resp = get(lookup=cat_id, token=auth_token)
+    assert(resp.status_code == 404), f"Expected not registered cat id: {resp.status_code} - {resp.text}"
+        
+    # Wrong format Catalyst ID lookup
+    # cspell:disable-next-line
+    cat_id = "invalidFftxFnOrj2qmTuB2oZG2v0YEWJfKvQ9Gg8AgNAhDsKE"
+    resp = get(lookup="cat_id", token=auth_token)
+    assert(resp.status_code == 412), f"Expected wrong format cat id: {resp.status_code} - {resp.text}"

catalyst-gateway/tests/api_tests/integration/test_rbac_auth_token.py

@@ -42,7 +42,7 @@ def test_invalid_rbac_auth_token(rbac_chain_factory):
     resp = get(lookup=None, token=token)
     assert(resp.status_code == 401), f"Expected must not contain username: {resp.status_code} - {resp.text}"
 
-    # Catalyst ID not in a correct format -> 401
+    # Catalyst ID not in a correct format (Should be in short form with catid. -> 401
     token = rbac_chain_factory(RoleID.ROLE_0).auth_token(is_uri=True)
     resp = get(lookup=None, token=token)
     assert(resp.status_code == 401), f"Expected invalid Catalyst ID format: {resp.status_code} - {resp.text}"
@@ -92,18 +92,24 @@ def test_invalid_rbac_auth_token(rbac_chain_factory):
 
 @pytest.mark.preprod_indexing
 def test_valid_rbac_auth_token(rbac_chain_factory):
-    token = rbac_chain_factory(RoleID.ROLE_0).auth_token()
-    resp = get(lookup=None, token=token)
-    assert(resp.status_code == 200), f"Expected valid token that already registered: {resp.status_code} - {resp.text}"
-    
-    # X-API-Key does not match as expected value, but still pass because the nonce is valid
-    token = rbac_chain_factory(RoleID.ROLE_0).auth_token()
-    resp = get(lookup=None, token=token, extra_headers={"X-API-Key": "test"})
-    assert(resp.status_code == 200), f"Expected valid token that already registered when X-API-Key does not match {resp.status_code} - {resp.text}"
+    def test_valid_rbac_auth_token_inner(role: RoleID):
+        token = rbac_chain_factory(role).auth_token()
 
-    # X-API-Key does match the expected, nonce validation is skipped
-    nonce = int((datetime.now(timezone.utc) - timedelta(days=30)).timestamp())  
-    token = rbac_chain_factory(RoleID.ROLE_0).auth_token(nonce=nonce)
-    resp = get(lookup=None, token=token, extra_headers={"X-API-Key": "123"})
-    assert(resp.status_code == 200), f"Expected valid token that already registered when X-API-Key does match, nonce validation is skipped: {resp.status_code} - {resp.text}"
+        resp = get(lookup=None, token=token)
+        assert(resp.status_code == 200), f"Expected valid token that already registered: {resp.status_code} - {resp.text}"
+        
+        # X-API-Key does not match as expected value, but still pass because the nonce is valid
+        token = rbac_chain_factory(role).auth_token()
+        resp = get(lookup=None, token=token, extra_headers={"X-API-Key": "test"})
+        assert(resp.status_code == 200), f"Expected valid token that already registered when X-API-Key does not match {resp.status_code} - {resp.text}"
+        
+        # X-API-Key does match the expected, nonce validation is skipped
+        nonce = int((datetime.now(timezone.utc) - timedelta(days=30)).timestamp())  
+        token = rbac_chain_factory(role).auth_token(nonce=nonce)
+        resp = get(lookup=None, token=token, extra_headers={"X-API-Key": "123"})
+        assert(resp.status_code == 200), f"Expected valid token that already registered when X-API-Key does match, nonce validation is skipped: {resp.status_code} - {resp.text}"
+
+        
+    for role in RoleID:
+        test_valid_rbac_auth_token_inner(role)
 

catalyst-gateway/tests/api_tests/test_data/rbac_regs/only_role_0.jsonc

@@ -1,8 +1,11 @@
 {
-    "0": {
-        "tx_id": "e4d3c4957cfb8a77bfb7be3e320af57b6d5b2f6f36a8564b6c7921cb9b6ffd39",
-        "sk": "600f662a02d72db06c21201e2e7810042419fa769f30b5be46f92e29e7e59341f03aa7eb2c89083569968ec621f1b0c8cdc392f4d895651cc29b168522066fbe65dcadfa4e257915afe0972ef01a805adabb725daf4b7eaa997f4a7181ebd512",
-        "pk": "d0a195a645d57b9fa1d517c86f4f0c9dcfb13194f3497e555673c3687be1aea465dcadfa4e257915afe0972ef01a805adabb725daf4b7eaa997f4a7181ebd512",
-        "rotation": 0
-    }
-}
+    "0":[
+       {
+          "tx_id":"e4d3c4957cfb8a77bfb7be3e320af57b6d5b2f6f36a8564b6c7921cb9b6ffd39",
+          "sk":"600f662a02d72db06c21201e2e7810042419fa769f30b5be46f92e29e7e59341f03aa7eb2c89083569968ec621f1b0c8cdc392f4d895651cc29b168522066fbe65dcadfa4e257915afe0972ef01a805adabb725daf4b7eaa997f4a7181ebd512",
+          "pk":"d0a195a645d57b9fa1d517c86f4f0c9dcfb13194f3497e555673c3687be1aea465dcadfa4e257915afe0972ef01a805adabb725daf4b7eaa997f4a7181ebd512",
+          "stake_address":"stake_test1upkg8vzueeczrg443wkjkqhj2xk3hcz9hfe02vz48ayeqtsqeyvpf",
+          "rotation":0
+       }
+    ]
+ }

catalyst-gateway/tests/api_tests/test_data/rbac_regs/role_3.jsonc

@@ -1,14 +1,25 @@
 {
-    "0": {
-        "tx_id": "5fd71fb559d3ebf16bb0b8b30028a1d0fbbb3a983dbbe2e92eb87f851c6d205c",
-        "sk": "a8f84dd9576f9b5224da38146df1dd4c80c6aa767cb71540bd86294f62cced568ecdf07352e0b48e1ae66370352e56aba4113461ec08e13b2fed10ecc056c65fd2a76829a3b53e66af79bb0cb1efade075f0ae65eaaabb75f5106bbeef59b866",
-        "pk": "42149f1a6f1da43fcf066a473e12515b5b6216fedfc52b87bee091456981d9c6d2a76829a3b53e66af79bb0cb1efade075f0ae65eaaabb75f5106bbeef59b866",
-        "rotation": 0
-    },
-    "3": {
-        "tx_id": "5fd71fb559d3ebf16bb0b8b30028a1d0fbbb3a983dbbe2e92eb87f851c6d205c",
-        "sk": "284b1a3b46f00d99193aefe80df3797cfcd88d1058203da1b3c695315bcced5665a53e06fb76f5a5d3a5122cbaa4eba94b81d3f4c7db7ace8bf6c7340a34bfc7995bb20c59d086d671cfac83177857761a4f4badd65fee96f3b8e351ebe217b8",
-        "pk": "ac36a7c87a77de72c3404cca36029e63cdd5cc6e7b2538a52908eee983011b51995bb20c59d086d671cfac83177857761a4f4badd65fee96f3b8e351ebe217b8",
-        "rotation": 1
-    }
-}
+    "0":[
+       {
+          "tx_id":"5fd71fb559d3ebf16bb0b8b30028a1d0fbbb3a983dbbe2e92eb87f851c6d205c",
+          "sk":"a8f84dd9576f9b5224da38146df1dd4c80c6aa767cb71540bd86294f62cced568ecdf07352e0b48e1ae66370352e56aba4113461ec08e13b2fed10ecc056c65fd2a76829a3b53e66af79bb0cb1efade075f0ae65eaaabb75f5106bbeef59b866",
+          "pk":"42149f1a6f1da43fcf066a473e12515b5b6216fedfc52b87bee091456981d9c6d2a76829a3b53e66af79bb0cb1efade075f0ae65eaaabb75f5106bbeef59b866",
+          "stake_address":"stake_test1urhsxq8996yy7varz0kgr0ev2e9wltvkcr0kuzd4wwzsdzqvt0e8t",
+          "rotation":0
+       }
+    ],
+    "3":[
+       {
+          "tx_id":"5fd71fb559d3ebf16bb0b8b30028a1d0fbbb3a983dbbe2e92eb87f851c6d205c",
+          "sk":"284b1a3b46f00d99193aefe80df3797cfcd88d1058203da1b3c695315bcced5665a53e06fb76f5a5d3a5122cbaa4eba94b81d3f4c7db7ace8bf6c7340a34bfc7995bb20c59d086d671cfac83177857761a4f4badd65fee96f3b8e351ebe217b8",
+          "pk":"ac36a7c87a77de72c3404cca36029e63cdd5cc6e7b2538a52908eee983011b51995bb20c59d086d671cfac83177857761a4f4badd65fee96f3b8e351ebe217b8",
+          "rotation":0
+       },
+       {
+          "tx_id":"95f781a3db75af41d1dde5a997b9f9ab3e20035882d4a2ccafdc81cfda6f52a2",
+          "sk":"284b1a3b46f00d99193aefe80df3797cfcd88d1058203da1b3c695315bcced5665a53e06fb76f5a5d3a5122cbaa4eba94b81d3f4c7db7ace8bf6c7340a34bfc7995bb20c59d086d671cfac83177857761a4f4badd65fee96f3b8e351ebe217b8",
+          "pk":"ac36a7c87a77de72c3404cca36029e63cdd5cc6e7b2538a52908eee983011b51995bb20c59d086d671cfac83177857761a4f4badd65fee96f3b8e351ebe217b8",
+          "rotation":1
+       }
+    ]
+ }

catalyst-gateway/tests/api_tests/utils/rbac_chain.py

@@ -27,28 +27,43 @@ def __init__(self, keys_map: dict, network: str, subnet: str):
         self.subnet = subnet
 
     def auth_token(self, cid: str = None, sig: str = None, username: str = None, is_uri: bool = False, nonce: str = None) -> str:
-        role_0_keys = self.keys_map[f"{RoleID.ROLE_0}"]
+        role_0_arr = self.keys_map[f"{RoleID.ROLE_0}"]
         return generate_rbac_auth_token(
-            self.network, self.subnet, role_0_keys["pk"], role_0_keys["sk"], cid, sig, username, is_uri, nonce
+            self.network,
+            self.subnet,
+            role_0_arr[0]["pk"],
+            role_0_arr[-1]["sk"],
+            cid,
+            sig,
+            username,
+            is_uri,
+            nonce
         )
 
     # returns a role's catalyst id, with the provided role secret key
     def cat_id_for_role(self, role_id: RoleID) -> (str, str):
-        role_data = self.keys_map[f"{role_id}"]
-        role_0_pk = self.keys_map[f"{RoleID.ROLE_0}"]["pk"]
+        role_data_arr = self.keys_map[f"{role_id}"]
+        role_0_arr= self.keys_map[f"{RoleID.ROLE_0}"]
         return (
             generate_cat_id(
-                self.network,
-                self.subnet,
-                role_id,
-                role_0_pk,
-                role_data["rotation"],
-                True,
+                network=self.network,
+                subnet=self.subnet,
+                role_id=role_id,
+                pk_hex=role_0_arr[0]["pk"],
+                rotation=role_data_arr[-1]["rotation"],
+                is_uri=True,
             ),
-            role_data["sk"],
+            role_data_arr[-1]["sk"],
+        )    
+    
+    def short_cat_id(self) -> str:        
+        return generate_cat_id(
+            network=self.network,
+            subnet=self.subnet,
+            pk_hex=self.keys_map[f"{RoleID.ROLE_0}"][0]["pk"],
+            is_uri=False,
         )
 
-
 @pytest.fixture
 def rbac_chain_factory():
     def __rbac_chain_factory(role_id: RoleID, network: str = "cardano", subnet: str = "preprod") -> RBACChain:
@@ -62,26 +77,50 @@ def __rbac_chain_factory(role_id: RoleID, network: str = "cardano", subnet: str
 
     return __rbac_chain_factory
 
-
+# Default is set to URI format
+# Optional field = subnet, role id, rotation, username, nonce
 def generate_cat_id(
-    network: str, subnet: str, role_id: RoleID, pk_hex: str, rotation: int, is_uri: bool, nonce: str = None
-):
+    network: str,
+    pk_hex: str,
+    is_uri: bool = True,
+    subnet: str = None,
+    role_id: str = None,
+    rotation: str = None,
+    username: str = None,
+    nonce: str = None,
+) -> str:
     pk = bytes.fromhex(pk_hex)[:32]
+    role0_pk_b64 = base64_url(pk)
+
+    # If nonce is set to none, use current timestamp
+    # If set to empty string, use empty string (no nonce)
     if nonce is None:
         nonce = f"{int(datetime.now(timezone.utc).timestamp())}"
-    subnet = f"{subnet}." if subnet else ""
-    role0_pk_b64 = base64_url(pk)
 
-    if role_id == RoleID.ROLE_0 and rotation == 0:
-        res = f":{nonce}@{subnet}{network}/{role0_pk_b64}"
-    else:
-        res = f":{nonce}@{subnet}{network}/{role0_pk_b64}/{role_id}/{rotation}"
+    # Authority part
+    authority = ""
+    if username:
+        authority += f"{username}"
+    if nonce:
+        authority += f":{nonce}"
+    authority += "@"
 
+    if subnet:
+        authority += f"{subnet}.{network}"
+    else:
+        authority += network
+
+    # Path
+    path = f"{role0_pk_b64}"
+    if role_id:
+        path += f"/{role_id}"
+        if rotation:
+            path += f"/{rotation}"
+            
     if is_uri:
-        res = f"id.catalyst://{res}"
-
-    return res
-
+        return f"id.catalyst://{authority}/{path}"
+    else:
+        return f"{authority}/{path}"
 
 def generate_rbac_auth_token(
     network: str,
@@ -92,7 +131,7 @@ def generate_rbac_auth_token(
     sig: str = None,
     username: str = None,
     is_uri: bool = False,
-    nonce: int = None,
+    nonce: str = None,
 ) -> str:
     pk = bytes.fromhex(pk_hex)[:32]
     sk = bytes.fromhex(sk_hex)[:64]
@@ -103,7 +142,12 @@ def generate_rbac_auth_token(
 
     token_prefix = f"catid.{username}" if username else "catid."
     if cid is None:
-        cat_id = f"{token_prefix}{generate_cat_id(network, subnet, RoleID.ROLE_0, pk_hex, 0, is_uri, nonce)}."
+        cat_id = f"{token_prefix}{generate_cat_id(
+            network=network, 
+            subnet=subnet, 
+            pk_hex=pk_hex, 
+            is_uri=is_uri,
+            nonce=nonce)}."
     else:
         cat_id = f"{token_prefix}:{cid}."
 

cspell.json

@@ -182,7 +182,8 @@
         "catalyst_voices/utilities/poc_local_storage/**/**",
         "**/*.svg",
         "catalyst_voices/packages/libs/catalyst_key_derivation/lib/src/rust/**",
-        "catalyst_voices/packages/internal/catalyst_voices_driver/lib/src/browser_extensions/**"
+        "catalyst_voices/packages/internal/catalyst_voices_driver/lib/src/browser_extensions/**",
+        "catalyst-gateway/tests/api_tests/test_data/**",
     ],
     "enableFiletypes": [
         "earthfile",