From 051b282810a85d3ac69007bb5c80c8004c0c9281 Mon Sep 17 00:00:00 2001
From: reinkrul
Date: Thu, 21 Nov 2024 06:57:08 +0100
Subject: [PATCH] Support did:x509 in Authorization Server metadata (#3573)

---
 auth/auth.go | 55 +++++++++++++++++++++++++++++++----------------
 auth/auth_test.go | 20 +++++++++++++++++
 auth/interface.go | 2 +-
 3 files changed, 57 insertions(+), 20 deletions(-)

diff --git a/auth/auth.go b/auth/auth.go
index 12f7d07fa2..78167b31f3 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -23,10 +23,16 @@ import (
 	"errors"
 	"github.com/nuts-foundation/nuts-node/auth/client/iam"
 	"github.com/nuts-foundation/nuts-node/vdr"
+	"github.com/nuts-foundation/nuts-node/vdr/didjwk"
+	"github.com/nuts-foundation/nuts-node/vdr/didkey"
+	"github.com/nuts-foundation/nuts-node/vdr/didnuts"
 	"github.com/nuts-foundation/nuts-node/vdr/didsubject"
+	"github.com/nuts-foundation/nuts-node/vdr/didweb"
+	"github.com/nuts-foundation/nuts-node/vdr/didx509"
 	"github.com/nuts-foundation/nuts-node/vdr/resolver"
 	"net/url"
 	"path"
+	"slices"
 	"time"
 
 	"github.com/nuts-foundation/nuts-node/auth/services"
@@ -46,23 +52,25 @@ var _ AuthenticationServices = (*Auth)(nil)
 
 // Auth is the main struct of the Auth service
 type Auth struct {
-	config              Config
-	jsonldManager       jsonld.JSONLD
-	authzServer         oauth.AuthorizationServer
-	relyingParty        oauth.RelyingParty
-	contractNotary      services.ContractNotary
-	serviceResolver     didman.CompoundServiceResolver
-	keyStore            crypto.KeyStore
-	vcr                 vcr.VCR
-	pkiProvider         pki.Provider
-	shutdownFunc        func()
-	vdrInstance         vdr.VDR
-	publicURL           *url.URL
-	strictMode          bool
-	httpClientTimeout   time.Duration
-	tlsConfig           *tls.Config
-	subjectManager      didsubject.Manager
-	supportedDIDMethods []string
+	config            Config
+	jsonldManager     jsonld.JSONLD
+	authzServer       oauth.AuthorizationServer
+	relyingParty      oauth.RelyingParty
+	contractNotary    services.ContractNotary
+	serviceResolver   didman.CompoundServiceResolver
+	keyStore          crypto.KeyStore
+	vcr               vcr.VCR
+	pkiProvider       pki.Provider
+	shutdownFunc      func()
+	vdrInstance       vdr.VDR
+	publicURL         *url.URL
+	strictMode        bool
+	httpClientTimeout time.Duration
+	tlsConfig         *tls.Config
+	subjectManager    didsubject.Manager
+	// configuredDIDMethods contains the DID methods that are configured in the Nuts node,
+	// of which VDR will create DIDs.
+	configuredDIDMethods []string
 }
 
 // Name returns the name of the module.
@@ -137,7 +145,7 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
 		return err
 	}
 
-	auth.supportedDIDMethods = config.DIDMethods
+	auth.configuredDIDMethods = config.DIDMethods
 
 	auth.contractNotary = notary.NewNotary(notary.Config{
 		PublicURL: auth.publicURL.String(),
@@ -180,7 +188,16 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
 }
 
 func (auth *Auth) SupportedDIDMethods() []string {
-	return auth.supportedDIDMethods
+	// DID methods that don't require additional resources/configuration in the Nuts node are always supported.
+	// Other DID methods (did:nuts), are only supported if explicitly enabled.
+	result := []string{didjwk.MethodName, didkey.MethodName, didx509.MethodName}
+	if slices.Contains(auth.configuredDIDMethods, didnuts.MethodName) {
+		result = append(result, didnuts.MethodName)
+	}
+	if slices.Contains(auth.configuredDIDMethods, didweb.MethodName) {
+		result = append(result, didweb.MethodName)
+	}
+	return result
 }
 
 // Start starts the Auth engine (Noop)
diff --git a/auth/auth_test.go b/auth/auth_test.go
index 76fca6f8d1..968ea61ef8 100644
--- a/auth/auth_test.go
+++ b/auth/auth_test.go
@@ -125,3 +125,23 @@ func TestAuth_IAMClient(t *testing.T) {
 
 	})
 }
+
+func TestAuth_SupportedDIDMethods(t *testing.T) {
+	t.Run("supports did:key", func(t *testing.T) {
+		assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "key")
+	})
+	t.Run("supports did:x509", func(t *testing.T) {
+		assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "x509")
+	})
+	t.Run("supports did:jwk", func(t *testing.T) {
+		assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "jwk")
+	})
+	t.Run("supports did:nuts if configured", func(t *testing.T) {
+		assert.NotContains(t, (&Auth{}).SupportedDIDMethods(), "nuts")
+		assert.Contains(t, (&Auth{configuredDIDMethods: []string{"nuts"}}).SupportedDIDMethods(), "nuts")
+	})
+	t.Run("supports did:web if configured", func(t *testing.T) {
+		assert.NotContains(t, (&Auth{}).SupportedDIDMethods(), "web")
+		assert.Contains(t, (&Auth{configuredDIDMethods: []string{"web"}}).SupportedDIDMethods(), "web")
+	})
+}
diff --git a/auth/interface.go b/auth/interface.go
index bae296c0da..6a0cd7eecb 100644
--- a/auth/interface.go
+++ b/auth/interface.go
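Review bot: SupportedDIDMethods now returns a fixed order (jwk, key, x509, then nuts, then web) instead of echoing config.DIDMethods, while the interface comment being removed in auth/interface.go described the list as "in preferred order"; if any consumer of the returned slice treats position as preference, that ordering is silently lost, and the configured order of did:nuts/did:web could be kept by iterating auth.configuredDIDMethods once rather than two slices.Contains checks. The method also has no doc comment of its own; suggest `// SupportedDIDMethods returns the DID methods this node advertises: did:jwk, did:key and did:x509 unconditionally, plus did:nuts and did:web when they appear in the node's configured DID methods.` Advertising did:x509 unconditionally presumably relies on the did:x509 resolver enforcing its own certificate-chain and trust checks, which is outside this hunk and worth confirming. The line comment `// Other DID methods (did:nuts), are only supported if explicitly enabled.` has a stray comma and omits did:web, which the code gates the same way.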
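Review bot: The new subtests only assert Contains/NotContains, so an accidentally advertised extra method, or a dropped default, would pass unnoticed; the zero-value case has a fixed expected result, so one exact assertion pins it: `assert.Equal(t, []string{"jwk", "key", "x509"}, (&Auth{}).SupportedDIDMethods())`. The configured cases can be pinned the same way, e.g. `[]string{"jwk", "key", "x509", "nuts"}` for `configuredDIDMethods: []string{"nuts"}`, which also documents the ordering the implementation commits to.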
@@ -42,6 +42,6 @@ type AuthenticationServices interface {
 	PublicURL() *url.URL
 	// AuthorizationEndpointEnabled returns whether the v2 API's OAuth2 Authorization Endpoint is enabled.
 	AuthorizationEndpointEnabled() bool
-	// SupportedDIDMethods list the DID methods configured for the nuts node in preferred order.
+	// SupportedDIDMethods lists the DID methods the Nuts node can resolve.
 	SupportedDIDMethods() []string
 }
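Review bot: The new comment says the node "can resolve" these methods, but the implementation in auth/auth.go gates did:nuts and did:web on configuredDIDMethods, which the struct field comment describes as the methods VDR will create DIDs for; whether a method is resolvable and whether it is configured for creation are not obviously the same thing, so the wording may not match what callers actually get. Suggest `// SupportedDIDMethods lists the DID methods this node advertises support for: did:jwk, did:key and did:x509 always, did:nuts and did:web only when configured.`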