Merge pull request trustbloc#586 from talwinder50/issue-581

feat: Validate and check Waci profile creation that each scope has output descriptors configured.
talwinder50 · Jan 27, 2022 · de984ef · de984ef
2 parents 5bb1b98 + c01fddb
commit de984ef
Show file tree

Hide file tree

Showing 10 changed files with 190 additions and 36 deletions.
diff --git a/pkg/profile/issuer/profile.go b/pkg/profile/issuer/profile.go
@@ -125,6 +125,10 @@ func validateProfileRequest(pr *ProfileData) error {
 		return fmt.Errorf("supported vc contexts mandatory")
 	}
 
+	if pr.SupportsWACI && pr.IssuerID == "" {
+		return fmt.Errorf("issuer id mandatory for waci profiles")
+	}
+
 	if !adapterutil.ValidHTTPURL(pr.URL) {
 		return fmt.Errorf("issuer url is invalid")
 	}

diff --git a/pkg/profile/issuer/profile_test.go b/pkg/profile/issuer/profile_test.go
@@ -91,6 +91,11 @@ func TestCredentialRecord_SaveProfile(t *testing.T) {
 		err = record.SaveProfile(value)
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "issuer url is invalid")
+
+		value.SupportsWACI = true
+		err = record.SaveProfile(value)
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "issuer id mandatory for waci profiles")
 	})
 
 	t.Run("test save profile - profile already exists", func(t *testing.T) {

diff --git a/pkg/restapi/issuer/operation/models.go b/pkg/restapi/issuer/operation/models.go
@@ -26,10 +26,12 @@ type ProfileDataRequest struct {
 	SupportsWACI                bool              `json:"supportsWACI"`
 	OIDCProviderURL             string            `json:"oidcProvider"`
 	OIDCClientParams            *OIDCClientParams `json:"oidcParams,omitempty"`
-	CredentialScopes            []string          `json:"scopes,omitempty"`
+	CredentialScopes            []string          `json:"credScopes,omitempty"`
 	LinkedWalletURL             string            `json:"linkedWallet,omitempty"`
-	IssuerID                    string            `json:"issuerID,omitempty"`
-	CMStyle                     cm.Styles         `json:"styles,omitempty"`
+	// Issuer ID identifies who is the issuer of the credential manifests being issued.
+	IssuerID string `json:"issuerID,omitempty"`
+	// CMStyle represents an entity styles object as defined in credential manifest spec.
+	CMStyle cm.Styles `json:"styles,omitempty"`
 }
 
 // OIDCClientParams optional parameters for setting the adapter's oidc client parameters statically.
@@ -46,6 +48,7 @@ type WalletConnect struct {
 
 // txnData contains session data.
 type txnData struct {
+	// Todo #580 rename IssuerID to ProfileID
 	IssuerID          string                `json:"issuerID,omitempty"`
 	State             string                `json:"state,omitempty"`
 	DIDCommInvitation *outofband.Invitation `json:"didCommInvitation,omitempty"`

diff --git a/pkg/restapi/issuer/operation/operations.go b/pkg/restapi/issuer/operation/operations.go
@@ -284,6 +284,7 @@ func New(config *Config) (*Operation, error) { // nolint:funlen,gocyclo,cyclop
 		refreshTokenStore:  refreshStore,
 		didDomain:          config.DidDomain,
 		jsonldDocLoader:    config.JSONLDDocumentLoader,
+		cmOutputDescriptor: config.CmOutputDescriptor,
 	}
 
 	op.createOIDCClientFunc = op.getOrCreateOIDCClient
@@ -383,6 +384,18 @@ func (o *Operation) createIssuerProfileHandler(rw http.ResponseWriter, req *http
 		return
 	}
 
+	if profileData.SupportsWACI {
+		for _, pCredScope := range profileData.CredentialScopes {
+			if _, ok := o.cmOutputDescriptor[pCredScope]; !ok {
+				commhttp.WriteErrorResponseWithLog(rw, http.StatusBadRequest,
+					fmt.Sprintf("failed to find the allowed cred scope in credential manifest output descriptor"+
+						"object %s", pCredScope), profileEndpoint, logger)
+
+				return
+			}
+		}
+	}
+
 	if profileData.OIDCProviderURL != "" {
 		_, err = o.createOIDCClientFunc(profileData)
 		if err != nil {
@@ -1268,7 +1281,10 @@ func (o *Operation) handleProposeCredential(msg service.DIDCommAction) (issuecre
 	// read credential manifest
 	manifest := o.readCredentialManifest(profile, txn.CredScope)
 
-	// TODO #581 validate read credential manifest object
+	err = manifest.Validate()
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate credential manifest object: %w", err)
+	}
 
 	// get unsigned credential
 	vc, err := o.createCredential(getUserDataURL(profile.URL), userInvMap.TxToken, oauthToken,

diff --git a/pkg/restapi/issuer/operation/operations_test.go b/pkg/restapi/issuer/operation/operations_test.go
@@ -549,6 +549,46 @@ func TestCreateProfile(t *testing.T) {
 		require.Equal(t, vReq.URL, profileRes.URL)
 		require.Equal(t, vReq.SupportsAssuranceCredential, profileRes.SupportsAssuranceCredential)
 	})
+	t.Run("create waci profile with cm output descriptors - success", func(t *testing.T) {
+		t.Parallel()
+
+		vReq := createProfileData(uuid.New().String())
+		vReq.SupportsWACI = true
+		vReq.CredentialScopes = []string{mockCredScope}
+		vReq.OIDCClientParams = &issuer.OIDCClientParams{
+			ClientID:     "client id",
+			ClientSecret: "client secret",
+			SecretExpiry: 0,
+		}
+
+		vReqBytes, err := json.Marshal(vReq)
+		require.NoError(t, err)
+
+		op.cmOutputDescriptor = map[string][]*cm.OutputDescriptor{
+			mockCredScope: {
+				&cm.OutputDescriptor{
+					ID:     uuid.New().String(),
+					Schema: "https://www.w3.org/2018/credentials/examples/v1",
+				},
+			},
+		}
+
+		h := getHandler(t, op, endpoint)
+		rr := serveHTTP(t, h.Handle(), http.MethodPost, endpoint, vReqBytes)
+
+		require.Equal(t, http.StatusCreated, rr.Code)
+
+		profileRes := &issuer.ProfileData{}
+		err = json.Unmarshal(rr.Body.Bytes(), &profileRes)
+		require.NoError(t, err)
+		require.Equal(t, vReq.ID, profileRes.ID)
+		require.Equal(t, vReq.Name, profileRes.Name)
+		require.Equal(t, vReq.URL, profileRes.URL)
+		require.Equal(t, vReq.SupportsAssuranceCredential, profileRes.SupportsAssuranceCredential)
+		require.Equal(t, vReq.CredentialScopes, profileRes.CredentialScopes)
+		require.Equal(t, vReq.IssuerID, profileRes.IssuerID)
+		require.Equal(t, vReq.SupportsWACI, profileRes.SupportsWACI)
+	})
 
 	t.Run("create profile - invalid request", func(t *testing.T) {
 		t.Parallel()
@@ -646,6 +686,33 @@ func TestCreateProfile(t *testing.T) {
 
 		require.Contains(t, resErr.ErrMessage, "create oidc client")
 	})
+	t.Run("create profile - failed to find the allowed cred scope in credential manifest"+
+		" output descriptor for WACI profiles", func(t *testing.T) {
+		t.Parallel()
+
+		ops, err := New(config(t))
+		require.NoError(t, err)
+
+		vReq := createProfileData(uuid.New().String())
+		vReq.SupportsWACI = true
+		vReq.CredentialScopes = []string{mockCredScope}
+
+		vReqBytes, err := json.Marshal(vReq)
+		require.NoError(t, err)
+
+		rr := serveHTTP(t, getHandler(t, ops, endpoint).Handle(), http.MethodPost, endpoint, vReqBytes)
+
+		require.Equal(t, http.StatusBadRequest, rr.Code)
+
+		resErr := struct {
+			ErrMessage string `json:"errMessage"`
+		}{}
+		err = json.Unmarshal(rr.Body.Bytes(), &resErr)
+		require.NoError(t, err)
+
+		require.Contains(t, resErr.ErrMessage,
+			"failed to find the allowed cred scope in credential manifest output descriptor")
+	})
 }
 
 func TestGetProfile(t *testing.T) {
@@ -3490,6 +3557,18 @@ func TestWACIIssuanceHandler(t *testing.T) {
 			txDataSample := &txnData{
 				IssuerID: profile.ID,
 			}
+
+			tdByte, err := json.Marshal(txDataSample)
+			require.NoError(t, err)
+
+			err = c.txnStore.Put(usrInvitationMapping.TxID, tdByte)
+			require.NoError(t, err)
+
+			testFailure(actionCh, service.NewDIDCommMsgMap(issuecredsvc.ProposeCredentialV2{
+				Type:         issuecredsvc.ProposeCredentialMsgTypeV2,
+				InvitationID: invitationID,
+			}), "failed to validate credential manifest object")
+
 			// credential data error
 			txDataSample.CredScope = mockCredScope
 			tdCredByte, err := json.Marshal(txDataSample)

diff --git a/test/bdd/features/issuer_e2e_waci.feature b/test/bdd/features/issuer_e2e_waci.feature
@@ -14,13 +14,13 @@ Feature: Issuer Adapter e2e with WACI
 
   @issuer_adapter_waci
   Scenario Outline: Issuer adapter features
-    Given Issuer Profile with id "<profileID>", name "<profileName>", issuerURL "<issuerURL>", supportedVCContexts "<supportedVCContexts>", linked wallet "<linkedWallet>" and oidc provider "https://issuer-hydra.trustbloc.local:9044/" with WACI support
-    And   Retrieved profile with id "<profileID>" contains name "<profileName>", issuerURL "<issuerURL>", supportedVCContexts "<supportedVCContexts>", linked wallet "<linkedWallet>" and oidc provider "https://issuer-hydra.trustbloc.local:9044/" with WACI support
-    Then  Issuer adapter shows the wallet connect UI when the issuer "<profileID>" wants to connect to the wallet
+    Given Issuer Profile with id "<profileID>", name "<profileName>", issuerURL "<issuerURL>", supportedVCContexts "<supportedVCContexts>", credScopes "<credScopes>", issuer id "<issuerID>", linked wallet "<linkedWallet>" and oidc provider "https://issuer-hydra.trustbloc.local:9044/" with WACI support
+    And   Retrieved profile with id "<profileID>" contains name "<profileName>", issuerURL "<issuerURL>", supportedVCContexts "<supportedVCContexts>", credScopes "<credScopes>", issuer id "<issuerID>", linked wallet "<linkedWallet>" and oidc provider "https://issuer-hydra.trustbloc.local:9044/" with WACI support
+    Then  Issuer adapter shows the wallet connect UI when the issuer "<profileID>" with cred scope "<credScopes>" wants to connect to the wallet
     And   Issuer adapter ("<profileID>") creates DIDComm connection invitation for "<walletID>"
     And   "<walletID>" accepts invitation from issuer adapter "<profileID>" and performs WACI credential issuance interaction
     And   "<walletID>" received web redirect info from "<profileID>" after successful completion of WACI credential issuance interaction
     Examples:
-      | profileID  | profileName   | issuerURL                          | supportedVCContexts                                                   | linkedWallet                    | walletID  |
-      | prCardWACI | PRCard Issuer | http://mock-issuer.com:9080/prCard | https://trustbloc.github.io/context/vc/examples/citizenship-v1.jsonld | https://example.wallet.com/waci | WalletApp |
+      | profileID  | profileName   | issuerURL                          | supportedVCContexts                                                   | credScopes | issuerID                         | linkedWallet                    | walletID  |
+      | prCardWACI | PRCard Issuer | http://mock-issuer.com:9080/prCard | https://trustbloc.github.io/context/vc/examples/citizenship-v1.jsonld | prc        | did:example:123?linked-domains=3 | https://example.wallet.com/waci | WalletApp |
 
diff --git a/test/bdd/fixtures/adapter-rest/docker-compose.yml b/test/bdd/fixtures/adapter-rest/docker-compose.yml
@@ -27,7 +27,7 @@ services:
       - ADAPTER_REST_EXTERNAL_URL=https://issuer-adapter-rest.trustbloc.local:9070
       - ADAPTER_REST_DID_ANCHOR_ORIGIN=https://testnet.orb.local
       - ADAPTER_REST_CONTEXT_PROVIDER_URL=${CONTEXT_PROVIDER_URL}
-      - ADAPTER_REST_OUTPUT_DESCRIPTORS_FILE=/etc/manifest-config/outputdescriptors.json
+      - ADAPTER_REST_OUTPUT_DESCRIPTORS_FILE=/etc/testdata/manifest-config/outputdescriptors.json
       - ADAPTER_REST_KEY_TYPE=${AGENT_KEY_TYPE}
       - ADAPTER_REST_KEY_AGREEMENT_TYPE=${AGENT_KEY_AGREEMENT_TYPE}
       - ADAPTER_REST_MEDIA_TYPE_PROFILES=${AGENT_MEDIA_TYPE_PROFILES}
@@ -39,7 +39,7 @@ services:
     volumes:
       - ../keys/tls:/etc/tls
       - ../keys/issuer-stores:/etc/store-keys
-      - ./manifest-config:/etc/manifest-config
+      - ../testdata:/etc/testdata
     networks:
       - bdd_net
     depends_on:

diff --git a/...st/manifest-config/outputdescriptors.json → ...ta/manifest-config/outputdescriptors.json b/...st/manifest-config/outputdescriptors.json → ...ta/manifest-config/outputdescriptors.json