VDR: Produce did:web documents

auth/api/iam/api.go

@@ -283,8 +283,7 @@ func (r Wrapper) HandleAuthorizeRequest(ctx context.Context, request HandleAutho
 
 // OAuthAuthorizationServerMetadata returns the Authorization Server's metadata
 func (r Wrapper) OAuthAuthorizationServerMetadata(ctx context.Context, request OAuthAuthorizationServerMetadataRequestObject) (OAuthAuthorizationServerMetadataResponseObject, error) {
-	// TODO: must be web DID once web DID creation and DB are implemented
-	ownDID := idToNutsDID(request.Id)
+	ownDID := r.idToDID(request.Id)
 	owned, err := r.vdr.IsOwner(ctx, ownDID)
 	if err != nil {
 		if resolver.IsFunctionalResolveError(err) {
@@ -302,17 +301,15 @@ func (r Wrapper) OAuthAuthorizationServerMetadata(ctx context.Context, request O
 	return OAuthAuthorizationServerMetadata200JSONResponse(authorizationServerMetadata(*identity)), nil
 }
 
-func (r Wrapper) GetWebDID(ctx context.Context, request GetWebDIDRequestObject) (GetWebDIDResponseObject, error) {
-	baseURL := *(r.auth.PublicURL().JoinPath(apiPath))
-	// TODO: must be web DID once web DID creation and DB are implemented
-	ownDID := idToNutsDID(request.Id)
+func (r Wrapper) GetWebDID(_ context.Context, request GetWebDIDRequestObject) (GetWebDIDResponseObject, error) {
+	ownDID := r.idToDID(request.Id)
 
-	document, err := r.vdr.DeriveWebDIDDocument(ctx, baseURL, ownDID)
+	document, err := r.vdr.ResolveManaged(ownDID)
 	if err != nil {
 		if resolver.IsFunctionalResolveError(err) {
 			return GetWebDID404Response{}, nil
 		}
-		log.Logger().WithError(err).Errorf("Could not resolve Nuts DID: %s", ownDID.String())
+		log.Logger().WithError(err).Errorf("Could not resolve Web DID: %s", ownDID.String())
 		return nil, errors.New("unable to resolve DID")
 	}
 	return GetWebDID200JSONResponse(*document), nil

auth/api/iam/api_test.go

@@ -28,7 +28,6 @@ import (
 	"testing"
 
 	"github.com/labstack/echo/v4"
-	ssi "github.com/nuts-foundation/go-did"
 	"github.com/nuts-foundation/go-did/did"
 	"github.com/nuts-foundation/go-did/vc"
 	"github.com/nuts-foundation/nuts-node/audit"
@@ -49,14 +48,15 @@ import (
 
 var nutsDID = did.MustParseDID("did:nuts:123")
 var webDID = did.MustParseDID("did:web:example.com:iam:123")
+var webIDPart = "123"
 
 func TestWrapper_OAuthAuthorizationServerMetadata(t *testing.T) {
 	t.Run("ok", func(t *testing.T) {
 		//	200
 		ctx := newTestClient(t)
-		ctx.vdr.EXPECT().IsOwner(nil, nutsDID).Return(true, nil)
+		ctx.vdr.EXPECT().IsOwner(nil, webDID).Return(true, nil)
 
-		res, err := ctx.client.OAuthAuthorizationServerMetadata(nil, OAuthAuthorizationServerMetadataRequestObject{Id: nutsDID.ID})
+		res, err := ctx.client.OAuthAuthorizationServerMetadata(nil, OAuthAuthorizationServerMetadataRequestObject{Id: webIDPart})
 
 		require.NoError(t, err)
 		assert.IsType(t, OAuthAuthorizationServerMetadata200JSONResponse{}, res)
@@ -65,9 +65,9 @@ func TestWrapper_OAuthAuthorizationServerMetadata(t *testing.T) {
 	t.Run("error - did not managed by this node", func(t *testing.T) {
 		//404
 		ctx := newTestClient(t)
-		ctx.vdr.EXPECT().IsOwner(nil, nutsDID)
+		ctx.vdr.EXPECT().IsOwner(nil, webDID)
 
-		res, err := ctx.client.OAuthAuthorizationServerMetadata(nil, OAuthAuthorizationServerMetadataRequestObject{Id: nutsDID.ID})
+		res, err := ctx.client.OAuthAuthorizationServerMetadata(nil, OAuthAuthorizationServerMetadataRequestObject{Id: webIDPart})
 
 		assert.Equal(t, 404, statusCodeFrom(err))
 		assert.EqualError(t, err, "authz server metadata: did not owned")
@@ -76,9 +76,9 @@ func TestWrapper_OAuthAuthorizationServerMetadata(t *testing.T) {
 	t.Run("error - did does not exist", func(t *testing.T) {
 		//404
 		ctx := newTestClient(t)
-		ctx.vdr.EXPECT().IsOwner(nil, nutsDID).Return(false, resolver.ErrNotFound)
+		ctx.vdr.EXPECT().IsOwner(nil, webDID).Return(false, resolver.ErrNotFound)
 
-		res, err := ctx.client.OAuthAuthorizationServerMetadata(nil, OAuthAuthorizationServerMetadataRequestObject{Id: nutsDID.ID})
+		res, err := ctx.client.OAuthAuthorizationServerMetadata(nil, OAuthAuthorizationServerMetadataRequestObject{Id: webIDPart})
 
 		assert.Equal(t, 404, statusCodeFrom(err))
 		assert.EqualError(t, err, "authz server metadata: unable to find the DID document")
@@ -87,9 +87,9 @@ func TestWrapper_OAuthAuthorizationServerMetadata(t *testing.T) {
 	t.Run("error - internal error 500", func(t *testing.T) {
 		//500
 		ctx := newTestClient(t)
-		ctx.vdr.EXPECT().IsOwner(nil, nutsDID).Return(false, errors.New("unknown error"))
+		ctx.vdr.EXPECT().IsOwner(nil, webDID).Return(false, errors.New("unknown error"))
 
-		res, err := ctx.client.OAuthAuthorizationServerMetadata(nil, OAuthAuthorizationServerMetadataRequestObject{Id: nutsDID.ID})
+		res, err := ctx.client.OAuthAuthorizationServerMetadata(nil, OAuthAuthorizationServerMetadataRequestObject{Id: webIDPart})
 
 		assert.Equal(t, 500, statusCodeFrom(err))
 		assert.EqualError(t, err, "authz server metadata: unknown error")
@@ -99,8 +99,7 @@ func TestWrapper_OAuthAuthorizationServerMetadata(t *testing.T) {
 
 func TestWrapper_GetWebDID(t *testing.T) {
 	webDID := did.MustParseDID("did:web:example.com:iam:123")
-	publicURL := ssi.MustParseURI("https://example.com").URL
-	webDIDBaseURL := publicURL.JoinPath("/iam")
+	id := "123"
 	ctx := audit.TestContext()
 	expectedWebDIDDoc := did.Document{
 		ID: webDID,
@@ -111,27 +110,27 @@ func TestWrapper_GetWebDID(t *testing.T) {
 
 	t.Run("ok", func(t *testing.T) {
 		test := newTestClient(t)
-		test.vdr.EXPECT().DeriveWebDIDDocument(gomock.Any(), *webDIDBaseURL, nutsDID).Return(&expectedWebDIDDoc, nil)
+		test.vdr.EXPECT().ResolveManaged(webDID).Return(&expectedWebDIDDoc, nil)
 
-		response, err := test.client.GetWebDID(ctx, GetWebDIDRequestObject{nutsDID.ID})
+		response, err := test.client.GetWebDID(ctx, GetWebDIDRequestObject{id})
 
 		assert.NoError(t, err)
 		assert.Equal(t, expectedWebDIDDoc, did.Document(response.(GetWebDID200JSONResponse)))
 	})
 	t.Run("unknown DID", func(t *testing.T) {
 		test := newTestClient(t)
-		test.vdr.EXPECT().DeriveWebDIDDocument(ctx, *webDIDBaseURL, nutsDID).Return(nil, resolver.ErrNotFound)
+		test.vdr.EXPECT().ResolveManaged(webDID).Return(nil, resolver.ErrNotFound)
 
-		response, err := test.client.GetWebDID(ctx, GetWebDIDRequestObject{nutsDID.ID})
+		response, err := test.client.GetWebDID(ctx, GetWebDIDRequestObject{id})
 
 		assert.NoError(t, err)
 		assert.IsType(t, GetWebDID404Response{}, response)
 	})
 	t.Run("other error", func(t *testing.T) {
 		test := newTestClient(t)
-		test.vdr.EXPECT().DeriveWebDIDDocument(gomock.Any(), *webDIDBaseURL, nutsDID).Return(nil, errors.New("failed"))
+		test.vdr.EXPECT().ResolveManaged(webDID).Return(nil, errors.New("failed"))
 
-		response, err := test.client.GetWebDID(ctx, GetWebDIDRequestObject{nutsDID.ID})
+		response, err := test.client.GetWebDID(ctx, GetWebDIDRequestObject{id})
 
 		assert.EqualError(t, err, "unable to resolve DID")
 		assert.Nil(t, response)

cmd/root.go

@@ -23,13 +23,9 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"github.com/nuts-foundation/nuts-node/discovery"
-	"github.com/nuts-foundation/nuts-node/vdr/resolver"
-
-	"github.com/nuts-foundation/nuts-node/golden_hammer"
-	goldenHammerCmd "github.com/nuts-foundation/nuts-node/golden_hammer/cmd"
-	"github.com/nuts-foundation/nuts-node/vdr/didnuts"
-	"github.com/nuts-foundation/nuts-node/vdr/didnuts/didstore"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
 	"io"
 	"os"
 	"runtime/pprof"
@@ -47,9 +43,12 @@ import (
 	"github.com/nuts-foundation/nuts-node/didman"
 	didmanAPI "github.com/nuts-foundation/nuts-node/didman/api/v1"
 	didmanCmd "github.com/nuts-foundation/nuts-node/didman/cmd"
+	"github.com/nuts-foundation/nuts-node/discovery"
 	discoveryCmd "github.com/nuts-foundation/nuts-node/discovery/cmd"
 	"github.com/nuts-foundation/nuts-node/events"
 	eventsCmd "github.com/nuts-foundation/nuts-node/events/cmd"
+	"github.com/nuts-foundation/nuts-node/golden_hammer"
+	goldenHammerCmd "github.com/nuts-foundation/nuts-node/golden_hammer/cmd"
 	httpEngine "github.com/nuts-foundation/nuts-node/http"
 	httpCmd "github.com/nuts-foundation/nuts-node/http/cmd"
 	"github.com/nuts-foundation/nuts-node/jsonld"
@@ -65,10 +64,11 @@ import (
 	vcrCmd "github.com/nuts-foundation/nuts-node/vcr/cmd"
 	"github.com/nuts-foundation/nuts-node/vdr"
 	vdrAPI "github.com/nuts-foundation/nuts-node/vdr/api/v1"
+	vdrAPIv2 "github.com/nuts-foundation/nuts-node/vdr/api/v2"
 	vdrCmd "github.com/nuts-foundation/nuts-node/vdr/cmd"
-	"github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
+	"github.com/nuts-foundation/nuts-node/vdr/didnuts"
+	"github.com/nuts-foundation/nuts-node/vdr/didnuts/didstore"
+	"github.com/nuts-foundation/nuts-node/vdr/resolver"
 )
 
 var stdOutWriter io.Writer = os.Stdout
@@ -191,7 +191,7 @@ func CreateSystem(shutdownCallback context.CancelFunc) *core.System {
 	didStore := didstore.New(storageInstance.GetProvider(vdr.ModuleName))
 	eventManager := events.NewManager()
 	networkInstance := network.NewNetworkInstance(network.DefaultConfig(), didStore, cryptoInstance, eventManager, storageInstance.GetProvider(network.ModuleName), pkiInstance)
-	vdrInstance := vdr.NewVDR(cryptoInstance, networkInstance, didStore, eventManager)
+	vdrInstance := vdr.NewVDR(cryptoInstance, networkInstance, didStore, eventManager, storageInstance)
 	credentialInstance := vcr.NewVCRInstance(cryptoInstance, vdrInstance, networkInstance, jsonld, eventManager, storageInstance, pkiInstance)
 	didmanInstance := didman.NewDidmanInstance(vdrInstance, credentialInstance, jsonld)
 	discoveryInstance := discovery.New(storageInstance, credentialInstance)
@@ -209,6 +209,7 @@ func CreateSystem(shutdownCallback context.CancelFunc) *core.System {
 		Updater:    vdrInstance,
 		Resolver:   vdrInstance.Resolver(),
 	}})
+	system.RegisterRoutes(&vdrAPIv2.Wrapper{VDR: vdrInstance})
 	system.RegisterRoutes(&vcrAPI.Wrapper{VCR: credentialInstance, ContextManager: jsonld})
 	system.RegisterRoutes(&openid4vciAPI.Wrapper{
 		VCR:           credentialInstance,

core/test.go

@@ -40,6 +40,7 @@ func TestServerConfig(template ServerConfig) ServerConfig {
 	config.Datadir = template.Datadir
 	config.Strictmode = template.Strictmode
 	config.InternalRateLimiter = template.InternalRateLimiter
+	config.URL = template.URL
 	return *config
 }
 

crypto/test.go

@@ -125,3 +125,25 @@ func (t TestKey) Public() crypto.PublicKey {
 func (t TestKey) Private() crypto.PrivateKey {
 	return t.PrivateKey
 }
+
+// TestPublicKey is a Key impl for testing purposes that only contains a public key. It can't be used for signing.
+type TestPublicKey struct {
+	Kid       string
+	PublicKey crypto.PublicKey
+}
+
+func (t TestPublicKey) Signer() crypto.Signer {
+	panic("test public key is not for signing")
+}
+
+func (t TestPublicKey) KID() string {
+	return t.Kid
+}
+
+func (t TestPublicKey) Public() crypto.PublicKey {
+	return t.PublicKey
+}
+
+func (t TestPublicKey) Private() crypto.PrivateKey {
+	panic("test public key is not for signing")
+}

e2e-tests/oauth-flow/rfc021/docker-compose.yml

@@ -24,7 +24,7 @@ services:
       - "../../tls-certs/nodeA-certificate.pem:/etc/nginx/ssl/key.pem:ro"
       - "../../tls-certs/truststore.pem:/etc/nginx/ssl/truststore.pem:ro"
       - "./node-A/html:/etc/nginx/html:ro"
-  nodeB:
+  nodeB-backend:
     image: "${IMAGE_NODE_B:-nutsfoundation/nuts-node:master}"
     ports:
       - "21323:1323"
@@ -38,3 +38,13 @@ services:
       - "../../tls-certs/truststore.pem:/etc/ssl/certs/truststore.pem:ro"
     healthcheck:
       interval: 1s # Make test run quicker by checking health status more often
+  nodeB:
+    image: nginx:1.25.1
+    ports:
+      - "20443:443"
+    volumes:
+      - "./node-B/nginx.conf:/etc/nginx/nginx.conf:ro"
+      - "../../tls-certs/nodeB-certificate.pem:/etc/nginx/ssl/server.pem:ro"
+      - "../../tls-certs/nodeB-certificate.pem:/etc/nginx/ssl/key.pem:ro"
+      - "../../tls-certs/truststore.pem:/etc/nginx/ssl/truststore.pem:ro"
+      - "./node-B/html:/etc/nginx/html:ro"

e2e-tests/oauth-flow/rfc021/node-B/html/ping

@@ -0,0 +1 @@
+pong

e2e-tests/oauth-flow/rfc021/node-B/nginx.conf

@@ -0,0 +1,47 @@
+user  nginx;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log debug;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    keepalive_timeout  65;
+
+    include /etc/nginx/conf.d/*.conf;
+
+    upstream nodeB-backend {
+      server nodeB-backend:1323;
+    }
+
+    server {
+      server_name nodeB;
+      listen                    443 ssl;
+      http2                     on;
+      ssl_certificate           /etc/nginx/ssl/server.pem;
+      ssl_certificate_key       /etc/nginx/ssl/key.pem;
+      ssl_client_certificate    /etc/nginx/ssl/truststore.pem;
+      ssl_verify_client         optional;
+      ssl_verify_depth          1;
+      ssl_protocols             TLSv1.3;
+
+      location / {
+        proxy_set_header X-Ssl-Client-Cert $ssl_client_escaped_cert;
+        proxy_pass http://nodeB-backend;
+      }
+    }
+}

e2e-tests/oauth-flow/rfc021/node-B/nuts.yaml

@@ -17,4 +17,3 @@ tls:
   truststorefile: /opt/nuts/truststore.pem
   certfile: /opt/nuts/certificate-and-key.pem
   certkeyfile: /opt/nuts/certificate-and-key.pem
-

e2e-tests/oauth-flow/rfc021/run-test.sh

@@ -19,31 +19,17 @@ echo "------------------------------------"
 echo "Registering vendors..."
 echo "------------------------------------"
 # Register Vendor A
-VENDOR_A_DIDDOC=$(docker compose exec nodeA-backend nuts vdr create-did)
+VENDOR_A_DIDDOC=$(docker compose exec nodeA-backend nuts vdr create-did --v2)
 VENDOR_A_DID=$(echo $VENDOR_A_DIDDOC | jq -r .id)
 echo Vendor A DID: $VENDOR_A_DID
-# Add assertionMethod
-VENDOR_A_KEYID=$(echo $VENDOR_A_DIDDOC | jq -r '.verificationMethod[0].id')
-VENDOR_A_DIDDOC=$(echo $VENDOR_A_DIDDOC | jq ". |= . + {assertionMethod: [\"${VENDOR_A_KEYID}\"]}")
-# Perform update
-echo $VENDOR_A_DIDDOC > ./node-A/data/updated-did.json
-DIDDOC_HASH=$(docker compose exec nodeA-backend nuts vdr resolve $VENDOR_A_DID --metadata | jq -r .hash)
-docker compose exec nodeA-backend nuts vdr update "${VENDOR_A_DID}" "${DIDDOC_HASH}" /opt/nuts/data/updated-did.json
 
 # Register Vendor B
-VENDOR_B_DIDDOC=$(docker compose exec nodeB nuts vdr create-did)
+VENDOR_B_DIDDOC=$(docker compose exec nodeB-backend nuts vdr create-did --v2)
 VENDOR_B_DID=$(echo $VENDOR_B_DIDDOC | jq -r .id)
 echo Vendor B DID: $VENDOR_B_DID
-# Add assertionMethod
-VENDOR_B_KEYID=$(echo $VENDOR_B_DIDDOC | jq -r '.verificationMethod[0].id')
-VENDOR_B_DIDDOC=$(echo $VENDOR_B_DIDDOC | jq ". |= . + {assertionMethod: [\"${VENDOR_B_KEYID}\"]}")
-# Perform update
-echo $VENDOR_B_DIDDOC > ./node-B/data/updated-did.json
-DIDDOC_HASH=$(docker compose exec nodeB nuts vdr resolve $VENDOR_B_DID --metadata | jq -r .hash)
-docker compose exec nodeB nuts vdr update "${VENDOR_B_DID}" "${DIDDOC_HASH}" /opt/nuts/data/updated-did.json
 
 # Issue NutsOrganizationCredential for Vendor B
-REQUEST="{\"type\":\"NutsOrganizationCredential\",\"issuer\":\"${VENDOR_B_DID}\", \"credentialSubject\": {\"id\":\"${VENDOR_B_DID}\", \"organization\":{\"name\":\"Caresoft B.V.\", \"city\":\"Caretown\"}},\"visibility\": \"public\"}"
+REQUEST="{\"type\":\"NutsOrganizationCredential\",\"issuer\":\"${VENDOR_B_DID}\", \"credentialSubject\": {\"id\":\"${VENDOR_B_DID}\", \"organization\":{\"name\":\"Caresoft B.V.\", \"city\":\"Caretown\"}},\"publishToNetwork\": false}"
 RESPONSE=$(echo $REQUEST | curl -X POST --data-binary @- http://localhost:21323/internal/vcr/v2/issuer/vc -H "Content-Type:application/json")
 if echo $RESPONSE | grep -q "VerifiableCredential"; then
   echo "VC issued"
@@ -53,14 +39,21 @@ else
   exitWithDockerLogs 1
 fi
 
+RESPONSE=$(echo $RESPONSE | curl -X POST --data-binary @- http://localhost:21323/internal/vcr/v2/holder/${VENDOR_B_DID}/vc -H "Content-Type:application/json")
+if echo $RESPONSE == ""; then
+  echo "VC stored in wallet"
+else
+  echo "FAILED: Could not load NutsOrganizationCredential in node-B wallet" 1>&2
+  echo $RESPONSE
+  exitWithDockerLogs 1
+fi
+
 echo "---------------------------------------"
 echo "Perform OAuth 2.0 rfc021 flow..."
 echo "---------------------------------------"
 # Request access token
 # Create DID for A with :nuts: replaced with :web:
-VENDOR_A_DID_WEB=$(echo $VENDOR_A_DID | sed 's/:nuts/:web:nodeA:iam/')
-VENDOR_B_DID_WEB=$(echo $VENDOR_B_DID | sed 's/:nuts/:web:nodeB:iam/')
-REQUEST="{\"verifier\":\"${VENDOR_A_DID_WEB}\",\"scope\":\"test\"}"
+REQUEST="{\"verifier\":\"${VENDOR_A_DID}\",\"scope\":\"test\"}"
 RESPONSE=$(echo $REQUEST | curl -X POST -s --data-binary @- http://localhost:21323/internal/auth/v2/$VENDOR_B_DID/request-access-token -H "Content-Type:application/json" -v)
 #if echo $RESPONSE | grep -q "access_token"; then
 #  echo $RESPONSE | sed -E 's/.*"access_token":"([^"]*).*/\1/' > ./node-B/data/accesstoken.txt