From e9f86eec0f8af4eabb65db6dc44c292497e1d229 Mon Sep 17 00:00:00 2001
From: Wout Slakhorst
Date: Wed, 16 Oct 2024 11:53:39 +0200
Subject: [PATCH] require DiscoveryRegistrationCredential in PEX (#3484)

---
 discovery/client.go | 12 ----------
 discovery/client_test.go | 3 +-
 discovery/module.go | 20 -------------------
 discovery/module_test.go | 1 +
 discovery/test.go | 10 ++++++++++
 docs/pages/deployment/discovery.rst | 13 ++++++++++++
 .../discovery/definitions/definition.json | 12 +++++++++++
 7 files changed, 37 insertions(+), 34 deletions(-)

diff --git a/discovery/client.go b/discovery/client.go
index 08fc8a4d6e..4ba43f3c0e 100644
--- a/discovery/client.go
+++ b/discovery/client.go
@@ -263,18 +263,6 @@ func (r *defaultClientRegistrationManager) findCredentialsAndBuildPresentation(c
 return nil, fmt.Errorf(errStr, service.ID, subjectDID, err)
 }
 
- // add registration params as credential if not already done so by the Presentation Definition
- var found bool
- for _, cred := range matchingCredentials {
- if cred.ID == registrationCredential.ID {
- found = true
- break
- }
- }
- if !found {
- matchingCredentials = append(matchingCredentials, credential.AutoCorrectSelfAttestedCredential(registrationCredential, subjectDID))
- }
-
 return r.buildPresentation(ctx, subjectDID, service, matchingCredentials, nil)
 }
 
diff --git a/discovery/client_test.go b/discovery/client_test.go
index b3209a43a9..4c08cc871b 100644
--- a/discovery/client_test.go
+++ b/discovery/client_test.go
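Review bot: With the auto-append removed, nothing left in findCredentialsAndBuildPresentation documents that registration parameters now reach the presentation only when the service's Presentation Definition selects the registration credential, so a reader of the surviving `return r.buildPresentation(ctx, subjectDID, service, matchingCredentials, nil)` cannot tell why a credential built earlier in the function may simply be dropped. Suggest a comment on that line, `// registration parameters are only presented when the Presentation Definition selects the DiscoveryRegistrationCredential; otherwise they are deliberately omitted`. Since the removed block was the last visible use of `registrationCredential`, it is presumably still referenced in the part of the function above the hunk (the patch is expected to compile), but that is worth a glance. The function starts outside the hunk.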
@@ -178,8 +178,7 @@ func Test_defaultClientRegistrationManager_activate(t *testing.T) {
 ctx.didResolver.EXPECT().Resolve(aliceDID, gomock.Any()).Return(nil, nil, nil)
 ctx.wallet.EXPECT().List(gomock.Any(), gomock.Any()).Return(nil, nil)
 ctx.wallet.EXPECT().BuildPresentation(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), false).DoAndReturn(func(_ interface{}, credentials []vc.VerifiableCredential, _ interface{}, _ interface{}, _ interface{}) (*vc.VerifiablePresentation, error) {
- // expect registration credential
- assert.Len(t, credentials, 1)
+ assert.Len(t, credentials, 0)
 return &vpAlice, nil
 })
 ctx.subjectManager.EXPECT().ListDIDs(gomock.Any(), aliceSubject).Return([]did.DID{aliceDID}, nil)
diff --git a/discovery/module.go b/discovery/module.go
index a231d47abc..538b7d54a8 100644
--- a/discovery/module.go
+++ b/discovery/module.go
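Review bot: The new `assert.Len(t, credentials, 0)` pins the wallet being asked to build a presentation with no credentials at all, but the comment it replaced was the only hint why, so a reader cannot tell whether zero is the intended outcome or a fixture that lost its credential. Suggest a one-line comment above the assertion, `// the test definition does not select the registration credential, so nothing is presented`. The positive direction of the new rule is not covered here: a sibling case whose definition does require the DiscoveryRegistrationCredential, asserting that it is the one credential handed to BuildPresentation, would protect against the credential silently never being presented. The enclosing test function starts outside the hunk.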
@@ -289,26 +289,6 @@ func (m *Module) validateRegistration(definition ServiceDefinition, presentation
 return fmt.Errorf("verifiable presentation doesn't match required presentation definition: %w", err)
 }
 if len(creds) != len(presentation.VerifiableCredential) {
- // it could be the case that the VP contains a registration credential and the matching credentials do not.
- // only return errPresentationDoesNotFulfillDefinition if both contain the registration credential or neither do.
- vpContainsRegistrationCredential := false
- for _, cred := range presentation.VerifiableCredential {
- if slices.Contains(cred.Type, credential.DiscoveryRegistrationCredentialTypeV1URI()) {
- vpContainsRegistrationCredential = true
- break
- }
- }
- matchingContainsRegistrationCredential := false
- for _, cred := range creds {
- if slices.Contains(cred.Type, credential.DiscoveryRegistrationCredentialTypeV1URI()) {
- matchingContainsRegistrationCredential = true
- break
- }
- }
- if vpContainsRegistrationCredential && !matchingContainsRegistrationCredential && len(presentation.VerifiableCredential)-len(creds) == 1 {
- return nil
- }
-
 return errPresentationDoesNotFulfillDefinition
 }
 return nil
diff --git a/discovery/module_test.go b/discovery/module_test.go
index f0569a9fc6..e04ce0ff5c 100644
--- a/discovery/module_test.go
+++ b/discovery/module_test.go
@@ -464,6 +464,7 @@ func TestModule_Search(t *testing.T) {
 {
 Presentation: vpAlice,
 Fields: map[string]interface{}{
+ "auth_server_url":"https://example.com/oauth2/alice",
 "issuer_field": authorityDID,
 },
 Parameters: defaultRegistrationParams(aliceSubject),
diff --git a/discovery/test.go b/discovery/test.go
index 3c927495fe..9000bb497a 100644
--- a/discovery/test.go
+++ b/discovery/test.go
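Review bot: The surviving `if len(creds) != len(presentation.VerifiableCredential)` now rejects every presentation that carries more credentials than the definition selects, which is the tighter and safer check, but the point where the old leniency lived no longer says so; a registrant that still attaches an unrequested registration credential (as clients built against the previous behaviour did) will be refused with errPresentationDoesNotFulfillDefinition on registration or refresh, and an operator reading that error has nothing to connect it to the definition change. Suggest a comment above the condition, `// every credential in the VP must be selected by the definition; surplus credentials, including an unrequested DiscoveryRegistrationCredential, are rejected`. The `slices` and `credential` imports lose their only visible use here; the diffstat shows no import edits for module.go, so they are presumably still used elsewhere in the file. validateRegistration starts outside the hunk.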
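Review bot: The added `"auth_server_url":"https://example.com/oauth2/alice",` has no space after the colon, unlike `"issuer_field": authorityDID,` directly below it; gofmt writes composite-literal pairs as `key: value`, so the file as committed is not gofmt-clean and the next formatting pass will touch this line again. Change it to `"auth_server_url": "https://example.com/oauth2/alice",`. The enclosing TestModule_Search starts and ends outside the hunk.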
@@ -102,6 +102,16 @@ func testDefinitions() map[string]ServiceDefinition {
 },
 },
 },
+ }, {
+ Id: "2",
+ Constraints: &pe.Constraints{
+ Fields: []pe.Field{
+ {
+ Id: to.Ptr("auth_server_url"),
+ Path: []string{"$.credentialSubject.authServerURL"},
+ },
+ },
+ },
 },
 },
 },
diff --git a/docs/pages/deployment/discovery.rst b/docs/pages/deployment/discovery.rst
index d9365eddde..b6d1104b5b 100644
--- a/docs/pages/deployment/discovery.rst
+++ b/docs/pages/deployment/discovery.rst
@@ -60,6 +60,7 @@ Optionally, a POST body can be provided with registration parameters, e.g.:
 This can be used to provide additional information. All registration parameters are returned by the search API. The ``authServerURL`` is added automatically by the Nuts node. It's constructed as ``https:///oauth2/``.
+Registration parameters can only be used if the specific parameters and/or ``DiscoveryRegistrationCredential`` are required by the Presentation Definition.
 Once registered, future refreshes will be done automatically by the Nuts node. These refreshes could fail because of various reasons. You can check the status of the refreshes by querying the service, e.g.:
@@ -156,6 +157,18 @@ Service definitions
 }
 ]
 }
+ }, {
+ "id": "DiscoveryRegistrationCredential",
+ "constraints": {
+ "fields": [
+ {
+ "id": "auth_server_url",
+ "path": [
+ "$.credentialSubject.authServerURL"
+ ]
+ }
+ ]
+ }
 }
 ]
 }
diff --git a/e2e-tests/discovery/definitions/definition.json b/e2e-tests/discovery/definitions/definition.json
index 81a01bd4fe..d00b41dbf0 100644
--- a/e2e-tests/discovery/definitions/definition.json
+++ b/e2e-tests/discovery/definitions/definition.json
@@ -46,6 +46,18 @@
 }
 ]
 }
+ },{
+ "id": "DiscoveryRegistrationCredential",
+ "constraints": {
+ "fields": [
+ {
+ "id": "auth_server_url",
+ "path": [
+ "$.credentialSubject.authServerURL"
+ ]
+ }
+ ]
+ }
 }
 ]
 }
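Review bot: The added input descriptor `Id: "2"` only requires that `$.credentialSubject.authServerURL` exists and puts no filter on the credential type, so any wallet credential carrying that claim would satisfy it, not specifically the DiscoveryRegistrationCredential; that is tolerable in a test fixture, but the docs example and the e2e definition.json in this same patch use the identical shape, and that is the definition operators will copy. If the intent is to bind the descriptor to the registration credential, a type filter on the field (the Presentation Exchange `filter` on `$.type`, if the other descriptors in testDefinitions already use one — not visible here) would make that explicit, together with a comment such as `// selects the node-issued DiscoveryRegistrationCredential via its authServerURL claim`. The descriptor id `"2"` also differs from the `"DiscoveryRegistrationCredential"` id used in the docs and e2e definition, which is fine functionally but makes the fixture harder to match against them. The enclosing testDefinitions literal starts and ends outside the hunk.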