DO NOT MERGE: Project branch for Generic Functions

.github/workflows/build-images.yaml

@@ -5,11 +5,13 @@ on:
   push:
     branches:
       - master
+      - project-gf
     tags:
       - 'v*'
   pull_request:
     branches:
       - master
+      - project-gf
 
 # cancel build action if superseded by new commit on same branch
 concurrency:
@@ -51,7 +53,7 @@ jobs:
           images: nutsfoundation/nuts-node
           tags: |
             # generate 'master' tag for the master branch
-            type=ref,event=branch,enable={{is_default_branch}},prefix=
+            type=ref,event=branch,enable=true,prefix=
             # generate 5.2.1 tag
             type=semver,pattern={{version}}
           flavor: |

Dockerfile

@@ -17,7 +17,7 @@
 COPY go.sum .
 RUN go mod download && go mod verify
 
 COPY . .
 RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -ldflags="-w -s -X 'github.com/nuts-foundation/nuts-node/core.GitCommit=${GIT_COMMIT}' -X 'github.com/nuts-foundation/nuts-node/core.GitBranch=${GIT_BRANCH}' -X 'github.com/nuts-foundation/nuts-node/core.GitVersion=${GIT_VERSION}'" -o /opt/nuts/nuts
 
 # alpine
@@ -25,7 +25,10 @@
 RUN apk update \
   && apk add --no-cache \
              tzdata \
-             curl
+             curl \
+             ca-certificates
+COPY pki/cacerts/* /usr/local/share/ca-certificates/
+RUN update-ca-certificates
 COPY --from=builder /opt/nuts/nuts /usr/bin/nuts
 
 HEALTHCHECK --start-period=30s --timeout=5s --interval=10s \

LSPxNuts_README.md

@@ -0,0 +1,16 @@
+# LSPxNuts Proof of Concept
+
+This is a branch that for the Proof of Concept of the LSPxNuts project.
+
+It adds or alters the following functionality versus the mainstream Nuts node:
+
+- OAuth2 `vp_bearer` token exchange: read presentation definition from local definitions instead of fetching it from the remote authorization server.
+  LSP doesn't support presentation definitions, meaning that we need to look it up locally.
+- Add support for JWT bearer grant type. If the server supports this, it uses this grant type instead of the Nuts-specific vp_token-bearer grant type.
+- Add CA certificates of Sectigo (root CA, OV and EV intermediate CA) to Docker image's OS CA bundle, because they're used by AORTA-LSP.
+- Fix marshalling of Verifiable Presentations in JWT format; `type` was marshalled as JSON-LD (single-entry-array was replaced by string)
+- Add `policy_id` field to access token request to specify the Presentation Definition that should be used.
+  The `scope` can then be specified as whatever the use case requires (e.g. SMART on FHIR-esque scopes).
+- Relax `did:x509` key usage check: the certificate from UZI smart cards that is used to sign credentials, doesn't have `serverAuth` key usage, only `digitalSignature`.
+  This broke, since we didn't specify the key usage, but `x509.Verify()` expects key usage `serverAuth` to be present by default.
+- Add support for `RS256` (RSA 2048) signatures, since that's what UZI smart cards produce.

README.rst

@@ -182,6 +182,7 @@ The following options can be configured on the server:
     verbosity                                     info                                                                                                                                                                                                                                                                                                                                                                                                                                                                     Log level (trace, debug, info, warn, error)
     httpclient.timeout                            30s                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Request time-out for HTTP clients, such as '10s'. Refer to Golang's 'time.Duration' syntax for a more elaborate description of the syntax.
     **Auth**
+    auth.granttypes                               [authorization_code,vp_token-bearer,urn:ietf:params:oauth:grant-type:jwt-bearer]                                                                                                                                                                                                                                                                                                                                                                                         enables OAuth2 grant types for the Authorization Server, options: authorization_code, urn:ietf:params:oauth:grant-type:pre-authorized_code, vp_token-bearer, urn:ietf:params:oauth:grant-type:jwt-bearer
     auth.authorizationendpoint.enabled            false                                                                                                                                                                                                                                                                                                                                                                                                                                                                    enables the v2 API's OAuth2 Authorization Endpoint, used by OpenID4VP and OpenID4VCI. This flag might be removed in a future version (or its default become 'true') as the use cases and implementation of OpenID4VP and OpenID4VCI mature.
     **Crypto**
     crypto.storage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         Storage to use, 'fs' for file system (for development purposes), 'vaultkv' for HashiCorp Vault KV store, 'azure-keyvault' for Azure Key Vault, 'external' for an external backend (deprecated).
@@ -233,6 +234,9 @@ The following options can be configured on the server:
     tracing.endpoint                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       OTLP collector endpoint for OpenTelemetry tracing (e.g., 'localhost:4318'). When empty, tracing is disabled.
     tracing.insecure                              false                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Disable TLS for the OTLP connection.
     tracing.servicename                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Service name reported to the tracing backend. Defaults to 'nuts-node'.
+    **VCR**
+    vcr.dezi.allowedjku                           []                                                                                                                                                                                                                                                                                                                                                                                                                                                                       List of allowed JKU URLs for fetching Dezi attestation keys. If not set, defaults to production (https://auth.dezi.nl/dezi/jwks.json), and in non-strict mode also acceptance (https://acceptatie.auth.dezi.nl/dezi/jwks.json).
+    vcr.verifier.revocation.maxage                15m0s                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Max age of revocation information. If the revocation information is older than this, it will be refreshed from the issuer. If set to 0 or negative, revocation information will always be refreshed.
     **policy**
     policy.directory                              ./config/policy                                                                                                                                                                                                                                                                                                                                                                                                                                                          Directory to read policy files from. Policy files are JSON files that contain a scope to PresentationDefinition mapping.
     ========================================      ===================================================================================================================================================================================================================================================================================================================================================================================================================================================================      ============================================================================================================================================================================================================================================================================================================================================

auth/api/auth/v1/api.go

@@ -260,13 +260,9 @@ func (w Wrapper) DrawUpContract(ctx context.Context, request DrawUpContractReque
 
 // CreateJwtGrant handles the http request (from the vendor's EPD/XIS) for creating a JWT bearer token which can be used to retrieve an access token from a remote Nuts node.
 func (w Wrapper) CreateJwtGrant(ctx context.Context, request CreateJwtGrantRequestObject) (CreateJwtGrantResponseObject, error) {
-
-	req := services.CreateJwtGrantRequest{
-		Requester:   request.Body.Requester,
-		Authorizer:  request.Body.Authorizer,
-		IdentityVP:  request.Body.Identity,
-		Service:     request.Body.Service,
-		Credentials: request.Body.Credentials,
+	req, err := toCreateJwtGrantRequest(request.Body)
+	if err != nil {
+		return nil, err
 	}
 
 	response, err := w.Auth.RelyingParty().CreateJwtGrant(ctx, req)
@@ -279,12 +275,9 @@ func (w Wrapper) CreateJwtGrant(ctx context.Context, request CreateJwtGrantReque
 
 // RequestAccessToken handles the HTTP request (from the vendor's EPD/XIS) for creating a JWT grant and using it as authorization grant to get an access token from the remote Nuts node.
 func (w Wrapper) RequestAccessToken(ctx context.Context, request RequestAccessTokenRequestObject) (RequestAccessTokenResponseObject, error) {
-	req := services.CreateJwtGrantRequest{
-		Requester:   request.Body.Requester,
-		Authorizer:  request.Body.Authorizer,
-		IdentityVP:  request.Body.Identity,
-		Service:     request.Body.Service,
-		Credentials: request.Body.Credentials,
+	req, err := toCreateJwtGrantRequest(request.Body)
+	if err != nil {
+		return nil, err
 	}
 
 	jwtGrant, err := w.Auth.RelyingParty().CreateJwtGrant(ctx, req)
@@ -430,6 +423,27 @@ func (w *Wrapper) resolveCredential(credentialID string) (*vc.VerifiableCredenti
 	return w.CredentialResolver.Resolve(*id, nil)
 }
 
+// toCreateJwtGrantRequest translates the generated API request body into the internal
+// services.CreateJwtGrantRequest. If authorization_server_endpoint is set, it is validated
+// as a URL; an invalid URL is surfaced as a 400 InvalidInputError so we don't produce a
+// signed JWT with a malformed audience.
+func toCreateJwtGrantRequest(body *JwtGrantBaseRequest) (services.CreateJwtGrantRequest, error) {
+	req := services.CreateJwtGrantRequest{
+		Requester:   body.Requester,
+		Authorizer:  body.Authorizer,
+		IdentityVP:  body.Identity,
+		Service:     body.Service,
+		Credentials: body.Credentials,
+	}
+	if body.AuthorizationServerEndpoint != nil && *body.AuthorizationServerEndpoint != "" {
+		if _, err := url.Parse(*body.AuthorizationServerEndpoint); err != nil {
+			return services.CreateJwtGrantRequest{}, core.InvalidInputError("invalid authorization_server_endpoint: %w", err)
+		}
+		req.AuthorizationServerEndpoint = *body.AuthorizationServerEndpoint
+	}
+	return req, nil
+}
+
 // convertToMap converts an object to a map[string]interface{} using json conversion
 func convertToMap(obj interface{}, target interface{}) error {
 	jsonStr, err := json.Marshal(obj)

auth/api/auth/v1/api_test.go

@@ -21,6 +21,12 @@ package v1
 import (
 	"context"
 	"errors"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+	"time"
+
 	ssi "github.com/nuts-foundation/go-did"
 	"github.com/nuts-foundation/go-did/did"
 	"github.com/nuts-foundation/go-did/vc"
@@ -40,11 +46,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"testing"
-	"time"
 )
 
 type TestContext struct {
@@ -98,6 +99,10 @@ func (m *mockAuthClient) SupportedDIDMethods() []string {
 	return m.supportedDIDMethods
 }
 
+func (m *mockAuthClient) GrantTypes() []string {
+	return oauth2.SupportedGrantTypes()
+}
+
 func createContext(t *testing.T) *TestContext {
 	t.Helper()
 	ctrl := gomock.NewController(t)
@@ -439,6 +444,53 @@ func TestWrapper_CreateJwtGrant(t *testing.T) {
 		assert.Equal(t, expectedResponse, response)
 		assert.Nil(t, err)
 	})
+
+	t.Run("AuthorizationServerEndpoint is plumbed through", func(t *testing.T) {
+		ctx := createContext(t)
+		endpoint := "https://as.example.nl/ura/12345678/token"
+		body := CreateJwtGrantRequest{
+			Requester:                   vdr.TestDIDA.String(),
+			Authorizer:                  vdr.TestDIDB.String(),
+			Service:                     "service",
+			AuthorizationServerEndpoint: &endpoint,
+		}
+
+		expectedRequest := services.CreateJwtGrantRequest{
+			Requester:                   body.Requester,
+			Authorizer:                  body.Authorizer,
+			Service:                     "service",
+			AuthorizationServerEndpoint: endpoint,
+		}
+
+		ctx.relyingPartyMock.EXPECT().CreateJwtGrant(gomock.Any(), expectedRequest).Return(&services.JwtBearerTokenResult{
+			BearerToken:                 "jwt",
+			AuthorizationServerEndpoint: endpoint,
+		}, nil)
+
+		response, err := ctx.wrapper.CreateJwtGrant(ctx.audit, CreateJwtGrantRequestObject{Body: &body})
+
+		assert.NoError(t, err)
+		assert.Equal(t, CreateJwtGrant200JSONResponse{BearerToken: "jwt", AuthorizationServerEndpoint: endpoint}, response)
+	})
+
+	t.Run("invalid AuthorizationServerEndpoint returns 400", func(t *testing.T) {
+		ctx := createContext(t)
+		badEndpoint := "%invalid"
+		body := CreateJwtGrantRequest{
+			Requester:                   vdr.TestDIDA.String(),
+			Authorizer:                  vdr.TestDIDB.String(),
+			Service:                     "service",
+			AuthorizationServerEndpoint: &badEndpoint,
+		}
+
+		response, err := ctx.wrapper.CreateJwtGrant(ctx.audit, CreateJwtGrantRequestObject{Body: &body})
+
+		assert.Nil(t, response)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "invalid authorization_server_endpoint")
+		require.Implements(t, new(core.HTTPStatusCodeError), err)
+		assert.Equal(t, http.StatusBadRequest, err.(core.HTTPStatusCodeError).StatusCode())
+	})
 }
 
 func TestWrapper_RequestAccessToken(t *testing.T) {