Added auth v2 request access token api for s2s flow

regenerated APIs using codegen 1.15.0
nuts-foundation · Sep 19, 2023 · 26cab94 · 26cab94
1 parent f84adae
commit 26cab94
Show file tree

Hide file tree

Showing 5 changed files with 291 additions and 57 deletions.
diff --git a/auth/api/iam/api_test.go b/auth/api/iam/api_test.go
@@ -38,7 +38,7 @@ func TestWrapper_GetOAuthAuthorizationServerMetadata(t *testing.T) {
 		//	200
 		ctx := newTestClient(t)
 		did := did.MustParseDID("did:nuts:123")
-		ctx.vdrInstance.EXPECT().IsOwner(nil, did).Return(true, nil)
+		ctx.vdr.EXPECT().IsOwner(nil, did).Return(true, nil)
 
 		res, err := ctx.client.GetOAuthAuthorizationServerMetadata(nil, GetOAuthAuthorizationServerMetadataRequestObject{Did: did.String()})
 
@@ -69,7 +69,7 @@ func TestWrapper_GetOAuthAuthorizationServerMetadata(t *testing.T) {
 		//404
 		ctx := newTestClient(t)
 		did := did.MustParseDID("did:nuts:123")
-		ctx.vdrInstance.EXPECT().IsOwner(nil, did)
+		ctx.vdr.EXPECT().IsOwner(nil, did)
 
 		res, err := ctx.client.GetOAuthAuthorizationServerMetadata(nil, GetOAuthAuthorizationServerMetadataRequestObject{Did: did.String()})
 
@@ -81,7 +81,7 @@ func TestWrapper_GetOAuthAuthorizationServerMetadata(t *testing.T) {
 		//404
 		ctx := newTestClient(t)
 		did := did.MustParseDID("did:nuts:123")
-		ctx.vdrInstance.EXPECT().IsOwner(nil, did).Return(false, vdr.ErrNotFound)
+		ctx.vdr.EXPECT().IsOwner(nil, did).Return(false, vdr.ErrNotFound)
 
 		res, err := ctx.client.GetOAuthAuthorizationServerMetadata(nil, GetOAuthAuthorizationServerMetadataRequestObject{Did: did.String()})
 
@@ -93,7 +93,7 @@ func TestWrapper_GetOAuthAuthorizationServerMetadata(t *testing.T) {
 		//500
 		ctx := newTestClient(t)
 		did := did.MustParseDID("did:nuts:123")
-		ctx.vdrInstance.EXPECT().IsOwner(nil, did).Return(false, errors.New("unknown error"))
+		ctx.vdr.EXPECT().IsOwner(nil, did).Return(false, errors.New("unknown error"))
 
 		res, err := ctx.client.GetOAuthAuthorizationServerMetadata(nil, GetOAuthAuthorizationServerMetadataRequestObject{Did: did.String()})
 
@@ -118,7 +118,7 @@ func TestWrapper_GetWebDID(t *testing.T) {
 
 	t.Run("ok", func(t *testing.T) {
 		test := newTestClient(t)
-		test.vdrInstance.EXPECT().DeriveWebDIDDocument(gomock.Any(), *webDIDBaseURL, nutsDID).Return(&expectedWebDIDDoc, nil)
+		test.vdr.EXPECT().DeriveWebDIDDocument(gomock.Any(), *webDIDBaseURL, nutsDID).Return(&expectedWebDIDDoc, nil)
 
 		response, err := test.client.GetWebDID(ctx, GetWebDIDRequestObject{nutsDID.ID})
 
@@ -127,7 +127,7 @@ func TestWrapper_GetWebDID(t *testing.T) {
 	})
 	t.Run("unknown DID", func(t *testing.T) {
 		test := newTestClient(t)
-		test.vdrInstance.EXPECT().DeriveWebDIDDocument(ctx, *webDIDBaseURL, nutsDID).Return(nil, vdr.ErrNotFound)
+		test.vdr.EXPECT().DeriveWebDIDDocument(ctx, *webDIDBaseURL, nutsDID).Return(nil, vdr.ErrNotFound)
 
 		response, err := test.client.GetWebDID(ctx, GetWebDIDRequestObject{nutsDID.ID})
 
@@ -136,7 +136,7 @@ func TestWrapper_GetWebDID(t *testing.T) {
 	})
 	t.Run("other error", func(t *testing.T) {
 		test := newTestClient(t)
-		test.vdrInstance.EXPECT().DeriveWebDIDDocument(gomock.Any(), *webDIDBaseURL, nutsDID).Return(nil, errors.New("failed"))
+		test.vdr.EXPECT().DeriveWebDIDDocument(gomock.Any(), *webDIDBaseURL, nutsDID).Return(nil, errors.New("failed"))
 
 		response, err := test.client.GetWebDID(ctx, GetWebDIDRequestObject{nutsDID.ID})
 
@@ -227,7 +227,8 @@ func statusCodeFrom(err error) int {
 type testCtx struct {
 	client        *Wrapper
 	authnServices *auth.MockAuthenticationServices
-	vdrInstance   *vdr.MockVDR
+	vdr           *vdr.MockVDR
+	resolver      *vdr.MockDIDResolver
 }
 
 func newTestClient(t testing.TB) *testCtx {
@@ -236,13 +237,16 @@ func newTestClient(t testing.TB) *testCtx {
 	ctrl := gomock.NewController(t)
 	authnServices := auth.NewMockAuthenticationServices(ctrl)
 	authnServices.EXPECT().PublicURL().Return(publicURL).AnyTimes()
-	vdrInstance := vdr.NewMockVDR(ctrl)
+	resolver := vdr.NewMockDIDResolver(ctrl)
+	vdr := vdr.NewMockVDR(ctrl)
+	vdr.EXPECT().Resolver().Return(resolver).AnyTimes()
 	return &testCtx{
 		authnServices: authnServices,
-		vdrInstance:   vdrInstance,
+		resolver:      resolver,
+		vdr:           vdr,
 		client: &Wrapper{
 			auth: authnServices,
-			vdr:  vdrInstance,
+			vdr:  vdr,
 		},
 	}
 }
diff --git a/auth/api/iam/generated.go b/auth/api/iam/generated.go
diff --git a/auth/api/iam/s2s_vptoken.go b/auth/api/iam/s2s_vptoken.go
@@ -19,9 +19,12 @@
 package iam
 
 import (
+	"context"
 	"errors"
 	"github.com/labstack/echo/v4"
+	"github.com/nuts-foundation/go-did/did"
 	"github.com/nuts-foundation/nuts-node/core"
+	"github.com/nuts-foundation/nuts-node/vdr/types"
 	"net/http"
 )
 
@@ -60,3 +63,39 @@ func (s serviceToService) handleAuthzRequest(_ map[string]string, _ *Session) (*
 	// Protocol does not support authorization code flow
 	return nil, nil
 }
+
+func (r Wrapper) RequestAccessToken(ctx context.Context, request RequestAccessTokenRequestObject) (RequestAccessTokenResponseObject, error) {
+	if request.Body == nil {
+		// why did oapi-codegen generate a pointer for the body??
+		return nil, core.InvalidInputError("missing request body")
+	}
+	// resolve wallet
+	requestHolder, err := did.ParseDID(request.Did)
+	if err != nil {
+		return nil, core.NotFoundError("did not found: %w", err)
+	}
+	isWallet, err := r.vdr.IsOwner(ctx, *requestHolder)
+	if err != nil {
+		return nil, err
+	}
+	if !isWallet {
+		return nil, core.InvalidInputError("did not owned by this node: %w", err)
+	}
+
+	// resolve verifier metadata
+	requestVerifier, err := did.ParseDID(request.Body.Verifier)
+	if err != nil {
+		return nil, core.InvalidInputError("invalid verifier: %w", err)
+	}
+	_, _, err = r.vdr.Resolver().Resolve(*requestVerifier, nil)
+	if err != nil {
+		if errors.Is(err, types.ErrNotFound) {
+			return nil, core.InvalidInputError("verifier not found: %w", err)
+		}
+		return nil, err
+	}
+
+	// todo fetch metadata using didDocument service data or .well-known path
+
+	return RequestAccessToken200JSONResponse{}, nil
+}
diff --git a/auth/api/iam/s2s_vptoken_test.go b/auth/api/iam/s2s_vptoken_test.go
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2023 Nuts community
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ */
+
+package iam
+
+import (
+	"github.com/nuts-foundation/nuts-node/vdr/types"
+	"testing"
+
+	"github.com/nuts-foundation/go-did/did"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestWrapper_RequestAccessToken(t *testing.T) {
+	walletDID := did.MustParseDID("did:test:123")
+	verifierDID := did.MustParseDID("did:test:456")
+	body := &RequestAccessTokenJSONRequestBody{Verifier: verifierDID.String()}
+
+	t.Run("ok", func(t *testing.T) {
+		ctx := newTestClient(t)
+		ctx.vdr.EXPECT().IsOwner(nil, walletDID).Return(true, nil)
+		ctx.resolver.EXPECT().Resolve(verifierDID, nil).Return(&did.Document{}, &types.DocumentMetadata{}, nil)
+
+		_, err := ctx.client.RequestAccessToken(nil, RequestAccessTokenRequestObject{Did: walletDID.String(), Body: body})
+
+		require.NoError(t, err)
+	})
+	t.Run("error - DID not owned", func(t *testing.T) {
+		ctx := newTestClient(t)
+		ctx.vdr.EXPECT().IsOwner(nil, walletDID).Return(false, nil)
+
+		_, err := ctx.client.RequestAccessToken(nil, RequestAccessTokenRequestObject{Did: walletDID.String(), Body: body})
+
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "not owned by this node")
+	})
+	t.Run("error - invalid DID", func(t *testing.T) {
+		ctx := newTestClient(t)
+
+		_, err := ctx.client.RequestAccessToken(nil, RequestAccessTokenRequestObject{Did: "invalid", Body: body})
+
+		require.EqualError(t, err, "did not found: invalid DID")
+	})
+	t.Run("missing request body", func(t *testing.T) {
+		ctx := newTestClient(t)
+
+		_, err := ctx.client.RequestAccessToken(nil, RequestAccessTokenRequestObject{Did: walletDID.String()})
+
+		require.Error(t, err)
+		assert.EqualError(t, err, "missing request body")
+	})
+	t.Run("invalid verifier did", func(t *testing.T) {
+		ctx := newTestClient(t)
+		body := &RequestAccessTokenJSONRequestBody{Verifier: "invalid"}
+		ctx.vdr.EXPECT().IsOwner(nil, walletDID).Return(true, nil)
+
+		_, err := ctx.client.RequestAccessToken(nil, RequestAccessTokenRequestObject{Did: walletDID.String(), Body: body})
+
+		require.Error(t, err)
+		assert.EqualError(t, err, "invalid verifier: invalid DID")
+	})
+	t.Run("verifier not found", func(t *testing.T) {
+		ctx := newTestClient(t)
+		ctx.vdr.EXPECT().IsOwner(nil, walletDID).Return(true, nil)
+		ctx.resolver.EXPECT().Resolve(verifierDID, nil).Return(nil, nil, types.ErrNotFound)
+
+		_, err := ctx.client.RequestAccessToken(nil, RequestAccessTokenRequestObject{Did: walletDID.String(), Body: body})
+
+		require.Error(t, err)
+		assert.EqualError(t, err, "verifier not found: unable to find the DID document")
+	})
+}