feat: add custom issuer guard (jwt-guard)

contracts/Cargo.toml

@@ -1,10 +1,11 @@
 [workspace]
 members = [
     "./attestation",
-    "./auth0-guard",
+    "./jwt-guards/base-jwt-guard",
+    "./jwt-guards/auth0-guard",
+    "./jwt-guards/firebase-guard",
+    "./jwt-guards/jwt-guard",
     "./fa",
-    "./firebase-guard",
-    "./jwt-guard",
     "./jwt-guard-router",
     "./mocks/external-guard",
     "./mocks/mpc",

contracts/auth0-guard/Cargo.toml → contracts/jwt-guards/auth0-guard/Cargo.toml

@@ -33,7 +33,7 @@ container_build_command = [
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
-jwt_guard = { path = "../jwt-guard" }
+base-jwt-guard = { path = "../base-jwt-guard" }
 near-sdk = "5.9"
 serde = { version = "1", features = ["derive"] }
 borsh = { version = "1.3.1", features = ["unstable__schema"] }

contracts/firebase-guard/package.json → contracts/jwt-guards/auth0-guard/package.json

@@ -1,5 +1,5 @@
 {
-    "name": "@contracts/firebase-guard",
+    "name": "@contracts/auth0-guard",
     "version": "0.0.0",
     "description": "",
     "scripts": {

contracts/auth0-guard/src/lib.rs → contracts/jwt-guards/auth0-guard/src/lib.rs

@@ -2,8 +2,8 @@
 use near_sdk::{near, AccountId, env, Promise, NearToken, Gas};
 use near_sdk::serde_json;
 use serde::{Deserialize, Serialize};
-use jwt_guard::{JwtGuard, JwtPublicKey};
-use jwt_guard::assert_valid_public_key;
+use base_jwt_guard::{JwtGuard, JwtPublicKey};
+use base_jwt_guard::assert_valid_public_key;
 const MIGRATION_TGAS: u64 = 10;
 
 /// Custom claims structure for FastAuth Auth0 JWT tokens

contracts/auth0-guard/tests/test_integration.rs → contracts/jwt-guards/auth0-guard/tests/test_integration.rs

@@ -1,5 +1,5 @@
 use near_sdk::serde_json::json;
-use jwt_guard::JwtPublicKey;
+use base_jwt_guard::JwtPublicKey;
 
 #[tokio::test]
 async fn test_verify_signature_should_pass() -> Result<(), Box<dyn std::error::Error>> {
@@ -304,7 +304,7 @@ async fn test_set_public_key_should_fail_even_modulus() -> Result<(), Box<dyn st
     let new_e = vec![3];
 
     let outcome = owner_account
-        .call(contract.id(), "set_public_key"s)
+        .call(contract.id(), "set_public_keys")
         .args_json(json!({
             "public_keys": vec![json!({"n": even_n, "e": new_e})]
         }))

contracts/jwt-guard/Cargo.toml → contracts/jwt-guards/base-jwt-guard/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
-name = "jwt_guard"
-description = "jwt_guard"
+name = "base-jwt-guard"
+description = "base-jwt-guard"
 version = "0.1.0-rc.1"
 edition = "2021"
 repository = "https://github.com/Peersyst/fast-auth"

contracts/jwt-guard/README.md → contracts/jwt-guards/base-jwt-guard/README.md

@@ -1,4 +1,4 @@
-# contracts/jwt-guard
+# contracts/base-jwt-guard
 
 A NEAR contract that verifies JWT tokens signed with RS256 algorithm.
 

contracts/firebase-guard/Cargo.toml → contracts/jwt-guards/firebase-guard/Cargo.toml

@@ -33,7 +33,7 @@ container_build_command = [
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
-jwt_guard = { path = "../jwt-guard" }
+base-jwt-guard = { path = "../base-jwt-guard" }
 near-sdk = "5.9"
 near-contract-standards = "5.17.2"
 near-plugins = { git = "https://github.com/Near-One/near-plugins", tag = "v0.5.0" }

contracts/firebase-guard/src/config.rs → contracts/jwt-guards/firebase-guard/src/config.rs

@@ -1,6 +1,6 @@
 use near_sdk::{near, AccountId};
 use std::collections::{HashMap, HashSet};
-use jwt_guard::{JwtPublicKey, assert_valid_public_key};
+use base_jwt_guard::{JwtPublicKey, assert_valid_public_key};
 use crate::{
     error::FirebaseGuardError,
     require_err,

contracts/firebase-guard/src/lib.rs → contracts/jwt-guards/firebase-guard/src/lib.rs

@@ -2,8 +2,8 @@ use std::slice::Iter;
 use borsh::{BorshDeserialize};
 use near_sdk::{near, AccountId, env, NearToken, PanicOnDefault, Promise, Gas, ext_contract};
 use near_sdk::env::sha256;
-use jwt_guard::{JwtGuard, JwtPublicKey};
-use jwt_guard::assert_valid_public_key;
+use base_jwt_guard::{JwtGuard, JwtPublicKey};
+use base_jwt_guard::assert_valid_public_key;
 use near_contract_standards::storage_management::{StorageBalance, StorageBalanceBounds, StorageManagement};
 use near_sdk::json_types::{U128};
 use near_plugins::{access_control, access_control_any, AccessControlRole, AccessControllable, Pausable, Upgradable};

contracts/firebase-guard/src/utils/utils.rs → contracts/jwt-guards/firebase-guard/src/utils/utils.rs

@@ -1,6 +1,4 @@
-use crypto_bigint::{BoxedUint, Odd};
 use near_sdk::{env, AccountId};
-use jwt_guard::JwtPublicKey;
 use crate::{error::FirebaseGuardError, require_err};
 
 /// Asserts that the account ID is valid

contracts/firebase-guard/tests/test_integration.rs → contracts/jwt-guards/firebase-guard/tests/test_integration.rs

@@ -1,9 +1,7 @@
-use near_sdk::base64;
-use near_sdk::base64::Engine;
 use near_sdk::env::sha256;
 use near_sdk::serde_json::json;
 use near_workspaces::{Account, Contract};
-use jwt_guard::JwtPublicKey;
+use base_jwt_guard::JwtPublicKey;
 
 async fn deploy_contract() -> Result<(Account, Contract), Box<dyn std::error::Error>> {
     let contract_wasm = near_workspaces::compile_project("./").await?;

contracts/jwt-guards/jwt-guard/.gitignore

@@ -0,0 +1 @@
+/target

contracts/jwt-guards/jwt-guard/Cargo.toml

@@ -0,0 +1,61 @@
+[package]
+name = "jwt-guard"
+description = "jwt-guard"
+version = "0.1.0-rc.1"
+edition = "2021"
+repository = "https://github.com/Peersyst/fast-auth"
+
+[lib]
+crate-type = ["cdylib", "rlib"]
+
+# fields to configure build with WASM reproducibility, according to specs
+# in https://github.com/near/NEPs/blob/master/neps/nep-0330.md
+[package.metadata.near.reproducible_build]
+# docker image, descriptor of build environment
+image = "sourcescan/cargo-near:0.13.4-rust-1.85.1"
+# tag after colon above serves only descriptive purpose; image is identified by digest
+image_digest = "sha256:1f8b71742802f38990d442e8678aa4c0cd1c8317dd3ff493f41c079675d4f35b"
+# list of environment variables names, whose values, if set, will be used as external build parameters
+# in a reproducible manner
+# supported by `sourcescan/cargo-near:0.10.1-rust-1.82.0` image or later images
+passed_env = []
+# build command inside of docker container
+# if docker image from default gallery is used https://hub.docker.com/r/sourcescan/cargo-near/tags,
+# the command may be any combination of flags of `cargo-near`,
+# supported by respective version of binary inside the container besides `--no-locked` flag
+container_build_command = [
+    "cargo",
+    "near",
+    "build",
+    "non-reproducible-wasm",
+    "--locked",
+]
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+[dependencies]
+base-jwt-guard = { path = "../base-jwt-guard" }
+near-sdk = "5.9"
+near-contract-standards = "5.17.2"
+near-plugins = { git = "https://github.com/Near-One/near-plugins", tag = "v0.5.0" }
+serde = { version = "1", features = ["derive"] }
+borsh = { version = "1.3.1", features = ["unstable__schema"] }
+schemars = "0.8"
+serde_with = { version = "3.0", features = ["base64"] }
+sha2 = "0.10.8"
+crypto-bigint = { version = "0.7.0-pre", default-features = false, features = ["zeroize", "alloc"] }
+
+[dev-dependencies]
+near-sdk = { version = "5.9", features = ["unit-testing"] }
+near-workspaces = { version = "0.18", features = ["unstable"] }
+tokio = { version = "1.12.0", features = ["full"] }
+serde_json = "1"
+
+[profile.release]
+codegen-units = 1
+# Tell `rustc` to optimize for small code size.
+opt-level = "z"
+lto = true
+debug = false
+panic = "abort"
+# Opt into extra safety checks on arithmetic operations https://stackoverflow.com/a/64136471/249801
+overflow-checks = true

contracts/jwt-guards/jwt-guard/README.md

@@ -0,0 +1,49 @@
+# contracts/custom-issuer-guard
+
+A NEAR contract that verifies JWT tokens signed with RS256 algorithm.
+
+## How to Build Locally?
+
+Install [`cargo-near`](https://github.com/near/cargo-near) and run:
+
+```bash
+pnpm build
+```
+
+or
+
+```bash
+cargo near build non-reproducible-wasm
+```
+
+## How to Test Locally?
+
+```bash
+pnpm test
+```
+
+or
+
+```bash
+cargo test
+```
+
+## How to Deploy?
+
+Deployment is automated with GitHub Actions CI/CD pipeline.
+To deploy manually, install [`cargo-near`](https://github.com/near/cargo-near) and run:
+
+```bash
+cargo near deploy build-reproducible-wasm <account-id>
+```
+
+## Useful Links
+
+- [cargo-near](https://github.com/near/cargo-near) - NEAR smart contract development toolkit for Rust
+- [near CLI](https://near.cli.rs) - Interact with NEAR blockchain from command line
+- [NEAR Rust SDK Documentation](https://docs.near.org/sdk/rust/introduction)
+- [NEAR Documentation](https://docs.near.org)
+- [NEAR StackOverflow](https://stackoverflow.com/questions/tagged/nearprotocol)
+- [NEAR Discord](https://near.chat)
+- [NEAR Telegram Developers Community Group](https://t.me/neardev)
+- NEAR DevHub: [Telegram](https://t.me/neardevhub), [Twitter](https://twitter.com/neardevhub)

contracts/jwt-guards/jwt-guard/package.json

@@ -0,0 +1,13 @@
+{
+    "name": "@contracts/custom-issuer-guard",
+    "version": "0.0.0",
+    "description": "",
+    "scripts": {
+        "build": "cargo near build non-reproducible-wasm",
+        "test": "cargo test",
+        "lint": "cargo clippy -- -D warnings"
+    },
+    "keywords": [],
+    "author": "",
+    "license": "ISC"
+}

contracts/jwt-guards/jwt-guard/src/config.rs

@@ -0,0 +1,67 @@
+use near_sdk::{near, AccountId};
+use std::collections::{HashMap, HashSet};
+use base_jwt_guard::{JwtPublicKey, assert_valid_public_key};
+use crate::{
+    error::CustomIssuerGuardError,
+    require_err,
+    utils::{assert_valid_account_id},
+};
+use super::Role;
+
+#[near(serializers = [json])]
+#[derive(Clone)]
+pub struct CustomIssuerGuardConfig {
+    pub public_keys: Vec<JwtPublicKey>,
+    pub roles: RolesConfig,
+}
+
+impl CustomIssuerGuardConfig {
+    /// Asserts that the config is valid
+    /// # Arguments
+    /// * `config` - The config
+    /// # Panics
+    /// * If the config is not valid
+    pub fn assert_valid(&self) {
+        // Public key validation
+        for public_key in self.public_keys.iter() {
+            assert_valid_public_key(public_key.clone());
+        }
+        // Roles validation
+        self.roles.assert_valid();
+    }
+}
+
+#[near(serializers = [json])]
+#[derive(Debug, Clone)]
+pub struct RolesConfig {
+    pub super_admins: HashSet<AccountId>,
+    pub admins: HashMap<Role, HashSet<AccountId>>,
+    pub grantees: HashMap<Role, HashSet<AccountId>>,
+}
+
+impl RolesConfig {
+    /// Asserts that the roles config is valid
+    /// # Arguments
+    /// * `roles` - The roles config
+    /// # Panics
+    /// * If the roles config is not valid
+    pub fn assert_valid(&self) {
+        require_err!(
+            !self.super_admins.is_empty(),
+            CustomIssuerGuardError::SuperAdminsMustBeNonEmpty
+        );
+        for super_admin in self.super_admins.iter() {
+            assert_valid_account_id(super_admin);
+        }
+        for account_ids in self.admins.values() {
+            for account_id in account_ids.iter() {
+                assert_valid_account_id(account_id);
+            }
+        }
+        for account_ids in self.grantees.values() {
+            for account_id in account_ids.iter() {
+                assert_valid_account_id(account_id);
+            }
+        }
+    }
+}