Add Group Name Mapping

Add Group DenyList
WorldHealthOrganization · May 17, 2024 · f1326d7 · f1326d7
1 parent e4ec390
commit f1326d7
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 17 deletions.
diff --git a/src/main/java/tng/trustnetwork/keydistribution/config/KdsConfigProperties.java b/src/main/java/tng/trustnetwork/keydistribution/config/KdsConfigProperties.java
@@ -116,6 +116,9 @@ public static class DidConfig {
 
         private DgcGatewayConnectorConfigProperties.KeyStoreWithAlias localKeyStore =
             new DgcGatewayConnectorConfigProperties.KeyStoreWithAlias();
+
+        private List<String> groupDenyList = new ArrayList<>();
+        private Map<String, String> groupNameMapping = new HashMap<>();
 
         @Getter
         @Setter

diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java b/src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java
@@ -97,6 +97,7 @@ public class DidTrustListService {
     private final GitProvider gitProvider;
 
     private final DocumentLoader documentLoader;
+    private final KdsConfigProperties kdsConfigProperties;
 
     @RequiredArgsConstructor
     @Getter
@@ -132,8 +133,6 @@ public void job() {
         List<String> domains = signerInformationService.getDomainsList();
         List<String> countries = signerInformationService.getCountryList();
 
-        // TODO: Add manual mapping for groups (e.g. CSCA -> CSA)
-        // TODO: Add deny list for groups (AUTHENTICATION, UPLOAD should not be contained)
         //CHECKSTYLE:OFF
         List<String> groups = signerInformationService.getGroupList();
         //CHECKSTYLE:ON
@@ -176,7 +175,7 @@ public void job() {
             domain -> countries.forEach(
                 country -> groups.forEach(
                     group -> didSpecifications.add(new DidSpecification(
-                        List.of(domain, getParticipantCode(country), group),
+                        List.of(domain, getParticipantCode(country), getMappedGroupName(group)),
                         () -> signerInformationService.getCertificatesByDomainParticipantGroup(domain, country, group),
                         trustedIssuerService::getAllDid)))));
 
@@ -206,7 +205,7 @@ private void saveDid(String containerPath, String didDocument) {
 
     private String generateTrustList(DidSpecification specification) {
 
-        List<SignerInformationEntity> signerInformationEntities = specification.getCertSupplier().get();
+        List<SignerInformationEntity> signerInformationEntities = filterEntities(specification.getCertSupplier().get());
         List<TrustedIssuerEntity> trustedIssuerEntities = specification.getIssuerSupplier().get();
 
         if (signerInformationEntities.isEmpty() || trustedIssuerEntities.isEmpty()) {
@@ -335,6 +334,19 @@ private void addTrustListEntry(DidTrustList trustList,
         trustList.getVerificationMethod().add(trustListEntry);
     }
 
+
+    private List<SignerInformationEntity> filterEntities(List<SignerInformationEntity> entities) {
+        return entities.stream()
+                       .filter(entity -> kdsConfigProperties.getDid().getGroupDenyList().stream()
+                                                            .noneMatch(e -> entity.getGroup().equalsIgnoreCase(e)))
+                       .toList();
+    }
+
+    private String getMappedGroupName(String groupName) {
+        return kdsConfigProperties.getDid().getGroupNameMapping()
+                           .computeIfAbsent(groupName, g -> g);
+    }
+
     /**
      * Search for CSCA for DSC.
      *

diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -108,3 +108,8 @@ dgc:
       XB: XXB
       XO: XXO
       XL: XCL
+    group-deny-list:
+      - AUTHENTICATION
+      - UPLOAD
+    group-name-mapping:
+      CSCA: CSA
diff --git a/src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java b/src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java
@@ -90,9 +90,9 @@ public class DidTrustListServiceTest {
     @MockBean
     DgcGatewayDownloadConnector dgcGatewayDownloadConnector;
 
-    X509Certificate certCscaDe, certCscaEu, certDscDe, certDscEu;
+    X509Certificate certCscaDe, certCscaEu, certDscDe, certDscEu, certUploadDe;
 
-    String certDscDeKid, certDscEuKid, certCscaDeKid, certCscaEuKid;
+    String certDscDeKid, certDscEuKid, certCscaDeKid, certCscaEuKid, certUploadDeKid;
 
 
     @AfterEach
@@ -127,6 +127,11 @@ void testData(CertificateTestUtils.SignerType signerType) throws Exception {
                                                              signerType);
         certDscEuKid = certificateUtils.getCertKid(certDscEu);
 
+        certUploadDe = CertificateTestUtils.generateCertificate(keyPairGenerator.generateKeyPair(), "DE",
+                                                             "Upload Test", certCscaDe, cscaDeKeyPair.getPrivate(),
+                                                             signerType);
+        certUploadDeKid = certificateUtils.getCertKid(certUploadDe);
+
         signerInformationRepository.save(new SignerInformationEntity(
             null,
             certCscaDeKid,
@@ -167,6 +172,17 @@ void testData(CertificateTestUtils.SignerType signerType) throws Exception {
             "DSC"
         ));
 
+        // Add Upload cert which should not be added to did
+        signerInformationRepository.save(new SignerInformationEntity(
+            null,
+            certUploadDeKid,
+            ZonedDateTime.now(),
+            Base64.getEncoder().encodeToString(certUploadDe.getEncoded()),
+            "DE",
+            "DCC",
+            "UPLOAD"
+        ));
+
         trustedIssuerRepository.save(trustedIssuerTestHelper.createTrustedIssuer("DE"));
         trustedIssuerRepository.save(trustedIssuerTestHelper.createTrustedIssuer("EU"));
         trustedIssuerRepository.save(trustedIssuerTestHelper.createTrustedIssuer("XY"));
@@ -186,9 +202,9 @@ void testTrustList(boolean isEcAlgorithm) throws Exception {
 
         didTrustListService.job();
 
-        Assertions.assertEquals(10, uploadArgumentCaptor.getAllValues().size());
+        Assertions.assertEquals(12, uploadArgumentCaptor.getAllValues().size());
 
-        int expectedNullDid = 1;
+        int expectedNullDid = 3;
 
         for (byte[] uploadedDid : uploadArgumentCaptor.getAllValues()) {
 
@@ -251,12 +267,12 @@ void testTrustList(boolean isEcAlgorithm) throws Exception {
                     assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(),"did:web:abc:-:DEU#" + URLEncoder.encode(certCscaDeKid, StandardCharsets.UTF_8)),
                                              certCscaDeKid, certCscaDe, null, "deu","did:web:abc:-:DEU");
                     break;
-                case "did:web:abc:DCC:XEU:CSCA":
-                    Assertions.assertEquals("did:web:abc:DCC:XEU:CSCA", parsed.getController());
+                case "did:web:abc:DCC:XEU:CSA":
+                    Assertions.assertEquals("did:web:abc:DCC:XEU:CSA", parsed.getController());
                     Assertions.assertEquals(4, parsed.getVerificationMethod().size());
 
-                    assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(),"did:web:abc:DCC:XEU:CSCA#" + URLEncoder.encode(certCscaEuKid, StandardCharsets.UTF_8)),
-                                             certCscaEuKid, certCscaEu, null, "xeu", "did:web:abc:DCC:XEU:CSCA");
+                    assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(),"did:web:abc:DCC:XEU:CSA#" + URLEncoder.encode(certCscaEuKid, StandardCharsets.UTF_8)),
+                                             certCscaEuKid, certCscaEu, null, "xeu", "did:web:abc:DCC:XEU:CSA");
                     break;
                 case "did:web:abc:DCC:DEU:DSC":
                     Assertions.assertEquals("did:web:abc:DCC:DEU:DSC", parsed.getController());
@@ -265,12 +281,12 @@ void testTrustList(boolean isEcAlgorithm) throws Exception {
                     assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(),"did:web:abc:DCC:DEU:DSC#" + URLEncoder.encode(certDscDeKid, StandardCharsets.UTF_8)),
                                              certDscDeKid, certDscDe, null, "deu", "did:web:abc:DCC:DEU:DSC");
                     break;
-                case "did:web:abc:DCC:DEU:CSCA":
-                    Assertions.assertEquals("did:web:abc:DCC:DEU:CSCA", parsed.getController());
+                case "did:web:abc:DCC:DEU:CSA":
+                    Assertions.assertEquals("did:web:abc:DCC:DEU:CSA", parsed.getController());
                     Assertions.assertEquals(4, parsed.getVerificationMethod().size());
 
-                    assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(),"did:web:abc:DCC:DEU:CSCA#" + URLEncoder.encode(certCscaDeKid, StandardCharsets.UTF_8)),
-                                             certCscaDeKid, certCscaDe, null, "deu", "did:web:abc:DCC:DEU:CSCA");
+                    assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(),"did:web:abc:DCC:DEU:CSA#" + URLEncoder.encode(certCscaDeKid, StandardCharsets.UTF_8)),
+                                             certCscaDeKid, certCscaDe, null, "deu", "did:web:abc:DCC:DEU:CSA");
                     break;
                 case "did:web:abc:DCC:DEU":
                     Assertions.assertEquals("did:web:abc:DCC:DEU", parsed.getController());

diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml
@@ -57,7 +57,10 @@ dgc:
       "[https://w3id.org/security/suites/jws-2020/v1]": jws-2020_v1.json
     virtualCountries:
       EU: XEU
-
+    group-deny-list:
+      - UPLOAD
+    group-name-mapping:
+      CSCA: CSA
 universal:
   resolver: "https://dev.uniresolver.io/1.0/identifiers"