refactor: Refactor CSL event handler (#1812)

Extract the code that retrieves/signs CSLs into a separate service. Signed-off-by: Bob Stasyszyn <bob.stasyszyn@gendigital.com>
trustbloc · Dec 4, 2024 · e63d8b2 · e63d8b2
1 parent 017b029
commit e63d8b2
Show file tree

Hide file tree

Showing 9 changed files with 919 additions and 785 deletions.
diff --git a/cmd/vc-rest/startcmd/start.go b/cmd/vc-rest/startcmd/start.go
@@ -91,6 +91,7 @@ import (
 	"github.com/trustbloc/vcs/pkg/service/clientidscheme"
 	clientmanagersvc "github.com/trustbloc/vcs/pkg/service/clientmanager"
 	credentialstatustypes "github.com/trustbloc/vcs/pkg/service/credentialstatus"
+	"github.com/trustbloc/vcs/pkg/service/credentialstatus/cslservice"
 	"github.com/trustbloc/vcs/pkg/service/didconfiguration"
 	"github.com/trustbloc/vcs/pkg/service/issuecredential"
 	"github.com/trustbloc/vcs/pkg/service/oidc4ci"
@@ -580,17 +581,21 @@ func buildEchoHandler(
 		return nil, err
 	}
 
+	cslService := cslservice.New(&cslservice.Config{
+		CSLStore:       cslVCStore,
+		ProfileService: issuerProfileSvc,
+		KMSRegistry:    kmsRegistry,
+		Crypto:         vcCrypto,
+		DocumentLoader: documentLoader,
+	})
+
 	// Create event service
 	eventSvc, err := event.Initialize(event.Config{
 		TLSConfig:      tlsConfig,
 		CMD:            cmd,
-		CSLVCStore:     cslVCStore,
-		ProfileService: issuerProfileSvc,
-		KMSRegistry:    kmsRegistry,
-		Crypto:         vcCrypto,
 		Tracer:         conf.Tracer,
 		IsTraceEnabled: conf.IsTraceEnabled,
-		DocumentLoader: documentLoader,
+		CSLService:     cslService,
 	})
 	if err != nil {
 		return nil, err
@@ -606,6 +611,7 @@ func buildEchoHandler(
 		RequestTokens:                  conf.StartupParameters.requestTokens,
 		DocumentLoader:                 documentLoader,
 		CSLVCStore:                     cslVCStore,
+		CSLIndexStore:                  cslIndexStore,
 		CSLManager:                     cslManager,
 		VCStatusStore:                  vcStatusStore,
 		ProfileService:                 issuerProfileSvc,

diff --git a/component/credentialstatus/credentialstatus_service.go b/component/credentialstatus/credentialstatus_service.go
@@ -93,6 +93,7 @@ type Config struct {
 	RequestTokens                  map[string]string
 	VDR                            vdrapi.Registry
 	CSLVCStore                     credentialstatus.CSLVCStore
+	CSLIndexStore                  credentialstatus.CSLIndexStore
 	CSLManager                     cslManager
 	VCStatusStore                  vcStatusStore
 	Crypto                         vcCrypto
@@ -111,6 +112,7 @@ type Service struct {
 	requestTokens                  map[string]string
 	vdr                            vdrapi.Registry
 	cslVCStore                     credentialstatus.CSLVCStore
+	cslIndexStore                  credentialstatus.CSLIndexStore
 	cslMgr                         cslManager
 	vcStatusStore                  vcStatusStore
 	crypto                         vcCrypto
@@ -131,6 +133,7 @@ func New(config *Config) (*Service, error) {
 		requestTokens:                  config.RequestTokens,
 		vdr:                            config.VDR,
 		cslVCStore:                     config.CSLVCStore,
+		cslIndexStore:                  config.CSLIndexStore,
 		cslMgr:                         config.CSLManager,
 		vcStatusStore:                  config.VCStatusStore,
 		crypto:                         config.Crypto,

diff --git a/component/credentialstatus/credentialstatus_service_test.go b/component/credentialstatus/credentialstatus_service_test.go
@@ -44,6 +44,7 @@ import (
 	"github.com/trustbloc/vcs/pkg/event/spi"
 	profileapi "github.com/trustbloc/vcs/pkg/profile"
 	"github.com/trustbloc/vcs/pkg/service/credentialstatus"
+	"github.com/trustbloc/vcs/pkg/service/credentialstatus/cslservice"
 	"github.com/trustbloc/vcs/pkg/service/credentialstatus/eventhandler"
 )
 
@@ -387,13 +388,17 @@ func TestCredentialStatusList_UpdateVCStatus(t *testing.T) {
 			})
 		require.NoError(t, err)
 
+		cslService := cslservice.New(&cslservice.Config{
+			CSLStore:       cslVCStore,
+			ProfileService: mockProfileSrv,
+			KMSRegistry:    mockKMSRegistry,
+			Crypto:         crypto,
+			DocumentLoader: loader,
+		})
+
 		mockEventPublisher := &mockedEventPublisher{
 			eventHandler: eventhandler.New(&eventhandler.Config{
-				CSLVCStore:     cslVCStore,
-				ProfileService: mockProfileSrv,
-				KMSRegistry:    mockKMSRegistry,
-				Crypto:         crypto,
-				DocumentLoader: loader,
+				CSLService: cslService,
 			}),
 		}
 
@@ -820,13 +825,17 @@ func TestCredentialStatusList_UpdateVCStatus(t *testing.T) {
 
 		require.NoError(t, err)
 
+		cslService := cslservice.New(&cslservice.Config{
+			CSLStore:       cslVCStore,
+			ProfileService: mockProfileSrv,
+			KMSRegistry:    mockKMSRegistry,
+			Crypto:         crypto,
+			DocumentLoader: loader,
+		})
+
 		mockEventPublisher := &mockedEventPublisher{
 			eventHandler: eventhandler.New(&eventhandler.Config{
-				CSLVCStore:     cslVCStore,
-				ProfileService: mockProfileSrv,
-				KMSRegistry:    mockKMSRegistry,
-				Crypto:         crypto,
-				DocumentLoader: loader,
+				CSLService: cslService,
 			}),
 		}
 

diff --git a/component/event/bus.go b/component/event/bus.go
@@ -11,20 +11,14 @@ import (
 	"crypto/tls"
 	"sync"
 
-	"github.com/piprate/json-gold/ld"
 	"github.com/spf13/cobra"
 	"github.com/trustbloc/logutil-go/pkg/log"
-	"github.com/trustbloc/vc-go/verifiable"
 	"go.opentelemetry.io/otel/trace"
 
 	"github.com/trustbloc/vcs/internal/logfields"
-	"github.com/trustbloc/vcs/pkg/doc/vc"
-	vccrypto "github.com/trustbloc/vcs/pkg/doc/vc/crypto"
 	"github.com/trustbloc/vcs/pkg/event/spi"
-	vcskms "github.com/trustbloc/vcs/pkg/kms"
 	"github.com/trustbloc/vcs/pkg/lifecycle"
-	profileapi "github.com/trustbloc/vcs/pkg/profile"
-	"github.com/trustbloc/vcs/pkg/service/credentialstatus"
+	"github.com/trustbloc/vcs/pkg/service/credentialstatus/eventhandler"
 )
 
 var logger = log.New("event-bus")
@@ -33,30 +27,13 @@ const (
 	defaultBufferSize = 250
 )
 
-type profileService interface {
-	GetProfile(profileID profileapi.ID, profileVersion profileapi.Version) (*profileapi.Issuer, error)
-}
-
-type kmsRegistry interface {
-	GetKeyManager(config *vcskms.Config) (vcskms.VCSKeyManager, error)
-}
-
-type vcCrypto interface {
-	SignCredential(signerData *vc.Signer, vc *verifiable.Credential,
-		opts ...vccrypto.SigningOpts) (*verifiable.Credential, error)
-}
-
 // Config holds the configuration for the publisher/subscriber.
 type Config struct {
 	TLSConfig      *tls.Config
 	CMD            *cobra.Command
-	CSLVCStore     credentialstatus.CSLVCStore
-	ProfileService profileService
-	KMSRegistry    kmsRegistry
-	Crypto         vcCrypto
 	Tracer         trace.Tracer
 	IsTraceEnabled bool
-	DocumentLoader ld.DocumentLoader
+	CSLService     eventhandler.CSLService
 }
 
 // Bus implements a publisher/subscriber using Go channels. This implementation

diff --git a/component/event/event.go b/component/event/event.go
@@ -64,11 +64,7 @@ func Initialize(cfg Config) (*Bus, error) {
 	}
 
 	service := credentialstatuseventhandler.New(&credentialstatuseventhandler.Config{
-		CSLVCStore:     cfg.CSLVCStore,
-		ProfileService: cfg.ProfileService,
-		KMSRegistry:    cfg.KMSRegistry,
-		Crypto:         cfg.Crypto,
-		DocumentLoader: cfg.DocumentLoader,
+		CSLService: cfg.CSLService,
 	})
 
 	var credentialStatusEventHandler eventHandlerWithContext = service.HandleEvent

diff --git a/pkg/service/credentialstatus/cslservice/cslservice.go b/pkg/service/credentialstatus/cslservice/cslservice.go
@@ -0,0 +1,201 @@
+/*
+Copyright Gen Digital Inc. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package cslservice
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/piprate/json-gold/ld"
+	"github.com/trustbloc/vc-go/dataintegrity/models"
+	"github.com/trustbloc/vc-go/verifiable"
+
+	"github.com/trustbloc/vcs/pkg/doc/vc"
+	vccrypto "github.com/trustbloc/vcs/pkg/doc/vc/crypto"
+	vcsverifiable "github.com/trustbloc/vcs/pkg/doc/verifiable"
+	vcskms "github.com/trustbloc/vcs/pkg/kms"
+	profileapi "github.com/trustbloc/vcs/pkg/profile"
+	"github.com/trustbloc/vcs/pkg/service/credentialstatus"
+)
+
+//go:generate mockgen -destination cslservice_mocks_test.go -self_package mocks -package cslservice -source=cslservice.go -mock_names profileService=MockProfileService,kmsRegistry=MockKMSRegistry
+
+const (
+	defaultRepresentation = "jws"
+
+	jsonKeyProofValue         = "proofValue"
+	jsonKeyProofPurpose       = "proofPurpose"
+	jsonKeyVerificationMethod = "verificationMethod"
+	jsonKeySignatureOfType    = "type"
+)
+
+type profileService interface {
+	GetProfile(profileID profileapi.ID, profileVersion profileapi.Version) (*profileapi.Issuer, error)
+}
+
+type kmsRegistry interface {
+	GetKeyManager(config *vcskms.Config) (vcskms.VCSKeyManager, error)
+}
+
+type vcCrypto interface {
+	SignCredential(signerData *vc.Signer, vc *verifiable.Credential,
+		opts ...vccrypto.SigningOpts) (*verifiable.Credential, error)
+}
+
+type Config struct {
+	CSLStore       credentialstatus.CSLVCStore
+	ProfileService profileService
+	KMSRegistry    kmsRegistry
+	Crypto         vcCrypto
+	DocumentLoader ld.DocumentLoader
+}
+
+type Service struct {
+	cslStore       credentialstatus.CSLVCStore
+	profileService profileService
+	kmsRegistry    kmsRegistry
+	crypto         vcCrypto
+	documentLoader ld.DocumentLoader
+}
+
+func New(cfg *Config) *Service {
+	return &Service{
+		cslStore:       cfg.CSLStore,
+		profileService: cfg.ProfileService,
+		kmsRegistry:    cfg.KMSRegistry,
+		crypto:         cfg.Crypto,
+		documentLoader: cfg.DocumentLoader,
+	}
+}
+
+func (s *Service) SignCSL(profileID, profileVersion string, csl *verifiable.Credential) ([]byte, error) {
+	issuerProfile, err := s.profileService.GetProfile(profileID, profileVersion)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get profile: %w", err)
+	}
+
+	keyManager, err := s.kmsRegistry.GetKeyManager(issuerProfile.KMSConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get KMS: %w", err)
+	}
+
+	signer := &vc.Signer{
+		Format:                  issuerProfile.VCConfig.Format,
+		DID:                     issuerProfile.SigningDID.DID,
+		Creator:                 issuerProfile.SigningDID.Creator,
+		KMSKeyID:                issuerProfile.SigningDID.KMSKeyID,
+		SignatureType:           issuerProfile.VCConfig.SigningAlgorithm,
+		KeyType:                 issuerProfile.VCConfig.KeyType,
+		KMS:                     keyManager,
+		SignatureRepresentation: issuerProfile.VCConfig.SignatureRepresentation,
+		VCStatusListType:        issuerProfile.VCConfig.Status.Type,
+		SDJWT:                   vc.SDJWT{Enable: false},
+		DataIntegrityProof:      issuerProfile.VCConfig.DataIntegrityProof,
+	}
+
+	signOpts, err := prepareSigningOpts(signer, csl.Proofs())
+	if err != nil {
+		return nil, fmt.Errorf("prepareSigningOpts failed: %w", err)
+	}
+
+	signedCredential, err := s.crypto.SignCredential(signer, csl, signOpts...)
+	if err != nil {
+		return nil, fmt.Errorf("sign CSL failed: %w", err)
+	}
+
+	return signedCredential.MarshalJSON()
+}
+
+func (s *Service) GetCSLVCWrapper(ctx context.Context, cslURL string) (*credentialstatus.CSLVCWrapper, error) {
+	vcWrapper, err := s.cslStore.Get(ctx, cslURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get CSL from store: %w", err)
+	}
+
+	cslVC, err := verifiable.ParseCredential(vcWrapper.VCByte,
+		verifiable.WithDisabledProofCheck(),
+		verifiable.WithJSONLDDocumentLoader(s.documentLoader))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse CSL: %w", err)
+	}
+
+	vcWrapper.VC = cslVC
+
+	return vcWrapper, nil
+}
+
+func (s *Service) UpsertCSLVCWrapper(ctx context.Context, cslURL string, wrapper *credentialstatus.CSLVCWrapper) error {
+	if err := s.cslStore.Upsert(ctx, cslURL, wrapper); err != nil {
+		return fmt.Errorf("failed to upsert CSL: %w", err)
+	}
+
+	return nil
+}
+
+// prepareSigningOpts prepares signing opts from recently issued proof of given credential.
+func prepareSigningOpts(profile *vc.Signer, proofs []verifiable.Proof) ([]vccrypto.SigningOpts, error) {
+	var signingOpts []vccrypto.SigningOpts
+
+	if len(proofs) == 0 {
+		return signingOpts, nil
+	}
+
+	// pick latest proof if there are multiple
+	proof := proofs[len(proofs)-1]
+
+	representation := defaultRepresentation
+	if _, ok := proof[jsonKeyProofValue]; ok {
+		representation = jsonKeyProofValue
+	}
+
+	signingOpts = append(signingOpts, vccrypto.WithSigningRepresentation(representation))
+
+	purpose, err := getStringValue(jsonKeyProofPurpose, proof)
+	if err != nil {
+		return nil, err
+	}
+
+	signingOpts = append(signingOpts, vccrypto.WithPurpose(purpose))
+
+	vm, err := getStringValue(jsonKeyVerificationMethod, proof)
+	if err != nil {
+		return nil, err
+	}
+
+	// add verification method option only when it is not matching profile creator
+	if vm != profile.Creator {
+		signingOpts = append(signingOpts, vccrypto.WithVerificationMethod(vm))
+	}
+
+	signTypeName, err := getStringValue(jsonKeySignatureOfType, proof)
+	if err != nil {
+		return nil, err
+	}
+
+	if signTypeName != "" && signTypeName != models.DataIntegrityProof {
+		signType, err := vcsverifiable.GetSignatureTypeByName(signTypeName)
+		if err != nil {
+			return nil, err
+		}
+
+		signingOpts = append(signingOpts, vccrypto.WithSignatureType(signType))
+	}
+
+	return signingOpts, nil
+}
+
+func getStringValue(key string, vMap map[string]interface{}) (string, error) {
+	if val, ok := vMap[key]; ok {
+		if s, ok := val.(string); ok {
+			return s, nil
+		}
+
+		return "", fmt.Errorf("invalid '%s' type", key)
+	}
+
+	return "", nil
+}