feat: Add Support Credentials for Clio (#1712)

Rippled PR: [here](XRPLF/rippled#5103)

src/etl/LoadBalancer.hpp

@@ -24,6 +24,7 @@
 #include "etl/NetworkValidatedLedgersInterface.hpp"
 #include "etl/Source.hpp"
 #include "feed/SubscriptionManagerInterface.hpp"
+#include "rpc/Errors.hpp"
 #include "util/Mutex.hpp"
 #include "util/ResponseExpirationCache.hpp"
 #include "util/config/Config.hpp"

src/rpc/CMakeLists.txt

@@ -6,6 +6,7 @@ target_sources(
           Factories.cpp
           AMMHelpers.cpp
           RPCHelpers.cpp
+          CredentialHelpers.cpp
           Counters.cpp
           WorkQueue.cpp
           common/Specs.cpp

src/rpc/CredentialHelpers.cpp

@@ -0,0 +1,162 @@
+//------------------------------------------------------------------------------
+/*
+    This file is part of clio: https://github.com/XRPLF/clio
+    Copyright (c) 2024, the clio developers.
+
+    Permission to use, copy, modify, and distribute this software for any
+    purpose with or without fee is hereby granted, provided that the above
+    copyright notice and this permission notice appear in all copies.
+
+    THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+    WITH  REGARD  TO  THIS  SOFTWARE  INCLUDING  ALL  IMPLIED  WARRANTIES  OF
+    MERCHANTABILITY  AND  FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+    ANY  SPECIAL,  DIRECT,  INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER  RESULTING  FROM  LOSS  OF USE, DATA OR PROFITS, WHETHER IN AN
+    ACTION  OF  CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+//==============================================================================
+
+#include "data/BackendInterface.hpp"
+#include "rpc/Errors.hpp"
+#include "rpc/JS.hpp"
+#include "rpc/common/Types.hpp"
+#include "util/Assert.hpp"
+
+#include <boost/asio/spawn.hpp>
+#include <boost/json/array.hpp>
+#include <boost/json/value_to.hpp>
+#include <xrpl/basics/Slice.h>
+#include <xrpl/basics/StringUtilities.h>
+#include <xrpl/basics/base_uint.h>
+#include <xrpl/basics/chrono.h>
+#include <xrpl/protocol/AccountID.h>
+#include <xrpl/protocol/Indexes.h>
+#include <xrpl/protocol/LedgerFormats.h>
+#include <xrpl/protocol/LedgerHeader.h>
+#include <xrpl/protocol/Protocol.h>
+#include <xrpl/protocol/SField.h>
+#include <xrpl/protocol/STArray.h>
+#include <xrpl/protocol/STLedgerEntry.h>
+#include <xrpl/protocol/STObject.h>
+#include <xrpl/protocol/Serializer.h>
+#include <xrpl/protocol/jss.h>
+
+#include <cstdint>
+#include <expected>
+#include <optional>
+#include <set>
+#include <string>
+#include <string_view>
+#include <unordered_set>
+#include <utility>
+
+namespace rpc::credentials {
+
+bool
+checkExpired(ripple::SLE const& sleCred, ripple::LedgerHeader const& ledger)
+{
+    if (sleCred.isFieldPresent(ripple::sfExpiration)) {
+        std::uint32_t const exp = sleCred.getFieldU32(ripple::sfExpiration);
+        std::uint32_t const now = ledger.parentCloseTime.time_since_epoch().count();
+        return now > exp;
+    }
+    return false;
+}
+
+std::set<std::pair<ripple::AccountID, ripple::Slice>>
+createAuthCredentials(ripple::STArray const& in)
+{
+    std::set<std::pair<ripple::AccountID, ripple::Slice>> out;
+    for (auto const& cred : in)
+        out.insert({cred[ripple::sfIssuer], cred[ripple::sfCredentialType]});
+
+    return out;
+}
+
+ripple::STArray
+parseAuthorizeCredentials(boost::json::array const& jv)
+{
+    ripple::STArray arr;
+    for (auto const& jo : jv) {
+        ASSERT(
+            jo.at(JS(issuer)).is_string(),
+            "issuer must be string, should already be checked in AuthorizeCredentialValidator"
+        );
+        auto const issuer =
+            ripple::parseBase58<ripple::AccountID>(static_cast<std::string>(jo.at(JS(issuer)).as_string()));
+        ASSERT(
+            issuer.has_value(), "issuer must be present, should already be checked in AuthorizeCredentialValidator."
+        );
+
+        ASSERT(
+            jo.at(JS(credential_type)).is_string(),
+            "credential_type must be string, should already be checked in AuthorizeCredentialValidator"
+        );
+        auto const credentialType = ripple::strUnHex(static_cast<std::string>(jo.at(JS(credential_type)).as_string()));
+        ASSERT(
+            credentialType.has_value(),
+            "credential_type must be present, should already be checked in AuthorizeCredentialValidator."
+        );
+
+        auto credential = ripple::STObject::makeInnerObject(ripple::sfCredential);
+        credential.setAccountID(ripple::sfIssuer, *issuer);
+        credential.setFieldVL(ripple::sfCredentialType, *credentialType);
+        arr.push_back(std::move(credential));
+    }
+
+    return arr;
+}
+
+std::expected<ripple::STArray, Status>
+fetchCredentialArray(
+    std::optional<boost::json::array> const& credID,
+    ripple::AccountID const& srcAcc,
+    BackendInterface const& backend,
+    ripple::LedgerHeader const& info,
+    boost::asio::yield_context const& yield
+)
+{
+    ripple::STArray authCreds;
+    std::unordered_set<std::string_view> elems;
+    for (auto const& elem : credID.value()) {
+        ASSERT(elem.is_string(), "should already be checked in validators.hpp that elem is a string.");
+
+        if (elems.contains(elem.as_string()))
+            return Error{Status{RippledError::rpcBAD_CREDENTIALS, "duplicates in credentials."}};
+        elems.insert(elem.as_string());
+
+        ripple::uint256 credHash;
+        ASSERT(
+            credHash.parseHex(boost::json::value_to<std::string>(elem)),
+            "should already be checked in validators.hpp that elem is a uint256 hex"
+        );
+
+        auto const credKeylet = ripple::keylet::credential(credHash).key;
+        auto const credLedgerObject = backend.fetchLedgerObject(credKeylet, info.seq, yield);
+        if (!credLedgerObject)
+            return Error{Status{RippledError::rpcBAD_CREDENTIALS, "credentials don't exist."}};
+
+        auto credIt = ripple::SerialIter{credLedgerObject->data(), credLedgerObject->size()};
+        auto const sleCred = ripple::SLE{credIt, credKeylet};
+
+        if ((sleCred.getType() != ripple::ltCREDENTIAL) ||
+            ((sleCred.getFieldU32(ripple::sfFlags) & ripple::lsfAccepted) == 0u))
+            return Error{Status{RippledError::rpcBAD_CREDENTIALS, "credentials aren't accepted"}};
+
+        if (credentials::checkExpired(sleCred, info))
+            return Error{Status{RippledError::rpcBAD_CREDENTIALS, "credentials are expired"}};
+
+        if (sleCred.getAccountID(ripple::sfSubject) != srcAcc)
+            return Error{Status{RippledError::rpcBAD_CREDENTIALS, "credentials don't belong to the root account"}};
+
+        auto credential = ripple::STObject::makeInnerObject(ripple::sfCredential);
+        credential.setAccountID(ripple::sfIssuer, sleCred.getAccountID(ripple::sfIssuer));
+        credential.setFieldVL(ripple::sfCredentialType, sleCred.getFieldVL(ripple::sfCredentialType));
+        authCreds.push_back(std::move(credential));
+    }
+
+    return authCreds;
+}
+
+}  // namespace rpc::credentials

src/rpc/CredentialHelpers.hpp

@@ -0,0 +1,89 @@
+//------------------------------------------------------------------------------
+/*
+    This file is part of clio: https://github.com/XRPLF/clio
+    Copyright (c) 2024, the clio developers.
+
+    Permission to use, copy, modify, and distribute this software for any
+    purpose with or without fee is hereby granted, provided that the above
+    copyright notice and this permission notice appear in all copies.
+
+    THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+    WITH  REGARD  TO  THIS  SOFTWARE  INCLUDING  ALL  IMPLIED  WARRANTIES  OF
+    MERCHANTABILITY  AND  FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+    ANY  SPECIAL,  DIRECT,  INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER  RESULTING  FROM  LOSS  OF USE, DATA OR PROFITS, WHETHER IN AN
+    ACTION  OF  CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+//==============================================================================
+
+#pragma once
+
+#include "data/BackendInterface.hpp"
+#include "rpc/Errors.hpp"
+
+#include <boost/asio/spawn.hpp>
+#include <boost/json/array.hpp>
+#include <xrpl/basics/Slice.h>
+#include <xrpl/basics/chrono.h>
+#include <xrpl/protocol/AccountID.h>
+#include <xrpl/protocol/LedgerHeader.h>
+#include <xrpl/protocol/Protocol.h>
+#include <xrpl/protocol/STLedgerEntry.h>
+#include <xrpl/protocol/STObject.h>
+
+#include <expected>
+#include <optional>
+#include <set>
+#include <utility>
+
+namespace rpc::credentials {
+
+/**
+ * @brief Check if credential is expired
+ *
+ * @param sleCred The credential to check
+ * @param ledger The ledger to check the closed time of
+ * @return true if credential not expired, false otherwise
+ */
+bool
+checkExpired(ripple::SLE const& sleCred, ripple::LedgerHeader const& ledger);
+
+/**
+ * @brief Creates authentication credential field (which is a set of pairs of AccountID and Credential ID)
+ *
+ * @param in The array of Credential objects to check
+ * @return Auth Credential array
+ */
+std::set<std::pair<ripple::AccountID, ripple::Slice>>
+createAuthCredentials(ripple::STArray const& in);
+
+/**
+ * @brief Parses each credential object and makes sure the credential type and values are correct
+ *
+ * @param jv The boost json array of credentials to parse
+ * @return Array of credentials after parsing
+ */
+ripple::STArray
+parseAuthorizeCredentials(boost::json::array const& jv);
+
+/**
+ * @brief Get Array of Credential objects
+ *
+ * @param credID Array of CredentialID's to parse
+ * @param srcAcc The Source Account
+ * @param backend backend interface
+ * @param info The ledger header
+ * @param yield The coroutine context
+ * @return Array of credential objects, error if failed otherwise
+ */
+std::expected<ripple::STArray, Status>
+fetchCredentialArray(
+    std::optional<boost::json::array> const& credID,
+    ripple::AccountID const& srcAcc,
+    BackendInterface const& backend,
+    ripple::LedgerHeader const& info,
+    boost::asio::yield_context const& yield
+);
+
+}  // namespace rpc::credentials

src/rpc/Errors.cpp

@@ -83,6 +83,9 @@ getErrorInfo(ClioError code)
         {ClioError::rpcUNKNOWN_OPTION, "unknownOption", "Unknown option."},
         {ClioError::rpcFIELD_NOT_FOUND_TRANSACTION, "fieldNotFoundTransaction", "Missing field."},
         {ClioError::rpcMALFORMED_ORACLE_DOCUMENT_ID, "malformedDocumentID", "Malformed oracle_document_id."},
+        {ClioError::rpcMALFORMED_AUTHORIZED_CREDENTIALS,
+         "malformedAuthorizedCredentials",
+         "Malformed authorized credentials."},
         // special system errors
         {ClioError::rpcINVALID_API_VERSION, JS(invalid_API_version), "Invalid API version."},
         {ClioError::rpcCOMMAND_IS_MISSING, JS(missingCommand), "Method is not specified or is not a string."},

src/rpc/Errors.hpp

@@ -43,6 +43,7 @@ enum class ClioError {
     rpcUNKNOWN_OPTION = 5005,
     rpcFIELD_NOT_FOUND_TRANSACTION = 5006,
     rpcMALFORMED_ORACLE_DOCUMENT_ID = 5007,
+    rpcMALFORMED_AUTHORIZED_CREDENTIALS = 5008,
 
     // special system errors start with 6000
     rpcINVALID_API_VERSION = 6000,

src/rpc/common/Validators.cpp

@@ -29,8 +29,10 @@
 #include <boost/json/value.hpp>
 #include <boost/json/value_to.hpp>
 #include <fmt/core.h>
+#include <xrpl/basics/StringUtilities.h>
 #include <xrpl/basics/base_uint.h>
 #include <xrpl/protocol/AccountID.h>
+#include <xrpl/protocol/Protocol.h>
 #include <xrpl/protocol/UintTypes.h>
 
 #include <charconv>
@@ -253,4 +255,67 @@ CustomValidator CustomValidators::CurrencyIssueValidator =
         return MaybeError{};
     }};
 
+CustomValidator CustomValidators::CredentialTypeValidator =
+    CustomValidator{[](boost::json::value const& value, std::string_view key) -> MaybeError {
+        if (not value.is_string())
+            return Error{Status{RippledError::rpcINVALID_PARAMS, std::string(key) + " NotString"}};
+
+        auto const& credTypeHex = ripple::strViewUnHex(value.as_string());
+        if (!credTypeHex.has_value())
+            return Error{Status{ClioError::rpcMALFORMED_AUTHORIZED_CREDENTIALS, std::string(key) + " NotHexString"}};
+
+        if (credTypeHex->empty())
+            return Error{Status{ClioError::rpcMALFORMED_AUTHORIZED_CREDENTIALS, std::string(key) + " is empty"}};
+
+        if (credTypeHex->size() > ripple::maxCredentialTypeLength)
+            return Error{
+                Status{ClioError::rpcMALFORMED_AUTHORIZED_CREDENTIALS, std::string(key) + " greater than max length"}
+            };
+
+        return MaybeError{};
+    }};
+
+CustomValidator CustomValidators::AuthorizeCredentialValidator =
+    CustomValidator{[](boost::json::value const& value, std::string_view key) -> MaybeError {
+        if (not value.is_array())
+            return Error{Status{ClioError::rpcMALFORMED_REQUEST, std::string(key) + " not array"}};
+
+        auto const& authCred = value.as_array();
+        if (authCred.size() == 0) {
+            return Error{Status{
+                ClioError::rpcMALFORMED_AUTHORIZED_CREDENTIALS,
+                fmt::format("Requires at least one element in authorized_credentials array")
+            }};
+        }
+
+        if (authCred.size() > ripple::maxCredentialsArraySize) {
+            return Error{Status{
+                ClioError::rpcMALFORMED_AUTHORIZED_CREDENTIALS,
+                fmt::format(
+                    "Max {} number of credentials in authorized_credentials array", ripple::maxCredentialsArraySize
+                )
+            }};
+        }
+
+        for (auto const& credObj : value.as_array()) {
+            auto const& obj = credObj.as_object();
+
+            if (!obj.contains("issuer"))
+                return Error{Status{ClioError::rpcMALFORMED_REQUEST, "Field 'Issuer' is required but missing."}};
+
+            if (auto const err = IssuerValidator.verify(credObj, "issuer"); !err)
+                return err;
+
+            if (!obj.contains("credential_type")) {
+                return Error{Status{ClioError::rpcMALFORMED_REQUEST, "Field 'CredentialType' is required but missing."}
+                };
+            }
+
+            if (auto const err = CredentialTypeValidator.verify(credObj, "credential_type"); !err)
+                return err;
+        }
+
+        return MaybeError{};
+    }};
+
 }  // namespace rpc::validation