VDR: Remove specific KeyResolver funcs in favor of generic ResolveKey (
reinkrul authored Jul 25, 2023
1 parent ff62235 commit 94b40d3
Showing 35 changed files with 413 additions and 668 deletions.
4 changes: 2 additions & 2 deletions auth/services/notary/notary.go
Expand Up @@ -107,14 +107,14 @@ func NewNotary(config Config, vcr vcr.VCR, keyResolver types.KeyResolver, keySto
// If the duration is 0 than the default duration is used.
func (n *notary) DrawUpContract(ctx context.Context, template contract.Template, orgID did.DID, validFrom time.Time, validDuration time.Duration, organizationCredential *vc.VerifiableCredential) (*contract.Contract, error) {
// Test if the org in managed by this node:
signingKeyID, err := n.keyResolver.ResolveSigningKeyID(orgID, &validFrom)
signingKeyID, _, err := n.keyResolver.ResolveKey(orgID, &validFrom, types.NutsSigningKeyType)
if errors.Is(err, types.ErrNotFound) {
return nil, services.InvalidContractRequestError{Message: "no valid organization credential at provided validFrom date"}
} else if err != nil {
return nil, fmt.Errorf("could not draw up contract: %w", err)
}

if !n.privateKeyStore.Exists(ctx, signingKeyID) {
if !n.privateKeyStore.Exists(ctx, signingKeyID.String()) {
return nil, services.InvalidContractRequestError{Message: fmt.Errorf("organization is not managed by this node: %w", ErrMissingOrganizationKey)}
}
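Review bot: The rewritten call `signingKeyID, _, err := n.keyResolver.ResolveKey(orgID, &validFrom, types.NutsSigningKeyType)` forwards validFrom unchanged, and the updated case "no given time uses time.Now()" in notary_test.go now expects `&time.Time{}` to reach the resolver, so a zero validFrom is not replaced by the current time before key resolution. Unless ResolveKey itself treats a zero time.Time as "now" (not visible here), that default path resolves the signing key at the zero instant and ends up in the ErrNotFound branch. Either normalize first with `if validFrom.IsZero() { validFrom = time.Now() }` placed above the call, or document the zero-time contract on KeyResolver.ResolveKey. The ErrNotFound message `no valid organization credential at provided validFrom date` also now describes a key-resolution failure rather than a credential lookup; consider wording it around the missing signing key. DrawUpContract's body continues below the hunk.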

26 changes: 13 additions & 13 deletions auth/services/notary/notary_test.go
Expand Up @@ -54,7 +54,7 @@ func TestContract_DrawUpContract(t *testing.T) {
duration := 10 * time.Minute

// Create DID document for org
keyID := orgID
keyID := orgID.URI()
keyID.Fragment = "key-1"

searchTerms := []vcr.SearchTerm{
Expand All @@ -69,7 +69,7 @@ func TestContract_DrawUpContract(t *testing.T) {
t.Run("draw up valid contract", func(t *testing.T) {
test := buildContext(t)

test.keyResolver.EXPECT().ResolveSigningKeyID(orgID, gomock.Any()).Return(keyID.String(), nil)
test.keyResolver.EXPECT().ResolveKey(orgID, &validFrom, types.NutsSigningKeyType).Return(keyID, nil, nil)
test.keyStore.EXPECT().Exists(ctx, keyID.String()).Return(true)
test.vcr.EXPECT().Search(context.Background(), searchTerms, false, nil).Return([]vc.VerifiableCredential{testCredential}, nil)

Expand All @@ -84,7 +84,7 @@ func TestContract_DrawUpContract(t *testing.T) {
test := buildContext(t)
defer test.ctrl.Finish()

test.keyResolver.EXPECT().ResolveSigningKeyID(orgID, gomock.Any()).Return(keyID.String(), nil)
test.keyResolver.EXPECT().ResolveKey(orgID, gomock.Any(), types.NutsSigningKeyType).Return(keyID, nil, nil)
test.keyStore.EXPECT().Exists(ctx, keyID.String()).Return(true)

drawnUpContract, err := test.notary.DrawUpContract(ctx, template, orgID, validFrom, duration, &testCredential)
Expand All @@ -97,7 +97,7 @@ func TestContract_DrawUpContract(t *testing.T) {
t.Run("no given duration uses default", func(t *testing.T) {
test := buildContext(t)

test.keyResolver.EXPECT().ResolveSigningKeyID(orgID, gomock.Any()).Return(keyID.String(), nil)
test.keyResolver.EXPECT().ResolveKey(orgID, &validFrom, gomock.Any()).Return(keyID, nil, nil)
test.keyStore.EXPECT().Exists(ctx, keyID.String()).Return(true)
test.vcr.EXPECT().Search(context.Background(), searchTerms, false, nil).Return([]vc.VerifiableCredential{testCredential}, nil)

Expand All @@ -111,7 +111,7 @@ func TestContract_DrawUpContract(t *testing.T) {
t.Run("no given time uses time.Now()", func(t *testing.T) {
test := buildContext(t)

test.keyResolver.EXPECT().ResolveSigningKeyID(orgID, gomock.Any()).Return(keyID.String(), nil)
test.keyResolver.EXPECT().ResolveKey(orgID, &time.Time{}, gomock.Any()).Return(keyID, nil, nil)
test.keyStore.EXPECT().Exists(ctx, keyID.String()).Return(true)
test.vcr.EXPECT().Search(context.Background(), searchTerms, false, nil).Return([]vc.VerifiableCredential{testCredential}, nil)

Expand All @@ -129,7 +129,7 @@ func TestContract_DrawUpContract(t *testing.T) {
t.Run("nok - unknown organization", func(t *testing.T) {
test := buildContext(t)

test.keyResolver.EXPECT().ResolveSigningKeyID(orgID, gomock.Any()).Return("", types.ErrNotFound)
test.keyResolver.EXPECT().ResolveKey(orgID, &validFrom, gomock.Any()).Return(ssi.URI{}, nil, types.ErrNotFound)

drawnUpContract, err := test.notary.DrawUpContract(ctx, template, orgID, validFrom, duration, nil)

Expand All @@ -140,7 +140,7 @@ func TestContract_DrawUpContract(t *testing.T) {
t.Run("nok - unknown private key", func(t *testing.T) {
test := buildContext(t)

test.keyResolver.EXPECT().ResolveSigningKeyID(orgID, gomock.Any()).Return(keyID.String(), nil)
test.keyResolver.EXPECT().ResolveKey(orgID, &validFrom, gomock.Any()).Return(keyID, nil, nil)
test.keyStore.EXPECT().Exists(ctx, keyID.String()).Return(false)

drawnUpContract, err := test.notary.DrawUpContract(ctx, template, orgID, validFrom, duration, nil)
Expand All @@ -152,7 +152,7 @@ func TestContract_DrawUpContract(t *testing.T) {
t.Run("nok - other DID resolver error", func(t *testing.T) {
test := buildContext(t)

test.keyResolver.EXPECT().ResolveSigningKeyID(orgID, gomock.Any()).Return("", errors.New("error occurred"))
test.keyResolver.EXPECT().ResolveKey(orgID, &validFrom, gomock.Any()).Return(ssi.URI{}, nil, errors.New("error occurred"))

drawnUpContract, err := test.notary.DrawUpContract(ctx, template, orgID, validFrom, duration, nil)

Expand All @@ -163,7 +163,7 @@ func TestContract_DrawUpContract(t *testing.T) {
t.Run("nok - could not find credential", func(t *testing.T) {
test := buildContext(t)

test.keyResolver.EXPECT().ResolveSigningKeyID(orgID, gomock.Any()).Return(keyID.String(), nil)
test.keyResolver.EXPECT().ResolveKey(orgID, &validFrom, gomock.Any()).Return(keyID, nil, nil)
test.keyStore.EXPECT().Exists(ctx, keyID.String()).Return(true)
test.vcr.EXPECT().Search(context.Background(), searchTerms, false, nil).Return(nil, errors.New("error occurred"))

Expand All @@ -176,7 +176,7 @@ func TestContract_DrawUpContract(t *testing.T) {
t.Run("nok - render error", func(t *testing.T) {
test := buildContext(t)

test.keyResolver.EXPECT().ResolveSigningKeyID(orgID, gomock.Any()).Return(keyID.String(), nil)
test.keyResolver.EXPECT().ResolveKey(orgID, &validFrom, gomock.Any()).Return(keyID, nil, nil)
test.keyStore.EXPECT().Exists(ctx, keyID.String()).Return(true)
test.vcr.EXPECT().Search(context.Background(), searchTerms, false, nil).Return([]vc.VerifiableCredential{testCredential}, nil)

Expand All @@ -193,7 +193,7 @@ func TestContract_DrawUpContract(t *testing.T) {
t.Run("ok - multiple (matching) VCs", func(t *testing.T) {
test := buildContext(t)

test.keyResolver.EXPECT().ResolveSigningKeyID(orgID, gomock.Any()).Return(keyID.String(), nil)
test.keyResolver.EXPECT().ResolveKey(orgID, &validFrom, gomock.Any()).Return(keyID, nil, nil)
test.keyStore.EXPECT().Exists(ctx, keyID.String()).Return(true)
test.vcr.EXPECT().Search(context.Background(), searchTerms, false, nil).Return([]vc.VerifiableCredential{testCredential, testCredential}, nil)

Expand All @@ -210,7 +210,7 @@ func TestContract_DrawUpContract(t *testing.T) {
testCredential2 := vc.VerifiableCredential{}
_ = json.Unmarshal([]byte(jsonld.TestCredential), &testCredential2)

test.keyResolver.EXPECT().ResolveSigningKeyID(orgID, gomock.Any()).Return(keyID.String(), nil)
test.keyResolver.EXPECT().ResolveKey(orgID, &validFrom, gomock.Any()).Return(keyID, nil, nil)
test.keyStore.EXPECT().Exists(ctx, keyID.String()).Return(true)
test.vcr.EXPECT().Search(context.Background(), searchTerms, false, nil).Return([]vc.VerifiableCredential{testCredential, testCredential2}, nil)

Expand All @@ -223,7 +223,7 @@ func TestContract_DrawUpContract(t *testing.T) {
t.Run("nok - given VC does not contain organization name", func(t *testing.T) {
test := buildContext(t)

test.keyResolver.EXPECT().ResolveSigningKeyID(orgID, gomock.Any()).Return(keyID.String(), nil)
test.keyResolver.EXPECT().ResolveKey(orgID, &validFrom, gomock.Any()).Return(keyID, nil, nil)
test.keyStore.EXPECT().Exists(ctx, keyID.String()).Return(true)

drawnUpContract, err := test.notary.DrawUpContract(ctx, template, orgID, validFrom, duration, &vc.VerifiableCredential{})
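Review bot: The key-type argument of the new ResolveKey expectations is matched inconsistently: the first two cases pin `types.NutsSigningKeyType`, while every later case in this file uses `gomock.Any()` for it (and the case at -84,7 uses gomock.Any() for the time instead). The key purpose is the part of the new API that decides which key is looked up, so an expectation accepting any key type would not catch a call site accidentally resolving a different key type; pinning it everywhere, e.g. `test.keyResolver.EXPECT().ResolveKey(orgID, &validFrom, types.NutsSigningKeyType).Return(keyID, nil, nil)`, keeps the mocks as strict as the old single-purpose ResolveSigningKeyID expectations implicitly were. The case "no given time uses time.Now()" expects `&time.Time{}` at the resolver, which documents that DrawUpContract forwards a zero validFrom as-is; a comment on that expectation such as `// zero validFrom reaches the resolver untouched; presumably it treats it as "now"` would keep the test name from reading as if time.Now() were substituted before key resolution.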
14 changes: 7 additions & 7 deletions auth/services/oauth/authz_server.go
Expand Up @@ -370,7 +370,7 @@ func (s *authzServer) validateIssuer(vContext *validationContext) error {
}

validationTime := vContext.jwtBearerToken.IssuedAt()
if _, err := s.keyResolver.ResolveSigningKey(vContext.kid, &validationTime); err != nil {
if _, err := s.keyResolver.ResolveKeyByID(vContext.kid, &validationTime, types.NutsSigningKeyType); err != nil {
return fmt.Errorf(errInvalidIssuerKeyFmt, err)
}

Expand Down Expand Up @@ -422,11 +422,11 @@ func (s *authzServer) validateSubject(ctx context.Context, validationCtx *valida
validationCtx.authorizer = subject

iat := validationCtx.jwtBearerToken.IssuedAt()
signingKeyID, err := s.keyResolver.ResolveSigningKeyID(*subject, &iat)
signingKeyID, _, err := s.keyResolver.ResolveKey(*subject, &iat, types.NutsSigningKeyType)
if err != nil {
return err
}
if !s.privateKeyStore.Exists(ctx, signingKeyID) {
if !s.privateKeyStore.Exists(ctx, signingKeyID.String()) {
return fmt.Errorf("subject.vendor: %s is not managed by this node", subject)
}

Expand Down Expand Up @@ -494,7 +494,7 @@ func (s *authzServer) parseAndValidateJwtBearerToken(context *validationContext)
var kidHdr string
token, err := nutsCrypto.ParseJWT(context.rawJwtBearerToken, func(kid string) (crypto.PublicKey, error) {
kidHdr = kid
return s.keyResolver.ResolveSigningKey(kid, nil)
return s.keyResolver.ResolveKeyByID(kid, nil, types.NutsSigningKeyType)
}, jwt.WithAcceptableSkew(s.clockSkew))
if err != nil {
return err
Expand All @@ -512,7 +512,7 @@ func (s *authzServer) IntrospectAccessToken(ctx context.Context, accessToken str
if !s.privateKeyStore.Exists(ctx, kid) {
return nil, fmt.Errorf("JWT signing key not present on this node (kid=%s)", kid)
}
return s.keyResolver.ResolveSigningKey(kid, nil)
return s.keyResolver.ResolveKeyByID(kid, nil, types.NutsSigningKeyType)
}, jwt.WithAcceptableSkew(s.clockSkew))
if err != nil {
return nil, err
Expand Down Expand Up @@ -573,11 +573,11 @@ func (s *authzServer) buildAccessToken(ctx context.Context, requester did.DID, a
}

// Sign with the private key of the issuer
signingKeyID, err := s.keyResolver.ResolveSigningKeyID(authorizer, &issueTime)
signingKeyID, _, err := s.keyResolver.ResolveKey(authorizer, &issueTime, types.NutsSigningKeyType)
if err != nil {
return "", accessToken, err
}
token, err := s.privateKeyStore.SignJWT(ctx, keyVals, nil, signingKeyID)
token, err := s.privateKeyStore.SignJWT(ctx, keyVals, nil, signingKeyID.String())
if err != nil {
return token, accessToken, fmt.Errorf("could not build accessToken: %w", err)
}
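Review bot: The validity-time argument differs between the new call sites without a comment saying why: validateIssuer and validateSubject resolve at the token's IssuedAt, while parseAndValidateJwtBearerToken and IntrospectAccessToken pass `nil` to ResolveKeyByID. Presumably nil means "as currently published", which makes signature verification and introspection reject a token whose signing key has since been rotated out of the DID document — a sensible policy, but a deliberate one that should be recorded at those two sites, e.g. `// nil validity time: verify against the key as currently published, so a rotated key fails even if it was valid at issuance`. In buildAccessToken the resolved public key is discarded (`signingKeyID, _, err := s.keyResolver.ResolveKey(authorizer, &issueTime, types.NutsSigningKeyType)`); a short comment noting that only the key ID is needed because SignJWT looks the private key up by ID would explain the blank identifier. Both validateIssuer and validateSubject start above their hunks.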