From b43608767ae844d0cc8d212df250771f806dc448 Mon Sep 17 00:00:00 2001 From: Rein Krul Date: Thu, 30 Nov 2023 13:44:15 +0100 Subject: [PATCH 1/7] Root URL server config property to replace auth.publicurl --- README.rst | 4 +- auth/auth.go | 9 ++-- auth/auth_test.go | 52 +----------------------- auth/cmd/cmd.go | 4 -- auth/cmd/cmd_test.go | 1 - auth/config.go | 1 - auth/test.go | 1 - core/server_config.go | 37 ++++++++++++++++- core/server_config_test.go | 43 ++++++++++++++++++++ docs/pages/deployment/cli-reference.rst | 4 +- docs/pages/deployment/configuration.rst | 2 +- docs/pages/deployment/server_options.rst | 2 +- main_test.go | 2 +- 13 files changed, 91 insertions(+), 71 deletions(-) diff --git a/README.rst b/README.rst index f6316b814b..31cfba7433 100644 --- a/README.rst +++ b/README.rst @@ -185,6 +185,7 @@ The following options can be configured on the server: internalratelimiter true When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. loggerformat text Log format (text, json) strictmode true When set, insecure settings are forbidden. + url Public facing URL of the server (required). Must be HTTPS when strictmode is set. Superseeds 'auth.publicurl', which is deprecated. verbosity info Log level (trace, debug, info, warn, error) tls.certfile PEM file containing the certificate for the server (also used as client certificate). tls.certheader Name of the HTTP header that will contain the client certificate when TLS is offloaded. 
@@ -195,7 +196,6 @@ The following options can be configured on the server: auth.accesstokenlifespan 60 defines how long (in seconds) an access token is valid. Uses default in strict mode. auth.clockskew 5000 allowed JWT Clock skew in milliseconds auth.contractvalidators [irma,uzi,dummy,employeeid] sets the different contract validators to use - auth.publicurl public URL which can be reached by a users IRMA client, this should include the scheme and domain: https://example.com. Additional paths should only be added if some sort of url-rewriting is done in a reverse-proxy. auth.http.timeout 30 HTTP timeout (in seconds) used by the Auth API HTTP client auth.irma.autoupdateschemas true set if you want automatically update the IRMA schemas every 60 minutes. auth.irma.schememanager pbdf IRMA schemeManager to use for attributes. Can be either 'pbdf' or 'irma-demo'. @@ -288,7 +288,7 @@ See :ref:`getting started ` on how to set this up correctly. The incorporated `IRMA server `_ is automatically changed to production mode. In fact, running in strict mode is the only way to enable IRMA's production mode. -In addition, it requires ``auth.irma.schememanager=pbdf`` and the ``auth.publicurl`` where the IRMA client can reach the server must be set. +In addition, it requires ``auth.irma.schememanager=pbdf`` and the ``url`` where the IRMA client can reach the server must be set. As a general safety precaution ``auth.contractvalidators`` ignores the ``dummy`` option if configured, requesting an access token from another node on ``/n2n/auth/v1/accesstoken`` does not return any error details, diff --git a/auth/auth.go b/auth/auth.go index f77a801d31..c7dbeefd8d 100644 --- a/auth/auth.go +++ b/auth/auth.go 
@@ -124,17 +124,14 @@ func (auth *Auth) Configure(config core.ServerConfig) error { return errors.New("in strictmode the only valid irma-scheme-manager is 'pbdf'") } - if auth.config.PublicURL == "" { - return errors.New("invalid auth.publicurl: must provide url") - } var err error - auth.publicURL, err = core.ParsePublicURL(auth.config.PublicURL, config.Strictmode) + auth.publicURL, err = config.ServerURL() if err != nil { - return fmt.Errorf("invalid auth.publicurl: %w", err) + return err } auth.contractNotary = notary.NewNotary(notary.Config{ - PublicURL: auth.config.PublicURL, + PublicURL: auth.publicURL.String(), IrmaConfigPath: path.Join(config.Datadir, "irma"), IrmaSchemeManager: auth.config.Irma.SchemeManager, AutoUpdateIrmaSchemas: auth.config.Irma.AutoUpdateSchemas, diff --git a/auth/auth_test.go b/auth/auth_test.go index 21f1d9a9ae..ddc777f4a5 100644 --- a/auth/auth_test.go +++ b/auth/auth_test.go @@ -33,6 +33,7 @@ import ( func TestAuth_Configure(t *testing.T) { tlsServerConfig := *core.NewServerConfig() + tlsServerConfig.URL = "https://nuts.nl" tlsServerConfig.LegacyTLS.TrustStoreFile = "test/certs/ca.pem" tlsServerConfig.LegacyTLS.CertKeyFile = "test/certs/example.com.key" tlsServerConfig.LegacyTLS.CertFile = "test/certs/example.com.pem" @@ -40,7 +41,6 @@ func TestAuth_Configure(t *testing.T) { t.Run("ok", func(t *testing.T) { config := DefaultConfig() config.ContractValidators = []string{"uzi"} - config.PublicURL = "https://nuts.nl" ctrl := gomock.NewController(t) pkiMock := pki.NewMockProvider(ctrl) pkiMock.EXPECT().AddTruststore(gomock.Any()) // uzi 
@@ -53,28 +53,6 @@ func TestAuth_Configure(t *testing.T) { require.NoError(t, i.Configure(tlsServerConfig)) }) - t.Run("publicUrl", func(t *testing.T) { - t.Run("error - missing", func(t *testing.T) { - authCfg := TestConfig() - authCfg.PublicURL = "" - authCfg.Irma.SchemeManager = "pbdf" - i := testInstance(t, authCfg) - cfg := core.NewServerConfig() - cfg.Strictmode = true - cfg.TLS.CertFile = "certificate.pem" - assert.EqualError(t, i.Configure(*cfg), "invalid auth.publicurl: must provide url") - }) - t.Run("error - invalid URL (must be hostname, not IP)", func(t *testing.T) { - authCfg := TestConfig() - authCfg.Irma.SchemeManager = "pbdf" - authCfg.PublicURL = "https://127.0.0.1" - i := testInstance(t, authCfg) - cfg := core.NewServerConfig() - cfg.Strictmode = true - assert.EqualError(t, i.Configure(*cfg), "invalid auth.publicurl: hostname is IP") - }) - }) - t.Run("error - IRMA config failure", func(t *testing.T) { authCfg := TestConfig() authCfg.Irma.SchemeManager = "non-existing" @@ -106,6 +84,7 @@ func TestAuth_Configure(t *testing.T) { i := testInstance(t, authCfg) serverConfig := core.NewServerConfig() serverConfig.Strictmode = true + serverConfig.URL = "https://nuts.nl" err := i.Configure(*serverConfig) assert.EqualError(t, err, "in strictmode TLS must be enabled") }) 
@@ -118,33 +97,6 @@ func TestAuth_Configure(t *testing.T) { err := i.Configure(tlsServerConfig) assert.ErrorIs(t, err, assert.AnError) }) - t.Run("public url", func(t *testing.T) { - type test struct { - strict bool - pURL string - errStr string - } - tt := []test{ - {true, "", "invalid auth.publicurl: must provide url"}, - {true, ":invalid", "invalid auth.publicurl: parse \":invalid\": missing protocol scheme"}, - {true, "https://127.0.0.1", "invalid auth.publicurl: hostname is IP"}, - {true, "https://example.com", "invalid auth.publicurl: hostname is RFC2606 reserved"}, - {true, "https://localhost", "invalid auth.publicurl: hostname is RFC2606 reserved"}, - {true, "http://nuts.nl", "invalid auth.publicurl: scheme must be https"}, - - {false, "", "invalid auth.publicurl: must provide url"}, - {false, ":invalid", "invalid auth.publicurl: parse \":invalid\": missing protocol scheme"}, - {false, "something://nuts.nl", "invalid auth.publicurl: scheme must be http or https"}, - } - authCfg := TestConfig() - cfg := core.NewServerConfig() - for _, test := range tt { - authCfg.PublicURL = test.pURL - i := testInstance(t, authCfg) - cfg.Strictmode = test.strict - assert.EqualError(t, i.Configure(*cfg), test.errStr, "test config: url=%s; strict=%s", test.pURL, test.strict) - } - }) } func TestAuth_Name(t *testing.T) { diff --git a/auth/cmd/cmd.go b/auth/cmd/cmd.go index 13a1680b73..d9c8f8cdd3 100644 --- a/auth/cmd/cmd.go +++ b/auth/cmd/cmd.go @@ -23,9 +23,6 @@ import ( "github.com/spf13/pflag" ) -// ConfPublicURL is the config key for the public URL the http/irma server can be discovered -const ConfPublicURL = "auth.publicurl" - // ConfClockSkew is the config key for allowed JWT clockskew (deviance of iat, exp) in milliseconds const ConfClockSkew = "auth.clockskew" 
@@ -55,7 +52,6 @@ func FlagSet() *pflag.FlagSet { defs := auth.DefaultConfig() flags.String(ConfIrmaSchemeManager, defs.Irma.SchemeManager, "IRMA schemeManager to use for attributes. Can be either 'pbdf' or 'irma-demo'.") - flags.String(ConfPublicURL, defs.PublicURL, "public URL which can be reached by a users IRMA client, this should include the scheme and domain: https://example.com. Additional paths should only be added if some sort of url-rewriting is done in a reverse-proxy.") flags.Bool(ConfAutoUpdateIrmaSchemas, defs.Irma.AutoUpdateSchemas, "set if you want automatically update the IRMA schemas every 60 minutes.") flags.Int(ConfHTTPTimeout, defs.HTTPTimeout, "HTTP timeout (in seconds) used by the Auth API HTTP client") flags.Int(ConfClockSkew, defs.ClockSkew, "allowed JWT Clock skew in milliseconds") diff --git a/auth/cmd/cmd_test.go b/auth/cmd/cmd_test.go index 70b246442c..6df25bb351 100644 --- a/auth/cmd/cmd_test.go +++ b/auth/cmd/cmd_test.go @@ -49,7 +49,6 @@ func TestFlagSet(t *testing.T) { ConfAutoUpdateIrmaSchemas, ConfIrmaSchemeManager, ConfPresentationExchangeMappingFile, - ConfPublicURL, ConfV2APIEnabled, }, keys) } diff --git a/auth/config.go b/auth/config.go index 1b1bf1acd8..3f64eba2da 100644 --- a/auth/config.go +++ b/auth/config.go @@ -29,7 +29,6 @@ import ( type Config struct { Irma IrmaConfig `koanf:"irma"` HTTPTimeout int `koanf:"http.timeout"` - PublicURL string `koanf:"publicurl"` ClockSkew int `koanf:"clockskew"` ContractValidators []string `koanf:"contractvalidators"` AccessTokenLifeSpan int `koanf:"accesstokenlifespan"` diff --git a/auth/test.go b/auth/test.go index bfe96fb526..76c1f8afe1 100644 --- a/auth/test.go +++ b/auth/test.go @@ -31,7 +31,6 @@ import ( func TestConfig() Config { config := DefaultConfig() config.ContractValidators = []string{"dummy"} - config.PublicURL = "https://nuts.nl" return config } diff --git a/core/server_config.go b/core/server_config.go index 80a45fe7f9..ec379c1ec6 100644 --- a/core/server_config.go 
+++ b/core/server_config.go
@@ -23,12 +23,14 @@ import (
 "bytes"
 "crypto/tls"
 "crypto/x509"
+ "errors"
 "fmt"
 "github.com/knadh/koanf"
 "github.com/knadh/koanf/providers/env"
 "github.com/knadh/koanf/providers/posflag"
 "github.com/sirupsen/logrus"
 "github.com/spf13/pflag"
+ "net/url"
 "reflect"
 "strings"
 )
@@ -58,7 +60,10 @@ type ServerConfig struct {
 Datadir string `koanf:"datadir"`
 TLS TLSConfig `koanf:"tls"`
 LegacyTLS *NetworkTLSConfig `koanf:"network"`
- configMap *koanf.Koanf
+ LegacyAuth LegacyAuthConfig `koanf:"auth"`
+ // URL contains the base URL for public-facing HTTP services.
+ URL string `koanf:"url"`
+ configMap *koanf.Koanf
 }
 // TLSConfig specifies how TLS should be configured for connections.
@@ -229,6 +234,12 @@ func (ngc *ServerConfig) Load(flags *pflag.FlagSet) (err error) {
 return nil
 }
+// LegacyAuthConfig is here since we're moving auth.publicurl to the "url" root property.
+// This way we can validate the property at the correct (future) place.
+type LegacyAuthConfig struct {
+ PublicURL string `koanf:"publicurl"`
+}
+
 // resolveConfigFilePath resolves the path of the config file using the following sources:
 // 1. commandline params (using the given flags)
 // 2. environment vars,
@@ -261,6 +272,7 @@ func FlagSet() *pflag.FlagSet { flagSet.Bool("strictmode", true, "When set, insecure settings are forbidden.") flagSet.Bool("internalratelimiter", true, "When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode.") flagSet.String("datadir", "./data", "Directory where the node stores its files.") + flagSet.String("url", "", "Public facing URL of the server (required). Must be HTTPS when strictmode is set. Superseeds 'auth.publicurl', which is deprecated.") flagSet.String("tls.certfile", "", "PEM file containing the certificate for the server (also used as client certificate).") flagSet.String("tls.certkeyfile", "", "PEM file containing the private key of the server certificate.") flagSet.String("tls.truststorefile", "truststore.pem", "PEM file containing the trusted CA certificates for authenticating remote servers.") 
@@ -278,12 +290,14 @@ func FlagSet() *pflag.FlagSet { "Required when 'network.enabletls' is 'true'.") flagSet.String("network.truststorefile", "", "Deprecated: use 'tls.truststorefile'. PEM file containing the trusted CA certificates for authenticating remote gRPC servers.") flagSet.Int("network.maxcrlvaliditydays", 0, "Deprecated: use 'tls.crl.maxvaliditydays'. The number of days a CRL can be outdated, after that it will hard-fail.") + flagSet.String("auth.publicurl", "", "Public URL which can be reached by a users IRMA client, this should include the scheme and domain: https://example.com. Additional paths should only be added if some sort of url-rewriting is done in a reverse-proxy.") flagSet.MarkDeprecated("tls.crl.maxvaliditydays", "CRLs can no longer be accepted after the time in NextUpdate has past") flagSet.MarkDeprecated("network.certfile", "use 'tls.certfile' instead") flagSet.MarkDeprecated("network.certkeyfile", "use 'tls.certkeyfile' instead") flagSet.MarkDeprecated("network.truststorefile", "use 'tls.truststorefile' instead") flagSet.MarkDeprecated("network.maxcrlvaliditydays", "use 'tls.crl.maxvaliditydays' instead") + flagSet.MarkDeprecated("auth.publicurl", "use 'url' instead") return flagSet } 
@@ -315,6 +329,27 @@ func (ngc *ServerConfig) InjectIntoEngine(e Injectable) error {
 return unmarshalRecursive([]string{strings.ToLower(e.Name())}, e.Config(), ngc.configMap)
 }
+// ServerURL returns the parsed URL of the server
+func (ngc *ServerConfig) ServerURL() (*url.URL, error) {
+ // Validate server URL
+ if ngc.LegacyAuth.PublicURL != "" {
+ coreLogger.Warn("Deprecated: use 'url' instead of 'auth.publicurl', which will be removed in the removed")
+ }
+ serverURL := ngc.LegacyAuth.PublicURL
+ if ngc.URL != "" {
+ // give precedence over new property
+ serverURL = ngc.URL
+ }
+ if serverURL == "" {
+ return nil, errors.New("'url' must be configured")
+ }
+ result, err := ParsePublicURL(serverURL, ngc.Strictmode)
+ if err != nil {
+ return nil, fmt.Errorf("invalid 'url': %w", err)
+ }
+ return result, nil
+}
+
 func elemType(ty reflect.Type) (reflect.Type, bool) {
 isPtr := ty.Kind() == reflect.Ptr
diff --git a/core/server_config_test.go b/core/server_config_test.go
index 67430aa380..25eaaf3bb7 100644
--- a/core/server_config_test.go
+++ b/core/server_config_test.go
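Review bot: The deprecation warning added in `ServerURL` reads `which will be removed in the removed`, which looks like an editing slip; `which will be removed in a future release` is presumably what was meant. The comment `// give precedence over new property` is also easy to misread, because the code gives the new `url` value precedence over the legacy one — `// the new 'url' property takes precedence over auth.publicurl` says it directly. Note that the warning fires on every call to `ServerURL()`, so if more than one engine calls it per process the log line repeats; emitting it once during `Load` would avoid that, though the call sites are not all visible here.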
@@ -294,3 +294,46 @@ func TestTLSConfig_LoadTrustStore(t *testing.T) { assert.EqualError(t, err, "unable to read trust store (file=test/non-existent.pem): open test/non-existent.pem: no such file or directory") }) } + +func TestServerConfig_ServerURL(t *testing.T) { + t.Run("url", func(t *testing.T) { + cfg := ServerConfig{LegacyAuth: LegacyAuthConfig{PublicURL: "https://example.com"}} + actual, err := cfg.ServerURL() + assert.NoError(t, err) + assert.Equal(t, "https://example.com", actual.String()) + }) + t.Run("deprecated auth.publicurl", func(t *testing.T) { + cfg := ServerConfig{URL: "https://example.com"} + actual, err := cfg.ServerURL() + assert.NoError(t, err) + assert.Equal(t, "https://example.com", actual.String()) + }) + t.Run("precedence to url", func(t *testing.T) { + cfg := ServerConfig{URL: "https://nuts.nl", LegacyAuth: LegacyAuthConfig{PublicURL: "https://example.com"}} + actual, err := cfg.ServerURL() + assert.NoError(t, err) + assert.Equal(t, "https://nuts.nl", actual.String()) + }) + t.Run("public URL can be http when not in strict mode", func(t *testing.T) { + cfg := ServerConfig{URL: "http://nuts.nl"} + actual, err := cfg.ServerURL() + assert.NoError(t, err) + assert.Equal(t, "http://nuts.nl", actual.String()) + }) + t.Run("url is required", func(t *testing.T) { + cfg := ServerConfig{} + _, err := cfg.ServerURL() + assert.EqualError(t, err, "'url' must be configured") + }) + t.Run("url is invalid", func(t *testing.T) { + cfg := ServerConfig{URL: "nuts.nl"} + _, err := cfg.ServerURL() + assert.EqualError(t, err, "invalid 'url': url must contain scheme and host") + }) + t.Run("deprecated auth.publicurl is still supported", func(t *testing.T) { + cfg := ServerConfig{LegacyAuth: LegacyAuthConfig{PublicURL: "https://example.com"}} + actual, err := cfg.ServerURL() + assert.NoError(t, err) + assert.Equal(t, "https://example.com", actual.String()) + }) +} 
diff --git a/docs/pages/deployment/cli-reference.rst b/docs/pages/deployment/cli-reference.rst index 0bf3c272ea..7a9f0eb510 100755 --- a/docs/pages/deployment/cli-reference.rst +++ b/docs/pages/deployment/cli-reference.rst @@ -19,7 +19,6 @@ The following options apply to the server commands below: --auth.http.timeout int HTTP timeout (in seconds) used by the Auth API HTTP client (default 30) --auth.irma.autoupdateschemas set if you want automatically update the IRMA schemas every 60 minutes. (default true) --auth.irma.schememanager string IRMA schemeManager to use for attributes. Can be either 'pbdf' or 'irma-demo'. (default "pbdf") - --auth.publicurl string public URL which can be reached by a users IRMA client, this should include the scheme and domain: https://example.com. Additional paths should only be added if some sort of url-rewriting is done in a reverse-proxy. --configfile string Nuts config file (default "nuts.yaml") --cpuprofile string When set, a CPU profile is written to the given path. Ignored when strictmode is set. --crypto.external.address string Address of the external storage service. 
@@ -44,7 +43,7 @@ The following options apply to the server commands below: --http.default.log string What to log about HTTP requests. Options are 'nothing', 'metadata' (log request method, URI, IP and response code), and 'metadata-and-body' (log the request and response body, in addition to the metadata). (default "metadata") --http.default.tls string Whether to enable TLS for the default interface, options are 'disabled', 'server', 'server-client'. Leaving it empty is synonymous to 'disabled', --internalratelimiter When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. (default true) - --jsonld.contexts.localmapping stringToString This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. (default [https://schema.org=assets/contexts/schema-org-v13.ldjson,https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson]) + --jsonld.contexts.localmapping stringToString This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. (default [https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson]) --jsonld.contexts.remoteallowlist strings In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. 
(default [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json]) --loggerformat string Log format (text, json) (default "text") --network.bootstrapnodes strings List of bootstrap nodes (':') which the node initially connect to. @@ -77,6 +76,7 @@ The following options apply to the server commands below: --tls.certkeyfile string PEM file containing the private key of the server certificate. --tls.offload string Whether to enable TLS offloading for incoming connections. Enable by setting it to 'incoming'. If enabled 'tls.certheader' must be configured as well. --tls.truststorefile string PEM file containing the trusted CA certificates for authenticating remote servers. (default "truststore.pem") + --url string Public facing URL of the server (required). Must be HTTPS when strictmode is set. Superseeds 'auth.publicurl', which is deprecated. --vcr.openid4vci.definitionsdir string Directory with the additional credential definitions the node could issue (experimental, may change without notice). --vcr.openid4vci.enabled Enable issuing and receiving credentials over OpenID4VCI. (default true) --vcr.openid4vci.timeout duration Time-out for OpenID4VCI HTTP client operations. (default 30s) diff --git a/docs/pages/deployment/configuration.rst b/docs/pages/deployment/configuration.rst index 98aba45603..c0dc7cea9c 100644 --- a/docs/pages/deployment/configuration.rst +++ b/docs/pages/deployment/configuration.rst 
@@ -79,7 +79,7 @@ See :ref:`getting started ` on how to set this up correctly. The incorporated `IRMA server `_ is automatically changed to production mode. In fact, running in strict mode is the only way to enable IRMA's production mode. -In addition, it requires ``auth.irma.schememanager=pbdf`` and the ``auth.publicurl`` where the IRMA client can reach the server must be set. +In addition, it requires ``auth.irma.schememanager=pbdf`` and the ``url`` where the IRMA client can reach the server must be set. As a general safety precaution ``auth.contractvalidators`` ignores the ``dummy`` option if configured, requesting an access token from another node on ``/n2n/auth/v1/accesstoken`` does not return any error details, diff --git a/docs/pages/deployment/server_options.rst b/docs/pages/deployment/server_options.rst index 03b274bb46..01566d2722 100755 --- a/docs/pages/deployment/server_options.rst +++ b/docs/pages/deployment/server_options.rst @@ -11,6 +11,7 @@ internalratelimiter true When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. loggerformat text Log format (text, json) strictmode true When set, insecure settings are forbidden. + url Public facing URL of the server (required). Must be HTTPS when strictmode is set. Superseeds 'auth.publicurl', which is deprecated. verbosity info Log level (trace, debug, info, warn, error) tls.certfile PEM file containing the certificate for the server (also used as client certificate). tls.certheader Name of the HTTP header that will contain the client certificate when TLS is offloaded. 
@@ -21,7 +22,6 @@ auth.accesstokenlifespan 60 defines how long (in seconds) an access token is valid. Uses default in strict mode. auth.clockskew 5000 allowed JWT Clock skew in milliseconds auth.contractvalidators [irma,uzi,dummy,employeeid] sets the different contract validators to use - auth.publicurl public URL which can be reached by a users IRMA client, this should include the scheme and domain: https://example.com. Additional paths should only be added if some sort of url-rewriting is done in a reverse-proxy. auth.http.timeout 30 HTTP timeout (in seconds) used by the Auth API HTTP client auth.irma.autoupdateschemas true set if you want automatically update the IRMA schemas every 60 minutes. auth.irma.schememanager pbdf IRMA schemeManager to use for attributes. Can be either 'pbdf' or 'irma-demo'. diff --git a/main_test.go b/main_test.go index 3a15984e56..3621bbd280 100644 --- a/main_test.go +++ b/main_test.go @@ -206,6 +206,7 @@ func getIntegrationTestConfig(t *testing.T, testDirectory string) (core.ServerCo } config := *system.Config + config.URL = "https://nuts.nl" config.LegacyTLS.Enabled = true config.TLS.CertFile = pki.CertificateFile(t) config.TLS.CertKeyFile = config.TLS.CertFile @@ -218,7 +219,6 @@ func getIntegrationTestConfig(t *testing.T, testDirectory string) (core.ServerCo authConfig := auth.DefaultConfig() authConfig.ContractValidators = []string{"dummy"} // disables IRMA - authConfig.PublicURL = "https://nuts.nl" cryptoConfig := crypto.Config{Storage: "fs"} From 92c712bec04cfc2c7581d0c647bc96cef63e94d5 Mon Sep 17 00:00:00 2001 From: Wout Slakhorst Date: Fri, 1 Dec 2023 09:57:16 +0100 Subject: [PATCH 2/7] Update docs/pages/deployment/configuration.rst Co-authored-by: Gerard Snaauw <33763579+gerardsn@users.noreply.github.com> --- docs/pages/deployment/configuration.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/pages/deployment/configuration.rst b/docs/pages/deployment/configuration.rst index c0dc7cea9c..54bfc32897 100644 --- a/docs/pages/deployment/configuration.rst +++ b/docs/pages/deployment/configuration.rst @@ -79,7 +79,7 @@ See :ref:`getting started ` on how to set this up correctly. The incorporated `IRMA server `_ is automatically changed to production mode. In fact, running in strict mode is the only way to enable IRMA's production mode. -In addition, it requires ``auth.irma.schememanager=pbdf`` and the ``url`` where the IRMA client can reach the server must be set. +In addition, it requires ``auth.irma.schememanager=pbdf``. As a general safety precaution ``auth.contractvalidators`` ignores the ``dummy`` option if configured, requesting an access token from another node on ``/n2n/auth/v1/accesstoken`` does not return any error details, From 9a5f5feb892f4fd9bbc3d926a7e39102880ff26d Mon Sep 17 00:00:00 2001 From: Wout Slakhorst Date: Fri, 1 Dec 2023 10:04:52 +0100 Subject: [PATCH 3/7] PR feedback --- README.rst | 6 +++--- core/server_config.go | 23 +++-------------------- core/server_config_test.go | 18 ------------------ docs/pages/deployment/cli-reference.rst | 2 +- docs/pages/deployment/server_options.rst | 4 ++-- 5 files changed, 9 insertions(+), 44 deletions(-) diff --git a/README.rst b/README.rst index 31cfba7433..ef8eed2624 100644 --- a/README.rst +++ b/README.rst 
@@ -185,7 +185,7 @@ The following options can be configured on the server: internalratelimiter true When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. loggerformat text Log format (text, json) strictmode true When set, insecure settings are forbidden. - url Public facing URL of the server (required). Must be HTTPS when strictmode is set. Superseeds 'auth.publicurl', which is deprecated. + url Public facing URL of the server (required). Must be HTTPS when strictmode is set. verbosity info Log level (trace, debug, info, warn, error) tls.certfile PEM file containing the certificate for the server (also used as client certificate). tls.certheader Name of the HTTP header that will contain the client certificate when TLS is offloaded. 
@@ -224,7 +224,7 @@ The following options can be configured on the server: http.default.auth.type Whether to enable authentication for the default interface, specify 'token_v2' for bearer token mode or 'token' for legacy bearer token mode. http.default.cors.origin [] When set, enables CORS from the specified origins on the default HTTP interface. **JSONLD** - jsonld.contexts.localmapping [https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson,https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. + jsonld.contexts.localmapping [https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. jsonld.contexts.remoteallowlist [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json] In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. **Network** network.bootstrapnodes [] List of bootstrap nodes (':') which the node initially connect to. 
@@ -288,7 +288,7 @@ See :ref:`getting started ` on how to set this up correctly. The incorporated `IRMA server `_ is automatically changed to production mode. In fact, running in strict mode is the only way to enable IRMA's production mode. -In addition, it requires ``auth.irma.schememanager=pbdf`` and the ``url`` where the IRMA client can reach the server must be set. +In addition, it requires ``auth.irma.schememanager=pbdf``. As a general safety precaution ``auth.contractvalidators`` ignores the ``dummy`` option if configured, requesting an access token from another node on ``/n2n/auth/v1/accesstoken`` does not return any error details, diff --git a/core/server_config.go b/core/server_config.go index ec379c1ec6..ed6b59ccd9 100644 --- a/core/server_config.go +++ b/core/server_config.go @@ -60,7 +60,6 @@ type ServerConfig struct { Datadir string `koanf:"datadir"` TLS TLSConfig `koanf:"tls"` LegacyTLS *NetworkTLSConfig `koanf:"network"` - LegacyAuth LegacyAuthConfig `koanf:"auth"` // URL contains the base URL for public-facing HTTP services. URL string `koanf:"url"` configMap *koanf.Koanf @@ -234,12 +233,6 @@ func (ngc *ServerConfig) Load(flags *pflag.FlagSet) (err error) { return nil } -// LegacyAuthConfig is here since we're moving auth.publicurl to the "url" root property. -// This way we can validate the property at the correct (future) place. -type LegacyAuthConfig struct { - PublicURL string `koanf:"publicurl"` -} - // resolveConfigFilePath resolves the path of the config file using the following sources: // 1. commandline params (using the given flags) // 2. environment vars, 
@@ -272,7 +265,7 @@ func FlagSet() *pflag.FlagSet { flagSet.Bool("strictmode", true, "When set, insecure settings are forbidden.") flagSet.Bool("internalratelimiter", true, "When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode.") flagSet.String("datadir", "./data", "Directory where the node stores its files.") - flagSet.String("url", "", "Public facing URL of the server (required). Must be HTTPS when strictmode is set. Superseeds 'auth.publicurl', which is deprecated.") + flagSet.String("url", "", "Public facing URL of the server (required). Must be HTTPS when strictmode is set.") flagSet.String("tls.certfile", "", "PEM file containing the certificate for the server (also used as client certificate).") flagSet.String("tls.certkeyfile", "", "PEM file containing the private key of the server certificate.") flagSet.String("tls.truststorefile", "truststore.pem", "PEM file containing the trusted CA certificates for authenticating remote servers.") 
@@ -290,14 +283,12 @@ func FlagSet() *pflag.FlagSet { "Required when 'network.enabletls' is 'true'.") flagSet.String("network.truststorefile", "", "Deprecated: use 'tls.truststorefile'. PEM file containing the trusted CA certificates for authenticating remote gRPC servers.") flagSet.Int("network.maxcrlvaliditydays", 0, "Deprecated: use 'tls.crl.maxvaliditydays'. The number of days a CRL can be outdated, after that it will hard-fail.") - flagSet.String("auth.publicurl", "", "Public URL which can be reached by a users IRMA client, this should include the scheme and domain: https://example.com. Additional paths should only be added if some sort of url-rewriting is done in a reverse-proxy.") flagSet.MarkDeprecated("tls.crl.maxvaliditydays", "CRLs can no longer be accepted after the time in NextUpdate has past") flagSet.MarkDeprecated("network.certfile", "use 'tls.certfile' instead") flagSet.MarkDeprecated("network.certkeyfile", "use 'tls.certkeyfile' instead") flagSet.MarkDeprecated("network.truststorefile", "use 'tls.truststorefile' instead") flagSet.MarkDeprecated("network.maxcrlvaliditydays", "use 'tls.crl.maxvaliditydays' instead") - flagSet.MarkDeprecated("auth.publicurl", "use 'url' instead") return flagSet } 
@@ -332,18 +323,10 @@ func (ngc *ServerConfig) InjectIntoEngine(e Injectable) error {
 // ServerURL returns the parsed URL of the server
 func (ngc *ServerConfig) ServerURL() (*url.URL, error) {
 // Validate server URL
- if ngc.LegacyAuth.PublicURL != "" {
- coreLogger.Warn("Deprecated: use 'url' instead of 'auth.publicurl', which will be removed in the removed")
- }
- serverURL := ngc.LegacyAuth.PublicURL
- if ngc.URL != "" {
- // give precedence over new property
- serverURL = ngc.URL
- }
- if serverURL == "" {
+ if ngc.URL == "" {
 return nil, errors.New("'url' must be configured")
 }
- result, err := ParsePublicURL(serverURL, ngc.Strictmode)
+ result, err := ParsePublicURL(ngc.URL, ngc.Strictmode)
 if err != nil {
 return nil, fmt.Errorf("invalid 'url': %w", err)
 }
diff --git a/core/server_config_test.go b/core/server_config_test.go
index 25eaaf3bb7..aa6c311965 100644
--- a/core/server_config_test.go
+++ b/core/server_config_test.go
@@ -297,23 +297,11 @@ func TestTLSConfig_LoadTrustStore(t *testing.T) {
 func TestServerConfig_ServerURL(t *testing.T) {
 t.Run("url", func(t *testing.T) {
- cfg := ServerConfig{LegacyAuth: LegacyAuthConfig{PublicURL: "https://example.com"}}
- actual, err := cfg.ServerURL()
- assert.NoError(t, err)
- assert.Equal(t, "https://example.com", actual.String())
- })
- t.Run("deprecated auth.publicurl", func(t *testing.T) {
 cfg := ServerConfig{URL: "https://example.com"}
 actual, err := cfg.ServerURL()
 assert.NoError(t, err)
 assert.Equal(t, "https://example.com", actual.String())
 })
- t.Run("precedence to url", func(t *testing.T) {
- cfg := ServerConfig{URL: "https://nuts.nl", LegacyAuth: LegacyAuthConfig{PublicURL: "https://example.com"}}
- actual, err := cfg.ServerURL()
- assert.NoError(t, err)
- assert.Equal(t, "https://nuts.nl", actual.String())
- })
 t.Run("public URL can be http when not in strict mode", func(t *testing.T) {
 cfg := ServerConfig{URL: "http://nuts.nl"}
 actual, err := cfg.ServerURL()
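Review bot: The only caller of `ServerURL()` visible in this series is `auth.Configure` (patch 1, auth/auth.go), so the `url` option that the flag help calls required is, as far as these hunks show, validated only when the auth engine is configured, and the strict-mode HTTPS check performed by `ParsePublicURL(ngc.URL, ngc.Strictmode)` depends on that call path rather than on `ServerConfig.Load`. If startup validation is intended elsewhere it is not in this patch; otherwise the doc comment should state the contract, e.g. `// ServerURL returns the parsed and validated 'url' property. Validation (including the strict-mode HTTPS requirement) happens only when this method is called, so engines relying on it must call it during Configure.` Since this commit also removes the `auth.publicurl` flag and the legacy field, an operator who still sets only the old key now hits `'url' must be configured`; changing that to `errors.New("'url' must be configured (it replaces the removed 'auth.publicurl')")` makes the migration failure self-explanatory. The body of `ServerURL` continues past the end of the hunk.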
@@ -330,10 +318,4 @@ func TestServerConfig_ServerURL(t *testing.T) { _, err := cfg.ServerURL() assert.EqualError(t, err, "invalid 'url': url must contain scheme and host") }) - t.Run("deprecated auth.publicurl is still supported", func(t *testing.T) { - cfg := ServerConfig{LegacyAuth: LegacyAuthConfig{PublicURL: "https://example.com"}} - actual, err := cfg.ServerURL() - assert.NoError(t, err) - assert.Equal(t, "https://example.com", actual.String()) - }) } diff --git a/docs/pages/deployment/cli-reference.rst b/docs/pages/deployment/cli-reference.rst index 7a9f0eb510..b7e87f9e32 100755 --- a/docs/pages/deployment/cli-reference.rst +++ b/docs/pages/deployment/cli-reference.rst @@ -76,7 +76,7 @@ The following options apply to the server commands below: --tls.certkeyfile string PEM file containing the private key of the server certificate. --tls.offload string Whether to enable TLS offloading for incoming connections. Enable by setting it to 'incoming'. If enabled 'tls.certheader' must be configured as well. --tls.truststorefile string PEM file containing the trusted CA certificates for authenticating remote servers. (default "truststore.pem") - --url string Public facing URL of the server (required). Must be HTTPS when strictmode is set. Superseeds 'auth.publicurl', which is deprecated. + --url string Public facing URL of the server (required). Must be HTTPS when strictmode is set. --vcr.openid4vci.definitionsdir string Directory with the additional credential definitions the node could issue (experimental, may change without notice). --vcr.openid4vci.enabled Enable issuing and receiving credentials over OpenID4VCI. (default true) --vcr.openid4vci.timeout duration Time-out for OpenID4VCI HTTP client operations. (default 30s) diff --git a/docs/pages/deployment/server_options.rst b/docs/pages/deployment/server_options.rst index 01566d2722..8b1816dc32 100755 --- a/docs/pages/deployment/server_options.rst +++ b/docs/pages/deployment/server_options.rst 
@@ -11,7 +11,7 @@ internalratelimiter true When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. loggerformat text Log format (text, json) strictmode true When set, insecure settings are forbidden. - url Public facing URL of the server (required). Must be HTTPS when strictmode is set. Superseeds 'auth.publicurl', which is deprecated. + url Public facing URL of the server (required). Must be HTTPS when strictmode is set. verbosity info Log level (trace, debug, info, warn, error) tls.certfile PEM file containing the certificate for the server (also used as client certificate). tls.certheader Name of the HTTP header that will contain the client certificate when TLS is offloaded. 
@@ -50,7 +50,7 @@ http.default.auth.type Whether to enable authentication for the default interface, specify 'token_v2' for bearer token mode or 'token' for legacy bearer token mode. http.default.cors.origin [] When set, enables CORS from the specified origins on the default HTTP interface. **JSONLD** - jsonld.contexts.localmapping [https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson,https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. + jsonld.contexts.localmapping [https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. jsonld.contexts.remoteallowlist [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json] In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. **Network** network.bootstrapnodes [] List of bootstrap nodes (':') which the node initially connect to. From dbb0a98a6de2daacfaebaca4a006cf6d9f86699d Mon Sep 17 00:00:00 2001 
From: Wout Slakhorst Date: Fri, 1 Dec 2023 10:09:12 +0100 Subject: [PATCH 4/7] PR feedback --- README.rst | 2 +- docs/pages/deployment/cli-reference.rst | 2 +- docs/pages/deployment/server_options.rst | 166 ++++++++++++----------- 3 files changed, 87 insertions(+), 83 deletions(-) diff --git a/README.rst b/README.rst index b8ab5f4975..f11f43e231 100644 --- a/README.rst +++ b/README.rst 
@@ -227,7 +227,7 @@ The following options can be configured on the server: http.default.auth.type Whether to enable authentication for the default interface, specify 'token_v2' for bearer token mode or 'token' for legacy bearer token mode. http.default.cors.origin [] When set, enables CORS from the specified origins on the default HTTP interface. **JSONLD** - jsonld.contexts.localmapping [https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. + jsonld.contexts.localmapping [https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson,https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. jsonld.contexts.remoteallowlist [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json] In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. **Network** network.bootstrapnodes [] List of bootstrap nodes (':') which the node initially connect to. diff --git a/docs/pages/deployment/cli-reference.rst b/docs/pages/deployment/cli-reference.rst index b57545a7a1..ac8c33f2fb 100755 --- a/docs/pages/deployment/cli-reference.rst +++ b/docs/pages/deployment/cli-reference.rst 
@@ -45,7 +45,7 @@ The following options apply to the server commands below: --http.default.log string What to log about HTTP requests. Options are 'nothing', 'metadata' (log request method, URI, IP and response code), and 'metadata-and-body' (log the request and response body, in addition to the metadata). (default "metadata") --http.default.tls string Whether to enable TLS for the default interface, options are 'disabled', 'server', 'server-client'. Leaving it empty is synonymous to 'disabled', --internalratelimiter When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. (default true) - --jsonld.contexts.localmapping stringToString This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. (default [https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson,https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson]) + --jsonld.contexts.localmapping stringToString This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. (default [https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson]) --jsonld.contexts.remoteallowlist strings In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. 
(default [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json]) --loggerformat string Log format (text, json) (default "text") --network.bootstrapnodes strings List of bootstrap nodes (':') which the node initially connect to. diff --git a/docs/pages/deployment/server_options.rst b/docs/pages/deployment/server_options.rst index 6a46a5e479..85076e29c5 100755 --- a/docs/pages/deployment/server_options.rst +++ b/docs/pages/deployment/server_options.rst 
@@ -2,84 +2,88 @@ :widths: 20 30 50 :class: options-table - ==================================== =============================================================================================================================================================================================================================================================================================================== ================================================================================================================================================================================================================================== - Key Default Description - ==================================== =============================================================================================================================================================================================================================================================================================================== ================================================================================================================================================================================================================================== - configfile nuts.yaml Nuts config file - cpuprofile When set, a CPU profile is written to the given path. Ignored when strictmode is set. - datadir ./data Directory where the node stores its files. - internalratelimiter true When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. - loggerformat text Log format (text, json) - strictmode true When set, insecure settings are forbidden. - url Public facing URL of the server (required). Must be HTTPS when strictmode is set. - verbosity info Log level (trace, debug, info, warn, error) - tls.certfile PEM file containing the certificate for the server (also used as client certificate). 
- tls.certheader Name of the HTTP header that will contain the client certificate when TLS is offloaded. - tls.certkeyfile PEM file containing the private key of the server certificate. - tls.offload Whether to enable TLS offloading for incoming connections. Enable by setting it to 'incoming'. If enabled 'tls.certheader' must be configured as well. - tls.truststorefile truststore.pem PEM file containing the trusted CA certificates for authenticating remote servers. - **Auth** - auth.accesstokenlifespan 60 defines how long (in seconds) an access token is valid. Uses default in strict mode. - auth.clockskew 5000 allowed JWT Clock skew in milliseconds - auth.contractvalidators [irma,uzi,dummy,employeeid] sets the different contract validators to use - auth.http.timeout 30 HTTP timeout (in seconds) used by the Auth API HTTP client - auth.irma.autoupdateschemas true set if you want automatically update the IRMA schemas every 60 minutes. - auth.irma.schememanager pbdf IRMA schemeManager to use for attributes. Can be either 'pbdf' or 'irma-demo'. - **Crypto** - crypto.storage fs Storage to use, 'external' for an external backend (experimental), 'fs' for file system (for development purposes), 'vaultkv' for Vault KV store (recommended, will be replaced by external backend in future). - crypto.external.address Address of the external storage service. - crypto.external.timeout 100ms Time-out when invoking the external storage backend, in Golang time.Duration string format (e.g. 1s). - crypto.vault.address The Vault address. If set it overwrites the VAULT_ADDR env var. - crypto.vault.pathprefix kv The Vault path prefix. - crypto.vault.timeout 5s Timeout of client calls to Vault, in Golang time.Duration string format (e.g. 1s). - crypto.vault.token The Vault token. If set it overwrites the VAULT_TOKEN env var. 
- **Events** - events.nats.hostname 0.0.0.0 Hostname for the NATS server - events.nats.port 4222 Port where the NATS server listens on - events.nats.storagedir Directory where file-backed streams are stored in the NATS server - events.nats.timeout 30 Timeout for NATS server operations - **GoldenHammer** - goldenhammer.enabled true Whether to enable automatically fixing DID documents with the required endpoints. - goldenhammer.interval 10m0s The interval in which to check for DID documents to fix. - **HTTP** - http.default.address \:1323 Address and port the server will be listening to - http.default.log metadata What to log about HTTP requests. Options are 'nothing', 'metadata' (log request method, URI, IP and response code), and 'metadata-and-body' (log the request and response body, in addition to the metadata). - http.default.tls Whether to enable TLS for the default interface, options are 'disabled', 'server', 'server-client'. Leaving it empty is synonymous to 'disabled', - http.default.auth.audience Expected audience for JWT tokens (default: hostname) - http.default.auth.authorizedkeyspath Path to an authorized_keys file for trusted JWT signers - http.default.auth.type Whether to enable authentication for the default interface, specify 'token_v2' for bearer token mode or 'token' for legacy bearer token mode. - http.default.cors.origin [] When set, enables CORS from the specified origins on the default HTTP interface. - **JSONLD** - jsonld.contexts.localmapping [https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. 
- jsonld.contexts.remoteallowlist [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json] In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. - **Network** - network.bootstrapnodes [] List of bootstrap nodes (':') which the node initially connect to. - network.connectiontimeout 5000 Timeout before an outbound connection attempt times out (in milliseconds). - network.enablediscovery true Whether to enable automatic connecting to other nodes. - network.enabletls true Whether to enable TLS for gRPC connections, which can be disabled for demo/development purposes. It is NOT meant for TLS offloading (see 'tls.offload'). Disabling TLS is not allowed in strict-mode. - network.grpcaddr \:5555 Local address for gRPC to listen on. If empty the gRPC server won't be started and other nodes will not be able to connect to this node (outbound connections can still be made). - network.maxbackoff 24h0m0s Maximum between outbound connections attempts to unresponsive nodes (in Golang duration format, e.g. '1h', '30m'). - network.nodedid Specifies the DID of the organization that operates this node, typically a vendor for EPD software. It is used to identify the node on the network. If the DID document does not exist of is deactivated, the node will not start. - network.protocols [] Specifies the list of network protocols to enable on the server. They are specified by version (1, 2). If not set, all protocols are enabled. - network.v2.diagnosticsinterval 5000 Interval (in milliseconds) that specifies how often the node should broadcast its diagnostic information to other nodes (specify 0 to disable). - network.v2.gossipinterval 5000 Interval (in milliseconds) that specifies how often the node should gossip its new hashes to other nodes. 
- **PKI** - pki.maxupdatefailhours 4 Maximum number of hours that a denylist update can fail - pki.softfail true Do not reject certificates if their revocation status cannot be established when softfail is true - **Storage** - storage.bbolt.backup.directory Target directory for BBolt database backups. - storage.bbolt.backup.interval 0s Interval, formatted as Golang duration (e.g. 10m, 1h) at which BBolt database backups will be performed. - storage.redis.address Redis database server address. This can be a simple 'host:port' or a Redis connection URL with scheme, auth and other options. - storage.redis.database Redis database name, which is used as prefix every key. Can be used to have multiple instances use the same Redis instance. - storage.redis.password Redis database password. If set, it overrides the username in the connection URL. - storage.redis.username Redis database username. If set, it overrides the username in the connection URL. - storage.redis.sentinel.master Name of the Redis Sentinel master. Setting this property enables Redis Sentinel. - storage.redis.sentinel.nodes [] Addresses of the Redis Sentinels to connect to initially. Setting this property enables Redis Sentinel. - storage.redis.sentinel.password Password for authenticating to Redis Sentinels. - storage.redis.sentinel.username Username for authenticating to Redis Sentinels. - storage.redis.tls.truststorefile PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address). - storage.sql.connection Connection string for the SQL database. If not set, it defaults to a SQLite database stored inside the configured data directory - **VCR** - vcr.openid4vci.definitionsdir Directory with the additional credential definitions the node could issue (experimental, may change without notice). - vcr.openid4vci.enabled true Enable issuing and receiving credentials over OpenID4VCI. 
- vcr.openid4vci.timeout 30s Time-out for OpenID4VCI HTTP client operations. \ No newline at end of file + ==================================== =============================================================================================================================================================================================================================================================================================================== ================================================================================================================================================================================================================================================================================================================================ + Key Default Description + ==================================== =============================================================================================================================================================================================================================================================================================================== ================================================================================================================================================================================================================================================================================================================================ + configfile nuts.yaml Nuts config file + cpuprofile When set, a CPU profile is written to the given path. Ignored when strictmode is set. + datadir ./data Directory where the node stores its files. + internalratelimiter true When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. + loggerformat text Log format (text, json) + strictmode true When set, insecure settings are forbidden. + url Public facing URL of the server (required). Must be HTTPS when strictmode is set. 
+ verbosity info Log level (trace, debug, info, warn, error) + tls.certfile PEM file containing the certificate for the server (also used as client certificate). + tls.certheader Name of the HTTP header that will contain the client certificate when TLS is offloaded. + tls.certkeyfile PEM file containing the private key of the server certificate. + tls.offload Whether to enable TLS offloading for incoming connections. Enable by setting it to 'incoming'. If enabled 'tls.certheader' must be configured as well. + tls.truststorefile truststore.pem PEM file containing the trusted CA certificates for authenticating remote servers. + **Auth** + auth.accesstokenlifespan 60 defines how long (in seconds) an access token is valid. Uses default in strict mode. + auth.clockskew 5000 allowed JWT Clock skew in milliseconds + auth.contractvalidators [irma,uzi,dummy,employeeid] sets the different contract validators to use + auth.http.timeout 30 HTTP timeout (in seconds) used by the Auth API HTTP client + auth.irma.autoupdateschemas true set if you want automatically update the IRMA schemas every 60 minutes. + auth.irma.schememanager pbdf IRMA schemeManager to use for attributes. Can be either 'pbdf' or 'irma-demo'. + **Crypto** + crypto.storage fs Storage to use, 'external' for an external backend (experimental), 'fs' for file system (for development purposes), 'vaultkv' for Vault KV store (recommended, will be replaced by external backend in future). + crypto.external.address Address of the external storage service. + crypto.external.timeout 100ms Time-out when invoking the external storage backend, in Golang time.Duration string format (e.g. 1s). + crypto.vault.address The Vault address. If set it overwrites the VAULT_ADDR env var. + crypto.vault.pathprefix kv The Vault path prefix. + crypto.vault.timeout 5s Timeout of client calls to Vault, in Golang time.Duration string format (e.g. 1s). + crypto.vault.token The Vault token. If set it overwrites the VAULT_TOKEN env var. 
+ **Discovery** + discovery.definitions.directory Directory to load Discovery Service Definitions from. If not set, the discovery service will be disabled. If the directory contains JSON files that can't be parsed as service definition, the node will fail to start. + discovery.server.definition_ids [] IDs of the Discovery Service Definitions for which to act as server. If an ID does not map to a loaded service definition, the node will fail to start. + **Events** + events.nats.hostname 0.0.0.0 Hostname for the NATS server + events.nats.port 4222 Port where the NATS server listens on + events.nats.storagedir Directory where file-backed streams are stored in the NATS server + events.nats.timeout 30 Timeout for NATS server operations + **GoldenHammer** + goldenhammer.enabled true Whether to enable automatically fixing DID documents with the required endpoints. + goldenhammer.interval 10m0s The interval in which to check for DID documents to fix. + **HTTP** + http.default.address \:1323 Address and port the server will be listening to + http.default.log metadata What to log about HTTP requests. Options are 'nothing', 'metadata' (log request method, URI, IP and response code), and 'metadata-and-body' (log the request and response body, in addition to the metadata). + http.default.tls Whether to enable TLS for the default interface, options are 'disabled', 'server', 'server-client'. Leaving it empty is synonymous to 'disabled', + http.default.auth.audience Expected audience for JWT tokens (default: hostname) + http.default.auth.authorizedkeyspath Path to an authorized_keys file for trusted JWT signers + http.default.auth.type Whether to enable authentication for the default interface, specify 'token_v2' for bearer token mode or 'token' for legacy bearer token mode. + http.default.cors.origin [] When set, enables CORS from the specified origins on the default HTTP interface. 
+ **JSONLD** + jsonld.contexts.localmapping [https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson,https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. + jsonld.contexts.remoteallowlist [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json] In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. + **Network** + network.bootstrapnodes [] List of bootstrap nodes (':') which the node initially connect to. + network.connectiontimeout 5000 Timeout before an outbound connection attempt times out (in milliseconds). + network.enablediscovery true Whether to enable automatic connecting to other nodes. + network.enabletls true Whether to enable TLS for gRPC connections, which can be disabled for demo/development purposes. It is NOT meant for TLS offloading (see 'tls.offload'). Disabling TLS is not allowed in strict-mode. + network.grpcaddr \:5555 Local address for gRPC to listen on. If empty the gRPC server won't be started and other nodes will not be able to connect to this node (outbound connections can still be made). + network.maxbackoff 24h0m0s Maximum between outbound connections attempts to unresponsive nodes (in Golang duration format, e.g. '1h', '30m'). + network.nodedid Specifies the DID of the organization that operates this node, typically a vendor for EPD software. It is used to identify the node on the network. If the DID document does not exist of is deactivated, the node will not start. + network.protocols [] Specifies the list of network protocols to enable on the server. 
They are specified by version (1, 2). If not set, all protocols are enabled. + network.v2.diagnosticsinterval 5000 Interval (in milliseconds) that specifies how often the node should broadcast its diagnostic information to other nodes (specify 0 to disable). + network.v2.gossipinterval 5000 Interval (in milliseconds) that specifies how often the node should gossip its new hashes to other nodes. + **PKI** + pki.maxupdatefailhours 4 Maximum number of hours that a denylist update can fail + pki.softfail true Do not reject certificates if their revocation status cannot be established when softfail is true + **Storage** + storage.bbolt.backup.directory Target directory for BBolt database backups. + storage.bbolt.backup.interval 0s Interval, formatted as Golang duration (e.g. 10m, 1h) at which BBolt database backups will be performed. + storage.redis.address Redis database server address. This can be a simple 'host:port' or a Redis connection URL with scheme, auth and other options. + storage.redis.database Redis database name, which is used as prefix every key. Can be used to have multiple instances use the same Redis instance. + storage.redis.password Redis database password. If set, it overrides the username in the connection URL. + storage.redis.username Redis database username. If set, it overrides the username in the connection URL. + storage.redis.sentinel.master Name of the Redis Sentinel master. Setting this property enables Redis Sentinel. + storage.redis.sentinel.nodes [] Addresses of the Redis Sentinels to connect to initially. Setting this property enables Redis Sentinel. + storage.redis.sentinel.password Password for authenticating to Redis Sentinels. + storage.redis.sentinel.username Username for authenticating to Redis Sentinels. + storage.redis.tls.truststorefile PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address). 
+ storage.sql.connection Connection string for the SQL database. If not set it, defaults to a SQLite database stored inside the configured data directory. Note: using SQLite is not recommended in production environments. If using SQLite anyways, remember to enable foreign keys ('_foreign_keys=on') and the write-ahead-log ('_journal_mode=WAL'). + **VCR** + vcr.openid4vci.definitionsdir Directory with the additional credential definitions the node could issue (experimental, may change without notice). + vcr.openid4vci.enabled true Enable issuing and receiving credentials over OpenID4VCI. + vcr.openid4vci.timeout 30s Time-out for OpenID4VCI HTTP client operations. + ==================================== =============================================================================================================================================================================================================================================================================================================== ================================================================================================================================================================================================================================================================================================================================ From 0076258ef23f290b97a4e55935b76c8aca28ed45 Mon Sep 17 00:00:00 2001 
From: Wout Slakhorst Date: Fri, 1 Dec 2023 10:20:46 +0100 Subject: [PATCH 5/7] e2e test fixes --- auth/test/testconfig.yaml | 3 --- charts/nuts-node/values.yaml | 2 +- docs/pages/getting-started/1-running-docker.rst | 3 +-- docs/pages/getting-started/5-authentication.rst | 3 +-- e2e-tests/auth/selfsigned/config/node/nuts.yaml | 2 +- e2e-tests/denylist/defaults/nuts.yaml | 2 +- e2e-tests/denylist/github/nuts.yaml | 2 +- e2e-tests/nuts-network/direct-wan/node-A/nuts.yaml | 2 +- e2e-tests/nuts-network/direct-wan/node-B/nuts.yaml | 2 +- e2e-tests/nuts-network/gossip-overflow/node-A/nuts.yaml | 2 +- e2e-tests/nuts-network/gossip/node-C/nuts.yaml | 2 +- e2e-tests/nuts-network/gossip/node-D/nuts.yaml | 2 +- e2e-tests/nuts-network/private-transactions/node-A/nuts.yaml | 2 +- e2e-tests/nuts-network/private-transactions/node-B/nuts.yaml | 2 +- e2e-tests/nuts-network/ssl-offloading/haproxy/node-A/nuts.yaml | 2 +- e2e-tests/nuts-network/ssl-offloading/haproxy/node-B/nuts.yaml | 2 +- e2e-tests/nuts-network/ssl-offloading/nginx/node-A/nuts.yaml | 2 +- e2e-tests/nuts-network/ssl-offloading/nginx/node-B/nuts.yaml | 2 +- e2e-tests/nuts-network/ssl-pass-through/node-A/nuts.yaml | 2 +- e2e-tests/nuts-network/ssl-pass-through/node-B/nuts.yaml | 2 +- e2e-tests/oauth-flow/rfc002/node-A/nuts.yaml | 2 +- e2e-tests/oauth-flow/rfc002/node-B/nuts.yaml | 2 +- e2e-tests/oauth-flow/rfc021/node-A/nuts.yaml | 2 +- e2e-tests/oauth-flow/rfc021/node-B/nuts.yaml | 2 +- e2e-tests/openid4vci/issuer-initiated/node-A/nuts.yaml | 2 +- e2e-tests/openid4vci/issuer-initiated/node-B/nuts.yaml | 2 +- e2e-tests/openid4vci/network-issuance/node-A/nuts.yaml | 2 +- e2e-tests/openid4vci/network-issuance/node-B/nuts.yaml | 2 +- e2e-tests/ops/key-rotation/node-A/nuts.yaml | 2 +- e2e-tests/ops/key-rotation/node-B/nuts.yaml | 2 +- 30 files changed, 29 insertions(+), 34 deletions(-) delete mode 100644 auth/test/testconfig.yaml 
diff --git a/auth/test/testconfig.yaml b/auth/test/testconfig.yaml deleted file mode 100644 index 6092c3b5f5..0000000000 --- a/auth/test/testconfig.yaml +++ /dev/null @@ -1,3 +0,0 @@ -publicUrl: https://example.org -irma: - directory: ../../development/irma \ No newline at end of file diff --git a/charts/nuts-node/values.yaml b/charts/nuts-node/values.yaml index e03afdf4f8..742864ddb5 100644 --- a/charts/nuts-node/values.yaml +++ b/charts/nuts-node/values.yaml @@ -109,8 +109,8 @@ nuts: network: enabletls: true grpcaddr: :5555 + url: https://chart-example.local auth: - publicurl: https://chart-example.local contractvalidators: - irma - uzi diff --git a/docs/pages/getting-started/1-running-docker.rst b/docs/pages/getting-started/1-running-docker.rst index 33cbab1d0f..9e1d7c8d48 100644 --- a/docs/pages/getting-started/1-running-docker.rst +++ b/docs/pages/getting-started/1-running-docker.rst @@ -48,8 +48,7 @@ This setup uses the following ``nuts.yaml`` configuration file: network: bootstrapnodes: - example.com:5555 - auth: - publicurl: https://example.com + url: https://example.com .. note:: diff --git a/docs/pages/getting-started/5-authentication.rst b/docs/pages/getting-started/5-authentication.rst index 602069e882..b5bd9b630f 100644 --- a/docs/pages/getting-started/5-authentication.rst +++ b/docs/pages/getting-started/5-authentication.rst @@ -20,8 +20,7 @@ The domain must be configured on the Nuts node: .. code-block:: yaml - auth: - publicurl: https://example.com + url: https://example.com Getting a valid contract ************************ diff --git a/e2e-tests/auth/selfsigned/config/node/nuts.yaml b/e2e-tests/auth/selfsigned/config/node/nuts.yaml index 4697085b84..425acee0f0 100644 --- a/e2e-tests/auth/selfsigned/config/node/nuts.yaml +++ b/e2e-tests/auth/selfsigned/config/node/nuts.yaml @@ -1,3 +1,4 @@ +url: http://node:1323 datadir: /opt/nuts/data strictmode: false http: 
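Review bot: The new `url` key in charts/nuts-node/values.yaml must sit at the same nesting level as `network:` and `auth:` (directly under `nuts:`), since ServerURL reads the top-level `url` property; indentation is not recoverable from this rendering, so it is worth confirming it did not land under `network:`. If it were nested, the chart would start the node with `url` unset and it would fail with `'url' must be configured`. The e2e nuts.yaml files in this patch add `url:` at line 1 of each file and so are unambiguously top-level; only the chart hunk needs the check.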
@@ -7,7 +8,6 @@ http: origin: "*" verbosity: debug auth: - publicurl: http://node:1323 contractvalidators: - selfsigned network: diff --git a/e2e-tests/denylist/defaults/nuts.yaml b/e2e-tests/denylist/defaults/nuts.yaml index 5636650b57..611864b045 100644 --- a/e2e-tests/denylist/defaults/nuts.yaml +++ b/e2e-tests/denylist/defaults/nuts.yaml @@ -1,3 +1,4 @@ +url: http://nuts-node verbosity: trace strictmode: false internalratelimiter: false @@ -5,7 +6,6 @@ http: default: address: :1323 auth: - publicurl: http://nuts-node contractvalidators: - dummy irma: diff --git a/e2e-tests/denylist/github/nuts.yaml b/e2e-tests/denylist/github/nuts.yaml index 794ed11345..dba5e5b107 100644 --- a/e2e-tests/denylist/github/nuts.yaml +++ b/e2e-tests/denylist/github/nuts.yaml @@ -1,3 +1,4 @@ +url: http://nuts-node verbosity: trace strictmode: false internalratelimiter: false @@ -5,7 +6,6 @@ http: default: address: :1323 auth: - publicurl: http://nuts-node contractvalidators: - dummy irma: diff --git a/e2e-tests/nuts-network/direct-wan/node-A/nuts.yaml b/e2e-tests/nuts-network/direct-wan/node-A/nuts.yaml index aa5876837d..5cae48ba51 100644 --- a/e2e-tests/nuts-network/direct-wan/node-A/nuts.yaml +++ b/e2e-tests/nuts-network/direct-wan/node-A/nuts.yaml @@ -1,10 +1,10 @@ +url: https://node-A verbosity: debug internalratelimiter: false http: default: address: :1323 auth: - publicurl: https://node-A contractvalidators: - dummy irma: diff --git a/e2e-tests/nuts-network/direct-wan/node-B/nuts.yaml b/e2e-tests/nuts-network/direct-wan/node-B/nuts.yaml index d8fe3aa960..e6f2b370dd 100644 --- a/e2e-tests/nuts-network/direct-wan/node-B/nuts.yaml +++ b/e2e-tests/nuts-network/direct-wan/node-B/nuts.yaml @@ -1,10 +1,10 @@ +url: https://node-B verbosity: debug internalratelimiter: false http: default: address: :1323 auth: - publicurl: https://node-B contractvalidators: - dummy irma: 
diff --git a/e2e-tests/nuts-network/gossip-overflow/node-A/nuts.yaml b/e2e-tests/nuts-network/gossip-overflow/node-A/nuts.yaml index 3168ee03dd..c51926cff7 100644 --- a/e2e-tests/nuts-network/gossip-overflow/node-A/nuts.yaml +++ b/e2e-tests/nuts-network/gossip-overflow/node-A/nuts.yaml @@ -1,3 +1,4 @@ +url: http://node-A verbosity: debug strictmode: false internalratelimiter: false @@ -5,7 +6,6 @@ http: default: address: :1323 auth: - publicurl: http://node-A contractvalidators: - dummy irma: diff --git a/e2e-tests/nuts-network/gossip/node-C/nuts.yaml b/e2e-tests/nuts-network/gossip/node-C/nuts.yaml index 9922480ed3..0fc7658f5b 100644 --- a/e2e-tests/nuts-network/gossip/node-C/nuts.yaml +++ b/e2e-tests/nuts-network/gossip/node-C/nuts.yaml @@ -1,3 +1,4 @@ +url: http://node-C verbosity: debug strictmode: false internalratelimiter: false @@ -5,7 +6,6 @@ http: default: address: :1323 auth: - publicurl: http://node-C contractvalidators: - dummy irma: diff --git a/e2e-tests/nuts-network/gossip/node-D/nuts.yaml b/e2e-tests/nuts-network/gossip/node-D/nuts.yaml index 0ac26ceca2..f4310da488 100644 --- a/e2e-tests/nuts-network/gossip/node-D/nuts.yaml +++ b/e2e-tests/nuts-network/gossip/node-D/nuts.yaml @@ -1,3 +1,4 @@ +url: http://node-D verbosity: debug strictmode: false internalratelimiter: false @@ -5,7 +6,6 @@ http: default: address: :1323 auth: - publicurl: http://node-D contractvalidators: - dummy irma: diff --git a/e2e-tests/nuts-network/private-transactions/node-A/nuts.yaml b/e2e-tests/nuts-network/private-transactions/node-A/nuts.yaml index 31be29b5c7..7b5269d5e9 100644 --- a/e2e-tests/nuts-network/private-transactions/node-A/nuts.yaml +++ b/e2e-tests/nuts-network/private-transactions/node-A/nuts.yaml @@ -1,3 +1,4 @@ +url: https://node-A verbosity: debug strictmode: true internalratelimiter: false @@ -6,7 +7,6 @@ http: default: address: :1323 auth: - publicurl: https://node-A contractvalidators: - dummy irma: 
diff --git a/e2e-tests/nuts-network/private-transactions/node-B/nuts.yaml b/e2e-tests/nuts-network/private-transactions/node-B/nuts.yaml index def0f22cf4..4fdb49f879 100644 --- a/e2e-tests/nuts-network/private-transactions/node-B/nuts.yaml +++ b/e2e-tests/nuts-network/private-transactions/node-B/nuts.yaml @@ -1,3 +1,4 @@ +url: https://node-B verbosity: debug strictmode: true internalratelimiter: false @@ -6,7 +7,6 @@ http: default: address: :1323 auth: - publicurl: https://node-B contractvalidators: - dummy irma: diff --git a/e2e-tests/nuts-network/ssl-offloading/haproxy/node-A/nuts.yaml b/e2e-tests/nuts-network/ssl-offloading/haproxy/node-A/nuts.yaml index 461c443748..068baf10ba 100644 --- a/e2e-tests/nuts-network/ssl-offloading/haproxy/node-A/nuts.yaml +++ b/e2e-tests/nuts-network/ssl-offloading/haproxy/node-A/nuts.yaml @@ -1,7 +1,7 @@ +url: https://node-A verbosity: debug internalratelimiter: false auth: - publicurl: https://node-A contractvalidators: - dummy irma: diff --git a/e2e-tests/nuts-network/ssl-offloading/haproxy/node-B/nuts.yaml b/e2e-tests/nuts-network/ssl-offloading/haproxy/node-B/nuts.yaml index 148eb802d9..a74546a6dd 100644 --- a/e2e-tests/nuts-network/ssl-offloading/haproxy/node-B/nuts.yaml +++ b/e2e-tests/nuts-network/ssl-offloading/haproxy/node-B/nuts.yaml @@ -1,7 +1,7 @@ +url: https://node-B verbosity: debug internalratelimiter: false auth: - publicurl: https://node-B contractvalidators: - dummy irma: diff --git a/e2e-tests/nuts-network/ssl-offloading/nginx/node-A/nuts.yaml b/e2e-tests/nuts-network/ssl-offloading/nginx/node-A/nuts.yaml index 461c443748..068baf10ba 100644 --- a/e2e-tests/nuts-network/ssl-offloading/nginx/node-A/nuts.yaml +++ b/e2e-tests/nuts-network/ssl-offloading/nginx/node-A/nuts.yaml @@ -1,7 +1,7 @@ +url: https://node-A verbosity: debug internalratelimiter: false auth: - publicurl: https://node-A contractvalidators: - dummy irma: 
diff --git a/e2e-tests/nuts-network/ssl-offloading/nginx/node-B/nuts.yaml b/e2e-tests/nuts-network/ssl-offloading/nginx/node-B/nuts.yaml index 148eb802d9..a74546a6dd 100644 --- a/e2e-tests/nuts-network/ssl-offloading/nginx/node-B/nuts.yaml +++ b/e2e-tests/nuts-network/ssl-offloading/nginx/node-B/nuts.yaml @@ -1,7 +1,7 @@ +url: https://node-B verbosity: debug internalratelimiter: false auth: - publicurl: https://node-B contractvalidators: - dummy irma: diff --git a/e2e-tests/nuts-network/ssl-pass-through/node-A/nuts.yaml b/e2e-tests/nuts-network/ssl-pass-through/node-A/nuts.yaml index 4390a17b04..ac684d748b 100644 --- a/e2e-tests/nuts-network/ssl-pass-through/node-A/nuts.yaml +++ b/e2e-tests/nuts-network/ssl-pass-through/node-A/nuts.yaml @@ -1,6 +1,6 @@ +url: https://node-A verbosity: debug auth: - publicurl: https://node-A contractvalidators: - dummy irma: diff --git a/e2e-tests/nuts-network/ssl-pass-through/node-B/nuts.yaml b/e2e-tests/nuts-network/ssl-pass-through/node-B/nuts.yaml index 7a7fec6a83..2919b2e496 100644 --- a/e2e-tests/nuts-network/ssl-pass-through/node-B/nuts.yaml +++ b/e2e-tests/nuts-network/ssl-pass-through/node-B/nuts.yaml @@ -1,6 +1,6 @@ +url: https://node-B verbosity: debug auth: - publicurl: https://node-B contractvalidators: - dummy irma: diff --git a/e2e-tests/oauth-flow/rfc002/node-A/nuts.yaml b/e2e-tests/oauth-flow/rfc002/node-A/nuts.yaml index 3a5389a516..b2e5b8785e 100644 --- a/e2e-tests/oauth-flow/rfc002/node-A/nuts.yaml +++ b/e2e-tests/oauth-flow/rfc002/node-A/nuts.yaml @@ -1,3 +1,4 @@ +url: http://node-A verbosity: debug strictmode: false internalratelimiter: false @@ -6,7 +7,6 @@ http: default: address: :1323 auth: - publicurl: http://node-A contractvalidators: - dummy irma: diff --git a/e2e-tests/oauth-flow/rfc002/node-B/nuts.yaml b/e2e-tests/oauth-flow/rfc002/node-B/nuts.yaml index 658d7cc936..e0c75f0ee6 100644 --- a/e2e-tests/oauth-flow/rfc002/node-B/nuts.yaml +++ b/e2e-tests/oauth-flow/rfc002/node-B/nuts.yaml 
@@ -1,3 +1,4 @@ +url: http://node-b verbosity: debug strictmode: false internalratelimiter: false @@ -7,7 +8,6 @@ http: address: :1323 auth: tlsenabled: true - publicurl: http://node-b contractvalidators: - dummy irma: diff --git a/e2e-tests/oauth-flow/rfc021/node-A/nuts.yaml b/e2e-tests/oauth-flow/rfc021/node-A/nuts.yaml index bf51193545..d256ee0ae4 100644 --- a/e2e-tests/oauth-flow/rfc021/node-A/nuts.yaml +++ b/e2e-tests/oauth-flow/rfc021/node-A/nuts.yaml @@ -1,3 +1,4 @@ +url: https://nodeA verbosity: debug strictmode: false internalratelimiter: false @@ -6,7 +7,6 @@ http: default: address: :1323 auth: - publicurl: https://nodeA v2apienabled: true presentationexchangemappingfile: /opt/nuts/presentationexchangemapping.json contractvalidators: diff --git a/e2e-tests/oauth-flow/rfc021/node-B/nuts.yaml b/e2e-tests/oauth-flow/rfc021/node-B/nuts.yaml index 3691731054..48297172e5 100644 --- a/e2e-tests/oauth-flow/rfc021/node-B/nuts.yaml +++ b/e2e-tests/oauth-flow/rfc021/node-B/nuts.yaml @@ -1,3 +1,4 @@ +url: https://nodeB verbosity: debug strictmode: false internalratelimiter: false @@ -8,7 +9,6 @@ http: auth: tlsenabled: true v2apienabled: true - publicurl: https://nodeB contractvalidators: - dummy irma: diff --git a/e2e-tests/openid4vci/issuer-initiated/node-A/nuts.yaml b/e2e-tests/openid4vci/issuer-initiated/node-A/nuts.yaml index 55b00577d1..3a8b4650aa 100644 --- a/e2e-tests/openid4vci/issuer-initiated/node-A/nuts.yaml +++ b/e2e-tests/openid4vci/issuer-initiated/node-A/nuts.yaml @@ -1,3 +1,4 @@ +url: https://nodeA:1323 verbosity: debug strictmode: true internalratelimiter: false @@ -10,7 +11,6 @@ http: address: :443 tls: server-client auth: - publicurl: https://nodeA:1323 contractvalidators: - dummy irma: diff --git a/e2e-tests/openid4vci/issuer-initiated/node-B/nuts.yaml b/e2e-tests/openid4vci/issuer-initiated/node-B/nuts.yaml index 1c41aa2828..42fe45dbbf 100644 --- a/e2e-tests/openid4vci/issuer-initiated/node-B/nuts.yaml 
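Review bot: The added `url: http://node-b` in e2e-tests/oauth-flow/rfc002/node-B/nuts.yaml uses a lowercase host while node-A in the same scenario is `http://node-A` and every other scenario writes `node-B`; if this value is compared as an exact string anywhere (issuer/audience checks, URL-derived identifiers), the mismatch either fails or passes only by accident of normalisation, so keep the scenario consistent: `url: http://node-B`. The casing is carried over from the removed `publicurl` line, so it is pre-existing rather than introduced by the rename. The second hunk also leaves `tlsenabled: true` under `auth:` next to a plain-http public URL; if that flag governs what peers are told to use, a one-line comment such as `# plain http on purpose: strictmode is false in this scenario` would record that the disagreement is intentional.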
+++ b/e2e-tests/openid4vci/issuer-initiated/node-B/nuts.yaml @@ -1,3 +1,4 @@ +url: https://nodeB:1323 verbosity: debug strictmode: true internalratelimiter: false @@ -10,7 +11,6 @@ http: address: :443 tls: server-client auth: - publicurl: https://nodeB:1323 contractvalidators: - dummy irma: diff --git a/e2e-tests/openid4vci/network-issuance/node-A/nuts.yaml b/e2e-tests/openid4vci/network-issuance/node-A/nuts.yaml index e3d7926948..7d3ad6c8b9 100644 --- a/e2e-tests/openid4vci/network-issuance/node-A/nuts.yaml +++ b/e2e-tests/openid4vci/network-issuance/node-A/nuts.yaml @@ -1,3 +1,4 @@ +url: https://nodeA:1323 verbosity: debug strictmode: true internalratelimiter: false @@ -10,7 +11,6 @@ http: address: :443 tls: server-client auth: - publicurl: https://nodeA:1323 contractvalidators: - dummy irma: diff --git a/e2e-tests/openid4vci/network-issuance/node-B/nuts.yaml b/e2e-tests/openid4vci/network-issuance/node-B/nuts.yaml index ce73fe5010..a10682b075 100644 --- a/e2e-tests/openid4vci/network-issuance/node-B/nuts.yaml +++ b/e2e-tests/openid4vci/network-issuance/node-B/nuts.yaml @@ -1,3 +1,4 @@ +url: https://nodeB:1323 verbosity: debug strictmode: true internalratelimiter: false @@ -10,7 +11,6 @@ http: address: :443 tls: server-client auth: - publicurl: https://nodeB:1323 contractvalidators: - dummy irma: diff --git a/e2e-tests/ops/key-rotation/node-A/nuts.yaml b/e2e-tests/ops/key-rotation/node-A/nuts.yaml index f6cae490b3..ff296702ab 100644 --- a/e2e-tests/ops/key-rotation/node-A/nuts.yaml +++ b/e2e-tests/ops/key-rotation/node-A/nuts.yaml @@ -1,10 +1,10 @@ +url: https://node-A verbosity: debug internalratelimiter: false http: default: address: :1323 auth: - publicurl: https://node-A contractvalidators: - dummy irma: diff --git a/e2e-tests/ops/key-rotation/node-B/nuts.yaml b/e2e-tests/ops/key-rotation/node-B/nuts.yaml index b7545fd654..c30b6a4bf3 100644 --- a/e2e-tests/ops/key-rotation/node-B/nuts.yaml +++ b/e2e-tests/ops/key-rotation/node-B/nuts.yaml 
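Review bot: In the network-issuance/node-A hunks the new `url: https://nodeA:1323` advertises port 1323, yet the only listener visible in the second hunk's context is `address: :443` with `tls: server-client`; if 1323 is the default interface and is not TLS-terminated (not visible here), clients following this https URL will fail to connect, or the advertised origin will not match the mutual-TLS interface the scenario is meant to exercise. With `strictmode: true` the root property is required to be https, so the scheme passes the new validation while the port may still be wrong. Either point at the TLS interface, `url: https://nodeA` (or `https://nodeA:443`), or add a comment explaining why 1323 is the externally reachable port in this compose setup. The value is carried over unchanged from `auth.publicurl`, and the same applies to the node-B and issuer-initiated variants.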
@@ -1,10 +1,10 @@ +url: https://node-B verbosity: debug internalratelimiter: false http: default: address: :1323 auth: - publicurl: https://node-B contractvalidators: - dummy irma: From 0d9fc493b64cf8b6f8e8ec07dfeafb158fc6de46 Mon Sep 17 00:00:00 2001 From: Wout Slakhorst Date: Fri, 1 Dec 2023 10:22:23 +0100 Subject: [PATCH 6/7] test fix --- test/node/server.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/node/server.go b/test/node/server.go index dde6da4377..0066aac439 100644 --- a/test/node/server.go +++ b/test/node/server.go @@ -72,7 +72,7 @@ func StartServer(t *testing.T, configFunc ...func(httpServerURL string)) (string t.Setenv("NUTS_NETWORK_GRPCADDR", grpcPort) t.Setenv("NUTS_EVENTS_NATS_PORT", natsPort) t.Setenv("NUTS_EVENTS_NATS_HOSTNAME", "localhost") - t.Setenv("NUTS_AUTH_PUBLICURL", httpServerURL) + t.Setenv("NUTS_URL", httpServerURL) certFile := pki.CertificateFile(t) t.Setenv("NUTS_TLS_CERTFILE", certFile) t.Setenv("NUTS_TLS_CERTKEYFILE", certFile) From 4dd134cc539c0ccfb74dbb6f31e3aa28f083d4b8 Mon Sep 17 00:00:00 2001 From: Wout Slakhorst Date: Fri, 1 Dec 2023 10:27:14 +0100 Subject: [PATCH 7/7] more e2e config fixes --- e2e-tests/nuts-network/gossip-overflow/node-B/nuts.yaml | 2 +- e2e-tests/nuts-network/gossip/node-A/nuts.yaml | 2 +- e2e-tests/nuts-network/gossip/node-B/nuts.yaml | 2 +- e2e-tests/storage/backup-restore/node-A/nuts.yaml | 2 +- e2e-tests/storage/redis/node-A/nuts.yaml | 2 +- e2e-tests/storage/redis/node-B/nuts.yaml | 2 +- e2e-tests/storage/vault/nuts.yaml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/e2e-tests/nuts-network/gossip-overflow/node-B/nuts.yaml b/e2e-tests/nuts-network/gossip-overflow/node-B/nuts.yaml index aa53375990..bff8eb9aec 100644 --- a/e2e-tests/nuts-network/gossip-overflow/node-B/nuts.yaml +++ b/e2e-tests/nuts-network/gossip-overflow/node-B/nuts.yaml @@ -1,3 +1,4 @@ +url: http://node-B verbosity: debug strictmode: false internalratelimiter: false 
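Review bot: In the test/node/server.go hunk, `t.Setenv("NUTS_URL", httpServerURL)` now feeds the test server address into the new root `url` property, which this series documents as required and HTTPS-only under strictmode; if `httpServerURL` is a plain `http://` address and StartServer does not explicitly disable strictmode (neither is visible in the hunk), the node will now refuse to start where `auth.publicurl` previously accepted it. Worth pinning that assumption next to the line: `// NUTS_URL replaces NUTS_AUTH_PUBLICURL; must be https when strictmode is enabled`. StartServer's signature appears in the hunk header but its body begins and ends outside the hunk.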
@@ -5,7 +6,6 @@ http: default: address: :1323 auth: - publicurl: http://node-B contractvalidators: - dummy irma: diff --git a/e2e-tests/nuts-network/gossip/node-A/nuts.yaml b/e2e-tests/nuts-network/gossip/node-A/nuts.yaml index f71e2b7324..8a9289d422 100644 --- a/e2e-tests/nuts-network/gossip/node-A/nuts.yaml +++ b/e2e-tests/nuts-network/gossip/node-A/nuts.yaml @@ -1,3 +1,4 @@ +url: http://node-A verbosity: debug strictmode: false internalratelimiter: false @@ -5,7 +6,6 @@ http: default: address: :1323 auth: - publicurl: http://node-A contractvalidators: - dummy irma: diff --git a/e2e-tests/nuts-network/gossip/node-B/nuts.yaml b/e2e-tests/nuts-network/gossip/node-B/nuts.yaml index c3e57b9bae..d52819919d 100644 --- a/e2e-tests/nuts-network/gossip/node-B/nuts.yaml +++ b/e2e-tests/nuts-network/gossip/node-B/nuts.yaml @@ -1,3 +1,4 @@ +url: http://node-B verbosity: debug strictmode: false internalratelimiter: false @@ -5,7 +6,6 @@ http: default: address: :1323 auth: - publicurl: http://node-B contractvalidators: - dummy irma: diff --git a/e2e-tests/storage/backup-restore/node-A/nuts.yaml b/e2e-tests/storage/backup-restore/node-A/nuts.yaml index 3a70a73fb1..63cc7348c8 100644 --- a/e2e-tests/storage/backup-restore/node-A/nuts.yaml +++ b/e2e-tests/storage/backup-restore/node-A/nuts.yaml @@ -1,8 +1,8 @@ +url: "http://nodeA" verbosity: debug strictmode: false internalratelimiter: false auth: - publicurl: "http://nodeA" contractvalidators: - dummy irma: diff --git a/e2e-tests/storage/redis/node-A/nuts.yaml b/e2e-tests/storage/redis/node-A/nuts.yaml index d850f441d0..2760a031fe 100644 --- a/e2e-tests/storage/redis/node-A/nuts.yaml +++ b/e2e-tests/storage/redis/node-A/nuts.yaml @@ -1,10 +1,10 @@ +url: https://node-A verbosity: debug internalratelimiter: false http: default: address: :1323 auth: - publicurl: https://node-A contractvalidators: - dummy irma: 
diff --git a/e2e-tests/storage/redis/node-B/nuts.yaml b/e2e-tests/storage/redis/node-B/nuts.yaml index e4da37fde3..f7697f251d 100644 --- a/e2e-tests/storage/redis/node-B/nuts.yaml +++ b/e2e-tests/storage/redis/node-B/nuts.yaml @@ -1,10 +1,10 @@ +url: https://node-B verbosity: debug internalratelimiter: false http: default: address: :1323 auth: - publicurl: https://node-B contractvalidators: - dummy irma: diff --git a/e2e-tests/storage/vault/nuts.yaml b/e2e-tests/storage/vault/nuts.yaml index 9574b1f38a..dcf3446e9e 100644 --- a/e2e-tests/storage/vault/nuts.yaml +++ b/e2e-tests/storage/vault/nuts.yaml @@ -1,10 +1,10 @@ +url: https://node-A verbosity: debug internalratelimiter: false http: default: address: :1323 auth: - publicurl: https://node-A contractvalidators: - dummy irma: