Discovery: update client copy of Discovery Services

Author: reinkrul

README.rst

@@ -14,13 +14,15 @@ type clientUpdater struct {
 	services map[string]ServiceDefinition
 	store    *sqlStore
 	client   client.HTTPClient
+	verifier registrationVerifier
 }
 
-func newClientUpdater(services map[string]ServiceDefinition, store *sqlStore, client client.HTTPClient) *clientUpdater {
+func newClientUpdater(services map[string]ServiceDefinition, store *sqlStore, verifier registrationVerifier, client client.HTTPClient) *clientUpdater {
 	return &clientUpdater{
 		services: services,
 		store:    store,
 		client:   client,
+		verifier: verifier,
 	}
 }
 
@@ -67,8 +69,12 @@ func (u *clientUpdater) updateService(ctx context.Context, service ServiceDefini
 	newTagStr := new(Tag)
 	*newTagStr = Tag(*newTag)
 	for _, presentation := range presentations {
+		if err := u.verifier.verifyRegistration(service, presentation); err != nil {
+			log.Logger().WithError(err).Warnf("Presentation verification failed, not adding it (service=%s, id=%s)", service.ID, presentation.ID)
+			continue
+		}
 		if err := u.store.add(service.ID, presentation, newTagStr); err != nil {
-			return fmt.Errorf("failed to store presentation (id=%s): %w", presentation.ID, err)
+			return fmt.Errorf("failed to store presentation (service=%s, id=%s): %w", service.ID, presentation.ID, err)
 		}
 	}
 	return nil

discovery/client.go

@@ -33,5 +33,7 @@ func FlagSet() *pflag.FlagSet {
 	flagSet.StringSlice("discovery.server.definition_ids", defs.Server.DefinitionIDs,
 		"IDs of the Discovery Service Definitions for which to act as server. "+
 			"If an ID does not map to a loaded service definition, the node will fail to start.")
+	flagSet.Duration("discovery.client.update_interval", defs.Client.UpdateInterval, "How often to check for Discovery Services updates, "+
+		"specified as Golang duration (e.g. 1m, 1h30m).")
 	return flagSet
 }

discovery/cmd/cmd.go

@@ -18,9 +18,12 @@
 
 package discovery
 
+import "time"
+
 // Config holds the config of the module
 type Config struct {
 	Server      ServerConfig             `koanf:"server"`
+	Client      ClientConfig             `koanf:"client"`
 	Definitions ServiceDefinitionsConfig `koanf:"definitions"`
 }
 
@@ -35,10 +38,19 @@ type ServerConfig struct {
 	DefinitionIDs []string `koanf:"definition_ids"`
 }
 
+// ClientConfig holds the config for the client
+type ClientConfig struct {
+	// UpdateInterval specifies how often the client should update the Discovery Services.
+	UpdateInterval time.Duration `koanf:"update_interval"`
+}
+
 // DefaultConfig returns the default configuration.
 func DefaultConfig() Config {
 	return Config{
 		Server: ServerConfig{},
+		Client: ClientConfig{
+			UpdateInterval: 1 * time.Minute,
+		},
 	}
 }
 

discovery/config.go

@@ -108,3 +108,7 @@ type SearchResult struct {
 	// It only includes constraint fields that have an ID.
 	Fields map[string]interface{} `json:"fields"`
 }
+
+type registrationVerifier interface {
+	verifyRegistration(definition ServiceDefinition, presentation vc.VerifiablePresentation) error
+}

discovery/interface.go

@@ -122,11 +122,11 @@ func (m *Module) Start() error {
 	if err != nil {
 		return err
 	}
-	m.clientUpdater = newClientUpdater(m.serverDefinitions, m.store, m.httpClient)
+	m.clientUpdater = newClientUpdater(m.serverDefinitions, m.store, m, m.httpClient)
 	m.routines.Add(1)
 	go func() {
 		defer m.routines.Done()
-		m.clientUpdater.update(m.ctx, 10*time.Second)
+		m.clientUpdater.update(m.ctx, m.config.Client.UpdateInterval)
 	}()
 	return nil
 }
@@ -150,11 +150,13 @@ func (m *Module) Add(serviceID string, presentation vc.VerifiablePresentation) e
 	if !isServer {
 		return ErrServerModeDisabled
 	}
-	return m.add(definition, presentation)
+	if err := m.verifyRegistration(definition, presentation); err != nil {
+		return err
+	}
+	return m.store.add(definition.ID, presentation, nil)
 }
 
-// add validates the presentation and adds it to the store, if all checks pass.
-func (m *Module) add(definition ServiceDefinition, presentation vc.VerifiablePresentation) error {
+func (m *Module) verifyRegistration(definition ServiceDefinition, presentation vc.VerifiablePresentation) error {
 	// First, simple sanity checks
 	if presentation.Format() != vc.JWTPresentationProofFormat {
 		return errors.Join(ErrInvalidPresentation, errUnsupportedPresentationFormat)
@@ -200,7 +202,7 @@ func (m *Module) add(definition ServiceDefinition, presentation vc.VerifiablePre
 	if err != nil {
 		return errors.Join(ErrInvalidPresentation, fmt.Errorf("presentation verification failed: %w", err))
 	}
-	return m.store.add(definition.ID, presentation, nil)
+	return nil
 }
 
 func (m *Module) validateRegistration(definition ServiceDefinition, presentation vc.VerifiablePresentation) error {

discovery/mock.go

@@ -29,6 +29,7 @@ The following options apply to the server commands below:
       --crypto.vault.timeout duration                 Timeout of client calls to Vault, in Golang time.Duration string format (e.g. 1s). (default 5s)
       --crypto.vault.token string                     The Vault token. If set it overwrites the VAULT_TOKEN env var.
       --datadir string                                Directory where the node stores its files. (default "./data")
+      --discovery.client.update_interval duration     How often to check for Discovery Services updates, specified as Golang duration (e.g. 1m, 1h30m). (default 1m0s)
       --discovery.definitions.directory string        Directory to load Discovery Service Definitions from. If not set, the discovery service will be disabled. If the directory contains JSON files that can't be parsed as service definition, the node will fail to start.
       --discovery.server.definition_ids strings       IDs of the Discovery Service Definitions for which to act as server. If an ID does not map to a loaded service definition, the node will fail to start.
       --events.nats.hostname string                   Hostname for the NATS server (default "0.0.0.0")
@@ -45,7 +46,7 @@ The following options apply to the server commands below:
       --http.default.log string                       What to log about HTTP requests. Options are 'nothing', 'metadata' (log request method, URI, IP and response code), and 'metadata-and-body' (log the request and response body, in addition to the metadata). (default "metadata")
       --http.default.tls string                       Whether to enable TLS for the default interface, options are 'disabled', 'server', 'server-client'. Leaving it empty is synonymous to 'disabled',
       --internalratelimiter                           When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. (default true)
-      --jsonld.contexts.localmapping stringToString   This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. (default [https://schema.org=assets/contexts/schema-org-v13.ldjson,https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://w3id.org/vc/status-list/2021/v1=assets/contexts/w3c-statuslist2021.ldjson])
+      --jsonld.contexts.localmapping stringToString   This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. (default [https://schema.org=assets/contexts/schema-org-v13.ldjson,https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3id.org/vc/status-list/2021/v1=assets/contexts/w3c-statuslist2021.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson])
       --jsonld.contexts.remoteallowlist strings       In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. (default [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json,https://w3id.org/vc/status-list/2021/v1])
       --loggerformat string                           Log format (text, json) (default "text")
       --network.bootstrapnodes strings                List of bootstrap nodes ('<host>:<port>') which the node initially connect to.