feat: profile specific transient data configuration.

Signed-off-by: Mykhailo Sizov <[email protected]>
mishasizov-SK · Apr 4, 2024 · b7f44f8 · b7f44f8
1 parent 2f4a18a
commit b7f44f8
Show file tree

Hide file tree

Showing 50 changed files with 896 additions and 520 deletions.
diff --git a/api/spec/openapi.gen.go b/api/spec/openapi.gen.go
diff --git a/cmd/vc-rest/startcmd/params.go b/cmd/vc-rest/startcmd/params.go
@@ -238,6 +238,7 @@ const (
 		"OIDC4CI issuance auth state store " + "(TTL configurable via " + oidc4ciAuthStateTTLEnvKey + "), " +
 		"OIDC4VP transaction mapping " + "(TTL configurable via " + oidc4vpNonceTTLEnvKey + "), " +
 		"OIDC4VP transaction data " + "(TTL configurable via " + oidc4vpTransactionDataTTLEnvKey + "), " +
+		"notification data " + "(TTL configurable via " + oidc4ciAckDataTTLEnvKey + "), " +
 		"encrypted claim data of OIDC4VP presentation transaction. " + "(TTL configurable via " + oidc4vpReceivedClaimsDataTTLEnvKey + "). " +
 		"Possible values are \"redis\" or \"mongo\". Default is \"mongo\". " +
 		commonEnvVarUsageText + transientDataStoreTypeFlagEnvKey

diff --git a/cmd/vc-rest/startcmd/start.go b/cmd/vc-rest/startcmd/start.go
@@ -1178,14 +1178,14 @@ func getOIDC4CITransactionStore(
 
 func getAckStore(
 	redisClient *redis.Client,
-	oidc4ciTransactionDataTTL int32,
+	oidc4ciAckDataTTL int32,
 ) *ackstore.Store {
 	if redisClient == nil {
 		logger.Warn("Redis client is not configured. Acknowledgement store will not be used")
 		return nil
 	}
 
-	return ackstore.New(redisClient, oidc4ciTransactionDataTTL)
+	return ackstore.New(redisClient, oidc4ciAckDataTTL)
 }
 
 func createRequestObjectStore(

diff --git a/docs/v1/openapi.yaml b/docs/v1/openapi.yaml
@@ -1412,12 +1412,16 @@ components:
         tx_id:
           type: string
           description: Transaction ID to correlate upcoming authorization response.
+        profile_auth_state_ttl:
+          type: integer
+          description: Profile specific Auth state TTL.
         wallet_initiated_flow:
           $ref: ./common.yaml#/components/schemas/WalletInitiatedFlowData
       required:
         - authorization_request
         - authorization_endpoint
         - tx_id
+        - profile_auth_state_ttl
     OAuthParameters:
       title: OAuthParameters
       x-tags:

diff --git a/pkg/profile/api.go b/pkg/profile/api.go
@@ -51,6 +51,15 @@ type Issuer struct {
 	WebHook             string                `json:"webHook,omitempty"`
 	CredentialMetaData  *CredentialMetaData   `json:"credentialMetadata"`
 	Checks              IssuanceChecks        `json:"checks"`
+	DataConfig          IssuerDataConfig      `json:"dataConfig"`
+}
+
+// IssuerDataConfig stores profile specific transient data configuration.
+type IssuerDataConfig struct {
+	ClaimDataTTL              int32
+	OIDC4CITransactionDataTTL int32
+	OIDC4CIAuthStateTTL       int32
+	OIDC4CIAckDataTTL         int32
 }
 
 type CredentialMetaData struct {
@@ -207,6 +216,14 @@ type Verifier struct {
 	SigningDID              *SigningDID                        `json:"signingDID,omitempty"`
 	PresentationDefinitions []*presexch.PresentationDefinition `json:"presentationDefinitions,omitempty"`
 	WebHook                 string                             `json:"webHook,omitempty"`
+	DataConfig              VerifierDataConfig                 `json:"dataConfig"`
+}
+
+// VerifierDataConfig stores profile specific transient data configuration.
+type VerifierDataConfig struct {
+	OIDC4VPNonceStoreDataTTL     int32
+	OIDC4VPTransactionDataTTL    int32
+	OIDC4VPReceivedClaimsDataTTL int32
 }
 
 // OIDC4VPConfig store config for verifier did that used to sign request object in oidc4vp process.

diff --git a/pkg/restapi/v1/issuer/controller.go b/pkg/restapi/v1/issuer/controller.go
@@ -599,6 +599,7 @@ func (c *Controller) prepareClaimDataAuthorizationRequest(
 		AuthorizationEndpoint:              resp.AuthorizationEndpoint,
 		PushedAuthorizationRequestEndpoint: lo.ToPtr(resp.PushedAuthorizationRequestEndpoint),
 		TxId:                               string(resp.TxID),
+		ProfileAuthStateTtl:                int(profile.DataConfig.OIDC4CIAuthStateTTL),
 	}, nil
 }
 

diff --git a/pkg/restapi/v1/issuer/controller_test.go b/pkg/restapi/v1/issuer/controller_test.go
@@ -1383,16 +1383,26 @@ func TestController_PrepareAuthorizationRequest(t *testing.T) {
 		mockProfileService := NewMockProfileService(gomock.NewController(t))
 		mockProfileService.EXPECT().GetProfile(profileID, profileVersion).Return(&profileapi.Issuer{
 			OIDCConfig: &profileapi.OIDCConfig{},
+			DataConfig: profileapi.IssuerDataConfig{OIDC4CIAuthStateTTL: 10},
 		}, nil)
 
 		c := &Controller{
 			oidc4ciService: mockOIDC4CIService,
 			profileSvc:     mockProfileService,
 		}
 
+		recorder := httptest.NewRecorder()
+
 		req := `{"response_type":"code","op_state":"123","scope":["scope1", "scope2"]}`
-		ctx := echoContext(withRequestBody([]byte(req)))
+		ctx := echoContext(withRecorder(recorder), withRequestBody([]byte(req)))
 		assert.NoError(t, c.PrepareAuthorizationRequest(ctx))
+
+		var prepareClaimDataAuthorizationResponse PrepareClaimDataAuthorizationResponse
+
+		err := json.NewDecoder(recorder.Body).Decode(&prepareClaimDataAuthorizationResponse)
+		assert.NoError(t, err)
+
+		assert.Equal(t, prepareClaimDataAuthorizationResponse.ProfileAuthStateTtl, 10)
 	})
 
 	t.Run("read body error", func(t *testing.T) {

diff --git a/pkg/restapi/v1/issuer/openapi.gen.go b/pkg/restapi/v1/issuer/openapi.gen.go
diff --git a/pkg/restapi/v1/oidc4ci/controller.go b/pkg/restapi/v1/oidc4ci/controller.go
@@ -87,9 +87,9 @@ var logger = log.New("oidc4ci")
 type StateStore interface {
 	SaveAuthorizeState(
 		ctx context.Context,
+		profileAuthStateTTL int32,
 		opState string,
 		state *oidc4ci.AuthorizeState,
-		params ...func(insertOptions *oidc4ci.InsertOptions),
 	) error
 
 	GetAuthorizeState(ctx context.Context, opState string) (*oidc4ci.AuthorizeState, error)
@@ -352,6 +352,7 @@ func (c *Controller) OidcAuthorize(e echo.Context, params OidcAuthorizeParams) e
 
 	if err = c.stateStore.SaveAuthorizeState(
 		ctx,
+		int32(claimDataAuth.ProfileAuthStateTtl),
 		lo.FromPtr(params.IssuerState),
 		&oidc4ci.AuthorizeState{
 			RedirectURI:         ar.GetRedirectURI(),

diff --git a/pkg/restapi/v1/oidc4ci/controller_e2e_flows_test.go b/pkg/restapi/v1/oidc4ci/controller_e2e_flows_test.go
@@ -541,9 +541,9 @@ func (s *memoryStateStore) GetAuthorizeState(
 
 func (s *memoryStateStore) SaveAuthorizeState(
 	_ context.Context,
+	_ int32,
 	opState string,
 	state *oidc4cisrv.AuthorizeState,
-	_ ...func(insertOptions *oidc4cisrv.InsertOptions),
 ) error {
 	s.mu.RLock()
 	defer s.mu.RUnlock()

diff --git a/pkg/restapi/v1/oidc4ci/controller_test.go b/pkg/restapi/v1/oidc4ci/controller_test.go
@@ -298,6 +298,7 @@ func TestController_OidcAuthorize(t *testing.T) {
 
 				b, err := json.Marshal(&issuer.PrepareClaimDataAuthorizationResponse{
 					AuthorizationRequest: issuer.OAuthParameters{},
+					ProfileAuthStateTtl:  10,
 				})
 				require.NoError(t, err)
 
@@ -321,7 +322,7 @@ func TestController_OidcAuthorize(t *testing.T) {
 						}, nil
 					})
 
-				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), *params.IssuerState, gomock.Any()).
+				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), int32(10), *params.IssuerState, gomock.Any()).
 					Return(nil)
 			},
 			check: func(t *testing.T, rec *httptest.ResponseRecorder, err error) {
@@ -384,7 +385,7 @@ func TestController_OidcAuthorize(t *testing.T) {
 						}, nil
 					})
 
-				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), gomock.Any(), gomock.Any()).
+				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), int32(0), gomock.Any(), gomock.Any()).
 					Return(nil)
 			},
 			check: func(t *testing.T, rec *httptest.ResponseRecorder, err error) {
@@ -445,7 +446,7 @@ func TestController_OidcAuthorize(t *testing.T) {
 						}, nil
 					})
 
-				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), *params.IssuerState, gomock.Any()).
+				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), int32(0), *params.IssuerState, gomock.Any()).
 					Return(nil)
 			},
 			check: func(t *testing.T, rec *httptest.ResponseRecorder, err error) {
@@ -512,7 +513,7 @@ func TestController_OidcAuthorize(t *testing.T) {
 						}, nil
 					})
 
-				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), "generated-op-state", gomock.Any()).
+				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), int32(0), "generated-op-state", gomock.Any()).
 					Return(nil)
 			},
 			check: func(t *testing.T, rec *httptest.ResponseRecorder, err error) {
@@ -578,7 +579,7 @@ func TestController_OidcAuthorize(t *testing.T) {
 					},
 				)
 
-				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), *params.IssuerState, gomock.Any()).Return(nil)
+				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), int32(0), *params.IssuerState, gomock.Any()).Return(nil)
 			},
 			check: func(t *testing.T, rec *httptest.ResponseRecorder, err error) {
 				require.NoError(t, err)
@@ -638,7 +639,7 @@ func TestController_OidcAuthorize(t *testing.T) {
 					},
 				)
 
-				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), *params.IssuerState, gomock.Any()).
+				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), int32(0), *params.IssuerState, gomock.Any()).
 					Return(nil)
 			},
 			check: func(t *testing.T, rec *httptest.ResponseRecorder, err error) {
@@ -872,7 +873,7 @@ func TestController_OidcAuthorize(t *testing.T) {
 						}, nil
 					})
 
-				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), *params.IssuerState, gomock.Any()).Return(
+				mockStateStore.EXPECT().SaveAuthorizeState(gomock.Any(), int32(0), *params.IssuerState, gomock.Any()).Return(
 					errors.New("save state error"))
 			},
 			check: func(t *testing.T, rec *httptest.ResponseRecorder, err error) {

diff --git a/pkg/service/oidc4ci/api.go b/pkg/service/oidc4ci/api.go
@@ -258,10 +258,6 @@ type PrepareCredentialResultData struct {
 	NotificationID          *string
 }
 
-type InsertOptions struct {
-	TTL time.Duration
-}
-
 type AuthorizeState struct {
 	RedirectURI         *url.URL                        `json:"redirect_uri"`
 	RespondMode         string                          `json:"respond_mode"`

diff --git a/pkg/service/oidc4ci/oidc4ci_acknowledgement.go b/pkg/service/oidc4ci/oidc4ci_acknowledgement.go
@@ -47,7 +47,12 @@ func (s *AckService) CreateAck(
 		return nil, nil //nolint:nilnil
 	}
 
-	id, err := s.cfg.AckStore.Create(ctx, ack)
+	profile, err := s.cfg.ProfileSvc.GetProfile(ack.ProfileID, ack.ProfileVersion)
+	if err != nil {
+		return nil, err
+	}
+
+	id, err := s.cfg.AckStore.Create(ctx, profile.DataConfig.OIDC4CIAckDataTTL, ack)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/service/oidc4ci/oidc4ci_acknowledgement_test.go b/pkg/service/oidc4ci/oidc4ci_acknowledgement_test.go
@@ -29,27 +29,70 @@ func TestCreateAck(t *testing.T) {
 	})
 
 	t.Run("success", func(t *testing.T) {
+		profileSvc := NewMockProfileService(gomock.NewController(t))
+		profileSvc.EXPECT().GetProfile("some_issuer", "v1.0").
+			Return(&profile.Issuer{
+				DataConfig: profile.IssuerDataConfig{OIDC4CIAckDataTTL: 10},
+			}, nil)
+
 		store := NewMockAckStore(gomock.NewController(t))
 		srv := oidc4ci.NewAckService(&oidc4ci.AckServiceConfig{
-			AckStore: store,
+			ProfileSvc: profileSvc,
+			AckStore:   store,
 		})
 
-		item := &oidc4ci.Ack{}
-		store.EXPECT().Create(gomock.Any(), item).Return("id", nil)
+		item := &oidc4ci.Ack{
+			ProfileID:      "some_issuer",
+			ProfileVersion: "v1.0",
+		}
+
+		store.EXPECT().Create(gomock.Any(), int32(10), item).Return("id", nil)
 		id, err := srv.CreateAck(context.TODO(), item)
 
 		assert.NoError(t, err)
 		assert.Equal(t, "id", *id)
 	})
 
+	t.Run("profile srv err", func(t *testing.T) {
+		profileSvc := NewMockProfileService(gomock.NewController(t))
+		profileSvc.EXPECT().GetProfile("some_issuer", "v1.0").
+			Return(nil, errors.New("some error"))
+
+		store := NewMockAckStore(gomock.NewController(t))
+		srv := oidc4ci.NewAckService(&oidc4ci.AckServiceConfig{
+			AckStore:   store,
+			ProfileSvc: profileSvc,
+		})
+
+		item := &oidc4ci.Ack{
+			ProfileID:      "some_issuer",
+			ProfileVersion: "v1.0",
+		}
+
+		id, err := srv.CreateAck(context.TODO(), item)
+
+		assert.Nil(t, id)
+		assert.ErrorContains(t, err, "some error")
+	})
+
 	t.Run("store err", func(t *testing.T) {
+		profileSvc := NewMockProfileService(gomock.NewController(t))
+		profileSvc.EXPECT().GetProfile("some_issuer", "v1.0").
+			Return(&profile.Issuer{
+				DataConfig: profile.IssuerDataConfig{OIDC4CIAckDataTTL: 10},
+			}, nil)
+
 		store := NewMockAckStore(gomock.NewController(t))
 		srv := oidc4ci.NewAckService(&oidc4ci.AckServiceConfig{
-			AckStore: store,
+			ProfileSvc: profileSvc,
+			AckStore:   store,
 		})
 
-		item := &oidc4ci.Ack{}
-		store.EXPECT().Create(gomock.Any(), item).Return("", errors.New("some err"))
+		item := &oidc4ci.Ack{
+			ProfileID:      "some_issuer",
+			ProfileVersion: "v1.0",
+		}
+		store.EXPECT().Create(gomock.Any(), int32(10), item).Return("", errors.New("some err"))
 		id, err := srv.CreateAck(context.TODO(), item)
 
 		assert.Nil(t, id)

diff --git a/pkg/service/oidc4ci/oidc4ci_service.go b/pkg/service/oidc4ci/oidc4ci_service.go
@@ -54,8 +54,8 @@ type pinGenerator interface {
 type transactionStore interface {
 	Create(
 		ctx context.Context,
+		profileTransactionDataTTL int32,
 		data *TransactionData,
-		params ...func(insertOptions *InsertOptions),
 	) (*Transaction, error)
 
 	Get(
@@ -75,7 +75,7 @@ type transactionStore interface {
 }
 
 type claimDataStore interface {
-	Create(ctx context.Context, data *ClaimData) (string, error)
+	Create(ctx context.Context, profileTTLSec int32, data *ClaimData) (string, error)
 	GetAndDelete(ctx context.Context, id string) (*ClaimData, error)
 }
 
@@ -127,7 +127,7 @@ type trustRegistry interface {
 }
 
 type ackStore interface {
-	Create(ctx context.Context, data *Ack) (string, error)
+	Create(ctx context.Context, profileAckDataTTL int32, data *Ack) (string, error)
 	Get(ctx context.Context, id string) (*Ack, error)
 	Delete(ctx context.Context, id string) error
 }

diff --git a/pkg/service/oidc4ci/oidc4ci_service_initiate_issuance.go b/pkg/service/oidc4ci/oidc4ci_service_initiate_issuance.go
@@ -128,7 +128,7 @@ func (s *Service) InitiateIssuance( // nolint:funlen,gocyclo,gocognit
 		txData.UserPin = s.pinGenerator.Generate(uuid.NewString())
 	}
 
-	tx, err := s.store.Create(ctx, txData)
+	tx, err := s.store.Create(ctx, profile.DataConfig.OIDC4CITransactionDataTTL, txData)
 	if err != nil {
 		return nil, resterr.NewSystemError(resterr.TransactionStoreComponent, "create",
 			fmt.Errorf("store tx: %w", err))
@@ -218,6 +218,7 @@ func (s *Service) newTxCredentialConf(
 	if isPreAuthFlow {
 		err = s.applyPreAuthFlowModifications(
 			ctx,
+			profile.DataConfig.ClaimDataTTL,
 			credentialConfiguration,
 			credentialTemplate,
 			txCredentialConfiguration,
@@ -232,6 +233,7 @@ func (s *Service) newTxCredentialConf(
 
 func (s *Service) applyPreAuthFlowModifications(
 	ctx context.Context,
+	profileClaimDataTTLSec int32,
 	req InitiateIssuanceCredentialConfiguration,
 	credentialTemplate *profileapi.CredentialTemplate,
 	txCredentialConfiguration *TxCredentialConfiguration,
@@ -271,7 +273,7 @@ func (s *Service) applyPreAuthFlowModifications(
 		return errEncrypt
 	}
 
-	claimDataID, claimDataErr := s.claimDataStore.Create(ctx, claimDataEncrypted)
+	claimDataID, claimDataErr := s.claimDataStore.Create(ctx, profileClaimDataTTLSec, claimDataEncrypted)
 	if claimDataErr != nil {
 		return resterr.NewSystemError(resterr.ClaimDataStoreComponent, "create",
 			fmt.Errorf("store claim data: %w", claimDataErr))