Always support did:jwk, web, x509 and key when verifying VCs

reinkrul · reinkrul · commit 1198e7353c36 · 2024-11-19T18:03:30.000+01:00
diff --git a/auth/auth.go b/auth/auth.go
@@ -23,10 +23,16 @@ import (
 	"errors"
 	"github.com/nuts-foundation/nuts-node/auth/client/iam"
 	"github.com/nuts-foundation/nuts-node/vdr"
+	"github.com/nuts-foundation/nuts-node/vdr/didjwk"
+	"github.com/nuts-foundation/nuts-node/vdr/didkey"
+	"github.com/nuts-foundation/nuts-node/vdr/didnuts"
 	"github.com/nuts-foundation/nuts-node/vdr/didsubject"
+	"github.com/nuts-foundation/nuts-node/vdr/didweb"
+	"github.com/nuts-foundation/nuts-node/vdr/didx509"
 	"github.com/nuts-foundation/nuts-node/vdr/resolver"
 	"net/url"
 	"path"
+	"slices"
 	"time"
 
 	"github.com/nuts-foundation/nuts-node/auth/services"
@@ -46,23 +52,25 @@ var _ AuthenticationServices = (*Auth)(nil)
 
 // Auth is the main struct of the Auth service
 type Auth struct {
-	config              Config
-	jsonldManager       jsonld.JSONLD
-	authzServer         oauth.AuthorizationServer
-	relyingParty        oauth.RelyingParty
-	contractNotary      services.ContractNotary
-	serviceResolver     didman.CompoundServiceResolver
-	keyStore            crypto.KeyStore
-	vcr                 vcr.VCR
-	pkiProvider         pki.Provider
-	shutdownFunc        func()
-	vdrInstance         vdr.VDR
-	publicURL           *url.URL
-	strictMode          bool
-	httpClientTimeout   time.Duration
-	tlsConfig           *tls.Config
-	subjectManager      didsubject.Manager
-	supportedDIDMethods []string
+	config            Config
+	jsonldManager     jsonld.JSONLD
+	authzServer       oauth.AuthorizationServer
+	relyingParty      oauth.RelyingParty
+	contractNotary    services.ContractNotary
+	serviceResolver   didman.CompoundServiceResolver
+	keyStore          crypto.KeyStore
+	vcr               vcr.VCR
+	pkiProvider       pki.Provider
+	shutdownFunc      func()
+	vdrInstance       vdr.VDR
+	publicURL         *url.URL
+	strictMode        bool
+	httpClientTimeout time.Duration
+	tlsConfig         *tls.Config
+	subjectManager    didsubject.Manager
+	// configuredDIDMethods contains the DID methods that are configured in the Nuts node,
+	// of which VDR will create DIDs.
+	configuredDIDMethods []string
 }
 
 // Name returns the name of the module.
@@ -137,7 +145,7 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
 		return err
 	}
 
-	auth.supportedDIDMethods = config.DIDMethods
+	auth.configuredDIDMethods = config.DIDMethods
 
 	auth.contractNotary = notary.NewNotary(notary.Config{
 		PublicURL:             auth.publicURL.String(),
@@ -179,7 +187,13 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
 }
 
 func (auth *Auth) SupportedDIDMethods() []string {
-	return append(auth.supportedDIDMethods, "x509")
+	// DID methods that don't require additional resources/configuration in the Nuts node are always supported.
+	// Other DID methods (did:nuts), are only supported if explicitly enabled.
+	result := []string{didweb.MethodName, didjwk.MethodName, didkey.MethodName, didx509.MethodName}
+	if slices.Contains(auth.configuredDIDMethods, didnuts.MethodName) {
+		result = append(result, didnuts.MethodName)
+	}
+	return result
 }
 
 // Start starts the Auth engine (Noop)
diff --git a/auth/auth_test.go b/auth/auth_test.go
@@ -125,3 +125,22 @@ func TestAuth_IAMClient(t *testing.T) {
 	})
 
 }
+
+func TestAuth_SupportedDIDMethods(t *testing.T) {
+	t.Run("supports did:web", func(t *testing.T) {
+		assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "web")
+	})
+	t.Run("supports did:key", func(t *testing.T) {
+		assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "key")
+	})
+	t.Run("supports did:x509", func(t *testing.T) {
+		assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "x509")
+	})
+	t.Run("supports did:jwk", func(t *testing.T) {
+		assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "jwk")
+	})
+	t.Run("supports did:nuts if configured", func(t *testing.T) {
+		assert.NotContains(t, (&Auth{}).SupportedDIDMethods(), "nuts")
+		assert.Contains(t, (&Auth{configuredDIDMethods: []string{"nuts"}}).SupportedDIDMethods(), "nuts")
+	})
+}
diff --git a/auth/interface.go b/auth/interface.go
@@ -42,6 +42,6 @@ type AuthenticationServices interface {
 	PublicURL() *url.URL
 	// AuthorizationEndpointEnabled returns whether the v2 API's OAuth2 Authorization Endpoint is enabled.
 	AuthorizationEndpointEnabled() bool
-	// SupportedDIDMethods list the DID methods configured for the nuts node in preferred order.
+	// SupportedDIDMethods lists the DID methods the Nuts node can resolve.
 	SupportedDIDMethods() []string
 }

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,6 @@ type AuthenticationServices interface {`
`42`	`42`	`PublicURL() *url.URL`
`43`	`43`	`// AuthorizationEndpointEnabled returns whether the v2 API's OAuth2 Authorization Endpoint is enabled.`
`44`	`44`	`AuthorizationEndpointEnabled() bool`
`45`		`- // SupportedDIDMethods list the DID methods configured for the nuts node in preferred order.`
	`45`	`+ // SupportedDIDMethods lists the DID methods the Nuts node can resolve.`
`46`	`46`	`SupportedDIDMethods() []string`
`47`	`47`	`}`