Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feat introduced icp nonces for context contract #1031

Open
wants to merge 28 commits into
base: feat--add-near-calls-nonce
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
945be8f
fix: remove timestamp from contracts
frdomovic Dec 20, 2024
bbd07ee
fix: tests 2
frdomovic Dec 20, 2024
964fa46
fix: removed prints in mock contract, optimized proxy contract deploy…
alenmestrov Dec 20, 2024
9bbc038
feat: introduced nonces in icp context contract
alenmestrov Dec 20, 2024
545b72d
fix: lint
alenmestrov Dec 20, 2024
39e5c26
fix: check the transfer result before doing cross contract call
alenmestrov Dec 20, 2024
2fa86ac
fix: resolved PR comments
alenmestrov Dec 20, 2024
d3d22a7
fix:lint
alenmestrov Dec 20, 2024
fcd5b3a
fix: reverted back grouping of members and nonces
alenmestrov Dec 20, 2024
14db1bb
fix: lint
alenmestrov Dec 20, 2024
bc99546
fix: resolved PR comments
alenmestrov Dec 20, 2024
244aab0
simplify nonce validation
miraclx Dec 20, 2024
0182e26
prevent spurious proxy deployment for existing context
miraclx Dec 20, 2024
647192c
pulled latest changes
alenmestrov Dec 23, 2024
f440214
fix: removed mock_ledger from Cargo
alenmestrov Dec 23, 2024
dcac961
fix: lint
alenmestrov Dec 23, 2024
d73e5e5
merged feat--add-near-calls-nonce
alenmestrov Dec 23, 2024
af88a83
fix: removed mock_ledger build process
alenmestrov Dec 23, 2024
ba80769
feat: added automated script for devnet deployment
alenmestrov Dec 23, 2024
a5f839d
fix: resolved issue with NEAR nonce
alenmestrov Dec 23, 2024
42a9528
feat: added container_ids.json file to gitignore
alenmestrov Dec 23, 2024
df5b56f
fix: check if canister_ids.json file exists before trying to delete it
alenmestrov Dec 23, 2024
84ff731
fix: fixed getting proxy contract wasm content
alenmestrov Dec 23, 2024
f99d909
fix: fixed fetching nonce encoding
alenmestrov Dec 24, 2024
95d0d1d
fix: updated script for devnet deployment, adjusted initial context c…
alenmestrov Dec 26, 2024
5fb103d
feat: implemented endpoint for fetching proxy contract ID
alenmestrov Dec 26, 2024
5ee39c9
fix: lint
alenmestrov Dec 26, 2024
8912db4
fix: cleaned deployment script and created test recipient account
alenmestrov Dec 26, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ type Result = variant { Ok; Err : text };
service : () -> {
application : (blob) -> (ICApplication) query;
application_revision : (blob) -> (nat64) query;
fetch_nonce : (blob, blob) -> (opt nat64) query;
has_member : (blob, blob) -> (bool) query;
members : (blob, nat64, nat64) -> (vec blob) query;
members_revision : (blob) -> (nat64) query;
Expand Down
1 change: 1 addition & 0 deletions contracts/icp/context-config/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ pub struct Context {
pub application: Guard<ICApplication>,
pub members: Guard<BTreeSet<ICRepr<ContextIdentity>>>,
pub proxy: Guard<Principal>,
pub member_nonces: BTreeMap<ICRepr<ContextIdentity>, u64>,
alenmestrov marked this conversation as resolved.
Show resolved Hide resolved
}

#[derive(CandidType, Deserialize, Debug)]
Expand Down
107 changes: 65 additions & 42 deletions contracts/icp/context-config/src/mutate.rs
Original file line number Diff line number Diff line change
Expand Up @@ -21,39 +21,29 @@ pub async fn mutate(signed_request: ICSigned<ICRequest>) -> Result<(), String> {
.parse(|r| *r.signer_id)
.map_err(|e| format!("Failed to verify signature: {}", e))?;

// Add debug logging
let current_time = ic_cdk::api::time() / 1_000_000;
let time_diff = current_time.saturating_sub(request.timestamp_ms);
if time_diff > 1000 * 5 {
return Err(format!(
"request expired: diff={}ms, current={}, request={}",
time_diff, current_time, request.timestamp_ms
));
}

match request.kind {
ICRequestKind::Context(ICContextRequest { context_id, kind }) => match kind {
ICContextRequestKind::Add {
author_id,
application,
} => add_context(&request.signer_id, context_id, *author_id, application).await,
ICContextRequestKind::UpdateApplication { application } => {
update_application(&request.signer_id, &context_id, application)
update_application(&request.signer_id, &context_id, request.nonce, application)
}
ICContextRequestKind::AddMembers { members } => {
add_members(&request.signer_id, &context_id, members)
add_members(&request.signer_id, &context_id, request.nonce, members)
}
ICContextRequestKind::RemoveMembers { members } => {
remove_members(&request.signer_id, &context_id, members)
remove_members(&request.signer_id, &context_id, request.nonce, members)
}
ICContextRequestKind::Grant { capabilities } => {
grant(&request.signer_id, &context_id, capabilities)
grant(&request.signer_id, &context_id, request.nonce, capabilities)
}
ICContextRequestKind::Revoke { capabilities } => {
revoke(&request.signer_id, &context_id, capabilities)
revoke(&request.signer_id, &context_id, request.nonce, capabilities)
}
ICContextRequestKind::UpdateProxyContract => {
update_proxy_contract(&request.signer_id, context_id).await
update_proxy_contract(&request.signer_id, context_id, request.nonce).await
}
},
}
Expand All @@ -79,12 +69,17 @@ async fn add_context(
application: Guard::new(author_id.rt().expect("infallible conversion"), application),
members: Guard::new(
author_id.rt().expect("infallible conversion"),
[author_id.rt().expect("infallible conversion")].into(),
[author_id.rt().expect("infallible conversion")]
.into_iter()
.collect(),
),
proxy: Guard::new(
author_id.rt().expect("infallible conversion"),
proxy_canister_id,
),
member_nonces: [(author_id.rt().expect("infallible conversion"), 0)]
.into_iter()
.collect(),
};

// Store context
Expand Down Expand Up @@ -116,7 +111,7 @@ async fn deploy_proxy_contract(context_id: ICRepr<ContextId>) -> Result<Principa
}),
};

let (canister_record,) = create_canister(create_args, 500_000_000_000_000u128)
let (canister_record,) = create_canister(create_args, 1_500_000_000_000u128)
.await
.map_err(|e| format!("Failed to create canister: {:?}", e))?;

Expand All @@ -143,23 +138,24 @@ async fn deploy_proxy_contract(context_id: ICRepr<ContextId>) -> Result<Principa
fn update_application(
signer_id: &SignerId,
context_id: &ContextId,
nonce: u64,
application: ICApplication,
) -> Result<(), String> {
with_state_mut(|configs| {
// Get the context or return error if it doesn't exist
let context = configs
.contexts
.get_mut(context_id)
.ok_or_else(|| "context does not exist".to_string())?;

// Get mutable access to the application through the Guard
// Add nonce check
check_and_increment_nonce(context, nonce, signer_id)?;

// Original implementation continues unchanged
let guard_ref = context
.application
.get(signer_id)
.map_err(|e| e.to_string())?;
let mut app_ref = guard_ref.get_mut();

// Replace the application with the new one
*app_ref = application;

Ok(())
Expand All @@ -169,22 +165,26 @@ fn update_application(
fn add_members(
signer_id: &SignerId,
context_id: &ContextId,
nonce: u64,
members: Vec<ICRepr<ContextIdentity>>,
) -> Result<(), String> {
with_state_mut(|configs| {
// Get the context or return error if it doesn't exist
let context = configs
.contexts
.get_mut(context_id)
.ok_or_else(|| "context does not exist".to_string())?;

// Get mutable access to the members through the Guard
// Check nonce
check_and_increment_nonce(context, nonce, signer_id)?;

let guard_ref = context.members.get(signer_id).map_err(|e| e.to_string())?;
let mut ctx_members = guard_ref.get_mut();

// Add each member
for member in members {
ctx_members.insert(member);
if !ctx_members.contains(&member) {
ctx_members.insert(member);
let _ignored = context.member_nonces.entry(member).or_default();
}
}

Ok(())
Expand All @@ -194,33 +194,24 @@ fn add_members(
fn remove_members(
signer_id: &SignerId,
context_id: &ContextId,
nonce: u64,
alenmestrov marked this conversation as resolved.
Show resolved Hide resolved
members: Vec<ICRepr<ContextIdentity>>,
) -> Result<(), String> {
with_state_mut(|configs| {
// Get the context or return error if it doesn't exist
let context = configs
.contexts
.get_mut(context_id)
.ok_or_else(|| "context does not exist".to_string())?;

// Get mutable access to the members through the Guard
let mut ctx_members = context
.members
.get(signer_id)
.map_err(|e| e.to_string())?
.get_mut();
// Check nonce
check_and_increment_nonce(context, nonce, signer_id)?;

let guard_ref = context.members.get(signer_id).map_err(|e| e.to_string())?;
let mut ctx_members = guard_ref.get_mut();

for member in members {
ctx_members.remove(&member);

// Revoke privileges
ctx_members
.privileges()
.revoke(&member.rt().expect("infallible conversion"));
context
.application
.privileges()
.revoke(&member.rt().expect("infallible conversion"));
context.member_nonces.remove(&member);
}

Ok(())
Expand All @@ -230,6 +221,7 @@ fn remove_members(
fn grant(
signer_id: &SignerId,
context_id: &ContextId,
nonce: u64,
capabilities: Vec<(ICRepr<ContextIdentity>, ICCapability)>,
) -> Result<(), String> {
with_state_mut(|configs| {
Expand All @@ -238,6 +230,9 @@ fn grant(
.get_mut(context_id)
.ok_or_else(|| "context does not exist".to_string())?;

// Check nonce
check_and_increment_nonce(context, nonce, signer_id)?;

for (identity, capability) in capabilities {
let is_member = context.members.deref().contains(&identity);

Expand Down Expand Up @@ -280,6 +275,7 @@ fn grant(
fn revoke(
signer_id: &SignerId,
context_id: &ContextId,
nonce: u64,
capabilities: Vec<(ICRepr<ContextIdentity>, ICCapability)>,
) -> Result<(), String> {
with_state_mut(|configs| {
Expand All @@ -288,6 +284,9 @@ fn revoke(
.get_mut(context_id)
.ok_or_else(|| "context does not exist".to_string())?;

// Check nonce
check_and_increment_nonce(context, nonce, signer_id)?;

for (identity, capability) in capabilities {
match capability {
ICCapability::ManageApplication => {
Expand Down Expand Up @@ -324,13 +323,17 @@ fn revoke(
async fn update_proxy_contract(
signer_id: &SignerId,
context_id: ICRepr<ContextId>,
nonce: u64,
) -> Result<(), String> {
let (proxy_canister_id, proxy_code) = with_state_mut(|configs| {
let context = configs
.contexts
.get_mut(&context_id)
.ok_or_else(|| "context does not exist".to_string())?;

// Check nonce
check_and_increment_nonce(context, nonce, signer_id)?;

let proxy_cannister = *context
.proxy
.get(signer_id)
Expand All @@ -356,3 +359,23 @@ async fn update_proxy_contract(

Ok(())
}

fn check_and_increment_nonce(
context: &mut Context,
nonce: u64,
signer_id: &SignerId,
) -> Result<(), String> {
let context_identity = signer_id.rt().expect("infallible conversion");
let current_nonce = context
.member_nonces
.get(&context_identity)
.copied()
.unwrap_or(0);

if current_nonce != nonce {
return Err("invalid nonce".into());
}

context.member_nonces.insert(context_identity, nonce + 1);
alenmestrov marked this conversation as resolved.
Show resolved Hide resolved
alenmestrov marked this conversation as resolved.
Show resolved Hide resolved
Ok(())
}
11 changes: 11 additions & 0 deletions contracts/icp/context-config/src/query.rs
Original file line number Diff line number Diff line change
Expand Up @@ -134,3 +134,14 @@ fn privileges(
privileges
})
}

#[ic_cdk::query]
fn fetch_nonce(context_id: ICRepr<ContextId>, member_id: ICRepr<ContextIdentity>) -> Option<u64> {
with_state(|configs| {
configs
.contexts
.get(&context_id)
.and_then(|context| context.member_nonces.get(&member_id))
.copied()
Comment on lines +141 to +145
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for consistency, we should probably panic if the context does not exist

same as we have it above

Copy link
Member

@miraclx miraclx Dec 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but should we be panicking in ICP at all? how do they handle that? since the state is in-memory, do we lose data?

})
}
Loading
Loading