Merge branch 'master' into x509
* master: (72 commits)
  PKI add ValidateStrict (#3531)
  PEX: Return capture group for matched patterns (#3526)
  Schedule CodeQL twice a week (#3525)
  change cron schedule (#3524)
  Add gh action for CodeQL schedule (#3523)
  Bump github.com/lestrrat-go/jwx/v2 from 2.1.1 to 2.1.2 (#3520)
  docs: v6 release date (#3519)
  status codes for discovery client (#3513)
  Require SQL connection string in strictmode (#3517)
  Fix duplicate discovery results (#3515)
  Bump github.com/chromedp/chromedp from 0.11.0 to 0.11.1 (#3514)
  fix duplicate search results for wildcard param (#3512)
  Bump github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys (#3511)
  remove network migration and optimize network event retry (#3510)
  secure outgoing http client with max connections (#3508)
  make gen-mocks (#3509)
  Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.15.0 to 1.16.0 (#3506)
  fix invalid keyReference migration objects (#3504)
  Bump go.uber.org/mock from 0.4.0 to 0.5.0 (#3507)
  Bump github.com/nats-io/nats-server/v2 from 2.10.21 to 2.10.22 (#3505)
  ...

# Conflicts:
#	vcr/test.go
#	vdr/legacy_integration_test.go
#	vdr/vdr.go
#	vdr/vdr_test.go
rolandgroen committed Nov 1, 2024
2 parents fc20b9e + 3859302 commit 89ebc2d
Showing 268 changed files with 4,944 additions and 2,453 deletions.
4 changes: 2 additions & 2 deletions .circleci/config.yml
Expand Up @@ -12,7 +12,7 @@ jobs:
build:
parallelism: 8
docker:
- image: cimg/go:1.22
- image: cimg/go:1.23
steps:
- checkout

Expand All @@ -36,7 +36,7 @@ jobs:

report:
docker:
- image: cimg/go:1.22
- image: cimg/go:1.23
steps:
- checkout
- attach_workspace:
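--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @woutslakhorst @reinkrul @gerardsn @stevenvegt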
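--- a/.github/workflows/codeql-analysis-cron-schedule.yml
+++ b/.github/workflows/codeql-analysis-cron-schedule.yml
@@ -0,0 +1,69 @@
+# This is an alternative to the codeql-analysis.yml that only contains a scheduled evaluation of CodeQL
+# The action runs for all branches defined in jobs.analyze.strategy.matrix.branches.
+# Every new production branch (minor release branches) should be added to this list.
+
+name: "Scheduled CodeQL"
+
+# run twice a week at a random time on Sunday and Wednesday evening so its available the next morning
+on:
+schedule:
+- cron: '42 21 * * 0,3'
+
+jobs:
+analyze:
+name: Analyze
+runs-on: ubuntu-latest
+permissions:
+actions: read
+contents: read
+security-events: write
+
+strategy:
+fail-fast: false
+matrix:
+# CodeQL runs on these branches
+branches:
+- 'master'
+- 'V5.4'
+- 'V6.0'
+
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+with:
+ref: ${{ matrix.branches }}
+
+- name: Set up Go
+uses: actions/setup-go@v5
+with:
+# use go version from go.mod.
+go-version-file: 'go.mod'
+
+# Initializes the CodeQL tools for scanning.
+- name: Initialize CodeQL
+uses: github/codeql-action/init@v3
+with:
+languages: 'go'
+# If you wish to specify custom queries, you can do so here or in a config file.
+# By default, queries listed here will override any specified in a config file.
+# Prefix the list here with "+" to use these queries and those in the config file.
+# queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+# If this step fails, then you should remove it and run the build manually (see below)
+- name: Autobuild
+uses: github/codeql-action/autobuild@v3
+
+# ℹ️ Command-line programs to run using the OS shell.
+# 📚 https://git.io/JvXDl
+
+# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+# and modify them (or add more) to build your code if your project
+# uses a compiled language
+
+#- run: |
+# make bootstrap
+# make release
+
+- name: Perform CodeQL Analysis
+uses: github/codeql-action/analyze@v3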
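Review bot: The five `uses:` steps (actions/checkout@v4, actions/setup-go@v5 and the three github/codeql-action steps @v3) reference mutable major-version tags, so each scheduled run executes whatever those tags point to at that moment; for a job that holds `security-events: write`, pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`, and let Dependabot move the pins. The `permissions` block already limits the job to `actions: read`, `contents: read`, `security-events: write`, which appears to be the minimum the analyze step needs, so nothing to add there. The header comment asks maintainers to extend the branch list by hand on every release; a one-line comment on `matrix.branches` such as `# a release branch missing here gets no scheduled scan` puts that duty where the list actually lives.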
2 changes: 0 additions & 2 deletions .github/workflows/codeql-analysis.yml
Expand Up @@ -21,8 +21,6 @@ on:
branches:
- 'master'
- 'V*'
schedule:
- cron: '21 10 * * 2'

jobs:
analyze:
2 changes: 1 addition & 1 deletion .github/workflows/e2e-tests.yaml
Expand Up @@ -75,7 +75,7 @@ jobs:
- name: Run E2E tests
run: |
cd e2e-tests && \
find . -type f -name "docker-compose.yml" | xargs -I{} sed -i 's~nutsfoundation/nuts-node:master~ghcr.io/nuts-foundation/nuts-node-ci:${{ env.SHA }}~g' {} && \
find . -type f -name "docker-compose*.yml" | xargs -I{} sed -i 's~nutsfoundation/nuts-node:master~ghcr.io/nuts-foundation/nuts-node-ci:${{ env.SHA }}~g' {} && \
find . -type f -name "run-test.sh" | xargs -I{} sed -i 's/docker-compose exec/docker-compose exec -T/g' {} && \
./run-tests.sh
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,5 +1,5 @@
# golang alpine
FROM golang:1.23.1-alpine AS builder
FROM golang:1.23.2-alpine AS builder

ARG TARGETARCH
ARG TARGETOS
8 changes: 4 additions & 4 deletions README.rst
Expand Up @@ -173,6 +173,7 @@ The following options can be configured on the server:
configfile ./config/nuts.yaml Nuts config file
cpuprofile When set, a CPU profile is written to the given path. Ignored when strictmode is set.
datadir ./data Directory where the node stores its files.
didmethods [web,nuts] Comma-separated list of enabled DID methods (without did: prefix). It also controls the order in which DIDs are returned by APIs, and which DID is used for signing if the verifying party does not impose restrictions on the DID method used.
internalratelimiter true When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode.
loggerformat text Log format (text, json)
strictmode true When set, insecure settings are forbidden.
Expand All @@ -196,6 +197,7 @@ The following options can be configured on the server:
discovery.definitions.directory ./config/discovery Directory to load Discovery Service Definitions from. If not set, the discovery service will be disabled. If the directory contains JSON files that can't be parsed as service definition, the node will fail to start.
discovery.server.ids [] IDs of the Discovery Service for which to act as server. If an ID does not map to a loaded service definition, the node will fail to start.
**HTTP**
http.clientipheader X-Forwarded-For Case-sensitive HTTP Header that contains the client IP used for audit logs. For the X-Forwarded-For header only link-local, loopback, and private IPs are excluded. Switch to X-Real-IP or a custom header if you see your own proxy/infra in the logs.
http.log metadata What to log about HTTP requests. Options are 'nothing', 'metadata' (log request method, URI, IP and response code), and 'metadata-and-body' (log the request and response body, in addition to the metadata). When debug vebosity is set the authorization headers are also logged when the request is fully logged.
http.cache.maxbytes 10485760 HTTP client maximum size of the response cache in bytes. If 0, the HTTP client does not cache responses.
http.internal.address 127.0.0.1:8081 Address and port the server will be listening to for internal-facing endpoints.
Expand All @@ -216,8 +218,6 @@ The following options can be configured on the server:
storage.session.redis.username Redis session database username. If set, it overrides the username in the connection URL.
storage.session.redis.tls.truststorefile PEM file containing the trusted CA certificate(s) for authenticating remote Redis session servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address).
storage.sql.connection Connection string for the SQL database. If not set it, defaults to a SQLite database stored inside the configured data directory. Note: using SQLite is not recommended in production environments. If using SQLite anyways, remember to enable foreign keys ('_foreign_keys=on') and the write-ahead-log ('_journal_mode=WAL').
**VDR**
vdr.didmethods [web,nuts] Comma-separated list of enabled DID methods (without did: prefix). It also controls the order in which DIDs are returned by APIs, and which DID is used for signing if the verifying party does not impose restrictions on the DID method used.
**policy**
policy.directory ./config/policy Directory to read policy files from. Policy files are JSON files that contain a scope to PresentationDefinition mapping.
======================================== =================================================================================================================================================================================================================================================================================================================================================================================================================================================================== ============================================================================================================================================================================================================================================================================================================================================
Expand Down Expand Up @@ -301,8 +301,8 @@ Several of the server options above allow the node to be configured in a way tha
The node can be configured to run in strict mode (default) to prevent any insecure configurations.
Below is a summary of the impact ``strictmode=true`` has on the node and its configuration.

Save storage of any private key material requires some serious consideration.
For this reason the ``crypto.storage`` backend must explicitly be set.
Save storage of any private key material and data requires some serious consideration.
For this reason the ``crypto.storage`` backend and the ``storage.sql.connection`` connection string must explicitly be set.

Private transactions can only be exchanged over authenticated nodes.
Therefore is requires TLS to be configured through ``tls.{certfile,certkeyfile,truststore}``.
2 changes: 1 addition & 1 deletion api/generated.go


8 changes: 4 additions & 4 deletions auth/api/auth/v1/api.go
Expand Up @@ -271,7 +271,7 @@ func (w Wrapper) CreateJwtGrant(ctx context.Context, request CreateJwtGrantReque

response, err := w.Auth.RelyingParty().CreateJwtGrant(ctx, req)
if err != nil {
return nil, core.InvalidInputError(err.Error())
return nil, core.InvalidInputError("%w", err)
}

return CreateJwtGrant200JSONResponse{BearerToken: response.BearerToken, AuthorizationServerEndpoint: response.AuthorizationServerEndpoint}, nil
Expand All @@ -289,7 +289,7 @@ func (w Wrapper) RequestAccessToken(ctx context.Context, request RequestAccessTo

jwtGrant, err := w.Auth.RelyingParty().CreateJwtGrant(ctx, req)
if err != nil {
return nil, core.InvalidInputError(err.Error())
return nil, core.InvalidInputError("%w", err)
}

authServerEndpoint, err := url.Parse(jwtGrant.AuthorizationServerEndpoint)
Expand All @@ -299,7 +299,7 @@ func (w Wrapper) RequestAccessToken(ctx context.Context, request RequestAccessTo

accessTokenResult, err := w.Auth.RelyingParty().RequestRFC003AccessToken(ctx, jwtGrant.BearerToken, *authServerEndpoint)
if err != nil {
return nil, core.Error(http.StatusServiceUnavailable, err.Error())
return nil, core.Error(http.StatusServiceUnavailable, "%w", err)
}
return RequestAccessToken200JSONResponse(*accessTokenResult), nil
}
Expand Down Expand Up @@ -401,7 +401,7 @@ func (w Wrapper) IntrospectAccessToken(ctx context.Context, request IntrospectAc
introspectionResponse.AssuranceLevel = &level
}

if claims.Credentials != nil && len(claims.Credentials) > 0 {
if len(claims.Credentials) > 0 {
introspectionResponse.Vcs = &claims.Credentials

var resolvedVCs []VerifiableCredential
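Review bot: The `core.InvalidInputError("%w", err)` lines in CreateJwtGrant and RequestAccessToken, and the `core.Error(http.StatusServiceUnavailable, "%w", err)` line in the third hunk, wrap `err` with no context of their own, so the two handlers produce byte-identical errors when CreateJwtGrant fails and nothing in the message says which step broke; a short prefix such as `core.InvalidInputError("creating JWT grant: %w", err)` names the step for logs and callers while keeping the error chain intact. This assumes the `%w` form is the new side of each pair, since the rendered page drops the +/- markers. How much of the wrapped error's text reaches the HTTP client depends on how core.InvalidInputError and core.Error render their messages, which is outside these hunks; worth confirming that the raw error from RequestRFC003AccessToken is not echoed verbatim into the 503 body. The `len(claims.Credentials) > 0` simplification in IntrospectAccessToken is correct as written; all four enclosing functions start and end outside their hunks.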