Feat introduced icp nonces for context contract

contracts/icp/context-config/res/calimero_context_config_icp.did

@@ -11,6 +11,7 @@ type Result = variant { Ok; Err : text };
 service : () -> {
   application : (blob) -> (ICApplication) query;
   application_revision : (blob) -> (nat64) query;
+  fetch_nonce : (blob, blob) -> (opt nat64) query;
   has_member : (blob, blob) -> (bool) query;
   members : (blob, nat64, nat64) -> (vec blob) query;
   members_revision : (blob) -> (nat64) query;

contracts/icp/context-config/src/lib.rs

@@ -23,6 +23,7 @@ pub struct Context {
     pub application: Guard<ICApplication>,
     pub members: Guard<BTreeSet<ICRepr<ContextIdentity>>>,
     pub proxy: Guard<Principal>,
+    pub member_nonces: BTreeMap<ICRepr<ContextIdentity>, u64>,
 }
 
 #[derive(CandidType, Deserialize, Debug)]

contracts/icp/context-config/src/mutate.rs

@@ -1,3 +1,4 @@
+use std::collections::BTreeMap;
 use std::ops::Deref;
 
 use calimero_context_config::icp::repr::ICRepr;
@@ -21,39 +22,29 @@ pub async fn mutate(signed_request: ICSigned<ICRequest>) -> Result<(), String> {
         .parse(|r| *r.signer_id)
         .map_err(|e| format!("Failed to verify signature: {}", e))?;
 
-    // Add debug logging
-    let current_time = ic_cdk::api::time() / 1_000_000;
-    let time_diff = current_time.saturating_sub(request.timestamp_ms);
-    if time_diff > 1000 * 5 {
-        return Err(format!(
-            "request expired: diff={}ms, current={}, request={}",
-            time_diff, current_time, request.timestamp_ms
-        ));
-    }
-
     match request.kind {
         ICRequestKind::Context(ICContextRequest { context_id, kind }) => match kind {
             ICContextRequestKind::Add {
                 author_id,
                 application,
             } => add_context(&request.signer_id, context_id, *author_id, application).await,
             ICContextRequestKind::UpdateApplication { application } => {
-                update_application(&request.signer_id, &context_id, application)
+                update_application(&request.signer_id, &context_id, request.nonce, application)
             }
             ICContextRequestKind::AddMembers { members } => {
-                add_members(&request.signer_id, &context_id, members)
+                add_members(&request.signer_id, &context_id, request.nonce, members)
             }
             ICContextRequestKind::RemoveMembers { members } => {
-                remove_members(&request.signer_id, &context_id, members)
+                remove_members(&request.signer_id, &context_id, request.nonce, members)
             }
             ICContextRequestKind::Grant { capabilities } => {
-                grant(&request.signer_id, &context_id, capabilities)
+                grant(&request.signer_id, &context_id, request.nonce, capabilities)
             }
             ICContextRequestKind::Revoke { capabilities } => {
-                revoke(&request.signer_id, &context_id, capabilities)
+                revoke(&request.signer_id, &context_id, request.nonce, capabilities)
             }
             ICContextRequestKind::UpdateProxyContract => {
-                update_proxy_contract(&request.signer_id, context_id).await
+                update_proxy_contract(&request.signer_id, context_id, request.nonce).await
             }
         },
     }
@@ -75,7 +66,7 @@ async fn add_context(
 
     with_state_mut(|configs| {
         // Create context with guards
-        let context = Context {
+        let mut context = Context {
             application: Guard::new(author_id.rt().expect("infallible conversion"), application),
             members: Guard::new(
                 author_id.rt().expect("infallible conversion"),
@@ -85,8 +76,14 @@ async fn add_context(
                 author_id.rt().expect("infallible conversion"),
                 proxy_canister_id,
             ),
+            member_nonces: BTreeMap::new(),
         };
 
+        // Initialize the author's nonce
+        context
+            .member_nonces
+            .insert(author_id.rt().expect("infallible conversion"), 0);
+
         // Store context
         if configs.contexts.insert(context_id, context).is_some() {
             return Err("context already exists".into());
@@ -116,7 +113,7 @@ async fn deploy_proxy_contract(context_id: ICRepr<ContextId>) -> Result<Principa
         }),
     };
 
-    let (canister_record,) = create_canister(create_args, 500_000_000_000_000u128)
+    let (canister_record,) = create_canister(create_args, 850_000_000_000u128)
         .await
         .map_err(|e| format!("Failed to create canister: {:?}", e))?;
 
@@ -143,23 +140,24 @@ async fn deploy_proxy_contract(context_id: ICRepr<ContextId>) -> Result<Principa
 fn update_application(
     signer_id: &SignerId,
     context_id: &ContextId,
+    nonce: u64,
     application: ICApplication,
 ) -> Result<(), String> {
     with_state_mut(|configs| {
-        // Get the context or return error if it doesn't exist
         let context = configs
             .contexts
             .get_mut(context_id)
             .ok_or_else(|| "context does not exist".to_string())?;
 
-        // Get mutable access to the application through the Guard
+        // Add nonce check
+        check_and_increment_nonce(context, nonce, signer_id)?;
+
+        // Original implementation continues unchanged
         let guard_ref = context
             .application
             .get(signer_id)
             .map_err(|e| e.to_string())?;
         let mut app_ref = guard_ref.get_mut();
-
-        // Replace the application with the new one
         *app_ref = application;
 
         Ok(())
@@ -169,22 +167,25 @@ fn update_application(
 fn add_members(
     signer_id: &SignerId,
     context_id: &ContextId,
+    nonce: u64,
     members: Vec<ICRepr<ContextIdentity>>,
 ) -> Result<(), String> {
     with_state_mut(|configs| {
-        // Get the context or return error if it doesn't exist
         let context = configs
             .contexts
             .get_mut(context_id)
             .ok_or_else(|| "context does not exist".to_string())?;
 
-        // Get mutable access to the members through the Guard
+        // Check nonce
+        check_and_increment_nonce(context, nonce, signer_id)?;
+
+        // Rest of the function...
         let guard_ref = context.members.get(signer_id).map_err(|e| e.to_string())?;
         let mut ctx_members = guard_ref.get_mut();
 
-        // Add each member
         for member in members {
             ctx_members.insert(member);
+            context.member_nonces.insert(member, 0);
         }
 
         Ok(())
@@ -194,15 +195,18 @@ fn add_members(
 fn remove_members(
     signer_id: &SignerId,
     context_id: &ContextId,
+    nonce: u64,
     members: Vec<ICRepr<ContextIdentity>>,
 ) -> Result<(), String> {
     with_state_mut(|configs| {
-        // Get the context or return error if it doesn't exist
         let context = configs
             .contexts
             .get_mut(context_id)
             .ok_or_else(|| "context does not exist".to_string())?;
 
+        // Check nonce
+        check_and_increment_nonce(context, nonce, signer_id)?;
+
         // Get mutable access to the members through the Guard
         let mut ctx_members = context
             .members
@@ -230,6 +234,7 @@ fn remove_members(
 fn grant(
     signer_id: &SignerId,
     context_id: &ContextId,
+    nonce: u64,
     capabilities: Vec<(ICRepr<ContextIdentity>, ICCapability)>,
 ) -> Result<(), String> {
     with_state_mut(|configs| {
@@ -238,6 +243,9 @@ fn grant(
             .get_mut(context_id)
             .ok_or_else(|| "context does not exist".to_string())?;
 
+        // Check nonce
+        check_and_increment_nonce(context, nonce, signer_id)?;
+
         for (identity, capability) in capabilities {
             let is_member = context.members.deref().contains(&identity);
 
@@ -280,6 +288,7 @@ fn grant(
 fn revoke(
     signer_id: &SignerId,
     context_id: &ContextId,
+    nonce: u64,
     capabilities: Vec<(ICRepr<ContextIdentity>, ICCapability)>,
 ) -> Result<(), String> {
     with_state_mut(|configs| {
@@ -288,6 +297,9 @@ fn revoke(
             .get_mut(context_id)
             .ok_or_else(|| "context does not exist".to_string())?;
 
+        // Check nonce
+        check_and_increment_nonce(context, nonce, signer_id)?;
+
         for (identity, capability) in capabilities {
             match capability {
                 ICCapability::ManageApplication => {
@@ -324,13 +336,17 @@ fn revoke(
 async fn update_proxy_contract(
     signer_id: &SignerId,
     context_id: ICRepr<ContextId>,
+    nonce: u64,
 ) -> Result<(), String> {
     let (proxy_canister_id, proxy_code) = with_state_mut(|configs| {
         let context = configs
             .contexts
             .get_mut(&context_id)
             .ok_or_else(|| "context does not exist".to_string())?;
 
+        // Check nonce
+        check_and_increment_nonce(context, nonce, signer_id)?;
+
         let proxy_cannister = *context
             .proxy
             .get(signer_id)
@@ -356,3 +372,19 @@ async fn update_proxy_contract(
 
     Ok(())
 }
+
+fn check_and_increment_nonce(
+    context: &mut Context,
+    nonce: u64,
+    signer_id: &SignerId,
+) -> Result<(), String> {
+    let context_identity = signer_id.rt().expect("infallible conversion");
+    let current_nonce = *context.member_nonces.get(&context_identity).unwrap_or(&0);
+
+    if current_nonce != nonce {
+        return Err("invalid nonce".into());
+    }
+
+    context.member_nonces.insert(context_identity, nonce + 1);
+    Ok(())
+}

contracts/icp/context-config/src/query.rs

@@ -134,3 +134,14 @@ fn privileges(
         privileges
     })
 }
+
+#[ic_cdk::query]
+fn fetch_nonce(context_id: ICRepr<ContextId>, member_id: ICRepr<ContextIdentity>) -> Option<u64> {
+    with_state(|configs| {
+        configs
+            .contexts
+            .get(&context_id)
+            .and_then(|context| context.member_nonces.get(&member_id))
+            .copied()
+    })
+}