

Move didmethods to config root (#3439)
* Move didmethods to config root
gerardsn authored Oct 3, 2024
1 parent f8ebb6c commit d888d2c
Showing 35 changed files with 129 additions and 197 deletions.
3 changes: 1 addition & 2 deletions README.rst
Expand Up @@ -173,6 +173,7 @@ The following options can be configured on the server:
configfile ./config/nuts.yaml Nuts config file
cpuprofile When set, a CPU profile is written to the given path. Ignored when strictmode is set.
datadir ./data Directory where the node stores its files.
didmethods [web,nuts] Comma-separated list of enabled DID methods (without did: prefix). It also controls the order in which DIDs are returned by APIs, and which DID is used for signing if the verifying party does not impose restrictions on the DID method used.
internalratelimiter true When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode.
loggerformat text Log format (text, json)
strictmode true When set, insecure settings are forbidden.
Expand Down Expand Up @@ -216,8 +217,6 @@ The following options can be configured on the server:
storage.session.redis.username Redis session database username. If set, it overrides the username in the connection URL.
storage.session.redis.tls.truststorefile PEM file containing the trusted CA certificate(s) for authenticating remote Redis session servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address).
storage.sql.connection Connection string for the SQL database. If not set it, defaults to a SQLite database stored inside the configured data directory. Note: using SQLite is not recommended in production environments. If using SQLite anyways, remember to enable foreign keys ('_foreign_keys=on') and the write-ahead-log ('_journal_mode=WAL').
**VDR**
vdr.didmethods [web,nuts] Comma-separated list of enabled DID methods (without did: prefix). It also controls the order in which DIDs are returned by APIs, and which DID is used for signing if the verifying party does not impose restrictions on the DID method used.
**policy**
policy.directory ./config/policy Directory to read policy files from. Policy files are JSON files that contain a scope to PresentationDefinition mapping.
======================================== =================================================================================================================================================================================================================================================================================================================================================================================================================================================================== ============================================================================================================================================================================================================================================================================================================================================
26 changes: 16 additions & 10 deletions auth/api/auth/v1/api_test.go
Expand Up @@ -61,11 +61,12 @@ type TestContext struct {
var _ pkg2.AuthenticationServices = &mockAuthClient{}

type mockAuthClient struct {
ctrl *gomock.Controller
authzServer *oauth.MockAuthorizationServer
contractNotary *services.MockContractNotary
iamClient *iam.MockClient
relyingParty *oauth.MockRelyingParty
ctrl *gomock.Controller
authzServer *oauth.MockAuthorizationServer
contractNotary *services.MockContractNotary
iamClient *iam.MockClient
relyingParty *oauth.MockRelyingParty
supportedDIDMethods []string
}

func (m *mockAuthClient) AuthorizationEndpointEnabled() bool {
Expand All @@ -92,6 +93,10 @@ func (m *mockAuthClient) PublicURL() *url.URL {
return nil
}

func (m *mockAuthClient) SupportedDIDMethods() []string {
return m.supportedDIDMethods
}

func createContext(t *testing.T) *TestContext {
t.Helper()
ctrl := gomock.NewController(t)
Expand All @@ -102,11 +107,12 @@ func createContext(t *testing.T) *TestContext {
iamClient := iam.NewMockClient(ctrl)

authMock := &mockAuthClient{
ctrl: ctrl,
contractNotary: contractNotary,
authzServer: authzServer,
relyingParty: relyingParty,
iamClient: iamClient,
ctrl: ctrl,
contractNotary: contractNotary,
authzServer: authzServer,
relyingParty: relyingParty,
iamClient: iamClient,
supportedDIDMethods: []string{"web", "nuts"},
}

requestCtx := audit.TestContext()
14 changes: 5 additions & 9 deletions auth/api/iam/api.go
Expand Up @@ -53,7 +53,6 @@ import (
"github.com/nuts-foundation/nuts-node/storage"
"github.com/nuts-foundation/nuts-node/vcr"
"github.com/nuts-foundation/nuts-node/vcr/pe"
"github.com/nuts-foundation/nuts-node/vdr"
"github.com/nuts-foundation/nuts-node/vdr/didsubject"
"github.com/nuts-foundation/nuts-node/vdr/resolver"
)
Expand Down Expand Up @@ -98,37 +97,34 @@ type Wrapper struct {
storageEngine storage.Engine
jsonldManager jsonld.JSONLD
vcr vcr.VCR
vdr vdr.VDR
jwtSigner nutsCrypto.JWTSigner
keyResolver resolver.KeyResolver
subjectManager didsubject.Manager
jar JAR
}

func New(
authInstance auth.AuthenticationServices, vcrInstance vcr.VCR, vdrInstance vdr.VDR, subjectManager didsubject.Manager, storageEngine storage.Engine,
authInstance auth.AuthenticationServices, vcrInstance vcr.VCR, didKeyResolver resolver.DIDKeyResolver, subjectManager didsubject.Manager, storageEngine storage.Engine,
policyBackend policy.PDPBackend, jwtSigner nutsCrypto.JWTSigner, jsonldManager jsonld.JSONLD) *Wrapper {

templates := template.New("oauth2 templates")
_, err := templates.ParseFS(assetsFS, "assets/*.html")
if err != nil {
panic(err)
}
keyResolver := resolver.DIDKeyResolver{Resolver: vdrInstance.Resolver()}
return &Wrapper{
auth: authInstance,
policyBackend: policyBackend,
storageEngine: storageEngine,
vcr: vcrInstance,
vdr: vdrInstance,
subjectManager: subjectManager,
jsonldManager: jsonldManager,
jwtSigner: jwtSigner,
keyResolver: keyResolver,
keyResolver: didKeyResolver,
jar: jar{
auth: authInstance,
jwtSigner: jwtSigner,
keyResolver: keyResolver,
keyResolver: didKeyResolver,
},
}
}
Expand Down Expand Up @@ -603,7 +599,7 @@ func (r Wrapper) OAuthAuthorizationServerMetadata(_ context.Context, request OAu
}

func (r Wrapper) oauthAuthorizationServerMetadata(clientID url.URL) (*oauth.AuthorizationServerMetadata, error) {
md := authorizationServerMetadata(&clientID, r.vdr.SupportedMethods())
md := authorizationServerMetadata(&clientID, r.auth.SupportedDIDMethods())
if !r.auth.AuthorizationEndpointEnabled() {
md.AuthorizationEndpoint = ""
}
Expand Down Expand Up @@ -667,7 +663,7 @@ func (r Wrapper) OpenIDConfiguration(ctx context.Context, request OpenIDConfigur
// this is a shortcoming of the openID federation vs OpenID4VP/DID worlds
// issuer URL equals server baseURL + :/oauth2/:subject
issuerURL := r.subjectToBaseURL(request.SubjectID)
configuration := openIDConfiguration(issuerURL, set, r.vdr.SupportedMethods())
configuration := openIDConfiguration(issuerURL, set, r.auth.SupportedDIDMethods())
claims := make(map[string]interface{})
asJson, _ := json.Marshal(configuration)
_ = json.Unmarshal(asJson, &claims)
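Review bot: `New` now takes `didKeyResolver` from the caller instead of building it from the VDR, yet nothing documents that this resolver is the trust anchor for `jar` (the request-object verifier at the bottom of the constructor) and must be the VDR-backed resolver that honours the same method list `r.auth.SupportedDIDMethods()` advertises in the server metadata and OpenID configuration. A caller wiring in a resolver that resolves additional methods would, presumably, let the node verify signatures from DIDs it publicly claims not to support, so the contract should be written down on the constructor. I would add above `func New(`: `// New builds the IAM API wrapper. didKeyResolver is used to verify signed request objects and presentations; it must be backed by the node's VDR resolver so that only the DID methods reported by authInstance.SupportedDIDMethods() are accepted.` The metadata and OpenIDConfiguration functions whose bodies appear here start and end outside these hunks.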
7 changes: 1 addition & 6 deletions auth/api/iam/api_test.go
Expand Up @@ -1419,7 +1419,6 @@ func newCustomTestClient(t testing.TB, publicURL *url.URL, authEndpointEnabled b
vcIssuer := issuer.NewMockIssuer(ctrl)
vcVerifier := verifier.NewMockVerifier(ctrl)
iamClient := iam.NewMockClient(ctrl)
mockVDR := vdr.NewMockVDR(ctrl)
mockDocumentOwner := didsubject.NewMockDocumentOwner(ctrl)
subjectManager := didsubject.NewMockManager(ctrl)
mockVCR := vcr.NewMockVCR(ctrl)
Expand All @@ -1430,14 +1429,12 @@ func newCustomTestClient(t testing.TB, publicURL *url.URL, authEndpointEnabled b

authnServices.EXPECT().PublicURL().Return(publicURL).AnyTimes()
authnServices.EXPECT().RelyingParty().Return(relyingPary).AnyTimes()
authnServices.EXPECT().SupportedDIDMethods().Return([]string{"web"}).AnyTimes()
mockVCR.EXPECT().Issuer().Return(vcIssuer).AnyTimes()
mockVCR.EXPECT().Verifier().Return(vcVerifier).AnyTimes()
mockVCR.EXPECT().Wallet().Return(mockWallet).AnyTimes()
authnServices.EXPECT().IAMClient().Return(iamClient).AnyTimes()
authnServices.EXPECT().AuthorizationEndpointEnabled().Return(authEndpointEnabled).AnyTimes()
mockVDR.EXPECT().Resolver().Return(mockResolver).AnyTimes()
mockVDR.EXPECT().DocumentOwner().Return(mockDocumentOwner).AnyTimes()
mockVDR.EXPECT().SupportedMethods().Return([]string{"web"}).AnyTimes()

subjectManager.EXPECT().ListDIDs(gomock.Any(), holderSubjectID).Return([]did.DID{holderDID}, nil).AnyTimes()
subjectManager.EXPECT().ListDIDs(gomock.Any(), unknownSubjectID).Return(nil, didsubject.ErrSubjectNotFound).AnyTimes()
Expand All @@ -1449,7 +1446,6 @@ func newCustomTestClient(t testing.TB, publicURL *url.URL, authEndpointEnabled b

client := &Wrapper{
auth: authnServices,
vdr: mockVDR,
subjectManager: subjectManager,
vcr: mockVCR,
storageEngine: storageEngine,
Expand All @@ -1466,7 +1462,6 @@ func newCustomTestClient(t testing.TB, publicURL *url.URL, authEndpointEnabled b
vcIssuer: vcIssuer,
vcVerifier: vcVerifier,
resolver: mockResolver,
vdr: mockVDR,
documentOwner: mockDocumentOwner,
subjectManager: subjectManager,
iamClient: iamClient,
2 changes: 1 addition & 1 deletion auth/api/iam/openid4vp.go
Expand Up @@ -384,7 +384,7 @@ func (r Wrapper) sendAndHandleDirectPost(ctx context.Context, subject string, vp
// Dispatch a new HTTP request to the local OpenID4VP wallet's authorization endpoint that includes request parameters,
// but with openid4vp: as scheme.
// The context contains data from the previous request. Usage by the handler will probably result in incorrect behavior.
userWalletMetadata := authorizationServerMetadata(nil, r.vdr.SupportedMethods())
userWalletMetadata := authorizationServerMetadata(nil, r.auth.SupportedDIDMethods())
response, err := r.handleAuthorizeRequest(ctx, subject, userWalletMetadata, *parsedRedirectURI)
if err != nil {
return nil, err
39 changes: 23 additions & 16 deletions auth/auth.go
Expand Up @@ -46,22 +46,23 @@ var _ AuthenticationServices = (*Auth)(nil)

// Auth is the main struct of the Auth service
type Auth struct {
config Config
jsonldManager jsonld.JSONLD
authzServer oauth.AuthorizationServer
relyingParty oauth.RelyingParty
contractNotary services.ContractNotary
serviceResolver didman.CompoundServiceResolver
keyStore crypto.KeyStore
vcr vcr.VCR
pkiProvider pki.Provider
shutdownFunc func()
vdrInstance vdr.VDR
publicURL *url.URL
strictMode bool
httpClientTimeout time.Duration
tlsConfig *tls.Config
subjectManager didsubject.Manager
config Config
jsonldManager jsonld.JSONLD
authzServer oauth.AuthorizationServer
relyingParty oauth.RelyingParty
contractNotary services.ContractNotary
serviceResolver didman.CompoundServiceResolver
keyStore crypto.KeyStore
vcr vcr.VCR
pkiProvider pki.Provider
shutdownFunc func()
vdrInstance vdr.VDR
publicURL *url.URL
strictMode bool
httpClientTimeout time.Duration
tlsConfig *tls.Config
subjectManager didsubject.Manager
supportedDIDMethods []string
}

// Name returns the name of the module.
Expand Down Expand Up @@ -136,6 +137,8 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
return err
}

auth.supportedDIDMethods = config.DIDMethods

auth.contractNotary = notary.NewNotary(notary.Config{
PublicURL: auth.publicURL.String(),
IrmaConfigPath: path.Join(config.Datadir, "irma"),
Expand Down Expand Up @@ -175,6 +178,10 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
return nil
}

func (auth *Auth) SupportedDIDMethods() []string {
return auth.supportedDIDMethods
}

// Start starts the Auth engine (Noop)
func (auth *Auth) Start() error {
return nil
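Review bot: `auth.supportedDIDMethods = config.DIDMethods` stores the configuration slice by reference and `SupportedDIDMethods()` returns that same backing array, so any caller that sorts or appends to the result (the metadata builders in auth/api/iam receive it directly) mutates the node-wide setting. Unless core validates `didmethods` before this point, which is not visible here, Configure also accepts an empty list, and the README states this list decides which DID signs when the verifier imposes no restriction, so an empty or mistyped list silently changes signing behaviour rather than failing startup. I would reject the empty case and copy on both sides: `if len(config.DIDMethods) == 0 { return errors.New("at least one DID method must be configured (didmethods)") }` followed by `auth.supportedDIDMethods = slices.Clone(config.DIDMethods)`, and `return slices.Clone(auth.supportedDIDMethods)` from the getter (needs `errors` and `slices` imported if they are not already). The Configure body starts and ends outside this hunk.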
2 changes: 2 additions & 0 deletions auth/interface.go
Expand Up @@ -42,4 +42,6 @@ type AuthenticationServices interface {
PublicURL() *url.URL
// AuthorizationEndpointEnabled returns whether the v2 API's OAuth2 Authorization Endpoint is enabled.
AuthorizationEndpointEnabled() bool
// SupportedDIDMethods list the DID methods configured for the nuts node in preferred order.
SupportedDIDMethods() []string
}
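Review bot: The new doc comment on `SupportedDIDMethods` has a grammar slip ("list" for "lists") and leaves the contract that implementers and callers depend on unstated: whether the slice is populated before Configure has run, whether the `did:` prefix is included, and whether the caller may modify the returned slice. The implementation added in auth/auth.go in this commit assigns the field inside Configure and returns it without copying, so the interface should say so. I would replace the comment with `// SupportedDIDMethods returns the DID methods (without did: prefix) enabled for this node, in order of preference. The result is only populated after Configure and must not be modified by the caller.`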
14 changes: 14 additions & 0 deletions auth/mock.go



