Merge pull request #346 from wistefan/did-integration

Did integration

controllers/authregistry/authregistry.js

@@ -114,35 +114,39 @@ const is_matching_policy = function is_matching_policy(policy_mask, policy) {
 
   const resource = policy.target.resource;
 
-  // Check identifiers
-  const id_match = policy_mask.target.resource.identifiers.every((mid) => {
-    return (
-      (resource.identifiers.length === 1 && resource.identifiers.includes('*')) || resource.identifiers.includes(mid)
+  try {
+    // identifiers are optional
+    if(policy_mask.target.resource.identifiers != null) {
+      // Check identifiers
+      const id_match = policy_mask.target.resource.identifiers.every(
+        mid => {return resource.identifiers.length === 1 && resource.identifiers.includes("*") || resource.identifiers.includes(mid);}
+      );
+      if (!id_match) {
+        return false;
+      }
+    }
+    // attributes are optional
+    if(policy_mask.target.resource.attributes != null) {
+      // Check attributes
+      const attributes_match = policy_mask.target.resource.attributes.every(
+        aid => {return resource.attributes.length === 1 && resource.attributes.includes("*") || resource.attributes.includes(aid);}
+      );
+      if (!attributes_match) {
+        return false;
+      }
+    }
+
+    // Check actions
+    return policy_mask.target.actions != null &&
+      policy_mask.target.actions.length > 0 &&
+      policy_mask.target.actions.every(
+        mact => {return policy.target.actions.length === 1 && policy.target.actions.includes("*") || policy.target.actions.includes(mact);}
     );
-  });
-  if (!id_match) {
-    return false;
-  }
 
-  // Check attributes
-  const attributes_match = policy_mask.target.resource.attributes.every((aid) => {
-    return (resource.attributes.length === 1 && resource.attributes.includes('*')) || resource.attributes.includes(aid);
-  });
-  if (!attributes_match) {
+  } catch (error) {
+    debug(`unexpected error ` + error)
     return false;
   }
-
-  // Check actions
-  return (
-    policy_mask.target.actions != null &&
-    policy_mask.target.actions.length > 0 &&
-    policy_mask.target.actions.every((mact) => {
-      return (
-        (policy.target.actions.length === 1 && policy.target.actions.includes('*')) ||
-        policy.target.actions.includes(mact)
-      );
-    })
-  );
 };
 
 const is_denying_permission = function is_denying_permission(policy_mask, policy) {
@@ -298,7 +302,7 @@ const _query_evidences = async function _query_evidences(req, res) {
       };
 
       response_policy_set.policies = policy_set_mask.policies.map((policy_mask, z) => {
-        debug(`    Processing policy ${z} from the current policy set`);
+        debug(`    Processing policy ${z} from the current policy set` + JSON.stringify(policy_set.policies));
         const matching_policies = policy_set.policies.filter((policy) => is_matching_policy(policy_mask, policy));
         return {
           target: policy_mask.target,
@@ -331,7 +335,6 @@ const _query_evidences = async function _query_evidences(req, res) {
     delegationEvidence: evidence // eslint-disable-line snakecase/snakecase
   });
 
-  debug('Delegation evidence processed');
   res.status(200).json({ delegation_token });
 
   return false;

controllers/extparticipant/utils.js

@@ -85,7 +85,6 @@ exports.validate_client_certificate = function validate_client_certificate(chain
   check(errors, exports.verify_certificate_chain(chain), 'Certificate chain cannot be verified.');
   check(errors, cert.signatureOid === forge.pki.oids.sha256WithRSAEncryption, 'Certificate signature invalid');
   check(errors, cert.publicKey.n.bitLength() >= 2048, 'Certificate public key size is smaller than 2048');
-  check(errors, cert.serialNumber != null && cert.serialNumber.trim() !== '', 'Certificate has no serial number');
 
   const key_usage = cert.getExtension('keyUsage');
   const digital_only = key_usage.digitalSignature && !(key_usage.keyCertSign || key_usage.cRLSign);
@@ -161,19 +160,6 @@ exports.validate_jwt = async function validate_jwt(credentials, client_id) {
     return forge.pki.certificateFromPem('-----BEGIN CERTIFICATE-----' + cert + '-----END CERTIFICATE-----');
   });
 
-  const serial_number_field = fullchain[0].subject.getField({ name: 'serialNumber' });
-  if (serial_number_field == null) {
-    // JWT iss parameter does not match the serialNumber field of the signer certificate
-    throw new Error('Issuer certificate serialNumber parameter is missing');
-  }
-
-  const cert_serial_number = serial_number_field.value;
-  if (payload.iss !== cert_serial_number) {
-    // JWT iss parameter does not match the serialNumber field of the signer certificate
-    throw new Error(
-      `Issuer certificate serialNumber parameter does not match jwt iss parameter (${payload.iss} != ${cert_serial_number})`
-    );
-  }
   await exports.validate_client_certificate(fullchain);
 
   return { payload, fullchain };
@@ -414,4 +400,4 @@ const get_trusted_list = (function () {
       return trusted_list;
     }
   };
-})();
+})();

migrations/202309190008-IncreaseClientId.js

@@ -0,0 +1,33 @@
+module.exports = {
+  up(queryInterface, Sequelize) {
+    return queryInterface.changeColumn(
+      'oauth_client',
+      'id',
+      {
+          type: Sequelize.STRING(255), 
+          unique: true,
+          primaryKey: true,
+      }).then(() =>
+      queryInterface.changeColumn('oauth_access_token', 'oauth_client_id', 
+      {
+        type: Sequelize.STRING(255), 
+        onDelete: 'CASCADE',
+        references: {
+          model: 'oauth_client',
+          key: 'id',
+        },
+      })
+    );
+  },
+
+  down(queryInterface, Sequelize) {
+    return queryInterface.changeColumn(
+      'oauth_client',
+      'id',
+      {
+          type: Sequelize.STRING(36), 
+          unique: true,
+          primaryKey: true,
+      });
+  },
+};

models/oauth2/oauth_client.js

@@ -7,7 +7,7 @@ module.exports = function (sequelize, DataTypes) {
     'OauthClient',
     {
       id: {
-        type: DataTypes.UUID,
+        type: DataTypes.STRING(255),
         defaultValue: DataTypes.UUIDV4,
         primaryKey: true
       },