input-output-hk · bkioshn · Oct 22, 2025 · Oct 22, 2025 · Oct 22, 2025 · Oct 24, 2025
@@ -156,6 +156,7 @@ rfind
 Rmax
 Rmin
 rngs
+rsplit
 rollouts
 rusqlite
 rustc

@@ -1,29 +1,33 @@
 {
-  "$schema": "https://raw.githubusercontent.com/input-output-hk/hermes/main/hermes/schemas/hermes_app_manifest.schema.json",
-  "name": "athena",
-  "icon": "icon.svg",
-  "metadata": "metadata.json",
-  "modules": [
-    {
-      "package": "modules/http-proxy/lib/http_proxy.hmod",
-      "name": "http_proxy"
-    },
-    {
-      "package": "modules/rbac-registration-indexer/lib/rbac_registration_indexer.hmod",
-      "name": "rbac_registration_indexer"
-    },
-    {
-      "package": "modules/rbac-registration/lib/rbac_registration.hmod",
-      "name": "rbac_registration"
-    },
-    {
-      "package": "modules/staked-ada-indexer/lib/staked_ada_indexer.hmod",
-      "name": "staked_ada_indexer"
-    },
-    {
-      "package": "modules/staked-ada/lib/staked_ada.hmod",
-      "name": "staked_ada"
-    }
-  ],
-  "www": "modules/http-proxy/lib/www"
+	"$schema": "https://raw.githubusercontent.com/input-output-hk/hermes/main/hermes/schemas/hermes_app_manifest.schema.json",
+	"name": "athena",
+	"icon": "icon.svg",
+	"metadata": "metadata.json",
+	"modules": [
+		{
+			"package": "modules/http-proxy/lib/http_proxy.hmod",
+			"name": "http_proxy"
+		},
+		{
+			"package": "modules/rbac-registration-indexer/lib/rbac_registration_indexer.hmod",
+			"name": "rbac_registration_indexer"
+		},
+		{
+			"package": "modules/rbac-registration/lib/rbac_registration.hmod",
+			"name": "rbac_registration"
+		},
+		{
+			"package": "modules/staked-ada-indexer/lib/staked_ada_indexer.hmod",
+			"name": "staked_ada_indexer"
+		},
+		{
+			"package": "modules/staked-ada/lib/staked_ada.hmod",
+			"name": "staked_ada"
+		},
+		{
+			"package": "modules/auth/lib/auth.hmod",
+			"name": "auth"
+		}
+	],
+	"www": "modules/http-proxy/lib/www"
 }
@@ -0,0 +1,30 @@
+[package]
+edition.workspace = true
+name = "auth"
+version = "0.1.0"
+license = "MIT OR Apache-2.0"
+
+[lints]
+workspace = true
+
+[lib]
+crate-type = ["cdylib"]
+
+[dependencies]
+shared = { version = "0.1.0", path = "../../shared", features = ["cardano-blockchain-types"] }
+anyhow = "1.0.98"
+ed25519-dalek = "2.1.1"
+base64 = "0.22.1"
+chrono = "0.4.38"
+regex = "1.11.1"
+thiserror = "1.0.68"
+rand = "0.8.5"
+serde_json = "1.0.142"
+serde = "1.0.226"
+
+cardano-blockchain-types = { version = "0.0.8", git = "https://github.com/input-output-hk/catalyst-libs", tag = "cardano-blockchain-types/v0.0.8" }
+rbac-registration = { version = "0.0.14", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "rbac-registration/v0.0.14" }
+catalyst-types = { version = "0.0.10", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "catalyst-types/v0.0.10" }
+
+[dev-dependencies]
+test-case = "3.3.1"
@@ -0,0 +1,22 @@
+VERSION 0.8
+
+IMPORT ../../../../ AS hermes
+IMPORT ../.. AS athena
+
+build-auth:
+    DO athena+BUILD_ATHENA_COMPONENT --out=auth.wasm
+
+local-build-auth:
+    FROM scratch
+    COPY +build-auth/auth.wasm .
+    SAVE ARTIFACT auth.wasm AS LOCAL lib/auth.wasm
+
+
+auth-package-module:
+    FROM hermes+build
+
+    COPY lib/ .
+    COPY +build-auth/auth.wasm .
+
+    RUN ./target/release/hermes module package manifest_module.json
+    SAVE ARTIFACT auth.hmod
@@ -0,0 +1 @@
+{}
@@ -0,0 +1 @@
+{}
@@ -0,0 +1,13 @@
+{
+	"$schema": "https://raw.githubusercontent.com/input-output-hk/hermes/main/hermes/schemas/hermes_module_manifest.schema.json",
+	"name": "auth",
+	"metadata": "metadata.json",
+	"component": "auth.wasm",
+	"config": {
+		"file": "config.json",
+		"schema": "config.schema.json"
+	},
+	"settings": {
+		"schema": "settings.schema.json"
+	}
+}
@@ -0,0 +1,26 @@
+{
+	"$schema": "https://raw.githubusercontent.com/input-output-hk/hermes/main/hermes/schemas/hermes_app_metadata.schema.json",
+	"name": "Authentication and Authorization service",
+	"version": "V0.1.0",
+	"description": "Catalyst authentication and authorization service",
+	"src": [
+		"https://github.com/input-output-hk/hermes",
+		"https://github.com/input-output-hk/catalyst-voices"
+	],
+	"copyright": ["Copyright Ⓒ 2024, IOG Singapore."],
+	"license": [
+		{
+			"spdx": "Apache-2.0",
+			"file": "/srv/data/apache2.txt"
+		},
+		{
+			"spdx": "MIT",
+			"file": "/srv/data/mit.txt"
+		}
+	],
+	"developer": {
+		"name": "IOG Singapore",
+		"contact": "[email protected]",
+		"payment": "wallet address"
+	}
+}
@@ -0,0 +1 @@
+{}
@@ -0,0 +1,33 @@
+//! API Key auth scheme is used ONLY by internal endpoints.
+//!
+//! Its purpose is to prevent their use externally, if they were accidentally exposed.
+//!
+//! It is NOT to be used on any endpoint intended to be publicly facing.
+
+use std::env;
+
+use anyhow::{bail, Result};
+
+use crate::{extract_header, hermes::http_gateway::api::Headers};
+
+/// The header name that holds the API Key
+pub(crate) const API_KEY_HEADER: &str = "X-API-Key";
+
+/// Check if the API Key is correctly set.
+pub(crate) fn check_api_key(headers: &Headers) -> Result<()> {
+    if let Some(key) = extract_header!(headers, API_KEY_HEADER) {
+        if check_internal_api_key(&key) {
+            return Ok(());
+        }
+    }
+    bail!("Invalid API Key");
+}
+
+/// Check a given key matches the internal API Key
+fn check_internal_api_key(value: &str) -> bool {
+    // TODO: This should be moved to application setting/config
+    match env::var("INTERNAL_API_KEY") {
+        Ok(expected_key) => value == expected_key,
+        Err(_) => false,
+    }
+}
@@ -0,0 +1,10 @@
+//! Database access layer for RBAC registration.
+// TODO - This is redundant to what is in rbac-registration module, need to move the share
+
+pub(crate) mod query_builder;
+pub(crate) mod select;
+
+/// RBAC registration persistent table name.
+pub(crate) const RBAC_REGISTRATION_PERSISTENT_TABLE_NAME: &str = "rbac_registration_persistent";
+/// RBAC registration volatile table name.
+pub(crate) const RBAC_REGISTRATION_VOLATILE_TABLE_NAME: &str = "rbac_registration_volatile";
@@ -0,0 +1,41 @@
+//! `SQLite` query builders
+
+/// Query builder
+pub(crate) struct QueryBuilder;
+
+impl QueryBuilder {
+    /// Select a root registration from a catalyst ID.
+    /// The earliest (lowest `slot_no`, then lowest `txn_idx`) registration
+    /// is considered the canonical/valid registration if multiple exist.
+    pub(crate) fn select_root_reg_by_cat_id(table: &str) -> String {
+        format!(
+            r"
+            SELECT txn_id, slot_no, txn_idx
+            FROM {table}
+                WHERE prv_txn_id IS NULL
+                AND problem_report IS NULL
+                AND catalyst_id = ?
+                ORDER BY slot_no ASC, txn_idx ASC
+                LIMIT 1;
+            "
+        )
+    }
+
+    /// Select a child registration from a parent registration
+    /// The earliest (lowest `slot_no`, then lowest `txn_idx`) registration
+    /// is considered the canonical/valid registration if multiple exist.
+    ///
+    /// The child is linked to the parent by the `prv_txn_id` field.
+    pub(crate) fn select_child_reg_from_parent(table: &str) -> String {
+        format!(
+            r"
+            SELECT txn_id, slot_no, txn_idx
+            FROM {table}
+                WHERE prv_txn_id = ?
+                AND problem_report IS NULL
+                ORDER BY slot_no ASC, txn_idx ASC
+                LIMIT 1;
+            "
+        )
+    }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -156,6 +156,7 @@ rfind @@
     Rmax
     Rmin
     rngs
+    rsplit
     rollouts
     rusqlite
     rustc
@@ Expand Down @@