aljaz/cdk
1
0
Fork 0
mirror of https://github.com/aljazceru/cdk.git synced 2025-12-20 06:05:09 +01:00
Code Issues Packages Projects Releases Wiki Activity

Clear and Blind Auth (#510)

Browse Source 
* feat: auth

* chore: corret error codes

* chore: corret error codes

* fix: feature auth in cdk-axum

* refactor: auth logging

* feat: include dleq in auth proof

* feat: mint max auth proofs

* chore: clippy
This commit is contained in:
thesimplekid
2025-03-24 11:13:22 +00:00
committed by GitHub
parent cd71cd47d9
commit be93ff2384
91 changed files with 11300 additions and 503 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
crates/cdk-sqlite/src/mint/auth/migrations/20250109143347_init.sql Normal file
View File

@@ -0,0 +1,44 @@
CREATE TABLE IF NOT EXISTS proof (
y BLOB PRIMARY KEY,
keyset_id TEXT NOT NULL,
secret TEXT NOT NULL,
c BLOB NOT NULL,
state TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS state_index ON proof(state);
CREATE INDEX IF NOT EXISTS secret_index ON proof(secret);
-- Keysets Table
CREATE TABLE IF NOT EXISTS keyset (
id TEXT PRIMARY KEY,
unit TEXT NOT NULL,
active BOOL NOT NULL,
valid_from INTEGER NOT NULL,
valid_to INTEGER,
derivation_path TEXT NOT NULL,
max_order INTEGER NOT NULL,
derivation_path_index INTEGER NOT NULL
);
CREATE INDEX IF NOT EXISTS unit_index ON keyset(unit);
CREATE INDEX IF NOT EXISTS active_index ON keyset(active);
CREATE TABLE IF NOT EXISTS blind_signature (
y BLOB PRIMARY KEY,
amount INTEGER NOT NULL,
keyset_id TEXT NOT NULL,
c BLOB NOT NULL
);
CREATE INDEX IF NOT EXISTS keyset_id_index ON blind_signature(keyset_id);
CREATE TABLE IF NOT EXISTS protected_endpoints (
endpoint TEXT PRIMARY KEY,
auth TEXT NOT NULL
);

539
crates/cdk-sqlite/src/mint/auth/mod.rs Normal file
View File

@@ -0,0 +1,539 @@
//! SQLite Mint Auth
use std::collections::HashMap;
use std::path::Path;
use std::str::FromStr;
use std::time::Duration;
use async_trait::async_trait;
use cdk_common::database::{self, MintAuthDatabase};
use cdk_common::mint::MintKeySetInfo;
use cdk_common::nuts::{AuthProof, BlindSignature, Id, PublicKey, State};
use cdk_common::{AuthRequired, ProtectedEndpoint};
use sqlx::sqlite::{SqliteConnectOptions, SqlitePool, SqlitePoolOptions};
use sqlx::Row;
use tracing::instrument;
use super::{sqlite_row_to_blind_signature, sqlite_row_to_keyset_info};
use crate::mint::Error;
/// Mint SQLite Database
#[derive(Debug, Clone)]
pub struct MintSqliteAuthDatabase {
pool: SqlitePool,
}
impl MintSqliteAuthDatabase {
/// Create new [`MintSqliteDatabase`]
pub async fn new(path: &Path) -> Result<Self, Error> {
let path = path.to_str().ok_or(Error::InvalidDbPath)?;
let db_options = SqliteConnectOptions::from_str(path)?
.busy_timeout(Duration::from_secs(5))
.read_only(false)
.create_if_missing(true)
.auto_vacuum(sqlx::sqlite::SqliteAutoVacuum::Full);
let pool = SqlitePoolOptions::new()
.max_connections(1)
.connect_with(db_options)
.await?;
Ok(Self { pool })
}
/// Migrate [`MintSqliteDatabase`]
pub async fn migrate(&self) {
sqlx::migrate!("./src/mint/auth/migrations")
.run(&self.pool)
.await
.expect("Could not run migrations");
}
}
#[async_trait]
impl MintAuthDatabase for MintSqliteAuthDatabase {
type Err = database::Error;
#[instrument(skip(self))]
async fn set_active_keyset(&self, id: Id) -> Result<(), Self::Err> {
tracing::info!("Setting auth keyset {id} active");
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
let update_res = sqlx::query(
r#"
UPDATE keyset
SET active = CASE
WHEN id = ? THEN TRUE
ELSE FALSE
END;
"#,
)
.bind(id.to_string())
.execute(&mut *transaction)
.await;
match update_res {
Ok(_) => {
transaction.commit().await.map_err(Error::from)?;
Ok(())
}
Err(err) => {
tracing::error!("SQLite Could not update keyset");
if let Err(err) = transaction.rollback().await {
tracing::error!("Could not rollback sql transaction: {}", err);
}
Err(Error::from(err).into())
}
}
}
async fn get_active_keyset_id(&self) -> Result<Option<Id>, Self::Err> {
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
let rec = sqlx::query(
r#"
SELECT id
FROM keyset
WHERE active = 1;
"#,
)
.fetch_one(&mut *transaction)
.await;
let rec = match rec {
Ok(rec) => {
transaction.commit().await.map_err(Error::from)?;
rec
}
Err(err) => match err {
sqlx::Error::RowNotFound => {
transaction.commit().await.map_err(Error::from)?;
return Ok(None);
}
_ => {
return {
if let Err(err) = transaction.rollback().await {
tracing::error!("Could not rollback sql transaction: {}", err);
}
Err(Error::SQLX(err).into())
}
}
},
};
Ok(Some(
Id::from_str(rec.try_get("id").map_err(Error::from)?).map_err(Error::from)?,
))
}
async fn add_keyset_info(&self, keyset: MintKeySetInfo) -> Result<(), Self::Err> {
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
let res = sqlx::query(
r#"
INSERT OR REPLACE INTO keyset
(id, unit, active, valid_from, valid_to, derivation_path, max_order, derivation_path_index)
VALUES (?, ?, ?, ?, ?, ?, ?, ?);
"#,
)
.bind(keyset.id.to_string())
.bind(keyset.unit.to_string())
.bind(keyset.active)
.bind(keyset.valid_from as i64)
.bind(keyset.valid_to.map(|v| v as i64))
.bind(keyset.derivation_path.to_string())
.bind(keyset.max_order)
.bind(keyset.derivation_path_index)
.execute(&mut *transaction)
.await;
match res {
Ok(_) => {
transaction.commit().await.map_err(Error::from)?;
Ok(())
}
Err(err) => {
tracing::error!("SQLite could not add keyset info");
if let Err(err) = transaction.rollback().await {
tracing::error!("Could not rollback sql transaction: {}", err);
}
Err(Error::from(err).into())
}
}
}
async fn get_keyset_info(&self, id: &Id) -> Result<Option<MintKeySetInfo>, Self::Err> {
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
let rec = sqlx::query(
r#"
SELECT *
FROM keyset
WHERE id=?;
"#,
)
.bind(id.to_string())
.fetch_one(&mut *transaction)
.await;
match rec {
Ok(rec) => {
transaction.commit().await.map_err(Error::from)?;
Ok(Some(sqlite_row_to_keyset_info(rec)?))
}
Err(err) => match err {
sqlx::Error::RowNotFound => {
transaction.commit().await.map_err(Error::from)?;
return Ok(None);
}
_ => {
tracing::error!("SQLite could not get keyset info");
if let Err(err) = transaction.rollback().await {
tracing::error!("Could not rollback sql transaction: {}", err);
}
return Err(Error::SQLX(err).into());
}
},
}
}
async fn get_keyset_infos(&self) -> Result<Vec<MintKeySetInfo>, Self::Err> {
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
let recs = sqlx::query(
r#"
SELECT *
FROM keyset;
"#,
)
.fetch_all(&mut *transaction)
.await
.map_err(Error::from);
match recs {
Ok(recs) => {
transaction.commit().await.map_err(Error::from)?;
Ok(recs
.into_iter()
.map(sqlite_row_to_keyset_info)
.collect::<Result<_, _>>()?)
}
Err(err) => {
tracing::error!("SQLite could not get keyset info");
if let Err(err) = transaction.rollback().await {
tracing::error!("Could not rollback sql transaction: {}", err);
}
Err(err.into())
}
}
}
async fn add_proof(&self, proof: AuthProof) -> Result<(), Self::Err> {
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
if let Err(err) = sqlx::query(
r#"
INSERT INTO proof
(y, keyset_id, secret, c, state)
VALUES (?, ?, ?, ?, ?);
"#,
)
.bind(proof.y()?.to_bytes().to_vec())
.bind(proof.keyset_id.to_string())
.bind(proof.secret.to_string())
.bind(proof.c.to_bytes().to_vec())
.bind("UNSPENT")
.execute(&mut *transaction)
.await
.map_err(Error::from)
{
tracing::debug!("Attempting to add known proof. Skipping.... {:?}", err);
}
transaction.commit().await.map_err(Error::from)?;
Ok(())
}
async fn get_proofs_states(&self, ys: &[PublicKey]) -> Result<Vec<Option<State>>, Self::Err> {
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
let sql = format!(
"SELECT y, state FROM proof WHERE y IN ({})",
"?,".repeat(ys.len()).trim_end_matches(',')
);
let mut current_states = ys
.iter()
.fold(sqlx::query(&sql), |query, y| {
query.bind(y.to_bytes().to_vec())
})
.fetch_all(&mut *transaction)
.await
.map_err(|err| {
tracing::error!("SQLite could not get state of proof: {err:?}");
Error::SQLX(err)
})?
.into_iter()
.map(|row| {
PublicKey::from_slice(row.get("y"))
.map_err(Error::from)
.and_then(|y| {
let state: String = row.get("state");
State::from_str(&state)
.map_err(Error::from)
.map(|state| (y, state))
})
})
.collect::<Result<HashMap<_, _>, _>>()?;
Ok(ys.iter().map(|y| current_states.remove(y)).collect())
}
async fn update_proof_state(
&self,
y: &PublicKey,
proofs_state: State,
) -> Result<Option<State>, Self::Err> {
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
// Get current state for single y
let current_state = sqlx::query("SELECT state FROM proof WHERE y = ?")
.bind(y.to_bytes().to_vec())
.fetch_optional(&mut *transaction)
.await
.map_err(|err| {
tracing::error!("SQLite could not get state of proof: {err:?}");
Error::SQLX(err)
})?
.map(|row| {
let state: String = row.get("state");
State::from_str(&state).map_err(Error::from)
})
.transpose()?;
// Update state for single y
sqlx::query("UPDATE proof SET state = ? WHERE state != ? AND y = ?")
.bind(proofs_state.to_string())
.bind(State::Spent.to_string())
.bind(y.to_bytes().to_vec())
.execute(&mut *transaction)
.await
.map_err(|err| {
tracing::error!("SQLite could not update proof state: {err:?}");
Error::SQLX(err)
})?;
transaction.commit().await.map_err(Error::from)?;
Ok(current_state)
}
async fn add_blind_signatures(
&self,
blinded_messages: &[PublicKey],
blind_signatures: &[BlindSignature],
) -> Result<(), Self::Err> {
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
for (message, signature) in blinded_messages.iter().zip(blind_signatures) {
let res = sqlx::query(
r#"
INSERT INTO blind_signature
(y, amount, keyset_id, c)
VALUES (?, ?, ?, ?);
"#,
)
.bind(message.to_bytes().to_vec())
.bind(u64::from(signature.amount) as i64)
.bind(signature.keyset_id.to_string())
.bind(signature.c.to_bytes().to_vec())
.execute(&mut *transaction)
.await;
if let Err(err) = res {
tracing::error!("SQLite could not add blind signature");
if let Err(err) = transaction.rollback().await {
tracing::error!("Could not rollback sql transaction: {}", err);
}
return Err(Error::SQLX(err).into());
}
}
transaction.commit().await.map_err(Error::from)?;
Ok(())
}
async fn get_blind_signatures(
&self,
blinded_messages: &[PublicKey],
) -> Result<Vec<Option<BlindSignature>>, Self::Err> {
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
let sql = format!(
"SELECT * FROM blind_signature WHERE y IN ({})",
"?,".repeat(blinded_messages.len()).trim_end_matches(',')
);
let mut blinded_signatures = blinded_messages
.iter()
.fold(sqlx::query(&sql), |query, y| {
query.bind(y.to_bytes().to_vec())
})
.fetch_all(&mut *transaction)
.await
.map_err(|err| {
tracing::error!("SQLite could not get state of proof: {err:?}");
Error::SQLX(err)
})?
.into_iter()
.map(|row| {
PublicKey::from_slice(row.get("y"))
.map_err(Error::from)
.and_then(|y| sqlite_row_to_blind_signature(row).map(|blinded| (y, blinded)))
})
.collect::<Result<HashMap<_, _>, _>>()?;
Ok(blinded_messages
.iter()
.map(|y| blinded_signatures.remove(y))
.collect())
}
async fn add_protected_endpoints(
&self,
protected_endpoints: HashMap<ProtectedEndpoint, AuthRequired>,
) -> Result<(), Self::Err> {
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
for (endpoint, auth) in protected_endpoints.iter() {
if let Err(err) = sqlx::query(
r#"
INSERT OR REPLACE INTO protected_endpoints
(endpoint, auth)
VALUES (?, ?);
"#,
)
.bind(serde_json::to_string(endpoint)?)
.bind(serde_json::to_string(auth)?)
.execute(&mut *transaction)
.await
.map_err(Error::from)
{
tracing::debug!(
"Attempting to add protected endpoint. Skipping.... {:?}",
err
);
}
}
transaction.commit().await.map_err(Error::from)?;
Ok(())
}
async fn remove_protected_endpoints(
&self,
protected_endpoints: Vec<ProtectedEndpoint>,
) -> Result<(), Self::Err> {
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
let sql = format!(
"DELETE FROM protected_endpoints WHERE endpoint IN ({})",
std::iter::repeat("?")
.take(protected_endpoints.len())
.collect::<Vec<_>>()
.join(",")
);
let endpoints = protected_endpoints
.iter()
.map(serde_json::to_string)
.collect::<Result<Vec<_>, _>>()?;
endpoints
.iter()
.fold(sqlx::query(&sql), |query, endpoint| query.bind(endpoint))
.execute(&mut *transaction)
.await
.map_err(Error::from)?;
transaction.commit().await.map_err(Error::from)?;
Ok(())
}
async fn get_auth_for_endpoint(
&self,
protected_endpoint: ProtectedEndpoint,
) -> Result<Option<AuthRequired>, Self::Err> {
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
let rec = sqlx::query(
r#"
SELECT *
FROM protected_endpoints
WHERE endpoint=?;
"#,
)
.bind(serde_json::to_string(&protected_endpoint)?)
.fetch_one(&mut *transaction)
.await;
match rec {
Ok(rec) => {
transaction.commit().await.map_err(Error::from)?;
let auth: String = rec.try_get("auth").map_err(Error::from)?;
Ok(Some(serde_json::from_str(&auth)?))
}
Err(err) => match err {
sqlx::Error::RowNotFound => {
transaction.commit().await.map_err(Error::from)?;
return Ok(None);
}
_ => {
return {
if let Err(err) = transaction.rollback().await {
tracing::error!("Could not rollback sql transaction: {}", err);
}
Err(Error::SQLX(err).into())
}
}
},
}
}
async fn get_auth_for_endpoints(
&self,
) -> Result<HashMap<ProtectedEndpoint, Option<AuthRequired>>, Self::Err> {
let mut transaction = self.pool.begin().await.map_err(Error::from)?;
let recs = sqlx::query(
r#"
SELECT *
FROM protected_endpoints
"#,
)
.fetch_all(&mut *transaction)
.await;
match recs {
Ok(recs) => {
transaction.commit().await.map_err(Error::from)?;
let mut endpoints = HashMap::new();
for rec in recs {
let auth: String = rec.try_get("auth").map_err(Error::from)?;
let endpoint: String = rec.try_get("endpoint").map_err(Error::from)?;
let endpoint: ProtectedEndpoint = serde_json::from_str(&endpoint)?;
let auth: AuthRequired = serde_json::from_str(&auth)?;
endpoints.insert(endpoint, Some(auth));
}
Ok(endpoints)
}
Err(err) => {
tracing::error!("SQLite could not get protected endpoints");
if let Err(err) = transaction.rollback().await {
tracing::error!("Could not rollback sql transaction: {}", err);
}
Err(Error::from(err).into())
}
}
}
}

19
crates/cdk-sqlite/src/mint/mod.rs
View File

@@ -26,9 +26,14 @@ use uuid::Uuid;
use crate::common::create_sqlite_pool;
#[cfg(feature = "auth")]
mod auth;
pub mod error;
pub mod memory;
#[cfg(feature = "auth")]
pub use auth::MintSqliteAuthDatabase;
/// Mint SQLite Database
#[derive(Debug, Clone)]
pub struct MintSqliteDatabase {
@@ -1565,7 +1570,7 @@ fn sqlite_row_to_keyset_info(row: SqliteRow) -> Result<MintKeySetInfo, Error> {
let row_valid_to: Option<i64> = row.try_get("valid_to").map_err(Error::from)?;
let row_derivation_path: String = row.try_get("derivation_path").map_err(Error::from)?;
let row_max_order: u8 = row.try_get("max_order").map_err(Error::from)?;
let row_keyset_ppk: Option<i64> = row.try_get("input_fee_ppk").map_err(Error::from)?;
let row_keyset_ppk: Option<i64> = row.try_get("input_fee_ppk").ok();
let row_derivation_path_index: Option<i64> =
row.try_get("derivation_path_index").map_err(Error::from)?;
@@ -1748,7 +1753,7 @@ mod tests {
// Create a keyset and add it to the database
let keyset_id = Id::from_str("00916bbf7ef91a36").unwrap();
let keyset_info = MintKeySetInfo {
id: keyset_id.clone(),
id: keyset_id,
unit: CurrencyUnit::Sat,
active: true,
valid_from: 0,
@@ -1763,7 +1768,7 @@ mod tests {
let proofs = vec![
Proof {
amount: Amount::from(100),
keyset_id: keyset_id.clone(),
keyset_id,
secret: Secret::generate(),
c: SecretKey::generate().public_key(),
witness: None,
@@ -1771,7 +1776,7 @@ mod tests {
},
Proof {
amount: Amount::from(200),
keyset_id: keyset_id.clone(),
keyset_id,
secret: Secret::generate(),
c: SecretKey::generate().public_key(),
witness: None,
@@ -1816,7 +1821,7 @@ mod tests {
// Create a keyset and add it to the database
let keyset_id = Id::from_str("00916bbf7ef91a36").unwrap();
let keyset_info = MintKeySetInfo {
id: keyset_id.clone(),
id: keyset_id,
unit: CurrencyUnit::Sat,
active: true,
valid_from: 0,
@@ -1831,7 +1836,7 @@ mod tests {
let proofs = vec![
Proof {
amount: Amount::from(100),
keyset_id: keyset_id.clone(),
keyset_id,
secret: Secret::generate(),
c: SecretKey::generate().public_key(),
witness: None,
@@ -1839,7 +1844,7 @@ mod tests {
},
Proof {
amount: Amount::from(200),
keyset_id: keyset_id.clone(),
keyset_id,
secret: Secret::generate(),
c: SecretKey::generate().public_key(),
witness: None,