Merge branch 'refs/heads/master' into fix/internal_external_ports

* refs/heads/master: (71 commits)
  Remove nonce from default Request Object params (#3125)
  Burn nonce type SessionStore entries after first use (#3123)
  Crypto: alter Storage interface to create keys inside key store (#3120)
  Crypto: let Exists() return an error if one occurs (#3127)
  Bump github.com/nats-io/nats-server/v2 from 2.10.14 to 2.10.15 (#3121)
  Bump github.com/nats-io/nats.go from 1.34.1 to 1.35.0 (#3122)
  Bump google.golang.org/grpc from 1.63.2 to 1.64.0 (#3119)
  Bump azure/setup-helm from 3.5 to 4 (#3050)
  cleanup oauth constants (#3117)
  prevent panic (#3118)
  Support request_uri_method=post (#3102)
  add GetAndDelete to SessionStore (#3116)
  bugfix: redirect browser instead of returning error when requested scope is unknown (3104) (#3113)
  SQL: Fix SQL Server e2e test connection strings (#3112)
  Docs: updated v6 release notes to include missing stuff (#3108)
  IAM: nil deref when re-using same user session (#3106)
  cleanup metadata (#3103)
  Docs: fixed MySql example DSN (#3110)
  Change tag in discovery service to simple lamport clock value (int) (#3098)
  e2e tests: have Nuts containers wait for DB container healthy (#3109)
  ...

# Conflicts:
#	charts/nuts-node/values.yaml

.codeclimate.yml

@@ -16,7 +16,9 @@ exclude_patterns:
   - "**/mock.go"
   - "**/*_mock.go"
   - "docs/**/*.go"
+  - "codegen/**/*.go"
   - "**/*.pb.go"
+  - "e2e-tests/**/*.go"
 plugins:
   gofmt:
     enabled: true

.github/workflows/helm-chart-release.yaml

@@ -20,7 +20,7 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Install Helm
-        uses: azure/setup-helm@v3.5
+        uses: azure/setup-helm@v4
         with:
           version: v3.8.0
 

.golangci.yml

@@ -0,0 +1,9 @@
+run:
+  tests: false
+issues:
+  exclude-files:
+    - ".*/generated.go"
+    - ".*/.*_test.go"
+    - ".*/test.go"
+    - "docs/.*"
+    - "codegen/.*"

Dockerfile

@@ -1,5 +1,5 @@
 # golang alpine
-FROM golang:1.22.2-alpine as builder
+FROM golang:1.22.3-alpine as builder
 
 ARG TARGETARCH
 ARG TARGETOS
@@ -25,7 +25,7 @@ COPY go.sum .
 RUN go mod download && go mod verify
 
 COPY . .
-RUN CGO_ENABLED=1 CGO_CFLAGS="-D_LARGEFILE64_SOURCE" GOOS=$TARGETOS GOARCH=$TARGETARCH go build -ldflags="-w -s -X 'github.com/nuts-foundation/nuts-node/core.GitCommit=${GIT_COMMIT}' -X 'github.com/nuts-foundation/nuts-node/core.GitBranch=${GIT_BRANCH}' -X 'github.com/nuts-foundation/nuts-node/core.GitVersion=${GIT_VERSION}'" -o /opt/nuts/nuts
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -ldflags="-w -s -X 'github.com/nuts-foundation/nuts-node/core.GitCommit=${GIT_COMMIT}' -X 'github.com/nuts-foundation/nuts-node/core.GitBranch=${GIT_BRANCH}' -X 'github.com/nuts-foundation/nuts-node/core.GitVersion=${GIT_VERSION}'" -o /opt/nuts/nuts
 
 # alpine
 FROM alpine:3.19.1

auth/api/auth/v1/api_test.go

@@ -598,7 +598,7 @@ func TestWrapper_CreateAccessToken(t *testing.T) {
 		params := CreateAccessTokenRequest{GrantType: "urn:ietf:params:oauth:grant-type:jwt-bearer", Assertion: validJwt}
 
 		in800000 := 800000
-		pkgResponse := &oauth2.TokenResponse{AccessToken: "foo", ExpiresIn: &in800000}
+		pkgResponse := oauth2.NewTokenResponse("foo", "Bearer", in800000, "")
 		ctx.authzServerMock.EXPECT().CreateAccessToken(gomock.Any(), services.CreateAccessTokenRequest{RawJwtBearerToken: validJwt}).Return(pkgResponse, nil)
 
 		expectedResponse := CreateAccessToken200JSONResponse{

auth/api/iam/access_token.go

@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2024 Nuts community
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ */
+
+package iam
+
+import (
+	"fmt"
+	"github.com/nuts-foundation/go-did/did"
+	"github.com/nuts-foundation/nuts-node/auth/oauth"
+	"github.com/nuts-foundation/nuts-node/crypto"
+	"time"
+
+	"github.com/nuts-foundation/nuts-node/crypto/dpop"
+	"github.com/nuts-foundation/nuts-node/vcr/pe"
+)
+
+type AccessToken struct {
+	// DPoP is the proof-of-possession of the key for the DID of the entity requesting the access token.
+	DPoP *dpop.DPoP `json:"dpop"`
+	// Token is the access token
+	Token string `json:"token"`
+	// Issuer and Subject of a token are always the same.
+	Issuer string `json:"issuer"`
+	// TODO: should client_id be extracted to the PDPMap using the presentation definition?
+	// ClientId is the DID of the entity requesting the access token. The Client needs to proof its id through proof-of-possession of the key for the DID.
+	ClientId string `json:"client_id"`
+	// IssuedAt is the time the token is issued
+	IssuedAt time.Time `json:"issued_at"`
+	// Expiration is the time the token expires
+	Expiration time.Time `json:"expiration"`
+	// Scope the token grants access to. Not necessarily the same as the requested scope
+	Scope string `json:"scope"`
+	// InputDescriptorConstraintIdMap maps the ID field of a PresentationDefinition input descriptor constraint to the value provided in the VPToken for the constraint.
+	// The Policy Decision Point can use this map to make decisions without having to deal with PEX/VCs/VPs/SignatureValidation
+	InputDescriptorConstraintIdMap map[string]any `json:"inputdescriptor_constraint_id_map,omitempty"`
+
+	// additional fields to support unforeseen policy decision requirements
+
+	// VPToken contains the VPs provided in the 'assertion' field of the s2s AT request.
+	VPToken []VerifiablePresentation `json:"vp_token,omitempty"`
+	// PresentationSubmissions as provided in by the wallet to fulfill the required Presentation Definition(s).
+	PresentationSubmissions map[string]pe.PresentationSubmission `json:"presentation_submissions,omitempty"`
+	// PresentationDefinitions that were required by the verifier to fulfill the request.
+	PresentationDefinitions pe.WalletOwnerMapping `json:"presentation_definitions,omitempty"`
+}
+
+// createAccessToken is used in both the s2s and openid4vp flows
+func (r Wrapper) createAccessToken(issuer did.DID, walletDID did.DID, issueTime time.Time, scope string, pexState PEXConsumer, dpopToken *dpop.DPoP) (*oauth.TokenResponse, error) {
+	credentialMap, err := pexState.credentialMap()
+	if err != nil {
+		return nil, err
+	}
+	fieldsMap, err := resolveInputDescriptorValues(pexState.RequiredPresentationDefinitions, credentialMap)
+	if err != nil {
+		return nil, err
+	}
+
+	accessToken := AccessToken{
+		DPoP:                           dpopToken,
+		Token:                          crypto.GenerateNonce(),
+		Issuer:                         issuer.String(),
+		IssuedAt:                       issueTime,
+		ClientId:                       walletDID.String(),
+		Expiration:                     issueTime.Add(accessTokenValidity),
+		Scope:                          scope,
+		PresentationSubmissions:        pexState.Submissions,
+		PresentationDefinitions:        pexState.RequiredPresentationDefinitions,
+		InputDescriptorConstraintIdMap: fieldsMap,
+	}
+	for _, envelope := range pexState.SubmittedEnvelopes {
+		accessToken.VPToken = append(accessToken.VPToken, envelope.Presentations...)
+	}
+
+	err = r.accessTokenServerStore().Put(accessToken.Token, accessToken)
+	if err != nil {
+		return nil, fmt.Errorf("unable to store access token: %w", err)
+	}
+	expiresIn := int(accessTokenValidity.Seconds())
+	tokenType := AccessTokenTypeDPoP
+	if dpopToken == nil {
+		tokenType = AccessTokenTypeBearer
+	}
+	return &oauth.TokenResponse{
+		AccessToken: accessToken.Token,
+		ExpiresIn:   &expiresIn,
+		Scope:       &scope,
+		TokenType:   tokenType,
+	}, nil
+}