OpenID4VCI: Enable by default (#2346)
reinkrul authored Jul 14, 2023
1 parent c3f476c commit ad25152
Showing 12 changed files with 46 additions and 46 deletions.
2 changes: 1 addition & 1 deletion README.rst
Original file line number Diff line number Diff line change
Expand Up @@ -254,7 +254,7 @@ The following options can be configured on the server:
storage.redis.tls.truststorefile PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address).
**VCR**
vcr.openid4vci.definitionsdir Directory with the additional credential definitions the node could issue (experimental, may change without notice).
vcr.openid4vci.enabled false Enable issuing and receiving credentials over OpenID4VCI (experimental).
vcr.openid4vci.enabled true Enable issuing and receiving credentials over OpenID4VCI.
vcr.openid4vci.timeout 30s Time-out for OpenID4VCI HTTP client operations.
==================================== =============================================================================================================================================================================================================================================================================================================== ==================================================================================================================================================================================================================================
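Review bot: the `vcr.openid4vci.enabled` row drops "(experimental)" while the `vcr.openid4vci.definitionsdir` row two lines above still says "(experimental, may change without notice)"; if only the definitions directory stays experimental, say so on the openid4vci.rst page. Flipping the default to `true` also switches the feature on for every node that upgrades without touching its config, so the change deserves a line in the release/upgrade notes telling operators how to opt out (`vcr.openid4vci.enabled: false`).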

2 changes: 1 addition & 1 deletion docs/pages/deployment/cli-reference.rst
Expand Up @@ -77,7 +77,7 @@ The following options apply to the server commands below:
--tls.offload string Whether to enable TLS offloading for incoming connections. Enable by setting it to 'incoming'. If enabled 'tls.certheader' must be configured as well.
--tls.truststorefile string PEM file containing the trusted CA certificates for authenticating remote servers. (default "truststore.pem")
--vcr.openid4vci.definitionsdir string Directory with the additional credential definitions the node could issue (experimental, may change without notice).
--vcr.openid4vci.enabled Enable issuing and receiving credentials over OpenID4VCI (experimental).
--vcr.openid4vci.enabled Enable issuing and receiving credentials over OpenID4VCI. (default true)
--vcr.openid4vci.timeout duration Time-out for OpenID4VCI HTTP client operations. (default 30s)
--verbosity string Log level (trace, debug, info, warn, error) (default "info")

2 changes: 1 addition & 1 deletion docs/pages/deployment/server_options.rst
Expand Up @@ -80,6 +80,6 @@
storage.redis.tls.truststorefile PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address).
**VCR**
vcr.openid4vci.definitionsdir Directory with the additional credential definitions the node could issue (experimental, may change without notice).
vcr.openid4vci.enabled false Enable issuing and receiving credentials over OpenID4VCI (experimental).
vcr.openid4vci.enabled true Enable issuing and receiving credentials over OpenID4VCI.
vcr.openid4vci.timeout 30s Time-out for OpenID4VCI HTTP client operations.
==================================== =============================================================================================================================================================================================================================================================================================================== ==================================================================================================================================================================================================================================
24 changes: 6 additions & 18 deletions docs/pages/technology/openid4vci.rst
Expand Up @@ -7,11 +7,6 @@ Nuts supports using `OpenID 4 Verifiable Credential Issuance (OpenID4VCI) <https
to issue credentials directly from an issuer to a holder. By supporting this protocol we aim to improve compliance with industry standards and products
and remove credentials from the network DAG.

.. note::

This functionality is experimental and subject to change.
We encourage developers to test it out and provide feedback.

We currently only support the issuer initiated, pre-authorized code flow,
without PIN (since the issuance is server-to-server, without user involvement).

Expand All @@ -28,17 +23,10 @@ We aim to support other flows and features in future:
Enabling
********

.. note::

These steps to enable OpenID4VCI are subject to change.

By default, the feature is disabled.

To enable issuing and receiving credentials over OpenID4VCI:

- set ``vcr.openid4vci.enabled`` to ``true``
- register service of type ``node-http-services-baseurl`` in your DID documents, pointing to the base URL of your node-to-node API, e.g. ``https://nutsnode.example.com/`` (excluding ``/n2n``).
Note that this step will be automated in (near) future.


By default, the feature is enabled.

But, for a DID to receive credentials over OpenID4VCI it needs to be discoverable,
meaning it needs a service of type ``node-http-services-baseurl``. The URL needs to point to the base URL of your node-to-node API,
e.g. ``https://nutsnode.example.com/`` (excluding ``/n2n``).
A background process ("golden hammer") tries to register this service for all of your node's DIDs automatically,
meaning in normal operation you don't need to do anything to start using OpenID4VCI.
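Review bot: the rewritten "Enabling" section no longer tells the reader how to turn the feature off; now that it is on by default, a sentence such as "set ``vcr.openid4vci.enabled`` to ``false`` to disable it" belongs here, and the heading could become "Enabling and disabling". Two smaller points: "But, for a DID to receive credentials" reads better as "For a DID to receive credentials", and the paragraph on the "golden hammer" background process should name the ``goldenhammer.interval`` setting (which the e2e configs in this commit tune) so operators know what controls how quickly the service gets registered.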
2 changes: 0 additions & 2 deletions e2e-tests/openid4vci/issuer-initiated/node-A/nuts.yaml
Expand Up @@ -19,8 +19,6 @@ crypto:
storage: fs
vcr:
overrideissueallpublic: false
openid4vci:
enabled: true
goldenhammer:
interval: 1s
tls:
2 changes: 0 additions & 2 deletions e2e-tests/openid4vci/issuer-initiated/node-B/nuts.yaml
Expand Up @@ -19,8 +19,6 @@ crypto:
storage: fs
vcr:
overrideissueallpublic: false
openid4vci:
enabled: true
goldenhammer:
interval: 1s
tls:
2 changes: 1 addition & 1 deletion vcr/cmd/cmd.go
Expand Up @@ -38,7 +38,7 @@ func FlagSet() *pflag.FlagSet {
defs := vcr.DefaultConfig()
flagSet := pflag.NewFlagSet("vcr", pflag.ContinueOnError)
flagSet.String("vcr.openid4vci.definitionsdir", defs.OpenID4VCI.DefinitionsDIR, "Directory with the additional credential definitions the node could issue (experimental, may change without notice).")
flagSet.Bool("vcr.openid4vci.enabled", defs.OpenID4VCI.Enabled, "Enable issuing and receiving credentials over OpenID4VCI (experimental).")
flagSet.Bool("vcr.openid4vci.enabled", defs.OpenID4VCI.Enabled, "Enable issuing and receiving credentials over OpenID4VCI.")
flagSet.Duration("vcr.openid4vci.timeout", time.Second*30, "Time-out for OpenID4VCI HTTP client operations.")
return flagSet
}
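Review bot: the `vcr.openid4vci.timeout` flag on the line after the changed one still hardcodes `time.Second*30` instead of reading `defs.OpenID4VCI.Timeout` like the other two flags, so the flag default and `DefaultConfig()` can drift, and in this commit they do (`DefaultConfig()` sets 5s while the flag and the docs say 30s). Suggest `flagSet.Duration("vcr.openid4vci.timeout", defs.OpenID4VCI.Timeout, "Time-out for OpenID4VCI HTTP client operations.")`.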
10 changes: 8 additions & 2 deletions vcr/config.go
Expand Up @@ -19,7 +19,10 @@

package vcr

import "github.com/nuts-foundation/nuts-node/vcr/openid4vci"
import (
"github.com/nuts-foundation/nuts-node/vcr/openid4vci"
"time"
)

// ModuleName is the name of this module.
const ModuleName = "VCR"
Expand All @@ -32,5 +35,8 @@ type Config struct {

// DefaultConfig returns a fresh Config filled with default values
func DefaultConfig() Config {
return Config{}
return Config{OpenID4VCI: openid4vci.Config{
Enabled: true,
Timeout: 5 * time.Second,
}}
}
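Review bot: `Timeout: 5 * time.Second` in `DefaultConfig()` disagrees with the 30s flag default in `vcr/cmd/cmd.go` and with the documented default ("30s" in README.rst, server_options.rst and cli-reference.rst). Pick one value and have the flag derive from this struct, otherwise the effective time-out depends on which path populated the config, which is hard to reason about when diagnosing slow or hanging credential exchanges.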
12 changes: 12 additions & 0 deletions vcr/config_test.go
@@ -0,0 +1,12 @@
package vcr

import (
"github.com/stretchr/testify/assert"
"testing"
"time"
)

func TestDefaultConfig(t *testing.T) {
assert.True(t, DefaultConfig().OpenID4VCI.Enabled)
assert.Equal(t, 5*time.Second, DefaultConfig().OpenID4VCI.Timeout)
}
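Review bot: the assertion `5*time.Second` pins the timeout default that disagrees with the 30s in cmd.go and the docs; whichever value is chosen, update this expectation along with it. Minor: `DefaultConfig()` is called twice; capture it once as `cfg := DefaultConfig()`.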
10 changes: 6 additions & 4 deletions vcr/test.go
Expand Up @@ -25,6 +25,7 @@ import (
"github.com/nuts-foundation/nuts-node/events"
"github.com/nuts-foundation/nuts-node/jsonld"
"github.com/nuts-foundation/nuts-node/network"
"github.com/nuts-foundation/nuts-node/pki"
"github.com/nuts-foundation/nuts-node/storage"
"github.com/nuts-foundation/nuts-node/test/io"
"github.com/nuts-foundation/nuts-node/vcr/trust"
Expand Down Expand Up @@ -64,7 +65,7 @@ func NewTestVCRContext(t *testing.T, keyStore crypto.KeyStore) TestVCRContext {
jsonld.NewTestJSONLDManager(t),
events.NewTestManager(t),
storage.NewTestStorageEngine(testDirectory),
nil, nil,
pki.New(), nil,
).(*vcr)

if err := newInstance.Configure(core.TestServerConfig(core.ServerConfig{Datadir: testDirectory})); err != nil {
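Review bot: replacing `nil` with `pki.New()` in the test constructors is unrelated to the commit title and not explained in the commit message; if a non-nil PKI provider is now required because OpenID4VCI is configured by default, say so in the message or in a comment next to the first occurrence, since the same substitution is repeated in four places in this file and three in vcr_test.go.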
Expand All @@ -90,7 +91,7 @@ func NewTestVCRInstance(t *testing.T) *vcr {
jsonld.NewTestJSONLDManager(t),
events.NewTestManager(t),
storage.NewTestStorageEngine(testDirectory),
nil, nil,
pki.New(), nil,
).(*vcr)

if err := newInstance.Configure(core.TestServerConfig(core.ServerConfig{Datadir: testDirectory})); err != nil {
Expand All @@ -112,7 +113,7 @@ func NewTestVCRInstanceInDir(t *testing.T, testDirectory string) *vcr {
jsonld.NewTestJSONLDManager(t),
events.NewTestManager(t),
storage.NewTestStorageEngine(testDirectory),
nil, nil,
pki.New(), nil,
).(*vcr)

if err := newInstance.Configure(core.TestServerConfig(core.ServerConfig{Datadir: testDirectory})); err != nil {
Expand Down Expand Up @@ -150,10 +151,11 @@ func newMockContext(t *testing.T) mockContext {
eventManager := events.NewTestManager(t)
storageClient := storage.NewTestStorageEngine(testDir)
cryptoInstance := crypto.NewMemoryCryptoInstance()
vcr := NewVCRInstance(cryptoInstance, nil, tx, jsonldManager, eventManager, storageClient, nil, nil).(*vcr)
vcr := NewVCRInstance(cryptoInstance, nil, tx, jsonldManager, eventManager, storageClient, pki.New(), nil).(*vcr)
vcr.serviceResolver = serviceResolver
vcr.keyResolver = keyResolver
vcr.docResolver = docResolver
vcr.pkiProvider = pki.New()
vcr.trustConfig = trust.NewConfig(path.Join(testDir, "trust.yaml"))
if err := vcr.Configure(core.TestServerConfig(core.ServerConfig{Datadir: testDir})); err != nil {
t.Fatal(err)
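Review bot: the added `vcr.pkiProvider = pki.New()` creates a second PKI provider even though the changed `NewVCRInstance(...)` call above already receives `pki.New()`; keep one instance (drop the assignment, or create `pkiProvider := pki.New()` once and pass it to the constructor) so the mock context does not hold two providers that could end up configured differently.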
17 changes: 6 additions & 11 deletions vcr/test/openid4vci_integration_test.go
Expand Up @@ -54,9 +54,7 @@ import (
func TestOpenID4VCIHappyFlow(t *testing.T) {
auditLogs := audit.CaptureLogs(t)
ctx := audit.TestContext()
baseURL, system := node.StartServer(t, func(serverURL string) {
t.Setenv("NUTS_VCR_OPENID4VCI_ENABLED", "true")
})
baseURL, system := node.StartServer(t)
vcrService := system.FindEngineByName("vcr").(vcr.VCR)

issuerDID := registerDID(t, system)
Expand Down Expand Up @@ -92,9 +90,7 @@ func TestOpenID4VCIConnectionReuse(t *testing.T) {
http.DefaultTransport.(*http.Transport).MaxConnsPerHost = maxConnsPerHost

ctx := audit.TestContext()
baseURL, system := node.StartServer(t, func(serverURL string) {
t.Setenv("NUTS_VCR_OPENID4VCI_ENABLED", "true")
})
baseURL, system := node.StartServer(t)
vcrService := system.FindEngineByName("vcr").(vcr.VCR)

issuerDID := registerDID(t, system)
Expand Down Expand Up @@ -160,7 +156,6 @@ func TestOpenID4VCIConnectionReuse(t *testing.T) {
func TestOpenID4VCI_Metadata(t *testing.T) {
ctx := audit.TestContext()
baseURL, system := node.StartServer(t, func(serverURL string) {
t.Setenv("NUTS_VCR_OPENID4VCI_ENABLED", "true")
t.Setenv("NUTS_HTTP_DEFAULT_TLS", string(httpModule.TLServerClientCertMode))
})
vcrService := system.FindEngineByName("vcr").(vcr.VCR)
Expand All @@ -180,7 +175,9 @@ func TestOpenID4VCI_Metadata(t *testing.T) {

// TestOpenID4VCIDisabled tests the issuer won't try to issue over OpenID4VCI when it's disabled.
func TestOpenID4VCIDisabled(t *testing.T) {
baseURL, system := node.StartServer(t)
baseURL, system := node.StartServer(t, func(serverURL string) {
t.Setenv("NUTS_VCR_OPENID4VCI_ENABLED", "false")
})

// Setup issuer/holder
walletDID := registerDID(t, system)
Expand All @@ -198,9 +195,7 @@ func TestOpenID4VCIDisabled(t *testing.T) {
// TestOpenID4VCIErrorResponses tests the API returns the correct error responses (as specified in the OpenID4VCI spec, not as Problem types).
func TestOpenID4VCIErrorResponses(t *testing.T) {
ctx := audit.TestContext()
httpServerURL, system := node.StartServer(t, func(serverURL string) {
t.Setenv("NUTS_VCR_OPENID4VCI_ENABLED", "true")
})
httpServerURL, system := node.StartServer(t)
vcrService := system.FindEngineByName("vcr").(vcr.VCR)

// Setup issuer/holder
7 changes: 4 additions & 3 deletions vcr/vcr_test.go
Expand Up @@ -57,7 +57,7 @@ import (
func TestVCR_Configure(t *testing.T) {
t.Run("error - creating issuer store", func(t *testing.T) {
testDirectory := io.TestDirectory(t)
instance := NewVCRInstance(nil, nil, nil, jsonld.NewTestJSONLDManager(t), nil, storage.NewTestStorageEngine(testDirectory), nil, nil).(*vcr)
instance := NewVCRInstance(nil, nil, nil, jsonld.NewTestJSONLDManager(t), nil, storage.NewTestStorageEngine(testDirectory), pki.New(), nil).(*vcr)

err := instance.Configure(core.TestServerConfig(core.ServerConfig{Datadir: "test"}))
assert.EqualError(t, err, "failed to create leiaIssuerStore: mkdir test/vcr: not a directory")
Expand Down Expand Up @@ -121,7 +121,7 @@ func TestVCR_Start(t *testing.T) {
jsonld.NewTestJSONLDManager(t),
events.NewTestManager(t),
storage.NewTestStorageEngine(testDirectory),
nil, nil,
pki.New(), nil,
).(*vcr)
if err := instance.Configure(core.TestServerConfig(core.ServerConfig{Datadir: testDirectory})); err != nil {
t.Fatal(err)
Expand Down Expand Up @@ -168,8 +168,9 @@ func TestVCR_Diagnostics(t *testing.T) {
jsonld.NewTestJSONLDManager(t),
events.NewTestManager(t),
storage.NewTestStorageEngine(testDirectory),
nil, nil,
pki.New(), nil,
).(*vcr)
instance.config.OpenID4VCI.Enabled = false
if err := instance.Configure(core.TestServerConfig(core.ServerConfig{Datadir: testDirectory})); err != nil {
t.Fatal(err)
}
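Review bot: the added `instance.config.OpenID4VCI.Enabled = false` in TestVCR_Diagnostics carries no comment saying why the diagnostics test needs the feature off; a short comment naming what in the diagnostics output changes when it is enabled would stop a future reader from deleting the line as a leftover of the old default.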
