feat: [OIDC4VP] Request Attestation VC by Verifier

Signed-off-by: Mykhailo Sizov <[email protected]>
mishasizov-SK · Nov 21, 2023 · 43d6a03 · 43d6a03
1 parent 1f94a3e
commit 43d6a03
Show file tree

Hide file tree

Showing 25 changed files with 892 additions and 3 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -75,6 +75,7 @@ jobs:
           echo '127.0.0.1 cognito-mock.trustbloc.local' | sudo tee -a /etc/hosts
           echo '127.0.0.1 mock-login-consent.example.com' | sudo tee -a /etc/hosts
           echo '127.0.0.1 cognito-auth.local' | sudo tee -a /etc/hosts
+          echo '127.0.0.1 mock-trustregistry.trustbloc.local' | sudo tee -a /etc/hosts
           make bdd-test
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/Makefile b/Makefile
@@ -124,6 +124,15 @@ mock-login-consent-docker:
 	--build-arg GO_PROXY=$(GOPROXY) \
 	--build-arg GO_IMAGE=$(GO_IMAGE) test/bdd/loginconsent
 
+.PHONY: mock-trustregistry-docker
+mock-trustregistry-docker:
+	@echo "Building mock Trust Registry server"
+	@docker build -f ./images/mocks/trustregistry/Dockerfile --no-cache -t  vcs/mock-trustregistry:latest \
+	--build-arg GO_VER=$(GO_VER) \
+	--build-arg ALPINE_VER=$(GO_ALPINE_VER) \
+	--build-arg GO_PROXY=$(GOPROXY) \
+	--build-arg GO_IMAGE=$(GO_IMAGE) test/bdd/trustregistry
+
 .PHONY: sample-cognito-auth
 sample-cognito-auth:
 	@echo "Building sample cognito auth server"
@@ -142,7 +151,7 @@ sample-cognito-auth-docker:
 
 
 .PHONY: bdd-test
-bdd-test: clean vc-rest-docker sample-cognito-auth-docker sample-webhook-docker mock-login-consent-docker generate-test-keys build-krakend-plugin
+bdd-test: clean vc-rest-docker sample-cognito-auth-docker sample-webhook-docker mock-login-consent-docker mock-trustregistry-docker generate-test-keys build-krakend-plugin
 	@cd test/bdd && GOPROXY=$(GOPROXY) go test -count=1 -v -cover . -p 1 -timeout=10m -race
 
 .PHONY: unit-test

diff --git a/component/wallet-cli/cmd/oidc4vp_cmd.go b/component/wallet-cli/cmd/oidc4vp_cmd.go
@@ -34,6 +34,7 @@ type oidc4vpCommandFlags struct {
 	enableLinkedDomainVerification bool
 	enableTracing                  bool
 	disableDomainMatching          bool
+	trustRegistryURL               string
 }
 
 // NewOIDC4VPCommand returns a new command for running OIDC4VP flow.
@@ -142,6 +143,7 @@ func NewOIDC4VPCommand() *cobra.Command {
 
 			opts := []oidc4vp.Opt{
 				oidc4vp.WithRequestURI(requestURI),
+				oidc4vp.WithTrustRegistryURL(flags.trustRegistryURL),
 			}
 
 			if flags.walletDIDIndex != -1 {
@@ -182,6 +184,7 @@ func createFlags(cmd *cobra.Command, flags *oidc4vpCommandFlags) {
 	cmd.Flags().BoolVar(&flags.enableLinkedDomainVerification, "enable-linked-domain-verification", false, "enables linked domain verification")
 	cmd.Flags().BoolVar(&flags.disableDomainMatching, "disable-domain-matching", false, "disables domain matching for issuer and verifier when presenting credentials (only for did:web)")
 	cmd.Flags().IntVar(&flags.walletDIDIndex, "wallet-did-index", -1, "index of wallet did, if not set the most recently created DID is used")
+	cmd.Flags().StringVar(&flags.trustRegistryURL, "trust-registry-url", "", "Trust Registry URL. If supplied, Wallet will run Verifier verification against Trust Registry")
 
 	cmd.Flags().BoolVar(&flags.enableTracing, "enable-tracing", false, "enables http tracing")
 }

diff --git a/component/wallet-cli/pkg/oidc4vp/oidc4vp_flow.go b/component/wallet-cli/pkg/oidc4vp/oidc4vp_flow.go
@@ -39,6 +39,7 @@ import (
 	vcskms "github.com/trustbloc/vcs/pkg/kms"
 	kmssigner "github.com/trustbloc/vcs/pkg/kms/signer"
 	"github.com/trustbloc/vcs/pkg/observability/metrics/noop"
+	"github.com/trustbloc/vcs/pkg/service/trustregistry"
 )
 
 const (
@@ -61,6 +62,7 @@ type Flow struct {
 	requestURI                     string
 	enableLinkedDomainVerification bool
 	disableDomainMatching          bool
+	trustRegistryURL               string
 }
 
 type provider interface {
@@ -124,6 +126,7 @@ func NewFlow(p provider, opts ...Opt) (*Flow, error) {
 		requestURI:                     o.requestURI,
 		enableLinkedDomainVerification: o.enableLinkedDomainVerification,
 		disableDomainMatching:          o.disableDomainMatching,
+		trustRegistryURL:               o.trustRegistryURL,
 	}, nil
 }
 
@@ -144,6 +147,19 @@ func (f *Flow) Run(ctx context.Context) error {
 		return fmt.Errorf("query wallet: %w", err)
 	}
 
+	if trustRegistryURL := f.trustRegistryURL; trustRegistryURL != "" {
+		slog.Info("Run Trust Registry Verifier validation", "url", trustRegistryURL)
+
+		trustRegistry := trustregistry.New(&trustregistry.Config{
+			TrustRegistryURL: trustRegistryURL,
+			HTTPClient:       f.httpClient,
+		})
+
+		if err = trustRegistry.ValidateVerifier(requestObject.ClientID, credentials); err != nil {
+			return fmt.Errorf("trust registry verifier validation: %w", err)
+		}
+	}
+
 	if !f.disableDomainMatching {
 		for i := len(credentials) - 1; i >= 0; i-- {
 			credential := credentials[i]
@@ -655,6 +671,7 @@ type options struct {
 	requestURI                     string
 	enableLinkedDomainVerification bool
 	disableDomainMatching          bool
+	trustRegistryURL               string
 }
 
 type Opt func(opts *options)
@@ -683,6 +700,12 @@ func WithDomainMatchingDisabled() Opt {
 	}
 }
 
+func WithTrustRegistryURL(url string) Opt {
+	return func(opts *options) {
+		opts.trustRegistryURL = url
+	}
+}
+
 // ExtractCustomScopeClaims returns Claims associated with custom scope.
 func ExtractCustomScopeClaims(requestObjectScope string) (map[string]Claims, error) {
 	chunks := strings.Split(requestObjectScope, "+")

diff --git a/component/wallet-cli/pkg/walletrunner/vcprovider/provider.go b/component/wallet-cli/pkg/walletrunner/vcprovider/provider.go
@@ -27,6 +27,7 @@ type Config struct {
 	UniResolverURL       string
 	ContextProviderURL   string
 	OidcProviderURL      string
+	TrustRegistryURL     string
 	IssueVCURL           string
 	DidDomain            string
 	DidServiceAuthToken  string

diff --git a/component/wallet-cli/pkg/walletrunner/wallet_runner_oidc4vp.go b/component/wallet-cli/pkg/walletrunner/wallet_runner_oidc4vp.go
@@ -42,6 +42,7 @@ import (
 	vcskms "github.com/trustbloc/vcs/pkg/kms"
 	"github.com/trustbloc/vcs/pkg/kms/signer"
 	"github.com/trustbloc/vcs/pkg/observability/metrics/noop"
+	"github.com/trustbloc/vcs/pkg/service/trustregistry"
 )
 
 type RPConfigOverride func(rpc *RPConfig)
@@ -121,6 +122,22 @@ func (s *Service) RunOIDC4VPFlow(ctx context.Context, authorizationRequest strin
 		s.wallet.Close()
 	}
 
+	// Run Trust Registry verification only if TrustRegistryURL supplied
+	if trustRegistryURL := s.vcProviderConf.TrustRegistryURL; trustRegistryURL != "" {
+		log.Println("Run Trust Registry Verifier validation")
+
+		trustRegistry := trustregistry.New(&trustregistry.Config{
+			TrustRegistryURL: trustRegistryURL,
+			HTTPClient:       s.httpClient,
+		})
+
+		credentials := s.vpFlowExecutor.requestPresentation[0].Credentials()
+
+		if err = trustRegistry.ValidateVerifier(s.vpFlowExecutor.requestObject.ClientID, credentials); err != nil {
+			return fmt.Errorf("trust registry verifier validation: %w", err)
+		}
+	}
+
 	var createAuthorizedResponseHooks []RPConfigOverride
 	if hooks != nil {
 		createAuthorizedResponseHooks = hooks.CreateAuthorizedResponse

diff --git a/docs/build.md b/docs/build.md
@@ -43,3 +43,4 @@ To run BDD tests (`make bdd-test`) you need to modify your hosts file (`/etc/hos
     127.0.0.1 cognito-mock.trustbloc.local
     127.0.0.1 mock-login-consent.example.com
     127.0.0.1 cognito-auth.local
+    127.0.0.1 mock-trustregistry.trustbloc.local
diff --git a/images/mocks/trustregistry/Dockerfile b/images/mocks/trustregistry/Dockerfile
@@ -0,0 +1,29 @@
+#
+# Copyright Avast Software. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+ARG GO_VER
+ARG GO_IMAGE
+ARG ALPINE_VER
+
+FROM ${GO_IMAGE}:${GO_VER}-alpine${ALPINE_VER} as builder
+
+RUN apk update && apk add git && apk add ca-certificates
+RUN adduser -D -g '' appuser
+COPY . $GOPATH/src/github.com/trustbloc/vcs/test/bdd/trustregistry/
+WORKDIR $GOPATH/src/github.com/trustbloc/vcs/test/bdd/trustregistry/
+ARG GO_PROXY
+RUN GOPROXY=${GO_PROXY} CGO_ENABLED=0 go build -o /usr/bin/mock-trustregistry
+
+FROM scratch
+
+LABEL org.opencontainers.image.source https://github.com/trustbloc/vcs/test/bdd/trustregistry
+
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /usr/bin/mock-trustregistry /usr/bin/mock-trustregistry
+USER appuser
+
+ENTRYPOINT ["/usr/bin/mock-trustregistry"]
diff --git a/pkg/service/trustregistry/models.go b/pkg/service/trustregistry/models.go
@@ -0,0 +1,30 @@
+/*
+Copyright Gen Digital Inc. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package trustregistry
+
+type VerifierValidationConfig struct {
+	VerifierDID string                `json:"verifier_did"`
+	Metadata    []*CredentialMetadata `json:"metadata"`
+}
+
+type PresentationValidationConfig struct {
+	PolicyID      string                `json:"policy_id"`
+	AttestationVC interface{}           `json:"attestation_vc"`
+	Metadata      []*CredentialMetadata `json:"metadata"`
+}
+
+type CredentialMetadata struct {
+	CredentialID string   `json:"credential_id"`
+	Types        []string `json:"types"`
+	Issuer       string   `json:"issuer"`
+	Issued       string   `json:"issued"`
+	Expired      string   `json:"expired"`
+}
+
+type Response struct {
+	Allowed bool `json:"allowed"`
+}
diff --git a/pkg/service/trustregistry/service.go b/pkg/service/trustregistry/service.go
@@ -0,0 +1,158 @@
+/*
+Copyright Gen Digital Inc. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package trustregistry
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/samber/lo"
+
+	"github.com/trustbloc/logutil-go/pkg/log"
+	"github.com/trustbloc/vc-go/verifiable"
+)
+
+var (
+	ErrInteractionRestricted = errors.New("interaction restricted")
+	logger                   = log.New("trustregistry")
+)
+
+const (
+	walletAttestationVCType = "WalletAttestationCredential"
+)
+
+type Service struct {
+	url        string
+	httpClient *http.Client
+}
+
+type Config struct {
+	TrustRegistryURL string
+	HTTPClient       *http.Client
+}
+
+func New(conf *Config) *Service {
+	return &Service{
+		url:        conf.TrustRegistryURL,
+		httpClient: conf.HTTPClient,
+	}
+}
+
+func (s *Service) ValidateVerifier(verifierDID string, presentationCredentials []*verifiable.Credential) error {
+	logger.Debug("ValidateVerifier begin")
+	verifierValidationConfig := &VerifierValidationConfig{
+		VerifierDID: verifierDID,
+		Metadata:    make([]*CredentialMetadata, len(presentationCredentials)),
+	}
+
+	for i, credential := range presentationCredentials {
+		content := credential.Contents()
+
+		verifierValidationConfig.Metadata[i] = s.getCredentialMetadata(content)
+	}
+
+	req, err := json.Marshal(verifierValidationConfig)
+	if err != nil {
+		return fmt.Errorf("encode verifier config: %w", err)
+	}
+
+	responseDecoded, err := s.doRequest(req)
+	if err != nil {
+		return err
+	}
+
+	if !responseDecoded.Allowed {
+		return ErrInteractionRestricted
+	}
+
+	logger.Debug("ValidateVerifier succeed")
+
+	return nil
+}
+
+func (s *Service) ValidatePresentation(policyID string, presentationCredentials []*verifiable.Credential) error {
+	logger.Debug("ValidatePresentation begin")
+
+	presentationValidationConfig := &PresentationValidationConfig{
+		PolicyID: policyID,
+		Metadata: make([]*CredentialMetadata, len(presentationCredentials)),
+	}
+
+	for i, credential := range presentationCredentials {
+		content := credential.Contents()
+
+		if lo.Contains(content.Types, walletAttestationVCType) {
+			attestationVC, err := credential.ToUniversalForm()
+			if err == nil {
+				presentationValidationConfig.AttestationVC = attestationVC
+			}
+		}
+
+		presentationValidationConfig.Metadata[i] = s.getCredentialMetadata(content)
+	}
+
+	req, err := json.Marshal(presentationValidationConfig)
+	if err != nil {
+		return fmt.Errorf("encode presentation config: %w", err)
+	}
+
+	responseDecoded, err := s.doRequest(req)
+	if err != nil {
+		return err
+	}
+
+	if !responseDecoded.Allowed {
+		return ErrInteractionRestricted
+	}
+
+	logger.Debug("ValidatePresentation succeed")
+
+	return nil
+}
+
+func (s *Service) doRequest(req []byte) (*Response, error) {
+	resp, err := s.httpClient.Post(s.url, "application/json", bytes.NewReader(req)) //nolint:noctx
+	if err != nil {
+		return nil, fmt.Errorf("send request: %w", err)
+	}
+
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("unexpected status code: %d", resp.StatusCode)
+	}
+
+	var responseDecoded *Response
+	err = json.NewDecoder(resp.Body).Decode(&responseDecoded)
+	if err != nil {
+		return nil, fmt.Errorf("read response: %w", err)
+	}
+
+	return responseDecoded, nil
+}
+
+func (s *Service) getCredentialMetadata(content verifiable.CredentialContents) *CredentialMetadata {
+	var iss, exp string
+	if content.Issued != nil {
+		iss = content.Issued.FormatToString()
+	}
+
+	if content.Expired != nil {
+		exp = content.Expired.FormatToString()
+	}
+
+	return &CredentialMetadata{
+		CredentialID: content.ID,
+		Types:        content.Types,
+		Issuer:       content.Issuer.ID,
+		Issued:       iss,
+		Expired:      exp,
+	}
+}