feat(cat-gateway): Bumped cat-libs, include Catalyst Signed Docs time based validation (#2146)

* add signed doc time based validation

* fix spelling

* wip

* wip

* remove usage of uuid7 lib, replace it with the custom impl

* Update catalyst-gateway/bin/src/settings/signed_doc.rs

Co-authored-by: Steven Johnson <[email protected]>

---------

Co-authored-by: Steven Johnson <[email protected]>

Author: Mr-Leshiy

catalyst-gateway/bin/Cargo.toml

@@ -15,11 +15,11 @@ repository.workspace = true
 workspace = true
 
 [dependencies]
-cardano-chain-follower = { version = "0.0.8", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250401-01" }
-rbac-registration = { version = "0.0.4", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250401-01" }
-catalyst-types = { version = "0.0.3", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250401-01" }
-cardano-blockchain-types = { version = "0.0.3", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250401-01" }
-catalyst-signed-doc = { version = "0.0.4", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250401-01" }
+cardano-chain-follower = { version = "0.0.8", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250406-00" }
+rbac-registration = { version = "0.0.4", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250406-00" }
+catalyst-types = { version = "0.0.3", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250406-00" }
+cardano-blockchain-types = { version = "0.0.3", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250406-00" }
+catalyst-signed-doc = { version = "0.0.4", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250406-00" }
 
 pallas = { version = "0.30.1", git = "https://github.com/input-output-hk/catalyst-pallas.git", rev = "9b5183c8b90b90fe2cc319d986e933e9518957b3" }
 pallas-traverse = { version = "0.30.1", git = "https://github.com/input-output-hk/catalyst-pallas.git", rev = "9b5183c8b90b90fe2cc319d986e933e9518957b3" }

catalyst-gateway/bin/src/service/api/documents/get_document.rs

@@ -7,6 +7,7 @@ use super::templates::get_doc_static_template;
 use crate::{
     db::event::{error::NotFoundError, signed_docs::FullSignedDoc},
     service::common::{responses::WithErrorResponses, types::payload::cbor::Cbor},
+    settings::Settings,
 };
 
 /// Endpoint responses.
@@ -71,4 +72,14 @@ impl catalyst_signed_doc::providers::CatalystSignedDocumentProvider for DocProvi
             Err(err) => Err(err),
         }
     }
+
+    fn future_threshold(&self) -> Option<std::time::Duration> {
+        let signed_doc_cfg = Settings::signed_doc_cfg();
+        Some(signed_doc_cfg.future_threshold())
+    }
+
+    fn past_threshold(&self) -> Option<std::time::Duration> {
+        let signed_doc_cfg = Settings::signed_doc_cfg();
+        Some(signed_doc_cfg.past_threshold())
+    }
 }

catalyst-gateway/bin/src/settings/mod.rs

@@ -23,6 +23,7 @@ use crate::{
 
 pub(crate) mod cassandra_db;
 pub(crate) mod chain_follower;
+pub(crate) mod signed_doc;
 mod str_env_var;
 
 /// Default address to start service on, '0.0.0.0:3030'.
@@ -136,6 +137,9 @@ struct EnvVars {
     /// The Chain Follower configuration
     chain_follower: chain_follower::EnvVars,
 
+    /// The Catalyst Signed Documents configuration
+    signed_doc: signed_doc::EnvVars,
+
     /// Internal API Access API Key
     internal_api_key: Option<StringEnvVar>,
 
@@ -211,6 +215,7 @@ static ENV_VARS: LazyLock<EnvVars> = LazyLock::new(|| {
             cassandra_db::VOLATILE_NAMESPACE_DEFAULT,
         ),
         chain_follower: chain_follower::EnvVars::new(),
+        signed_doc: signed_doc::EnvVars::new(),
         internal_api_key: StringEnvVar::new_optional("INTERNAL_API_KEY", true),
         check_config_tick: StringEnvVar::new_as_duration(
             "CHECK_CONFIG_TICK",
@@ -307,6 +312,11 @@ impl Settings {
         ENV_VARS.chain_follower.clone()
     }
 
+    /// Get the configuration of the Catalyst Signed Documents.
+    pub(crate) fn signed_doc_cfg() -> signed_doc::EnvVars {
+        ENV_VARS.signed_doc.clone()
+    }
+
     /// Chain Follower network (The Blockchain network we are configured to use).
     /// Note: Catalyst Gateway can ONLY follow one network at a time.
     pub(crate) fn cardano_network() -> Network {

catalyst-gateway/bin/src/settings/signed_doc.rs

@@ -0,0 +1,49 @@
+//! Command line and environment variable settings for the Catalyst Signed Docs
+
+use std::time::Duration;
+
+use super::str_env_var::StringEnvVar;
+
+/// Default number value of `future_threshold`, 30 seconds.
+const DEFAULT_FUTURE_THRESHOLD: Duration = Duration::from_secs(30);
+
+/// Default number value of `past_threshold`, 10 minutes.
+const DEFAULT_PAST_THRESHOLD: Duration = Duration::from_secs(60 * 10);
+
+/// Configuration for the Catalyst Signed Documents validation configuration.
+#[derive(Clone)]
+pub(crate) struct EnvVars {
+    /// The Catalyst Signed Document threshold, document cannot be too far in the future.
+    future_threshold: Duration,
+
+    /// The Catalyst Signed Document threshold, document cannot be too far behind.
+    past_threshold: Duration,
+}
+
+impl EnvVars {
+    /// Create a config for Catalyst Signed Document validation configuration.
+    pub(super) fn new() -> Self {
+        let future_threshold =
+            StringEnvVar::new_as_duration("SIGNED_DOC_FUTURE_THRESHOLD", DEFAULT_FUTURE_THRESHOLD);
+
+        let past_threshold =
+            StringEnvVar::new_as_duration("SIGNED_DOC_PAST_THRESHOLD", DEFAULT_PAST_THRESHOLD);
+
+        Self {
+            future_threshold,
+            past_threshold,
+        }
+    }
+
+    /// The Catalyst Signed Document threshold, document cannot be too far in the future
+    /// (in seconds).
+    pub(crate) fn future_threshold(&self) -> Duration {
+        self.future_threshold
+    }
+
+    /// The Catalyst Signed Document threshold, document cannot be too far behind
+    /// (in seconds).
+    pub(crate) fn past_threshold(&self) -> Duration {
+        self.past_threshold
+    }
+}

catalyst-gateway/tests/api_tests/integration/test_signed_doc.py

@@ -1,11 +1,10 @@
 import pytest
 from loguru import logger
-from utils import health, signed_doc
+from utils import health, signed_doc, uuid_v7
 from api.v1 import document
 import os
 import json
 from typing import Dict, Any, List
-from uuid_extensions import uuid7str
 import copy
 from utils.auth_token import rbac_auth_token_factory
 
@@ -70,7 +69,7 @@ def comment_templates() -> List[str]:
 def proposal_doc_factory(proposal_templates, rbac_auth_token_factory):
     def __proposal_doc_factory() -> SignedDocument:
         rbac_auth_token = rbac_auth_token_factory()
-        proposal_doc_id = uuid7str()
+        proposal_doc_id = uuid_v7.uuid_v7()
         proposal_metadata_json = {
             "id": proposal_doc_id,
             "ver": proposal_doc_id,
@@ -99,11 +98,13 @@ def __proposal_doc_factory() -> SignedDocument:
 
 # return a Comment document which is already published to the cat-gateway
 @pytest.fixture
-def comment_doc_factory(proposal_doc_factory, comment_templates, rbac_auth_token_factory) -> SignedDocument:
+def comment_doc_factory(
+    proposal_doc_factory, comment_templates, rbac_auth_token_factory
+) -> SignedDocument:
     def __comment_doc_factory() -> SignedDocument:
         rbac_auth_token = rbac_auth_token_factory()
         proposal_doc = proposal_doc_factory()
-        comment_doc_id = uuid7str()
+        comment_doc_id = uuid_v7.uuid_v7()
         comment_metadata_json = {
             "id": comment_doc_id,
             "ver": comment_doc_id,
@@ -136,7 +137,7 @@ def submission_action_factory(
     def __submission_action_factory() -> SignedDocument:
         rbac_auth_token = rbac_auth_token_factory()
         proposal_doc = proposal_doc_factory()
-        submission_action_id = uuid7str()
+        submission_action_id = uuid_v7.uuid_v7()
         sub_action_metadata_json = {
             "id": submission_action_id,
             "ver": submission_action_id,
@@ -190,7 +191,9 @@ def test_proposal_doc(proposal_doc_factory, rbac_auth_token_factory):
     ), f"Failed to get document: {resp.status_code} - {resp.text}"
 
     # Post a signed document with filter ID
-    resp = document.post("/index", filter={"id": {"eq": proposal_doc_id}}, token=rbac_auth_token)
+    resp = document.post(
+        "/index", filter={"id": {"eq": proposal_doc_id}}, token=rbac_auth_token
+    )
     assert (
         resp.status_code == 200
     ), f"Failed to post document: {resp.status_code} - {resp.text}"
@@ -205,7 +208,7 @@ def test_proposal_doc(proposal_doc_factory, rbac_auth_token_factory):
 
     # Put a signed document with same ID, but different version and different content
     new_doc = proposal_doc.copy()
-    new_doc.metadata["ver"] = uuid7str()
+    new_doc.metadata["ver"] = uuid_v7.uuid_v7()
     new_doc.content["setup"]["title"]["title"] = "another title"
     resp = document.put(data=new_doc.hex(), token=rbac_auth_token)
     assert (
@@ -214,15 +217,15 @@ def test_proposal_doc(proposal_doc_factory, rbac_auth_token_factory):
 
     # Put a proposal document with the not known template field
     invalid_doc = proposal_doc.copy()
-    invalid_doc.metadata["template"] = {"id": uuid7str()}
+    invalid_doc.metadata["template"] = {"id": uuid_v7.uuid_v7()}
     resp = document.put(data=invalid_doc.hex(), token=rbac_auth_token)
     assert (
         resp.status_code == 422
     ), f"Publish document, expected 422 Unprocessable Content: {resp.status_code} - {resp.text}"
 
     # Put a proposal document with empty content
     invalid_doc = proposal_doc.copy()
-    invalid_doc.metadata["ver"] = uuid7str()
+    invalid_doc.metadata["ver"] = uuid_v7.uuid_v7()
     invalid_doc.content = {}
     resp = document.put(data=invalid_doc.hex(), token=rbac_auth_token)
     assert (
@@ -250,14 +253,16 @@ def test_comment_doc(comment_doc_factory, rbac_auth_token_factory):
     ), f"Failed to get document: {resp.status_code} - {resp.text}"
 
     # Post a signed document with filter ID
-    resp = document.post("/index", filter={"id": {"eq": comment_doc_id}}, token=rbac_auth_token)
+    resp = document.post(
+        "/index", filter={"id": {"eq": comment_doc_id}}, token=rbac_auth_token
+    )
     assert (
         resp.status_code == 200
     ), f"Failed to post document: {resp.status_code} - {resp.text}"
 
     # Put a comment document with empty content
     invalid_doc = comment_doc.copy()
-    invalid_doc.metadata["ver"] = uuid7str()
+    invalid_doc.metadata["ver"] = uuid_v7.uuid_v7()
     invalid_doc.content = {}
     resp = document.put(data=invalid_doc.hex(), token=rbac_auth_token)
     assert (
@@ -266,7 +271,7 @@ def test_comment_doc(comment_doc_factory, rbac_auth_token_factory):
 
     # Put a comment document referencing to the not known proposal
     invalid_doc = comment_doc.copy()
-    invalid_doc.metadata["ref"] = {"id": uuid7str()}
+    invalid_doc.metadata["ref"] = {"id": uuid_v7.uuid_v7()}
     resp = document.put(data=invalid_doc.hex(), token=rbac_auth_token)
     assert (
         resp.status_code == 422
@@ -293,7 +298,9 @@ def test_submission_action(submission_action_factory, rbac_auth_token_factory):
     ), f"Failed to get document: {resp.status_code} - {resp.text}"
 
     # Post a signed document with filter ID
-    resp = document.post("/index", filter={"id": {"eq": submission_action_id}}, token=rbac_auth_token)
+    resp = document.post(
+        "/index", filter={"id": {"eq": submission_action_id}}, token=rbac_auth_token
+    )
     assert (
         resp.status_code == 200
     ), f"Failed to post document: {resp.status_code} - {resp.text}"
@@ -308,7 +315,7 @@ def test_submission_action(submission_action_factory, rbac_auth_token_factory):
 
     # Put a submission action document referencing an unknown proposal
     invalid_doc = submission_action.copy()
-    invalid_doc.metadata["ref"] = {"id": uuid7str()}
+    invalid_doc.metadata["ref"] = {"id": uuid_v7.uuid_v7()}
     resp = document.put(data=invalid_doc.hex(), token=rbac_auth_token)
     assert (
         resp.status_code == 422
@@ -325,7 +332,7 @@ def test_document_index_endpoint(proposal_doc_factory, rbac_auth_token_factory):
     for _ in range(total_amount - 1):
         doc = first_proposal.copy()
         # keep the same id, but different version
-        doc.metadata["ver"] = uuid7str()
+        doc.metadata["ver"] = uuid_v7.uuid_v7()
         resp = document.put(data=doc.hex(), token=rbac_auth_token)
         assert (
             resp.status_code == 201
@@ -335,9 +342,7 @@ def test_document_index_endpoint(proposal_doc_factory, rbac_auth_token_factory):
     page = 0
     filter = {"id": {"eq": first_proposal.metadata["id"]}}
     resp = document.post(
-        f"/index?limit={limit}&page={page}",
-        filter=filter,
-        token=rbac_auth_token
+        f"/index?limit={limit}&page={page}", filter=filter, token=rbac_auth_token
     )
     assert (
         resp.status_code == 200
@@ -350,9 +355,7 @@ def test_document_index_endpoint(proposal_doc_factory, rbac_auth_token_factory):
 
     page += 1
     resp = document.post(
-        f"/index?limit={limit}&page={page}",
-        filter=filter,
-        token=rbac_auth_token
+        f"/index?limit={limit}&page={page}", filter=filter, token=rbac_auth_token
     )
     assert (
         resp.status_code == 200
@@ -364,9 +367,7 @@ def test_document_index_endpoint(proposal_doc_factory, rbac_auth_token_factory):
     assert data["page"]["remaining"] == total_amount - 1 - page
 
     resp = document.post(
-        f"/index?limit={total_amount}",
-        filter=filter,
-        token=rbac_auth_token
+        f"/index?limit={total_amount}", filter=filter, token=rbac_auth_token
     )
     assert (
         resp.status_code == 200
@@ -378,9 +379,7 @@ def test_document_index_endpoint(proposal_doc_factory, rbac_auth_token_factory):
 
     # Pagination out of range
     resp = document.post(
-        "/index?page=92233720368547759",
-        filter={},
-        token=rbac_auth_token
+        "/index?page=92233720368547759", filter={}, token=rbac_auth_token
     )
     assert (
         resp.status_code == 412

catalyst-gateway/tests/api_tests/poetry.lock

@@ -20,7 +20,6 @@ requests = "^2.32.3"
 pytest = "^8.0.0"
 python-bitcoinlib = "^0.12.2"
 pytest-cov = "^5.0.0"
-uuid7 = "^0.1.0"
 cryptography = "^44.0.2"
 
 [build-system]

catalyst-gateway/tests/api_tests/pyproject.toml

@@ -0,0 +1,23 @@
+import time
+import os
+
+
+def uuid_v7() -> str:
+    # random bytes
+    value = bytearray(os.urandom(16))
+    # current timestamp in ms
+    timestamp = int(time.time() * 1000)
+
+    # timestamp
+    value[0] = (timestamp >> 40) & 0xFF
+    value[1] = (timestamp >> 32) & 0xFF
+    value[2] = (timestamp >> 24) & 0xFF
+    value[3] = (timestamp >> 16) & 0xFF
+    value[4] = (timestamp >> 8) & 0xFF
+    value[5] = timestamp & 0xFF
+
+    # version and variant
+    value[6] = (value[6] & 0x0F) | 0x70
+    value[8] = (value[8] & 0x3F) | 0x80
+
+    return f"{value[:4].hex()}-{value[4:6].hex()}-{value[6:8].hex()}-{value[8:10].hex()}-{value[10:].hex()}"