From fd2b4c530db977ddd49f7defe37a5576567d96d1 Mon Sep 17 00:00:00 2001
From: Rein Krul
Date: Tue, 19 Nov 2024 14:03:58 +0100
Subject: [PATCH 1/3] Support did:x509 in Authorization Server metadata, allowing credentials to be issued issued from it
---
 auth/auth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth/auth.go b/auth/auth.go
index 0c934d098..6ba2376bc 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -179,7 +179,7 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
 }
 func (auth *Auth) SupportedDIDMethods() []string {
- return auth.supportedDIDMethods
+ return append(auth.supportedDIDMethods, "x509")
 }
 // Start starts the Auth engine (Noop)
From 1198e7353c3689568b7704c3bfba5c0d203bf6eb Mon Sep 17 00:00:00 2001
From: Rein Krul
Date: Tue, 19 Nov 2024 18:03:30 +0100
Subject: [PATCH 2/3] Always support did:jwk, web, x509 and key when verifying VCs
---
 auth/auth.go | 52 ++++++++++++++++++++++++++++++-----------------
 auth/auth_test.go | 19 +++++++++++++++++
 auth/interface.go | 2 +-
 3 files changed, 53 insertions(+), 20 deletions(-)
diff --git a/auth/auth.go b/auth/auth.go
index 6ba2376bc..65b9ee795 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -23,10 +23,16 @@ import (
 "errors"
 "github.com/nuts-foundation/nuts-node/auth/client/iam"
 "github.com/nuts-foundation/nuts-node/vdr"
+ "github.com/nuts-foundation/nuts-node/vdr/didjwk"
+ "github.com/nuts-foundation/nuts-node/vdr/didkey"
+ "github.com/nuts-foundation/nuts-node/vdr/didnuts"
 "github.com/nuts-foundation/nuts-node/vdr/didsubject"
+ "github.com/nuts-foundation/nuts-node/vdr/didweb"
+ "github.com/nuts-foundation/nuts-node/vdr/didx509"
 "github.com/nuts-foundation/nuts-node/vdr/resolver"
 "net/url"
 "path"
+ "slices"
 "time"
 "github.com/nuts-foundation/nuts-node/auth/services"
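Review bot: `return append(auth.supportedDIDMethods, "x509")` in the patch 1/3 hunk appends into whatever spare capacity the stored slice has, so the returned slice can alias auth.supportedDIDMethods and a caller that modifies the result (or two callers invoking this at the same time) could alter the engine's own state. Building a fresh slice avoids that, e.g. `return append(append([]string{}, auth.supportedDIDMethods...), "x509")`. Patch 2/3 replaces this body with a newly built slice anyway, so the intermediate state could also be squashed out of the series. SupportedDIDMethods is fully contained in the hunk.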
@@ -46,23 +52,25 @@ var _ AuthenticationServices = (*Auth)(nil)
 // Auth is the main struct of the Auth service
 type Auth struct {
- config Config
- jsonldManager jsonld.JSONLD
- authzServer oauth.AuthorizationServer
- relyingParty oauth.RelyingParty
- contractNotary services.ContractNotary
- serviceResolver didman.CompoundServiceResolver
- keyStore crypto.KeyStore
- vcr vcr.VCR
- pkiProvider pki.Provider
- shutdownFunc func()
- vdrInstance vdr.VDR
- publicURL *url.URL
- strictMode bool
- httpClientTimeout time.Duration
- tlsConfig *tls.Config
- subjectManager didsubject.Manager
- supportedDIDMethods []string
+ config Config
+ jsonldManager jsonld.JSONLD
+ authzServer oauth.AuthorizationServer
+ relyingParty oauth.RelyingParty
+ contractNotary services.ContractNotary
+ serviceResolver didman.CompoundServiceResolver
+ keyStore crypto.KeyStore
+ vcr vcr.VCR
+ pkiProvider pki.Provider
+ shutdownFunc func()
+ vdrInstance vdr.VDR
+ publicURL *url.URL
+ strictMode bool
+ httpClientTimeout time.Duration
+ tlsConfig *tls.Config
+ subjectManager didsubject.Manager
+ // configuredDIDMethods contains the DID methods that are configured in the Nuts node,
+ // of which VDR will create DIDs.
+ configuredDIDMethods []string
 }
 // Name returns the name of the module.
@@ -137,7 +145,7 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
 return err
 }
- auth.supportedDIDMethods = config.DIDMethods
+ auth.configuredDIDMethods = config.DIDMethods
 auth.contractNotary = notary.NewNotary(notary.Config{
 PublicURL: auth.publicURL.String(),
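Review bot: The new field comment on configuredDIDMethods reads awkwardly (`of which VDR will create DIDs`); `// configuredDIDMethods holds the DID methods enabled in the node configuration, i.e. the methods VDR creates DIDs for.` says the same thing more directly. In the Configure hunk further down, `auth.configuredDIDMethods = config.DIDMethods` keeps a reference to the config's backing array, so a later change to config.DIDMethods by whoever owns the config would show up inside the Auth engine; `auth.configuredDIDMethods = slices.Clone(config.DIDMethods)` decouples the two and `slices` is already imported by this patch. The Auth struct is shown in full, but Configure begins and continues outside its hunk.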
@@ -179,7 +187,13 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
 }
 func (auth *Auth) SupportedDIDMethods() []string {
- return append(auth.supportedDIDMethods, "x509")
+ // DID methods that don't require additional resources/configuration in the Nuts node are always supported.
+ // Other DID methods (did:nuts), are only supported if explicitly enabled.
+ result := []string{didweb.MethodName, didjwk.MethodName, didkey.MethodName, didx509.MethodName}
+ if slices.Contains(auth.configuredDIDMethods, didnuts.MethodName) {
+ result = append(result, didnuts.MethodName)
+ }
+ return result
 }
 // Start starts the Auth engine (Noop)
diff --git a/auth/auth_test.go b/auth/auth_test.go
index 76fca6f8d..b80b126ff 100644
--- a/auth/auth_test.go
+++ b/auth/auth_test.go
@@ -125,3 +125,22 @@ func TestAuth_IAMClient(t *testing.T) {
 })
 }
+
+func TestAuth_SupportedDIDMethods(t *testing.T) {
+ t.Run("supports did:web", func(t *testing.T) {
+ assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "web")
+ })
+ t.Run("supports did:key", func(t *testing.T) {
+ assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "key")
+ })
+ t.Run("supports did:x509", func(t *testing.T) {
+ assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "x509")
+ })
+ t.Run("supports did:jwk", func(t *testing.T) {
+ assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "jwk")
+ })
+ t.Run("supports did:nuts if configured", func(t *testing.T) {
+ assert.NotContains(t, (&Auth{}).SupportedDIDMethods(), "nuts")
+ assert.Contains(t, (&Auth{configuredDIDMethods: []string{"nuts"}}).SupportedDIDMethods(), "nuts")
+ })
+}
diff --git a/auth/interface.go b/auth/interface.go
index bae296c0d..6a0cd7eec 100644
--- a/auth/interface.go
+++ b/auth/interface.go
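Review bot: SupportedDIDMethods is exported but still has no doc comment; the explanatory text sits inside the body where godoc does not surface it. Moving the gist above the signature, e.g. `// SupportedDIDMethods lists the DID methods this node can resolve: methods that need no extra configuration are always included, the others only when enabled in the node config.`, documents the contract callers see through the AuthenticationServices interface. Separately, did:x509 is now advertised unconditionally, and the hunk does not show which trust anchors the did:x509 resolver validates a presented certificate chain against; it is worth confirming that advertising the method does not widen what the node accepts beyond its configured PKI (the Auth struct already carries a pkiProvider). The method is fully contained in the hunk.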
@@ -42,6 +42,6 @@ type AuthenticationServices interface {
 PublicURL() *url.URL
 // AuthorizationEndpointEnabled returns whether the v2 API's OAuth2 Authorization Endpoint is enabled.
 AuthorizationEndpointEnabled() bool
- // SupportedDIDMethods list the DID methods configured for the nuts node in preferred order.
+ // SupportedDIDMethods lists the DID methods the Nuts node can resolve.
 SupportedDIDMethods() []string
 }
From e1de68cc896d5cba355f35a30a2d6c64fd00fbd1 Mon Sep 17 00:00:00 2001
From: Rein Krul
Date: Wed, 20 Nov 2024 10:30:49 +0100
Subject: [PATCH 3/3] PR feedback
---
 auth/auth.go | 5 ++++-
 auth/auth_test.go | 7 ++++---
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/auth/auth.go b/auth/auth.go
index 65b9ee795..5b87a310a 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -189,10 +189,13 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
 func (auth *Auth) SupportedDIDMethods() []string {
 // DID methods that don't require additional resources/configuration in the Nuts node are always supported.
 // Other DID methods (did:nuts), are only supported if explicitly enabled.
- result := []string{didweb.MethodName, didjwk.MethodName, didkey.MethodName, didx509.MethodName}
+ result := []string{didjwk.MethodName, didkey.MethodName, didx509.MethodName}
 if slices.Contains(auth.configuredDIDMethods, didnuts.MethodName) {
 result = append(result, didnuts.MethodName)
 }
+ if slices.Contains(auth.configuredDIDMethods, didweb.MethodName) {
+ result = append(result, didweb.MethodName)
+ }
 return result
 }
diff --git a/auth/auth_test.go b/auth/auth_test.go
index b80b126ff..968ea61ef 100644
--- a/auth/auth_test.go
+++ b/auth/auth_test.go
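Review bot: The reworded interface comment silently drops the old guarantee that the list comes back `in preferred order`; with the new implementation the order is fixed by the code rather than by the configuration, so a caller that took the first entry as the preferred method for creating DIDs would now get a different answer. If that guarantee is intentionally gone, say so, e.g. `// SupportedDIDMethods lists the DID methods the Nuts node can resolve; the order is not significant.`, and if callers still rely on it, the implementation should derive the order from configuredDIDMethods. Whether any caller depends on the order is not visible from this hunk, so this is a point to check rather than a confirmed break.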
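Review bot: The body comment in the patch 3/3 hunk is now stale: it says only did:nuts must be enabled explicitly, while the hunk makes did:web conditional as well; `// Other DID methods (did:nuts, did:web) are only supported if explicitly enabled.` keeps it accurate. The two separate Contains checks also pin the relative order of the conditional methods (nuts before web) regardless of how they were configured, and each further conditional method means another copy of the check; a single pass over auth.configuredDIDMethods keeps the configured order and gives one place to extend. The method is fully contained in the hunk.
```go
result := []string{didjwk.MethodName, didkey.MethodName, didx509.MethodName}
// Methods that need node-side configuration are reported in the order they were configured.
for _, method := range auth.configuredDIDMethods {
	switch method {
	case didnuts.MethodName, didweb.MethodName:
		result = append(result, method)
	}
}
return result
```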
@@ -127,9 +127,6 @@ func TestAuth_IAMClient(t *testing.T) {
 }
 func TestAuth_SupportedDIDMethods(t *testing.T) {
- t.Run("supports did:web", func(t *testing.T) {
- assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "web")
- })
 t.Run("supports did:key", func(t *testing.T) {
 assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "key")
 })
@@ -143,4 +140,8 @@ func TestAuth_SupportedDIDMethods(t *testing.T) {
 assert.NotContains(t, (&Auth{}).SupportedDIDMethods(), "nuts")
 assert.Contains(t, (&Auth{configuredDIDMethods: []string{"nuts"}}).SupportedDIDMethods(), "nuts")
 })
+ t.Run("supports did:web if configured", func(t *testing.T) {
+ assert.NotContains(t, (&Auth{}).SupportedDIDMethods(), "web")
+ assert.Contains(t, (&Auth{configuredDIDMethods: []string{"web"}}).SupportedDIDMethods(), "web")
+ })
 }